Master Recon-Tool (Mr. T)
So the Seattle (beta) Toorcon was fun today. On top of learning a bunch about technologies that I just never get any time to play with (and probably a lot more to discuss there in the future after I do some more research with some of the people I met this week) I had a pretty successful talk. My talk was based on recovering information that the client freely gives up for more targeted exploitation. If you remember Ronald’s Black Dragon project, you’ll see striking similarities in this. I felt terrible building this, like I was ripping him off, but I assure you, there was no code-reuse and it’s for a different purpose than his code. Ronald’s code was meant more as a demonstration of what we know, my code is meant more as an actual tool, even though for the most part it does the same stuff.
So I took the same general concept of things like the JS environmental variables page and Ronald’s page, plus a few other goodies like the MHTML vuln, attempting to locate local HTTP ports, etc., and threw it all together into one piece of code that can be called from JS space. If you want a demo of what it looks like, go visit the Master Recon-Tool (Mr. T). You will see very different results in IE and Firefox. If you want the full effect in IE, visit Gmail in IE7.0 before viewing the recon tool. That bug will get fixed soon enough, but for the time being it works.
Mr. T combines all of that into one place so that you can gather a great deal of client-side info through a single XSS hole. Then, by taking the DOM and dumping it into a form that you submit to a logging server, you can learn pretty much everything you want to know about breaking into the machine in question.
So essentially, this tool is a) portable, b) extensible and c) as buggy as it gets. It’s sort of meant to be buggy, though: partially because it’s not thoroughly thought out, since I’ve been moving around so much this month, and partially because it doesn’t need to be 100% accurate. It does work pretty well, though. It’s meant to be modified as much as makes sense, which is why I wrote it in Perl and made it as clear as possible what I was doing under the hood. Sure, specific vulns will get fixed, and sure, new things will need to get added, but ultimately this is one of the best ways to do browser-based recon out there. You can download the source to the project here if you want to play with it.



May 13th, 2007 at 1:32 am
That site crashed my firefox. Can’t even open it again without a reboot.
Anyway, would you be so kind as to sanitize the user agent variables properly so that they’re not vulnerable to XSS? Would be fine
May 13th, 2007 at 2:33 am
I get an empty page on IE7 - probably because the script tag is trying to load a cgi file (what mimetype is mr-t.cgi being served as?)
Works nicely in Opera though, good job. Even though it seems to pick up more history than there actually is
May 13th, 2007 at 3:12 am
Your crazy “Mr-T” crashes Linux Firefox (Ubuntu Feisty, both latest versions). Thank you
May 13th, 2007 at 4:03 am
Don’t feel bothered, Robert.
That project of mine was collecting dust over there; I haven’t got the time to maintain it and test it, and it looked awful in MSIE and such, so it’s pretty dead now.
I will take a look at yours soon.
May 13th, 2007 at 6:16 am
Strange, I tried it in IE6 after visiting Gmail to get the full effect and I get an error “XMLHttpRequest is undefined” when trying to open the /mr-t/ page.
May 13th, 2007 at 6:56 am
Works perfectly for me (same set up as Beni). Nice stuff
May 13th, 2007 at 7:25 am
did NOT crash my firefox (ubuntu feisty as well)
May 13th, 2007 at 8:22 am
Nice, pretty good.
May 13th, 2007 at 10:30 am
christ1an - XSSing yourself with a user agent isn’t really a vuln, since you can’t exactly force people to change their user agent, and it’s not stored.
David - the CGI’s mimetype doesn’t matter because it’s in the context of a JS tag, and it works fine for me in IE7.0. Did you check to see if it was throwing a JS error? But the mimetype changes depending on what stage it is in. For the bulk of it, it is:
Content-Type: text/javascript;charset=ISO-8895-1
beNi - that’s cool… do you know how it’s crashing it? Seems like we found a vuln in something.
Jamuse - I didn’t try in IE6.0. You’ll notice I said try in IE7.0. IE6.0 compatibility would take a little more work.
Ronald - thanks, I’m glad you felt that way. I in no way wanted to rip you off, and I did give you credit in the speech as well, btw, since you did a lot of this first.
May 13th, 2007 at 11:14 am
RSnake: Sure, never claimed anything else but you should sanitize it though
May 13th, 2007 at 11:45 am
Yah yah, I know… I’ll do that tomorrow when I’m back in the office. Even if it’s not vulnerable, why leave it like that, right?
May 13th, 2007 at 12:18 pm
Right
May 14th, 2007 at 2:04 am
Holy…
Crap….
Some javascript nmap
BTW: didn’t crash my config (ubuntu edgy + ffx)
May 14th, 2007 at 11:00 am
Now it works. Crazy, the only thing I changed (I tried it three times, always a crash) was installing a new plugin… so this flaw will be hidden some more time =(
May 15th, 2007 at 3:55 am
The IE 7 detection false +ves on Konqueror.
May 16th, 2007 at 9:51 am
Most Useless I can’t agree
July 3rd, 2007 at 4:24 pm
Hello, mr-t.cgi not found error
Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request. …..
Help please!!
July 5th, 2007 at 10:02 am
mikikar - are you finding this error on my site or yours? It’s on my site, and working as expected for me.