web application security lab

Master Recon-Tool (Mr. T)

So the Seattle (beta) Toorcon was fun today. On top of learning a bunch about technologies that I just never get any time to play with (and probably a lot more to discuss there in the future after I do some more research with some of the people I met this week) I had a pretty successful talk. My talk was based on recovering information that the client freely gives up for more targeted exploitation. If you remember Ronald’s Black Dragon project, you’ll see striking similarities in this. I felt terrible building this, like I was ripping him off, but I assure you, there was no code-reuse and it’s for a different purpose than his code. Ronald’s code was meant more as a demonstration of what we know, my code is meant more as an actual tool, even though for the most part it does the same stuff.

So I took the same general concept of things like the JS environmental variables page and Ronald’s page, plus a few other goodies like the MHTML vuln, an attempt to locate local HTTP ports, etc., and threw it all together into one piece of code that can be called from JS space. If you want a demo of what it looks like, go visit the Master Recon-Tool (Mr. T). You will see very different results in IE and Firefox. If you want the full effect in IE, visit Gmail in IE7.0 before viewing the recon tool. That bug will get fixed soon enough, but for the time being it works.

Mr. T combines all that into one place so that you can gather a great deal of client based info through a single XSS hole. Then by taking the DOM and dumping it into a form that you submit to a logging server, you can know pretty much everything you want to know about breaking into the machine in question.

So essentially, this tool is a) portable, b) extensible and c) as buggy as it gets. It’s sorta meant to be buggy though, partially because it’s not thoroughly thought out since I’ve been moving around so much this month, and partially because it doesn’t need to be 100% accurate. It does work pretty well though. It’s meant to be modified as much as makes sense, which is why I wrote it in Perl and made it as clear as possible what I was doing under the hood. Sure, specific vulns will get fixed, and sure, new things will need to get added, but ultimately, this is one of the best ways to do browser based recon out there. You can download the source to the project here if you want to play with it.

18 Responses to “Master Recon-Tool (Mr. T)”

  1. christ1an Says:

    That site crashed my firefox. Can’t even open it again without a reboot.

    Anyway, would you be so kind as to sanitize the user agent variables properly so that they’re not vulnerable to XSS? Would be fine :)

  2. David Says:

    I get an empty page on IE7 - probably because the script tag is trying to load a cgi file (what mimetype is mr-t.cgi being served as?)

    Works nicely in Opera though, good job. Even though it seems to pick up more history than there actually is :)

  3. beNi Says:

    Your crazy “Mr-T” crashes Linux’ Firefox (Ubuntu Feisty, both latest version). Thank you ;)

  4. Ronald van den Heetkamp Says:

    Don’t feel bothered Robert :) That project of mine was collecting dust over there, haven’t got the time to maintain it and test it and It looked awful in MSIE and such so it’s pretty dead now ;)

    I will take a look at yours soon. :D

  5. Jamuse Says:

    Strange, I tried it in IE6 after visiting Gmail to get the full effect and I get an error “XMLHttpRequest is undefined” when trying to open the /mr-t/ page.

  6. Sid Says:

    Works perfectly for me (same set up as Beni). Nice stuff

  7. ChosenOne Says:

    Did NOT crash my firefox (ubuntu feisty as well)

  8. r0xes Says:

    Nice, pretty good.

  9. RSnake Says:

    christ1an - XSSing yourself with a user agent isn’t really a vuln, since you can’t exactly force people to change their user agent, and it’s not stored. ;)

    David - the CGI’s mimetype doesn’t matter because it’s in the context of a JS tag, and it works fine for me in IE7.0. Did you check to see if it was throwing a JS error? But the mimetype changes depending on what stage it is in. For the bulk of it it is:

    Content-Type: text/javascript;charset=ISO-8895-1

    beNi - that’s cool… do you know how it’s crashing it? Seems like we found a vuln in something.

    Jamuse - I didn’t try in IE6.0. You’ll notice I said try in IE7.0. IE6.0 compatibility would take a little more work.

    Ronald - thanks, I’m glad you felt that way. I in no way wanted to rip you off, and I did give you credit in the speech as well, btw, since you did a lot of this first.

  10. christ1an Says:

    RSnake: Sure, never claimed anything else but you should sanitize it though :P

  11. RSnake Says:

    Yah yah, I know… I’ll do that tomorrow when I’m back in the office. Even if it’s not vulnerable, why leave it like that, right?

  12. christ1an Says:

    Right ;)
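The sanitization christ1an and RSnake settle on above has a context wrinkle: the user agent lands inside a JavaScript string in a `text/javascript` response, so it needs JS string-literal escaping, not just HTML entity encoding. This is an added Python sketch, not the Perl from mr-t.cgi, and the `SAMPLE_UAS` values are constructed test inputs, not real browser strings.

```python
import json

# Constructed inputs standing in for the User-Agent header a CGI might echo
# back. Three of them carry the shapes a reflected value is usually tested
# with: a quote that ends the string early, a closing script tag, and the
# U+2028 line separator that terminates a JS statement but is not a control
# character in HTML terms.
SAMPLE_UAS = {
    "benign": "Mozilla/5.0 (X11; Linux) Firefox/2.0",
    "quote_breakout": 'Mozilla/5.0"; alert(document.cookie); //',
    "tag_breakout": "Mozilla/5.0</script><script>alert(1)</script>",
    "line_sep": "Mozilla/5.0\u2028alert(1)",
}


def render_unsafe(ua: str) -> str:
    """The pattern objected to in the comments: raw concatenation into JS."""
    return 'var ua = "' + ua + '";'


def js_string_literal(value: str) -> str:
    """Encode an untrusted value as a JS string literal that is safe both in a
    text/javascript response and inside an inline <script> block.

    json.dumps escapes quotes, backslashes and control characters, and with
    ensure_ascii every non-ASCII code point (so U+2028/U+2029 become \\u2028
    and \\u2029, which JS reads as the characters, not as line terminators).
    The extra replacements keep an HTML parser from ever seeing '</script>'
    or an entity when the same snippet is inlined into a page."""
    literal = json.dumps(value, ensure_ascii=True)
    return (literal.replace("<", "\\u003c")
                   .replace(">", "\\u003e")
                   .replace("&", "\\u0026"))


def render_safe(ua: str) -> str:
    return "var ua = " + js_string_literal(ua) + ";"


def parse_back(rendered: str):
    """Recover the string a JS engine would assign to `ua`, or None when the
    literal was terminated early and the remainder is extra code. The JSON
    string grammar is a subset of JS, so json.loads is a faithful stand-in
    for the engine's string-literal parser here."""
    prefix, suffix = "var ua = ", ";"
    if not (rendered.startswith(prefix) and rendered.endswith(suffix)):
        return None
    try:
        return json.loads(rendered[len(prefix):-len(suffix)])
    except json.JSONDecodeError:
        return None
```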

  13. ethernode Says:

    Holy…

    Crap….

    Some javascript nmap :)

    BTW: didn’t crash my config (ubuntu edgy + ffx)

  14. beNi Says:

    Now it works. Crazy, the only thing I changed (I tried it three times - always a crash) was installing a new plugin… so this flaw will be hidden some more time =(

  15. Richard Moore Says:

    The IE 7 detection false +ves on Konqueror.

  16. Milind Amin Says:

    Most Useless I can’t agree

  17. mikikar Says:

    Hello mr-t.cgi no fund error

    Internal Server Error
    The server encountered an internal error or misconfiguration and was unable to complete your request. …..

    help please !!

  18. RSnake Says:

    mikikar - are you finding this error on my site or yours? It’s on my site, and working as expected for me.