So the Seattle (beta) Toorcon was fun today. On top of learning a bunch about technologies that I just never get any time to play with (and probably a lot more to discuss there in the future after I do some more research with some of the people I met this week), I had a pretty successful talk. My talk was based on recovering information that the client freely gives up for more targeted exploitation. If you remember Ronald’s Black Dragon project, you’ll see striking similarities in this. I felt terrible building this, like I was ripping him off, but I assure you, there was no code-reuse and it’s for a different purpose than his code. Ronald’s code was meant more as a demonstration of what we know; my code is meant more as an actual tool, even though for the most part it does the same stuff.
So I took the same general concept of things like the JS environmental variables page and Ronald’s page, plus a few other goodies like the MHTML vuln and attempting to locate local HTTP ports, etc., and I threw it all together into one piece of code that can be called from JS space. If you want a demo of what it looks like, go visit the Master Recon-Tool (Mr. T). You will see very different results in IE and Firefox. If you want the full effect in IE, visit Gmail in IE7.0 before viewing the recon tool. That bug will get fixed soon enough, but for the time being it works.
Mr. T combines all that into one place so that you can gather a great deal of client-based info through a single XSS hole. Then, by taking the DOM and dumping it into a form that you submit to a logging server, you can know pretty much everything you want to know about breaking into the machine in question.
So essentially, this tool is a) portable, b) extensible and c) as buggy as it gets. It’s sorta meant to be buggy though, partially because it’s not thoroughly thought out since I’ve been moving around so much this month, and partially because it doesn’t need to be 100% accurate. It does work pretty well though. It’s meant to be modified as much as it makes sense to, which is why I wrote it in Perl and made it as clear as possible what I was doing under the hood. Sure, specific vulns will get fixed, and sure, new things will need to get added, but ultimately, this is one of the best ways to do browser-based recon out there. You can download the source to the project here if you want to play with it.