Skip to content
/ xsser Public

From XSS to RCE 2.75 - Black Hat Europe Arsenal 2017 + Extras

License

Notifications You must be signed in to change notification settings

Varbaek/xsser

Repository files navigation

XSSER

Black Hat Arsenal

Black Hat Arsenal

Black Hat Arsenal

Black Hat Arsenal

Presentation

  • From XSS to RCE 2.75 - Black Hat Europe Arsenal 2017

Demo

Requirements

  • Python (2.7.*, version 2.7.14 was used for development and testing)
  • Msfconsole (accessible via environment variables)
  • Netcat (nc)
  • PyGame (pip install pygame)
  • jsmin (new dependency - pip install jsmin)
  • xterm (previously gnome and bash)

To install the Python dependencies, you can run the following command:

pip install -r requirements.txt

If you're using a virtual environment, then you may need to use the full list:

pip install -r requirements-all-libraries-used.txt

For installation instructions on Ubuntu 16.04.1 LTS, please refer to the wiki: https://github.com/Varbaek/xsser/wiki

Removed Dependencies:

  • Gnome (switched to xterm)
  • Bash (only tested in bash, but should work in other terminals)
  • cURL (switched to native python requests)

Payload Compatibility

  • Chrome (2018) - Tested live at Black Hat Arsenal 2017 and during extras development.
  • Firefox - Untested - Should still work as available JS features are almost the same.

WordPress Lab

WordPress Exploit

Joomla Lab

Joomla Exploit

Directories

  • Audio: Contains remixed audio notifications.
  • Exploits: Contains DirtyCow (DCOW) privilege escalation exploits.
  • Hello_Shell: Contains a Joomla extension backdoor, which can be uploaded as an administrator and subsequently used to execute arbitrary commands on the system with ?c=ls or ?c64=base64_here. This directory was originally placed in "Joomla_Backdoor".
  • Payloads/javascript: Contains the JavaScript payloads.
  • Received_Data: Empty directory which will be used in future versions.
  • Shells: Contains the PHP shells, including a slightly modified version of pentestmonkey's shell that connects back via wget to send the attacker a notification of success.

Developed By

  • Hans-Michael Varbaek
  • VarBITS

Special Credits

  • MaXe / InterN0T
  • Sense of Security (Versions 2.0 - 2.5)

Code Design

  • It works! (Again!)
  • Still spaghetti code, but now with almost complete PEP8 and possible refactoring in the future.
  • Just-In-Time for Black Hat Europe 2017