begood Posted July 20, 2010

This is something that I used to always think and just stop at thinking only! But the author of Shell of the Future has not only done that, but done it quite impressively. We had to rely on a lot of things and do a lot of stuff to show that a page was actually vulnerable to cross-site scripting (XSS). But thanks to this tool, it is very easy to leave behind the ubiquitous "alert()" while demonstrating an XSS vulnerability to your clients. You can do a lot more!

Shell of the Future is a Reverse Web Shell handler. In other words, it is the browser equivalent of a reverse command shell! Instead of a command prompt from which you type in commands and they get executed on the remote computer, you get to browse the victim's HTTP/HTTPS session from your browser. Even though the site is being browsed from your browser, all the pages are fetched by the victim's browser by tunneling HTTP over HTTP using HTML5 Cross Origin Requests.

The hijacked session also displays a hovering banner which can be customized, making it the perfect POC for your pentest report. But how do you browse the victim's HTTP/HTTPS session from your browser? Simple: you set the victim's browser to use Shell of the Future's proxy server, start the tool and visit http://127.0.0.1/sotf.console from his browser. This can be done easily using JavaScript, or manually too!

This is the architecture of Shell of the Future. Shell of the Future has two main components:

Proxy Server: The pentester's browser must be configured to use this as the proxy server. The proxy server listens on port 1337 by default. All requests sent by the pentester's browser are captured by this proxy, which converts them into JSON messages and sends them to the Shell of the Future web server. It regularly polls the web server to test if responses to those requests are available. If a response is available, the proxy processes the response body to make changes like adding a banner etc. (if enabled by the user) and sends the response to the pentester's browser. If the browser is requesting static files like CSS or JPG files, then these are directly fetched from the server. This feature is also configurable and can be turned off if required.

Web Server: The web server gets all the requests from the proxy and stores them in a temporary database. When the victim polls the web server, the requests are sent to it. The victim fetches the responses for these requests from the server and sends them back to the server, where they are again stored in the database. When the proxy polls the server looking for responses, this response is sent to it. The web server also serves JavaScript exploits to the victim.

The author has been gracious enough to add two JavaScript exploits for us! They are:

e1.js: This exploit is the simpler of the two. Once injected into the browser, it polls the Shell of the Future server constantly, checking for any new requests that must be fetched. If any requests are available, these are sent in JSON format. The exploit fetches individual requests from the JSON object, fetches each of them from the server, encodes the response in hex and then sends it over to the Shell of the Future server.

e2.js: This exploit performs all the functions that e1.js does and in addition has an added feature to increase the lifetime of the injected script. It adds an invisible link to the page and adds an 'onmousemove' event handler so that the link is always under the cursor. When the victim clicks anywhere on the page, this link gets clicked and it opens the same site in a new tab. The transition between these two exploits is hardly noticeable, and the victim would continue browsing the site in the new tab while the injected exploit would remain active in the other tab.

For the ones with a programming streak, you can include your own e3.js and e4.js JavaScript files and they will be treated as exploits for the tool.

As of now, everything is amazing with this tool. Just some caveats:

- Needs .NET framework 2.0 and above.
- If the proxy or the server component must listen on a port less than 1024, then it must be run with administrator privileges.
- Does not properly work with Linux.
- Communication is a bit slow while browsing a victim's session as it is routed between three points.

Apart from these, we did not find any other problems with the tool. We know you must be interested in downloading it already! Download Shell of the Future v0.9 here.

Source: Shell of the Future: A Reverse Web Shell Handler! (PenTestIT)
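The relay described in the post above (pentester's browser to proxy, proxy to web server, web server to the e1.js payload running in the victim's page, and back), modelled as an added example. This is not the Shell of the Future code and not from the original post: RelayServer, hexEncode/hexDecode, addBanner, victimPollOnce, browseThroughVictim, the sample pages and the banner text are all constructed here to show why the relay exposes the victim's authenticated session and what the hex encoding and banner steps look like. The real tool does the polling asynchronously over HTTP; here the victim's same-origin fetch is a stand-in function so the round trip runs offline.

```javascript
// Added example modelling the Shell of the Future relay. Not the tool's code;
// all names, sample pages and the banner markup are assumptions for illustration.

// Hex-encode the fetched body before posting it back (the post says e1.js does this).
function hexEncode(text) {
  return Array.from(new TextEncoder().encode(text), b => b.toString(16).padStart(2, "0")).join("");
}
function hexDecode(hex) {
  const bytes = Uint8Array.from(hex.match(/[0-9a-f]{2}/gi) || [], h => parseInt(h, 16));
  return new TextDecoder().decode(bytes);
}

// "Web server" component: the temporary store sitting between the proxy and the victim.
class RelayServer {
  constructor() { this.pending = []; this.responses = new Map(); this.nextId = 1; }
  // Proxy side: queue one request captured from the pentester's browser as a JSON-able message.
  enqueue(method, path, headers = {}) {
    const id = this.nextId++;
    this.pending.push({ id, method, path, headers });
    return id;
  }
  // Victim side: the injected script polls and drains the queue.
  pollRequests() { const batch = this.pending; this.pending = []; return batch; }
  // Victim side: the hex-encoded response arrives over a cross-origin request.
  storeResponse(id, status, hexBody) { this.responses.set(id, { status, hexBody }); }
  // Proxy side: poll for a stored response; null until the victim has fetched it.
  pollResponse(id) { return this.responses.get(id) || null; }
}

// Victim side: one e1.js-style polling round. sameOriginFetch stands in for the
// victim browser's own fetch: it runs inside the victim's page, so the victim's
// cookies ride along and the relay sees the authenticated session, not a fresh one.
function victimPollOnce(server, sameOriginFetch) {
  let handled = 0;
  for (const req of server.pollRequests()) {
    const res = sameOriginFetch(req.method, req.path, req.headers);
    server.storeResponse(req.id, res.status, hexEncode(res.body));
    handled++;
  }
  return handled;
}

// Proxy side: the hovering proof-of-concept banner, injected right after <body>
// so the pentester's browser renders it on top of the hijacked page.
const BANNER = '<div style="position:fixed;top:0;left:0;background:#c00;color:#fff;z-index:99999">'
  + 'Session hijacked via XSS (pentest PoC)</div>';
function addBanner(html) {
  return html.replace(/<body[^>]*>/i, m => m + BANNER);
}

// Constructed stand-in for the victim's same-origin fetch: a page the site only
// serves to the logged-in user, which the pentester could not fetch directly.
const SAMPLE_PAGES = {
  "/": "<html><body><h1>Home</h1></body></html>",
  "/account": "<html><body><h1>Welcome, alice</h1><p>Balance: 1000</p></body></html>",
};
function fakeVictimFetch(method, path) {
  if (method !== "GET") return { status: 405, body: "method not allowed" };
  if (!(path in SAMPLE_PAGES)) return { status: 404, body: "not found" };
  return { status: 200, body: SAMPLE_PAGES[path] };
}

// One full round trip: pentester's browser -> proxy -> web server -> victim -> web server -> proxy.
function browseThroughVictim(server, sameOriginFetch, method, path) {
  const id = server.enqueue(method, path);
  victimPollOnce(server, sameOriginFetch);   // in the real tool this runs on the victim's own timer
  const stored = server.pollResponse(id);
  if (!stored) return null;                  // nothing yet: the proxy would keep polling
  return { status: stored.status, body: addBanner(hexDecode(stored.hexBody)) };
}

console.log(browseThroughVictim(new RelayServer(), fakeVictimFetch, "GET", "/account"));
```

The model makes the three-hop latency the post complains about visible: a response only exists after the victim's timer fires, so the proxy must keep polling, and every page costs at least two polling intervals. The e2.js persistence trick (an invisible link kept under the cursor so a click opens the site in a fresh tab while the payload's tab stays alive) is a DOM matter and is not modelled here.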
tdxev Posted July 20, 2010

"Shell of the Future" - no way; yes, as an idea it deserves applause, but for practical use there are too many variables that can drop your connection!