XSS Shell v0.3.9

["Ferruh Mavituna" <ferruh () mavituna com>]

Sorry about shameless plug but I think lots of people in the list may
find it quite useful,

XSS Shell is a powerful XSS backdoor which allows interactively
getting control over a Cross-site Scripting (XSS) vulnerability in a
web application. Demonstrates the real power and damage of Cross-site
Scripting attacks.


-------------------------
XSS SHELL v0.3.9
-------------------------
Ferruh Mavituna - Last Updated : 02/11/2006

Online URL (Download, Screenshots, demo etc.):
http://ferruh.mavituna.com/article/?1338


Download :
http://www.portcullis-security.com/tools/free/XSSShell039.zip
or
http://ferruh.mavituna.com/xssshell/download/xssshellv039.zip


-------------------------
WHAT IS XSS SHELL ?
-------------------------
XSS Shell is powerful a XSS backdoor and zombie manager. This concept
first presented by "XSS-Proxy - http://xss-proxy.sourceforge.net/";.
Normally in XSS attacks attacker has one shot, in XSS Shell you can
interactively send requests and get responses from victim. you can
backdoor the page.

You can steal basic auth, you can bypass IP restrictions in
administration panels, you can DDoS some systems with a permanent XSS
vulnerability etc. Attack possibilities are limited with ideas.
Basically this tool demonstrates that you can do more with XSS.


-------------------------
LICENSE
-------------------------
GNU, Check xssshell.asp for details.

-------------------------
FEATURES
-------------------------
XSS Shell has several features to gain whole access over victim. Also
you can simply add your own commands.

Most of the features can enable or disabled from configuration or can
be tweaked from source code.

Features;
        - Regenerating Pages
                - This is one of the key and advanced features of XSS Shell. XSS
Shell re-renders the infected page and keep user in virtual
environment. Thus even user click any links in the infected page he or
she will be still under control! (within cross-domain restrictions) In
normal XSS attacks when user leaves the page you can't do anything.
                - Secondly this feature keeps the session open so even victim follow
an outside link from infected page session is not going to timeout and
you will be still in charge.
        - Keylogger
        - Mouse Logger (click points + current DOM)

Built-in Commands;
        - Get Keylogger Data
        - Get Current Page (Current rendered DOM / like screenshot)
        - Get Cookie
        - Execute supplied javaScript (eval)
        - Get Clipboard (IE only)
        - Get internal IP address (Firefox + JVM only)
        - Check victim's visited URL history
        - DDoS
        - Force to Crash victim's browser

-------------------------
INSTALL
-------------------------
XSS Shell uses ASP + MS Access database as backend but you can simply
port them into any other server-side solution. You just need to stick
with simple communication protocol.


Install Admin Interface;

1. Copy "xssshell" folder into your web server
2. Copy "db" to a secure place (below root)
3. Configure "database path" from "xssshell/db.asp"
4. Modify hard coded password in db.asp [default password is : w00t]
5. Now you can access admin interface from something like
http://[YOURHOST]/xssshell/


Configure XSS Shell for communication;
1. Open xssshell.asp
2. Set "SERVER" variable to where your XSSShell folder is located.
i.e: "http://[YOURHOST]/xssshell/";;
3. Be sure to check "ME", "CONNECTOR", "COMMANDS_URL" variables. If
you changed filenames, folder names or some kind of different
configuration you need modify them.

Now open your admin interface from your browser,
To test it, just modify "sample_victim/default.asp" source code and
replace "http://attacker:81/release/xssshell.js"; URL with your own XSS
Shell URL. Open "sample_victim" folder in some other browser and may
be upload in to some other server.

Now you should see a zombie in admin interface. Just write something
into "parameters" textarea and click "alert()". You should see an
alert message in victim's browser.

-------------------------
SECURITY NOTES
-------------------------
- As a hunter be careful about possible "Backfire" in getSelfHTML().
Someone can hack you back or track you by another XSS or XSS Shell
attack.
        - Checkout "showdata.asp" and implement your own "filter()" function
to make it safer for you.

- Put "On error resume next" to db.asp, better modify your web server
to not show any error.

-------------------------
HOW CAN YOU EXTEND?
-------------------------
First implement it to xssshell.asp
        1) Add new enum for your control
                - Set a name and unique number like "CMD_GETCOOKIE"
                        - var CMD_SAMPLE = 78;
                
                - Set datatype for your response (generally TEXT),
                        - dataTypes[CMD_SAMPLE] = TEXT;
                
        2) Write your function and add it to page
                - function cmdSample(){return "yeah working !"}
        
        3) Call it
                - Go inside to "function processGivenCommand(cmd)"
                - Add a new case like "case CMD_SAMPLE:"
        
        4) Report it back
                - Inside the case call log;
                "log(cmdSample(), dataTypes[cmd.cmd], cmd.attackID, "waitAndRun()");"
                
Secondly Implement it to admin interface;
        - In db.asp just add a new element to "Commands" array (command name,
command unique number, description).
        i.e. "cmdSample()",78,"Command sample ! Just returns a message"


There are parameters and lots of helper in the code. Check out other
commands for reference.
Enable debug feature to debug your new commands easily.


-------------------------
KNOWN BUGS;
-------------------------
- Keylogger is not working on IE
- Possibly not going to work for framed pages because of frame regeneration.
- Not working on Konqueror



-------------------------
CHANGELOG
-------------------------
Ferruh Mavituna [ ferruh{at}mavituna.com - http://ferruh.mavituna.com ]

v0.2 (14/08/2006)
        - Communication Changes
        - Working well in cross-site domains issues
        - New commands added

v0.3 (18/08/2006)
        - Frameset Feature
        - Several changes & Bug Fixes

v0.3.1 (30/10/2006)
        - Clean-up in files and folders

v0.3.5 (31/10/2006)
        - Improvements and fixes related with victim management
        - Password Protected admin pages

v0.3.7 (01/11/2006)
        - Visited Link checker command
        - Spell checks
        - Save / Eval parsing bugs fixed
        - History Checker added
        - Minor fixes & improvements especially in tunnel
        - Some admin interface makeover

v0.3.8 (01/11/2006)
        - getURL Command() - no post etc. support yet...
        - Post support added to getURL() command!

v0.3.9 (02/11/2006)
        - Connection drop timeout check. If your XSS Shell server is down or
connection dropped because of victim it'll try to repair itself.
        - DoS and Crash commands added


-------------------------
USED JS LIBRARIES for ADMIN INTERFACE, Thanks to developers
-------------------------
moo.ajax        -       moofx.mad4milk.net
script.aculo.us -       (http://script.aculo.us, http://mir.aculo.us)




Ferruh Mavituna
http://ferruh.mavituna.com

-------------------------------------------------------------------------
Sponsored by: Watchfire

AppScan delivers new remediation capabilities, key regulatory compliance 
reporting, and productivity enhancements that dramatically improve, 
automate and streamline users' ability to quickly find, remediate and 
manage web application security vulnerabilities. Change the way you think 
about application security testing - download AppScan today!

https://www.watchfire.com/securearea/appscancamp.aspx?id=701500000008YTE
--------------------------------------------------------------------------