Posts Tagged

Browser exploit

Browser Silent Exploitation (2018) POC

Since 2010 I was following the browser exploits of (Silent Java drive by) methods and techniques, and after 2016 I’ve never heard of another “silent drive by” on the Markets, but another critical thing came through, Browser Local storage.

This is a working example of a HTML/JavaScript browser storage exploitation.

As an example, to show how an attacker could force any PC system to download a executable file onto the system just directing the victim to visit a webpage no clicks needed.

Unlike the old Java Drive by methods which have been patched for many years, which used jar applets to allow VBS to execute on the local systems browser TMP folder.

This exploit works by using the browser Local Storage abilities, 90% of web browsers have built in Local Storage cache abilities which allow the them to store files onto the system and reference to these files later when re visiting the website. This allows the browser to reload images and video / SWF content of the website faster than it would normally load the content on the webpage by download.

Now when the victim re-visit a website on a browser with Local Storage cache enable by default it will load the website faster than it would loading from the first time. And the web browser will load the website resources from the local system rather than downloading them again.

What this means is when a site is coded to store its video or image data to the browsers Local Storage cache, the browser automatically downloads the file with no user input or knowledge to the end user this file is then stored on their PC.

trojan.exe = is a file the attacker wishes to have the PC download it by viewing the webpage.

extract.exe = the file that when run will extract trojan.exe from the browsers Local Storage cache and execute it.

The thing is for example Firefox stores this Local Storage cache in a SQL database format on the local HDD, It stores this data in such a way that the image files and video files are not directly on the system but rather there base64 encodings of the file are stored here as a database table value to load from later.

Here is where this exploit comes to play 🙂

With this POC example provided in my GitHub Repo you can see it uses simple CSS/JavaScript with html to store an exe file to the browser cache of any visitor to the webpage.

So, any user visiting this page will automatically download the trojan.exe onto their system no user input dialogs or notices the exe file is on their system as soon as page is done loading.

But the file is on their systems browser cache database which now needs to be extracted and ran on the system now that it is downloaded.

This is where the attacker send them the extract.exe

the Trojan.exe file is the file they must now run to have the Trojan.exe downloaded from viewing the webpage be extracted and ran on the system.

The extract.exe as of version 1.0 is only designed to work in this POC.

The extract.exe DOES NOT download any file it makes no internet connection at all – It simply extracts and runs the file that was silently downloaded and placed onto the system from the website viewing.

The advantages of using this method is that the attacker can indeed force any system viewing any site to download the file just by viewing the webpage. This makes the download ad placement of the file onto their system extremely undetectable AT ALL.

This would also allow attackers to force the file onto victim’s system even if they have a strict firewall in place.

POC contents:

Exploit.js = a java script file that will download the virus silently into the system.

Trojan.exe = example of a cmd trojan that will be downloaded.

index.html = a web page that has the malicious content.

Extract.exe = a file to translate the base 64 code and extract it from the browser storage.