Immunity, Inc.
Name safari_file_stealing
CVE CVE-2008-4216
Exploit Pack CANVAS
Description: Safari < 3.2 File Stealing
Notes: Warning: Due to the nature of this exploit, a file (error.html) will be left behind on the target system.
CVE Name: CVE-2008-4216
VENDOR: Apple
NOTES: There are a lot of things working together in this exploit. Each stage of the attack is outlined as follows:

1 - A target is somehow enticed to browse to our server that hosts the exploit.
2 - An HTML page with two embedded iframes and a malicious Java applet is loaded into the target browser.
3 - iframe number 1 makes a GET request for error.html.
4 - When the request is made, SPIKEproxy sends an invalid Content-Type header to force Safari to download the file to a 'known' location.
5 - The Java applet abuses the vulnerable showDocument() function to load the malicious error.html file from the 'known' location.
    - The user either supplied a known user name or a list of possible user names to brute force.
    - A trick was used to make all the brute forcing take place in the second (invisible) iframe, so the target will not see anything.
    - You may want to try running the CANVAS userenum module against a Windows target in an attempt to enumerate valid user names.
6 - Once the Java applet has successfully found the malicious error.html, it executes the JavaScript inside, which iterates through the list
of files the user supplied to be stolen. Any type of file can be stolen, as the JavaScript converts even binary files (exe/pdf/doc) for flawless
transport over the network back to us.
7 - Once SPIKEproxy sees a POST request with ?file= in the request, it parses a custom 'filename' header, then converts that file and dumps it
into the Reports//stolen_files folder.

The only difficulty in exploiting this is that we might not know the user names in use on the target systems, which are needed to make a call
to the downloaded error.html file.

Due to all the 'moving parts' involved in this exploit, it is best to run it from the httpserver module. You will need to supply arguments to the httpserver
module when using this exploit. All possible arguments are listed below.
Repeatability: Infinite (client side - no crash)
CVE Url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4216
Arguments:

In the Resources/safari_file_stealing folder you will find usernames.txt and filelist.txt. Those files are where you put the
user names to try and the files you would like to steal. Each file should be on its own line, without the drive letter and without the
leading slashes, as follows:

WINDOWS/system32/calc.exe
Documents and Settings/Administrator/Desktop/some.pdf
etc/passwd

Each user name should be on its own line in the file, as follows:

Administrator
bob
root

singleuser:
singleuser:Administrator

singlefile:
(starting with the file name only. The drive letter and slashes are handled internally)
singlefile:somefile.txt (will target the file :\somefile.txt)
singlefile:somefolder/somefile.txt (will target the file :\somefolder\somefile.txt)

os:
os:mac
os:windows

driveletter: (windows only - default:c)
driveletter:c
driveletter:d


CVSS: 4.3

Learn more about the CANVAS Exploit Pack here: CANVAS