Feature #2995

Adding XSSF to Metasploit Framework

Added by Ludovic Courgnaud over 1 year ago. Updated 4 months ago.

Status: New
Start date: 10/19/2010
Priority: Normal
Due date:
Assignee: -
% Done: 0%
Category: -
Target version: Open Backlog
Resolution:
How To Use:
Release Note:

Description

The XSS Framework (XSSF) is able to manage victims of a generic XSS attack and hold an already existing connection in order to allow future attacks.

After injection of the generic attack (resource "loop" generated by XSSF), each victim will ask the attack server (every "x" seconds) if new commands are available:
  • Simple Script/HTML execution (XSSF auxiliary modules) on targeted victim or group of victims
  • MSF Exploit execution on targeted victim
  • XSS Tunnel with targeted victim

The advantage of having the project built within the Metasploit Framework is the ability to run exploits (on browsers for example) already included in MSF. In addition, new exploits can be executed on old victims already linked to the attack server.

Unlike the existing projects (BeEF, XeeK, XSSShell/XSSTunnel), XSSF gives the possibility to simply add and run attacks (adding modules), and execute already existing MSF exploits without installing third-party solutions (server, database ... [which are already provided by Ruby/MSF]). In addition, the ability to create XSS tunnels with targeted victims is a real advantage knowing that only XSSShell/XSSTunnel manages it but is not portable (ASP.NET).

Videos showing how XSSF works (using XSS in default WAMP installation):

XSSF has been tested on the following browsers (with default installs):
  • Mozilla Firefox (2, 3, 3.5, 3.6, 4)
  • Google Chrome (5, 6 Beta)
  • Microsoft Internet Explorer (6, 7, 8, 9 Preview)
  • Apple Safari (3, 4, 5)
  • Opera (9, 10)

XSSF.zip (118.6 kB) Ludovic Courgnaud, 10/19/2010 02:36 am

XSSF.zip (118.6 kB) Ludovic Courgnaud, 10/21/2010 07:38 am

History

Updated by Ludovic Courgnaud over 1 year ago

Solving UTF-8 BOM (Byte Order Mark) problem for some users

A few people had an encoding error when starting MSF with XSSF:

[...]
[-] /opt/metasploit3/msf3/modules/auxiliary/xssf/web_services.rb: 
SyntaxError /usr/lib/ruby/1.8/rubygems/custom_require.rb:31:in `gem_original_require': 
/opt/metasploit3/msf3/lib/msf/base/xssf/xssfproxy.rb:1: Invalid char `\357' in expression
/opt/metasploit3/msf3/lib/msf/base/xssf/xssfproxy.rb:1: Invalid char `\273' in expression
/opt/metasploit3/msf3/lib/msf/base/xssf/xssfproxy.rb:1: Invalid char `\277' in expression
[...]

The problem was that some files were backed up with invisible UTF-8 markers encoding unsupported by certain versions of Ruby :-(

Please take this new version solving the problem!
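The octal bytes \357 \273 \277 in the error above are EF BB BF, the UTF-8 byte order mark at the start of the file. The following is an added example, not part of the original post or of XSSF, showing one way to find and strip that marker from Ruby sources under a directory; the function names and the demo file tree are assumptions constructed for illustration.

```ruby
require 'tmpdir'
require 'fileutils'

# UTF-8 byte order mark (EF BB BF); the error log shows it in octal as \357 \273 \277.
BOM = "\xEF\xBB\xBF".b

# Return the sorted paths of all .rb files under root whose first three bytes are the BOM.
def files_with_bom(root)
  Dir.glob(File.join(root, '**', '*.rb')).sort.select do |path|
    File.file?(path) && File.binread(path, 3) == BOM
  end
end

# Rewrite the file without its leading BOM. Returns true if the file was changed.
def strip_bom!(path)
  data = File.binread(path)
  return false unless data.start_with?(BOM)
  File.binwrite(path, data.byteslice(3..-1))
  true
end

# Constructed demo: a temporary tree with one file saved with a BOM and one without.
def demo
  Dir.mktmpdir do |root|
    dir = File.join(root, 'lib', 'msf', 'base', 'xssf')
    FileUtils.mkdir_p(dir)
    File.binwrite(File.join(dir, 'xssfproxy.rb'), BOM + "puts 'proxy'\n")
    File.binwrite(File.join(dir, 'clean.rb'), "puts 'clean'\n")

    before = files_with_bom(root).map { |p| File.basename(p) }
    files_with_bom(root).each { |p| strip_bom!(p) }
    { before: before,
      after: files_with_bom(root),
      content: File.binread(File.join(dir, 'xssfproxy.rb')) }
  end
end

if __FILE__ == $PROGRAM_NAME
  if ARGV[0]
    # Report only; call strip_bom! on the listed paths to fix them.
    files_with_bom(ARGV[0]).each { |p| puts "BOM found: #{p}" }
  else
    p demo
  end
end
```

Run with a directory argument to list affected files without modifying them.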

Updated by James Lee about 1 year ago

  • Target version changed from Metasploit 3.5.1 to 54

Feature that didn't make it into 3.5.1; pushing.

Updated by James Lee about 1 year ago

  • Target version changed from 54 to Metasploit 3.6

Updated by HD Moore 4 months ago

  • Target version changed from Metasploit 3.6 to Open Backlog
