Well, the research done for the exploit for the joke on rsnake is sort of interesting, so I'll try to explain what was needed (even though it was unsuccessful).
This was done with the help of research by members of sla.ckers like ascii, Gareth Heyes, rsnake, Jeremiah Grossman, thornmaker, Wisec, kuza55 and me.
It exploited a bug and a feature from ha.ckers.org:
- bug: http://ha.ckers.org/xss.swf
- feature: http://ha.ckers.org/blog/wp-admin/anything is protected from everyone besides rsnake's and id's IPs.
- feature: XBL bindings.
Some bugs in NoScript:
- XBL frame injection to bypass NoScript's IFrame protection.
- setter/name NoScript anti-XSS filter bypass.
You can read the comments from Robert Hansen and Giorgio Maone about this exploit at ha.ckers.org and hackademix.net (oh, Jeremiah Grossman also talked about this here, and some others did in languages I don't understand).
The only thing the exploit required was that rsnake had ha.ckers.org whitelisted in NoScript, but it didn't succeed, for that and some other secret reasons.
To target the exploit just at rsnake, and hide it from other people, we did 3 things.
If this was unsuccessful because of the "SafeHistory" plugin, or for any other reason, we checked if his IP had access to the ha.ckers.org/blog/wp-admin/wp-admin.css stylesheet; if it had, we would try to exploit it.
To do that we played with the display:block/display:none properties of iframes, but if rsnake had NoScript's iframe protection enabled the exploit would be unsuccessful, so we added a -moz-binding to detect NoScript's presence and replace the iframe with a frameset/frame.
With that, we just redirected rsnake to the payload. The problem was that NoScript detects reflected XSS attacks, so we needed to find a way to bypass it, and we did.. (http://ha.ckers.org/xss.swf?a=0:0;a/**/setter=eval;b/**/setter=atob;a=b=name;)
That in un-obfuscated code is:
The reason this bug works was a mystery at the beginning, but after Wisec reconstructed the AS2 bytecode he saw that some variables were being appended to the URL, and after some more research this is the reason these guys found (explained by kuza55):
The Flash file looked like this:
That third parameter turned out to be the key (though we only found this by an absolute fluke); initially we just assumed the third parameter was saying it should be a GET request, but the third argument actually does more:
getURL(url [, window [, "variables"]])
variables: A GET or POST method for sending variables. If there are no variables, omit this parameter. The GET method appends the variables to the end of the URL, and is used for small numbers of variables. The POST method sends the variables in a separate HTTP header and is used for sending long strings of variables.
So we simply used this to finish off a valid statement with the ternary operator, and then specified our XSS.
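As an added illustration (my own model, not the code of xss.swf, which isn't shown here), this is what getURL with the "GET" option does to the URL, plus the scheme check that would have stopped it; it assumes the SWF took its target URL from a movie variable:

```javascript
// Model of Flash's getURL(url, window, "GET") behaviour, written for this post.
// It is NOT the code of ha.ckers.org/xss.swf. Assumption: the SWF took a target
// URL from its own variables and called getURL with "GET", so every movie
// variable (flashvar) got appended to that URL.

// Parse the query string handed to the SWF into movie variables (flashvars).
function parseFlashVars(query) {
  const vars = {};
  for (const pair of query.replace(/^\?/, "").split("&")) {
    if (!pair) continue;
    const i = pair.indexOf("=");
    const key = decodeURIComponent(i < 0 ? pair : pair.slice(0, i));
    vars[key] = i < 0 ? "" : decodeURIComponent(pair.slice(i + 1));
  }
  return vars;
}

// getURL with "GET": the variables are appended to the URL as "?k=v&k2=v2".
// Nothing checks what the URL is, so for a javascript: URL the appended text is
// parsed by the browser as script, and the "?" becomes the ternary operator the
// post talks about. Whether Flash percent-encodes the values doesn't change the
// point, so the model leaves them as they are.
function getUrlGet(url, vars) {
  const qs = Object.entries(vars).map(([k, v]) => k + "=" + v).join("&");
  return qs ? url + (url.includes("?") ? "&" : "?") + qs : url;
}

// The check the SWF needed: only navigate to http(s) URLs, and decide on the
// final URL (after the variables are appended), not on the bare target.
function isSafeNavigation(url, vars) {
  return /^https?:\/\//i.test(getUrlGet(url, vars));
}

// Constructed sample: a harmless javascript: target plus one flashvar.
const sampleVars = parseFlashVars("?a=0:0");
console.log(getUrlGet("javascript:void(0)", sampleVars)); // javascript:void(0)?a=0:0
console.log(isSafeNavigation("javascript:void(0)", sampleVars)); // false
console.log(isSafeNavigation("http://example.com/", sampleVars)); // true
```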
So we posted a comment with a link that might attract rsnake's attention when moderating the comments, and we only needed to wait..
Then we saw the anti-climax.. the comment was approved, and the payload wasn't triggered.. lol (hey spammers)
So we did another post, now with a link that appeared to be spam, and we did..
Anyway, that comment wasn't approved, and the exploit in there (which was clearly better hidden than the ultimatehxr.googlepages.com one) wasn't necessary.
So you can see the exploit here (it's commented :D):
If you want to know what blah1.html is, it's just how we were trying to detect wp-admin.css.
The last thing is to explain how the payload works.
1.- Via XMLHttpRequest, it requested the /post-new.php source code.
2.- It created an iframe and wrote the source code inside that iframe with a.. "< base target="/wp-admin">"
3.- Then it submitted the first form, modifying the title, content and tags fields, and clicking on publish (yeah, we wanted the payload to have tags).
4.- And that was all, no RegEx.match for finding nonces, nothing :P..
You can see the content of the post as it would have appeared if the exploit had succeeded here: