Some time ago, I was testing mbed’s USBMouse and USBKeyboard, and used
CookieClicker for the proof of
concept.
The idea of these libraries is that the microcontroller will tell the computer
“Hey, I’m a mouse” or “I’m a keyboard”, and we will program it to send the key
presses or movements we want. This can be used for all kinds of reasons, such as
security attacks: “Hey, I’m a keyboard. Launch the terminal, execute these
commands, close the terminal.”, but it can also be used for fun. Here, the mbed
will identify itself as a mouse, and send tons of left clicks without any delay
between them.
Thanks to the mbed’s libraries, you don’t need to configure the low level stuff
for USB communication, and the code is as simple as this:
#include "mbed.h"
#include "USBMouse.h"        // The library to work as a mouse

USBMouse mouse;              // Declare the object mouse
DigitalIn myInput(p5);       // Set an input to control when to send clicks

int main() {
    myInput.mode(PullDown);          // Internal pull-down in the input pin
    while (1) {                      // Forever:
        if (myInput.read() == 1)     // If the input button/switch is enabled
            mouse.click(MOUSE_LEFT); // click
    }
}
And here’s a video of the device in action:
Note: The computer does not actually lag like in the video. That was because of
the screen-recording software.
For the sake of keeping this post short, I’m not going to post schematics, but
it’s a really simple circuit: The switch is connected between the pin p5 and
Vout, and the USB was an old USB cable cut in half, soldered to some header
pins, and connected to the mbed’s USB pins as explained
here.
In my quest for fun, I also wrote a program with the USBKeyboard library to send
the key presses 0 to 9 time and time again. I replaced the switch with a button,
started a StarCraft 2 game, created 10 random control groups, and kept the button
pressed a few times during the beginning of the game. This way, we can inflate
our APM (Actions Per Minute) automatically. Here is the result:
I’ll have to try it again, keeping the button pressed for much longer (that 736
APM is just the average APM over the whole game), to see how high it can go.
Could it be possible to overflow a variable somewhere? We’ll see…
For those of you who don’t know it, “memondo network” is the Spanish company
behind a bunch of websites for memes, funny gifs, etc. And according to Alexa
they have quite a large amount of traffic (a couple of their sites being in the
top 3000 worldwide and in the Spanish top 200).
Well, a couple of days ago I found an XSS vulnerability in their search system
with a curious attack vector, so let’s take a look at it:
The vulnerable pages were http://www.$(SITE).com/buscar/0/
When you tried to search something, “DEVDEV” in our example, this GET request
was sent: http://www.cuantocabron.com/busqueda/0/devdev
After playing a bit with the search parameter, the first output of the value
(displayed to the user) seemed to be properly filtered, but the page navigation
buttons -prev, next- were not, so we should be able to inject code there:
But that injection is tricky… The vulnerable parameter is a link, and it’s
being processed by the server before echoing it to make it URL-friendly, which
means that any space would become %20 and any slash would screw the attack up.
That implies that you could get the code executed when you decoded those values
manually in the source code, but that would not be a feasible attack.
As far as I could tell, there was no way to bypass that problem, so I had to
think about a different attack vector… I couldn’t use tags with parameters
(because of the space between the tag name and the first attribute) and I could
not inject a script because of the slash in </script>, so… what about adding
attributes to the tag being injected?
It was dirty, it was anything but subtle and it required another step of social
engineering, but it did work and it might fool someone out there. Here’s a quick
example of how it could be done:
And when the victim’s mouse hovers over the link…
And that’s as far as I got. I did not wait to have anything prettier or better
and just reported it like that. I sent the email yesterday at 22.12, they were
very friendly about it and it had already been fixed by 12.00 today, so good job
on their part :)
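The root cause described above is that a value was made URL-friendly but never escaped for the HTML attribute it ended up in. Below is an added Python illustration (not code from the post or from the site) with a constructed search term and a simplified rendering of the “next” link; the fix percent-encodes the whole path segment and then HTML-escapes it before embedding.

```python
import html
from html.parser import HTMLParser
from urllib.parse import quote

# Constructed sample search term (not from the post): a double quote closes the
# href value, so extra attributes can follow even with spaces turned into %20.
SAMPLE_QUERY = 'devdev"title="injected'


def url_friendly(value: str) -> str:
    """Mimics the server-side step described in the post: only spaces and
    slashes are rewritten, every other character is echoed unchanged."""
    return value.replace(" ", "%20").replace("/", "%2F")


def render_next_link_vulnerable(query: str) -> str:
    # URL-friendly, but never escaped for the HTML attribute context.
    return '<a href="/busqueda/0/%s/2">next</a>' % url_friendly(query)


def render_next_link_fixed(query: str) -> str:
    # 1) percent-encode everything except unreserved characters (" ' < > & = / ...)
    # 2) HTML-escape the result, since it is placed inside an attribute value
    segment = html.escape(quote(query, safe=""), quote=True)
    return '<a href="/busqueda/0/%s/2">next</a>' % segment


class _AnchorAttrs(HTMLParser):
    """Collects the attributes a browser would see on the first <a> tag."""

    def __init__(self):
        super().__init__()
        self.attrs = {}

    def handle_starttag(self, tag, attrs):
        if tag == "a" and not self.attrs:
            self.attrs = dict(attrs)


def anchor_attributes(fragment: str) -> dict:
    parser = _AnchorAttrs()
    parser.feed(fragment)
    return parser.attrs


if __name__ == "__main__":
    print(anchor_attributes(render_next_link_vulnerable(SAMPLE_QUERY)))  # href + title
    print(anchor_attributes(render_next_link_fixed(SAMPLE_QUERY)))       # href only
```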
Using the widget QComboBox in Qt 4.8 is pretty easy, but the documentation can
be a little bit confusing the first time you want to use it, so here is a quick
example on how to use its basic features:
#include "mainwindow.h"   // declares MainWindow and its members (myGrid, myLabel, myComboBox)

MainWindow::MainWindow(QWidget *parent) : QDialog(parent)
{
    myGrid = new QGridLayout(this);
    myLabel = new QLabel("-");

    // <RELEVANT>
    myComboBox = new QComboBox();
    // we fill myComboBox with some stuff:
    myComboBox->addItem("AAA");
    myComboBox->addItem("BBB");
    myComboBox->addItem("CCC");
    myComboBox->addItem("DDD");
    // and we connect the signal to the appropriate slot:
    QObject::connect(myComboBox, SIGNAL(activated(int)), this, SLOT(mySlot(int)));
    // </RELEVANT>

    myGrid->addWidget(myComboBox, 0, 0, Qt::AlignLeft);
    myGrid->addWidget(myLabel, 1, 0, Qt::AlignLeft);
}

// The slot that will read our input and do something with it:
void MainWindow::mySlot(int idx)
{
    myLabel->setText(myComboBox->itemText(idx));
}
And now let’s take a look at how this simple example looks: