Tuesday, October 19, 2010

Adding XSSF to Metasploit Framework

The XSS Framework (XSSF) is able to manage victims of a generic XSS attack and hold an already existing connection in order to allow future attacks.
After injection of the generic attack (resource "loop" generated by XSSF), each victim will ask the attack server (every "x" seconds) if new commands are available:

Simple Script/HTML execution (XSSF auxiliary modules) on targeted victim or group of victims
MSF Exploit execution on targeted victim
XSS Tunnel with targeted victim

The advantage of having the project built within the Metasploit Framework is the ability to run exploits (on browsers for example) already included in MSF. In addition, new exploits can be executed on old victims already linked to the attack server.
Unlike the existing projects (BeEF, XeeK, XSSShell/XSSTunnel), XSSF gives the possibility to simply add and run attacks (adding modules), and execute already existing MSF exploit without installing third-party solutions (server, database ... [which are already provided by Ruby/MSF]). In addition, the ability to create XSS tunnels with targeted victims is a real advantage knowing that only XSSShell/XSSTunnel manages it but is not portable (ASP.NET).

More info: http://www.metasploit.com

No comments: