Welcome to the full schedule of the OWASP AppSec Research EU 2013 conference days. You’ll find the schedule for the training days at http://trainings2013.appsec.eu
Back To Schedule
Thursday, August 22 • 11:00am - 11:45am
Rooting your internals: Inter-Protocol Exploitation, custom shellcode and BeEF

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

Inter-protocol Exploitation removes browser-based attacks from being dependent upon browser vulnerabilities. It increases the number of potential exploits to include many service vulnerabilities throughout the internal corporate network. This includes whatever service can be contacted via a browser request.

Multiple protocols like IMAP, SMTP, POP, SIP, IRC and others are "tolerant" to errors, and they don't reset the connection with the client if they receive data that is not compliant with the protocol grammar. This leads to the possibility of interacting with such protocols with HTTP requests, even without the need of a SOP bypass.

During the talk, we will see a demonstration on how to compromise an IMAP server that sits in the victim's internal network through its browser hooked in BeEF.

This will include disabling the browser's PortBanning, identifying the victim's internal network IP and the live hosts in the subnet, followed by a port scan and finally sending the custom BeEF Bind shellcode after the IMAP service has been localized.


Michele Orrú

Michele Orrù (@antisnatch0r) from Sardinia, co-maintainer of the BeEF project, will demonstrate how web-attacks can cross protocol and network boundaries and get access to the most precious data behind them Intranet fences. Prepare for scare.

Thursday August 22, 2013 11:00am - 11:45am CEST
Aussichtsreich Emporio