Saturday, November 24, 2012

The end of Windows sidebar gadgets

So... after doing the con-tour at Blackhat, Defcon, Brucon and BsidesPDX
(which was AWESOME!!! btw),
it is time to summarise it all and share the knowledge. Below are the links and a short description of all the relevant files.

  1. Demo proxy code - Source code for the simple Python HTTP proxy, modified to intercept clear-text JS requests and replace them with a custom payload. There is also a link to a file holding the decoded payloads, which makes them quick to understand.
  2. Demo gadgets - These are not zipped files; they are the actual folders of the gadgets as they appear in the Windows file system. To install the gadgets, download+zip+rename to '.gadget' and double click.
The interesting technical part is located in gadget.html; that's where the code resides.

  • Gmail demo gadget - Gadget that opens a Gmail URL, assuming the user never logs out. The gadget then uses keyboard shortcuts to send an email to all the user's contacts.
  • Wire transfer demo gadget - Gadget that opens a URL to a demo web page of a banking web site. The assumption here is that the user stores their credentials in the browser, leaving the gadget to simply hit 'Enter' and log in. Look in gadget.html to see the commented source code.
  • Open calc gadget - This one opens the calculator by only sending keystrokes to the OS. Take a look in gadget.html for a giggle :)
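
A defender-side check for the clear-text JS loads that the proxy in item 1 depends on, added here as an example that is not part of the original post or its demo files: it opens a '.gadget' archive (a renamed zip, as described above) and lists every script URL that an HTML file inside it would fetch over plain HTTP. The sample archive, the example.test host and all function names are constructed for illustration.

```python
import io
import zipfile
from html.parser import HTMLParser
from urllib.parse import urlsplit


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src.strip())

def cleartext_scripts(html_text):
    """Return script URLs that would be fetched over plain HTTP."""
    parser = ScriptSrcCollector()
    parser.feed(html_text)
    return [s for s in parser.sources if urlsplit(s).scheme.lower() == "http"]

def audit_gadget(gadget_bytes):
    """Map each HTML file in a .gadget (zip) archive to its clear-text script URLs."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(gadget_bytes)) as archive:
        for name in archive.namelist():
            if name.lower().endswith((".html", ".htm")):
                text = archive.read(name).decode("utf-8", errors="replace")
                hits = cleartext_scripts(text)
                if hits:
                    findings[name] = hits
    return findings

def build_sample_gadget():
    """Constructed sample: an in-memory .gadget with HTTP, HTTPS and local scripts."""
    html = ('<html><head>'
            '<script src="http://widgets.example.test/feed.js"></script>'
            '<script SRC="https://widgets.example.test/ui.js"></script>'
            '<script src="local.js"></script></head><body></body></html>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("gadget.html", html)
    return buf.getvalue()

if __name__ == "__main__":
    print(audit_gadget(build_sample_gadget()))
```

Any URL it reports is a script that anything sitting on the network path can rewrite before the gadget runs it.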