SlideShare a Scribd company logo

If You Tolerate This, Your Child Processes Will Be Next

B
Bart Leppens

Presentation given by Bart Leppens at Belgian OWASP chapter on 17th december 2013. This preso talks about BeEF, IPC and IPE. Web-browser exploiting internal network services and Cross-Site Faxing (XSF).

Technology
1 of 32
Download to read offline
If You Tolerate This Your Child Processes Will Be Next Bart Leppens
whoami Bart Leppens ● BeEF developer (since may 2012) ● Ported BeEF Bind shellcode to Linux ● Smashing the stack for FUN @bmantra In
Disclaimer ● The views and opinions expressed here are my own and do not necessarily represent those of my employer ● My employer has absolutely nothing to do with anything related to BeEF ● I’m not speaking in the representation of my company
What the talk? ● ● ● ● ● BeEF: Browser Exploitation Framework IPC: Inter-Protocol Communication IPE: Inter-Protocol Exploitation BeEF Bind Shellcode Binding shells with BeEF
BeEF: Browser Exploitation Framework ● ● ● ● Professional security tool Focus on client side attack vectors Real attack scenarios v1.0 by Wade Alcorn https://github.com/beefproject/beef http://beefproject.com
BeEF: Sesame Magic Browser “Internal server vulnerabilities are sitting there bored and lonely” - Michele Orru` // ”ActiveFax, you look very bored” - Bart Leppens
BeEF: Architecture
BeEF: A Whole Lot Of Modules ● Many different purposes ○ ○ ○ ○ Information gathering Social Engineering Network Discovery ... ● Easy to extend with your own modules ● Complex scenarios with RestFul API https://github.com/beefproject/beef http://beefproject.com
BeEF: DEMO
IPC: Inter-Protocol Communication ● Initial research by Wade Alcorn in 2006/2007 ● “Tolerant” protocol implementation that does not drop the client connection after N errors ● A properly encoded POST request can be send to the target: ○ HTTP Headers are parsed as BAD COMMANDS ○ HTTP request body is parsed as VALID COMMANDS (or as SHELLCODE)
IPC: Limitations ● Some ports are banned by the Browser (e.g. 21,25,110,..) ● Content-Type: text/plain or multipart/formdata ● Doesn’t work well with binary protocols => often not that tolerant
IPC: ActiveFax Server ● Extended research done by Michele Orru` & myself ● Widely used Fax solution ● Manual suggest port 3000 for RAW socket ● Protocol is very tolerant ● Commands are formatted as: @Fxxx data@
IPC: ActiveFax Server (example message) Sender...................... Bart Leppens, +1 11 112233-25 Recipient 1............... OWASP Belgium, Fax: 016 123456 Subject..................... IPC is cool Priority...................... Very High @F101 Bart Leppens@@F110 +1 11 112233-25@ @F201 OWASP Belgium@@F211 016 123456@ @F307 IPC is cool@ @F301 1@
IPC: ActiveFax Server (XHR) var xhr = new XMLHttpRequest(); var uri = "http://x.x.x.x:3000/"; xhr.open("POST", uri, true); xhr.setRequestHeader("Content-Type", "text/plain"); var post_body = "@F101 Bart Leppens@@F110 +1 11 11223325@@F201 OWASP Belgium@@F211 016 123456@@F307 IPC is cool@@F301 1@"; xhr.send(post_body);
IPC: ActiveFax Server (XHR) POST / HTTP/1.1 Host: 127.0.0.1:3000 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:24.0) Gecko/20100101 Firefox/24.0 .. Content-Type: text/plain; charset=UTF-8 Cache-Control: no-cache @F101 Bart Leppens@@F110 +1 11 112233-25@@F201 OWASP Belgium@@F211 016 123456@@F307 IPC is cool@@F301 1@
IPC: ActiveFax Server (Demo)
IPC: ActiveFax Server (Time-out) The ActiveFax RAW socket takes 60 seconds to time-out. We can fix that! 2 seconds is more then enough to send a FAX over a LAN network: xhr = new XMLHttpRequest(); .. xhr.send(post_body); setTimeout(function(){xhr.abort()}, 2000);
IPC: ActiveFax Server (Faster Demo)
IPE: Inter-Protocol Exploitation ● Research by Wade Alcorn (extension of IPC) ● Extended research in 2012 by Michele Orru` ○ QualCOMM WorldMail IMAP 3.0 ● More research in 2013 by Michele & myself ○ ActiveFax Server
IPE: Inter-Protocol Exploitation ● Need to send binary data ○ sendAsBinary (FF, Chrome) ● Same restrictions: tolerance, blocked ports ● More restrictions: header space, bad chars
IPE: ActiveFax 5.01 RAW Server Exploit ● bug found by Craig Freyman ● @F506 crashes after 1024 bytes ● Many bad characters: ○ 0x00 -> 0x19 ○ 0x40 (@) ● PoC modified to use IPE
IPE: ActiveFax (Metasploit Reverse shell)
IPE: ActiveFax (Demo)
BeEF Bind Shellcode ● Shellcode written by Ty Miller (Win32) ● Allows communication from the browser to a shell ○ Commands are proxied back and forth through the browser to cmd.exe ○ Stage is delivered through the browser as well
BeEF Bind Shellcode: The Stager ● Stager listens on a specified port for HTTP requests ● Ignores HTTP headers and looks for the egg “cmd=” which marks the start of our 2nd stage (or any stage you like) ● Allocate executable memory + copy ● Jump into the stage shellcode
BeEF Bind Shellcode: The Stage ● Stage listens on a specified port for HTTP requests as well ● Ignores HTTP headers and looks for “cmd=” which marks the start of our command ● Requests are proxied back and forth from the browser to a “cmd.exe” childprocess ● Access-Control-Allow-Origin: *
BeEF Bind Shellcode: ● Ported to Linux x86 and Linux x64 ○ stager and stage ● Can also be used compiled with RCE vulns ● Metasploit modules are available for easily encoding and removal of bad characters
IPE: ActiveFax (BeEF Bind + BeEF)
IPE: ActiveFax (Demo)
For those who can’t get enough ● Browser Hackers Handbook ○ Chapter 10: Attacking Networks ○ out march 2014 ○ 50% of revenues will be used for the BeEF project (testing infrastructure, etc..)
Thanks to ● ● ● ● OWASP Belgium (ISC)2 The other BeEF guys My wife for lending her laptop
Questions

Recommended

Fluentd Hacking Guide at RubyKaigi 2014
Fluentd Hacking Guide at RubyKaigi 2014Fluentd Hacking Guide at RubyKaigi 2014
Fluentd Hacking Guide at RubyKaigi 2014Naotoshi Seo
 
Interoperable PHP
Interoperable PHPInteroperable PHP
Interoperable PHPweltling
 
Hosts
HostsHosts
HostsKhoa Huu
 
Hacking Robotics(English Version)
Hacking Robotics(English Version)Hacking Robotics(English Version)
Hacking Robotics(English Version)Kensei Demura
 
Hosts
HostsHosts
HostsPutra Andriawan
 
BSides Ottawa 2019 - HTB Blue
BSides Ottawa 2019 - HTB BlueBSides Ottawa 2019 - HTB Blue
BSides Ottawa 2019 - HTB BlueDianaWhitney4
 
Nous Sommes Cyber - HTB Blue
Nous Sommes Cyber - HTB BlueNous Sommes Cyber - HTB Blue
Nous Sommes Cyber - HTB BlueDianaWhitney4
 
Hosts
HostsHosts
Hostsumer890
 

Recommended

Fluentd Hacking Guide at RubyKaigi 2014
Fluentd Hacking Guide at RubyKaigi 2014Fluentd Hacking Guide at RubyKaigi 2014
Fluentd Hacking Guide at RubyKaigi 2014Naotoshi Seo
 
Interoperable PHP
Interoperable PHPInteroperable PHP
Interoperable PHPweltling
 
Hosts
HostsHosts
HostsKhoa Huu
 
Hacking Robotics(English Version)
Hacking Robotics(English Version)Hacking Robotics(English Version)
Hacking Robotics(English Version)Kensei Demura
 
Hosts
HostsHosts
HostsPutra Andriawan
 
BSides Ottawa 2019 - HTB Blue
BSides Ottawa 2019 - HTB BlueBSides Ottawa 2019 - HTB Blue
BSides Ottawa 2019 - HTB BlueDianaWhitney4
 
Nous Sommes Cyber - HTB Blue
Nous Sommes Cyber - HTB BlueNous Sommes Cyber - HTB Blue
Nous Sommes Cyber - HTB BlueDianaWhitney4
 
Hosts
HostsHosts
Hostsumer890
 
The Future of C# and Visual Basic
The Future of C# and Visual BasicThe Future of C# and Visual Basic
The Future of C# and Visual BasicMicrosoft Developer Network (MSDN) - Belgium and Luxembourg
 
Hosts
HostsHosts
HostsIsnandar Daud
 
Hosts fpt
Hosts fptHosts fpt
Hosts fptHuy Nguyen Quoc
 
Hosts yes
Hosts yesHosts yes
Hosts yesAdil Khan
 
Hogy jussunk ki lezárt hálózatokból?
Hogy jussunk ki lezárt hálózatokból?Hogy jussunk ki lezárt hálózatokból?
Hogy jussunk ki lezárt hálózatokból?hackersuli
 
Keynote - Fluentd meetup v14
Keynote - Fluentd meetup v14Keynote - Fluentd meetup v14
Keynote - Fluentd meetup v14Treasure Data, Inc.
 
Hosts
HostsHosts
Hostshoaphung0510
 
Hosts
HostsHosts
HostsHo Ngoc Nhi
 
BlueHat v18 || The matrix has you - protecting linux using deception
BlueHat v18 || The matrix has you - protecting linux using deceptionBlueHat v18 || The matrix has you - protecting linux using deception
BlueHat v18 || The matrix has you - protecting linux using deceptionBlueHat Security Conference
 
.NET & C# Updates Fall 2019
.NET & C# Updates Fall 2019.NET & C# Updates Fall 2019
.NET & C# Updates Fall 2019Marco Parenzan
 
Fluentd Unified Logging Layer At Fossasia
Fluentd Unified Logging Layer At FossasiaFluentd Unified Logging Layer At Fossasia
Fluentd Unified Logging Layer At FossasiaN Masahiro
 
Hosts para a info
Hosts para a infoHosts para a info
Hosts para a infoalberth123
 
Hosts
HostsHosts
Hostsferdiannur
 
Asynchronous Io Programming
Asynchronous Io ProgrammingAsynchronous Io Programming
Asynchronous Io Programmingl xf
 
44CON 2014 - Breaking AV Software
44CON 2014 - Breaking AV Software44CON 2014 - Breaking AV Software
44CON 2014 - Breaking AV Software44CON
 
Intercepting Windows Printing by Modifying GDI Subsystem
Intercepting Windows Printing by Modifying GDI SubsystemIntercepting Windows Printing by Modifying GDI Subsystem
Intercepting Windows Printing by Modifying GDI SubsystemPositive Hack Days
 
Meet a parallel, asynchronous PHP world
Meet a parallel, asynchronous PHP worldMeet a parallel, asynchronous PHP world
Meet a parallel, asynchronous PHP worldSteve Maraspin
 
Hot potato Privilege Escalation
Hot potato Privilege EscalationHot potato Privilege Escalation
Hot potato Privilege EscalationSunny Neo
 
Hosts
HostsHosts
Hostslukenninja
 
Root via XSS
Root via XSSRoot via XSS
Root via XSSPositive Hack Days
 
Owasp AppSecEU 2015 - BeEF Session
Owasp AppSecEU 2015 - BeEF SessionOwasp AppSecEU 2015 - BeEF Session
Owasp AppSecEU 2015 - BeEF SessionBart Leppens
 
The internet of $h1t
The internet of $h1tThe internet of $h1t
The internet of $h1tAmit Serper
 

More Related Content

What's hot

Hogy jussunk ki lezárt hálózatokból?
Hogy jussunk ki lezárt hálózatokból?Hogy jussunk ki lezárt hálózatokból?
Hogy jussunk ki lezárt hálózatokból?hackersuli
 
BlueHat v18 || The matrix has you - protecting linux using deception
BlueHat v18 || The matrix has you - protecting linux using deceptionBlueHat v18 || The matrix has you - protecting linux using deception
BlueHat v18 || The matrix has you - protecting linux using deceptionBlueHat Security Conference
 
.NET & C# Updates Fall 2019
.NET & C# Updates Fall 2019.NET & C# Updates Fall 2019
.NET & C# Updates Fall 2019Marco Parenzan
 
Fluentd Unified Logging Layer At Fossasia
Fluentd Unified Logging Layer At FossasiaFluentd Unified Logging Layer At Fossasia
Fluentd Unified Logging Layer At FossasiaN Masahiro
 
Hosts para a info
Hosts para a infoHosts para a info
Hosts para a infoalberth123
 
Asynchronous Io Programming
Asynchronous Io ProgrammingAsynchronous Io Programming
Asynchronous Io Programmingl xf
 
44CON 2014 - Breaking AV Software
44CON 2014 - Breaking AV Software44CON 2014 - Breaking AV Software
44CON 2014 - Breaking AV Software44CON
 
Intercepting Windows Printing by Modifying GDI Subsystem
Intercepting Windows Printing by Modifying GDI SubsystemIntercepting Windows Printing by Modifying GDI Subsystem
Intercepting Windows Printing by Modifying GDI SubsystemPositive Hack Days
 
Meet a parallel, asynchronous PHP world
Meet a parallel, asynchronous PHP worldMeet a parallel, asynchronous PHP world
Meet a parallel, asynchronous PHP worldSteve Maraspin
 
Hot potato Privilege Escalation
Hot potato Privilege EscalationHot potato Privilege Escalation
Hot potato Privilege EscalationSunny Neo
 

What's hot (20)

The Future of C# and Visual Basic
The Future of C# and Visual BasicThe Future of C# and Visual Basic
The Future of C# and Visual Basic
 
Hosts
HostsHosts
Hosts
 
Hosts fpt
Hosts fptHosts fpt
Hosts fpt
 
Hosts yes
Hosts yesHosts yes
Hosts yes
 
Hogy jussunk ki lezárt hálózatokból?
Hogy jussunk ki lezárt hálózatokból?Hogy jussunk ki lezárt hálózatokból?
Hogy jussunk ki lezárt hálózatokból?
 
Keynote - Fluentd meetup v14
Keynote - Fluentd meetup v14Keynote - Fluentd meetup v14
Keynote - Fluentd meetup v14
 
Hosts
HostsHosts
Hosts
 
Hosts
HostsHosts
Hosts
 
BlueHat v18 || The matrix has you - protecting linux using deception
BlueHat v18 || The matrix has you - protecting linux using deceptionBlueHat v18 || The matrix has you - protecting linux using deception
BlueHat v18 || The matrix has you - protecting linux using deception
 
.NET & C# Updates Fall 2019
.NET & C# Updates Fall 2019.NET & C# Updates Fall 2019
.NET & C# Updates Fall 2019
 
Fluentd Unified Logging Layer At Fossasia
Fluentd Unified Logging Layer At FossasiaFluentd Unified Logging Layer At Fossasia
Fluentd Unified Logging Layer At Fossasia
 
Hosts para a info
Hosts para a infoHosts para a info
Hosts para a info
 
Hosts
HostsHosts
Hosts
 
Asynchronous Io Programming
Asynchronous Io ProgrammingAsynchronous Io Programming
Asynchronous Io Programming
 
44CON 2014 - Breaking AV Software
44CON 2014 - Breaking AV Software44CON 2014 - Breaking AV Software
44CON 2014 - Breaking AV Software
 
Intercepting Windows Printing by Modifying GDI Subsystem
Intercepting Windows Printing by Modifying GDI SubsystemIntercepting Windows Printing by Modifying GDI Subsystem
Intercepting Windows Printing by Modifying GDI Subsystem
 
Meet a parallel, asynchronous PHP world
Meet a parallel, asynchronous PHP worldMeet a parallel, asynchronous PHP world
Meet a parallel, asynchronous PHP world
 
Hot potato Privilege Escalation
Hot potato Privilege EscalationHot potato Privilege Escalation
Hot potato Privilege Escalation
 
Hosts
HostsHosts
Hosts
 
Root via XSS
Root via XSSRoot via XSS
Root via XSS
 

Similar to If You Tolerate This, Your Child Processes Will Be Next

Owasp AppSecEU 2015 - BeEF Session
Owasp AppSecEU 2015 - BeEF SessionOwasp AppSecEU 2015 - BeEF Session
Owasp AppSecEU 2015 - BeEF SessionBart Leppens
 
The internet of $h1t
The internet of $h1tThe internet of $h1t
The internet of $h1tAmit Serper
 
Возможности интерпретатора Python в NX-OS
Возможности интерпретатора Python в NX-OSВозможности интерпретатора Python в NX-OS
Возможности интерпретатора Python в NX-OSCisco Russia
 
The why and how of moving to php 7
The why and how of moving to php 7The why and how of moving to php 7
The why and how of moving to php 7Wim Godden
 
Stack-Based Buffer Overflows
Stack-Based Buffer OverflowsStack-Based Buffer Overflows
Stack-Based Buffer OverflowsDaniel Tumser
 
OSDC 2016 - Ingesting Logs with Style by Pere Urbon-Bayes
OSDC 2016 - Ingesting Logs with Style by Pere Urbon-BayesOSDC 2016 - Ingesting Logs with Style by Pere Urbon-Bayes
OSDC 2016 - Ingesting Logs with Style by Pere Urbon-BayesNETWAYS
 
Anton Mishchuk - Multi-language FBP with Flowex
Anton Mishchuk - Multi-language FBP with FlowexAnton Mishchuk - Multi-language FBP with Flowex
Anton Mishchuk - Multi-language FBP with FlowexElixir Club
 
Php Inside - confoo 2011 - Derick Rethans
Php Inside - confoo 2011 - Derick RethansPhp Inside - confoo 2011 - Derick Rethans
Php Inside - confoo 2011 - Derick RethansBachkoutou Toutou
 
Gears of Perforce: AAA Game Development Challenges
Gears of Perforce: AAA Game Development ChallengesGears of Perforce: AAA Game Development Challenges
Gears of Perforce: AAA Game Development ChallengesPerforce
 
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon YangPractical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon YangLyon Yang
 
Quick and Easy Device Drivers for Embedded Linux Using UIO
Quick and Easy Device Drivers for Embedded Linux Using UIOQuick and Easy Device Drivers for Embedded Linux Using UIO
Quick and Easy Device Drivers for Embedded Linux Using UIOChris Simmonds
 
Kernel bug hunting
Kernel bug huntingKernel bug hunting
Kernel bug huntingAndrea Righi
 
conjoon - The Open Source Webmail Client
conjoon - The Open Source Webmail Clientconjoon - The Open Source Webmail Client
conjoon - The Open Source Webmail ClientThorsten Suckow-Homberg
 
epoll() - The I/O Hero
epoll() - The I/O Heroepoll() - The I/O Hero
epoll() - The I/O HeroMohsin Hijazee
 
Jun Heider - Flex Application Profiling By Example
Jun Heider - Flex Application Profiling By ExampleJun Heider - Flex Application Profiling By Example
Jun Heider - Flex Application Profiling By Example360|Conferences
 
Advanced SOHO Router Exploitation XCON
Advanced SOHO Router Exploitation XCONAdvanced SOHO Router Exploitation XCON
Advanced SOHO Router Exploitation XCONLyon Yang
 
Multi-language FBP with flowex
Multi-language FBP with flowexMulti-language FBP with flowex
Multi-language FBP with flowexAnton Mishchuk
 
Multi language FBP with Flowex by Anton Mishchuk
Multi language FBP with Flowex by Anton Mishchuk Multi language FBP with Flowex by Anton Mishchuk
Multi language FBP with Flowex by Anton Mishchuk Pivorak MeetUp
 

Similar to If You Tolerate This, Your Child Processes Will Be Next (20)

Owasp AppSecEU 2015 - BeEF Session
Owasp AppSecEU 2015 - BeEF SessionOwasp AppSecEU 2015 - BeEF Session
Owasp AppSecEU 2015 - BeEF Session
 
The internet of $h1t
The internet of $h1tThe internet of $h1t
The internet of $h1t
 
Возможности интерпретатора Python в NX-OS
Возможности интерпретатора Python в NX-OSВозможности интерпретатора Python в NX-OS
Возможности интерпретатора Python в NX-OS
 
Monkey Server
Monkey ServerMonkey Server
Monkey Server
 
The why and how of moving to php 7
The why and how of moving to php 7The why and how of moving to php 7
The why and how of moving to php 7
 
Stack-Based Buffer Overflows
Stack-Based Buffer OverflowsStack-Based Buffer Overflows
Stack-Based Buffer Overflows
 
OSDC 2016 - Ingesting Logs with Style by Pere Urbon-Bayes
OSDC 2016 - Ingesting Logs with Style by Pere Urbon-BayesOSDC 2016 - Ingesting Logs with Style by Pere Urbon-Bayes
OSDC 2016 - Ingesting Logs with Style by Pere Urbon-Bayes
 
Anton Mishchuk - Multi-language FBP with Flowex
Anton Mishchuk - Multi-language FBP with FlowexAnton Mishchuk - Multi-language FBP with Flowex
Anton Mishchuk - Multi-language FBP with Flowex
 
Php Inside - confoo 2011 - Derick Rethans
Php Inside - confoo 2011 - Derick RethansPhp Inside - confoo 2011 - Derick Rethans
Php Inside - confoo 2011 - Derick Rethans
 
Gears of Perforce: AAA Game Development Challenges
Gears of Perforce: AAA Game Development ChallengesGears of Perforce: AAA Game Development Challenges
Gears of Perforce: AAA Game Development Challenges
 
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon YangPractical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
 
Quick and Easy Device Drivers for Embedded Linux Using UIO
Quick and Easy Device Drivers for Embedded Linux Using UIOQuick and Easy Device Drivers for Embedded Linux Using UIO
Quick and Easy Device Drivers for Embedded Linux Using UIO
 
DSA Day 2 PPT.pdf
DSA Day 2 PPT.pdfDSA Day 2 PPT.pdf
DSA Day 2 PPT.pdf
 
Kernel bug hunting
Kernel bug huntingKernel bug hunting
Kernel bug hunting
 
conjoon - The Open Source Webmail Client
conjoon - The Open Source Webmail Clientconjoon - The Open Source Webmail Client
conjoon - The Open Source Webmail Client
 
epoll() - The I/O Hero
epoll() - The I/O Heroepoll() - The I/O Hero
epoll() - The I/O Hero
 
Jun Heider - Flex Application Profiling By Example
Jun Heider - Flex Application Profiling By ExampleJun Heider - Flex Application Profiling By Example
Jun Heider - Flex Application Profiling By Example
 
Advanced SOHO Router Exploitation XCON
Advanced SOHO Router Exploitation XCONAdvanced SOHO Router Exploitation XCON
Advanced SOHO Router Exploitation XCON
 
Multi-language FBP with flowex
Multi-language FBP with flowexMulti-language FBP with flowex
Multi-language FBP with flowex
 
Multi language FBP with Flowex by Anton Mishchuk
Multi language FBP with Flowex by Anton Mishchuk Multi language FBP with Flowex by Anton Mishchuk
Multi language FBP with Flowex by Anton Mishchuk
 

Recently uploaded

Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsRoshan Dwivedi
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 

Recently uploaded (20)

Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 

If You Tolerate This, Your Child Processes Will Be Next

  • 1. If You Tolerate This Your Child Processes Will Be Next Bart Leppens
  • 2. whoami Bart Leppens ● BeEF developer (since may 2012) ● Ported BeEF Bind shellcode to Linux ● Smashing the stack for FUN @bmantra In
  • 3. Disclaimer ● The views and opinions expressed here are my own and do not necessarily represent those of my employer ● My employer has absolutely nothing to do with anything related to BeEF ● I’m not speaking in the representation of my company
  • 4. What the talk? ● ● ● ● ● BeEF: Browser Exploitation Framework IPC: Inter-Protocol Communication IPE: Inter-Protocol Exploitation BeEF Bind Shellcode Binding shells with BeEF
  • 5. BeEF: Browser Exploitation Framework ● ● ● ● Professional security tool Focus on client side attack vectors Real attack scenarios v1.0 by Wade Alcorn https://github.com/beefproject/beef http://beefproject.com
  • 6. BeEF: Sesame Magic Browser “Internal server vulnerabilities are sitting there bored and lonely” - Michele Orru` // ”ActiveFax, you look very bored” - Bart Leppens
  • 8. BeEF: A Whole Lot Of Modules ● Many different purposes ○ ○ ○ ○ Information gathering Social Engineering Network Discovery ... ● Easy to extend with your own modules ● Complex scenarios with RestFul API https://github.com/beefproject/beef http://beefproject.com
  • 10. IPC: Inter-Protocol Communication ● Initial research by Wade Alcorn in 2006/2007 ● “Tolerant” protocol implementation that does not drop the client connection after N errors ● A properly encoded POST request can be send to the target: ○ HTTP Headers are parsed as BAD COMMANDS ○ HTTP request body is parsed as VALID COMMANDS (or as SHELLCODE)
  • 11. IPC: Limitations ● Some ports are banned by the Browser (e.g. 21,25,110,..) ● Content-Type: text/plain or multipart/formdata ● Doesn’t work well with binary protocols => often not that tolerant
  • 12. IPC: ActiveFax Server ● Extended research done by Michele Orru` & myself ● Widely used Fax solution ● Manual suggest port 3000 for RAW socket ● Protocol is very tolerant ● Commands are formatted as: @Fxxx data@
  • 13. IPC: ActiveFax Server (example message) Sender...................... Bart Leppens, +1 11 112233-25 Recipient 1............... OWASP Belgium, Fax: 016 123456 Subject..................... IPC is cool Priority...................... Very High @F101 Bart Leppens@@F110 +1 11 112233-25@ @F201 OWASP Belgium@@F211 016 123456@ @F307 IPC is cool@ @F301 1@
  • 14. IPC: ActiveFax Server (XHR) var xhr = new XMLHttpRequest(); var uri = "http://x.x.x.x:3000/"; xhr.open("POST", uri, true); xhr.setRequestHeader("Content-Type", "text/plain"); var post_body = "@F101 Bart Leppens@@F110 +1 11 11223325@@F201 OWASP Belgium@@F211 016 123456@@F307 IPC is cool@@F301 1@"; xhr.send(post_body);
  • 15. IPC: ActiveFax Server (XHR) POST / HTTP/1.1 Host: 127.0.0.1:3000 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:24.0) Gecko/20100101 Firefox/24.0 .. Content-Type: text/plain; charset=UTF-8 Cache-Control: no-cache @F101 Bart Leppens@@F110 +1 11 112233-25@@F201 OWASP Belgium@@F211 016 123456@@F307 IPC is cool@@F301 1@
  • 17. IPC: ActiveFax Server (Time-out) The ActiveFax RAW socket takes 60 seconds to time-out. We can fix that! 2 seconds is more then enough to send a FAX over a LAN network: xhr = new XMLHttpRequest(); .. xhr.send(post_body); setTimeout(function(){xhr.abort()}, 2000);
  • 18. IPC: ActiveFax Server (Faster Demo)
  • 19. IPE: Inter-Protocol Exploitation ● Research by Wade Alcorn (extension of IPC) ● Extended research in 2012 by Michele Orru` ○ QualCOMM WorldMail IMAP 3.0 ● More research in 2013 by Michele & myself ○ ActiveFax Server
  • 20. IPE: Inter-Protocol Exploitation ● Need to send binary data ○ sendAsBinary (FF, Chrome) ● Same restrictions: tolerance, blocked ports ● More restrictions: header space, bad chars
  • 21. IPE: ActiveFax 5.01 RAW Server Exploit ● bug found by Craig Freyman ● @F506 crashes after 1024 bytes ● Many bad characters: ○ 0x00 -> 0x19 ○ 0x40 (@) ● PoC modified to use IPE
  • 22. IPE: ActiveFax (Metasploit Reverse shell)
  • 24. BeEF Bind Shellcode ● Shellcode written by Ty Miller (Win32) ● Allows communication from the browser to a shell ○ Commands are proxied back and forth through the browser to cmd.exe ○ Stage is delivered through the browser as well
  • 25. BeEF Bind Shellcode: The Stager ● Stager listens on a specified port for HTTP requests ● Ignores HTTP headers and looks for the egg “cmd=” which marks the start of our 2nd stage (or any stage you like) ● Allocate executable memory + copy ● Jump into the stage shellcode
  • 26. BeEF Bind Shellcode: The Stage ● Stage listens on a specified port for HTTP requests as well ● Ignores HTTP headers and looks for “cmd=” which marks the start of our command ● Requests are proxied back and forth from the browser to a “cmd.exe” childprocess ● Access-Control-Allow-Origin: *
  • 27. BeEF Bind Shellcode: ● Ported to Linux x86 and Linux x64 ○ stager and stage ● Can also be used compiled with RCE vulns ● Metasploit modules are available for easily encoding and removal of bad characters
  • 28. IPE: ActiveFax (BeEF Bind + BeEF)
  • 30. For those who can’t get enough ● Browser Hackers Handbook ○ Chapter 10: Attacking Networks ○ out march 2014 ○ 50% of revenues will be used for the BeEF project (testing infrastructure, etc..)
  • 31. Thanks to ● ● ● ● OWASP Belgium (ISC)2 The other BeEF guys My wife for lending her laptop