Posts Tagged ‘linux’

PowerShell, Shellcode, metasploit, x64

May 15th, 2012

This is a quick blog post based on my slides from the May 2012 NovaHackers Meeting.

Two posts got me started looking at PowerShell and its ability to execute shellcode:

http://www.exploit-monday.com/2011/10/exploiting-powershells-features-not.html

and

http://0entropy.blogspot.com/2012/04/powershell-metasploit-meterpreter-and.html

The first post talks about executing shellcode and gives the calc.exe example. These examples work on x64 and x86. yay!

The second post talks about doing something more than calc.exe…getting shell whooo hooooo

You can review the code, but it only shows an x86/32-bit shellcode. This will fail miserably on x64.

I initially thought it would be an easy fix, just grab an x64 payload from MSF. The problem is there are no x64 http/https payloads…

CG was a sad panda.

This left me with two options:

Suck it up and use an existing x64 payload (like rev_tcp) or just pop calc.exe to prove how awesome I am during pentests

or

Invoke 32 bit PowerShell and run 32 bit shellcode (now we get http/https payloads)

So googling turned up a way to tell PowerShell to use the x86 version even on x64. The solution I used was here: http://www.viveksharma.com/TECHLOG/archive/2008/12/03/running-scripts-that-only-work-under-32bit-cleanly-in-64bit.aspx

You will need to set the execution policy for the v1.0 PowerShell, or possibly try a bypass technique.

I ended up adding this to Nicolas’ code before it started doing its thing (line 24). It detects if it’s not x86 and just re-runs the script, and so the shellcode, with the x86 PowerShell. You’ll have to set the execution policy for it first.

[Byte[]]$sc = $sc32
# PROCESSOR_ARCHITECTURE reads "x86" inside a 32-bit process, even on 64-bit Windows
if ($env:Processor_Architecture -ne "x86")
{
  write-warning "WTF!  This is 64x, switching to 32x and continuing script."
  # Re-run this same script under the 32-bit PowerShell that ships in SysWOW64.
  # Note: powershell.exe treats everything after "-file <path>" as arguments to the
  # script, so the trailing -executionpolicy switch is passed to the script rather
  # than applied; that is why the execution policy must already allow the script.
  &"$env:windir\syswow64\windowspowershell\v1.0\powershell.exe" -noprofile -file $myinvocation.Mycommand.path -executionpolicy bypass
  exit
}

Now it works.

Remember that you have to migrate out of the PowerShell process.
Much like the Office macro and shellcode exec, if the user closes Office, or you exit the PowerShell process, the shell goes bye-bye.
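As an added example (not part of this post and not Nicolas’ code), here is the defender’s side of the relaunch above: a Python check over constructed, Sysmon-style process-creation events that flags a SysWOW64 powershell.exe started by the 64-bit one with -noprofile, -file and an execution-policy bypass on its command line. The field names, paths and user names are assumptions.

```python
"""Detect the 64-bit -> 32-bit PowerShell relaunch from the post in process-creation
telemetry. Added example, not from the post; the events below are constructed and
the Sysmon-style field names are an assumption."""
import re

WOW64_PS = re.compile(r"\\syswow64\\windowspowershell\\v1\.0\\powershell\.exe$", re.I)
ANY_PS = re.compile(r"\\powershell\.exe$", re.I)
BYPASS = re.compile(r"-(ex\w*|ep)\s+bypass", re.I)   # -ex, -exec, -executionpolicy, -ep
NOPROFILE = re.compile(r"-nop(rofile)?\b", re.I)
SCRIPT_FILE = re.compile(r"-f(ile)?\s+\S+\.ps1", re.I)

# Constructed sample events (hypothetical hosts, users and paths), not real telemetry.
SAMPLE_EVENTS = [
    {   # the relaunch from the post: 64-bit powershell spawns the SysWOW64 copy
        "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": r'"C:\Windows\syswow64\windowspowershell\v1.0\powershell.exe" '
                        r"-noprofile -file C:\Users\bob\Downloads\run.ps1 -executionpolicy bypass",
    },
    {   # benign: an admin opening the 32-bit console by hand from Explorer
        "parent_image": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": r'"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"',
    },
    {   # benign: a 64-bit scheduled script, no relaunch involved
        "parent_image": r"C:\Windows\System32\svchost.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": r"powershell.exe -NoProfile -File C:\Scripts\backup.ps1",
    },
    {   # borderline: a 32-bit installer running its own post-install script (one indicator)
        "parent_image": r"C:\Program Files (x86)\Vendor\setup.exe",
        "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": r"powershell.exe -File C:\Vendor\post.ps1",
    },
]


def score_event(ev):
    """Return the reasons an event matches the relaunch pattern; [] when it does not."""
    if not WOW64_PS.search(ev["image"]):
        return []          # only the SysWOW64 copy of powershell.exe is of interest
    reasons = []
    if ANY_PS.search(ev["parent_image"]) and not WOW64_PS.search(ev["parent_image"]):
        reasons.append("spawned by the 64-bit powershell.exe")
    cmd = ev["command_line"]
    if BYPASS.search(cmd):
        reasons.append("execution policy bypass on the command line")
    if NOPROFILE.search(cmd):
        reasons.append("-noprofile")
    if SCRIPT_FILE.search(cmd):
        reasons.append("re-runs a .ps1 via -file")
    return reasons


def find_relaunches(events, min_reasons=2):
    """Indexes of events with at least min_reasons indicators. A lone 32-bit console
    opened from Explorer scores zero; the installer case scores one and is not reported."""
    return [i for i, ev in enumerate(events) if len(score_event(ev)) >= min_reasons]


if __name__ == "__main__":
    for i in find_relaunches(SAMPLE_EVENTS):
        print(i, SAMPLE_EVENTS[i]["command_line"], score_event(SAMPLE_EVENTS[i]))
```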

References:

http://0entropy.blogspot.com/2012/04/powershell-metasploit-meterpreter-and.html
http://www.exploit-monday.com/2011/11/powersyringe-powershell-based-codedll.html
http://www.exploit-monday.com/2011/10/exploiting-powershells-features-not.html
http://www.obscuresecurity.blogspot.com/2011/08/powershell-executionpolicy.html
http://www.viveksharma.com/TECHLOG/archive/2008/12/03/running-scripts-that-only-work-under-32bit-cleanly-in-64bit.aspx


Windows Live Messenger – MessengerCache folder

May 15th, 2012

A recent case was unusual because most of the ipoc were located by the police examiner in a folder entitled MessengerCache at the path C:\Users\<user_name>\AppData\Local\Temp\MessengerCache.

My mission was to have a closer look at how this folder is utilised by the program Windows Live Messenger.  The folder is a hidden folder and is used for various purposes by WLM.  I found that the folder can be used to store the user tile (this may be an icon or a thumbnail photograph or graphic) and theme picture of a remote contact. Of course the remote user (who could be anywhere in the world) can change these at any time to a contraband image.  In Figure 1 below the screenshot shows the Windows Live Messenger program running upon the local user’s computer. The two photographs arrowed and labelled as Remote User Tile and Remote User Theme Picture respectively have been received from the remote user Mars with whom the local user is engaged in an instant messaging conversation.

[Figure 1: Windows Live Messenger running on the local user’s computer, with the Remote User Tile and Remote User Theme Picture received from the remote user Mars]

It is also possible for a remote contact anywhere in the world whilst engaged in an instant messaging conversation with the local user to drag a picture file into the conversation window. This results in the picture concerned appearing in the local user’s conversation window in full size and thumbnail form and at the same time a copy of the picture and a thumbnail version are stored within the MessengerCache folder. In the case that the picture concerned was ipoc the local user’s only immediate option would be to close the conversation window. He would be unlikely to be aware that the photograph concerned was now stored upon his own computer in the MessengerCache folder. In figure 2 the screenshot shows the local user’s conversation window after the remote user Mars has dragged a photograph of tulips into his conversation window. This has caused the local user’s conversation window to also display the tulip pictures. The tulip photograph would also be stored in full and thumbnail versions within the local user’s MessengerCache folder.

[Figure 2: the local user’s conversation window after the remote user Mars dragged a photograph of tulips into his own conversation window]

Figure 3 below illustrates a forensic examination of the local user’s MessengerCache folder. It can be seen that it contains the Remote User Tile and Remote User Theme Picture together with three different versions (they differ in resolution) of the Tulip picture. At this point none of these five pictures were solicited or accepted by the local user.

[Figure 3: forensic examination of the local user’s MessengerCache folder, showing the Remote User Tile, the Remote User Theme Picture and three resolutions of the tulip picture]

In the case referred to the prosecution, after discussions at court, offered no evidence in respect to all the counts on the indictment that relied on the pictures located within the MessengerCache folder.  The defendant pleaded guilty to one count of possession not related to the MessengerCache pictures.


Old Servers never die – unfortunately

May 15th, 2012

But you can bet your last penny that at some stage you will have to image them.  That is the problem I faced one wet weekend recently when I was required to image an HP behemoth resplendent with two sizable RAID 5 arrays and two USB 1 ports.  All drive bays and ports were in use so I could not insert a new drive into the box to image it, and I didn’t fancy imaging all the elderly SCSI RAIDed hard drives separately.  I was permitted to shut down the server and had decided to boot the box to a forensic Linux distro that had suitable HP RAID controller drivers.

The problem I faced was USB1.  Obviously I needed to output my images somewhere and an external USB hard drive was an option.  But the maths didn’t add up – the maximum bandwidth of a USB1 port is 12 megabits per second (Mbps) which equates to 1.5 megabytes per second (MB/s) which equates to 5.4 Gigabytes per hour.  There were not going to be enough hours in this weekend to image both arrays on the server. 

What I did next I thought might be worth sharing with you.  I used dd to create a source image, netcat to pipe it to an onsite laptop across a network and ewfacquirestream to capture the dd image, hash it and write it into EnCase evidence files. It can be carried out entirely at the command line.  Crucially I achieved an imaging speed of about 25 MB/s, which is 1.46 gigabytes a minute or nearly 88 gigabytes an hour, using gigabit network interface cards.  In testing I have achieved 39 gigabytes an hour using 10/100 NICs.

Method to image computers across a network

  1. I connected my onsite laptop and the server via Cat5E cables to a Netgear GS105 5 port gigabit switch.  I attached a 2TB external hard drive to my onsite laptop and booted both the server and my laptop to a DEFT 7 forensic Linux distro.
  2. Configure Ethernet settings on both machines, using gigabit NICs (10/100/1000) if available
    • Launch terminal and at prompt type sudo su
    • At prompt type ifconfig to identify network cards
    • At prompt type ifconfig eth0 192.168.0.100 on the onsite laptop and ifconfig eth0 192.168.0.101 on the machine to be imaged (these commands assume that you are plugged into eth0 – if there is more than one NIC on the computer to be imaged it might be eth1 or higher)
    • Test connection by typing at prompt ping -c 5 192.168.0.100 or ping -c 5 192.168.0.101 as appropriate
  3. On on-site laptop
    • Connect collection hard disk drive
    • Launch terminal and at prompt type sudo su
    • At prompt type fdisk -l to identify storage drive
    • Create a folder to mount the storage drive to by typing mkdir /mnt/(name of your folder)
    • Next mount the storage drive to your folder by typing mount /dev/(sdb2 or whatever) /mnt/(name of your folder)
    • Now we create a netcat listener and a pipe to ewfacquirestream – at prompt type, but don’t press enter just yet, nc -l 1234 | ewfacquirestream -c none -b 4096 -C case_number -D description -w -E evidence_number -e 'Richard Drinkwater' -t /mnt/(name of your folder)/(name of your evidence files)
      [relevant switches: -c compression type: none, fast or best; -b amount of sectors to read at once: 64, 128, 256, 512, 1024, 2048, 4096, 8192, 16384 or 32768; the case number, description, evidence number, examiner name and target path change to suit, and single quote marks ('-- --') group more than one word]
  4. On machine to be imaged
    • At prompt type sudo su
    • At prompt type fdisk -l to identify drive to be imaged
    • Next we prepare to dd the drive to be imaged and pipe it to netcat – at prompt type dd if=/dev/sdb conv=noerror,sync bs=4096 | nc 192.168.0.100 1234 but don’t press enter (if you are imaging a server with an HP RAID card the command might look something like dd if=/dev/cciss/c0d0 bs=4096 conv=noerror,sync | nc 192.168.0.100 1234)
  5. Start imaging process by
    • Press enter within terminal on onsite laptop first to start netcat listener
    • Then press enter within terminal on machine to be imaged to start dd
  6. When the acquisition completes ewfacquirestream outputs the MD5 hash calculated over the data to the terminal. Either photograph this value or copy and paste it to a text file on your collection hard disk drive.
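The dd | nc to nc | ewfacquirestream pipeline above, as an added example written for this post rather than taken from it: both ends run on localhost in Python, the receiver writing 4096-byte blocks to a raw file and hashing the stream as it arrives, with a constructed source file standing in for the device (the EWF container itself is not reproduced).

```python
"""Streaming acquisition over TCP: the dd | nc sender and the nc -l | ewfacquirestream
receiver from the post, modelled in Python on localhost. Added example, not from the
post: the receiver writes a raw file instead of EWF evidence files, and the source is
a constructed file rather than a block device."""
import hashlib
import os
import socket
import tempfile
import threading

BLOCK = 4096  # the bs=4096 / -b 4096 block size used in the post


def receive_stream(server_sock, out_path):
    """Collection side. Accept one connection, write every block to out_path as it
    arrives and hash the stream; returns (bytes_written, md5) once the sender closes."""
    digest = hashlib.md5()
    total = 0
    conn, _ = server_sock.accept()
    with conn, open(out_path, "wb") as out:
        while True:
            chunk = conn.recv(BLOCK)
            if not chunk:  # sender reached the end of its source and closed
                break
            out.write(chunk)
            digest.update(chunk)
            total += len(chunk)
    return total, digest.hexdigest()


def send_stream(src_path, host, port):
    """Source side (dd if=... bs=4096 | nc host port). Read fixed-size blocks, push
    them down the socket and return the MD5 of what was read, for comparison."""
    digest = hashlib.md5()
    with open(src_path, "rb") as src, socket.create_connection((host, port)) as conn:
        while True:
            block = src.read(BLOCK)
            if not block:
                break
            conn.sendall(block)
            digest.update(block)
    return digest.hexdigest()


def acquire_over_network(src_path, out_path):
    """Run both ends on localhost; returns (bytes_received, receiver_md5, sender_md5).
    The listener is bound and listening before the sender connects, mirroring step 5
    of the post (start the netcat listener first, then dd)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # ephemeral port stands in for the fixed 1234 in the post
    srv.listen(1)
    port = srv.getsockname()[1]
    result = {}
    listener = threading.Thread(
        target=lambda: result.update(recv=receive_stream(srv, out_path)))
    listener.start()
    sender_md5 = send_stream(src_path, "127.0.0.1", port)
    listener.join()
    srv.close()
    total, receiver_md5 = result["recv"]
    return total, receiver_md5, sender_md5


def run_demo(size=64 * BLOCK + 123):
    """Image a constructed source (deterministic bytes, not a real disk; the odd tail
    exercises a final partial block). Returns (bytes, receiver_md5, sender_md5, expected)."""
    data = (bytes(range(256)) * (size // 256 + 1))[:size]
    with tempfile.TemporaryDirectory() as d:
        src, dst = os.path.join(d, "source.img"), os.path.join(d, "acquired.raw")
        with open(src, "wb") as f:
            f.write(data)
        total, receiver_md5, sender_md5 = acquire_over_network(src, dst)
        with open(dst, "rb") as f:
            on_disk = f.read()
    if on_disk != data:
        raise RuntimeError("acquired image differs from source")
    return total, receiver_md5, sender_md5, hashlib.md5(data).hexdigest()


if __name__ == "__main__":
    print(run_demo())
```

The hash the receiver prints at the end is the value step 6 tells you to record; comparing it with a hash taken at the source end is how you catch a transfer that went wrong.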


Notes re imaging speed

In testing where the NICs are both gigabit, speeds of over 40 MB/s (144 GB/h) can be achieved. With 10/100 NICs up to 11 MB/s (39.6 GB/h) can be expected. Compression and block size do affect imaging speed and if you have time it may be worth fine-tuning these settings. The settings shown in this post are probably a good starting point. To fine-tune, run the imaging process with the settings in this post. After 5 minutes or so, if you are getting poor speeds, stop the process and try adjusting the compression setting on the onsite laptop (i.e. change from none to fast). Sometimes either doubling or halving the block size on both source and receiver machines can make a difference also.


Multiple Human Rights, Foreign Policy Sites Hacked

May 15th, 2012

A rash of recent and ongoing targeted attacks involving compromises at high-profile Web sites should serve as a sobering reminder of the need to be vigilant about applying browser updates. Hackers have hit a number of prominent foreign policy and human rights group Web sites, configuring them to serve spyware by exploiting newly patched flaws in widely used software from Adobe and Oracle.

The latest reports of this apparent cyberspy activity come from security experts at Shadowserver.org, a nonprofit that tracks malware attacks typically associated with so-called “advanced persistent threat” (APT) actors. APT is a controversial term that means many things to different folks, but even detractors of the acronym’s overuse acknowledge that it has become a useful shorthand for “We’re pretty sure it came from China.”

A diagram depicting the (since-cleaned) attack on the Website of the Center for Defense Information.

One look at the list of the sites found to be currently serving an exploit to attack a newly-patched Adobe Flash Player vulnerability (CVE-2012-0779) shows how that shorthand is earned. Shadowserver uncovered Flash exploits waiting for visitors of the Web sites for Amnesty International Hong Kong and the Center for Defense Information, a Washington, D.C. think-tank. The home page for the International Institute for Counter-Terrorism was found to be serving up malware via a recent Oracle Java vulnerability (CVE-2012-0507), while the Cambodian Ministry of Foreign Affairs site was pointing to both Flash and Java exploits.

“In recent months we have continued to observe 0-day vulnerabilities emerging following discovery of their use in the wild to conduct cyber espionage attacks,” wrote Shadowserver volunteers Steven Adair and Ned Moran, in a blog post about the attacks, which they dubbed “strategic Web compromises.”

“Frequently by the time a patch is released for the vulnerabilities, the exploit has already been the wild for multiple weeks or months — giving the attackers a very large leg up,” they wrote. “The goal is not large-scale malware distribution through mass compromises. Instead the attackers place their exploit code on websites that cater towards a particular set of visitors that they might be interested in.”

The discoveries come just days after security vendor Websense found that the site for Amnesty International United Kingdom (AIUK)  was hosting the same Java exploit. According to Shadowserver, other sites that were compromised by remarkably similar attacks but since cleaned include those belonging to the American Research Center in Egypt, the Institute for National Security Studies, and the Center for European Policy Studies.

Shadowserver experts believe that many of the attacks above are likely the work of the same hacking group. For example, Adair and Moran said they found “a clear connection” between the hackers who compromised the AIUK site in this incident and a separate attack on the same site in December 2011, a break-in first reported by KrebsOnSecurity.com. Some of the common elements in the attacks include identical Internet addresses and files (down to the same internal metadata) used in different attacks.

Adair and Moran also called attention to targeted attacks that leverage the Flash flaw (CVE-2012-0779) via Microsoft Word documents, which have the built-in ability to invoke Flash objects. Mila Parkour, the author of the Contagiodump blog, on May 6 published an exhaustive look at just such an attack.

I hope it is obvious to readers that the exploits leveraged in these cyberspy attacks to steal national security and trade secrets are the same weapons that traditional computer crooks use to steal financial information (in fact, last week I blogged about other tantalizing signs of overlap between these two seemingly disparate communities). It is almost certain that this Flash exploit will soon be bundled into automated exploit kits that are sold to miscreants on the cybercriminal underground, if it hasn’t already. If you use any of the above-mentioned software products and have fallen behind in patching them, please see the following posts:

May 8, 2012: Adobe, Microsoft Push Critical Security Fixes

May 4, 2012: Critical Flash Update Fixes Zero-Day Flaw

Mar 27, 2012: New Java Attack Being Rolled Into Exploit Packs

From LOW to PWNED [8] Honorable Mention: Log File Injection

May 14th, 2012

Post [8] Honorable Mention: Log File Injection

So this didn’t make it into the talk, but was in the hidden slides…

not positive this is a “low” but a friend suggested it, so here you go.

Goes like this:
  • Request gets logged
  • Something malicious gets written, commonly something like a one-line PHP backdoor

  1. Use an LFI vulnerability to browse to the page, get shell
    • Example 1: Php Shell Injection On A Website Through Log Poisoning http://www.securitytube.net/video/167
    • Rails 3.0.5 Log File Injection http://packetstormsecurity.org/files/99282/Rails-3.0.5-Log-File-Injection-Proof-Of-Concept.html
    • http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/
    • Example 2: BURP SUITE – PART IV: LFI EXPLOIT via LOG INJECTION http://kaoticcreations.blogspot.com/2011/12/burp-suite-part-iv-lfi-exploit-via-log_20.html
  2. Wait for an admin to view logs and do whatever you did (XSS)
    • Example 1: http://xforce.iss.net/xforce/xfdb/50170
    • Example 2: http://www.securityfocus.com/archive/1/464471

Can also do fun stuff like this (TNS Logfile injection in Oracle)
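For both paths above (a PHP include reading the poisoned log, and an admin viewer rendering it), an added Python example that is not from the post: it flags requests carrying poisoning markers and escapes every field before it reaches the log line. The sample requests are constructed, and the markers in them are harmless stand-ins, not a real backdoor.

```python
"""Hardening against the two log-poisoning paths in the post: a log line that is later
read by a PHP include, or rendered in an admin's log viewer, must never carry attacker
bytes verbatim. Added example, not from the post; the requests are constructed and the
markers are harmless stand-ins (no working backdoor)."""
import html
import re

# Markers that make a log entry dangerous on one of the two paths.
POISON_PATTERNS = [
    (re.compile(r"<\?(php|=)", re.I), "php open tag"),   # path 1: LFI include of the log
    (re.compile(r"<script\b", re.I), "script tag"),       # path 2: admin log viewer XSS
    (re.compile(r"[\r\n]"), "CR/LF log-line forgery"),    # forged or split log lines
]

# Constructed requests: (client_ip, method, request_path, user_agent). Not real traffic.
SAMPLE_REQUESTS = [
    ("203.0.113.5", "GET", "/index.php?page=home", "Mozilla/5.0"),
    ("203.0.113.6", "GET", "/index.php?page=home", "<?php echo 'poisoned'; ?>"),
    ("203.0.113.7", "GET", "/search?q=<script>alert(1)</script>", "curl/7.0"),
    ("203.0.113.8", "GET", "/\r\n203.0.113.8 \"GET /admin\" \"forged\"", "wget"),
]


def classify(field):
    """Names of the poisoning markers present in one request field."""
    return [name for pat, name in POISON_PATTERNS if pat.search(field)]


def escape_field(field):
    """Make a field safe to write: control characters become \\xNN escapes (so the entry
    stays on one line and carries no raw CR/LF), then <, >, &, and quotes are HTML-escaped
    so a viewer renders them as text and PHP never sees a literal <?php tag."""
    visible = "".join(
        "\\x%02x" % ord(ch) if ord(ch) < 0x20 or ord(ch) == 0x7F else ch for ch in field
    )
    return html.escape(visible, quote=True)


def format_log_line(ip, method, path, ua):
    """Combined-log-style line built only from escaped fields."""
    return '%s "%s %s" "%s"' % (ip, method, escape_field(path), escape_field(ua))


def audit(requests):
    """Return (flagged, lines): flagged is [(index, markers)] for requests carrying
    poisoning markers; lines are the escaped log lines for every request."""
    flagged, lines = [], []
    for i, (ip, method, path, ua) in enumerate(requests):
        markers = classify(path) + classify(ua)
        if markers:
            flagged.append((i, markers))
        lines.append(format_log_line(ip, method, path, ua))
    return flagged, lines


def is_safe_line(line):
    """True when the written line carries none of the markers: it cannot be parsed as
    PHP, split into a forged entry, or rendered as markup by a naive viewer."""
    return not any(pat.search(line) for pat, _ in POISON_PATTERNS)


if __name__ == "__main__":
    flagged, lines = audit(SAMPLE_REQUESTS)
    for i, markers in flagged:
        print("request %d: %s" % (i, ", ".join(markers)))
    for line in lines:
        print(line)
```

Escaping what gets logged is defence in depth; the include of an attacker-chosen path that makes path 1 work still has to be fixed in the application.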


Global Payments Breach Fueled Prepaid Card Fraud

May 14th, 2012

Debit card accounts stolen in a recent hacker break-in at card processor Global Payments have been showing up in fraud incidents at retailers in Las Vegas and elsewhere, according to officials from one bank impacted by the fraud.

At the beginning of March 2012, Danbury, Conn.-based Union Savings Bank began seeing an unusual pattern of fraud on a dozen or so debit cards it had issued, noting that most of the cards had recently been used in the same cafe at a nearby private school. When the bank determined that the school was a customer of Global Payments, it contacted Visa to alert the card association of a possible breach at the Atlanta-based processor, according to Doug Fuller, Union Savings Bank’s chief risk officer.

That’s when USB heard from Tony Higgins, then a fraud investigator at Vons, a grocery chain in Southern California and Nevada owned by Safeway Inc.

According to Fuller, Higgins said the fraudsters were coming to the stores to buy low-denomination Safeway branded prepaid cards, and then encoding debit card accounts issued by USB onto the magnetic stripe on the backs of the prepaid cards. The thieves then used those cards to purchase additional prepaid cards with much higher values, which were then used to buy electronics and other high-priced goods from other retailers.

“Higgins said, ‘You have a problem,’” Fuller recalled, of a phone conversation the bank had with Higgins in early March. “He said he had a slew of these people going through their Vons and Safeway stores exchanging cards. He had them on surveillance tape, knew where they were from and everything.”

Higgins told USB that the fraud he was seeing was mostly in Las Vegas, but that there also was some fraudulent card activity in neighboring states in the southwest.

“He had a theory that these guys came from Los Angeles and San Diego to Vegas just to make these transactions, and then went back,” Fuller said.

The fraud described by Higgins matched the unauthorized activity that they had seen stemming from accounts used at the private school cafeteria. Fuller said Visa has alerted Union Savings Bank that about 1,000 debit accounts it issued were compromised in the Global Payments breach — including the dozen or so card accounts that initially prompted USB to investigate.

USB officials say the bank has suffered approximately $75,000 in fraudulent charges, and that it has so far spent close to $10,000 reissuing customer cards.

Other banks notified by Higgins had much higher losses, Fuller said. “Mr. Higgins told us that the thieves also hit Bank of Oklahoma and Fulton Bank of New Jersey. He said Fulton was hit very hard by these guys, to the tune of about one thousand [stolen card accounts] each week.”

Higgins could not be reached for comment. Safeway officials confirmed that he retired from the company last month, but declined to discuss Higgins’ work or the incidents that prompted him to alert USB and other financial institutions affected by the Global Payments breach. Neither the Bank of Oklahoma nor Fulton Bank responded to repeated requests for comment.

The experience of Union Savings Bank illustrates how fraudsters can extract value from debit cards even if they only have some of the data associated with the accounts. Initial alerts about the breach from Visa and MasterCard stated that the breach at Global Payments compromised both Track 1 and Track 2 data from affected card accounts, meaning thieves could produce counterfeit versions of the cards and possibly commit other acts of identity theft against cardholders. Global Payments claims that only Track 2 data was taken, and that cardholder names, addresses and other data were not obtained by the criminals.

Yet, as USB’s story shows, the data on Track 2 alone was enough for the crooks to encode the card number and expiration date onto any cards equipped with a magnetic stripe. The cards could then be used at any merchant that accepts signature debit — transactions that do not require the cardholder to enter his or her PIN.

Visa and MasterCard each have revoked their certification of Global Payments as a compliant card processor. Global Payments said it is still investigating the cause and extent of the incident. The company maintains that fewer than 1.5 million card accounts were stolen, but some in the industry now believe more than 7 million card accounts may have been compromised. Meanwhile, the card associations keep broadening the window of time in which hackers likely had access to the processor’s network. Initially, Visa and MasterCard said the breach window at Global Payments was between January and February 2012, but in the latest round of alerts sent to banks affected by the breach, the card brands warned that the breach dates back to at least early June 2011.

USB’s experience also raises fresh questions about the timing of the breach discovery. Global Payments says it self-discovered and self-reported the breach on March 8, but Fuller said his bank figured out Global Payments was having an issue and reported the fraud before that.

“Global is saying this was self-discovered, but already knew it was them at the beginning of March, because within 48 hours of a customer telling us they were having problems, we figured out it was Global and alerted Visa,” Fuller said. “We are going to put Global on notice that we hold them accountable, because we’re bleeding here. Granted, a seventy-five thousand dollar loss isn’t the end of the world, but when you have a large institution like Global that doesn’t want to accept responsibility about what’s happened, that’s sort of annoying.”

ExitProcess Shellcode

May 14th, 2012

I wrote shellcode that calls ExitProcess for my TaskManager.xls spreadsheet.

Now I’ve added the asm files (sc-ep.asm for 32-bit and sc-64-ep.asm for 64-bit) for this shellcode to my library.

Note that the 32-bit assembler code, which was generated with my simple shellcode generator, has a ret instruction after the call to ExitProcess. This instruction will never be executed, as a call to ExitProcess does not return.

You can find this shellcode on my shellcode page.

Update – Android & SSL Cert

May 13th, 2012

Thanks to the comments left by Zach from our last Android post here, it has been brought to my attention there is an easier way to do all of this with the latest AVD (4.0.3).

After creating your AVD (4.0.3)…

Step 1 – Push PortSwiggerCA.crt up to the emulator’s SD card (make sure you’ve added SD Card support to the AVD when creating it).

Step 2 – Navigate to Settings > Security > Install Certificate from SD Card

Step 3 – Press Okay, enter a PIN or password if asked

Step 4 – Following the install, if you’d like to shut down the emulator and verify the settings have stuck, navigate to Settings > Security > Trusted Credentials and view the user pane.

Step 5 – As always, if you’d like to proxy traffic from the emulator, leverage the http-proxy argument….

~cktricky

Android Emulator, Trusted CA, and Persistent Storage

May 12th, 2012

UPDATE – An easier way to do this can be found on our update post here

Android periodically updates its SDK and sometimes when this happens, old methods for importing a Trusted CA, necessary to proxy SSL traffic, will fail and you must find a new solution. Technically speaking, it’s not necessarily the import that is the problem, it’s saving those changes between restarts of the emulator. If you’ve worked with the emulator you’ll note that after importing a Trusted CA such as BurpSuite’s certificate, the changes only take effect once you’ve rebooted the emulator. In other words, you actually have to restart the emulator, and without these steps, you’ll lose your updated Trusted CA list.

Using Android SDK 19, the solution was to move a temporary file and rename it. Let’s begin:

After creating your Android Virtual Device (AVD) named “test”….

Step 1 – Run the emulator

Step 2 – While running, pull the cacerts.bks file

Step 3 – Get the keytool

Step 4 – Import the PortSwigger SSL Certificate into the cacerts.bks file w/ keytool
NOTE: Exporting PortSwigger SSL Certificate instructions here - http://carnal0wnage.attackresearch.com/2010/11/iphone-burp.html

Step 5 – Remount the emulator /system folder with read-write permissions

Step 6 – Push the cacerts.bks file up onto the emulator

Step 7 – Move the tmp file to your local avd directory and rename it to system.img

Step 8 – Restart, rm cacerts.bks, pull down the copy from the emulator, ensure the certificate still exists in the cacerts.bks file

The reason this data persisted was because we moved the temporary copy (emulator-<random string>) from /tmp/android-<myname>/ and renamed it to system.img. Lastly, we placed the image file in the ~/.android/avd/test.avd/ directory.

hack on,

cktricky

From LOW to PWNED [7] HTTP PUT/WebDAV/SEARCH

May 11th, 2012

Post [7] HTTP PUT/WebDAV/SEARCH

Man I love mis-configured WebDAV, I have put a foot in many a network’s ass with a writable WebDAV server.  Like the browsable directories thing, it’s *usually* not writable, but it occurs often enough that you really have to make sure you check it each time you see it.

LOW?

IIS5 is awesome (not) because WebDAV is enabled by default but the web root is not writable. Wait, who still runs Windows 2000?! I know, I know, the app can’t be rewritten…accepted risk…blah blah…no one will ever use this to pwn my network…it’s ok if that DA admin script logs into it daily….

The “game” is finding the writable directory (if one exists) on the WebDAV enabled server.
     *Dirbusting and ruby FTW*

I find that it’s usually NOT the web root, so honestly it can be a challenge to find the writable directory.  VA scanners can help; Nessus will actually tell you the methods allowed per directory…still a challenge though.

Once you have a directory you want to test you can use cadaver to test manually, davtest, or Ryan Linn’s metasploit module for testing for WebDAV.

I’ve also done some posts on WebDAV in the past:

http://carnal0wnage.attackresearch.com/2010/05/more-with-metasploit-and-webdav.html
http://carnal0wnage.attackresearch.com/2007/08/creating-http-options-auxiliary-module.html

hdm had done a post on it in the past in relation to the asp payload; I can’t find it on the R7 site but it’s mirrored here: http://meta-sploit.blogspot.com/2010/01/exploiting-microsoft-iis-with.html

Decent writeup here:
http://www.ubersec.com/downloads/WEBDAV_Exploit_example.pdf

HTTP PUT

HTTP PUT/SEARCH usually gets rolled into

Web scanners are better about alerting on PUT as an available method and most will attempt the PUT for you.  I don’t think any vuln scanners do; I’m sure someone will correct me if I’m wrong.

Writable HTTP PUT is rare (least for me) although some friends say they see it all the time.

metasploit has a module to test for PUT functionality as well.

HTTP SEARCH

HTTP SEARCH can be fun. When enabled, it will give you a listing of every file in the webroot.