OWASP AppSecEU 2015Bart Leppens

whoami

Bart Leppens

● BeEF developer (since may 2012)● Ported BeEF Bind shellcode to Linux● Smashing the stack for FUN

@bmantra In

Disclaimer

● The views and opinions expressed here are my own and do not necessarily represent those of my employer

● My employer has absolutely nothing to do with anything related to BeEF

● I’m not speaking in the representation of my company

What the talk?

● BeEF: Browser Exploitation Framework○ architecture○ modules○ extensions

● … live demos and videos

BeEF: Browser Exploitation Framework

● Professional security tool● Focus on client side attack vectors● Real attack scenarios● v1.0 by Wade Alcorn

http://beefproject.comhttps://github.com/beefproject/beef

BeEF: Live CD

● https://github.com/beefproject/beef/wiki/BeEF-Live-CD

● Ubuntu 12.04 LTS● Ruby 1.9.3p194● Metasploit and sqlmap

BeEF: Architecture

BeEF: Hook a Browser

Inject the javascript hook to the DOM● Cross-site Scripting● MiTM● Controlling DNS● Social Engineering● … be creative ;)

BeEF: Polling

● Once the browser is hooked, the browser will ‘poll’ BeEF for new JavaScript payloads to execute

● When a payload is found, the browser will execute it

BeEF: A Whole Lot Of Modules● Many different purposes

○ Information gathering○ Social Engineering○ Network Discovery○ ...

● Easy to extend with your own modules● Complex scenarios with RestFul API

http://beefproject.comhttps://github.com/beefproject/beef

BeEF: Module overviewEach module contains 3 primary files:

● config.yaml => Configuration file● module.rb => Ruby Module Code● command.js =>JavaScript payload

http://beefproject.comhttps://github.com/beefproject/beef

BeEF: config.yamlProvides basic information

● name of author● category● working browsers● determines if module is enabled

http://beefproject.comhttps://github.com/beefproject/beef

BeEF: module.rb

Defines configurable options (self.options)

Defines return result actions (post.execute)

http://beefproject.comhttps://github.com/beefproject/beef

BeEF: command.jsJavaScript payload template

● Supports eRuby variable substitution

<%= @var %>

● Access to the JavaScript BeEF object

beef.net.forge_request

BeEF: Sesame Magic Browser

“Internal server vulnerabilities are sitting there bored and lonely” - Michele Orru` // ”ActiveFax, you look very bored” - Bart Leppens

BeEF: DEMO

BeEF: Skype iOS URI Scheme

BeEF: IoT

BeEF: GlassFish XSRF

● REST CSRF in GlassFish 3.1.1 (build 12)● Bug FOUND by Roberto Suggi Liverani● According to ORACLE the 3th most critical

bug ever in SUN products● Demo (fingerprint + exploit)

BeEF: CookieJar overflow

● JavaScript cannot modify HTTPOnly-cookies● John Wilander overflowed the CookieJar● Recreate those cookies● Demo

BeEF: Autorun

● launch modules automatically on new hooked browsers

● edit config.yaml set autorun: true in each module

● limitation => used with default parameters

BeEF: RESTful API

Scripting BeEF through HTTP/JSON requests● token parameter must be always added to

requests● GET or POST● Automate advanced attacks automatically

BeEF: RESTful API

Authentication● Post credentials to /api/admin/login● return authentication token● e.g. curl -H "Content-Type:

application/json" -X POST -d '{"username":"beef", "password":"beef"}' http://127.0.0.1:3000/api/admin/login

BeEF: RESTful API

Hooked Browsers● GET to /api/hooks● return online/offline hooked browsers● e.g. curl http://127.0.0.1:

3000/api/hooks?token=[token]

BeEF: RESTful API

Browser Details● GET to /api/hooks/:session● Information on the hooked browser● e.g. curl http://127.0.0.1:

3000/api/hooks/[session]?token=[token]

BeEF: RESTful API

List Command Modules

● GET to /api/modules● e.g. curl http://127.0.0.1:

3000/api/modules?token=[token]

BeEF: RESTful API

Informations on a specific module

● GET to /api/modules/:module_id● e.g. curl http://127.0.0.1:

3000/api/modules/[module_id]?token=[token]

BeEF: RESTful API

Launch a command on a specific browser

● POST to /api/modules/:session/:module_id● e.g. curl -H "Content-Type:

application/json; charset=UTF-8" -d '{"question":"wtf?"}' -X POST http://127.0.0.1:3000/api/modules/[session]/[module]?token=[token]

BeEF: RESTful API

Return information about the command module previously executed

● GET to /api/modules/:session/:mod_id/:cmd_id

● e.g. curl http://127.0.0.1:3000/api/modules/[session]/[module_id]/[cmd_id]?token=[token]

BeEF: RESTful API

A whole lot more:

● control BeEF DNS rules● Access Logs● ...Refer to the BeEF Wiki: https://github.com/beefproject/beef/wiki/BeEF-RESTful-API

BeEF: Console

Console is a BeEF extension● metasploit-like console● should be enabled in the main config.

yaml● control hooked browsers

BeEF: Metasploit integration

Console is a BeEF extension● should be enabled in the main config.

yaml● should be configured in

extentions/metasploit/● msfrpcd can be launched automatically

from within BeEF :-)

IPC: Inter-Protocol Communication● Initial research by Wade Alcorn in 2006/2007● “Tolerant” protocol implementation that does

not drop the client connection after N errors● A properly encoded POST request can be

send to the target:○ HTTP Headers are parsed as BAD COMMANDS○ HTTP request body is parsed as VALID

COMMANDS (or as SHELLCODE)

IPC: Limitations● Some ports are banned by the Browser (e.g.

21,25,110,..)● Content-Type: text/plain or multipart/form-

data● Doesn’t work well with binary protocols =>

often not that tolerant

IPC: ActiveFax Server● Extended research done in 2013 by Michele

Orru` & myself● Widely used Fax solution● Manual suggest port 3000 for RAW socket● Protocol is very tolerant● Commands are formatted as: @Fxxx data@

IPC: ActiveFax Server (example message)Sender...................... Bart Leppens, +1 11 112233-25Recipient 1............... OWASP Belgium, Fax: 016 123456Subject..................... IPC is coolPriority...................... Very High

@F101 Bart Leppens@@F110 +1 11 112233-25@@F201 OWASP Belgium@@F211 016 123456@@F307 IPC is cool@@F301 1@

IPC: ActiveFax Server (XHR)var xhr = new XMLHttpRequest();var uri = "http://x.x.x.x:3000/";xhr.open("POST", uri, true);xhr.setRequestHeader("Content-Type", "text/plain");var post_body = "@F101 Bart Leppens@@F110 +1 11 112233-25@@F201 OWASP Belgium@@F211 016 123456@@F307 IPC is cool@@F301 1@";xhr.send(post_body);

IPC: ActiveFax Server (XHR)POST / HTTP/1.1Host: 127.0.0.1:3000User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:24.0) Gecko/20100101 Firefox/24.0..Content-Type: text/plain; charset=UTF-8Cache-Control: no-cache

@F101 Bart Leppens@@F110 +1 11 112233-25@@F201 OWASP Belgium@@F211 016 123456@@F307 IPC is cool@@F301 1@

IPC: ActiveFax Server (Demo)

IPC: ActiveFax Server (Time-out)The ActiveFax RAW socket takes 60 seconds to time-out.We can fix that! 2 seconds is more then enough to send a FAX over a LAN network:

xhr = new XMLHttpRequest();..xhr.send(post_body);setTimeout(function(){xhr.abort()}, 2000);

IPC: ActiveFax Server (Faster Demo)

BeEF: NAT Pinning

● Samy Kamkar in 2010● Trick user to visit page● Access port on internal network (via IPC)● Connection Tracking must be enabled● not only routers, IPTables with connection

tracking works as well

BeEF: NAT Pinning

IPE: Inter-Protocol Exploitation

● Research by Wade Alcorn (extension of IPC)● Extended research in 2012 by Michele Orru`

○ QualCOMM WorldMail IMAP 3.0● More research in 2013 by Michele & myself

○ ActiveFax Server

IPE: Inter-Protocol Exploitation

● Need to send binary data○ sendAsBinary (FF, Chrome)

● Same restrictions: tolerance, blocked ports● More restrictions: header space, bad chars

IPE: ActiveFax 5.01 RAW Server Exploit

● bug found by Craig Freyman● @F506 crashes after 1024 bytes● Many bad characters:

○ 0x00 -> 0x19○ 0x40 (@)

● PoC modified to use IPE

IPE: ActiveFax (Metasploit Reverse shell)

IPE: ActiveFax (Demo)

BeEF Bind Shellcode

● Shellcode written by Ty Miller (Win32)● Allows communication from the browser to a

shell○ Commands are proxied back and forth through the

browser to cmd.exe○ Stage is delivered through the browser as well

BeEF Bind Shellcode: The Stager● Stager listens on a specified port for HTTP

requests● Ignores HTTP headers and looks for the egg

“cmd=” which marks the start of our 2nd stage (or any stage you like)

● Allocate executable memory + copy● Jump into the stage shellcode

BeEF Bind Shellcode: The Stage● Stage listens on a specified port for HTTP

requests as well● Ignores HTTP headers and looks for “cmd=”

which marks the start of our command● Requests are proxied back and forth from

the browser to a “cmd.exe” childprocess● Access-Control-Allow-Origin: *

BeEF Bind Shellcode:

● Ported to Linux x86 and Linux x64○ stager and stage

● Can also be used compiled with RCE vulns● Metasploit modules are available for easily

encoding and removal of bad characters

IPE: ActiveFax (BeEF Bind + BeEF)

IPE: ActiveFax (Demo)

Exploiting Webmail with XSS

Cross-site Scripting● most common vulnerability● impact = underestimated● mail = interesting target for attacker

CVE-2011-2937 Round-cubereflected Cross-site Scripting vulnerability● found by Abyszko● before 0.5.4

http://server/roundcube/?_mbox=<script> alert(document.cookie)</script>

CVE score for this bug is 4.3 out of 10.

CVE-2014-0913 Lotus iNotesstored Cross-site Scripting vulnerability● IBM iNotes and Domino 8.5.3 FP6 before

IF2 and 9.0.1 before FP1● Inject arbitrary web script or HTML via an e-

mail message

CVE score for this bug is 4.3 out of 10.

CVE-2014-0913 Lotus iNotestelnet iNotesSMTPserver 25

HELO xss MAIL FROM: attacker@evil.com RCPT TO: poorvictim@good.com DATA MIME-Version: 1.0 FROM: ATTACKER <attacker@evil.com> TO: VICTIM <poorvictim@good.com> Subject: iNotes XSS vulnerable mail Content-Type: text/html

<img style="display:none" src="x"/onerror="alert(1)">

Universal Cross-site Scripting and webmail

● Control every origin● Execute arbitrary code● Control all webmail clients => including

Cloud based like gmail, yahoo mail, etc.

This is a myth: there ain’t no such thing● Targeted mailbox attack

○ read mails○ send mails

● Nesting and replication○ Mailworm - Nduja by Rosario Valotta in

2007■ spreading across multiple webmail services■ named after spicy italian sausage from Calabria,

Italy

This is a myth: there ain’t no such thing

● DDoS of server○ BeEF DOSer-module○ also internal servers (via victims browser)

● DDoS of mailbox○ multiple zombies sending mails to victim

This is a myth: there ain’t no such thing

● Sending spam○ by email account of trusted user

● Download infection○ attachment that seems to be sent from

well-know user (=victim)○ Replace attachment links in existing mails

This is a myth: there ain’t no such thing

● Modify existing “notes”● Social Engineering attacks by mail● Perform reset of passwords● names.nsf in iNotes● ….

This is a myth: there ain’t no such thing

4.3/10

DEMO

Tunneling Proxy

Reverse HTTP Proxy● hooked browser = exit point● XHR requests or WebSockets● limited to the hooked domain and security

context of the victims browser

Tunneling Proxy

Attack scenarios ● browsing hooked domain (security context of

the victim browser)● spidering hooked domain● finding and exploiting SQLi with Burp Pro

Scanner and sqlmap● Video

BeEF: Video

Videos● TrixBox exploit● WebCloner Massmailer● uiabuse● Distributed Blind SQLi● ..

For those who can’t get enough

● Browser Hackers Handbook○ 50% of revenues will be used for

the BeEF project (testing infrastructure, etc..)

Thanks to

● OWASP● The other BeEF guys ;)● My wife for lending her laptop

Questions