A Quick Peek at Network Injection

Like many of you, I’ve been looking at the various NSA document leaks to see what kind of tools and techniques are being used. I suppose these releases will give cybercriminals new ideas and we will see some of these put to nefarious use sooner than later.

This particular article was very interesting, especially the concept of network injectors. I’ve heard about EvilGrade but never played with it. It seems as though QUANTUMINSERT and FinFly ISP do something similar.

I wondered how I could use this for a pentest. Getting inline with my target would be the first challenge. There are several tools I could use to route wired and wireless network traffic to my computer but maybe an easier way is to setup a proxy server then push out a proxy.pac file.

Here’s a website with a link to a setup file for Revelo.

2014-08-20_01

When the user downloads the program, I can see their GET request and response. At this point the program gets downloaded. Here we see excerpts from Paros.

2014-08-20_02

The way QUANTUMINSERT is described to work, the download request gets silently redirected to another server where an implant gets downloaded. And according to the FinFisher documentation, there is a method called “INJECT-EXE” which “infects the downloaded EXE file in real time. The agent is installed when the target runs the EXE file.”

There’s not too much details so I can only infer how this is being done. Maybe they would have pre-downloaded popular programs, binded it with a backdoor, then sent the file over via a forged HTTP redirect. This would allow the user to install the real program with real certificates but have their program run too.

But how could you do this in real-time, with any download? If I can write a program that intercepts the GET request to any EXE program, bind it with a backdoor in real-time, update the Content-Length field in the response header, and send the file along…it *should* work. ;)

After some coding, I came up with “Interjector” – Interceptor and Injector (because of the nature of this program I won’t be making this available, sorry). There’s not much to look at I know.

2014-08-20_03

With Interjector off, when I download the file, it looks like this:

2014-08-20_04

However, when Interjector is running, the same download dialog box now looks like this (note the file size):

2014-08-20_05

What’s happening behind the scenes is that there is a specially-crafted EXE file that’s been added to Interjector as a resource. When the program sees a GET request to any EXE file, it loads the resource to a variable and gets ready. When the program sees the response, it reads in the Content-Length value, adds the length of the resource to it, and puts the updated value back into the header. Finally, it injects the variable containing the resource into the download stream.

The advantage of doing it this way is that I don’t need to redirect users to another server, I can intercept/inject any EXE file the user downloads, it’s very stealthy, and all of this happens in real time.

Here’s what it looks like when the downloaded file is executed:

2014-08-20_06

Ugh, the icon makes it look fake but I can fix that. This is going to be a challenge for those programs with unique icons. The best way is probably to use a generic icon like this and hope users don’t notice.

2014-08-20_07

What about the MD5/SHA hash? That’s the biggest hurdle to overcome. I could change the hash on the webpage to match the final file but only for the ones I know about by doing a global search and replace. Or I can search for any hash line and remove it from the webpage.

2014-08-20_08

What if it’s a compressed file download (e.g. ZIP)? I think I would have to rezip the file with a new EXE or rebuild the download which changes the ZIP file to an EXE. The real-time requirement makes this difficult to handle without the user taking notice.

So what’s a user to do?
- Use HTTPS to download programs
- Choose to download a compressed version (e.g. ZIP) instead of a bare EXE/MSI file
- Pay attention to any anomalies and inconsistencies; when in doubt, stop
- Verify the program’s hash before installing (for the paranoid, use an out-of-band device like your phone to view the hash on the webpage)

Posted in Pentest, Tools | Tagged , , , | Comments Off

Wild Wild West – 07/2014

Added the following packs:

RIG Exploit Kit
Niteris aka “CottonCastle”
“Snet”

Special thanks to Kafeine for his valuable input.

wildwildwest_0714

Posted in Exploit Packs | Comments Off

Reversing a PHP Script Dynamically and Statically

A reader sent me two PHP scripts because the PHP Converter program I wrote wasn’t able to handle it. They are both similar so I’ll just work on one of them in this post. Here’s what it looks like:

2014-07-11_01

And this is what happens when you try to use PHP Converter:

2014-07-11_02

Let’s reverse this script dynamically and then statically.

First, I’ll just change the ‘eval’ keyword to ‘echo’.

2014-07-11_03

And take a peek at what’s going on.

2014-07-11_04

Yikes, this is messed up! I thought the PHP file got corrupted somehow but then I looked closely and noticed several PHP keywords. This is actually a pretty clever technique. Basically the script is converting the strange characters to text but it’s surrounded by long, seemingly random strings that are variable names.

So I figure I would just write it out to a file and then change the ‘eval’ I noticed at the end to ‘echo’.

2014-07-11_05

Here’s the resulting file:

2014-07-11_06

I’ll just make that quick change and run it again.

2014-07-11_07

Cool, now we know what this script does!

Now let’s reverse this script statically.

Here’s a new, fixed version of PHP Converter. I added a filter to present the results of the deobfuscation without stopping if it encounters any strange characters. The characters outside the alphanumeric range will be represented by a neutral character.

2014-07-11_08

I also added the ability to output the result to Base64 format and/or to a file. With both options checked, you will get a text file of the result encoded in Base64 so the binary values will be preserved.

2014-07-11_09

Now I can convert this base64-encoded string to text using Converter.

2014-07-11_10

After cleaning this up, we can see that the section below is XOR’ing the blob using the decimal value of ’30′ which is assigned to the first variable.

2014-07-11_11

I’m going to convert the base64-encoded string to hex this time.

2014-07-11_12

Then send the data to Converter’s Key Search/Convert feature and set the values accordingly:

2014-07-11_13

And I get this result. The junk at the top and bottom is the result of XOR’ing the original text so I can ignore that.

2014-07-11_14

There are other ways to get to the final result but I think these two methods are straightforward and quick/easy to do.

The updated version of PHP Converter can be downloaded here.

Posted in Malscript, Tools | Tagged , , | Comments Off

Deobfuscating PHP Scripts

Occasionally people send me PHP scripts to help them analyze it. Most of the time, it’s simply unescaping the script and finding the right variable to echo. I got two tricky ones within the past couple of months and finally got around to writing a program to quickly deobfuscate them. These scripts represent obfuscation methods that make it difficult to read them but they don’t employ character rotation, XOR, base64, etc. I’m not sure if there’s an easier way to do this; if there is, I’d like to hear about it.

I already wrote a tool to handle an older variety of this method and I decided to add functionality to handle the newer ones. I also added a pretty basic (crappy) beautifier and making this available as a separate download (I think I’ll add this to Converter later).

Method 1 – Array Search/Replace
This script uses an array of base64-encoded strings. The second part of the script references specific values from the array. The obfuscated script looks like this:

2014-06-01_01

The idea is to first base64-decode the strings and load them into an array. Loop through the array and replace the calling variables with the actual values.

You should concatenate the strings first. I use Converter but even Notepad will do.

2014-06-01_02

Then you need to base64-decode the strings. Again I’m using Converter.

2014-06-01_03

Using the PHP Script Decoder tool, I paste the result from above to the “Lookup Array” box. I paste the obfuscated script to the input box. When you choose the Array method you have to enter a delimiter (in this case the comma is used) and the search string. The search string is the variable you wish to replace with the value. In this case I enter “_449578015(#)”. The pound sign is a placeholder which the tool needs.

Here’s what it looks like. Now the deobfuscated script is much easier to figure out.

2014-06-01_04

If you want to beautify the script, click on the “Copy Output to Input” button then click on the “Beautify” button.

2014-06-01_05

The result is a simple and rough cleanup of the script.

Method 2 – Random Variables
This script uses randomize variable names and assigns a value to it. The later portion references the value. Here’s what this looks like:

2014-06-01_06

The tool will parse the script and load each variable and associated value into an array. It then does a search for the variable and replaces it with the value.

I just paste the entire script in the input box and choose the “random vars” option. The delimiter for this script is a semi-colon and for the search string I enter ${“GLOBALS”}["#"]=”*”; The pound sign is a placeholder for the variable name and the asterisk is the placeholder for the value.

Here’s the result:

2014-06-01_07

Method 3 – Key Lookup
This script uses a lookup array to build the values for its variables. Each character in this string is loaded into an array:

“,`TD[r)Ej|4*^QXOK\t: @.tl#2%\\L\r_R-~b=Z7zaV{]S+’Gio>gd058up6C!HkwxmvN?nJI(\”FMWc3hYs\$&;\nBA

The script concatenates each character of the value and assigns it to a variable. The tool again does a search and replace of each character. You can optionally concatenate the result. For this particular script, you then need to use the second method and replace the variable name with the value.

2014-06-01_08

Here we go…the first step I do is paste the entire script in the input box and choose the key lookup option. The delimiter is irrelevant. I use $f9[#] as the search string. In the lookup key box I need to paste the key with the starting and ending quotes. The tool will unescape the value so you don’t have to do it yourself.

2014-06-01_09

You can see that the strings should be concatenated so I check the box and click on Convert again.

2014-06-01_10

Now I click on the “Copy Output to Input” button and choose the random vars option. I leave the delimiter to semi-colon and use $GLOBALS['#'] = ‘*’; as my search string.

2014-06-01_11

Ah, much more readable! By the way, you may have seen this on several compromised sites as the output looks something like this:

Linux10+cfcd208495d565ef66e7dff9f98764da
-or-
WINNT20+cfcd208495d565ef66e7dff9f98764da

This script is essentially an emailer.

You can find this program here.

Posted in Malscript, Tools | Tagged , | Comments Off

Reversing RIG EK’s Flash File

VirusTotal is showing 0 out of 51 for RIG EK’s SWFIE exploit (MD5: 65AFF3A3774298B3ED5BA2C43F8A1979). Here’s a really quick overview on how to reverse this exploit file so we can determine which vulnerability it’s using. This method can also be used on Infinity EK’s flash file and probably others.

First, you need to use your favorite method to decompile the SWF file. I always try to give ActionScriptExtractor the first shot. If it doesn’t work, you might have to use a commercial tool like I did. Looking over the decompiled code, there’s an interesting function called “onus”.

2014-05-23_01

Variable _local5 is assigned a value of “4939333″. This value is used to XOR each value from the large array. The _local2 array consists of Qwords in decimal and hex formats.

I wrote a program that will convert the Qwords to decimals then XOR the values with an XOR key. It will then write it out in little Endian format just like the ActionScript indicates.

2014-05-23_02

After converting the decimal values to hex and writing it out to a binary file, I get another SWF file (MD5: 04FC52BE437FF46465F42994F0DC5AAE). VirusTotal detects this with 3 out of 53 AV with one saying it’s CVE-2013-0634.

2014-05-23_03

The decompiled version looks like this:

2014-05-23_04

Here we see the exploit code:

2014-05-23_05

This part here writes out the shellcode after base64-decoding it.

2014-05-23_06

The Javascript from the landing page contains the base64-encoded shellcode which is read in by the ActionScript.

2014-05-23_07

The code does look similar to CVE-2013-0634 but my understanding of the Flash exploit tells me this is really CVE-2014-0322.

Anyway, the point of this article was really to make available the tool to convert Qword, Dword, and Word values to decimal. I’ll continue using it and work out any kinks before adding it to Converter. You can download this tool here if you want to give it a try.

Posted in Exploit Packs, Malscript, Tools | Tagged , , | Comments Off