Breaking

Reverse Engineering With Radare2 – Part 2

Welcome back to the radare2 reversing tutorials. If you’ve missed the previous parts, you can find them here and here.

Last time we’ve used the rabin2 application to view the  strings found inside the challenge01 binary to find password candidates. Based on the results we looked into the assembly to find the correct password. In this post, we’ll go through the next challenge and try out some of the features provided by radare2.

Continue reading “Reverse Engineering With Radare2 – Part 2”

Continue reading
Breaking

PFX Profiles in Microsoft’s System Management Server

In a recent assessment, we had to evaluate how Microsoft’s System Management Server (SMS) certificate management solution (CMS) stores and handles certificates. This question came up because sensitive, encrypted user certificates were to be stored in the SMS CMS. Due to the sensitivity of the handled certificates, we assessed the protection capabilities of the certificate management solution against extraction attempts from a local attacker with administrative privileges.

Continue reading “PFX Profiles in Microsoft’s System Management Server”

Continue reading
Breaking

Reverse Engineering With Radare2 – Intro

As some of you may know, there is a “new” reverse engineering toolkit out there which tries to compete with IDA Pro in terms of reverse engineering. I’m talking about radare2, a framework for reversing, patching, debugging and exploiting.

It has large scripting capabilities, runs on all major plattforms (Android, GNU/Linux, [Net|Free|Open]BSD, iOS, OSX, QNX, w32, w64, Solaris, Haiku, FirefoxOS and even on your pebble smartwatch 😉 ) and is free.

Sadly, I had some problems finding good tutorials on how to use it, as the interface is currently a bit cumbersome. After fiddling around, I’ve decided to create a little tutorial series where we can learn together ;). Continue reading “Reverse Engineering With Radare2 – Intro”

Continue reading
Breaking

Pentesting Webservices with Net.TCP Binding

Hi all,

Most of you that are  pentesters  may have already tested plenty of webservices using SOAP (Simple Object Access Protocol) for communication. Typically, such SOAP messages are transferred over HTTP (Hypertext Transfer Protocol) and are encapsulated in XML (Extensible Markup Language). Microsoft has developed different representations of this protocols to reduce the network load. As these representations/protocols aren’t really covered by typical tools out there, this post will show you some of them, and a proxy which can be used to simplify the testing.

Continue reading “Pentesting Webservices with Net.TCP Binding”

Continue reading
Breaking

Your Mouse Got Sick and You Don’t Know it. aka “Reverse Shell via Mouse”

Ever got a backdoor installed on your computer by your beloved mouse? Here’s the story of a poor mouse that got really, really sick.

Agent "Danger Mouse"
Agent “Danger Mouse”

Do you remember the times where people put Teensy-boards and USB hubs in their mouses? [Chris? ;)] Their aim was to attach an additional Human Interface Device (HID, like keyboards or mouses) with some payload in kind of e.g. keystrokes or mouse movements. Also, there are devices available like the USB Rubber Ducky in the housing of a USB thumb drive.
The principle is easy: The tools are using a programmable microcontroller with the capability to emulate USB HID. That’s it. Just program your board of choice with the payload fitting your needs and plug it in at the target computer. The latter will recognize it as a keyboard/mouse and the payload-keystrokes will be entered.
But why should external hardware be used? Many modern gaming peripherals provide functions to store macros on them, including enough onboard memory for little payloads.

While we were working on the layout of this years’ Troopers-Badge, I felt uncomfortable using my touchpad, so I switched over to a Logitech G-series gaming mouse. This one worked like a charm – many buttons and the feature to store personal profiles on the mouse itself, which is perfect when you work on more than one machine.

But wait – macros and profiles stored on the mouse? Recall the lines above concerning the HID story.
Could it be possible to store a macro big enough to drop a reverse shell on a Windows target?
Actually – it could.
It’s just as simple as using the Logitech Gaming Software’s Command Editor. Choose a button, put a macro on it, fit the timings and go!
The only thing you should consider, that you’re limited to about 100 keystrokes. If there should be something dropped on the target, like an executable or a script, you should think about using FTP or Powershell to download it externally, like I did here.

In this Proof of Concept the marco opens the Windows Command Line and downloads Netcat via Windows’ own ftp.exe from an external FTP server. Afterwards, it launches Netcat in background mode, while a Netcat listener already is waiting on the remote machine.

https://youtu.be/LiC1jnT6b68

I think this kind of attack is dangerous due to its minimal effort and people trusting their mouses. Who would be afraid of a manipulated mouse, while being away for just 2 minutes to grab a cold Mate drink in the kitchen? The mouse’s software in this example offers the option to delay the keystrokes. Consider, the mouse acts like usual and after 30 or 60 seconds the bad magic happens, and it would take only a few seconds, so you might even miss the chance to see the windows popping up.

 

Live long and prosper,

Stefan

Continue reading
Breaking

Remote Code Execution via Server Side Template Injection at OFBiz 13.07.03 (CVE-2016-4462)

Dear Reader,

this blog post is about Server Side Template Injections for the Apache Freemarker Template Engine, how to detect them, how to craft an exploit and what countermeasures can be implemented. Server Side Template Injections are critical because they often allow even Remote Code Execution, like the exploit of Apache OFBiz 13.07.03 that triggered this post in the first place. It is fair to note, that the exploit of Apache OFBiz requires a valid session with the server, but often this is just an inconvenience for an attacker.

Continue reading “Remote Code Execution via Server Side Template Injection at OFBiz 13.07.03 (CVE-2016-4462)”

Continue reading
Breaking

New Ransomware-Wave Analysis

In the context of a customer project, we examined a new variant of the Locky ransomware. As in the meantime stated by a law enforcement agency, this has been part of a large wave of attacks hitting various enterprises in the night from Tuesday (2016-07-26) to Wednesday.

As an initial attack vector, the attackers use emails with an attachment that probably even uses a 0day exploit, that enables the payload to be executed already when displayed in the MS Outlook preview.

The ransomware encrypts accessible documents and threatens victims to pay a ransom in order to be able decrypt the files. Further, the malware uses accessible network shares/drives for further spreading.

Further information is following in the next section.

It might help to create filtering rules based on the mentioned file names, hash values, URLs, and IP addresses that are named in the rest of this report.

Continue reading “New Ransomware-Wave Analysis”

Continue reading
Breaking

Notes on Hijacking GSM/GPRS Connections

As shown in previous blogposts we regularly work with GSM/GPRS basestations for testing devices with cellular uplinks or to simply run a private network during TROOPERS. Here the core difference between a random TROOPERS attendee and a device we want to hack is the will to join our network, or not! While at the conference we hand out own SIM cards which accept the TROOERPS GSM network as their “home network” some device need to be pushed a little bit.
Continue reading “Notes on Hijacking GSM/GPRS Connections”

Continue reading