Invalid Packet by @_coreDump

Attacking Java serialization protocol

2010-09-12T04:10:00.000-07:00

Hi Guys

My colleague Manish from A&D Labs has posted and released DSer for attacking Java Serialization protocol, using the JVMITM approach check it out here

Abusing serialization protocol using JVMITM (JVM in the middle)

2010-08-09T21:53:00.000-07:00

A friend of mine asked me to clarify about Belch usage in serialization manipulating, so here goes:

When a serialization channel is created between client and server, all traffic switches from basic http to serialization over http. This makes tracing, manipulating and testing more difficult due to the binary content of the serialization protocol.

This in mind, what you need is a decrytor-encryptor utility to stick in the middle of communication channel, so you can get a better understanding and control over the communication between the client and server. You need it to be very efficient and very fast: enters JVMITM - JVM in the middle.

If you could divert the communication to an Java VM, you could utilize java to translate the serialization protocol into a somewhat better understandable format -say XML. Once in XML format, you abuse it at your will and then redirect it to JVM back. JVM convert it back to serialization protocol and send it down the communication channel.

JVMITM approach support any serialization protocol that Java understand, such as Flash, Java-serialization and more. The only thing you have to do in order to decrypt the protocol, is to include the proper library in your JVMITM classpath

Belch can help you utilize JVMITM by enabling you to redirect the communication to your chosen application (hex-editor ,batch wrapper of a JVM or other self written tool)

Stay tuned as I will publish some example of using Belch to JVMITM against Flash AMF serialization protocol

SQLmap 0.8 and SOAP based Web-Services

2010-06-23T02:37:00.000-07:00

I Love SQLmap , it's clean, fast, super efficient, fully automated and get's the job done when a POC is needed.

Lately I was pen-testing SOAP Web-Services, and I came to learn that SQLmap wasn't aware of SOAP syntax.

Being the lazy hacker I am the thought of manually testing the entire application using SOAPUI and some tweaking gave me a chill ,So, I have fired up my Python and patched a small mod to let SQLmap do it's magic on SOAP request too.

Basically, the mod instructs SQLmap to parse XML input into parameter-value map in the same manner that SQLmap was parsing GET/POST parameters.

In the same manner of looking for &parametera=valueA&paramB=valueB.. etc. SQLmap now looks into the XML request and parse it to Child and Value (current mod omit the attributes)

That said, if you wanna get some serious injection and SOAP'n dirty (Ha!) try this patch and let me know ;)

There are three files to patch for version 0.8: agent.py, common.py and traget.py
Happy Hunting ;)

--- /Users/osx/Downloads/sqlmap/./lib/core/agent.py 2010-03-05 11:14:36.000000000 +0200
+++ ./lib/core/agent.py 2010-06-20 13:08:35.000000000 +0300
@@ -32,7 +32,7 @@ from lib.core.data import kb
from lib.core.data import queries
from lib.core.data import temp
from lib.core.exception import sqlmapNoneDataException
-
+from xml.etree import ElementTree as ET

class Agent:
"""
@@ -77,7 +77,15 @@ class Agent:
retValue = value.replace(value, newValue)
else:
paramString = conf.parameters[place]
- retValue = paramString.replace("%s=%s" % (parameter, value),
+ if conf.paramDict["POSTxml"]:
+ root = ET.XML(paramString)
+ iterator = root.getiterator(parameter)
+ for child in iterator:
+ child.text =newValue
+ retValue=ET.tostring(root)
+
+ else:
+ retValue = paramString.replace("%s=%s" % (parameter, value),
"%s=%s" % (parameter, newValue))

return retValue
--- /Users/osx/Downloads/sqlmap/./lib/core/common.py 2010-03-05 11:14:36.000000000 +0200
+++ ./lib/core/common.py 2010-06-20 13:54:01.000000000 +0300
@@ -53,6 +53,7 @@ from lib.core.settings import IS_WIN
from lib.core.settings import SITE
from lib.core.settings import SQL_STATEMENTS
from lib.core.settings import VERSION_STRING
+from xml.etree import ElementTree as ET

def paramToDict(place, parameters=None):
"""
@@ -81,9 +82,9 @@ def paramToDict(place, parameters=None):
splitParams = parameters.split(";")
else:
splitParams = parameters.split("&")
-
- for element in splitParams:
- elem = element.split("=")
+ if place is not "POSTxml":
+ for element in splitParams:
+ elem = element.split("=")

if len(elem) == 2:
parameter = elem[0].replace(" ", "")
@@ -94,6 +95,12 @@ def paramToDict(place, parameters=None):
if condition:
value = elem[1]
testableParameters[parameter] = value
+ else:
+
+ root = ET.XML(parameters)
+ iterator = root.getiterator()
+ for child in iterator:
+ testableParameters[child.tag] =child.text

if conf.testParameter and not testableParameters:
paramStr = ", ".join(test for test in conf.testParameter)
--- /Users/osx/Downloads/sqlmap/./lib/core/target.py 2010-03-05 11:14:36.000000000 +0200
+++ ./lib/core/target.py 2010-06-21 12:47:53.000000000 +0300
@@ -24,6 +24,8 @@ Franklin St, Fifth Floor, Boston, MA 02

import os
import time
+"""for RegEx identification of partterns in POST data"""
+import re

from lib.core.common import dataToSessionFile
from lib.core.common import paramToDict
@@ -44,7 +46,7 @@ def __setRequestParams():
"""

__testableParameters = False
-
+ __paramDict = list()
# Perform checks on GET parameters
if conf.parameters.has_key("GET") and conf.parameters["GET"]:
parameters = conf.parameters["GET"]
@@ -60,14 +62,19 @@ def __setRequestParams():
raise sqlmapSyntaxException, errMsg

if conf.data:
- conf.parameters["POST"] = conf.data
- __paramDict = paramToDict("POST", conf.data)
-
- if __paramDict:
- conf.paramDict["POST"] = __paramDict
- __testableParameters = True
+ conf.parameters["POST"] = conf.data
+ """Search the POST data for tags if found - treat as XML"""
+ if re.match(".*<.*>.*", conf.data):
+ conf.paramDict["POSTxml"] = True
+ __paramDict = paramToDict("POSTxml",conf.data)
+ else:
+ __paramDict = paramToDict("POST", conf.data)
+
+ if __paramDict:
+ conf.paramDict["POST"] = __paramDict
+ __testableParameters = True

- conf.method = "POST"
+ conf.method = "POST"

# Perform checks on Cookie parameters
if conf.cookie:

Pentesting Adobe Flex AMF with Belch

2010-05-03T06:43:00.000-07:00

Hi all, long time no post,
I had to do some developing, got a flex/BlazeDS application to attack.

The AMF architecture is very straight forward, the flash client communicate to BlazeDS server using adobe AMF binary protocol.
Yep, those words Binary-Protocol means some playing around when trying to manipulate in the middle.

So, got myself busy and wrote a new external library for good old Belch. It handles all the decoding-manipulating-encoding on the fly and makes my life easier.

Stay put for sources, I will publish as soon as they are stable

Full disclosure:Security vulnerability in Lenovo™ Laptops(Hotkey™ Driver and Access Connections™ v5.33) - Fix availble

2010-03-08T06:30:00.000-08:00

Subject:
Security vulnerability in Lenovo™ Hotkey™ Driver and Access Connections™ v5.33

Impact:
A privilege escalation attack can be used as a backdoor to bypass login and run arbitrary code as a System user on Lenovo™ or Thinkpad™ laptops running Access Connection™ v5.33 and earlier versions (tracked back to version 4)

Technical details:

The Hotkey™ Driver is an Lenovo™ application that monitors the Lenovo™ special Hotkeys (Fn keys) and execute Lenovo™ specified applications upon their invocation.
The default installation of the Hotkey™ Driver is as a service and runs under NT Authority\System privileges.
Upon hot key detection, the Hotkey™ driver checks the registry key for the specified file to lunch and evokes that file, as example When the Fn + F5 key combination is pressed the Hotkey™ driver checks the registry key named File at HKEY_LOCAL_MACHINE\SOFTWARE\IBM\TPHOTKEY\CLASS\01\05 for its value and then launches the specified application (by default, Tp/AcFnF5.exe).
The Hotkey™ driver is available even prior to Windows login due to its installation configuration.
The value of the registry key to be lunched is not verified at invocation time.
This key is not monitored by the operating system and any change to this key is undetected.
An attacker with restricted access to the registry can use this information to launch a targeted attack on Lenovo™ or Thinkpad™ users that changes this key into an arbitrary application that runs with System permission.

Reproduce:

1. Using the target laptop change the File registry key value at HKEY_LOCAL_MACHINE\SOFTWARE\IBM\TPHOTKEY\CLASS\01\05 from 'Tp/AcFnF5.exe' to 'cmd.exe'.

2. Lock the station ('Windows' + 'L').

3. Press 'Fn'+'F5' and a windows command prompt opens with System privilege.

Mitigation:

Please update Hotkey™ Driver and Access connection™ to the most updated version (link here) at Lenovo™ website

Belch v1.0 - Burp external channel manipulator

2009-12-30T07:08:00.000-08:00

Belch v1.0 is out.

Belch is a plug-in for burp suite designed to aid protocol analysis and manipulation, it is fairly simple.

When dealing with thin client application (such as jser - java serialization protocol ) most of the time the communication between the client and the server is encrypted and transmitted in binary format.

Most proxy tools cannot manipulate binary packets on the fly with a valuable editor, that is why i wrote Belch.

Belch is aimed at helping protocol analysis be smother, once you understood the protocol concepts and write an encryption/decryption tool, you wish to use it upon live communication.

Enters Belch..

Belch lunches as a burp suite plug-in that interacts with the communication on both ends.
Once a message has been trapped burp forwards it to Belch process.

Belch perform the following action on the message:

1. it logs the message to a file
2. it then execute an external editor (user choice , notepad,sed,awk,perl, etc.) on the file, in this step the editor manipulate the message data.
3. once editor process has terminated Belch reads the file content and forward it to Burp onto the wire.

Bellow is a screen capture of Belch settings:

Enable/Disable : this option enable or disable Belch.

Change: this button pops up the Logging folder selection GUI, in this folder Belch will record all the traffic that passes throw it.

Trap Requests: when enabled Belch will pass requests to the External editor for processing.

Trap Responses: when enabled Belch will pass responses to the External editor for processing.

Select: this button pops up the External editor selection GUI, Belch will execute the editor on each selected message as pre-configured in the requests/responses check-boxes.

Automation Enabled: when checked responses that arrived will be preprocessed by the selected processor and the will be sent to the client side of communication.

Automation Folder (Automator): this button will pop up the Automation responses folder selection, when automation is enabled select the first response to be sent to the processor and the to the client, since Belch records it traffic using the ##_Response.raw convention, Belch automation will iterate on the following responses sequentially.

Processor: this button will pop up the processor selection GUI, Belch will execute this processor on each response prior to forwarding it to the client.

Reset: this button will reset the iteration responses into the first response that was selected.

command line arguments:
Belch will process the following tokens when lunched:
Editor - the external editor to use,
LogPath - the folder in which Belch should record its traffic,
Processor - the executable that will be launched on server responses prior to forwarding them to the client.

here is an example of running Belch using notepad as an editor and as an processor

java -Xmx512m -cp burpsuite_v1.2.01.jar;Belch.jar burp.StartBurp Editor="notepad.exe" LogPath=.\temp Processor=notepad.exe

Download from source forge at https://sourceforge.net/projects/belch/
Enjoy :)

new tools - new boundaries to explore !

2009-12-07T21:59:00.000-08:00

It's been a while since my last post, I was preoccupied writing a new tools set for "on the fly" manipulation of Java Serialization packets.
I got to a great progress and now I am finalizing the tools.
Will post soon with tools.

Wrapping it up together

2009-09-30T04:52:00.000-07:00

Following my post on Java serialized object capture, I had some time for cleanup, so here goes:

Problem:
You are trying to pentest a j2ee application, the client - server are deployed using jser protocol for communication (java objects over tcp).
you set up a reverse proxy and capture the conversation on the fly - only thing is that the content of the packets are mainly binary and you don't have anything else to work with except for the Mighty hex-editor :-)

Solution:
my setup is as follows:
client <-> reverse proxy <-> wrapper batch (ngrep-jser)<-> simple proxy <-> server

The wrapper batches automate the analysis process by repeatedly executing ngrep-jser and forwarding the packet to a java desiralization routine that tampers the data and writes back the (now tampered) object.

The new object can be forward to the server instead of the original one by dropping it at the proxy and injecting the new object instead.

ok enough said here are the files
(warning: very straight to the point no hoo-ha's included):

Requests_monitor.bat
--------------------------------
@echo Requests monitor
@SET /P M=Type dst to listen to:
@SET /P F=Type Flowdirectory to write to:

if exist %F%\requests goto start
md %F%\requests

:start
FOR /L %%i IN (1,1,100) DO @echo "Recording Packet to .\%F%\requests\request_%%i" && ngrep -d 2 -q -m -O .\%F%\requests\request_%%i.pcap -X 0x78 dst %m% && java -jar JSER_Descryptor.jar .\%F%\requests\request_%%i.pcap >> .\%F%\requests\request.log
goto start
--------------------------------

Responses_monitor.bat
--------------------------------
@echo Responses monitor
@SET /P M=Type src to listen to:
@SET /P F=Type Flow directory to write to:

if exist %F%\responses goto start
md %F%\responses

:start
FOR /L %%i IN (1,1,100) DO @echo "Recording Packet to .\%F%\responses\response_%%i" && ngrep -d 2 -q -m -O .\%F%\responses\response_%%i.pcap -X 0x78 src %m% && java -jar JSER_Descryptor.jar .\%F%\responses\response_%%i.pcap >> .\%F%\responses\response.log
goto start
--------------------------------

Ngrep 1.45 for Java Serialized Objects

2009-08-03T08:18:00.000-07:00

Following my last post, a new need for adjusting Ngrep has arose.
We needed to let Ngrep identify JSER communication session and to dump the whole req/res into one file so it can be sent to decryption and further analysis.
To address this issue I have added a new option (-m) to Ngrep that identifies the end of object transmitting and exits the pcap_loop upon it.

usage example: ngrep -d 5 -O output.pcap -m -X 0x78 dst host www.mytarget.com

Sources and precompiled windows binary tarball here (sourceforge svn)

A .patch file for use with the original 1.45 distribution can be download here

Building Ngrep 1.45 on VS2008

2009-07-14T01:19:00.000-07:00

update (08-04-2009) check up Ngrep for JSER mod in today's post

Needed to fine tune Ngrep for windows, downloaded the source from the net but it wasn't compatible with the new VS2008 distrib. after some time messing around with it got to a very clean solution, all code changes are marked in green:

download Ngrep sources
download WinCap sources
extract and open with VS2008
fix include lib to point to the WinCap location
open up regex.c and change the regerror() definition
from this:

size_t
regerror (errcode, preg, errbuf, errbuf_size)
int errcode;
const regex_t *preg;
char *errbuf;
size_t errbuf_size;

to this:
size_t
regerror(
int errcode,
const regex_t * preg,
char * errbuf,
size_t errbuf_size)
open ws2tcpip.h from microsoft SDK (usally under c:\program files\microsoft SDKs) and add an ifndef macro definition of you choice (i name it NGREP_COMPILE) before the NTDDI_VERSION LONGHORN check like this:

#ifndef NGREP_COMPILE
#if (NTDDI_VERSION >= NTDDI_LONGHORN)

close this macro at the end of the LONGHORN and add the endif so it will close the wrapper like this:

#endif // TYPEDEFS
#endif // LONGHORN
#endif //NGREP_COMPILE
in config.h define the macro you set in step 6:

add macro definition to end of file like this:

#define USE_DROPPRIVS 0
#define DROPPRIVS_USER "notused"
#define NGREP_COMPILE
that's it now compile and build your self-tailored Ngrep for windows.

iPC 10.5.6 + ThinkpadR50

2009-02-17T04:58:00.000-08:00

Being tackling this one for a week now, just got it all tide up together.

Current works:

Sound AC97
Ethernet Intel Pro 100
ATI Radeon 7500
Touchpad
Keyborad

Not :
Intel 2200 wifi pci

photoes and a quick tutorial in the next days.

a trip to the blacksmith

2009-02-16T03:35:00.000-08:00

on my list, among others are:

thinkpad R50
iPC 10.5.6
xCode
pdb
Racket
Rumble
libevent

trying to forge together a new pentest architecture.

from black to white

2009-02-11T04:14:00.000-08:00

New day, new blog, new job

fading from blak to white.

image by freedigital photos