Saturday, December 23, 2017

Firefox tunnel

A crucial element of the Red Team's task is stealth in the attack. Success is its ability to espouse an aggressive mindset. If the red team wins, an absolute cracker's point of view can help construct a better defence for the Blue Team in the future. Don't bear this content. All content here has a practical purpose.

This blog post is about a different attack approach for remotely controlling a machine and bypassing the firewall. We have many weapons for that purpose, such as the Veil framework and msfvenom, but sometimes following a different path brings good results.

The attack aims to use Firefox to communicate between client and server. Using hooks to do that is not impossible, but DLL injection is sometimes boring to implement and can be harder to make portable. Did you know that x32 and x64 each need a different development approach? (Later I discovered that the EasyHook API could solve that.) The other day I was studying the Firefox internals, and reading about its use of SQLite to store cookies gave me a different focus.
Look at the following:

That is a complete plan for a program that uses Firefox as the tunnel. I am going to explain each step:

1- The tunnel program calls the Firefox browser in hidden mode with a URL. The URL points to a malicious server, and that malicious server sends a cookie containing a command.

2- The tunnel gets the evil server's cookie from cookies.sqlite and uses it in the command shell.

3- The result of the command shell is used to write an HTML file with JavaScript that auto-submits the result content.

4- The program opens the written HTML in hidden mode to send the CMD result to the malicious server.


Now you can look at the following:

For a satisfactory conclusion, I wrote the code and recorded the proof of concept. The incredible fact of the empirical point turns all into reality. You can view all the stuff at the following:



https://github.com/convisoappsec/firefox_tunnel



Future insights:



* Insert persistence, using the function RegOpenKeyEx() to open the path "Software\Microsoft\Windows\CurrentVersion\Run" and the function RegSetValueEx() to write a value that launches a program automatically at system startup.

* Using images for I/O through steganography.

* Running the process in hidden mode.

* Turning the tunnel into an unkillable process.


Possible mitigations:



* Global hooking of the OpenFile() and CreateFile() functions, filtering on the argument "cookies.sqlite" and blocking the call when the calling program's path is not firefox.exe.

* A file-watch API to monitor the cookie database.

* A program that periodically opens the cookie database and searches for wrong domains or hosts; it can use a blocklist to find them and a DELETE query to remove the evil cookie.




Thank you for reading this. Cheers!

Saturday, December 31, 2016

Killing dragons spawned by arithmetic-related security pitfalls

In the last week, which followed my attempt to earn money with financial trading, I glanced through the Black & Scholes model.


This study resulted in the creation of OptionsCat, an open-source tool to work with European options. I faced many arithmetic-related security pitfalls when writing this tool, which motivated me to study them and write a blog post.

I always develop my own implementations of the algorithms presented throughout the finance books. That's because the writers are often careless about security pitfalls. From this article's perspective, this is a problem, or dragon, that can be solved by adding a chapter about validation.


Programming languages that enable direct memory access and do not provide buffer boundary checks and arithmetic numeric checks are particularly vulnerable to integer overflow attacks. An integer overflow may occur when computing the memory size to allocate a buffer, often leading to a buffer overflow.

 

 Look at the following quote: 


 "Integer overflows cannot be detected after they have happened, so there is no way for an application to tell if a result it has calculated previously is correct. This action can get dangerous if the calculation has to do with a buffer's size or how far into an array to index. Of course, most integer overflows are not exploitable because memory is not being directly overwritten, but sometimes they can lead to other bug classes, frequently buffer overflows. As well as this, integer overflows can be difficult to spot, so even well-audited code can spring surprises." 

 by blexim - Phrack Volume 0x0b, Issue 0x3c, Phile #0x0a of 0x10


Some people suggest using a big-integer library such as LibGMP to solve this. But when you work with big integers you still need to limit the numbers: big-integer arithmetic on user input of considerable length can cause denial of service. Integers are not hard to find in the stock markets, but double is usually what is expected, and it can bring you a problem if you don't control the length, for example:

#include <math.h>
#include <stdio.h>

/* Multiplies two doubles with no range or precision validation. */
double mul_code(double x, double y)
{
  double result = 0;

  return result = x * y;
}

int main(void)
{
  double a = 90000000000, b = 20000000000000;

  printf("Result: %f\n", mul_code(a, b));
  return 0;
}

If you compile and run it, it returns something like "1799999999999999916112.*(dirts...)". You may ask me, "why does it return that?" You did not validate the operation and passed the carrying limit. This action can cause undefined behaviour and overflow.


Killing dragons in integers 


There are lots of ways to solve this. One is validating user input: you can use automatons, regular expressions, and strnlen() to limit the length of the numbers. Remember Phrack: the correct way to test for integer overflow during multiplication is to check before the multiplication, test whether the number is negative, and replace functions like atoi() with strtol().
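The validation steps above (limit the input length, parse with strtol() instead of atoi(), reject negatives, test before multiplying), put together as an added example. It is not code from OptionsCat or from the Phrack article, and `MAX_DIGITS`, `parse_quantity()`, `checked_mul()` and `total_from_strings()` are names assumed here.

```c
#define _POSIX_C_SOURCE 200809L   /* for strnlen() */
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

#define MAX_DIGITS 18   /* assumed input length limit for this example */

/* Parse a non-negative decimal number; false means "reject the input". */
bool parse_quantity(const char *s, long *out)
{
    char *end = NULL;
    size_t len;
    long v;

    if (s == NULL || out == NULL)
        return false;
    len = strnlen(s, MAX_DIGITS + 1);
    if (len == 0 || len > MAX_DIGITS)
        return false;                 /* empty or too long */

    errno = 0;
    v = strtol(s, &end, 10);
    if (errno == ERANGE)              /* value does not fit in a long */
        return false;
    if (end == s || *end != '\0')     /* no digits, or trailing garbage */
        return false;
    if (v < 0)                        /* negative numbers are rejected */
        return false;
    *out = v;
    return true;
}

/* Multiply two non-negative longs, testing for overflow BEFORE multiplying. */
bool checked_mul(long a, long b, long *result)
{
    if (a < 0 || b < 0 || result == NULL)
        return false;
    if (a != 0 && b > LONG_MAX / a)
        return false;                 /* a * b would exceed LONG_MAX */
    *result = a * b;
    return true;
}

/* Parse both operands from text and multiply them with the checks above. */
bool total_from_strings(const char *qty, const char *price, long *total)
{
    long q, p;

    return parse_quantity(qty, &q) && parse_quantity(price, &p)
        && checked_mul(q, p, total);
}
```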

 

 

Some operating systems provide library solutions to mitigate the problem. For example, OSX has os/overflow.h. With this header, you can do something like this:

#include <os/overflow.h>

if (os_mul_overflow(m, n, &bytes)) {
    /* Overflow occurred.  Handle appropriately. */
} else {
    /* Allocate "bytes" space. */
}

Another way to mitigate this comes from OpenBSD:

#include <stdint.h>
#include <stdlib.h>

#define MUL_NO_OVERFLOW ((size_t)1 << (sizeof(size_t)*4))
// based on the OpenBSD reallocarray() function http://man.openbsd.org/reallocarray.3
// DEBUG() is a logging macro that has to be defined elsewhere in the program
void *reallocarray (void *ptr, size_t nmemb, size_t size) 
{
 // both factors below sqrt(SIZE_MAX + 1) cannot overflow, so the division is skipped
 if ((nmemb >= MUL_NO_OVERFLOW || size >= MUL_NO_OVERFLOW) && nmemb > 0 && SIZE_MAX / nmemb < size) 
 {
  DEBUG("integer overflow block");
  return NULL;
 }

 void *p = realloc (ptr, nmemb*size);

 if (p == NULL) 
  return NULL;

 return p;
}

Another approach is to use libraries and other ways of writing safe code with integers. Calling safe_add(), safe_sub(), safe_mul() and safe_div() for each operation is very dull in significant expressions; thinking about that, I wrote a solution. Look at my project here!


Killing dragons in double



The CERT C book by Robert Seacord has an example of solving the problem for double. Derivatives and futures involve a lot of operations with double, and one way to detect a possible bug is to use the function fetestexcept():







For inputs, don't use the atof() function. Replace it with strtod(), and take a look at the following code here.


Thank you for reading.
Cheers!

Monday, August 8, 2016

Steps to create your WAF(web application firewall) in C

Following the common definition (like OWASP's), a WAF is a piece of software intended to protect a web app at the application level. Nowadays, a WAF's behaviour is not defined only by the web app: it is not a customized solution specific to that application but, similarly to a general software firewall, one that contains parameters to protect against intrusion in a wide variety of frameworks and code.

Firewall burning invaders hehehe !

Let's clear your mind. There is overlap between the different types of firewalls. Software and hardware firewalls are used in their own right to protect networks. However, with their specialized function for web applications, WAFs can take the form of either of those two main types. By default, a firewall uses a blocklist, protecting against individual, previously logged attacks.

Additionally, it can also use an allowlist, providing allowable users and instances of interaction for the application. Another function is to block SQL Injection attacks and XSS attacks... In another context, WAFs can create random tokens and put them in forms to stop web robots and automated attacks. This practice can try to mitigate CSRF pitfalls.


Before you ask "how do I create my WAF?", I have got to bring you some principles, that is, the theory around the facts.


There are two common kinds of WAF:


1- A plugin in the HTTPd that gets the INPUT or OUTPUT information: before the HTTPd finishes receiving the request, the plugin blocks some contents. This kind focuses on HTTP methods such as POST, GET...


2- This way is my favourite. It is an independent reverse proxy server. It brings all client requests to the proxy, and the proxy analyses the content. If the content is not blocked, it sends all the information to the external server.



Number One is cold, and this path is not fully portable. Another bad thing is that you need to create a different plugin for each HTTPd: one for Apache, another for NGINX, IIS, Lighttpd... it's not cool! If you are not an excellent low-level programmer, you can try using Twisted Python. It is easy to make a reverse proxy with it, but it is not the right way because it does not have good performance in production. If that pisses you off, study the Stevens book on sockets.


OK, the title of this post is "create WAF in C". The task is entirely done, commented, and comes with some documentation in LaTeX... relax, you can get it in this repository: https://github.com/CoolerVoid/raptor_waf

 

Raptor WAF is a simple web application firewall made in C following the KISS principle. For polling it uses the select() function, which is not better than epoll() or kqueue() from *BSD but is portable. The core of the match engine uses a DFA to detect XSS, SQLi and path traversal; you can see it here: https://github.com/CoolerVoid/raptor_waf/tree/master/doc/test_dfa
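A table-driven DFA of the kind described above, shown for path traversal only. This is an added example, not code from Raptor WAF; the state names and `has_dotdot_segment()` are assumptions made here.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>

enum cls   { C_SLASH, C_DOT, C_OTHER, C_COUNT };
enum state { S_START, S_DOT1, S_DOT2, S_SEG, S_HIT, S_COUNT };

/* Transition table: rows are states, columns are character classes.
 * S_START = at the start of a path segment, S_SEG = inside a normal one. */
static const unsigned char delta[S_COUNT][C_COUNT] = {
    /*            '/'      '.'     other */
    [S_START] = { S_START, S_DOT1, S_SEG },
    [S_DOT1]  = { S_START, S_DOT2, S_SEG },
    [S_DOT2]  = { S_HIT,   S_SEG,  S_SEG },
    [S_SEG]   = { S_START, S_SEG,  S_SEG },
    [S_HIT]   = { S_HIT,   S_HIT,  S_HIT },
};

static int hexval(int c)
{
    if (c >= '0' && c <= '9')
        return c - '0';
    c = tolower(c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Consume one byte, or one %XX escape, and return its character class. */
static enum cls next_class(const char **p)
{
    const unsigned char *s = (const unsigned char *)*p;
    int c = s[0];

    if (c == '%' && hexval(s[1]) >= 0 && hexval(s[2]) >= 0) {
        c = hexval(s[1]) * 16 + hexval(s[2]);
        *p += 3;
    } else {
        *p += 1;
    }
    if (c == '/' || c == '\\')
        return C_SLASH;
    return (c == '.') ? C_DOT : C_OTHER;
}

/* True when the path contains a ".." segment, raw or percent-encoded. */
bool has_dotdot_segment(const char *path)
{
    enum state st = S_START;

    while (*path != '\0' && st != S_HIT)
        st = delta[st][next_class(&path)];
    return st == S_HIT || st == S_DOT2;   /* ".." at end of input counts too */
}
```

Only one level of percent-encoding is decoded, so a double-encoded sequence such as %252e is not flagged; a filter in front of a real server has to normalise the input before matching.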


 No more words, look at the following :




Thank you for reading this! 
Cheers!

Monday, August 1, 2016

Talking about text classifiers

Over the last year, I searched for something about machine learning, trying to detect spam in my private projects. I saw something about KNN, random decision forests and naive Bayes.


Consequently, I wrote a C++ library to classify texts and some slides for a presentation, which you can view at the end of this blog post.

I chose Naive Bayes because it is one of the simplest classifiers, based on Bayes' theorem with naïve and complete independence assumptions. It is one of the most basic text classification techniques, with various uses: email spam detection, document categorization, sexually explicit content detection, personal email sorting, language detection and sentiment detection (I think something like NLP). Despite the naïve design and oversimplified assumptions that this technique uses, Naive Bayes performs well in many complex real-world problems. Another good thing is that Naive Bayes is suitable for limited CPU and memory resources.
To optimize detection accuracy, I use a DFA (deterministic finite automaton) to match patterns and put each match in a ranking. That ranking has one classification. You can view the following code here. To make your automaton, you can also use Flex and Bison.


If you look at slide number 12 of the presentation, you can see my point of view about using ranking to optimize the accuracy of the classifier's results.

 


So, this is a very cool trick to gain accuracy. No more words, friends. Thank you for reading this!

Cheers!

Wednesday, May 18, 2016

Uncommon trick to bypass windows firewall

When I was about to write this post I remembered a scene from the Monty Python movie. It's about a black knight that blocks a bridge (his main purpose) saying the following to Arthur, a guy who insisted on crossing the bridge in safety: "None shall pass!". But Arthur kept on insisting, so the black knight said: "Then you shall die.".

A firewall is supposed to stop all applications that don't have a good reason to get privileged access to computers or networks. If your app could "bypass" it, so could malicious applications. A firewall plays the same role as the black knight, i.e. it prevents anything suspicious from crossing the bridge.

You can configure firewalls to let particular connections go through the checks, but sometimes you need physical access to the equipment running the firewall to do that.  Don't you have access to the equipment running the firewall? If so, you need to bypass it.

Are you willing to change rules via RegEdit to allow a specific service to run? I have some bad news for you. Your antivirus can detect this trick, because it's a common approach used by malware.
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
  • SYSTEM\ControlSet%03d\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List

Before you say "I can try to hook it" or "I can execute a function like execl() or system() with the following argument":
  • netsh advfirewall set currentprofile state off
What if I tell you that you can use the Windows API to simulate a keystroke so as to bypass firewall checks?

Windows has the function SendInput() to simulate a keystroke. This function accepts as argument an array of INPUT structures. The INPUT structures can be either a mouse or a keyboard event. The keyboard event structure has a member called wVk which can be any key on the keyboard.

SendInput() played an important role when writing the code for bypassing Windows firewall. How does it work? 

Firstly, it finds a window with the title 'Windows Security Alert' using the function GetWindowText(). Secondly, it calls SendInput() with the TAB and ENTER keys to choose the button 'allow access'. As simple as that.

Take a look at the following video:



Take a look at my code that bypasses Windows firewall:
https://github.com/CoolerVoid/X_files/blob/master/docs/PoCs/bypass_firewall_windows.cpp 

This is a very cool trick. No more words friends. Thank you for reading this!


cheers !

Thursday, April 21, 2016

Hack any TV remote control

Do you have an old TV remote? What if I told you that you can write your own code to communicate with this remote control?

You can do it!

Infrared remote control is cool; the idea of this blog post is to turn it into a presentation tool. With this remote it is easy to keep your finger on the advance button and simply advance slides, or turn the screen back, in your favorite PDF viewer.

Think like MacGyver: handle a difficult situation through improvisation, using only available materials to do an intelligent activity...

OK, let's go to the hack...

First step: you need to get some things:

  • Computer with a Unix-like OS (in my tests I am using Fedora Linux)
  • Any TV remote control (I use a Samsung model “AA59-00469A”)
  • Arduino nano - 12.00 USD
  • IR recv (model “1838B”) - 2.00 USD
  • Jumpers - 1.00 USD
  • Breadboard - 2.50 USD

The total cost is 17.50 USD, which looks good and is not expensive. Try following this image to assemble your hardware:




  • Green wire is GND 
  • Orange wire is 5v 
  • Yellow wire is pin 6(this is input  to make communication with arduino) 
  • USB connected at arduino(usually at mini series uses FTDI input)

Second step: mapping your TV remote control:

In this step we get some libraries. Look at the following:

  • $ git clone https://github.com/shirriff/Arduino-IRremote 
  • $ mv Arduino-IRremote ArduinoRemote; sudo cp -rf ArduinoRemote/ /usr/share/arduino/libraries 

In your Arduino IDE you can see usage examples under the "File" tab; load the example that shows the serial input. Look at the following:




The function Serial.println() shows the output of the serial input. For example, when you hold button one of the TV remote control, this action shows the hexadecimal value "E13DDA28".

With the button mapping done, the next step is to use the open() syscall to open the file "/dev/ttyUSB0" and the read() syscall to get the inputs of the Arduino device. Remember to put a different condition for each button input of the device.

To automate key presses on a Unix-like system, you need libraries like libXtst and libX11 to emulate the keys that turn the presentation screens. To install these libraries, look at the following:
$ yum install libXtst-devel libX11-devel
On deb-based distros use apt-get install pkg_name-dev

To get the final code, rewrite lines 152 and 159 with the addresses of your button mapping, compile it and run:

$ git clone https://github.com/CoolerVoid/arduino_ppt_walk 
$ gcc IR_remote.c -o IR_remote -lX11 -lXtst -Wall
$ ./IR_remote /dev/ttyUSB0
Look at the following:

https://www.youtube.com/watch?v=Wx64BfLgxQU

Saturday, April 16, 2016

Solving the fizzbuzz problem in Assembly code

Hello ladies and gentlemen, also the loyal readers of my blog. In this post, we will not be working with optimization techniques. Instead, I will share a small challenge that I worked on. Working on a small challenge can be a good way of relieving stress at the end of the day.

For those who don't know, the problem is about replacing a number that is a multiple of 3 or 5 by Fizz or Buzz, respectively. Numbers that are multiples of both 3 and 5 should be replaced by "FizzBuzz".

More information about the problem can be found  here.

This problem can be easily solved using a high-level programming language, but if you use Assembly language instead, it's harder.

That's basically what I am going to share with you. I solved fizzbuzz using x86-64 Assembly with Intel syntax.

Let's take a look at the code:

;; Author: CoolerVoid
;;
;; https://en.wikipedia.org/wiki/Fizz_buzz
;; for multiples of three print "Fizz" instead of the number, and for the multiples of five print "Buzz".
;; For numbers which are multiples of both three and five print "FizzBuzz".
;;
;; $ nasm -g -f elf64 fizz_buzz_game.asm -o buzz.o
;; $ ld -m elf_x86_64 buzz.o -o gamebuzz; ./gamebuzz
section .data
 tick db 'tick'
 fizz db 'fizz'
 buzz db 'buzz'
 newline db 0xA
section .bss
 three resb 1      
 five resb 1      
 zero resb 1      

section .text
global _start

_start:
 xor si, si
 mov si,      0xFF
 mov [three], byte 0x3
 mov [five],  byte 0x5

Loop:
 push si   
 mov [zero], byte 1
 sub [three], byte 1
 mov bl, [three]
 cmp [three], byte 0
 jne Zero_Fizz
 mov [three], byte 3
Zero_Fizz: 
 xor rax, rax   
 cmp bl, 0x0
 jnz Not_Fizz
 mov [zero], byte 0
 mov rax, 4              ; syscall write()
 mov rbx, 1
 mov rcx, fizz
 mov rdx, 4
 int 0x80
Not_Fizz:
 sub [five], byte 1
 mov bl, [five]

 cmp [five], byte 0
 jne Zero_Buzz
 mov [five], byte 5
Zero_Buzz: 
 xor rax, rax  
 cmp bl, 0x0
 jnz Not_Buzz
 mov [zero], byte 0
 mov rax, 4           ; syscall write()
 mov rbx, 1
 mov rcx, buzz
 mov rdx, 4
 int 0x80
Not_Buzz:
 xor rax, rax
 mov al, [zero]
 cmp al, 0x0
 jz Not_Tick
 mov rax, 4         ; syscall write()
 mov rbx, 1
 mov rcx, tick
 mov rdx, 4
 int 0x80
Not_Tick:
 push 0x0
 xor rax, rax
 mov rax, 4         ; syscall write()
 mov rbx, 1
 mov rcx, newline
 mov rdx, 1
 int 0x80
 pop rax
    
 pop si
 dec si
 jnz Loop
    
 mov rax, 1        ; syscall exit()
 mov rbx, 0
 int 0x80


If you have familiarity with Assembly, you will notice that the solution is simple. For those unfamiliar, Assembly is not hard, but it does require that the programmer pays attention to slight details.

If you have doubts, you can decrease the value 0xFF at line 24 and try running it again... it is all right to do this...

My fifty cents ! CHEERS !



The magic of bits

Before the long tale of the course of magic bits, let's go for a little walk in the world of the C language. A variable of type int has 4 ...