siberas blog - misc stuff about itsec<br />
<br />
<h2>
Pwning Adobe Reader - SyScan360 and Infiltrate 2016 slide decks</h2>
Published 2016-04-12<br />
Hi everyone,<br />
<br />
in the last few weeks I've given two presentations (@ SyScan360, Singapore and Infiltrate, Miami) about Pwning Adobe Reader using its embedded XFA engine. <br />
<br />
The URLs to the slide decks can be found below. Besides the PDFs I also uploaded the PPTX versions since some might have reservations opening PDFs from me (at least with Adobe products...) ;-)<br />
<br />
<br />
The analytical part of the presentations (symbol recovery, object and jfCacheManager analysis) is mostly identical. The main difference is the practical exploitation part: at SyScan360 I explained how to abuse a 0-DWORD write primitive to create a memory leak (thus bypassing ASLR) and to get near 100% reliable, OS- and version-independent code execution within the sandboxed Reader process. At Infiltrate I used a 0day exploit to showcase the great flexibility of the exploitation technique and explained the general steps to exploit a rather "ugly" vulnerability which does not give you a clean, controlled write primitive.<br />
<br />
<ul>
<li><a href="http://siberas.de/presentations/SyScan360_2016_-_Pwning_Adobe_Reader_with_XFA.pdf" target="_blank">SyScan360_2016_-_Pwning_Adobe_Reader_with_XFA.pdf</a></li>
<li><a href="http://siberas.de/presentations/SyScan360_2016_-_Pwning_Adobe_Reader_with_XFA.pptx" target="_blank">SyScan360_2016_-_Pwning_Adobe_Reader_with_XFA.pptx</a></li>
</ul>
<ul>
<li><a href="http://siberas.de/presentations/Infiltrate_2016_-_Pwning_Adobe_Reader_with_XFA.pdf" target="_blank">Infiltrate_2016_-_Pwning_Adobe_Reader_with_XFA.pdf</a> </li>
<li><a href="http://siberas.de/presentations/Infiltrate_2016_-_Pwning_Adobe_Reader_with_XFA.pptx" target="_blank">Infiltrate_2016_-_Pwning_Adobe_Reader_with_XFA.pptx</a> </li>
</ul>
<br />
[ Please note that the layout of the Powerpoint version gets a bit screwed
up when viewed with mobile PPTX readers (such as the one embedded in
iOS)... ]<br />
<br />
A technical writeup which goes deeper into the topic of Pwning the Reader will be released soon. Stay tuned :)<br />
<br />
Cheers,<br />
Sebastian<br />
<br />Posted by Sebastian Apelt<br />
<h2>
Pwn2Own 2014 - Escaping the sandbox through AFD.sys</h2>
Published 2014-07-11<br />
This year Andy and I were finally able to take part in the Pwn2Own contest during the CanSecWest conference in Vancouver. We won the Internet Explorer 11 competition by compromising a fully-patched Windows 8.1 (x64) system.<br />
For successful exploitation we abused three distinct vulnerabilities:
<br />
<ul>
<li>Two Internet Explorer 11 Use-After-Frees which evaded ASLR/DEP and gave us userland code execution</li>
<li>One Windows Kernel vulnerability to escape the Internet Explorer sandbox and execute code with SYSTEM privileges.</li>
</ul>
(In fact, we needed three Internet Explorer vulnerabilities, since the second vulnerability in our exploit chain had been patched the day before the contest - yes, it was a rather sleepless night.)<br />
<br />
The vulnerabilities have been patched in the Microsoft Security Bulletins <a href="https://technet.microsoft.com/library/security/ms14-035" target="_blank">MS14-035</a>, <a href="https://technet.microsoft.com/library/security/ms14-037" target="_blank">MS14-037</a> and <a href="https://technet.microsoft.com/library/security/ms14-040" target="_blank">MS14-040</a>.<br />
<br />
The vulnerability analysis, a detailed description of the exploitation process and the patch analysis can be downloaded <a href="http://www.siberas.de/papers/Pwn2Own_2014_AFD.sys_privilege_escalation.pdf" target="_blank">HERE</a>.<br />
<br />
Hopefully see you at next year's Pwn2Own! :)<br />
Sebastian<br />
<br />
<br />Posted by siberas<br />
<h2>
Custom Viewer</h2>
Published 2013-10-26<br />
<div class="MsoNormal">
With release 0.9.17 WATOBO introduced a new viewer pane. This custom viewer gives you full control over how the output looks. It enables you to parse the response (extract, format, decode, …) and display only the relevant parts using the power of Ruby; an example follows shortly.<br />
The custom viewer is available in the main window’s response viewer as well as in the manual request editor response. We use the latter for this tutorial.<br />
Here’s the place we’re talking about:</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjaWXkvPVBCyIlzdCINQHb-yt0jaTHu6ycSnM3LccjZq1B7WuCsvFFnjYgRODh4Dj8eV_PRFVDk_1UQd5OxreGlBUtbb_FEyT7iMwec4e10licV76Zi_BcUVaKVFBvoHDPVTkqw1AVO5WAz/s1600/2013-10-25_17-09-15.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="146" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjaWXkvPVBCyIlzdCINQHb-yt0jaTHu6ycSnM3LccjZq1B7WuCsvFFnjYgRODh4Dj8eV_PRFVDk_1UQd5OxreGlBUtbb_FEyT7iMwec4e10licV76Zi_BcUVaKVFBvoHDPVTkqw1AVO5WAz/s400/2013-10-25_17-09-15.png" width="400" /></a></div>
<h4>
Example</h4>
<div class="separator" style="clear: both; text-align: left;">
Our example function takes two parameters ‘char’ and ‘count’. The JSON response contains the parameter ‘answer’, which looks base64 encoded:</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3Uz0vn6MEzU2vRvwEDRNH2BOJu3lqdZmwHCOUK0Niwu8ly93wDRn2vMtKmjwJk5k6iAbTEBkZji1fwe08qOvmjk_zev_0RYPR9eFpbz7TBJ4J-u-ClWN7TCJMpEa02R_nNoAlzQCbJrN0/s1600/2013-10-25_17-15-24.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="217" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3Uz0vn6MEzU2vRvwEDRNH2BOJu3lqdZmwHCOUK0Niwu8ly93wDRn2vMtKmjwJk5k6iAbTEBkZji1fwe08qOvmjk_zev_0RYPR9eFpbz7TBJ4J-u-ClWN7TCJMpEa02R_nNoAlzQCbJrN0/s400/2013-10-25_17-15-24.png" width="400" /></a></div>
<div>
<br />
For decoding, select the base64 string, right-click and send it to watobo’s transcoder …</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhcJIleBcpfV5rX2wV6OH8VAj5ba6gneqAJ-HgzsxSmZYHCM4FaolqoKgFKSG9HE_pSSqZk9C1OeZtGFtF4xbaeODVD-CVDMuNWCjstzWbCPPAgGQRPvkQPQXuEzupuEgE6jYRpHJRXi2Ts/s1600/2013-10-25_17-22-57.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhcJIleBcpfV5rX2wV6OH8VAj5ba6gneqAJ-HgzsxSmZYHCM4FaolqoKgFKSG9HE_pSSqZk9C1OeZtGFtF4xbaeODVD-CVDMuNWCjstzWbCPPAgGQRPvkQPQXuEzupuEgE6jYRpHJRXi2Ts/s400/2013-10-25_17-22-57.png" width="316" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
and finally decode it. But it still doesn't look human readable:</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhBPbe57bsuAIwMje4uKtkPdJuE_fbLGUneacwlaZtQy3xL3dzOYHjUbe25JhEOIr5GstZov4O0fg29Wlt4h_UILaYYOa1FeV-CgBbfvKE_eU7Es9oPJq1ct83AF1e2paFLTDzdjpyV4Z6O/s1600/2013-10-25_17-27-25.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="259" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhBPbe57bsuAIwMje4uKtkPdJuE_fbLGUneacwlaZtQy3xL3dzOYHjUbe25JhEOIr5GstZov4O0fg29Wlt4h_UILaYYOa1FeV-CgBbfvKE_eU7Es9oPJq1ct83AF1e2paFLTDzdjpyV4Z6O/s640/2013-10-25_17-27-25.png" width="640" /></a></div>
<div>
<br />
There's no well-known magic byte, but because of the two parameters ‘char’ and ‘count’ …
bla … bla … bla … I know that the response is deflated with zlib ;)<br />
Let’s prove it in irb:<br />
<div class="code">
>> require 'zlib'<br />
>> require 'base64'<br />
>> Zlib::Inflate.new(-Zlib::MAX_WBITS).inflate Base64.decode64("Cw+HAQA=")<br />
WWWWWWWWWW</div>
<br />
<br />
This looks much better!<br />
<br />
Cool, but it is not very comfortable if you have to copy-paste this string for each single response. So this is the time for the custom viewer. To automate this process (extract, decode and finally inflate) we only have to write a small handler. This handler consists of a Ruby lambda which receives the response object as an argument.<br />
<br />
The bare handler skeleton looks like this:<br />
<div class="code">
lambda{|response|<br />
}
</div>
<br />
<br />
Because the return value of the handler function will be displayed, it is a good choice to return a string.<br />
<br />
<br />
The final code should look like this:<br />
<br />
<div class="code">
# the handler needs these three libraries<br />
require 'json'<br />
require 'base64'<br />
require 'zlib'<br />
<br />
lambda{|response|<br />
  h = JSON.parse(response.body.to_s)<br />
  bin = Base64.decode64(h['answer'])<br />
  Zlib::Inflate.new(-Zlib::MAX_WBITS).inflate bin<br />
}<br />
</div>
<br />
Now, save it and go on with the custom viewer:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj231mE-c_uw0iJ5GHVlOF0Q8uKUhJ3Er6hLp3Ky9v1OiI6EuLiA0Vun5_D0MRrKedbLkm1Z5EYiIbBBDOAH1CHE_Hily5DWunrTqLIwXH_WyUQbj2g8s0Z8P1ILfneHdFE5Kuftvw8Ra_e/s1600/2013-10-25_18-01-27.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="201" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj231mE-c_uw0iJ5GHVlOF0Q8uKUhJ3Er6hLp3Ky9v1OiI6EuLiA0Vun5_D0MRrKedbLkm1Z5EYiIbBBDOAH1CHE_Hily5DWunrTqLIwXH_WyUQbj2g8s0Z8P1ILfneHdFE5Kuftvw8Ra_e/s640/2013-10-25_18-01-27.png" width="640" /></a></div>
<br />
You should see the red sign "No handler!". Press ‘add’ and select our freshly created handler file.<br />
The sign should now have turned green, saying "Handler ready!".<br />
<br />
*DRUMS_PLEASE* … press “SEND” … et voilà!<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhMY4OmpsiMAbV1wlhEKOiurl-G4gIX9Pg8d54wLyECY3Rd_fzdqCzWaqzsiSzlpyYOtOL5XwEVBCkSTd1bQI-aXFOr6YSCctZGG64_MRboVyeiOMTeW9Zzk7m-jAWdvL6zuedYVm_AVYEC/s1600/2013-10-25_14-16-23.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="232" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhMY4OmpsiMAbV1wlhEKOiurl-G4gIX9Pg8d54wLyECY3Rd_fzdqCzWaqzsiSzlpyYOtOL5XwEVBCkSTd1bQI-aXFOr6YSCctZGG64_MRboVyeiOMTeW9Zzk7m-jAWdvL6zuedYVm_AVYEC/s640/2013-10-25_14-16-23.png" width="640" /></a></div>
<br />
The viewer shows only the extracted, decoded and finally inflated value.<br />
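The handler above only covers the happy path. The following is an added, stand-alone version of it that is not part of WATOBO: it shows how a viewer handler can report a response that does not have the expected shape (an error page, a missing field, corrupt data) instead of raising inside the viewer. FakeResponse is a constructed stand-in for WATOBO's response object (only `body` is used), and the sample body is constructed from the base64 string shown in the irb session.

```ruby
require 'json'
require 'base64'
require 'zlib'

# Constructed stand-in for WATOBO's response object: the handler only uses
# `response.body.to_s`, so a Struct with a body member is enough to run it
# outside WATOBO.
FakeResponse = Struct.new(:body)

# Extract 'answer', base64-decode it and inflate the raw deflate stream
# (negative window bits = no zlib header, as in the irb session above).
# Any failure is turned into a readable message followed by the untouched
# body, so the viewer still shows something useful when a response does not
# have the expected shape.
def decode_answer(response)
  h = JSON.parse(response.body.to_s)
  raise KeyError, "no 'answer' field in response" unless h.is_a?(Hash) && h.key?('answer')
  bin = Base64.strict_decode64(h['answer'])   # strict: reject garbage instead of guessing
  Zlib::Inflate.new(-Zlib::MAX_WBITS).inflate(bin)
rescue JSON::ParserError, KeyError, ArgumentError, Zlib::Error => e
  "[custom viewer] #{e.class}: #{e.message}\n\n#{response.body}"
end

# The lambda form WATOBO expects in a handler file: the last expression of
# the file is the handler, and its return value is what the viewer displays.
VIEWER_HANDLER = lambda { |response| decode_answer(response) }

if __FILE__ == $0
  sample = FakeResponse.new('{"answer":"Cw+HAQA="}')   # constructed sample
  puts VIEWER_HANDLER.call(sample)                      # => WWWWWWWWWW
end
```

Returning the error text together with the raw body means a broken response is never silently hidden by the viewer; you see both why decoding failed and what actually came back.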
<br />
If you like it, please spread the word!<br />
<br />
[as]<br />
<br />
<br /></div>
Posted by siberas<br />
<h2>
Installing FX/Ruby on (Kali) Linux</h2>
Published 2013-03-18<br />
Like most common Linux distributions, Kali Linux has its own Ruby package. But using these pre-built packages is often a pain in the ... ahm ... not the best choice, especially if you need to compile your own modules.
From my experience with Ruby on Linux, I recommend using <a href="https://rvm.io/rvm/">RVM (Ruby Version Manager)</a> to install Ruby. This little tutorial will show you how to install (FX)Ruby on Kali Linux.
<br />
<br />
I assume you're using Kali Linux as an unprivileged user (not/never root!). If not, it's not my problem ;)
<br />
If you are running as root, create an unprivileged user with the following commands:
<br />
<div class="code">
# useradd (not Debian's adduser wrapper) understands -m, -s and -G<br />
useradd -m -s /bin/bash -G sudo "your_username"<br />
passwd "your_username"<br />
[now enter your super-secure-password]
</div>
<br />
Now log out 'root' and log in as your new user
<br />
<br />
<span style="color: red;"><b><span style="font-size: large;">Note: The following steps are meant to be executed as an unprivileged user!
</span><br />Otherwise RVM will install itself as a multi-user environment, which will not work for this tutorial.
</b></span><br />
<h2>
1. Install Additional Packages</h2>
These packages are necessary to compile fox-toolkit, fxscintilla and opengl, which are essential for fxruby.
<br />
<div class="code">
for pkg in bash curl git patch bzip2 build-essential openssl libreadline6 libreadline6-dev git-core zlib1g zlib1g-dev libssl-dev libyaml-dev libsqlite3-dev sqlite3 libxml2-dev libxslt-dev autoconf libc6-dev libgdbm-dev ncurses-dev automake libtool bison subversion pkg-config libffi-dev libx11-dev libxcursor-dev libxext-dev libxrandr-dev libxft2-dev freeglut3-dev libjpeg-turbo8-dev libjpeg8-dev libjpeg-dev zlib1g-dev libbz2-dev libpng12-dev libtiff4-dev;<br />
do<br />
sudo apt-get -y install $pkg<br />
done<br />
<br />
# ftp://ftp.fox-toolkit.org/pub/fox-1.6.47.tar.gz<br />
# Download and compile fox-toolkit<br />
# version 1.6.44 works<br />
# version 1.7.x is incompatible with fxruby<br />
# http://www.fox-toolkit.org/<br />
wget http://ftp.fox-toolkit.org/pub/fox-1.6.47.tar.gz<br />
tar xzvf fox-1.6.47.tar.gz<br />
cd fox-1.6.47<br />
./configure<br />
make<br />
sudo make install<br />
cd ..<br />
<br />
# Download and compile fxscintilla<br />
wget http://download.savannah.gnu.org/releases/fxscintilla/fxscintilla-2.28.0.tar.gz<br />
tar xzvf fxscintilla-2.28.0.tar.gz<br />
cd fxscintilla-2.28.0<br />
./configure<br />
make<br />
sudo make install<br />
cd ..
</div>
<br />
<br />
Now it's time to lay back and get a coffee ...<br />
<h2>
2. Install RVM</h2>
Installing RVM is very straightforward. More details can be found <a href="https://rvm.io/rvm/install/">here</a>.
<br />
<div class="code">
znow@hotdog:~$ curl https://raw.github.com/wayneeseguin/rvm/master/binscripts/rvm-installer | bash -s stable<br />
znow@hotdog:~$ source "$HOME/.rvm/scripts/rvm"
</div>
<br />
<h2>
3. Integrate RVM Into Gnome Terminal</h2>
Before we continue with installing Ruby we should make bash run as a login shell. If you want to learn more about how to integrate RVM into Gnome, I recommend this <a href="https://rvm.io/integration/gnome-terminal/">article</a>.
<br />
So, first check the "Run command as login shell" option under Terminal->Edit->Profile Preferences->Title and Command:<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi3hFfDWWwInJa92Bj2mRGwgQEDAnItyxQ19pSX9rZWAAXL5xvflBi9m7OgjhPy-6l-qtqRr_eeqqkrFkjViD6z84F67tOhDD712yRAP_IFB9wWgCSMo52QjqKJwEW_LIxRvFUDFa0ma0bi/s1600/term_profile-run_cmd_as_login_shell.png" imageanchor="1"><img border="0" height="368" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi3hFfDWWwInJa92Bj2mRGwgQEDAnItyxQ19pSX9rZWAAXL5xvflBi9m7OgjhPy-6l-qtqRr_eeqqkrFkjViD6z84F67tOhDD712yRAP_IFB9wWgCSMo52QjqKJwEW_LIxRvFUDFa0ma0bi/s640/term_profile-run_cmd_as_login_shell.png" width="640" /></a>
<br />
Next, we have to edit ~/.bash_profile to make it look like this:
<br />
<div class="code">
source "$HOME/.profile"
<br />
[[ -s "$HOME/.rvm/scripts/rvm" ]] && source "$HOME/.rvm/scripts/rvm" # Load RVM into a shell session *as a function*
</div>
<br />
<h2>
4. Install Ruby</h2>
In case you want to use WATOBO you should install Ruby 1.9.3. No lower version and no higher! Open a new terminal and type:
<br />
<div class="code">
znow@hotdog:~$rvm install 1.9.3
</div>
Now it's time to lay back and get a 2nd coffee ....
<br />
<br />
Re-check your ruby path, which should point into your home directory:
<br />
<div class="code">
znow@hotdog:~$ which ruby
<br />
/home/znow/.rvm/rubies/ruby-1.9.3-p392/bin/ruby
</div>
<h2>
5. Install FXRuby and more ...</h2>
Now everything should be fine and you can continue installing the gems you need, e.g. fxruby, opengl, ...
<br />
<div class="code">
znow@hotdog:~$ gem install fxruby
<br />
Fetching: fxruby-1.6.26.gem (100%)
<br />
Building native extensions. This could take a while...
<br />
Successfully installed fxruby-1.6.26
<br />
1 gem installed
<br />
Installing ri documentation for fxruby-1.6.26...
<br />
Installing RDoc documentation for fxruby-1.6.26...
<br />
znow@hotdog:~$ ruby -e "require 'fox16'; puts Fox.fxversion"
<br />
1.6.47
<br />
znow@hotdog:~$
</div>
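After the gem install it is worth checking in one go that the environment is what this tutorial expects. The following is an added check script, not part of WATOBO or RVM. It verifies the assumptions made above (an unprivileged user, a ruby living under $HOME/.rvm, Ruby 1.9.3) and that fox16 loads. The predicates take their inputs as arguments so they can be exercised with constructed values; the path in the comment is the one from the tutorial's own terminal session.

```ruby
require 'rbconfig'

# Added check script for the RVM/FXRuby setup above (not WATOBO or RVM code).

# RVM must not have been installed as root (that gives a multi-user install).
def unprivileged?(uid)
  uid != 0
end

# The active ruby must live under $HOME/.rvm (e.g.
# /home/znow/.rvm/rubies/ruby-1.9.3-p392/bin/ruby), not in /usr/bin.
def rvm_ruby?(home, ruby_path)
  ruby_path.start_with?(File.join(home, '.rvm') + '/')
end

# WATOBO needs Ruby 1.9.3, any patch level.
def watobo_ruby_version?(version)
  version.start_with?('1.9.3')
end

# fxruby is usable when 'fox16' loads and reports the FOX library version.
def fox_version
  require 'fox16'
  Fox.fxversion
rescue LoadError
  nil
end

# Run all checks against the real environment; returns true if all pass.
def report
  home = ENV['HOME'].to_s
  ruby_path = File.join(RbConfig::CONFIG['bindir'], RbConfig::CONFIG['ruby_install_name'])
  fox = fox_version
  checks = {
    'unprivileged user'                     => unprivileged?(Process.uid),
    "ruby under #{home}/.rvm (#{ruby_path})" => rvm_ruby?(home, ruby_path),
    "Ruby 1.9.3 (#{RUBY_VERSION})"           => watobo_ruby_version?(RUBY_VERSION),
    "fxruby loadable (FOX #{fox || 'n/a'})"  => !fox.nil?
  }
  checks.each { |name, ok| puts "#{ok ? 'OK  ' : 'FAIL'} #{name}" }
  checks.values.all?
end

report if __FILE__ == $0
```

Run it from a fresh login shell, since that is where the RVM function gets loaded; running it from a non-login shell is exactly the situation the "Integrate RVM Into Gnome Terminal" step is meant to fix.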
<h2>
Installer</h2>
You can download the installer shell script <a href="http://watobo.sourceforge.net/Installers/watobo_installer_kalilinux.sh">[here]</a>
<br />
<br />
[as]<br />
Posted by siberas<br />
<h2>
WATOBO Running SQLMap</h2>
Published 2012-08-16<br />
In WATOBO version 0.9.9 I introduced a new plugin which builds a bridge between WATOBO and sqlmap (<a href="http://sqlmap.org/">http://sqlmap.org</a>).<br />
<br />
To bring up the plugin right-click on the request you want to test and select 'Send to' -> SQLmap:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0axde-E7xZOLo9Xw72jyvMjFm7lMOh1vvFZO59EDZsvFFPvW8YQRK_-fq96mXfauLQ2GKjTNVAnzJlzjkfn3DdeMVQZ8aRY2t5Pf0aBuxTmPUo8UGrDvEn_W69wU1h6hVThRyeiyR3esd/s1600/Screenshot-2012-08-14_23.45.11.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="208" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0axde-E7xZOLo9Xw72jyvMjFm7lMOh1vvFZO59EDZsvFFPvW8YQRK_-fq96mXfauLQ2GKjTNVAnzJlzjkfn3DdeMVQZ8aRY2t5Pf0aBuxTmPUo8UGrDvEn_W69wU1h6hVThRyeiyR3esd/s640/Screenshot-2012-08-14_23.45.11.png" width="640" /></a></div>
<br />
The plugin provides an easy to use interface:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjcPTiZfGmPcKgQUnxNRQQzACreJY-rrbbpUp1UVa80tl3256OSadJ6h7xTcf7h_VTzwSeyZQ1Yw_FXK2m86seSBBRAr8L_avDDnrDJ8D7vVt0O7rRZV_4K6kFgEGIkJ6Lv7T4UU1qb0fci/s1600/Screenshot-2012-08-15_12.27.28.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="481" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjcPTiZfGmPcKgQUnxNRQQzACreJY-rrbbpUp1UVa80tl3256OSadJ6h7xTcf7h_VTzwSeyZQ1Yw_FXK2m86seSBBRAr8L_avDDnrDJ8D7vVt0O7rRZV_4K6kFgEGIkJ6Lv7T4UU1qb0fci/s640/Screenshot-2012-08-15_12.27.28.png" width="640" /></a></div>
<br />
<br /><br />
There are predefined menus for typical sqlmap options like Technique, Risk and Level. You can also add any command line option manually, e.g. for further enumeration tasks.<br />
<br />
When you press the start button, WATOBO first writes the request to a file in the <em>temp directory</em>, which sqlmap then parses (the -r option). Then it opens a new command window and runs sqlmap.<br />
<br />
Have Phun!<br />
-andy<br />
Posted by siberas<br />
<h2>
WATOBO 0.9.9 Supports Transparent Mode</h2>
Published 2012-08-16<br />
"Cool, WATOBO can act as a transparent proxy. But why do I need this feature?"<br />
Right, most of the time when you're pentesting a web application you only have to configure your browser to use a proxy. This works for most applications designed for web browsers.<br />
But there are more and more apps for mobile devices, e.g. iPhones or Androids, which also rely on web-based backends. Sometimes these apps are not able to use a proxy or even refuse to use one.<br />
For these special cases a transparent proxy is the only way to intercept and modify the communication, besides modifying or hooking the app itself.<br />
<h2>
Running Transparent</h2>
Some very special requirements must be met by the proxy and by the Operating System (IP Stack) in order to run a web proxy in transparent mode - especially when SSL connections must be handled.<br />
<br />
These are the main tasks which have to be fulfilled:<br />
<ul>
<li>intercept the request before it arrives at the proxy</li>
<li>keep track of the original destination of the request</li>
<li>get the certificate of the original destination to extract the CommonName</li>
<li>create a fake certificate with the correct CommonName</li>
<li>redirect the request to the proxy</li>
<li>the proxy must look up the original destination</li>
<li>look up the correct certificate</li>
<li>do the SSL handshake</li>
</ul>
<br />
Because some of these tasks need direct access to the routing process of the operating system, this is only possible (with minimal effort) on a Linux system. Most of this magic is done with IPTables and NetfilterQueues. The latter is an IPTables interface to analyze and modify IP packets from within userland.<br />
<br />
<em>Note:</em><br />
At the time of this writing I'm not aware of any other web testing proxy supporting transparent mode. If you know one, please let me know.<br />
<h2>
Lab Setup</h2>
The following steps will show you how to set up a system running WATOBO as a transparent proxy.<br />
<br />
You must meet some requirements before working through this tutorial:<br />
<ul>
<li>BackTrack 5R2</li>
<li>DHCPD (dhcp3-server)</li>
<li>DNS (bind9) server</li>
<li>HostAP daemon up and running to connect your mobile device</li>
</ul>
<br />
The following link might help you if you have problems installing bind9 or dhcp3-server.<br />
<a href="http://www.backtrack-linux.org/backtrack/upgrading-to-backtrack-5-r2/">http://www.backtrack-linux.org/backtrack/upgrading-to-backtrack-5-r2/</a><br />
<br />
Our lab setup is as follows:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiWNxlQGnGzMGVAm4fcw2DRuWXVUZoxl__FcA9pwW6EccwTAh6DbH7CcVHdlmry2gOWbJk9a_rnfE_O5qd0l9dnpY2bezTDALBV3J73FtLxy0r2JfdpqOmcNvnc-C1I4GO06kTIf5xs2p6w/s1600/Screenshot-2012-08-14_09.56.41.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="171" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiWNxlQGnGzMGVAm4fcw2DRuWXVUZoxl__FcA9pwW6EccwTAh6DbH7CcVHdlmry2gOWbJk9a_rnfE_O5qd0l9dnpY2bezTDALBV3J73FtLxy0r2JfdpqOmcNvnc-C1I4GO06kTIf5xs2p6w/s640/Screenshot-2012-08-14_09.56.41.png" width="640" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
Here's the interface configuration (/etc/network/interfaces):
<br />
<div class="code">
auto eth0<br />
iface eth0 inet dhcp<br />
<br />
auto wlan0<br />
iface wlan0 inet static<br />
address 192.168.33.1<br />
netmask 255.255.255.0</div>
<br />
<em>Note:</em><br />
If you only want to test the transparent feature without a mobile device you don't need hostapd. Any other additional interface, e.g. eth1 will also work.<br />
But don't forget to adjust the example scripts and commands.
<br />
<h2>
Testing Basic Communication</h2>
Before you continue with setting up WATOBO this would be a good time to test your general network setup. So, we first convert our system into a simple router which hides our internal IP addresses (NAT). For this, we have to enable IP forwarding and NATing:<br />
<div class="code">
echo "Turn on NATing"<br />
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE<br />
echo "Enable IP forwarding"<br />
echo 1 > /proc/sys/net/ipv4/ip_forward<br />
<br /></div>
Now you should have a working internet connection with your mobile device. If not, you must work on your setup - try harder ;)<br />
<br />
<h2>
Time To Install WATOBO</h2>
Just download and run the <a href="http://watobo.sourceforge.net/extras/watobo-installer.sh">installer script</a>.<br />
<br />
<div class="code">
wget http://watobo.sourceforge.net/extras/watobo-installer.sh
</div>
<br />
<h2>
Start And Configure WATOBO </h2>
After the installation script has finished, open a new shell and type watobo_gui.rb.<br />
Then start a new project and open the Interceptor settings menu (Settings -> Interceptor).<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi1-k9hZKcDx9N_X3M96zZXKvcqtUW5DP2KGE4YNlct_JeHf4Ug5nMUQZCV5cLYtrXM9nQT7xn0eKr0ROicx2U3exeXRrGQtBwNctIfgydIhafm4WamQAR0MIVSDQQx8J8G0iWNtKk5Slap/s1600/Screenshot-2012-08-13_22.01.02.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi1-k9hZKcDx9N_X3M96zZXKvcqtUW5DP2KGE4YNlct_JeHf4Ug5nMUQZCV5cLYtrXM9nQT7xn0eKr0ROicx2U3exeXRrGQtBwNctIfgydIhafm4WamQAR0MIVSDQQx8J8G0iWNtKk5Slap/s1600/Screenshot-2012-08-13_22.01.02.png" /></a></div>
<br />
Enable the transparent mode and don't forget to change the Bind Address to make WATOBO listen on the correct interface. In our lab we set it to 0.0.0.0 => listen on all interfaces.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEipFAEUTKlO8hgC4RCdOXE-G_NnLu82iBC6IegxVdHXqul5CB_dSEUR9g0VLizOp5tEBgPlStNqAp3zqdMcuMRy8haML-mM8UypXfiVCLX67kO0KHnSsnM0asdIgqwFRRZUn8RQ-hzIgokr/s1600/Screenshot-2012-08-13_22.01.36.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="167" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEipFAEUTKlO8hgC4RCdOXE-G_NnLu82iBC6IegxVdHXqul5CB_dSEUR9g0VLizOp5tEBgPlStNqAp3zqdMcuMRy8haML-mM8UypXfiVCLX67kO0KHnSsnM0asdIgqwFRRZUn8RQ-hzIgokr/s320/Screenshot-2012-08-13_22.01.36.png" width="320" /></a></div>
<br />
You must restart WATOBO after changing the interceptor settings. After re-opening the project, the port information in the statusbar should be highlighted in red.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgS7XeJB5rkPxqh8pZH5eCO0faP5KHSqOHG-t_Juy_JVNRrJxbmrUEwPUhwlsMsk-FFQ1aBxDQBH2-fRcpA3banHLCq-WuOLekfkkruXPgoCuPATCE-TgdriA5sqWfTQrkNJ3485yT4425V/s1600/Screenshot-2012-08-13_22.04.17.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgS7XeJB5rkPxqh8pZH5eCO0faP5KHSqOHG-t_Juy_JVNRrJxbmrUEwPUhwlsMsk-FFQ1aBxDQBH2-fRcpA3banHLCq-WuOLekfkkruXPgoCuPATCE-TgdriA5sqWfTQrkNJ3485yT4425V/s1600/Screenshot-2012-08-13_22.04.17.png" /></a></div>
<br />
<br />
<h2>
Import The WATOBO CA Certificate</h2>
To prevent your app or your browser from complaining about (or even refusing to work with) an untrusted certificate, you should make your device trust the WATOBO CA. This CA is used to generate the fake server certificates. The CA certificate is generated the first time you start WATOBO and is written to /root/.watobo/CA/cacert.pem. Note that a device trusting this CA will accept any certificate signed with the CA key, so keep the key on your lab machine only and remove the profile from the device once testing is done.<br />
<br />
To make your iPhone trust this certificate, send the cacert.pem file to your device via email and install it.<br />
<br />
<div class="separator" style="clear: both; text-align: right;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiX_AxKxgIZ5qSQg7LaRPaRfKqVelefPeLG4rZWCq6Xu6U0tjrMuz_m_3rzb3cldaQGJg4udKb5clC8o7cZMdKILNJ7LKv_3dLqjflFJu8BeVbtR4BIc878mGL0K7IGFQW89OBJi2t3QGpE/s1600/Foto.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiX_AxKxgIZ5qSQg7LaRPaRfKqVelefPeLG4rZWCq6Xu6U0tjrMuz_m_3rzb3cldaQGJg4udKb5clC8o7cZMdKILNJ7LKv_3dLqjflFJu8BeVbtR4BIc878mGL0K7IGFQW89OBJi2t3QGpE/s200/Foto.PNG" width="133" /></a></div>
<br />
<h2>
Start Netfilter Server</h2>
Next we have to start the Netfilter Server. This is our userland process which handles incoming packets before they are redirected to the proxy; it is necessary to keep track of the original destination, which the redirect would otherwise overwrite. I first tried to implement this service inside the WATOBO core process but I ran into problems crashing WATOBO immediately. I guess there were some conflicts with other IO streams. My second attempt was to implement it as an XML/RPC service but the same problems occurred. Now the process is implemented as a DRb (Distributed Ruby) service which seems to be much more stable. You can get more information about DRb <a href="http://segment7.net/projects/ruby/drb/introduction.html">here</a>.
<br />
<br />
So, to run this service type:<br />
<div class="code">
nfq_server.rb</div>
<br />
<br />
<em>Note:</em><br />
Unfortunately this service also crashes or hangs from time to time. So keep an eye on the shell where you started the service. If you see an error message or the service stops working, a simple restart will let the communication continue without any problems.<br />
<br />
If I find some time I will write a watchdog service or maybe you want to do it? ;)<br />
<h2>
Configure IPTables</h2>
Ok, now IPTables comes into play. We use it for two tasks:<br />
First, we have to hand incoming traffic to our Netfilter Server immediately, before routing takes place. This can be done in the PREROUTING chain of the <em>mangle</em> table. You can find detailed information about the IPTables packet flow here: <a href="http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch14_:_Linux_Firewalls_Using_iptables">http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch14_:_Linux_Firewalls_Using_iptables</a><br />
In our lab setup we only queue traffic to port 443 because we have to keep track of the original destination of encrypted connections - we don't get a CONNECT request when running transparently. This is not necessary for regular HTTP traffic, where we can extract the original destination from the HTTP Host header. Anyway, to not slow down communication too much we only want to queue the SYN packets, i.e. new connections. This can be done with the following command:<br />
<br />
<div class="code">
iptables -t mangle -A PREROUTING -p tcp --dport 443 -m state --state NEW -j NFQUEUE --queue-num 0
</div>
<br />
<br />
After the packet has been processed by our Netfilter Server it is passed back to the regular packet flow of IPTables. Be aware that packets sent to an NFQUEUE with no program bound to it are dropped, so while the Netfilter Server is down no new HTTPS connection from the device will get through (this is why you should keep an eye on it, see the note above). If you prefer traffic to pass uninspected rather than stall in that case, the NFQUEUE target's --queue-bypass option does that.<br />
<br />
The second task is to redirect the traffic to the WATOBO proxy. We do this for the ports 80 and 443 on the interface the device is connected to (wlan0 in our lab):<br />
<br />
<div class="code">
iptables -t nat -A PREROUTING -i wlan0 -p tcp --dport 443 -j REDIRECT --to-ports 8081<br />
iptables -t nat -A PREROUTING -i wlan0 -p tcp --dport 80 -j REDIRECT --to-ports 8081</div>
<br />
You can download a little script which runs all the necessary IPTables commands for you <a href="http://watobo.sourceforge.net/extras/watobo-transparent.sh">here</a> or using wget:<br />
<br />
<div class="code">
wget http://watobo.sourceforge.net/extras/watobo-transparent.sh
</div>
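As an added example (it is not WATOBO's nfq_server.rb and not the project's code), here is the bookkeeping the Netfilter Server has to do for the two rules above: the mangle/NFQUEUE rule hands each new TCP/443 packet to userland before the nat REDIRECT rewrites its destination, so the queue consumer records the original destination keyed by the client's source address and port; the proxy, which after the REDIRECT only sees a connection to port 8081 from that client, looks the real server up in the same table. The block parses a raw IPv4/TCP packet, accepts only bare SYNs (the --state NEW condition expressed at packet level, so a SYN/ACK or a data segment is ignored) and expires entries after a while. The packets are constructed inline with RFC 5737 test addresses so it runs offline; the NFQUEUE binding and the DRb transport that WATOBO uses are left out, and the 60 second expiry is an assumption of this example.

```ruby
# Added example, not WATOBO's nfq_server.rb: the original-destination table a
# transparent TLS interceptor needs because NAT REDIRECT hides the real server.
require 'ipaddr'

class OrigDestTable
  Entry = Struct.new(:dst_ip, :dst_port, :created_at)
  IPPROTO_TCP = 6
  TCP_SYN     = 0x02
  TCP_ACK     = 0x10

  # ttl: seconds an entry stays valid (assumed value, tune it for your lab).
  def initialize(ttl = 60)
    @ttl  = ttl
    @map  = {}
    @lock = Mutex.new
  end

  # Feed every packet taken from the queue here. Only a bare SYN (a new
  # connection that has not been redirected yet) is recorded; everything else
  # is ignored. Returns [src_ip, src_port, dst_ip, dst_port] or nil.
  def record(packet)
    tuple = self.class.parse_syn(packet)
    return nil unless tuple
    src_ip, src_port, dst_ip, dst_port = tuple
    @lock.synchronize do
      @map[[src_ip, src_port]] = Entry.new(dst_ip, dst_port, Time.now)
    end
    tuple
  end

  # Called by the proxy when the REDIRECTed connection shows up on port 8081:
  # the accepted socket still carries the client's address and port, which is
  # enough to find the server the client originally wanted to reach.
  def lookup(src_ip, src_port)
    @lock.synchronize do
      e = @map[[src_ip, src_port]]
      return nil if e.nil?
      if Time.now - e.created_at > @ttl
        @map.delete([src_ip, src_port])
        return nil
      end
      [e.dst_ip, e.dst_port]
    end
  end

  # Minimal IPv4 + TCP header parser: returns the 4-tuple for a SYN without
  # ACK, nil for anything else (non-IPv4, non-TCP, truncated, SYN/ACK, data).
  def self.parse_syn(pkt)
    return nil if pkt.nil? || pkt.bytesize < 40
    vihl, _tos, _len, _id, _frag, _ttl, proto = pkt.unpack('CCnnnCC')
    return nil unless (vihl >> 4) == 4 && proto == IPPROTO_TCP
    ihl = (vihl & 0x0f) * 4                      # header length in bytes
    return nil if ihl < 20 || pkt.bytesize < ihl + 20
    src = IPAddr.new_ntoh(pkt.byteslice(12, 4)).to_s
    dst = IPAddr.new_ntoh(pkt.byteslice(16, 4)).to_s
    sport, dport, _seq, _ack, off_flags = pkt.byteslice(ihl, 14).unpack('nnNNn')
    flags = off_flags & 0x01ff                   # NS + the eight TCP flag bits
    return nil unless (flags & TCP_SYN) != 0 && (flags & TCP_ACK) == 0
    [src, sport, dst, dport]
  end

  # Builds a constructed IPv4/TCP packet (checksums left zero) so the example
  # runs without an NFQUEUE binding.
  def self.build_syn(src_ip, src_port, dst_ip, dst_port, flags = TCP_SYN)
    ip  = [0x45, 0, 40, 0x1234, 0x4000, 64, IPPROTO_TCP, 0].pack('CCnnnCCn')
    ip << IPAddr.new(src_ip).hton << IPAddr.new(dst_ip).hton
    tcp = [src_port, dst_port, 1, 0, (5 << 12) | flags, 65_535, 0, 0].pack('nnNNnnnn')
    ip + tcp
  end
end

# Constructed sample traffic (RFC 5737 test addresses): the phone at
# 192.0.2.23 opens a TLS connection to 198.51.100.7:443.
PHONE_SYN     = OrigDestTable.build_syn('192.0.2.23', 51_000, '198.51.100.7', 443)
SERVER_SYNACK = OrigDestTable.build_syn('198.51.100.7', 443, '192.0.2.23', 51_000,
                                        OrigDestTable::TCP_SYN | OrigDestTable::TCP_ACK)

if __FILE__ == $PROGRAM_NAME
  table = OrigDestTable.new
  p table.record(PHONE_SYN)             # the client's original destination is stored
  p table.record(SERVER_SYNACK)         # ignored: not a new connection
  p table.lookup('192.0.2.23', 51_000)  # what the proxy asks for after the REDIRECT
end
```

In WATOBO's setup the `record` side lives in the Netfilter Server and the `lookup` side is reached from the proxy over DRb; the expiry matters because the table is keyed by the client's ephemeral port, which will be reused for a different server sooner or later.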
<br />
<h2>
Start Analyzing Your App</h2>
Finally, just start the app you want to analyze. You don't have to configure a proxy on the device. If everything went well you should see all its requests in the conversation table of WATOBO - ready to perform some nice checks ;)<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjd30rWLFJJOU3MJtTN-FFWTUNmEh1kGmEag8eLBMseij6QksBZNPn0v-DY5sgzslXyaWBEb7BfIr3MgenGZQBEBJXioAUg3ua2Ub28Gc_Iocup8ZNU5IDW_ZRS0zVqlgDSxg_92a1g9IVF/s1600/Screenshot-2012-08-14_23.20.21.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="271" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjd30rWLFJJOU3MJtTN-FFWTUNmEh1kGmEag8eLBMseij6QksBZNPn0v-DY5sgzslXyaWBEb7BfIr3MgenGZQBEBJXioAUg3ua2Ub28Gc_Iocup8ZNU5IDW_ZRS0zVqlgDSxg_92a1g9IVF/s400/Screenshot-2012-08-14_23.20.21.png" width="400" /></a></div>
<br />
<br />
<br />
Have Phun!<br />
-andy<br />
<br />
<h2>
Installing WATOBO on BackTrack 5R2</h2>
<em>siberas, 2012-06-29</em><br />
The following script installs all necessary gems on your BackTrack system:
<br />
<div class="code">
#!/bin/bash
<br /># WATOBO-Installer for BackTrack 5R2 - may work on other distros too.
<br /># Version: 1.0
<br /># Date: 26.06.2012
<br /># Author: Andreas Schmidt
<br /># colored output helpers; the text is passed as a printf argument, not as the format string
<br />info() {
<br /> printf "\033[36m%s\033[0m\n" "$*"
<br />}
<br />head() {
<br /> printf "\033[31m%s\033[0m\n" "$*"
<br />}
<br />head "##############################################"
<br />head "# W A T O B O - I N S T A L L E R #"
<br />head "##############################################"
<br />echo "Adding /root/.gem/ruby/1.9.2/bin/ to your PATH .."
<br />echo 'export PATH=$PATH:/root/.gem/ruby/1.9.2/bin/' >> /root/.bashrc
<br />export PATH=$PATH:/root/.gem/ruby/1.9.2/bin/
<br />
<br />echo "Installing needed gems ..."
<br />for G in selenium-webdriver mechanize fxruby net-http-digest_auth net-http-persistent nokogiri domain_name unf webrobots ntlm-http net-http-pipeline watobo
<br />do
<br /> info ">> $G"
<br /> gem install --user-install $G
<br />done
<br />
<br />info "Installation finished."
<br />echo "Type watobo_gui.rb to start WATOBO."
<br />echo "For manuals/videos and general information about WATOBO please check:"
<br />echo "* http://watobo.sourceforge.net/"
</div>
<br />Get the most recent script <a href="http://watobo.sourceforge.net/extras/watobo-installer.sh">[here]</a>.<br />
<div class="code">
wget http://watobo.sourceforge.net/extras/watobo-installer.sh
</div>
<br /><br />
Enjoy!<p>[as]
<br /></p>
<br />