Since I like to hack with Excel, I made a PoC for MS15-034 in VBA/Excel.
Here’s the video:
Since I like to hack with Excel, I made a PoC for MS15-034 in VBA/Excel.
Here’s the video:
Several detection rules (SNORT, F5, …) are being published these days to detect exploitation of vulnerability MS15-034.
If you are making or modifying such detection rules, I want to share some observations with you.
MS15-034 can be exploited with a GET request with a specially crafted Range header.
Here is the example we’ll use: Range: bytes=2-18446744073709551615
Referring to RFC 2616 section 14.35.1, you can see that this is not the only way to specify a range. Here is the BNF:
ranges-specifier = byte-ranges-specifier
byte-ranges-specifier = bytes-unit “=” byte-range-set
byte-range-set = 1#( byte-range-spec | suffix-byte-range-spec )
byte-range-spec = first-byte-pos “-” [last-byte-pos]
first-byte-pos = 1*DIGIT
last-byte-pos = 1*DIGIT
suffix-byte-range-spec = “-” suffix-length
suffix-length = 1*DIGIT
First of all, whitespace is allowed. So Range: bytes = 2 – 18446744073709551615 is valid (and also caused a BSOD on my test machine).
Second, numbers can have leading zeroes. So Range: bytes=2-018446744073709551615 is valid (and also caused a BSOD on my test machine).
Third, multiple ranges are allowed. So Range: bytes=2-3,4-18446744073709551615 is valid (this did not cause a BSOD on my test machine).
If you are using rules that don’t detect these cases properly, then attackers can easily evade detection. One space character could be all it takes to evade detection. If the rule looks for string “-18446744073709551615″, then using string “- 18446744073709551615″ in the attack (extra space character added) will evade detection.
I provide 2 days of Hacking PDF training at HITB Amsterdam. This is one of the methods I teach.
Sometimes when I analyze PDF documents (benign or malicious), I want to reduce the PDF to its essential objects. But when one removes objects in a PDF, indexes need to be updated and references updated/removed. To automate this process as much as possible, I updated my pdf-parser program to generate a Python program that in turn, generates the original PDF.
Thus when I want to make changes to the PDF (like removing objects), I generate its corresponding Python program, and then I edit this Python program.
I do this simply with option -g.
Then you can edit the Python program, and when you run it, it will generate a new PDF file.
You can also use option -g together with option -f to filter the streams before they are inserted in the Python program. This gives you the decompressed streams in the Python program, opening them up to editing.
In this example, without option -f the Python statement for the stream object is:
oPDF.stream(5, 0, 'x\x9cs\nQ\xd0w3T02Q\x08IS040P0\x07\xe2\x90\x14\x05\r\x8f\xd4\x9c\x9c|\x85\xf0\xfc\xa2\x9c\x14M\x85\x90,\x05\xd7\x10\x00\xdfn\x0b!', '<<\r\n /Length %d\r\n /Filter /FlateDecode\r\n>>')
And with option -f, it becomes:
oPDF.stream2(5, 0, 'BT /F1 24 Tf 100 700 Td (Hello World) Tj ET', '', 'f')
The generated Python program relies on my mPDF library found in my PDF make tools.
I have a video showing how to use oclHashcat to crack PDF passwords, but I was also asked how to do this with John The Ripper on Windows.
It’s not difficult.
Decompress this version.
Download the previous jumbo edition John the Ripper 1.7.9-jumbo-5 (Windows binaries, ZIP, 3845 KB).
Extract file cyggcc_s-1.dll from the previous jumbo edition, and copy it to folder John-the-Ripper-v1.8.0-jumbo-1-Win-32\run.
Generate the hash for the password protected PDF file (I’m using my ex020.pdf exercise file) and store it in a file (pdf2john.py is a Python program, so you need to have Python installed):
John-the-Ripper-v1.8.0-jumbo-1-Win-32\run\pdf2john.py ex020.pdf > ex020.hash
Start John The Ripper:
Loaded 1 password hash (PDF [MD5 SHA2 RC4/AES 32/32]) Will run 8 OpenMP threads Press 'q' or Ctrl-C to abort, almost any other key for status secret (ex020.pdf) 1g 0:00:00:00 DONE 2/3 (2015-03-29 22:39) 10.20g/s 125071p/s 125071c/s 125071C/s 123456..crawford Use the "--show" option to display all of the cracked passwords reliably Session completed
By starting John The Ripper without any options, it will first run in single crack mode and then in wordlist mode until it finds the password (secret).
But you can also provide your own wordlists (with option –wordlist) and use rules (option –rules) or work in incremental mode (–incremental).
A new version of oledump (small bugfix and updated plugins).
Since a day or two I’m seeing yet another trick used by malware authors in their VBA macros.
The sample I’m looking at is 26B857A0A57B89166584CBB7167CAA19.
The VBA macro downloads base64 encoded scripts from Pastebin:
The scripts are delimited by HTML-like tags like <text10>. Tags that start with stext are scripts for Windows XP systems, and tags that start with text are for Windows Vista and later. This difference is for Powershell: on XP, VBS scripts are executed, and on more recent systems, Powershell scripts are executed.
The URL of the payload comes from another Pastebin entry:
Correct: that trojan is hosted on Dropbox.
I’m teaching a PDF class at HITB Amsterdam in May. This is one of the many subjects covered in the class.
For about half a year now, I’ve been adding YARA support to several of my analysis tools. Like pdf-parser.
I’ll write some blogposts covering each tool with YARA support. I’ll start with a video for pdf-parser:
Some people following my “Howto: Make Your Own Cert With OpenSSL” do this on Windows and some of them encounter problems. So this post shows the procedure on Windows.
For your info: I also have a video showing this howto.
I installed the latest version (v1.0.2a) and choose the 32-bit version (Win32). I choose the 32-bit version because this will work for every Windows machine: the 32-bit version works on 32-bit and 64-bit machines.
If you start the installation and get the following message:
then you need to cancel the installation and install the Visual C++ 2008 Redistributables first. You can find download links on the same page. If you install Win32 OpenSSL (32-bit), install Visual C++ 2008 Redistributables, and if you install Win64 OpenSSL (64-bit), install Visual C++ 2008 Redistributables (x64).
The installation of the Redistributables is easy:
After this, you can restart the OpenSSL installation:
I will create the certificates in folder c:\demo. So go ahead and create this folder on your machine.
Then start a command-line prompt (cmd.exe), and go to the demo folder (type: cd \demo).
Before you start OpenSSL, you need to set 2 environment variables:
Now you can start OpenSSL, type: c:\OpenSSL-Win32\bin\openssl.exe:
And from here on, the commands are the same as for my “Howto: Make Your Own Cert With OpenSSL”.
First we generate a 4096-bit long RSA key for our root CA and store it in file ca.key:
genrsa -out ca.key 4096
If you want to password-protect this key, add option -des3.
Next, we create our self-signed root CA certificate ca.crt; you’ll need to provide an identity for your root CA:
req -new -x509 -days 1826 -key ca.key -out ca.crt
The -x509 option is used for a self-signed certificate. 1826 days gives us a cert valid for 5 years.
Next step: create our subordinate CA that will be used for the actual signing. First, generate the key:
genrsa -out ia.key 4096
Then, request a certificate for this subordinate CA:
req -new -key ia.key -out ia.csr
Make sure that the Common Name you enter here is different from the Common Name you entered previously for the root CA. If they are the same, you will get an error later on when creating the pkcs12 file.
Next step: process the request for the subordinate CA certificate and get it signed by the root CA.
x509 -req -days 730 -in ia.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out ia.crt
The cert will be valid for 2 years (730 days) and I decided to choose my own serial number 01 for this cert (-set_serial 01). For the root CA, I let OpenSSL generate a random serial number.
That’s all there is to it! Of course, there are many options I didn’t use. Consult the OpenSSL documentation for more info. For example, I didn’t restrict my subordinate CA key usage to digital signatures. It can be used for anything, even making another subordinate CA. When you buy a code signing certificate, the CA company will limit its use to code signing. And I did not use passwords to protect my keys. In a production environment, you want to protect your keys with passwords.
pkcs12 -export -out ia.p12 -inkey ia.key -in ia.crt -chain -CAfile ca.crt
If you did not provide a different Common Name for the root CA and the intermediate CA, then you’ll get this error:
Error self signed certificate getting chain. error in pkcs12
To sign executables in Windows with the signtool: install file ia.p12 in your certificate store (e.g. double click it), and then use signtool /wizard to sign your PE file.
The certificates (.crt files) you created here can also be double-clicked in Windows to view/install them:
I updated oledump to handle a new type of malicious document: an XML file, not with VBA macros, but with an embedded OLE object that is a VBS file.
And the man page is finished. Run oledump.py -m to view the man page.
The sample I’m using here is 078409755.doc (B28EF236D901A96CFEFF9A70562C9155). The extension is .doc, but it is an XML file, not an OLE file.
The XML file contains an OLE file with 1 stream.
Let’s take a look inside the stream:
Byte 0x78 could be the start of a ZLIB compressed data stream. Let’s checks this with option –decompress:
It is indeed ZLIB compressed, and the decompressed data seems to be another OLE file (D0 CF 11 E0).
So let’s pipe this decompressed OLE file into a second instance of oledump:
This OLE file contains an embedded object (Ole10Native). Let’s have a look:
It seems to be a .VBS file. Let’s have a look:
So this looks like VB Script with base64 strings. Let’s try to decode them with a plugin:
So now it’s clear what this maldoc does: launch PowerShell, download a file and store it as a .cab file in a temporary folder. Expand the downloaded .cab file to an .exe file, and then launch the .exe file. In other words, it is a downloader.
Split is a Python program to split text files into several parts.
Usage: split.py [options] file
Split a text file into X number of files (2 by default)
–version show program’s version number and exit
-h, –help show this help message and exit
-m, –man Print manual
-p PARTS, –parts=PARTS
Number of parts to split the file into
This program will split the given text file in 2 parts (2 parts by
default, the number of parts can be changed with option -p). Each
resulting file has suffix _part_?? where ?? is the number of the file
(01, 02, …). The extension remains the same.
The first line of text is written to _part_01, the second line of text
is written to _part_02, and so on, until the last part _part_?? is
written to. Then the cycle starts again with the first part _part_01.