Didier Stevens

Thursday 11 May 2017

Crack A ZIP Password, And Fly To Dubai …

Filed under: My Software,Update — Didier Stevens @ 0:00

We had to crack a password protected ZIP file, to discover that just few hours later, we would fly to Dubai for our NVISO team building event.

This inspired me to update my zipdump.py tool. This tool can handle password protected ZIP files. Using default password “infected”, or a password that can be provided with option -p.

In this new version, you can provide a list of password in a text file using option -P. Turns out that this simple dictionary attack just using Python is surprisingly quick (at least to me): 8000 passwords per second on an average machine.



zipdump_v0_0_6.zip (https)
MD5: B605DEABFC5458488B6487B1E9104085
SHA256: DDC2CE94D250CBDE62AD1EBE650654E4A50C51F97CADF412B16A553242819772

Tuesday 9 May 2017

Quickpost: Internet Zone IDs

Filed under: Quickpost — Didier Stevens @ 0:00

Mostly as a reminder for myself, here are the Internet Zone IDs (taken from HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones on a Windows 8.1 machine, there is also a HKLM entry) as used in the Zone.Identifier ADS:

Zone ID Displayname Description
0 Computer Your computer
1 Local intranet This zone contains all Web sites that are on your organization’s intranet.
2 Trusted sites This zone contains Web sites that you trust not to damage your computer or data.
3 Internet This zone contains all Web sites you haven’t placed in other zones
4 Restricted sites This zone contains Web sites that could potentially damage your computer or data.

Quickpost info

Thursday 4 May 2017

Gzip Decompression Via Pipes

Filed under: My Software — Didier Stevens @ 0:00

A good friend asked me how to decompress a gzip compressed file, stored inside a McAfee quarantine file. On Linux, it’s simple, using the punbup.py tool. Like this:

punbup.py -f quarantine.bup | gzip -d

Option -f dumps the first file in the quarantine file to the pipe of gzip, which decompresses the file and dumps it to stdout.

On Windows, where you have no gzip (unless you use Cygwin or a similar solution), you can use my translate.py tool.

translate has 2 modes of operation: translate byte per byte, or translate the complete byte sequence in one go.

By default, translate operates in byte per byte mode. To operate on the complete byte sequence, you use option -f. The translation expression (a Python expression) needs to be a lambda function when you use option -f. It receives the complete byte sequence as argument, and must return the translated byte sequence. So we need to use the gzip Python module for decompression, and the StringIO Python module to operate in memory (and not with files). This is the lambda function (argument b is the byte sequence, e.g. the quarantined file):

lambda b: gzip.GzipFile(”, ‘r’, fileobj=StringIO(b)).read()

As translate does not import the gzip Python module (it does import the StringIO Python module however), we need to import it using option -e:

-e -“import gzip”

The complete command is:

punbup.py -f quarantine.bup | translate.py -e “import gzip” -f “lambda b: gzip.GzipFile(”, ‘r’, fileobj=StringIO(b)).read()”

Wednesday 3 May 2017

Overview of Content Published In April

Filed under: Announcement — Didier Stevens @ 0:00

Here is an overview of content I published in April:

Blog posts:

YouTube videos:

Videoblog posts:

SANS ISC Diary entries:

NVISO Labs blog posts:

NVISO YouTube videos:

Monday 24 April 2017

Bash Bunny PDF Dropper

Filed under: Hardware,My Software,PDF — Didier Stevens @ 0:00

More than 5 years ago, I worked out a technique to drop any file on a machine which has removable storage disabled. The technique used a Teensy to simulate a keyboard and type out a pure ASCII PDF to notepad. The PDF, containing an embedded executable, can then be saved and opened with a PDF reader to extract the embedded file.

I recently re-visited this technique with my Bash Bunny (it can also be done with a Rubber Ducky):

First I create a pure ASCII PDF file with an embedded executable using my make-pdf-embedded.py tool:

make-pdf-embedded.py -f fi80 -t -n Dialog42.exe.txt Dialog42.exe Dialog42.pdf

Option -f select the filters to use: f to deflate (zlib compress) and i80 to use hexadecimal lines of 80 characters to encode the compressed executable file in pure ASCII.

Option -t for pure text.

Option -n to choose the name used in the PDF document for the embedded file (files with extension .exe can not be extracted with Adobe Reader).

And then I create a Ducky Script script from the PDF with my python-per-line.py tool:

python-per-line.py "Duckify({})" -o payload.duck Dialog42.pdf

The payload.duck file can then be installed on my Bash Bunny, referenced from a payload.txt bash script like this:




QUACK STRING notepad.exe

QUACK switch1/payload.duck

Here is a video showing my Bash Bunny dropping this PDF file:

Sunday 23 April 2017

New Tool: python-per-line

Filed under: My Software — Didier Stevens @ 10:42

I often have to make changes to text files by processing each line, and prefer to do that with Python. This is why I wrote this tool about a year ago, and publish it now in preparation of a blog post on Bash Bunny.

The man page:

Usage: python-per-line.py [options] expression [[@]file ...]
Program to evaluate a Python expression for each line in the provided text file(s)

@file: process each file listed in the text file specified
wildcards are supported

Source code put in the public domain by Didier Stevens, no Copyright
Use at your own risk

  --version             show program's version number and exit
  -h, --help            show this help message and exit
  -m, --man             Print manual
  -o OUTPUT, --output=OUTPUT
                        Output to file
  -s SCRIPT, --script=SCRIPT
                        Script with definitions to include


This program reads lines from the given file(s) or standard input, and
then evaluates the provided Python expression on each line of text and
outputs the result of the Python expression.

The Python expression needs to use {} to represent the content of each
line. Before evaluation, {} is replaced by the content of each line
surrounded by single quotes.
The value of the evaluated expression is outputed as a single line,
except when the Pythion expression returns a list. In that case, each
element of the list is outputed on a single line.

 Content test.txt:
 Line 1
 Line 2
 Line 3

 python-per-line.py "'copy ' + {}" test.txt

 copy Line 1
 copy Line 2
 copy Line 3

This program contains a predefined Python function to help with the
generation of Rubber Ducky scripts: Duckify.

 Content test.txt:
 Line 1
 Line 2
 Line 3

 python-per-line.py "Duckify({})" test.txt

 STRING Line 1
 STRING Line 2
 STRING Line 3

The lines are written to standard output, except when option -o is
used. When option -o is used, the lines are written to the file
specified by option -o.

An extra Python script (for example with custom definitions) can be
loaded using option -s.

python-per-line_V0_0_1.zip (https)
MD5: B7C1146D44D6B3F8B04C571E8C205191
SHA256: 6D7931B33F8A1D81539E892897D301145A63502A181B2B89A01466D599D53787

Thursday 20 April 2017

Malicious Documents: The Matryoshka Edition

Filed under: maldoc,Malware,PDF — Didier Stevens @ 0:02

I must admit that I was (patiently) waiting for the type of malicious document I’m about to describe now. First I’m going to analyze this document with my tools, and after that I’m going to show you some of the mitigations put in place by Adobe and Microsoft.

Malicious document 123-148752488-reg-invoice.pdf is a PDF with an embedded file and JavaScript. Here is pdfid’s report:

As we can notice from this report, the PDF document contains /JavaScript and an /OpenAction to launch this JavaScript upon opening of the PDF file, and also an /EmbeddedFile.

pdf-parser.py searching for JavaScript (option -s javascript) reveals that the JavaScript is in object 5:

Object 5 contains JavaScript (option -o 5 to select object 5, and option -f to decompress the stream with JavaScript):

This script (this.exportDataObject) will save the embedded file (996502.docm) to a temporary file and launch the associated application (if MS Office is installed, Word will be launched). A .docm file is a Word document with macros.

So let’s search for this embedded file:

The embedded file is stored in object 3, as a compressed stream (/FlateDecode).

So let’s decompress and extract the file with pdf-parser: option -f to filter (decompress) and option -d to dump the content. Since I expect the embedded file to be a Word document with macros, I’m going to analyze it with oledump. So in stead of writing the embedded file to disk, I’m going to extract it to stdout (-d -) and pipe it into oledump:

oledump‘s report confirms that it is a Word document with macros. I’m not going to spend much time on the analysis of the VBA code, because the intent of the code becomes clear when we extract all the strings found in the VBA code. First we select and extract all VBA code (options -s a -v) and then we pipe this into re-search to produce a list of unique strings (enclosed in double quotes) with these options: -n str -u

One of the extracted strings contains 3 URLs separated by character V. The macros will download an XOR encoded EXE file from these sites, decode it and execute it.


The first mitigation is in Adobe Reader: the embedded .docm file will not be extracted and launched without user interaction. First the user is presented a dialog box:

Only when clicking OK (the default option), will the .docm file be extracted and launched. Remark that the maldoc authors use some weak social engineering to entice the user to click OK: see in 996502.

When opened in Word, macros will be disabled:

This next mitigation is put into place by Microsoft Word: macros are detected, and by default, they are not executed. Here we see a better attempt at social engineering the user into executing the macros.

You might have expected that this document would be opened in Protected View first. After all, the PDF document was e-mailed to the victims, and Outlook will mark the PDF with a mark-of-web when it is saved to disk:

But Adobe Reader will not propagate that mark-of-web of the PDF document to the extracted Word document (at least the version I tested, version XI). Without mark-of-web, Word will open the document without Protected View.

Another simple mitigation for this type of malicious document that you can put into place but that is not enabled by default, is to disable JavaScript in Adobe Reader.

Remark that these documents do not contain exploits: they just use scripting.

Tuesday 18 April 2017


Filed under: maldoc,Malware,Vulnerabilities — Didier Stevens @ 0:00

I have an analysis of a CVE-2017-0199 maldoc with my tools here, and produced 2 videos:

In the second video, I use nixawk‘s Metasploit module for cve-2017-0199 (not yet merged into the Metasploit GitHub repository at time of writing).

Monday 10 April 2017

Update: re-search.py Version 0.0.4

Filed under: My Software,Update — Didier Stevens @ 0:00

This version has one new option: -G or –grepall.

re-search_V0_0_4.zip (https)
MD5: 965C484CC5BF447B390BA4E176698972
SHA256: D2F3A52F7590CD38E796B6F6209FC87A1BD6451F1787010557FA39E25AFDBC2F

Sunday 9 April 2017

Quickpost: Bash Bunny & Keyboard Layouts

Filed under: Bash Bunny,Hardware,Quickpost — Didier Stevens @ 12:50

This Quickpost is for my Bash Bunny with the original firmware. Since my first Bash Bunny post a couple of days ago, firmware 1.1 was released, but I have not yet upgraded.

When I used my Bash Bunny as a keyboard emulator (attackmode HID) to type string Attack! (QUACK STRING Attack!), I got the same result as with my Teensy: the string Qttqck1 was typed. That’s because by default, Bash Bunny emulates a US keyboard, and my computers are configured for a BE keyboard layout.

A keyboard doesn’t send characters to the computer when typed upon, but it sends so-called scancodes identifying the typed keys. Then the operating system converts those scancodes to characters, depending on the configured keyboard layout. So I have two solutions to fix my problem: change the keyboard layout of my machines to US, or have my Bash Bunny send the scancodes corresponding to a BE keyboard.

Solution 1 is not practical for me, so let’s take a look at solution 2. With my Teensy, I would send characters Qttqck8. Doing the same with my Bash Bunny, command “QUACK STRING Qttqck8” sends the correct scancodes for a BE keyboard to type Attack!.

Fortunately, the Bash Bunny can be configured to use keyboard layouts other than US, so that I don’t have to convert strings. But first, The DuckToolKit needs to be installed on the Bash Bunny via the DuckyInstall payload. After the toolkit is installed, you will find a folder (/root/tools/DuckToolkit/ducktoolkit/languages) with json files for different keyboard layouts on the Bash Bunny:

OK, so how do we use this in a payload? With command QUACK SET_LANGUAGE, like this:




SET_LANGUAGE will use the selected keyboard layout, and translate the strings to the correct scancodes. Remark that if you select a keyboard layout for which there is no corresponding json file on your Bash Bunny, then the HID key injection will not work. You will have to find or create a json file for your keyboard layout, and add it to the folder.

This is the be.json file (BE keyboard layout):

Notice that the scancodes for letter q are: 00, 00 and 04. The first byte (00) is the modifier key (indicating SHIFT for example), the second byte (00) is reserved, and the third byte (04) is the keycode.

This is the us.json file (US keyboard layout):

Notice that the same scancodes for letter q on a BE keyboard (00, 00 and 04) correspond to letter a on a US keyboard.

BTW, when my Bash Bunny is plugged-in for a couple of hours, it gets a little bit hot:

Quickpost info

« Previous PageNext Page »

Blog at WordPress.com.