carnal0wnage [Shared Reader]

Monday, May 23, 2011

carnal0wnage/Attack Research Blog Back On Blogger

Carnal0wnage/Attack Research Blog is back on blogspot. URL is still http://carnal0wnage.attackresearch.com and http://carnal0wnage.blogspot.com should redirect you to the right place. I doubt that RSS feeds will be so lucky though...you'll probably want to update your feeds.

Hopefully being back on blogger will allow for more and better discussions than on the drupal site and if the blind elephant guy is working on an update, hopefully this fucks up his talk and he doesn't get to call us out this year b/c Drupal sucks to update/manage.

-CG

Sunday, May 22, 2011

JRuby + Buby + wXf = fun

The Web Exploitation Framework has created two separate versions of the console. The version you get depends on the environment it is started in.

If JRuby, as of now, you get a version of the framework that allows you to interact with Burp from the console and run Buby scripts (with the flexibility of changing options easily and quickly).

Here is a video of this new step for the framework:


Buby Module from cktricky on Vimeo.

Documentation can be found at the wiki page for wXf.

For those of you who have been following the Buby Script Basics of this blog, I hope you'll apply that knowledge to creating a module in wXf. This is a great way for us to share our individual scripts in a way that allows them to be customized on the fly (because the console can set options like the rhost, rport, content to extract, etc.)

Anyway, hopefully this new feature of the framework can continue to grow and become a more powerful feature.

Happy Hacking,

~cktricky

Sunday, May 15, 2011

Buby Script Basics Part 6

√ evt_http_message     
√ evt_scan_issue         
 doActiveScan         
√ doPassiveScan         
√ excludeFromScope 
√ includeInScope       
√ isInScope
√ issueAlert   
√ sendToIntruder
√ sendToRepeater
√ sendToSpider
√ makeHttpRequest



















In this portion of the Buby Script Basics series (Part 6), we cover the sendToSpider and makeHttpRequest methods.

As always, you can find sample scripts for all of the code in this series under the examples directory of the buby-script repo located Here.

The script make_http_request.rb (under examples directory) will be used to demonstrate makeHttpRequest and sendToSpider.

$burp.get method
=============

Line 24 - We defined the method ($burp.get) which takes a url value

Lines 25-27 - If the url is NOT in scope, we send this to the spider function

Line 28 - We used regexp to extract the path of the url 

Line 29 - We instantiate an object called 'path' which is the same as path_match

Line 30 - An object called prefix is instantiated, this is where we extract http:// or https://

Line 31 - uri is basically the url minus the prefix (http:// or https://)

Line 32 - Prior to removing a port (such as url:9000), we extrapolate either an IP or hostname

Line 33 - Same deal for port, prior to removing the colon, we create a presub_port object which is the colon + port number.

Line 34 - The port object is created, this is presub_port cast to String type and the colon removed

Line 35 - pre object equals true or false depending on whether or not the prefix is http or https.

Line 36 - rpath (remote path) is the path object. If no path was specified it defaults to '/'.

Line 37 - host is cast to a String type and the presub_port and rpath values are stripped (gives us the true host value).

Line 38 - req_str object is the value of get_req (the method we discuss below).

Line 39 - res object is instantiated and it is the value of the response when makeHttpRequest call is made. 'res' will be a String type.

Line 40 - We print 'res' to the console






















get_req method
============

Line 10 - The method get_req is defined, takes three parameters. Host, Port and Path values.

Line 11 - 'str' object is created and cast as a String type.

The important lines here are 12, 13 and 20.

Line 12 - We take the path value and insert it into the first line of the request string.

Line 13 - host and port are concatenated so that www.example.com and 80 become one string value (www.example.com:80)

Line 20 - Notice how we append two newline characters ("\n\n") versus only one newline character like the rest of the string lines. This is important because Burp will error out and fail to send the request if this is missing. This is how Burp differentiates the Headers & Body and even if the body is missing Burp still needs the marker (two newlines) to mark the end of the headers section and understand the request.










That is it, go ahead and try the script out and when you run it make sure you choose the -i or interactive option. Example: 


$ jruby -S buby -i -B burp_pro.jar -r make_http_req.rb

At the console, to run the this method, you can type the following (examples):

$burp.get('http://www.example.com')

$burp.get('http://www.example.com:9050')

$burp.get('http://www.test.com:3333/test/test.aspx?error=error.jpg')









Saturday, May 14, 2011

Buby Script Basics Part 5

√ evt_http_message     
√ evt_scan_issue         
doActiveScan         
√ doPassiveScan         
√ excludeFromScope 
√ includeInScope       
√ isInScope
√ issueAlert   
√ sendToIntruder
√ sendToRepeater
   sendToSpider
   makeHttpRequest


In this portion of the Buby Script Basics series (Part 5), we will cover all but two of the remaining methods (methods without lines through them) on our checklist.


As always, you can find sample scripts for each of these under the examples directory of the buby-script repo located Here.


The three methods we will cover are issueAlert, sendToIntruder, and sendToRepeater. The example script is called sendto_and_issue_alert.rb and encompasses all three.


The purpose of this script is to check the body of post messages to see if one of the parameters matches our list of interesting parameters (FUZZ_PARAMS) which deserve manual analysis. We'll perform the manual analysis with intruder/repeater and then issue an alert when the request has been sent over.


Unlike the previous tutorials, this script will be ran by invoking the method via the command line. 


Example of how to run this script (covered in Part 1 of this series:


$ jruby -S buby -i -B burp_pro.jar -r sendto_and_issue_alert.rb


This script is going to be run against the proxy history, it's going to search the proxy history looking for the interesting requests. After you've interacted with the site type "$burp.run".






If the parameters in the body of the POST message match our interesting params, you should see the following:


Request sent to repeater, notice the name of the tab (it is our fuzz param "Price")



The request has been sent to intruder


Lastly, an alert will appear notifying you that the previously mentioned actions have been taken.


Time to discuss the code that does all this :-)

First we establish parameters that could be interesting to us in terms of performing manual analysis.


This method '$burp.run' is the catalyst for everything that comes next. When the user types $burp.run at the console they are invoking this method. 

Line 2 instantiates the proxy_hist object ($burp.get_proxy_history). The fourth line determines if the length is greater than 0. If so, start iterating thru each obj in the get_proxy_history array. Line 7 invokes the hmeth method (passes it the 'obj' object). Line 8 calls extract_str with the result of Line 7 (hmeth...which is the HTTP Method) and the 'obj' object.



The req_meth takes the request_headers, takes the first line and converts it to a string. The '[0..3]' method extracts the first 4 characters of the first line of the request headers. The method returns this value.










Part 1 of extract_str

The extract_str method is where the FUZZ_PARAMS are searched against the request message and sent to repeater/intruder (along with the alert). 

The second line splits objs into the http_meth and req objects. 

The third line ensures that we do not execute any further code unless the http_meth is a POST method. 

Then we instantiate the bparams object as a Hash on line 4.

On line 5, the request_body gets split by the ampersand (so that we break up all the params and their values into key/value pairs (ex: Price=2099.00).

Next, we split these pairs up by the '=' (equal sign) and place each param/value (key/value) into the bparam hash. Conceptually the bparam hash would look like

bparam = {'Price' => '2099.00}

The last line assigns either true or false to the proto object based on whether or not the protocol is https.


Part 2 of extract_str

Here we begin iterating thru each item in the FUZZ_PARAM array. If the bparam hash has as key which matches on of the items in FUZZ_PARAM, we send it to intruder/repeater and issue our alerts.

Explanation of methods:


sendToIntruder(host, port, https, req)
-host
-port
-true/false (for http/https)
-request string

sendToRepeater(host, port, https, req, tab = nil)
-host
-port
-true/false (for http/https)
-request string
-the name of the tab (String value) )


issueAlert(msg)
- Takes only one parameter, a string value. This is what shows up in the alert.

*We will cover the remaining two methods in the next portion of the series. This post turned into a rather long one so it was postponed.

Happy Hacking,

~cktricky

Buby Script Basics Part 4

√ evt_http_message     
√ evt_scan_issue         
√ doActiveScan         
√ doPassiveScan         
√ excludeFromScope 
√ includeInScope       
√ isInScope
   issueAlert
   makeHttpRequest
   sendToIntruder
   sendToRepeater
   sendToSpider


In Part 3 of this series we covered the two methods with lines drawn through them (above: evt_http_message and evt_scan_issue).


In Part 4, the methods with checks next to them will be described along with code examples.





You can find sample scripts for each of these under the examples directory of the buby-script repo located Here.






includeInScope, excludeFromScope
----------------------------------------------


The code here is nothing more than two arrays. The first array, EXCLUSION_LIST, contains items we'd like to exclude from scope. The second array, INCLUSION_LIST, contains items to include.




This following portion of code contains a PREFIX array (both http and https). We perform an iteration of both and while iterating through this prefix array, we start iterating through a second list (EXCLUSION_LIST) and concatenating the prefix + host + the item in the EXCLUSION_LIST. This step is repeated for the INCLUSION_LIST. The $burp.includeInScope() method is called and we submit the concatenated value (url) to it. 






do_active_scan, do_passive_scan, isInScope


----------------------------------------------------


The def $burp.evt_proxy_message is a familiar one at this point in the series so we won't discuss this in detail. The code @@msg = nil exists solely to instantiate a global object called msg. We will need to keep an object associated with the request message (headers/body) because passive scanning requires both a request message and response message.


pre = is_https? 'https' : 'http' is just a way to define the "pre" object based on whether or not it is http or https message.


pre_bool does the same thing as the pre object but instead of http/https it is a true/false.


uri = "#{pre}://#{rhost}:#{rport}#{url}" is just the url (string concatenation). 



The last three lines of code here basically set the @@msg value. We only want to do this if it is a request. Remember, we need an object to hold the request message so that even if the current message is a response we can call both the request message and response message.








Next bit of code basically says, if this message is in scope AND is a request message, start performing an active scan. Otherwise if it is a message which is in scope but a response message then perform passive scanning. 


$burp.do_active_scan takes 4 objects
-rhost           => host value
-rport           => port value
-pre_bool    => true/false based on whether or not it is https
-message    => String value (or Java bytes), full message (request only of course)


$burp.do_passive_scan takes 5 objects


-rhost           => host value
-rport           => port value
-pre_bool    => true/false based on whether or not it is https


-@@msg    => request message, string value (or Java bytes)
-message    =>  response message, string value (or Java bytes)








Okay, next up is Part 5 of this series where we will cover the rest of the methods listed above.


Happy Hacking,


~cktricky



Wednesday, May 11, 2011

Buby Script Basics Part 3

In part 2 of this series we covered the "evt_proxy_message" method. In part 3 of this series we will cover the two methods shown below which have "checks" next to them.


√ evt_http_message    
√ evt_scan_issue        
   doActiveScan        
   doPassiveScan        
   excludeFromScope
   includeInScope      
   isInScope
   issueAlert
   makeHttpRequest
   sendToIntruder
   sendToRepeater
   sendToSpider

    So let's cover each individually with brief explanation and a code example.

    You can find sample scripts for each of these under the examples directory of the buby-script repo located Here.


    EVT_HTTP_MESSAGE
    ---------------------------------


    The following code will allow you to obtain methods exposed by the message_info object (which is a class):




    The 3 separate objects that make up the param are:


    tool_name => This is a string value, it is the name of the tool for which the message originated. Examples include proxy, scanner and repeater.


    is_request => Boolean value (true/false), this returns true when it is a request and false when a response.


    message_info => This is a class. It is an instance of the IHttpRequestResponse Java class. So there are methods such as get_comment, set_comment and getUrl exposed. 


    An example of using evt_http_message can be seen here (code):






    ....and the result


    w00t!

    So what does the code actually do?

    Lines 1 and 2 - Define the method and separate param into 3 separate objects.

    Lines 3-5
    Ln 3 If the tool the message originated from was the spider and this is NOT a request proceed to Ln 4.
    Ln4 If the response status code is 200 (OK), then move to Ln 5.
    Ln 5 Puts "Yo, we received a 200 FTW!" to the console.

    Lines 6-9 Are closing statements/method and passing the param back up to the superclass method.


    You can find another example using this method in the zlib_inflate.rb script.




    EVT_SCAN_ISSUE
    ---------------------------


    The following code will allow you obtain methods exposed by the issue object (which is a class):



    Only one object is exposed, it is a class, it is called issue. Some of the methods exposed by this class are

    -issue_name
    -severity
    -confidence
    -protocol
    -host
    -url
    -port
    -issue_detail
    -issue_background
    -remediation_detail  
    -remediation_background

    The following code:




    ...produces:









































    Lets step through the code


    1.  def prnt(*objs)
    2.    strn, meth = objs  
    3.    str = ''
    4.    str << "\n#{strn}\n"
    5.    str << '=' * strn.length + "\n\n"
    6.    str << "#{meth}\n"
    7.    puts str
    8.  end


    Lines 1-2 - Defines the method (prnt) and separates objs into two objects (strn, meth).


    Lines 3-4 - This defines a string instance variable (str), and then proceeds to put the strn object onto it.

    Lines 5-7 - The length of strn gets multiplied by '=' so that we can create the following visual....

    Example:

    something
    =========

    ...then we push meth onto the string and then we "puts" or print it to the console.

    Lets step through the second method "hm_prnt".


    1.   def hm_prnt(*objs)
    2.     strn, meth = objs
    3.     str = ''
    4.     str << "\n#{strn}\n"
    5.     str << '=' * strn.length + "\n\n"
    6.     meth.each do |itm|
    7.       str << "#{itm.request_headers}\n"
    8.       str << "#{itm.request_body}\n"
    9.       str << "#{itm.response_headers}\n"
    10.     str << "#{itm.response_body}\n"
    11.    end
    12.    puts str 
    13 . end





    Lines 1-2 - Defines the method (prnt) and separates objs into two objects (strn, meth).

    Lines 3-4 - This defines a string instance variable (str), and then proceeds to put the strn object onto it. 

    Lines 6-10 - We take the meth object which is an Array, we iterate thru each item in the array, convert it to a string while calling the four methods it exposes (request_headers, request_body, response.headers, and response_body). Now these methods all belong to http_messages and itm really represents the http_messages class. So when we are iterating thru this array we are really iterating thru an array containing a bunch of http_messages classes. Hopefully that makes sense.


    Finally, we need to discuss the $burp.evt_scan_issue method.



    1.  def $burp.evt_scan_issue(issue)
    2.    meth_arry =  [
    3.      'issue_name',
    4.      'severity',
    5.      'confidence',
    6.      'protocol',
    7.      'host',
    8.      'url',
    9.      'port',
    10.     'issue_detail',
    11.     'issue_background',      
    12.     'remediation_detail',      
    13.     'remediation_background',     
    14.    ]
    15.   
    16.   meth_arry.each do |meth| 
    17.     prnt("#{meth}", "#{issue.send("#{meth}")}")
    18.   end
    19.   
    20.   hm_prnt('http_messages', issue.http_messages)
    21. 
    22. end


    Line 1 - Defines the method ($burp.evt_scan_issue) and instantiates the "issue" object.


    Lines 2-14  - Creates an Array called "meth_array" which consists of methods associated with the issue object instantiated on line 1.


    Lines 16-18 - Iterates thru the meth_arry we created on line 2 picking out each method and then sends the method name and the method itself to prnt.


    Line 20 - The http_message method attached to the issue object isn't in the meth_arry because it can't be called directly and converted to a string. This is because http_message is a an array of classes. Each class has it's own methods. So, we made a special prnt method for it called hm_prnt. 


    Well that is all for Part 3 of this series. Part 4 will cover some of the other methods listed in the first part of this post. If you have any feedback please provide it so that the series can be improved upon.

    Happy Hacking,


    ~cktricky