Metasploit mailing list archives

Idea for a new payload : Manipulate Internet Explorer with OLE AUTOMATION


From: thierry.haven at xmcopartners.com (Thierry Haven)
Date: Thu, 17 Feb 2005 14:51:30 +0100

Hi,

The idea is to create and maintain a data stream between a client 
computer running an Internet browser and a remote management console.

The generic principles are explained here: 
http://www.xmcopartners.com/whitepapers/intrusion-agent.pdf


But we need to use an existing browser component as an "intrusion 
agent". Here's the deal.

To get a cmd.exe shell or to create a network bridge, you need a 
permanent bidirectional channel between the hacked computer and your 
management console.
Thus, you need two sockets: one for the upload, the other one for the 
download. It's due to the way proxies handle responses (like with 
QuicktimeVR).

The client tries to establish a communication between the local 
(infected) computer and your remote console through a proxy server.

The idea is to create two outbound sockets from the hacked computer: one 
for an HTTP GET like http://you/get.jsp, and a second one with a 
never-ending HTTP POST.

Once established, the client sends a "GET" HTTP request via the proxy 
and waits for the "200 OK" from the server. It's like a big file download.
Commands from the console are sent through the GET response (200 OK).

When a command is received, a response (data) may be sent with "POST" 
channel to the remote console.

Consequently, in our case here, the console behaves like an HTTP server.

Depending on the actual setup, proxies and firewalls are usually 
bypassed with such a trick because we use a trusted component to 
communicate.

Integrating the malicious code in a browser may be achieved by creating 
a browser helper object (like spywares/adwares usually do; see 
http://securityresponse.symantec.com/avcenter/venc/data/adware.browseraid.html) 
or by injecting a DLL into a network process 
(http://www.codeguru.com/Cpp/W-P/dll/article.php/c105/). Hard patching 
by modifying the IAT may also be done, but in this case, the Windows 
File Protection (WFP) has to be disabled or hooked.

Using OLE, there is a good PoC: http://nicob.net/jab/JAB-0.5.tgz. Please 
refer to http://www.nicob.net/jab/Presentation-SSTIC.pdf (French) for 
the presentation.

Another problem then comes: the proxy credentials (NTLM, AD or Basic 
Authent). Nowadays, proxies need authentication and the agent must 
use them.

However, good antiviruses usually detect code injection & hard patching 
& malicious components... There are still other (less known) solutions...


Best regards,

_______________________________________
Thierry Haven - Xmco Partners
Security Consultant / Penetration Testing

tel  : 33 1 53 45 28 63
web  : http://www.xmcopartners.com
16 place Vendome 75001 PARIS
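
The two-socket scheme described in the message above (a GET that looks like a large download and carries commands, paired with a never-ending POST that carries results) leaves a recognisable pattern in proxy logs: the same client keeps a GET and a POST open to the same host for minutes at a time, whereas ordinary browsing produces short POSTs. The following detector is an added example for this thread, not code from the original post or from Metasploit; the log format, the hostnames and the sample lines are constructed for the example, modelled loosely on a Squid-style access log (epoch seconds, elapsed milliseconds, client, method, URL, status).

```python
"""Heuristic detector for the GET/POST tunnel pattern described in the thread.

Log format and sample lines are constructed for this example (Squid-like):
    epoch_seconds elapsed_ms client_ip METHOD url status
"""
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample proxy log. Client 10.0.0.5 holds a 20-minute GET and a
# 20-minute POST open to the same host at the same time (the tunnel pattern);
# client 10.0.0.7 only has a long GET (a plain big download, one-sided).
SAMPLE_LOG = """\
1108648290.000 1200000 10.0.0.5 GET http://console.example.invalid/get.jsp 200
1108648291.000 1195000 10.0.0.5 POST http://console.example.invalid/post.jsp 200
1108648300.000 120 10.0.0.5 GET http://www.example.invalid/index.html 200
1108648310.000 400 10.0.0.7 POST http://www.example.invalid/login 302
1108648320.000 900000 10.0.0.7 GET http://mirror.example.invalid/big.iso 200
""".splitlines()


@dataclass
class Entry:
    start: float       # request start, epoch seconds
    elapsed_ms: int    # request duration as logged by the proxy
    client: str
    method: str
    host: str
    status: int

    @property
    def end(self) -> float:
        return self.start + self.elapsed_ms / 1000.0


def parse_line(line: str):
    """Parse one log line into an Entry; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, elapsed, client, method, url, status = parts
    host = urlsplit(url).hostname or url
    return Entry(float(ts), int(elapsed), client, method.upper(), host, int(status))


def find_tunnel_pairs(lines, min_seconds=300):
    """Return sorted (client, host) pairs for which a GET and a POST each lasted
    at least min_seconds and overlapped in time.

    A long GET alone is just a download; a long POST alone is an upload. It is
    the concurrent pair to one host that matches the command/data channel
    split described in the thread, so only the pair is reported.
    """
    by_key = defaultdict(lambda: {"GET": [], "POST": []})
    for line in lines:
        entry = parse_line(line)
        if entry is None or entry.method not in ("GET", "POST"):
            continue
        if entry.elapsed_ms >= min_seconds * 1000:
            by_key[(entry.client, entry.host)][entry.method].append(entry)

    hits = []
    for key, chans in sorted(by_key.items()):
        overlapping = any(
            g.start < p.end and p.start < g.end   # closed intervals overlap
            for g in chans["GET"] for p in chans["POST"]
        )
        if overlapping:
            hits.append(key)
    return hits


if __name__ == "__main__":
    for client, host in find_tunnel_pairs(SAMPLE_LOG):
        print(f"possible GET/POST tunnel: {client} -> {host}")
```

One caveat when running this against a real proxy: most proxies, Squid included, write the access-log line only when the transaction completes, so a tunnel that is still open does not appear until it is torn down or the proxy enforces a request timeout. For live detection, the same overlap test has to be applied to the proxy's current connection table rather than to its finished-request log.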

ALLAIN Yann wrote:
Hi all,

First, thanks for your great great framework... continue!

Second,

May I suggest a new payload: Manipulate IE in OLE AUTOMATION to 
create an outbound tunnel on HTTP, like the Setiri Trojan of SENSEPOST 
or the GASPER Trojan from the rstack group.

I will try to inject a DLL that manipulates IE in OLE with your marvelous 
Meterpreter. But could you give me your feedback on this payload 
(feasibility, stability, and so on)?

Thanks in advance.

Yann





