Two you, or an audit with a break-in

As always without names and titles, and since I additionally are bound by the signature of non-disclosure, also with a slightly modified history (and omitting some details, for the publication of which I have not received permission).
Below follows the real story of the penetration of the employee's computer well, let's say some private bank. The events described by your humble servant took place in some European country, not so long ago, before DSGVO (GDPR, RGPD), but in the process of its formation, on the eve of so to speak.
Actually, everything began with the security audit - , interviews, examining everything and everything under a magnifying glass, searching for and exploring potential loopholes and bottlenecks to get through (both there and from there), and actually parsing flights. At which the customer received as a result a disappointing conclusion for him - "three with a stretch."
Let's drop the words that had to be heard from the blushing IT security guards, but the general lyric message is this: I rush with unfounded accusations, and they have everything on the lock, and the key is in
in a pocket under the heart.
Attempts to explain that the security system built around the firewall + proxy + webwasher like content-filter & antivirus, without any poorly tuned hybrid IDS (HIDS + APIDS), the honepots, etc. etc., in the first by definition is not safe, in the second I have already shown how several places, where it is at least not comme il faut. Attempts to return to a constructive dialogue (actually back to the analysis) broke about a three-story wall of resentment, built by the entire department.
Having curtailed the meeting and dismissed the employees,
in a compartment with two important bosses, he still tried to find out honestly where my dog ​​was digging and understand
how to go on living
how actually and what exactly, in my humble opinion, it is necessary to do.
Because a glimpse of understanding in the future, too, was not observed, enthusiastically met the proposal to show in practice. After explaining that de right now, well, does not work, settling formalities (signing a few more papers, etc.), I got the go-ahead for "breaking".
The remark that I do not like to work blindly (I'm dreary, long and expensive, and even pentaging, it's a matter of luck), and please provide some additional information (for example, some personal data of some employees, such as developers and safety workers ), did not meet a counter understanding either.
Are you a hacker or not ?!
(in fact, no, I developed, and then - more hobbies).
I will not dwell on the further discussion for a long time - I convinced the money and time (as a matter of fact, the same money) as always.
Those. As a result, we have some knowledge of the structure of the company's protection (obtained as a result of the preliminary audit), as well as a full name and a brief biography of 4 administrators and 3 developers.
Why actually admins and developed, because you could also ask for "accountants girls", send them some "kitty" with an attached a much less secure animal in addition (or turn something like that from the social-engineering area) . But
However, very many companies as a rule do not like very much when they are at the presentation of
will begin to tell such things, i.e. "hacking system" based on intrigues from the field of social engineering is at least not welcomed, no matter how brilliantly it would not have been built.
Returning to the techies, they are no less "social" in the first place (which does not mean that they will launch any "cat", but so far the fact itself is important), in the second they usually have a more "developed" in the functional plan computer ( that there only you will not meet). And what is more interesting, in addition, they often have some "privileges" in contrast to the same accountant girl, i.e. can either be less infringed in security rights and system restrictions (such as policies and for example somehow run the newly compiled exe-shnik) and /or can run through the "wall" built by the security personnel (for example, throwing a tunnel through a proxy) and so on. etc.
Again, to crawl through the defense, using the computer programmer or administrator, it sounds completely different than for example "forcing" the trojan to start the accountant.
Those. the initial ones are received, the tasks are announced - we went
The first step is gathering information about "customers" - who, what, where, when.
I'm not going to get very distracted here, the article is not really about that, so I'll just say - I stayed on a pretty social kid, with facshots and co, including your own youtube channel (YouTube, Vasya!), Several open-source projects (both in the group and own) and simply the giant contribution activity
(it is asked but he generally works at the main place)
To find out hu-from-hu for today is generally not a problem (somewhere popolzovat real name in place with a nickname, somewhere lighted the IP address of the proxy from the company and the picture has taken shape), but no one really hides.
To brake on him I was forced, including
my natural instinct is
the fact that in one of the communities our hero was engaged in more or less active support in the chat, and using the IRC-client, which in user-info provided besides IP, where the legs grow, also the name and version of the beloved, well, it was famous bugs /holes and by default it was wrapped by plugins for nothing.
Well, as usual, one evening,
the homeless fell asleep on the box one bit, ours are losing again :)
I found a familiar nickname in the same chat room as an active user with a connection that is longer than 12 hours (judging by the log with intermediate outages /re-connections, since the corporate proxy is such a thing, but more than half a day since the first connection), from the IP address I need those. with a "login" of the form [email protected] .
That is, either our client's day is 24 hours, or more likely (since it was 2 hours since his last message), he just did not shut down the working computer and left the IRC client active.
Or maybe he put the computer to sleep, but (here again the mistake of security personnel or admins) happens that the latter wakes up himself, for example, to roll updates for Windows (and after a 4-hour pause to reboot) or simply stupidly catching a wake-on-lan signal.

Whatever it was, I had some time to patch the computer, or rather the IRC client of our "victim".
Not finding any known hole in this particular (by the way relevant at that time) version of the IRC client, armed with ida, ollydbg, etc. and looking at the source (quiet horror, Vasya!) began to look for some vulnerability, which makes it possible at least to do something there, with an eye to how to remotely monitor the IRC client (and we remember plug-ins).


And it was found, even relatively quickly!
Intercept the control allowed the presence of an unsafe call sprintf on the buffer from the stack with % s internally from badly filtered foreign-input (in combination with encoding injections), which allows to load the exploit code loader into the appropriate place (thanks to the development of the client for the code, Microsoft for the lowland stack and a lucky coincidence).


Although it would still suffer - since we have DEP, we can not execute directly from the stack, we need to write down a copy of the "program code" for execution, find memcpy call from ret at the end, to copy to the right place (rewrite the little used class), redirect the output from several procedures to the desired location, rewrite several VTABLE values ​​so that by calling the next virtual method an event is generated that causes some python code as a plug-in as a result (and indeed change this python code to your own, as a bootloader from broken messages, in order to assemble a ready-made exploit-tulkit).


Oh yes, we also needed to assemble a plug-in (again thank you to the client for such generous functionality), as a proxy, changing messages on the fly (adding a wrapper for the initiation of an injection breaking encoding, while inserting incomplete surrogates in the right place, and t etc.), encode the initial loader of the message-injection, etc.
In addition, I had to build a small python script in the form of a new client plugin for the target system as a console emulator (taking my messages in its stdin, and sending stdout + stderr private message back to my nickname).


Gathering this all on my knee, I launched the IRC client to try myself as a victim, i.e. See how it will be in full, ready-made form.
And sending a few other private messages-injections through my plug-in from the second session of the second running version of the application, I was delighted to see the usual python greeting (which I stuck in the emulator, for clarity - python).
Satisfied as an elephant (noting that the attacked application did not fall), he saw what was happening in his message output window - it was full of various non-ascii symbols, the most notable of which was ?? with the serial number 90h (which at least does not comme il faut, and even gives out a hacking attempt with a head), I thought that it was necessary to remake the loader in order to mask the following messages (all of a sudden it still works and will notice).
I looked in the code, and there waiting for the NTS-line on the issue, I decided not to bother much and stupidly rewrite the first byte of the message after loading with zero (with the hope that the output to the message screen will be on the event a little later).


Repeating the whole process, and waiting for the desired again looked in another window and did not find there anything superfluous in the chat (I'm still a genius) , decided to continue the test.
Then the message flew away. from glob import glob as ls; ls ('*') and I happily saw the answer list of folders and files contained in the application folder.


True, I saw the same message in the attacker's client window as sent to my nickname. I also had to put 0-byte (NTS) at the beginning of the line after sending it to me.


Having finished with the preparatory phase, he noted that our guinea-pig is still in the chat (without messages, Vasya!), Has prepared an exploit already for our candidate.


Let's go


Messages-injections are gone And after a few long seconds (apparently the disk was asleep or the proxy was stupid), I again saw the inviter .
As I jumped around the room, I still will not tell (that sight is not for the faint-hearted, for as a result of an uncontrolled process of manifestation of joy, I still zazandalil little finger on the leg of the chair).


Scrambling with pain and immediately thinking, "And suddenly he has something wrong in the window of bestowal, I suddenly somewhere naportachil and the application as a result will fall through time," I remembered about a possible forced restart after update (if suddenly the computer from that woke up and already rolled update), in a cold sweat (glancing at the swollen little finger and shaking hands), I accelerated.


The first thing to check for just in case and there we are at all.

import os; os.environ['userdomain']


and the answer is:



Well, everything, hands untied Let's go.


Having checked with a small script that logonui is locked, having calmed down a bit, decided to see what is on the computer in general:

from glob import glob as ls; ls (r'C: Program Files * ')


and in the answer, not believing his luck, among many interesting things I saw the following:

   [,'C:Program FilesTeamViewer',]


Those. you do not have to do any extra gestures - you do not have to swing anything, compile and look for a folder where you can write it all without violating any policy.


And then, in the meantime, it flew:

import subprocess; ([r'C:Program FilesTeamViewerTeamViewer.exe'])


well and after the returned answer:


After waiting a little while for TeamViewer to get through the proxy and the server gave him the ID (with a password), I ran a script searching for the window of TeamViewer, removing the screenshot from it and sending it back to me as a base64-line, in which, bitmap, I was pleased to find both the ID and the password for the connection.
The next morning, I already heard a surprised
, who first received a letter from me (but for some reason came from the internal Exchange account of his employee), and then a frightened call from the same employee with the words "Chief, we lost - we broke", who discovered in the morning an open window of Word with a large text inside "Two to you on security.You have been hacked!", date, signature.
After that, communication with the safety personnel was more fruitful, without splashing saliva, ripping shirts and screams. Learned by the bitter experience ( ? for example, as described in this article
), I tried, as best I could, to postpone the analysis of the intrusion itself later (for at first I wanted to receive a money order for a new "safety concept"), but after long persuasions, hints of a long-term cooperation, etc., as well as promises on their part to "not touch" the blundering employee (a colleague after all), they had to lay out almost all the main points.
The bounty in charge for hacking (as well as the cost of the preliminary audit), I then received completely, but then the office behaved say, not quite sporting. To continue the concert, they hired a prominent and well-known audit firm, which basically refused to work with external in my face.
Well, well, as they say in Germany, "Man sieht sich immer zweim im im Leben", which means "We will definitely meet again."
+ 0 -

Comments 2

TOhoms 17 July 2018 15:42
An audit that is the confidential part of any company. So there must complete check and balance of it that there must not even a single mistake in it and keep it in a complete security otherwise you may suffer loss. So be careful about these sensitive parts of the company to make it successful. You can pay someone to do your assignment for Ph.D. students. Thanks for sharing such info.
viruman 15 September 2018 09:44

Add comment