Friday, May 30, 2008

sha0proxy v1 released

I have implemented new features in my multiprotocol proxy; you can get it from:

sha0proxy.pl
Imagine you want to see and interact with the communication between a client and a server: with sha0proxy you can take control of each packet by hand or automate the replacements.

For now only TCP is supported.

Samples:

1. I want to see the communication

./sha0proxy.pl 445 fileserver 445 view
./smbclient -L 127.0.0.1

I will see the number of the current packet, followed by
>>>>> if the client sends to the server, or
<<<<< if the server sends to the client,
and then the colorized data:

1>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
|00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f |
---+------------------------------------------------+---
000|00 00 00 be ff 53 4d 42 72 00 00 00 00 08 01 c8 .....SMBr.......
010|00 00 00 00 00 00 00 00 00 00 00 00 00 00 41 21 ..............A!
020|00 00 01 00 00 9b 00 02 50 43 20 4e 45 54 57 4f ........PC NETWO
030|52 4b 20 50 52 4f 47 52 41 4d 20 31 2e 30 00 02 RK PROGRAM 1.0..
040|4d 49 43 52 4f 53 4f 46 54 20 4e 45 54 57 4f 52 MICROSOFT NETWOR
050|4b 53 20 31 2e 30 33 00 02 4d 49 43 52 4f 53 4f KS 1.03..MICROSO
060|46 54 20 4e 45 54 57 4f 52 4b 53 20 33 2e 30 00 FT NETWORKS 3.0.
070|02 4c 41 4e 4d 41 4e 31 2e 30 00 02 4c 4d 31 2e .LANMAN1.0..LM1.
080|32 58 30 30 32 00 02 44 4f 53 20 4c 41 4e 4d 41 2X002..DOS LANMA
090|4e 32 2e 31 00 02 4c 41 4e 4d 41 4e 32 2e 31 00 N2.1..LANMAN2.1.
0a0|02 53 61 6d 62 61 00 02 4e 54 20 4c 41 4e 4d 41 .Samba..NT LANMA
0b0|4e 20 31 2e 30 00 02 4e 54 20 4c 4d 20 30 2e 31 N 1.0..NT LM 0.1
0c0|32 00 2.

...

2. I wish to interfere with the traffic flow at runtime


./sha0proxy.pl 445 fileserver 445 trap
./smbclient -L 127.0.0.1


1>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
|00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f |
---+------------------------------------------------+---
000|00 00 00 be ff 53 4d 42 72 00 00 00 00 08 01 c8 .....SMBr.......
010|00 00 00 00 00 00 00 00 00 00 00 00 00 00 14 24 ...............$
020|00 00 01 00 00 9b 00 02 50 43 20 4e 45 54 57 4f ........PC NETWO
030|52 4b 20 50 52 4f 47 52 41 4d 20 31 2e 30 00 02 RK PROGRAM 1.0..
040|4d 49 43 52 4f 53 4f 46 54 20 4e 45 54 57 4f 52 MICROSOFT NETWOR
050|4b 53 20 31 2e 30 33 00 02 4d 49 43 52 4f 53 4f KS 1.03..MICROSO
060|46 54 20 4e 45 54 57 4f 52 4b 53 20 33 2e 30 00 FT NETWORKS 3.0.
070|02 4c 41 4e 4d 41 4e 31 2e 30 00 02 4c 4d 31 2e .LANMAN1.0..LM1.
080|32 58 30 30 32 00 02 44 4f 53 20 4c 41 4e 4d 41 2X002..DOS LANMA
090|4e 32 2e 31 00 02 4c 41 4e 4d 41 4e 32 2e 31 00 N2.1..LANMAN2.1.
0a0|02 53 61 6d 62 61 00 02 4e 54 20 4c 41 4e 4d 41 .Samba..NT LANMA
0b0|4e 20 31 2e 30 00 02 4e 54 20 4c 4d 20 30 2e 31 N 1.0..NT LM 0.1
0c0|32 00 2.

where>
what>

I pressed Enter twice; I don't want to change anything.

2<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
|00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f |
---+------------------------------------------------+---
000|00 00 00 b6 ff 53 4d 42 72 00 00 00 00 88 01 c8 .....SMBr.......
010|00 00 00 00 00 00 00 00 00 00 00 00 00 00 d6 24 ...............$
020|00 00 01 00 11 09 00 07 32 00 01 00 04 41 00 00 ........2....A..
030|00 00 01 00 00 00 00 00 fd f3 01 80 ae a3 02 87 ................
040|5b c2 c8 01 88 ff 00 71 00 88 c2 e4 e7 1d a3 83 [......q........
050|47 91 34 83 bf b4 7d ce b5 60 5f 06 06 2b 06 01 G.4...}..`_..+..
060|05 05 02 a0 55 30 53 a0 30 30 2e 06 09 2a 86 48 ....U0S.00...*.H
070|82 f7 12 01 02 02 06 09 2a 86 48 86 f7 12 01 02 ........*.H.....
080|02 06 0a 2a 86 48 86 f7 12 01 02 02 03 06 0a 2b ...*.H.........+
090|06 01 04 01 82 37 02 02 0a a3 1f 30 1d a0 1b 1b .....7.....0....

where>07a
what>AAAAA\x00

2<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
|00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f |
---+------------------------------------------------+---
000|00 00 00 b6 ff 53 4d 42 72 00 00 00 00 88 01 c8 .....SMBr.......
010|00 00 00 00 00 00 00 00 00 00 00 00 00 00 d6 24 ...............$
020|00 00 01 00 11 09 00 07 32 00 01 00 04 41 00 00 ........2....A..
030|00 00 01 00 00 00 00 00 fd f3 01 80 ae a3 02 87 ................
040|5b c2 c8 01 88 ff 00 71 00 88 c2 e4 e7 1d a3 83 [......q........
050|47 91 34 83 bf b4 7d ce b5 60 5f 06 06 2b 06 01 G.4...}..`_..+..
060|05 05 02 a0 55 30 53 a0 30 30 2e 06 09 2a 86 48 ....U0S.00...*.H
070|82 f7 12 01 02 02 06 09 2a 86 41 41 41 41 41 00 ........*.AAAAA.
080|02 06 0a 2a 86 48 86 f7 12 01 02 02 03 06 0a 2b ...*.H.........+
090|06 01 04 01 82 37 02 02 0a a3 1f 30 1d a0 1b 1b .....7.....0....


I wrote the value AAAAA\x00 at offset 0x07a and sent the modified packet.
Note that \0 and \x0 are not accepted: you have to write the x followed by two hex digits (\x00).
Note that sha0proxy shows us the second packet again, but with the changes applied.

3. I wish to make only one change quickly :)

./sha0proxy.pl 445 fileserver 445 trap 2 07a 'AAAAA\x00'
./smbclient -L 127.0.0.1

Note that I called sha0proxy with 3 extra parameters: the number of the packet to modify, the offset and the value (please quote unusual values with '').


1>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
|00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f |
---+------------------------------------------------+---
000|00 00 00 be ff 53 4d 42 72 00 00 00 00 08 01 c8 .....SMBr.......
010|00 00 00 00 00 00 00 00 00 00 00 00 00 00 14 24 ...............$
020|00 00 01 00 00 9b 00 02 50 43 20 4e 45 54 57 4f ........PC NETWO
030|52 4b 20 50 52 4f 47 52 41 4d 20 31 2e 30 00 02 RK PROGRAM 1.0..
040|4d 49 43 52 4f 53 4f 46 54 20 4e 45 54 57 4f 52 MICROSOFT NETWOR
050|4b 53 20 31 2e 30 33 00 02 4d 49 43 52 4f 53 4f KS 1.03..MICROSO
060|46 54 20 4e 45 54 57 4f 52 4b 53 20 33 2e 30 00 FT NETWORKS 3.0.
070|02 4c 41 4e 4d 41 4e 31 2e 30 00 02 4c 4d 31 2e .LANMAN1.0..LM1.
080|32 58 30 30 32 00 02 44 4f 53 20 4c 41 4e 4d 41 2X002..DOS LANMA
090|4e 32 2e 31 00 02 4c 41 4e 4d 41 4e 32 2e 31 00 N2.1..LANMAN2.1.
0a0|02 53 61 6d 62 61 00 02 4e 54 20 4c 41 4e 4d 41 .Samba..NT LANMA
0b0|4e 20 31 2e 30 00 02 4e 54 20 4c 4d 20 30 2e 31 N 1.0..NT LM 0.1
0c0|32 00 2.

where>
what>

I pressed Enter twice; I don't want to change anything.

2<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
|00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f |
---+------------------------------------------------+---
000|00 00 00 b6 ff 53 4d 42 72 00 00 00 00 88 01 c8 .....SMBr.......
010|00 00 00 00 00 00 00 00 00 00 00 00 00 00 d6 24 ...............$
020|00 00 01 00 11 09 00 07 32 00 01 00 04 41 00 00 ........2....A..
030|00 00 01 00 00 00 00 00 fd f3 01 80 ae a3 02 87 ................
040|5b c2 c8 01 88 ff 00 71 00 88 c2 e4 e7 1d a3 83 [......q........
050|47 91 34 83 bf b4 7d ce b5 60 5f 06 06 2b 06 01 G.4...}..`_..+..
060|05 05 02 a0 55 30 53 a0 30 30 2e 06 09 2a 86 48 ....U0S.00...*.H
070|82 f7 12 01 02 02 06 09 2a 86 48 86 f7 12 01 02 ........*.H.....
080|02 06 0a 2a 86 48 86 f7 12 01 02 02 03 06 0a 2b ...*.H.........+
090|06 01 04 01 82 37 02 02 0a a3 1f 30 1d a0 1b 1b .....7.....0....

where>
what>

I pressed Enter twice; I don't want to change anything.

2<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
|00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f |
---+------------------------------------------------+---
000|00 00 00 b6 ff 53 4d 42 72 00 00 00 00 88 01 c8 .....SMBr.......
010|00 00 00 00 00 00 00 00 00 00 00 00 00 00 d6 24 ...............$
020|00 00 01 00 11 09 00 07 32 00 01 00 04 41 00 00 ........2....A..
030|00 00 01 00 00 00 00 00 fd f3 01 80 ae a3 02 87 ................
040|5b c2 c8 01 88 ff 00 71 00 88 c2 e4 e7 1d a3 83 [......q........
050|47 91 34 83 bf b4 7d ce b5 60 5f 06 06 2b 06 01 G.4...}..`_..+..
060|05 05 02 a0 55 30 53 a0 30 30 2e 06 09 2a 86 48 ....U0S.00...*.H
070|82 f7 12 01 02 02 06 09 2a 86 41 41 41 41 41 00 ........*.AAAAA.
080|02 06 0a 2a 86 48 86 f7 12 01 02 02 03 06 0a 2b ...*.H.........+
090|06 01 04 01 82 37 02 02 0a a3 1f 30 1d a0 1b 1b .....7.....0....

I just pressed Enter, but on the command line I had programmed a change in the second packet; we can see it at 07a.


4. I wish to make many changes or write an exploit

cat > smbHeapBof
#This is not a real exploit
#but could be ;)
#

03 07a AAAAA\x00

#Fields can be separated with one space or a tab
#Comments are allowed
#\0 and \x0 cannot be used; the only allowed format is hex, \x00
^C

./sha0proxy.pl 445 fileserver 445 trap smbHeapBof
./smbclient -L 127.0.0.1


1>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
|00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f |
---+------------------------------------------------+---
000|00 00 00 be ff 53 4d 42 72 00 00 00 00 08 01 c8 .....SMBr.......
010|00 00 00 00 00 00 00 00 00 00 00 00 00 00 14 24 ...............$
020|00 00 01 00 00 9b 00 02 50 43 20 4e 45 54 57 4f ........PC NETWO
030|52 4b 20 50 52 4f 47 52 41 4d 20 31 2e 30 00 02 RK PROGRAM 1.0..
040|4d 49 43 52 4f 53 4f 46 54 20 4e 45 54 57 4f 52 MICROSOFT NETWOR
050|4b 53 20 31 2e 30 33 00 02 4d 49 43 52 4f 53 4f KS 1.03..MICROSO
060|46 54 20 4e 45 54 57 4f 52 4b 53 20 33 2e 30 00 FT NETWORKS 3.0.
070|02 4c 41 4e 4d 41 4e 31 2e 30 00 02 4c 4d 31 2e .LANMAN1.0..LM1.
080|32 58 30 30 32 00 02 44 4f 53 20 4c 41 4e 4d 41 2X002..DOS LANMA
090|4e 32 2e 31 00 02 4c 41 4e 4d 41 4e 32 2e 31 00 N2.1..LANMAN2.1.
0a0|02 53 61 6d 62 61 00 02 4e 54 20 4c 41 4e 4d 41 .Samba..NT LANMA
0b0|4e 20 31 2e 30 00 02 4e 54 20 4c 4d 20 30 2e 31 N 1.0..NT LM 0.1
0c0|32 00 2.

where>
what>

I pressed Enter twice; I don't want to change anything.

2<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
|00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f |
---+------------------------------------------------+---
000|00 00 00 b6 ff 53 4d 42 72 00 00 00 00 88 01 c8 .....SMBr.......
010|00 00 00 00 00 00 00 00 00 00 00 00 00 00 d6 24 ...............$
020|00 00 01 00 11 09 00 07 32 00 01 00 04 41 00 00 ........2....A..
030|00 00 01 00 00 00 00 00 fd f3 01 80 ae a3 02 87 ................
040|5b c2 c8 01 88 ff 00 71 00 88 c2 e4 e7 1d a3 83 [......q........
050|47 91 34 83 bf b4 7d ce b5 60 5f 06 06 2b 06 01 G.4...}..`_..+..
060|05 05 02 a0 55 30 53 a0 30 30 2e 06 09 2a 86 48 ....U0S.00...*.H
070|82 f7 12 01 02 02 06 09 2a 86 48 86 f7 12 01 02 ........*.H.....
080|02 06 0a 2a 86 48 86 f7 12 01 02 02 03 06 0a 2b ...*.H.........+
090|06 01 04 01 82 37 02 02 0a a3 1f 30 1d a0 1b 1b .....7.....0....

where>
what>

I pressed Enter twice; I don't want to change anything.

2<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
|00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f |
---+------------------------------------------------+---
000|00 00 00 b6 ff 53 4d 42 72 00 00 00 00 88 01 c8 .....SMBr.......
010|00 00 00 00 00 00 00 00 00 00 00 00 00 00 d6 24 ...............$
020|00 00 01 00 11 09 00 07 32 00 01 00 04 41 00 00 ........2....A..
030|00 00 01 00 00 00 00 00 fd f3 01 80 ae a3 02 87 ................
040|5b c2 c8 01 88 ff 00 71 00 88 c2 e4 e7 1d a3 83 [......q........
050|47 91 34 83 bf b4 7d ce b5 60 5f 06 06 2b 06 01 G.4...}..`_..+..
060|05 05 02 a0 55 30 53 a0 30 30 2e 06 09 2a 86 48 ....U0S.00...*.H
070|82 f7 12 01 02 02 06 09 2a 86 41 41 41 41 41 00 ........*.AAAAA.
080|02 06 0a 2a 86 48 86 f7 12 01 02 02 03 06 0a 2b ...*.H.........+
090|06 01 04 01 82 37 02 02 0a a3 1f 30 1d a0 1b 1b .....7.....0....


I just pressed Enter, but the file had programmed a change in the second packet; we can see it at 07a.
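As an added example (not sha0proxy's own Perl code), this Python shows the mechanics behind samples 2 to 4: the value syntax with \xNN escapes that rejects \0 and \x0, a rule file of <packet> <offset> <value> lines with # comments, the in-place overwrite, and a dump in the post's layout. It assumes that packet numbers in the file match the counter shown in the dump header and that a patch running past the end of the packet is an error; the sample bytes are constructed from row 070 of the server's second packet above.

```python
import re

def decode_value(text):
    """Decode a rule value: literal characters plus \\xNN escapes (exactly two hex digits).
    As the post says, \\0 and \\x0 are rejected rather than silently misread."""
    if re.search(r"\\(?!x[0-9a-fA-F]{2})", text):
        raise ValueError(f"bad escape in {text!r}: write \\xNN with two hex digits")
    return re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), text).encode("latin-1")

def parse_rules(text):
    """Parse '<packet> <hex offset> <value>' lines; '#' starts a comment, blank lines are skipped."""
    rules = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 2)   # fields separated by one space or tab, as in the post
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected '<packet> <offset> <value>'")
        rules.setdefault(int(parts[0]), []).append((int(parts[1], 16), decode_value(parts[2])))
    return rules

def apply_rules(packet_no, data, rules):
    """Overwrite bytes at each rule offset; refuse a patch that would run past the packet end."""
    buf = bytearray(data)
    for offset, value in rules.get(packet_no, []):
        if offset + len(value) > len(buf):
            raise ValueError(f"packet {packet_no}: patch at 0x{offset:03x} overruns {len(buf)} bytes")
        buf[offset:offset + len(value)] = value
    return bytes(buf)

def hexdump(data):
    """Render in the post's layout: 3-digit offset, 16 hex bytes per row, then printable ASCII."""
    rows = []
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        rows.append(f"{off:03x}|{' '.join(f'{b:02x}' for b in chunk)} "
                    + "".join(chr(b) if 32 <= b < 127 else "." for b in chunk))
    return "\n".join(rows)

# Constructed sample: 0x70 zero bytes followed by row 070 of the server's second packet in the post.
SAMPLE_PACKET = bytes(0x70) + bytes.fromhex("82f71201020206092a864886f7120102")
# Constructed rule file in the post's format (packet numbers assumed to match the dump counter).
SAMPLE_RULES = "# not a real exploit\n2 07a AAAAA\\x00\n"

if __name__ == "__main__":
    print(hexdump(apply_rules(2, SAMPLE_PACKET, parse_rules(SAMPLE_RULES))))
```

Row 070 of the output is byte-for-byte the modified row shown in the post, which is a quick way to check that a rule file does what you meant before pointing the proxy at a real server.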


5. I want to make an exploit file for sha0proxy with no interaction at all; I don't want to press Enter every time.

No problem: use view mode with the file as its last parameter.

./sha0proxy.pl 445 fileserver 445 view file
./smbclient -L 127.0.0.1

6. I have the server and the client on my box and can't use the same port for the server and sha0proxy :/

You must use IP aliasing:

ifconfig eth0:1 <ip2> up

Make the server listen on ip1 (eth0) and sha0proxy on ip2 (the eth0:1 alias, <ip2> above); the client then connects to ip2.


EOF
