Thank you Ed Skoudis or 2011 Chrismas challenge

If I need to say thank you to someone for a nice time and for having fun, that would be Ed Skoudis. And If I need to hate someone for some nights without sleep, that would be definitely Ed.

But lets start with the beginning. I was kind of motivated by Ed’s post on the SANS web page to get over my old Turbo Pascal/Bash programming knowledge and move to something else like Python. And because I got some spare time around Christmas I decide myself to use Python for solving ED’s Christmas challenge (http://pen-testing.sans.org/holiday-challenge). I updated my Python install on Windows and got a big cup of tee (Phu Erh).

After I downloaded the pcap file and load that in wireshark I go normally to the Statistics -> Conversations and Statistics -> Endpoints in order to get some ideas regarding the kind of traffic that I’m dealing with.

First TCP conversations is a SMTP  conversation. In order to filter the SMTP traffic you can type smtp on the filter windows.

Selecting one of the packets and after this from the menu Analyse-> Follow TCP Stream, you can can see the SMTP conversation that contain an e-mail with an attachment. This attachment is a base64 encoded. In order to decoded I decide to use my „fu” in python.

import base64

a = []

newtext = []

inputstring = „”

inputfile = open(r”c:\smtptraffic.txt”,”r”)

for line in inputfile:

a.append(line.strip())

inputstring = „”.join(a)

inputfile.close()

outputfile = open(r”c:\Letter2Mel.doc”,”w”)

outputstring = base64.b64decode(inputstring)

outputfile.write(outputstring)

outputfile.close()

I was kind of happy when I did get the output,  but trying to open the file I got an error from the Microsoft Word that the file was corrupted. Checking in a hex editor I was kind of surprised because I was able to see the Microsoft Word file header ( EC A5 C1 00 with a 512 byte offset )  and read the text,  but I was not able to open it. By the way, a good source for information about this can be found at http://www.garykessler.net/library/file_sigs.html .

Python was helping me to check the right position of the header with the function:

>>>int(0x200)

521

I moved forward with the analyses and got the SQL code injection, DNS replacement, Shell download and SQLite „magic” to plant the fake position on the Iphone backup file, but I was not really ready to submit my response because the first part was kind of „not wright”.

I start to have a look on other Python library binascii with the function  in order to get the file decoded but I  get the same result.

a2b_base64(string)

Convert a block of base64 data back to binary and return the binary data. More than one line may be passed at a time.

Asking around what could be the reason for not being able to open the file,  I was asked by someone if there was no malware embedded on the document.. Why the hell I did not thought about that. (Thanks Stefan). A check on virustotal for the md5 hash (761c786733a586aac8d8da0ce8e5dde6) came empty. No one uploaded the file until now. Ok!

On the http://www.reconstructer.org/ , Frank Boldewin offer some software that is able to detect malware on office documents.

C:>OfficeMalScanner.exe L

etter2Mel_v0.doc scan

+––––––––––––––+

|           OfficeMalScanner v0.53         |

|  Frank Boldewin / www.reconstructer.org  |

+––––––––––––––+

[*] SCAN mode selected

[*] Opening file Letter2Mel_v0.doc

[*] Filesize is 19467 (0x4c0b) Bytes

[*] Ms Office OLE2 Compound Format document detected

[*] Scanning now…

Analysis finished!

–––––––––––––––––––––––

No malicious traces found in this file!

Assure that this file is being scanned with the „info” parameter too.

–––––––––––––––––––––––

Running the info option make me to wonder more and more. (the software just crushed). This is not f….ing  good. Maybe I missed something.

After some days I did ask one of my friends if he had a look on the challenge and he told me that everything worked well, he used also Python to decode the file and surprise..he was able to open the document. Damn again. The only difference between me and him was that he used Linux for decoding the file. This can not be.

Can I run into a Python  bug? This can not be. In this point I started to update my script and create a md5 hash of the values „before” and „after”  the decode function:

import md5

….

Text skipped

..

m = md5.new()

m.update(inputstring)

print „the hash of the input string is: ” + m.hexdigest()

m.update(outputstring)

print „the hash of the input string is: ” + m.hexdigest()

The values were the same with the linux version but still the  output was different. The only remain point was the write function in Python that was suppose to write the doc to the disk.

And ….damn one more time…I just realize that I was writing a binary to disk and I need to tell  to my script that the value is binary.

outputfile = open(r”c:\Letter2Mel.doc”,”wb„)

But why is not happening the same in Linux? I  thought for 10 sec that this was Ed’s evil way to punish the Windows fellows. But I finished, not looking for blame, being late for submission and  happy with the challenge.

Thank you Ed, was really fun…

PS. I.m pretty sure that Grandma is using BackTrack for sending mails, because of the X-X-Sender header on SMTP message created by the Pine like software used for writing the mail:

From: Grandma <root@grandma.gma>

X-X-Sender: root@bt

To: cousinmel@mail.gma