Jul
28

jjencode decoder (jjdecode)

So I’ve had a look at jjencode some time ago and today I decided to do a decoder for the bloody thing. Instead of creating an entire parser for JS I decided to trust the code a bit by evaling the code prior to the encoded part and thereby letting the browsers JS engine build up the scope for me to use afterwards.

If you have no clue what jjencode is then you can read this: http://pferrie2.tripod.com/papers/jjencode.pdf and this: http://utf-8.jp/public/20090710/jjencode.pps. And you can try it here: http://utf-8.jp/public/jjencode.html. Basicly it encoded your code into symbols only. alert(0) would be be encoded into this (with parameter g set to “_”):

 1: _=~[];
 2: _={___:++_,$$$$:(![]+"")[_],__$:++_,$_$_:(![]+"")[_],_$_:++_,$_$$:({}+"")[_],$$_$:(_[_]+"")[_],_$$:++_,$$$_:(!""+"")[_],$__:++_,$_$:++_,$$__:({}+"")[_],$$_:++_,$$$:++_,$___:++_,$__$:++_};
 3: _.$_=(_.$_=_+"")[_.$_$]+(_._$=_.$_[_.__$])+(_.$$=(_.$+"")[_.__$])+((!_)+"")[_._$$]+(_.__=_.$_[_.$$_])+(_.$=(!""+"")[_.__$])+(_._=(!""+"")[_._$_])+_.$_[_.$_$]+_.__+_._$+_.$;
 4: _.$$=_.$+(!""+"")[_._$$]+_.__+_._+_.$+_.$$;
 5: _.$=(_.___)[_.$_][_.$_];
 6: _.$(_.$(_.$$+"\""+_.$_$_+(![]+"")[_._$_]+_.$$$_+"\\"+_.__$+_.$$_+_._$_+_.__+"("+_.___+")"+"\"")())();

I’m aware that could lead to some code execution in the decoding part but if that code is incoded it needs the full scope inorder to eval it. All non-encoded code I would be able to filter of by myself. A code which could trigger a code execution at accident at this time would be:

 1: _=~[];
 2: alert(0);
 3: _={___:++_,$$$$:(![]+"")[_],__$:++_,$_$_:(![]+"")[_],_$_:++_,$_$$:({}+"")[_],$$_$:(_[_]+"")[_],_$$:++_,$$$_:(!""+"")[_],$__:++_,$_$:++_,$$__:({}+"")[_],$$_:++_,$$$:++_,$___:++_,$__$:++_};
 4: _.$_=(_.$_=_+"")[_.$_$]+(_._$=_.$_[_.__$])+(_.$$=(_.$+"")[_.__$])+((!_)+"")[_._$$]+(_.__=_.$_[_.$$_])+(_.$=(!""+"")[_.__$])+(_._=(!""+"")[_._$_])+_.$_[_.$_$]+_.__+_._$+_.$;
 5: _.$$=_.$+(!""+"")[_._$$]+_.__+_._+_.$+_.$$;
 6: _.$=(_.___)[_.$_][_.$_];
 7: _.$(_.$(_.$$+"\""+_.$_$_+(![]+"")[_._$_]+_.$$$_+"\\"+_.__$+_.$$_+_._$_+_.__+"("+_.___+")"+"\"")())();

The alert(0) in the second line would be fired off, but then again. It’s quite easy to spot in this example. If I get some more time, I’ll go the long was in decoding this the proper way.

In the decoder I start by finding the variable name of the main object (in the encoder that’s the paramter g) hereafter I start splitting the encoded code up at all semi-colons (;) with a RegEx. Here’s the two RegExs, first the one for parameter g and then the one for splitting up the lines (text is my input of encoded code).

 1: var g = text.match(/([^=])=~\[\];/)[1];
 2: var lines = text.match(/([^;]*);/g);

With g and the lines in hand I do a loop on the lines checking for the execution part of jjencode. If it’s not found I’ll eval the line, otherwise I’ll set the variable lookAhead to true and thereby concatinating the rest of the encoded lines before pulling out the encoded code out of the execution part and running eval on the thing for it to return it’s content. More explaning comes later on. Here’s the if from the loop, I’ll just run it through.

 1: if ( ! lines[i].match(/_.\$\(_.\$\(/) && ! lookAhead) {
 2:     eval(lines[i]);
 3: } else {
 4:     lookAhead = true;
 5:     finalLine = finalLine + lines[i];
 6:
 7:     if (i == lines.length - 1) {
 8:         // _.\$\((.*)(\)\(\))
 9:         var re = new RegExp(g + '.\\$\\((.*)(\\)\\(\\))');
 10:         var reString = finalLine.match(re);
 11:         output = eval(reString[1]);
 12:     }
 13: }

Line 1 if of course the check whether the execution part of jjencode is to be found in the line. If not I’ll eval the code at line 2. Inside the else I’ll start the lookAhead since the execution part was found, I’ll concat the line to the finalLine variable. When there is no more lines to concat it will trigger the if sentence at line 7. The RegEx at line 9 vill take the return code inside the execution part and take it out to eval it and return lastly.

You can try the thing here: http://e-x-e.dk/labs/jjdecode/index.php, go have some fun and let me know if you do something smiliar. Remeber to have your console open when fooling around with this. The decoder function can be found here: http://e-x-e.dk/labs/jjdecode/assets/decoder.js and the encoder here: http://e-x-e.dk/labs/jjdecode/assets/encoder.js (the encoder is from http://utf-8.jp/public/jjencode.html).

Jul
26

Looking into Hypem… and some exploits

Please note that this is not in any way an attack on Hypem. All work done here is done with great love to Hypem. Hypem have been notified about the exploits before this release in order to patch these. This is more of an exercise for myself.

So the last couple of days I’ve been fooling around with Hypem, both looking into finding their mp3 files and some of the mechanics in that. Moreover I did a quick look for some simple exploits as well. I’ll present my findings starting with the mechanics of finding their mp3 files and hereafter I’ll get to some exploits and some cookie stealing/session hijacking when going over some of their javascript.

If you don’t know what Hypem are then you have been living under a rock. But, this is how they describe themself: “The Hype Machine keeps track of what music bloggers write about. We handpick a set of kickass music blogs and then present what they discuss for easy analysis, consumption and discovery. This way, your odds of stumbling into awesome music or awesome blogs are high.” - http://hypem.com/about. Their rank on Alexa can be found here: http://www.alexa.com/siteinfo/hypem.com

Finding Hypem mp3 files

So I first wanted to be able to download the awesome music from Hypem which is why I downloaded some plugin for FF in order to do so. But the plugin was bad, I had to go through every song and press download or use another plugin which messed up the naming of the files. Therefore I broke down the plugin in order to find out how they got the files in the first place.

Basicly the url of the mp3 files can be found in two ways (found the second one later on):

http://hypem.com/serve/play/[id]/[key]

http://hypem.com/serve/source/[id]/[key]

The /serve/play one will do a redirect to the mp3 file which then can be downloaded. The /serve/source one on the other hand will give you a bit of JSON data with the id of the track, the url to the mp3 and a bool final which allways seems to be true (what I’ve seen so far). The JSON for one of the tracks is shown below (You don’t need to try to download the file, the link is broken on purpose)

{
   itemid: "gmef"
   url: "http://t01a.hypem.com/sec/5e3cf3001fck75d3bb1de182b959a89b/51ed41f1/archive/614/10/1eaca15ec90abcde181efk144d146d8b.mp3"
   final: true
}

Getting this far is quite easy when being in a browser (which is maybe why there are no standalone programs that I could find) which takes care of cookies etc etc. But when I was doing my own program in C# as a program on the side I ran into a couple of problems.

I started by getting the Hypem pages after remembering to add a User-Agent in the headers of the HTTP request. Otherwise I wouldn’t get any real content. Getting the ids and keys for the URLs was next on the agenda, luckily Hypem got all of that in their source in a format like this:

trackList[document.location.href].push({
   type:'normal',
   id:'ad5sf',
   postid:'1539980',
   posturl:'http://www.themusicninja.com/folk-st-vincent-surgeon/',
   time:'265',
   ts: '1311368622',
   fav:'0',
   key: '63f38d627b20d16aad38c67cbe1ed2b6',
   imeem_id:'',
   artist:'St. Vincent',
   song:'Surgeon',
   amazon:'',
   itunes:'',
   emusic:'',
   exact_track_avail:'0'
});

So I created a function which took the input in form of a Hypem HTML source and returned a list of Track objects which all had been extracted from the source. The extraction was quite simple; select all <script> tags where trackList[document.location.href].push({ was to find in the tags innerText. Then parsing the innerText of the selected tags using a couple of RegEx’s to extract the values. Fx. extracting the key could be done using this RegEx (returning the hex value of into the group keyValue):

\skey\:\s?\'(?<keyValue>([a-fA-F0-9])*)\'\,

From there I just needed to download the files, right? Almost, since the keys are uniqe to the AUTH cookie I first had to pretend being a browser by getting a AUTH cookie on my first request to Hypem (Header Set-Cokokie was recieved from the HTTP response) and then using it in the future requests including getting the download URLs. Here you can see the Set-Cookie header recieved, we’ll come back to that later on:

Set-Cookie: AUTH=03%3Adaae3967194bfaa0232a8b0e0aa0a331%3A1311612064%3A1047226477%3A07-DK; expires=Wed, 21-Jul-2027 16:41:04 GMT; path=/; domain=hypem.com

Otherwise I would get URLs that I could’t download. This is properly made in order prevent users from sharing the /serve/* URLs or some other reason that I havn’t found yet. When getting the download URLs I used the /serve/play option then following the HTTP 302, redirecting me to the right download URL.

So if you want to create your own fun little program for surfing Hypem remember to

  • Set your User-Agent header
  • Reuse your AUTH cookie

Another fun little thing with Hypem’s HTTP headers is the header X-Hacker:

X-hacker: Hey, if you're reading this, you should drop us an email at hypem.com/contact, maybe we can work together!

Exploits and other fun investigation

While I was at it I did a quick look for things like SQLi and XSS’s. I didn’t find any SQLi’s (so far), but I did found a couple of XSS’s:

http://hypem.com/soundcloud-embed.php?set=planningtorock/sets/w-hype-machine-exclusive/s-8ev0R';alert(document.cookie);var x='
http://hypem.com/search/"><script>alert(document.cookie)</script><div class="/1/

hypem-screen1hypem-screen2

Well these I think speak for themselves. Easy to do a lot of fun with and with some of Hypem’s custom JS functions it’s even easier if you want to automate the process. Hypem godt a HUGE (~2600 lines beautified) JS file with their own functions, helpers etc. If you want to have a look for yourself it’s here (minified): http://static-ak.hypem.net/rev_1311597164/js/hype_functions_min.js. These are some of the most fun I think:

  • get_cookie(name)
  • set_cookie(name, value, expires, path, domain, secure)

You can of misuse these two functions in an XSS, using get_cookie(‘AUTH’) (or just document.cookie) and send it to your own server for later use. Then XSS yourself and using the set_cookie(…) function to easily set the AUTH cookie. The path, domain etc. you could find in the Set-Cookie header gotten earlier. Mind that the expires variable indicates how many days from the current time the cookie should be set, you can really set it to whatever. An example use of set_cookie(…):

set_cookie('AUTH', '03:32ceca302374836fd91f11eb76e0bad9:1311506102:1047226477:07-DK', 10, 'hypem.com', '/', false);

Fixing the XSS’s is rather trivial, escape the strings properly in taking into account where the strings are being echoed and then that’s that. No more XSS and no more session hijacking.

I full list of functions you have here:

function set_ad_vars()
function dfp_extras_var_passthru()
function dfp_extras_passback(country)
function refresh_user_menu()
function page_url_state_init()
function load_url(url, action_src)
function check_hash_change()
function rewrite_links()
function get_cookie(name)
function set_cookie(name, value, expires, path, domain, secure)
function get_visitorid_from_cookie()
function hide_notice(cookie_key)
function set_site_queue(queueItems)
function get_site_queue()
function getQueryVariable(variable)
function load_search()
function urlencode_kinda(str)
function load_random_search(forced)
function load_random_track()
function trim(str)
function get_unix_time()
function sec_to_str(nSec)
function toggleLayer(whichLayer)
function getOffX(o)
function sm_onload()
function sm_onplay()
function sm_onresume()
function sm_onpause()
function sm_onfinish()
function sm_whileplaying()
function sm_whileloading()
function sm_start_drag(evt)
function sm_follow_volume_drag(evt)
function sm_follow_progress_drag(evt)
function sm_end_drag(evt)
function sm_update_volume(evt, t_elt, morph)
function sm_update_progress(evt, t_elt)
function sm_toggle_mute()
function loadNextTrack(skip)
function retryLoadTrack()
function beginFadeTransition()
function fadeInSound(soundObj, amount, ms_delay)
function fadeOutSound(soundObj, amount, ms_delay)
function is_fade_enabled()
function is_html5_history_compat()
function update_current_play_ctrl(mode)
function togglePlayByItemid(itemid, evt)
function is_spy_page()
function is_shuffle_page()
function togglePlaySimple()
function togglePlay(id, evt)
function stopTrack()
function playTrack(skip_prompts)
function nextTrack(clicked_obj)
function prevTrack(clicked_obj)
function set_track_bg(fileid, color)
function set_now_playing_info()
function toggle_favorite(type, id, gray, skip_prompt)
function show_all_tracks(elt)
function show_buy(pos)
function expand_hyped(list_parent)
function enable_notification_check()
function check_notification()
function disable_notification_check()
function enable_playback_check()
function playback_check()
function disable_playback_check()
function toggle_item_activity(type, fileid, page)
function update_item_activity(type, fileid, page)
function load_item_activity(type, id, pos, page)
function toggle_item_graph(id, force, pos)
function load_item_graph(id)
function show_sidebar_info(uid, method, section)
function set_nav_item_active(eltid)
function setup_player_bar()
function hide_player_bar()
function show_player_bar()
function blog_search()
function blog_search_keyup()
function blog_directory_switch(tab)
function radio_update()
function load_gs_player(pos, gs_id)
function next_review(pos)
function prev_review(pos)
function show_review(pos)
function updateUrl(value)
function checkEmail()
function create_account(type, id, form_type)
function user_login(type, id)
function post_login(type, id)
function post_username_change()
function cancel_iframe_dialog(redir_to)
function checkPw()
function change_password(old_pw, newpw, key)
function change_username(pw, new_username)
function change_email(pw, email)
function user_logout()
function user_forgot()
function display_twitter_score()
function save_location()
function UploadToS3()
function lightbox_close_handler(lightbox_url)
function contact_show_tips()
function save_account()
function request_confirmation()
function unlink_twitter()
function save_twitter()
function unlink_lastfm()
function save_lastfm()
function show_lightbox(type, url, arg1)

Also there is the wonderful function debug(q, w, e, r) defined like this:

window.debug = function(q, w, e, r) {
    if (!document.location.href.match(/dev.hypem.com/)) {
        return false;
    }
    try {
        if (typeof console != 'undefined') {
            console.log.apply(console, arguments);
        }
    } catch(err) {
        if (typeof console != 'undefined') {
            console.log(q, w, e, r);
        }
    }
};

This function is great, if you are a dev or someone interested in get a deeper look at the inside of Hypem. Unfortunately I’m not a Hypem dev (hint, hint) and the dev.hypem.com requires username/password, so I’ll just redefine the function with this:

function debug(q,w,e,r){
    if (do_debug==false) {
        return true;
    }
    try{
        if(typeof console!='undefined'){
            console.log.apply(console,arguments);
        }
    } catch(err){
        if(typeof console!='undefined'){
            console.log(q,w,e,r);
        }
    }
}

I introduced the variable do_debug, a bool enabling the debug in the console. You should really take a look at the debug messages, a lot of fun stuff to see actually.

Needless to say there are a lot of fun XHR requests going on at all times on Hypem which you’ll find out when debugging the site and looking at the XHR requests. Logging action, radio fun etc. etc. etc. All of this is kind of expected with a site like Hypem where almost all of the stuff is happening via AJAX in order to keep the music playing.

The site also got a bit of fun variables when being logged in and logged out. Without going into depth with all of them here’s the list:

var trackList = {};
var activeList = document.location.href;
var currentTrack = 0;
var currentPlayerObj = Array();
var activeItem;
var currentUrl;
var prevUrl;
var is_logged_in;
var logged_in_username;
var playback_allowed;
var dragging_position = false;
var dragging_x;
var isReady = 0;
var playerStatus = "";
var playerDisplayed = "normal";
var playback_event_timeout = 0;
var playback_event_count = 0;
var playback_manual = 0;
var player_position;
var player_duration;
var player_volume = 50;
var page_updater;
var notificationTimeout = 0;
var updateSpy = 1;
var album_rs = Array();
var album_r_curr = Array();
var autosearch_blogs;
var radio_timeout = 0;
var radio_now_fileid = 0;
var radio_now_data = {};
var radio_counter = 0;
var radio_notificationTimeout = 0;
var master_ord;
var master_passback;
var ad_feedback_code;
var ad_feedback_position;

I think all of the variable names makes so much sense that I don’t want to explain what each of them do, you’ll have to have fun with that yourself.

Domains, servers etc. etc.

Here’s just a little bit of info from a quick look at the server, domains and subdomains at Hypem. Not that interesting but there you have it.

Hypem.com is hosted at 205.251.139.43 (US) together with 2 other domains: buymusic.org and hypem.mobi. Properly a VPS for their main stuff I guess. 5 DNS servers from dnsmadeeasy.com used, some load balancing there also. (http://www.robtex.com/dns/hypem.com.html, http://toolbar.netcraft.com/site_report?url=http://hypem.com)

The subdomain dev.hypem.com is hosted at 205.251.142.11 (US). No sharing on that server, properly just an isolated test server for lulz. (http://www.robtex.com/dns/dev.hypem.com.html).

Subdomain blog.hypem.com is over at 69.163.207.2 (US). Sharing the IP with a couple of weird domains besides from thehypemachine.net.

Hypem uses a S3 bucket for their users profile pictures, that’s here: http://faces-s3.hypem.com/.

Furthermore they got (maybe) 8 servers for hosting their mp3 files at http://t01a.hypem.com/ –> http://t08a.hypem.com/. There are other hosting servers also I’m sure, maybe some soundcloud thingy.

 

I think that’s it for now, I’m going to beeed.

Jul
23

Oh look what I did: a simple Javascript deobfuscator in PHP

So I’ve got this assignment the other day, some Javascript which were obfuscated in an annoying but rather traditional way (seems like it was some variant of Koobface). All of the strings were encoded into hex and saved into a huge array in order to make it harder to analyse by security people like myself. So decoded the array and started doing a couple of functions myself. Then I got tired and felt that there were a smarter way doing this. So there were…

I started doing a fun regex for getting the large blobs of strings used to obfuscate a lot of the actions in the scripts:

/var ([_0-9a-zA-Z]*).?=.?\[([\"a-zA-Z0-9,\\\\]*)\]/

After obtaining this variable I split up the array and decode the values, building up the array for later use.

From there I take the input file (fx. Koobface) and let the code replace the obfuscated parts of the input with the decoded values from the blob of strings extracted.  After that I do a bit to beautify the code, but if you don’t really like it I recommend: http://jsbeautifier.org/. (You can disable the beautify bit by setting the third parameter of replaceDisassembleVars to false).

The code is split up in a couple of main functions with a couple of helper functions. No fancy classes etc at this point but it’ll maybe come later if I get to do some more work on this.

First get the input loaded to a variable fx. with file_get_contents($filePath). Hereafter you get the array extracted from the script with the getDisassembleVars($input). From there you get the deobfuscated script with replaceDisassembleVars($input, $disassembleVars, $beautify = true) which you then can echo.

The code can be downloaded here together with a couple of variants of Koobface in input_1.txt and input_2.txt. Password to the zip is “infected”: http://e-x-e.dk/stuff/js_deobfuscator.zip.

Jul
08

Blind SQli considerations and some development

Sooo hi! I hope you have a great summer so far. I finally got of from school so now I got time to do some more fun security stuff. I’ll start by talking about some SQLi things I' did today after reading a couple of papers/posts some time ago.

Faster blind MySQL injection using bit shifting

The first post I want to tie some thoughts to is the one by Jelmer De Hen (http://h.ackack.net/faster-blind-mysql-injection-using-bit-shifting.html). He came up with a method for blind SQLi using bit shifting, pretty clever, I really enjoyed that post for a couple of reasons:

  • First of all this method gets rid of the normal and very request-heavy method where you basicly takes a character at a time and tries requests like: “substr(user(), 1, 1) = ‘a’”, then “substr(user(), 1, 1) = ‘b’” etc. or by taking the ascii value of the character and then checking if it’s higher or lower than some value (and then using simple binary search)
  • Secondly the method Jelmer came up with uses only 8 requests per  character (assuming that not just ascii characters is the target).

But this method have some annoying features as well (when doing it manually), fx. the fact that you’ll have to a lot of binary –> decimal convertions (when using Jelmers exact method) which I for one find rather trivial but still time consuming. Furthermore when it comes to filter evasion this method is reliant on the shifting operator “>>” which I see as a disadvantage as well when evading simple filters (eventhough those could maybe still be evading using diffent encodings)

Blind Sql Injection with Regular Expressions Attack

This is a paper done by IHTeam (http://www.ihteam.net/papers/blind-sqli-regexp-attack.pdf) which uses regular expressions for blind SQLi which turns out to be pretty handy. They also uses some time on time attacks but I find that description trivial and will be for the reader it self to read.

So basicly the IHTeam uses regular expressions to do almost the same thing as the standard method with checking a characters ascii value and then using a binary search for getting the character. The thing I like with this method is that it’s very easy to see what you’ve found so far (take a look at the examples on page 5-6). But the method also got some pretty big disadvantages I think. It’s easy to find a letter or number using binary search on a regex range (a-z, A-Z, 0-9), but it’s not really as easy to find a special character like “!” or some UTF-8 character like “å” since there are no regex ranges for that kind of characters.

Furthermore the amount of requests of used by this method can end up being quite big if the character needed to find is not within the above commented ranges.

Therefore I find the regex method not as relevant for value extracting. But I see another use for it, more clever ways for locating data in a great dataset where a simple “=” or “LIKE” is sufficient. 

Blind SQLi using binary attributes and an and

So what I did today is a bit of a development on some of Jelmers stuff and a bit of my own thinking lately. I for some time have been enjoying the use of binary stuff in SQLi, which is also why I like the method Jelmer came up with. But as stated above there are some disadvangtes I would like to avoid.

First of all, the use of “&” in SQLi I think is really been overlooked. Maybe because of the fact that “&” is not allowed directly in querystings since it’s used as the delimiter. Nevertheless it’s still rather handy since it in SQL is used as the binary “AND” operator. The operator like any other AND operator got the property and 1 AND 1 is true and all other combinations are false. Futhermore the “&” operator got the property that it don’t need whitespace characters sourounding it for it function. “&” and be squeezed together like “1&1”. So just by url encode “&” it’s “allowed” in the querystring, so in a page with a blind SQLi “1%261” would return true (“1%260” would of course return false). The use of the binary and I’ll get back to.

Take a look at “bin(ascii('e'))” it’ll return the binary representation of “e” (1100101). Using this feature together with substr you can get the binary representation of each character in fx. user() like so: “bin(ascii(substr(user(),1,1)))”. But there’s still a bit of a problem, this is a blind SQLi so if we do a substr on the binary representation of the character we get: “substr(bin(ascii(substr(user(),1,1))),1,1)” which will return only “1” or “0”. This gives us a attack vector like: “id=1%26substr(bin(ascii(substr(user(),1,1))),1,1)—“ given that “1” is a valid id. I added “—“ at the end just for the sake of it. Now we can cycle through the bits of each character using the outer substr and cycle through the characters using the innner substr.

The vector not care whether the character is a number, letter, special character in ascii or an UTF-8 character. Just like the Jelmer method, but without the hazzel of converting the binary back to decimal before each request.

You should have gotten the idea by now. It’s easy and quick to get each character, if you do more with it let me know.

I know this can be improved, fx. by taking account for the length of each character you can save even more requests since some characters will only require 6 (the low ascii ones) requests while some will require 8 (UTF-8 ones).

Have a great summer, more will come!

Go back to top