
Can you... can you hear me in the back? Give me a thumbs up if you can't hear me. Hi, nice, thank you. Sorry about that, guys, that happens normally when there is a video involved, right? So welcome to the presentation. It's about Transfer-Encoding: chunked for fun and profit, and web shells. I'm [inaudible] and I work for the guys at Secarma. I'm gonna do a brief introduction about me, not too long as well. So I got into security in 1998, when a friend sent me over mIRC an executable, something-something, and then you click it and your CD-ROM tray opens. So that was Back Orifice, and if you know what I'm talking about then you know the panic, and this is interesting, and then I got into security, more interested in it. But as I was doing more research, back then in Italy security wasn't really a job, it was mostly firewalls, and where I lived, in a small town in northern Italy, there weren't really many security jobs, and the more I dug into it the more I realized that I couldn't do that. I was really, you know, reading Aleph One on buffer overflow exploitation and it was, like, above my head, and I kept telling myself "I'm never gonna be able to do this, I'm not good enough". And then life happens, and then I moved on, and then I moved country, and then I got jobs in medical robotics, I got, you know, into studying neuroscience and all this stuff. And then at some point I was like, okay, maybe I should try. I was into management, and then my boss said "look, you can still do something technical", so I got back into security, you know, kind of 15 years later. And then I met my old boss at Pentest, now Secarma, who believed in me and hired me as a developer. So I started as a developer, and then he kept his word and let me become a pen tester, and that's what I do now. So if it wasn't for him I wouldn't be here today; just by myself I wouldn't be believing that I could do this. So I hope this might help somebody else out there who thinks they're not good enough, because those things happen, and in the end it's just Google, or research, and then time spent on it.

Anyway, enough about this, let's talk about what we're gonna do. First a word of thanks from our sponsor. So thanks to, well, first of all the community, because you voted me to be here today, and again, coming from where I come from, this is my first technical talk at a technical conference like this, and in what's not my native language, so to me just being here today is a massive achievement, and thank you very much for voting for this talk. Secondly, thanks to Sam, who is here in the audience, the researcher that coded up the prototype of this tool we're going to show later, during the red team engagement (yes, we owned them). The initial work was really, really good, and then I ended up developing this further and giving it feature parity with other tools. Thanks to Secarma for believing in me and letting me take time to continue and finish this research over a long period of time, on and off between jobs. Tunna, that's the main tool that I used for inspiration. And, well, then Stack Overflow, because there's nothing like, you know, going and reading some vulnerable code examples, "I'll just do this in whatever", and you click... no, no, [inaudible]. Anyway.

So that's what we are. Yes, it's only Paint, and you're welcome. So we have the evil, evil hacker in there, without a hoodie this time because it's summer, goes to the internet, tries to get through a firewall to a web server where a web shell has been implanted. Doesn't matter how, this works out there: file upload, whatever. We're trying to get behind the web shell, we're trying to get to the target, but the web server has no outbound connectivity. So, you know, it might be a proxy we haven't found, it might be whatever, it just cannot go out, okay? So that's what we've got, and this is how. So what we're trying to do is to get bi-directional communications with the back-end target, or be able to exfiltrate data, and, if we can, you know, get a shell, because life is better with shells.

Tunna, as I said, this tool, it's quite mature, it does the job, it tunnels TCP connections, it works, it was fine, except, you know, in our conditions, and we're gonna see evidence of why. So the way it works (again, Paint): Tunna has a client and a web shell, so the client connects to the web shell over HTTP, and then the client opens a port locally, in this case 4444; the web shell is instructed to go to 3389. So the attacker opens an RDP client to port 4444 locally, data goes through, you get an RDP connection with the target. Win. Except, that's how it works, but behind the scenes, Tunna, there is a poll request, so there's a continuous request for data. So if you imagine data from the RDP server, which was on this side, from the RDP server going back to the client, then it needs to go, you know, it's buffered at the web server and then the client goes and gets it: "have you got data?", there we go. So there's a small delay, and this causes a lot of request and response traffic, basically, which can get suspicious, possibly throttling, there is, like, you know, something that didn't go through, or it's just too, too slow. So how do we solve this problem?

Well, now our directive is still to avoid polling, right? That's the key point: let's try to avoid polling, continuous request and response polling. The question that we asked ourselves is: is polling really necessary to get server-to-client data? This is over HTTP, and if you think about WebSockets, you know, for chats, there is a case where the server has to send data back to the client. The problem with WebSockets, well, not a problem, like, the issue we had, is it's not always enabled and is maybe not supported, and we're talking about legacy systems. Who still uses IE6? Well, if you do a red teaming engagement, you know, there is always one server somewhere, forgotten, running stuff from the 90s in Java Enterprise, whatever, and that's what we're targeting. So we can't rely on anything that requires admin access to install, like, you know, a library or something, because if you had admin access then we wouldn't be here, right?

So, HTTP basics. I think this is on... well, anyway. HTTP basics: at the most basic level, in a response the server tells the client "I'm gonna send you four bytes of data", the client knows to read four bytes, goes away happy, everybody's happy, connection is closed or kept alive for more HTTP requests and responses. I've seen servers, like, I think [inaudible] sometimes doesn't really adhere to this and gives you more or less data, not now, but this is meant to be, you know, the length is meant to be what's arriving. So there is another way to do this, it's called Transfer-Encoding: chunked, chunked transfer encoding, and basically the server sends data in chunks, and each chunk has its length as a hex value on top. So in this case the first chunk is 4 bytes, second chunk five bytes, third chunk 15 bytes, last chunk zero bytes, newline, end of data. That's it. So it's used for when you don't know the length, so you, as a client, can start reading data without having to wait for the entire data to come, and I hope you're seeing where I'm going with this.

Let's talk about Chunky Tuna. So Chunky Tuna does just that: it's a web shell, the server side is JSP, PHP and .NET, as native as I could make it, really. All the remote data comes in through the same HTTP response, so client talks to server, so, you know, 200 OK, this connection stays open, data continues to come from the server side to the client side, right? Chunky Tuna has three modes: connect, listen and execute. And the connect one is pretty much like Tunna, so in this case, you know, we open our connection from the attacker to the client, port 4444 locally, [inaudible], over HTTP; TCP is encapsulated in HTTP and then it goes to the target on port 80, and every response from the target comes back as a chunk.

Now let's see if this works. Yes, fingers crossed. Oops, that's way too big. Now [inaudible], let's go. So, on the right-hand side, please work... hey. On the right-hand side you can see, this is a Docker container of a Tomcat, basic Tomcat, no modifications. Down here you have the target server on the back end, you know, the server that you need to connect to, and then on the left-hand side, Docker obviously, is the attacker launching Chunky Tuna on top, and then on the bottom we'll have the attacker's console. So this server here runs OpenSSH server and Apache, the demo page. Imagine this is behind the firewall, you don't see this. So I now launch Chunky Tuna. When Chunky Tuna starts I have to tell it which port to listen to, so in this case it's listening to port 4444, and then it's going to connect to the internal IP of the web server on port 80. It's ready. I'm gonna connect. When I connect, Chunky Tuna then talks to the web... to the backend, and here we go, this is the back-end web server that, because it's internal, is behind the firewall. I can put credentials here and nobody's gonna notice, right? No evil hacker's gonna notice that. So now that we have the credentials we can connect to port 22 of the remote target. Connection is established. I'm gonna do just SSH to localhost, so I'm connecting locally, and my SSH connection is going to go as an HTTP request and response, a single one, the same response, and all the traffic comes back, and now I have an interactive web shell. There's no polling here, there's no outbound connectivity, just imagine a firewall that prevents the server from connecting outwards. Now I'm trying to find the IP but Docker doesn't have ipconfig, ifconfig, whatever, doesn't matter. Now back to the main presentation. Why is this... presentation, here we go. Okay, hope that's all clear, pretty simple.

Chunky Tuna in listen mode does something similar. So in this case we have a target that we have some degree of control on, you know, it's a user that can be emailed, that you tell, you know, "click this link", but they can't go outside, so the link sends them internally, XXE, whatever you want. You have something on the target and you need to exfiltrate data. Data is going to come back as chunks again, there's no connection initiated from the web shell outbound, everything goes in from the same HTTP request and response. And guess what, here is a demo, which is going to go horribly wrong, you know. Listen... okay, okay, same as before: Docker container, Docker container, you've all seen this before. So again the idea is that I'm trying to exfiltrate data, so I have some degree of control over my target server. Now all of those tools, the Docker containers, the images, the testing scripts, everything is already on GitHub, so go play with it, I mean test it locally. Now we go to the attacker console: the attacker launches Chunky Tuna and then, when it's ready, I'm gonna open another console and then go on till you get to the target server and then do something over there. Now you will see that at some point the window in the top left is going to time out. The main reason is that we don't want to bind the port: so in this case the remote web shell is binding to a port, port 12345, and we don't want that port to be bound forever if something goes wrong, so there's a timeout that, if nothing happens, just dies and kills the connection and frees the port, the magic of reuse address. So the attacker is preparing netcat listening on local port 4444 on the attacker machine, [inaudible]; Chunky Tuna is running. Now I'm gonna pretend I have command execution on a remote server with no outbound connectivity. This is on the target system, okay? So, the target system: I'm gonna start by getting to the Docker container. Okay, so I'm now on the target system, and as I said, something is going to happen, so I have control, some commands happen. I'm gonna use tar just because it's easy to see, so it's gonna be piped, where is it gonna go? This is the internal port of the web server, so the web server is listening on, you know, an internal network, DMZ, whatever it is. So the assumption is that the target can talk to the internal web server by some misconfigured firewall rule, and then I'm gonna just tar the entire /etc directory. Again no outbound connection is initiated, and then you'll see the connection happening. After a while I stopped it, and then when you go in the attacker console you see you have the entire /etc directory transferred, with no outbound connectivity. Win.
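The chunked framing the talk describes (hex length, CRLF, payload, CRLF, zero-length chunk to finish) and the generator-style reading the speaker mentions later, as an added example that is not the speaker's code and not part of Chunky Tuna or Tunna: one function frames a chunk as the server would, and a client-side generator yields each chunk's payload as soon as it is complete, no matter how the transport splits the bytes. The 4, 5 and 15-byte chunk sizes mirror the slide; the payload text and the byte-splitting "network" are constructed for the demo, and only the body is handled (no status line or headers).

```python
"""Streaming encoder/decoder for HTTP/1.1 chunked transfer encoding.
Added example, not the speaker's code and not part of Chunky Tuna or Tunna.
Framing: hex length, CRLF, payload, CRLF; a zero-length chunk ends the body.
The 4/5/15-byte sizes below mirror the slide; the payload text is constructed.
"""
from typing import Iterable, Iterator, List

CRLF = b"\r\n"


def encode_chunk(payload: bytes) -> bytes:
    """Server side: frame one chunk. An empty payload yields the final chunk."""
    return f"{len(payload):x}".encode("ascii") + CRLF + payload + CRLF


def decode_chunked(fragments: Iterable[bytes]) -> Iterator[bytes]:
    """Client side: a generator that yields each chunk's payload as soon as the
    whole chunk is in, however the transport split the bytes. Returns at the
    zero-length chunk (trailers are ignored); raises if the stream ends early."""
    buf = b""
    size = None  # None: expecting a size line; int: expecting size bytes + CRLF
    for frag in fragments:
        buf += frag
        while True:
            if size is None:
                eol = buf.find(CRLF)
                if eol < 0:
                    break  # size line incomplete; wait for more bytes
                field = buf[:eol].split(b";", 1)[0].strip()  # drop chunk extensions
                if not field:
                    raise ValueError("empty chunk-size line")
                size, buf = int(field, 16), buf[eol + 2:]
                if size == 0:
                    return  # last chunk: body complete
            elif len(buf) < size + 2:
                break  # payload plus its CRLF incomplete; wait for more bytes
            else:
                data, tail, buf = buf[:size], buf[size:size + 2], buf[size + 2:]
                if tail != CRLF:
                    raise ValueError("chunk payload not followed by CRLF")
                yield data
                size = None
    raise ValueError("stream ended before the zero-length chunk")


def demo_stream() -> bytes:
    """Constructed response body with the slide's chunk sizes: 4, 5, 15, then 0."""
    return b"".join(encode_chunk(p) for p in (b"four", b"bytes", b"and fifteen big", b""))


def fragment(stream: bytes, n: int) -> Iterator[bytes]:
    """Constructed 'network': deliver n bytes per read so frames straddle reads."""
    for i in range(0, len(stream), n):
        yield stream[i:i + n]


def decode_all(stream: bytes, n: int) -> List[bytes]:
    """Decode a whole stream delivered n bytes at a time."""
    return list(decode_chunked(fragment(stream, n)))
```

Feeding the same stream one byte, three bytes or all at once yields the same three payloads, which is what lets a client act on each chunk before the response ends.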
Chunky Tuna and Tunna: I'm gonna, like, skip forward a bit on those, there might be questions on this later, but it's basically feature parity. Chunky Tuna supports proxy use, a SOCKS proxy for local communication, it uses TCP ports, pretty much the same thing, but we have reverse connections now.

The challenges about development were many. It was interesting mainly because I'm trying to push languages designed for the web into something else, especially PHP. So, you know, you end up googling so much, you get lost, and you find, you actually find people asking the same question, you know, 10 years ago, and no answer, like, where is it? I even found my own questions, like, I got back into this like six months later and I'm like "oh, that's a very good question", that's my own question that nobody answered. I cannot... seriously, they're still there, actually. Anyway. The good things: POSIX is awesome. If you have any problem, maybe every new... every new thing today in computer science has been solved in the 70s by some, you know, great bearded guy, and implemented later. JSP turned out to be quite close to the metal, which is ironic because it's meant to be platform independent, and yet it has native streams, threads, everything I need out of the box, wonderful. As I said, pushing web stuff into this was fun, was challenging, and I basically learned a lot, because I wanted this to be, you know, agnostic from server configuration. So a lot of things I tried to do, the answer was like "oh yeah, just enable this in the config", like, yeah, but I need admin, so I really can't. So there are some design decisions that I had to make. Python generators: like, I used to be a Python developer, Python generators are awesome, not very well known, but it's like a function that returns data midway, and then when you call it again it starts from where it was left. And so you can read chunks, like, literally by calling the function, it will keep polling and so it will keep reading the chunk from the stream. It's really, really wonderful.

Let's talk about PHP a bit. I have a bit of a grudge against PHP, again not the opinion of my employer, but it sucks. It's like, it does the job, but it makes you write bad code. It has such limitations that you end up doing something bad. For example, a long while ago people put, like, a user ID as a cookie, and if you change that you could access other people's sessions. It becomes... sessions are a file on disk, so PHP natively is sequential: you can't access, you know, different data as the same user with the same session cookie, it just queues things up. So unless you implement memcache, which means more code, more prone to errors, it does, like, all those things. Persistent connections aren't really persistent, really. PHP has no threads, which, you know, have been around since '67, so it was kind of annoying not being able to have, like, a clean heartbeat polling loop to keep this alive. A fully documented API, bad examples, mistakes: you can't do this one way, but if you do, it doesn't work in the next version of PHP, so you have to have exceptional code. So basically you, you know, start coding in Python, and then you, you know, learn the HTTP spec, and then you go like JSP, ASPX, and then you get to PHP and you go back, no, come on, like, this is just frustrating.

The ugly design decisions: also .NET and PHP cannot read the body of a chunk, like, on the transfer encoding. This means that, unlike JSP, where the server side can read the chunks from the input from the client as they come in, in PHP and .NET, not really. So the issue is, you POST for each piece of data coming in from the client, not a loop, because if there is no data, if you don't type anything in your shell, then you don't get any POSTs sent. So it's not optimal, but it does the job. And then there are issues such as .NET takes a while to warm up, I don't know how to describe it, like, you see that if you look at the code there's a bunch of code that tries to connect to get a cookie back, and it takes a few seconds to get a cookie from a web server. Why? But if you do it in PHP you get twelve cookies, okay, why? IIS workers, you know, hog resources, [inaudible]. So there are a bunch of, you know, trying to make this work in three languages, it wasn't as clean as I wish it could have been. And there's a bug in IIS, which is weird: everything works, but the first message takes 112 seconds to be read by IIS and sent to the target, only the first one, and I have a proof of concept with curl and the most basic ASPX page. Cheers.

Now, last thing, let's talk about web shells. So if you use a web shell, this is a typical Kali one: you drop the web shell, you execute with it, you know, your command parameter is part of the request, it does system exec and then it prints out the output. Boring, right? Yes, you've proven code execution, but we can do better than that. So if you want to do something slightly better, a slightly better web shell, you might have a Meterpreter payload dropped onto the web server, downloaded and maybe, like, executed in memory, whatever it is, and then executed, except this requires a port going out. So again, that's not boring, it's interactive, but you have outbound connectivity. Now what if we try it from a query, you know, Transfer-Encoding: chunked, question mark? It turns out it works really, really well, and again no outbound connectivity, and you can use real-time input/output basically from the remote shell. And this is gonna be the last demo, which is... yep, okay. Simpler setup, you can see this, pretty much, yeah, it's good. So on the top right-hand side we have [inaudible], just the web server, there's no target behind it. So we run Chunky Tuna against a web server and we tell it to execute a command. The command is going to be, you know, /bin/sh, and then once the command... once Chunky Tuna is ready we can connect to the local port, so we just connect to Chunky Tuna locally, and that's going to tell me the connection, and then we're gonna have a shell, and that's what's going to happen right now. So we connect locally, and then that's it, we have a shell, no outbound connectivity, and this interactive shell, and that's pretty much it. There are a couple of clarifications later, but it's a fully functional web shell with no need for a polling loop.

So I'm going to show you the next slide, in fact what's going to happen. This is a Wireshark dump, so you can see the red is the client, the blue is the web shell. So the client sends a command, and the response is a chunk of length 2, or 8, which I'd noticed it has, but that's the immediate response, and data comes in. I can type, you know, open a shell and run netcat, you can type on the server side and then you get data back right away without any delay, basically. So yes, we can have interactive web shells. It had to be a meme somewhere. So anyway, in conclusion, there's a blog post, that's what Chunky Tuna does, and that's all for me. Thank you very much. [Applause]