tricky.lnk – Unicode Text Spoofing

Collaborative editing can quickly become a textual rap battle fought with increasingly convoluted invocations of U+202a to U+202e

Bidirectional Unicode spoofing is not a new concept, malware has been using the technique for the last decade, but I was toying around with unicode earlier today for a phishing engagement, by default Win7 doesn’t allow you to create filenames with unicode chars unless you:

    a. Open RegEdit
    b. Navigate to HKey_Current_User/Control Panel/Input Method
    c. Set REG_SZ “EnableHexNumpad” to be “1” (If there is no EnableHexNumpad, then add it and set its value to 1).
    d. Reboot your system.

I didnt want to do this so I created a .vbs script that creates a .lnk file that spoofs the file extension with Unicode chars. This allows you to reverse the “.lnk” file extension, append “.txt” to the end and change the icon to notepad.exe’s icon to make it appear as a text file. When executed, the Target payload is a powershell webdl and execute. Continue reading

Pivoting through Tomcat

On a recent pen-test engagement we had come across a Tomcat server with default creds. Trying to old tried and true methods with Metasploit did not work to get a shell on the box , which was running proprietary IBM_AIX. The exploit would be successful but no connect-back. Because of the limited time instead of trying to test for egress (and later finding out theres no payloads for metasploit), we tried another method of uploading a JSP .war file to the box that once deployed, enabled us to browse and run commands. Continue reading