Forced Evolution 2.0!

Forced Evolution 2.0

I'm happy to announce that Forced Evolution 2.0 is released!  It contains a number of updates to make the code cleaner and faster, some bug fixes, documentation (!),  and an expanded exploit database. You can download it here:

https://github.com/soen-vanned/forced-evolution/

Please feel free to email with questions / comments / bugs / feature requests at soen.vanned [@] gmail.com.

-soen

DEF CON 21 / Evolving Exploits Through Genetic Algorithms / Updated slides

I made significant changes between when the CD was created for the DEF CON attendees,and when I actually gave the presentation; Attached is the version I used during the talk:

http://ge.tt/35FJ5Ko/v/0?c

Please note that the statistics associated with various web scanners were performed over a series of 10 trials-5 SQLi, and 5 CMD injection using various vulnerable web pages.  As an addendum, I'm not the most proficient Burp user (I claim no significant proficiency / wizardry), so the extensive number of queries that I reported in the charts could be reduced with a more educated user of the tool in question.  My approach when gathering the data was to configure a given tool such that the following would hold true:

• The primary concern is non-manual interaction with the scanning tool
• The secondary concern with tool configuration is to create an exploit (if the tool allows for such)
• The tertiary concern is with vulnerability identification
• The quaternary concern is with stealth (I.E., least number of requests per amount of time)

Hopefully that should provide a better context for the results presented in the slides.

-soen

DEF CON 21 / Forced Evolution

Thanks to the Goons who gave me whiskey during my talk at DEF CON, it was a welcome interruption!

Well, now that conference is over, life is beginning to resume back to the slower pace of just a mild panic.  I'm a fair bit behind on a number of articles I was planning on posting, namely:

1. Posting my updated slides on Forced Evolution
2. ShakaCon 5 challenge write ups (as well as posting them to the CTF repo)
3. Forced Evolution revised code (which is significantly cleaner and easier to use than the current version at https://github.com/soen-vanned/forced-evolution)
4. Forced Evolution documentation / White paper, laying out my reasons for using the fitness functions I did / did not use, as well as the tweakings of the other settings in an attempt to avoid local (sub-optimal) solutions, and the roadmap for the future of the tool.
5. Publish / CVE stamp the ~6 blind-SQL 0days I found in the days leading up to DEF CON in a futile attempt to drop a non-blind-SQLi during my talk

So, as the weekend approaches, you can expect some progress to be made on the aforementioned articles :)

-soen

Blind SQL injection optimization

I was recently performing some blind SQL exploitation and was very frustrated at how long it was taking me to dump out the database.  The code I was using to exploit the blind SQL was retrieved from some old blind SQLi I had written a while ago (2004-ish, the only backups that were in place since the great HD crash of 2012) when I first learned this exploitation technique, and it consisted of something like this:

s = ‘’

# ‘ and 1=1 and substr(USER, 1, 1)=’S’; --‘ #example injection returning true or false

front_sqli = ‘\’ and 1=1 and substr(USER,’

middle_sqli = ‘, 1)=\’’

end_sqli = ‘\’; --\’’

try:

  for i in range(0,255):

    for j in range(0,255):

      if exploit(front_sqli + chr(i) + middle_sqli + chr(j) + end_sqli):

        s += chr(j)

except:

  pass

print s

Coming from a newby background, this is completely sufficient to enumerate strings in the database.  It’s really slow.

Really, really, really slow.

So, what are some optimizations we can do to this?  Firstly, we have to take in the constraints of what sort of return we get, and with this application I am getting success or failures (true / false).  We aren't just limited to comparisons of equality (=), we can do quality comparisons (<>), as well as use any SQL to assist in lowering the searchable space.

The first impulse I have is to perform a number of operations to limit the search space, so:

1. Is the character lower case?
1. Sequentially search through lower case alphabet a-z
2. Is the character upper case?
1.  Sequentially search through upper case alphabet A-Z
3. If neither,
1. sequentially search through numbers and symbols

But a couple of caveats come into place here.  The average search time is the following:

• 2 operations to find the character type (on average)
• Search space is roughly 32 characters long (a-z=26, A-Z=26, non-az=42 ASCII), average search time is 16 requests (This is not including binary data).

This comes out to an average of 18 operations on the characters for a sequential search.

What about implementing a more efficient search?  The one that comes in immediately is one of the most efficient, the binary search.  So, we now have the following number of operations:

• 2 operations to find the character type (on average)
• Search space is still roughly 32 characters long, so worst case we have 5 additional operations.

7 operations are MUCH more efficient than the 16, and given the average response time from the server (due to latency, internet traffic, etc.) I’m getting ~20 requests per second (using the python requests library), which means instead of an average of 1-2 characters per second I’m getting 2-3.

BUT, this current implementation has some problems, as the worst case scenario happens quite frequently when dumping passwords or other non-alpha data (like binary).  So, for a more efficient algo, I decided to use the following:

1. If dumping a database name / table name / column title, use a binary search WITHOUT the upper/lower comparison but using a printable ASCII searchspace (94 characters) for a worst case search time of 6 requests.
2. If dumping a column field, use a binary search WITHOUT the upper/lower comparison using the full ASCII searchspace (0-255), for a worst case search time of 8 requests.

The average search request for [1] was 4.21 and for [2] was 6.37, but this is heavily dependent upon the data being parsed.

There are plenty of other ways to optimize and get an extra instruction or two, but 4.21 and 6.37 are massive improvements upon the average of 18.21 requests I was having previously; I was very pleased at the improvement of performance as I am able to pull about 3-5 and 2-4 characters out of the database per second, respectively.

2013!

At the beginning of the new year!

Based on CTFtime.org (http://ctftime.org/stats/2012/), my team, V& placed 47th last year.  We competed in a couple of hacking competitions, culminating at the CTF at DefCon 20.  Unfortunately, we didn't do so hot at the big competition, finishing in 18th place (http://ddtek.biz/).  None-the-less, I had a fantastic experience and the ddtek team hosted a fantastic competition.  My team had a rock solid defense (least amount of keys stolen overall), but our attacking side was lacking: out of 20 possible services to exploit, we had 4 working exploits, with 1 exploit finished within 5 min of CTF end.

My teammates put in a monumental effort, and the experience was incredibly valuable to us.  With the dawn of the new year, it's time to prep for all the new competitions and challenges out there!


Go V&!  QR QR QR!!!!