Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

Tag Archives: ctypes

{quick post} PySC Project

Back at the beginning of 2012 I played around with some Python ctypes as part of a project I was working on in the background. At the time I released a few code snippets that used ctypes to do a few fun things, but never really got around to releasing the main project I was working on.

Python ctypes posts from 2012:

PySC_ascii_art

The main project I was working on was a simple Python script that injects shellcode into a running process using CreateRemoteThread (nothing brand new here). The interesting part of the project (for me anyway) was the ability for the Python script to request the shellcode to inject using DNS TXT requests, ICMP request/responses or simple HTTP(S) request (using SSPI if required). I demo’d the code at the BSides London conference in 2012 at the underground / lightning talks an had some positive feedback, however the time just hasn’t been there to finish things off since then.

As a result of the lack of time to finish things off, I’ve put up the latest modular version of PySC (version 0.8) on Github for people to use, tear apart , and generally laugh at as you see fit. As the project is still in prototype your mileage may vary.

PySC was designed to be configured using the config.py file present in /config directory, and run headless on a Windows system after being packed into an executable using something like PyInstaller. However you can run it using command line options as well by running it with -h to see the various options.

The /optional directory also includes some example server-side implementations for Metasploit and a Python Scapy ICMP listener for delivering Shellcode to the PySC client.

Check the source-code for details…

https://github.com/ChrisJohnRiley/PySC

PySC 0.8 (prototype release – 26 December 2013)

PySC expands on the numerous available tools and scripts to inject into a process on a
running system.

Aims of this project:

- Remove shellcode from the script to help avoid detection by AV and HIPS systems
– Offer a flexible command line based script
– Also provide the ability to run fully automated, as an EXE (by using pyinstaller)

To this end this prototype script offers the ability to download shellcode from a
remote DNS server (using TXT records) or through Internet Explorer (using SSPI to
utilize system-wide proxy settings and authorization tokens) and injects it into a
specified process. If injection into the specified process is not possible, the script
falls back to injecting into the current process.

Module dependancies: none

Notes:

PySC will by default run silent (no user feedback) to enable user
feedback (error/status messages) please use debug mode (-d/–debug
at command-line, or set debug = True in the script itself)

Any command-line options passed to PySC at runtime override the
hard-coded values within the script.

To use PySC as a stand-alone executable, set the desired parameters
in the script itself, and use pyinstaller to create an .exe

What, more Python ctypes! – DNS TXT records

Yeah I know, this is turning into a Python blog, and not a very good one at that. Still, hang in there, because all these handy little scripts will make sense soon. Yes, there’s method in the madness!

For those who missed the earlier posts, you can view info on IcmpSendEchoInternetConnectedState and WinInet (SSPI).

So we’ve covered some interesting stuff, but one thing was still bugging me… Thanks to a pointer by Didier Stevens (literally, it was a pointer issue), I managed to get a simple DnsQuery script running to gather and display DNS Text records.

Again, the script is a little large to post on the blog in its entirity, but I’ve included the dnsapi.DnsQuery_A function below for those searching for that specific function. There’s a lot more to getting this running than just the below code, but for the full info you can download the example source (dnstxt.py) below.

....
dnsquery = dnsapi.DnsQuery_A(
           dns,
           DNS_TYPE_TEXT,
           Options,
           False,
           precord,
           False,
           )
....

As with the other examples I’ve created a small (and narrowly focused) tool to retrieve DNS Text records and display them on the screen. It’s a simple script, that takes a dns name, and has options to restrict the request to UDP or TCP only if desired. It’s interesting to use UDP only to test of Text records are too large, and need TCP. Feel free to check it out on c22.cc (which is too large for UDP).

Those who’ve done any work with Python will know that there’s a few modules that you can download and install to handle DNS requests of various types. Modules like PyDNS and dnspython are going to give you more flexibility for most things. Unless you really need (or want) to go the ctypes route of course)… yes, I’m a sucker for punishment!

Example use:

The above example runs with the default UDP and TCP requests and merges the responses into a unique list to return to the user. By selecting –udponly you can restrict the request to only UDP traffic (see below)

Specifying –tcponly works the same way, but restricts to TCP only. Specifying both is just stupid ;)

dnstxt :

  • Python sourcecode –> HERE
  • dnstxt.exe –> HERE
Feel free to leave any comments if you have ideas, uses, or generally want to laugh at by bad coding ;)

Links:

  • DnsQuery Reference – MSDN

Yet more fun with Python ctypes – SSPI

Seems like these Python ctypes posts are really turning into a nice little series. Today I’m following up on my previous posts (covering IcmpSendEcho and InternetConnectedState) with a little bit about using Windows functions to access websites.

Normally you could go about using one of a thousand methods built into Python for this, but there’s good reason to use the built-in Windows functions as you’ll see in a minute.

When using Python (or any other scripting language I’d hazard a guess) to access a given URL, you’re bypassing the way that Windows handles the any proxy server and credentials associated with it. If you’re sitting on a system with direct internet access this isn’t much of an issue. However if you’re end goal is to run this code, or have this code execute, on an enterprise workstation, chances are you’ll need to consider proxies and authentication.

By using Windows functions to perform the access for you, you bypass these issues by tapping into Microsoft’s Security Support Provider Interface (SSPI). The Windows function that we’re interested here is WinInet.

Using Secure WinInet

Win32 Internet APIs, also known as WinInet, is another way of building secure distributed applications without having to deal with SSPI directly.

So by using functions within WinInet we can use SSPI to piggyback on whatever authentication tokens are present and in use on the system without needing to worry about it. Even a simple script to take advantage of this ends up in a few hundred lines (although I’m sure a good coder could write it in half that). Below is some example code to help those searching for a blogpost discussing the topic more than anything else.

....
hInternet = wininet.InternetOpenA(
             useragent,
             INTERNET_OPEN_TYPE_PRECONFIG,
             False,
             False,
             0,
             )

hConnect = wininet.InternetConnectA(
             hInternet,
             netloc[0],
             conn_port,
             conn_user,
             conn_pass,
             INTERNET_SERVICE_HTTP,
             0,
             0,
             )
....

I can’t really give a full example in this blogpost, so I’ve written up a simple URL downloader with the ability to either save or display the results to screen. It support HTTP and HTTPS (no FTP support as yet).

Again I’ve also converted this into a .exe using PyInstaller for those looking for something a bit more portable.

Example use:

Simpleurl :

  • Python sourcecode –> HERE
  • simpleurl.exe –> HERE
Feel free to leave any comments if you have ideas, uses, or generally want to laugh at by bad coding ;)

Links:

  • Microsoft’s SSPI
  • WinInet Reference – MSDN

{Quick Post} More fun with Python ctypes – InternetConnectedState

As a followup to my simpleicmp ctypes post, I thought I’d post something about the wininet InternetGetConnectedState function for checking if the network connection is up.

Obviously you can go through the process of sending an icmp echo request and checking if there’s a response, but this is a lot simpler and cleaner (also less prone to issues if echo request are blocked, or the host just doesn’t respond to them). There may also be situations where your script is trying to be as quiet as possible on the network, and firing off random packets to see if the network is up is bad form.

Here’s a simple script that will tell you if the network connection is up or not.

# !/usr/bin/python
# -*- coding: utf-8 -*-

from ctypes import *
from ctypes.wintypes import DWORD

wininet = windll.wininet
flags = DWORD()
connected = wininet.InternetGetConnectedState(
             byref(flags),
             None,
             )
if not connected:
   print ' [!] No internet connection, cannot retrieve data'
else:
   print ' [>] Connection check confirmed'

Again, this is only a small cog in the machine, but I thought it was worth documenting here if only to stop me from forgetting it next time I need to use it ;)

Example:

As you can see, this method checks the connection of the network by checking the status of the network port and not by sending anything across the wire.

Links:

  • InternetGetConnectedState Function –> HERE
Follow

Get every new post delivered to your Inbox.

Join 262 other followers