Wolves Among the Sheep

Some security tools still stick to MD5 when identifying malware samples years after practical collisions were shown against the algorithm. This can be exploited by first showing these tools a harmless sample (Sheep) and then a malicious one (Wolf) that have the same MD5 hash. Please use this code to test if the security products in your reach use MD5 internally to fingerprint binaries and share your results by issuing a pull request updating the contents of results/!

Works-on-a-different-machine-than-mine version, feedback is welcome!

Dependencies

  • 32-bit Windows (virtual) machine (64-bit breaks stuff)
  • Visual Studio 2012 to compile the projects (Express will do)
  • Fastcoll for collisions
  • Optional: Cygwin+MinGW to compile Evilize

Usage

Extract Fastcoll into the fastcoll directory and name the executable fastcoll.exe.

Use shepherd.bat to generate wolf.exe and sheep.exe (in the VS Development Command Prompt):

> shepherd.bat YOURPASSWORD your_shellcode.raw

After this step you should have your two colliding binaries (sheep.exe and wolf.exe in the evilize directory).

For more information see Peter Selinger's tutorial, older revisions of this document, or the source code.

How does it work?

  • shepherd.bat executes shepherd.exe with the user-supplied command line arguments
    • shepherd.exe generates a header file (sc.h) that contains the encrypted shellcode, the password and the CRC of the plain shellcode
  • shepherd.bat executes the build process of sheep.exe
    • sheep.exe is built with sc.h included by Visual Studio
  • shepherd.bat executes evilize.exe
    • evilize.exe calculates a special IV for the chunk of sheep.exe right before the block where the collision will happen
    • evilize.exe executes fastcoll.exe with the IV as a parameter
      • fastcoll.exe generates two 128 byte colliding blocks: a and b
    • evilize.exe replaces the original string buffers of sheep.exe so that they contain combinations of a and b
    • The resulting files (evilize/wolf.exe and evilize/sheep.exe) have the same MD5 hash but behave differently. The real code to be executed only appears in the memory of evilize/wolf.exe.
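The steps above rely on one structural property of MD5 (and every Merkle-Damgård hash): once two block-aligned prefixes reach the same internal state, any identical suffix keeps the two hashes identical, so a single-block collision computed against the right IV becomes a whole-file collision. The script below is an added illustration, not code from this repository: it replaces MD5 with a constructed 24-bit toy hash (`zlib.crc32` seeded with the chaining state) so that a colliding block pair can be found by brute force in milliseconds, where MD5 needs fastcoll's cryptanalysis. The image layout (`prefix`/`mid`/`suffix`), the 64-byte slot size (fastcoll's blocks are 128 bytes) and the "compare the two buffers at runtime" decision follow Selinger's evilize construction as assumed here. `collision_report` is the defender's side: a matching weak hash with a different SHA-256 proves a collision pair and locates the differing block.

```python
import hashlib
import random
import zlib

BLOCK = 64             # Merkle-Damgard block size, the same as MD5's
STATE_BITS = 24        # toy chaining state: small enough to brute-force a collision
STATE_MASK = (1 << STATE_BITS) - 1
TOY_IV = 0x5A5A5A      # constructed fixed initial state, standing in for MD5's IV


def toy_compress(state, block):
    """One compression step: (chaining state, 64-byte block) -> next chaining state.
    crc32 seeded with the state is NOT a secure function; it only has to be Merkle-Damgard-shaped."""
    assert len(block) == BLOCK
    return zlib.crc32(block, state) & STATE_MASK


def toy_state_after(data):
    """Chaining state after absorbing every full block of data. For MD5 this is the 'special IV'
    evilize computes for the bytes of sheep.exe that precede the collision slot."""
    assert len(data) % BLOCK == 0
    state = TOY_IV
    for off in range(0, len(data), BLOCK):
        state = toy_compress(state, data[off:off + BLOCK])
    return state


def toy_digest(data):
    """Full hash: MD5-style padding (0x80, zeros, 64-bit little-endian length), then absorb everything."""
    padded = data + b"\x80"
    padded += b"\x00" * (-(len(padded) + 8) % BLOCK)
    padded += len(data).to_bytes(8, "little")
    return toy_state_after(padded)


def find_collision_blocks(iv, seed=1):
    """Birthday search for two different blocks a != b with toy_compress(iv, a) == toy_compress(iv, b).
    This is the job fastcoll does for MD5 (with real cryptanalysis rather than brute force)."""
    rng = random.Random(seed)
    seen = {}
    while True:
        block = rng.getrandbits(BLOCK * 8).to_bytes(BLOCK, "little")
        out = toy_compress(iv, block)
        if out in seen and seen[out] != block:
            return seen[out], block
        seen[out] = block


def build_pair(prefix, mid, suffix):
    """Lay out sheep/wolf images as in Selinger's evilize construction (assumed here):
    prefix || slot1 || mid || slot2 || suffix, with slot1 starting on a block boundary.
    sheep carries (a, a), wolf carries (b, a); only slot1 differs between the two files."""
    assert len(prefix) % BLOCK == 0, "collision slot must start on a block boundary"
    iv = toy_state_after(prefix)              # state right before the collision slot
    a, b = find_collision_blocks(iv)
    sheep = prefix + a + mid + a + suffix
    wolf = prefix + b + mid + a + suffix
    slots = (len(prefix), len(prefix) + BLOCK + len(mid))
    return sheep, wolf, slots


def runtime_branch(image, slots):
    """Simulates the boilerplate's runtime decision: equal buffers -> harmless path,
    different buffers -> the path only wolf takes."""
    s1, s2 = slots
    return "sheep" if image[s1:s1 + BLOCK] == image[s2:s2 + BLOCK] else "wolf"


def collision_report(file1, file2):
    """Defender-side check: a weak-hash match with a SHA-256 mismatch is a collision pair.
    Also reports which 64-byte block indices differ, so the colliding slot can be located."""
    n = max(len(file1), len(file2))
    differing = [i // BLOCK for i in range(0, n, BLOCK)
                 if file1[i:i + BLOCK] != file2[i:i + BLOCK]]
    return {
        "weak_hash_equal": toy_digest(file1) == toy_digest(file2),
        "sha256_equal": hashlib.sha256(file1).digest() == hashlib.sha256(file2).digest(),
        "differing_blocks": differing,
    }


def demo():
    # Constructed stand-ins for the parts of a PE image around the two string buffers.
    prefix = b"MZ toy header, padded so the slot is block-aligned".ljust(BLOCK, b"\x00")
    mid = b"[code between the two buffers]"
    suffix = b"[rest of the image: resources, relocations, ...]"
    sheep, wolf, slots = build_pair(prefix, mid, suffix)
    return {
        "collide": toy_digest(sheep) == toy_digest(wolf),
        "sheep_branch": runtime_branch(sheep, slots),
        "wolf_branch": runtime_branch(wolf, slots),
        "report": collision_report(sheep, wolf),
    }


if __name__ == "__main__":
    print(demo())
```

Two things carry over from the toy to the real tool: the collision search must be run against the state of the bytes that precede the slot (hence evilize computing an IV before calling fastcoll), and nothing after the slot has to change, which is why a second, unrelated hash such as SHA-256 defeats the trick outright. A product that fingerprints binaries with SHA-256, or with MD5 and SHA-256 together, sees two distinct files; one that keys on MD5 alone cannot tell sheep from wolf.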

Testing Methodology

To test the security products in your reach you should generate two pairs of samples (SHEEP1-WOLF1 and SHEEP2-WOLF2), preferably with the same payload. Since samples (or their fingerprints) are usually uploaded to central repositories (or "the cloud"), precompiled samples are not included, to avoid conflicts between independent testers.

After the samples are ready follow the methodology shown on the diagram below:

[Diagram: Testing Methodology]

(*) If the product is not able to detect the first malicious sample, there are more serious problems to worry about than crypto-fu. In fact, the simple cryptography included in the provided boilerplate code poses a hard challenge for various products... Try to use more obvious samples!

(**) The product most probably uses some trivial method to detect the boilerplate instead of the actual payload. You can try to introduce simple changes to the code, like removing debug strings.

Please don't forget to share your positive results by issuing a pull request to the RESULTS.md file!

References

LICENSE

Licenced under GNU/GPL if not otherwise stated.
