The best socket injection system just got better

Socket injection is big fun for sure. Easily drop XSS-based attacks on victim browsers with a simple regex, inject payloads within SMTP/POP emails, or simply embed raccoon pictures in every web page.

However, static strings can only take us so far. There comes a point when we start thinking it would be nice for the string to be a bit more flexible, maybe even dependent on specific conditions for each injection. This is taking us into the realm of dynamic injection.

Introducing dynamic injection

Instead of simply asking Syphoon to insert some text whenever a regex is matched, maybe we could ask it to run some code, and then use the output of that code as the injected text.

This is exactly what we've done in this new version. Syphoon 1.4.0 allows prefixing the 'MODE' parameter of the command-line arguments for injection with "dyn:". This in turn causes the 'STR' parameter of the injection to be considered as Ruby code. This code will be run anytime the 'REGEX' parameter matches some data being exchanged, and the resulting output (last Ruby statement) will be injected into the communication.

From within the Ruby code, the captured data matched from the regex
is made available as two global variables: '$match' (entire string matched by
REGEX) and '$match_cap' (1st capture group from REGEX). This opens up limitless possibilities for even more advanced exploitation.

A simple example - HTTP Content-Length

Let's say we want to inject a basic XSS payload into webpages. We can use the 'http-easy-inject' script to automatically setup socket smashing, strip HTTP encoding and disable caching. Then, we can configure a simple injection with '-i':

# syphoon -a 'http-easy-inject:80' -i 80 after '(<body>)' 0 '<img src=x onerror=alert("XSS")>' wlan0

While this is pretty nice, we can quickly realize an issue: the actual HTML document is now a few bytes larger. The HTTP "Content-Length" header sent by the server within the response will cause the client web browser to actually ignore the last few bytes of the document. This isn't too much of an issue for some pages and simple payloads, where only part of the page's ending will be "missing". However this can become more problematic for other protocols, strict clients or more complex payloads.

Dynamic injection allows us to dynamically adjust the Content-Length header to ensure transparent operation:

# syphoon -a 'http-easy-inject:80' -i 80 dyn:inplace 'Content-Length: ([0-9]*)' 0 '($match_cap.to_i + 32).to_s' -i 80 after '(<body>)' 0 '<img src=x onerror=alert("XSS")>' wlan0

This will automatically add 32 (the size of our payload) to the Content-Length response header, keeping the HTTP stream valid. Do keep in mind however that the example above is kind of a simplification... Blindly updating the Content-Length in every HTTP response would probably not be ideal. But the regex matching capabilities of Syphoon allow targeting more specific exchanges.

Extra bonus: HTFileSrv

To further assist in web-based attack scenarios, the new HTFileSrv is an embedded HTTP file server directly within Syphoon. It serves any file present in the DATA_ROOT/htfilesrv directory and can be configured with custom ports as well as response headers.

Using the '-x' command-line argument enables the HTFileSrv service on ports 1080 (HTTP) and 10443 (HTTPS) by default. These can be adjusted with the '-l' and '-L' arguments. Custom response headers can be set using the '-H' argument.

This will surely come in handy whenever a payload needs to be hosted somewhere for a victim to fetch over HTTP/HTTPS.

Get it today!

Get your Syphoon license from our online store and start pwning harder today :)

The full documentation is available here: Syphoon documentation.