Several services exist for decoding CAPTCHA, although DeathByCaptcha seems pretty good and from the initial tests I’m seeing a 99.7% accuracy rate (with reCAPTCHA at least) – The premise for most of these services is simple, upload your CAPTCHA to the API and poll for a response until it is solved by someone at the other end. DeathByCaptcha currently charges $13.90 per 10,000 solutions. The API is a simple REST interface and it normally takes only a few seconds to decode the image.

The concept:
Burp Extender allows you to hook and modify all HTTP responses before they are used by any of the tools in the Burp Suite. The idea behind the Burp Extender extension I’ve written is to intercept all of the HTTP responses, examine them for the reCAPTCHA script and replace the input fields with the solution from DeathByCaptcha. This will effectively turn reCAPTCHA into a nonce or one-time-token which Burp 1.4 macros can easily handle in a similar way to CSRF tokens.

How it works:
I’ve chosen reCAPTCHA as the target as its widely used – it also has the advantage that the solution can be directly validated against Google servers so you can check that the solution is correct before you post it to the target domain. The general structure of my Burp Extension looks like this:

To summarise the above the main steps are:

• Extract the reCAPTCHA site key from the Intercepted Server Response – these match the expression “6[A-Za-z\-_]{39}”
• Use the site key to request the Iframe that contains a link to a CAPTCHA image.
• Extract the reCAPTCHA JPEG location and reCAPTCHA challenge field from the Iframe HTML source.
• Post the JPEG to DeathByCaptcha for solving.
• Post the solution to the Iframe location.
• Obtain the challenge response from the reply from the previous post and modify the initial HTTP Response to contain the challenge/response codes.

Compiling:
To compile ensure you have the Java SDK installed and issue the following commands:

javac.exe BurpExtender.java
jar.exe -cf BurpExtender.jar BurpExtender.class

This should generate a burpExtender.jar file in the working directory.

Running:
The extension takes two command line arguments. The username and password for the DeathByCaptcha API (so if you want to run the extension you’ll need to sign up to the service). To run the extension make sure the extension is located in the same directory as the Burp Suite and run:

java -Xmx512m -classpath “*” burp.StartBurp “myusername” “mypassword”

When you now browse through the Burp Proxy to sites such as http://www.google.com/recaptcha/learnmore you should see the reCAPTCHA replaced with a challenge and response input box. Generally the API can take anywhere from 5 to 20 seconds to translate the CAPTCHA, while this is happening the page will not load. Once its decoded the image you should see something similar to below:

(Before / After - When browsing through the Burp Proxy)

The code isn’t pretty – its been hacked together – its more proof of concept. There isn’t a great deal of error handling and not being a Java Developer I may have used entirely the wrong methods in certain places.

Download the reCAPTCHA Burp Extension here

]]> http://www.idontplaydarts.com/2012/01/extending-burp-suite-to-solve-recaptcha/feed/ 1 http://www.idontplaydarts.com/2011/05/exploit-phpcaptcha-securimage/ http://www.idontplaydarts.com/2011/05/exploit-phpcaptcha-securimage/#comments Wed, 25 May 2011 10:00:20 +0000 Phil http://www.idontplaydarts.com/?p=307 Continue reading →]]> Recently I discovered an easy way to bypass PHPCaptcha also known as SecurImage. The method described below will break the CAPTCHA every time, without fail and affects versions 1.0.4 and above. Previous versions are also probably vulnerable tho only exploit code for the MP3 file format (implemented as default since version 2.0.0) is provided.

The flaw in the CAPTCHA stems from the way MP3 and WAV audio codes, intended for use by by the visually impaired, are generated. It is worth noting that even when the user of the site has removed the audio functionality from their displayed CAPTCHA the functionality can still be accessed via forceful browsing to the file called “/securimage_play.php”. This means that unless the administrator of the site has removed the securimage_play.php file that their site is vulnerable to attack.

The audio codes that are generated by PHPCaptcha are created by concatenating a set of audio files (that are publicly accessible in /audio directory). To prevent simple binary analysis of the output the author randomly changes the value of every 64th byte in the generated audio file starting from an initial offset that is also defined by a random integer in the range 1-64. The effect of the mutation means that when you listen to the audio its very hard to determine what letters are being heard. The code used for the mutation is shown below:

    function scrambleAudioData(&$data, $format)
    {
        if ($format == 'wav') {
            $start = strpos($data, 'data') + 4;
            if ($start === false) $start = 44;
        } else { // mp3
            $start = 4;
        }

        $start  += rand(1, 64);
        $datalen = strlen($data) - $start - 256;

        for ($i = $start; $i < $datalen; $i += 64) {
            $ch = ord($data{$i});
            if ($ch < 9 || $ch > 119) continue;

            $data{$i} = chr($ch + rand(-8, 8));
        }
    }

While this prevents simple binary analysis of the generated audio it does not prevent an attacker from building a list of 64 byte strings from the publicly accessible audio samples and using these in comparison against the concatenated audio file. By determining where in the file these strings occur its possible to decode the CAPTCHA with a 100% success rate. The decision by the author to change only the 64th byte of the final audio file is a fatal design flaw.

You can download the PHPCaptcha exploit capable of decoding the MP3 CAPTCHA format. It is currently configured to run against the “sample_form.php” script that comes by default with SecurImage / PHPCaptcha. Below is a video of the exploit running:

No fix is currently available from the author. The only current solution is to remove the securimage_play.php script from your site.