Since everyone else is releasing code to check for/exploit the vmware server/esx/esxi directory traversal vulnerability I pushed up my checker module to the metasploit trunk as an auxiliary scanner module.
If you want to just download a full guest host check out:
GuestStealer -- http://www.fyrmassociates.com/tools/gueststealer-v1.1.pl
or the
nmap script -- http://www.skullsecurity.org/blog/?p=436
I don't feel like re-implementing it and I for sure don't want anything ever auto-downloading several gigabytes of information for me, so if you want that functionality write it or use the above tools. Gueststealer works great.
Vulnerability References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3733
http://www.vmware.com/security/advisories/VMSA-2009-0015.html
The module:
The module is simple enough. By default it checks for:
FILE /etc/vmware/hostd/vmInventory.xml
If it receives a 200 to the traversal string and file it says its vulnerable. If you want to see the output of the file you can uncomment the following line from the code:
#print_status("Output Of Requested File:\n#{res.body}")
reload the module, then change the file to what you want (example: set FILE /etc/shadow).
Since VMWare runs as root you pretty much have access to anything on the file system.
Thursday, February 25, 2010
Thursday, February 11, 2010
BACKTRACK 4 / DEBIAN version of DirChex_v1.3
UPDATE:
DirChex_v1.3 has been created for BackTrack 4 (should also work for most Debian distros).
This is the GUI version which also has can test an App for vulnerable PUT enabled directories.
So, two new releases two different programs. Busy day.
Also, due to some requests for a Non-GUI (Console based) only version of DirChex this will be in the works along with some added features for path mutation.
Download Here
PICS:
Happy Hacking!
~cktricky
DirChex_v1.3 has been created for BackTrack 4 (should also work for most Debian distros).
This is the GUI version which also has can test an App for vulnerable PUT enabled directories.
So, two new releases two different programs. Busy day.
Also, due to some requests for a Non-GUI (Console based) only version of DirChex this will be in the works along with some added features for path mutation.
Download Here
PICS:
Happy Hacking!
~cktricky
New DirSnatch / DirSnatch_v2.1
New Version of DirSnatch can be downloaded Here .
So briefly I wanted to describe the new version of DirSnatch. Just as DirChex (tool for automatically requesting a list of URLs from a text thru your proxy) had a modification with the "PUT" tab so has DirSnatch.
RUNDOWN:
DirSnatch will allow you to save two different files. One dumps a web directory list in the full URL format (DirGet tab).
Sooo C:\inetpub\public\index.asp
becomes
http://example.com/public/index.asp
so on and so forth.
The other (DirPut) will dump the web directory with only the directories & sub-directories (still with URL format)so that we can automate the request of testing each directory for a vulnerable PUT permission issue.
Sooo C:\inetpub\public\index.asp
becomes
http://example.com/public/
BENEFIT:
The benefit of the new tab is the following. If you'd like to use Burp Suite or DirChex to test each directory for PUT the format that DirPut lists each directory in is suitable for simply concatenating the URL + "a test file".
MEANING:
When using the DirChex PUT tab you can provide a name of a file you would like to upload to the target Web App's directories, choose the the txt file containing URLs dumped with DirSnatch_v2.1 DirPut and it will do the concatenation and request for you. Voila.
PIC OF NEW VERSION:
Thoughts, comments, suggestions are welcome.
Happy Hacking!
~cktricky
So briefly I wanted to describe the new version of DirSnatch. Just as DirChex (tool for automatically requesting a list of URLs from a text thru your proxy) had a modification with the "PUT" tab so has DirSnatch.
RUNDOWN:
DirSnatch will allow you to save two different files. One dumps a web directory list in the full URL format (DirGet tab).
Sooo C:\inetpub\public\index.asp
becomes
http://example.com/public/index.asp
so on and so forth.
The other (DirPut) will dump the web directory with only the directories & sub-directories (still with URL format)so that we can automate the request of testing each directory for a vulnerable PUT permission issue.
Sooo C:\inetpub\public\index.asp
becomes
http://example.com/public/
BENEFIT:
The benefit of the new tab is the following. If you'd like to use Burp Suite or DirChex to test each directory for PUT the format that DirPut lists each directory in is suitable for simply concatenating the URL + "a test file".
MEANING:
When using the DirChex PUT tab you can provide a name of a file you would like to upload to the target Web App's directories, choose the the txt file containing URLs dumped with DirSnatch_v2.1 DirPut and it will do the concatenation and request for you. Voila.
PIC OF NEW VERSION:
Thoughts, comments, suggestions are welcome.
Happy Hacking!
~cktricky
Wednesday, February 3, 2010
Walk a mile in someone else's shoes.........
After what seems to be the hundredth time of explaining to a developer that hidden form fields mean nothing, client-side JavaScript controls are great for optimization but not for security blah blah blah I started thinking that if developers performed one or two dynamic analysis tests with an experienced AppSec consultant we'd be in a lot better shape.
Consider that there is a large number of developers out there that have never actually viewed an HTTP request/response sequence. Developers that aren't familiar with what is actually being passed in the ViewState and have no idea just how easy and quickly numerical, seemingly random character sequences and other controls can be iterated through and stomped all over.
Good application security consultants are expected to have some development experience. There are subtle nuances, coding decisions and framework protections that have to be taken into account and ultimately play into not just discovery of findings but considerations for mitigation.
To summarize, if it helps me the security consultant to build applications, utilize the latest and greatest whether it be Flash, HTML 5, or simply a newer framework in order to fully grasp my chosen profession.............shouldn't this mentality be the same for developers?
Consider that there is a large number of developers out there that have never actually viewed an HTTP request/response sequence. Developers that aren't familiar with what is actually being passed in the ViewState and have no idea just how easy and quickly numerical, seemingly random character sequences and other controls can be iterated through and stomped all over.
Good application security consultants are expected to have some development experience. There are subtle nuances, coding decisions and framework protections that have to be taken into account and ultimately play into not just discovery of findings but considerations for mitigation.
To summarize, if it helps me the security consultant to build applications, utilize the latest and greatest whether it be Flash, HTML 5, or simply a newer framework in order to fully grasp my chosen profession.............shouldn't this mentality be the same for developers?