Monday, January 26, 2015

DevOoops: Revision Control (GitList)


More info from the DevOoops talk

Remote Code Execution in GitList

background blog post here: http://hatriot.github.io/blog/2014/06/29/gitlist-rce/

P.S. if you don't read that blog, you should :-)

http://www.exploit-db.com/exploits/33929/

MSF module:
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/gitlist_exec.rb

Read the blog post for the interesting details.


fun screenies

Manually checking if a site is vulnerable


Backdoor PHP using the python POC


Shell via the metasploit module

I didn't think anyone used this stuff, but it's apparently pretty popular.


Fixes:

current stable version 0.5.0 fixes the issue


CG

Friday, January 23, 2015

Shmoocon Notes: Userland Persistence on Mac OS X


Notes from the conf for later

Userland Persistence on Mac OS X

by Josh Pitts @midnite_runr 


Video
https://archive.org/details/joshpitts_shmoocon2015

the backdoor factory
https://github.com/secretsquirrel/the-backdoor-factory

--framework to patch PE, ELF, and Mach-O binaries

BDFProxy will patch binaries on the fly while they are being downloaded
https://github.com/secretsquirrel/BDFProxy

must have root or equivalent to patch the various programs


Background on OSX Persistence

Methods of Malware Persistence on OS X Mavericks, by Patrick Wardle
https://s3.amazonaws.com/s3.synack.com/Synack_Shakacon_OSX_Malware_Persistence.pdf

userland persistence

-plists (launchd executed similar to init) on boot, onlogon, onsocket

-evil plugins

-startupitems folders (plist or script)

-cronjobs

-/etc/rc.common

-/etc/launchd.conf

-binary infection (backdoor factory method)

prior work
-infecting Mach-O _PAGEZERO method
-BouBou Library Injection

josh's blog post related to the talk
http://secureallthethings.blogspot.com/2014/08/patching-mach-o-format-simple-and-easy.html

pre-text section infection method: change the entry point to the evil payload; once the payload has run, execution continues into the original (parent) program so it behaves normally

BDF will automatically unsign a signed binary. OS X doesn't care that a binary is unsigned, only that a signature, if present, is correct.

interesting boot processes that were patchable
-/sbin/launchd - the first process
-/usr/libexec/xpcproxy  - almost everything uses it
-/usr/bin/security
-/usr/bin/awk - awk was a boot process: launchd launches a script that launches awk

Demos in the talk

launchd patch
python script from demo: https://gist.github.com/secretsquirrel/2ba497786027472f98dd

xpcproxy

awk


Detection?

Run the script on your baseline. Make a note of the injection candidates and which of them are signed, and take note if at some point one is NOT signed anymore. That should indicate some muckery going on.
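The baseline-and-recheck idea above, as an added example (not code from the talk or from the backdoor factory): record the hash and `codesign -v` status of the boot-time binaries the talk named, and flag any that were signed before and are not anymore. It assumes macOS `codesign` is on PATH and uses an assumed baseline file location in the home directory.

```python
"""Baseline code-signature status of boot-time binaries and re-check it later.
Added example, not from the talk or the backdoor factory; assumes macOS `codesign`.
"""
import hashlib
import json
import subprocess
import sys
from pathlib import Path

# Boot processes the talk called out as patchable
CANDIDATES = ["/sbin/launchd", "/usr/libexec/xpcproxy", "/usr/bin/security", "/usr/bin/awk"]

def is_signed(path, codesign="codesign"):
    """True when `codesign -v` accepts the file; unsigned or tampered binaries give False."""
    try:
        return subprocess.run([codesign, "-v", path], capture_output=True).returncode == 0
    except FileNotFoundError:  # no codesign tool available: cannot vouch for the file
        return False

def record(path, codesign="codesign"):
    """SHA-256 plus signature status for one binary."""
    digest = hashlib.sha256(Path(path).read_bytes()).hexdigest()
    return {"sha256": digest, "signed": is_signed(path, codesign)}

def baseline(paths=CANDIDATES, codesign="codesign"):
    return {p: record(p, codesign) for p in paths if Path(p).exists()}

def compare(old, new):
    """Findings between two baselines. A binary that was signed and is NOT signed
    anymore is called out explicitly; any other drift is reported as a change."""
    findings = []
    for path, before in old.items():
        after = new.get(path)
        if after is None:
            findings.append(f"{path}: missing since baseline")
        elif before["signed"] and not after["signed"]:
            findings.append(f"{path}: was signed, now NOT signed (possible patching)")
        elif before != after:
            findings.append(f"{path}: changed (hash or signature status)")
    return findings

if __name__ == "__main__":
    store = Path.home() / ".boot_sig_baseline.json"  # assumed location for the baseline
    if sys.argv[1:] == ["check"] and store.exists():
        print("\n".join(compare(json.loads(store.read_text()), baseline())) or "no changes")
    else:
        store.write_text(json.dumps(baseline(), indent=1))
        print(f"baseline written to {store}")
```

Run it once on a clean system to write the baseline, then `python3 script.py check` periodically; a "was signed, now NOT signed" line is the signal the talk describes.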

CG

Monday, January 19, 2015

Enigma0x3's Generate Macro Powershell Script


Quick post/notes on Enigma0x3's Generate Macro payload since it got hot on twitter and reddit last week.

code is here:

https://github.com/enigma0x3/Generate-Macro


The screenshot above walks through the process

Run it, pass in the URL to Invoke-Shellcode.ps1, enter the Metasploit listener IP and port, and the name of the .xls you want created.

You then pick a persistence method:

     -Logon Persistence

"Meterpreter Shell with Logon Persistence: This attack delivers a meterpreter shell and then persists in the registry by creating a hidden .vbs file in C:\Users\Public and then creates a registry key in HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load that executes the .vbs file on login."

     -Powershell Profile Persistence

"Meterpreter Shell with Powershell Profile Persistence: This attack requires the target user to have admin rights but is quite creative. It will deliver you a shell and then drop a malicious .vbs file in C:\Users\Default\AppData\Roaming\Microsoft\Windows\Cookies\cookie.vbs. Once dropped, it creates an infected Powershell Profile file in C:\Windows\SysNative\WindowsPowerShell\v1.0\ and then creates a registry key in HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load that executes Powershell.exe on startup. Since the Powershell profile loads automatically when Powershell.exe is invoked, your code is executed automatically."

more info: https://enigma0x3.wordpress.com/2014/06/16/abusing-powershell-profiles/

     -Microsoft Outlook Email Persistence

"Meterpreter Shell with Microsoft Outlook Email Persistence: This attack will give you a shell and then download a malicious Powershell script in this location: C:\Users\Public\. Once downloaded, it will insert your defined IP address, Port, Email address and Trigger word.
It will then create a malicious .vbs file and drop it in C:\Users\Default\AppData\Roaming\Microsoft\Windows\Cookies\. Once dropped, it creates a registry key that executes it on login. When the Powershell script is executed, it monitors the user's Outlook Inbox for an email containing the email address you specified as well as the subject. When it sees the email, it will delete it and send you a shell."

more info https://enigma0x3.wordpress.com/2014/10/14/persistence-using-microsoft-outlook/

Then pick the Meterpreter shell you want, HTTP or HTTPS.


Once complete you'll have a blank XLS in the Office 2000-2003 (.xls) format.


I did confirm you can add your Excel content, save and reopen the xls and it works (you will have to remove the persistence method or you'll get an error).

If you peek inside, it's relatively straightforward to see what's going on.
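The artifacts those quoted descriptions name are useful hunting points. As an added example (not part of Generate-Macro or this post), the script below checks the HKCU `...\Windows\Load` value and the drop directories quoted above for .vbs scripts and PowerShell profiles; it assumes it runs on the Windows host being examined, and only touches `winreg` there.

```python
"""Check the persistence artifacts the Generate-Macro descriptions above name.
Added example, not from Generate-Macro or the post; key and paths are the quoted ones.
"""
import os
import sys

LOAD_KEY = r"Software\Microsoft\Windows NT\CurrentVersion\Windows"  # under HKCU
LOAD_VALUE = "Load"
DROP_DIRS = [
    r"C:\Users\Public",
    r"C:\Users\Default\AppData\Roaming\Microsoft\Windows\Cookies",
    r"C:\Windows\SysNative\WindowsPowerShell\v1.0",
]

def classify_load_value(value):
    """The Load value is normally absent or empty; anything in it runs at logon."""
    if not value:
        return None
    v = value.lower()
    if ".vbs" in v:
        return "Load value launches a .vbs script"
    if "powershell" in v:
        return "Load value launches PowerShell (profile persistence)"
    return "Load value is set"

def dropped_files(listdir=os.listdir):
    """.vbs/.ps1 files (cookie.vbs, PowerShell profiles) in the drop directories."""
    hits = []
    for d in DROP_DIRS:
        try:
            names = listdir(d)
        except OSError:  # directory absent or unreadable on this host
            continue
        hits += [d + "\\" + n for n in names if n.lower().endswith((".vbs", ".ps1"))]
    return hits

def read_load_value():
    """Read HKCU\\...\\Windows\\Load; None when unset or when not on Windows."""
    if sys.platform != "win32":
        return None
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, LOAD_KEY) as key:
            return winreg.QueryValueEx(key, LOAD_VALUE)[0]
    except OSError:
        return None

if __name__ == "__main__": print(classify_load_value(read_load_value()), dropped_files())
```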


CG

Monday, January 12, 2015

DevOoops: Spoofing GitHub Users


The user information that gets loaded with a commit is locally controlled metadata.

What this means is that you can submit a commit as any user you please. Examples:





It even adds the GitHub icon automagically :-)

This was also discussed here:
https://news.ycombinator.com/item?id=7792026
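The point above, as an added example that is not part of the original post: the author and committer fields are whatever the local environment says, so the only thing a reviewer can actually verify is a commit signature. It assumes `git` is on PATH; the name and e-mail used are constructed placeholders, not a real account.

```python
"""Commit identity is local metadata: show it, then check the one verifiable thing,
a signature. Added example, not from the post; assumes `git` on PATH. The identity
used is a constructed placeholder, not a real account.
"""
import os
import subprocess
import tempfile

def git(*args, cwd, env=None):
    out = subprocess.run(["git", *args], cwd=cwd, env=env, check=True,
                         capture_output=True, text=True)
    return out.stdout.strip()

def commit_as(name, email):
    """Commit in a throwaway repo under an arbitrary identity; return (author, sig_status).

    Nothing in git checks that this identity belongs to whoever holds the repository
    credentials, which is the point the post above makes.
    """
    repo = tempfile.mkdtemp()
    git("init", "-q", cwd=repo)
    env = {"PATH": os.environ["PATH"], "HOME": repo, "GIT_CONFIG_NOSYSTEM": "1",
           "GIT_AUTHOR_NAME": name, "GIT_AUTHOR_EMAIL": email,
           "GIT_COMMITTER_NAME": name, "GIT_COMMITTER_EMAIL": email}
    git("commit", "-q", "--allow-empty", "-m", "constructed example commit", cwd=repo, env=env)
    author = git("log", "-1", "--format=%an <%ae>", cwd=repo)
    sig_status = git("log", "-1", "--format=%G?", cwd=repo)  # 'N' = no signature at all
    return author, sig_status

def identity_is_verified(sig_status):
    """Reviewer-side policy: only a good signature ('G') backs the claimed identity;
    'N' (unsigned), 'B' (bad) or 'U' (good but untrusted key) leave it as a claim."""
    return sig_status == "G"
```

On GitHub the same distinction is the "Verified" badge on signed commits; the avatar next to an unsigned commit only reflects the e-mail string in the metadata.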
CG

Friday, January 2, 2015

DevOoops: GitHub Search


GitHub supports advanced search operators, much like Google does.

References:
http://seclists.org/fulldisclosure/2013/Jun/15
-->https://github.com/search?p=3&q=extension%3Aphp+mysql_query+%24_GET&ref=searchresults&type=Code

http://blog.conviso.com.br/2013/06/github-hacking-for-fun-and-sensitive.html

search cheat sheet:
https://github.com/search#search_cheatsheet_pane

Fun Examples:

password user:adobe -- references to "password" in all Adobe repos

password user:adobe extension:sql -- references to "password" in .sql files in all Adobe repos

user:adobe extension:pem private -- private keys (.pem files) in Adobe's repos



You get the idea... check out the Conviso blog post for other fun examples.


CG