Posted by Trancer on Jun 16 2009
 As of June 1st, the Chinese government demands every personal computer in China to install or be sold with Green Dam Youth Escort Censorware program. Three security researchers – Scott Wolchok, Randy Yao, and J. Alex Halderman from University of Michigan have released an analysis of the Green Dam Censorware system, disclosing multiple vulnerabilities and weaknesses in it. You can read the whole story in the ZDNet Zero Day blog.
The vendor, Jinhui Computer System Engineering Ltd., already patched the vulnerabilities but you can still find vulnerable installations with Google if you want to test it.
One of the vulnerabilities disclosed in the security analysis is a remotely exploitable stack-based buffer overflow vulnerability in the way Green Dam process overly long URLs (OSVDB 55126). seer[N.N.U] posted a simple exploit for this vulnerability on milw0rm and exploit-database #8938.
And here, I wrote a Metasploit exploit module for Internet Explorer which exploits this stack-based buffer overflow vulnerability in Green Dam 3.17. This module uses the .NET DLL memory technique by Alexander Sotirov and Mark Dowd and should bypass Data Execution Prevention (DEP), NX bit and Address Space Layout Randomization (ASLR) Windows memory protections.
I’ve tested this exploit successfully on the following platforms:
– Microsoft Internet Explorer 6, Windows XP SP2
– Microsoft Internet Explorer 7, Windows XP SP3
– Microsoft Internet Explorer 7, Windows Vista SP1
Download greendam_url.rb.
Also on Metasploit, milw0rm and exploit-database #8969.
References:
OSVDB 55126
According to the latest Microsoft Security Intelligence Report, China is the world leading country in Malware distribution so I guess they deserve some pwning :P
Categories: Exploits • Metasploit
        
10 Comments |  Comments RSS |  TrackBack URL
Posted by Trancer on Jun 03 2009
 Here’s a new shiny mixin I wrote for the Metasploit framework – the Java Compilation mixin.
The purpose of this mixin is to bring the power of Metasploit and use it for writing and compiling Java code on-the-fly.
The mixin main usage is to write, compile and embed Java code (Java applets) in HTML pages, mainly for writing exploit and auxiliary modules that exploit vulnerabilities in the JRE\JVM.
The Java compilation mixin can also be used for creating fuzzers and other testing tools for the JRE\JVM.
Code:
javacompile.rb.
Installation:
Place the mixin in the following path:
\msf3\lib\msf\core\exploit
Include the mixin in \msf3\lib\msf\core\exploit.rb file:
# JavaCompile
require 'msf/core/exploit/javacompile'
Using the mixin in exploit and auxiliary modules:
include Msf::Exploit::JAVACOMPILE
The mixin requires JDK to be installed, get it from Sun.
Usage:
OUTPUTPATH – defines the path of the working directory (where the files will be created).
java_compile(filename,data) function is used to compile Java code. filename variable sets the file and public class name and data variable defines the Java code.
java_clean(filename) function is used to clean the working directory. filename variable sets the file name to delete (both .java and .class files) from the working directory.
Demonstration:
The following “exploit” module demonstrate the Java compilation mixin by calling a simple Java applet (displaying “Hello World”) from an HTML page:
java_hello.rb (See comments in the code).
This mixin is still in an early stage and will be modified and improved in time, any kind of feedback and suggestions are welcome.
Cool exploits soon to follow :-)
Categories: Exploitation • Metasploit
6 Comments | Comments RSS | TrackBack URL
Posted by Trancer on Mar 25 2009
 Collected a bunch of useful guides for some new capabilities of the Metasploit Framework.
Some of the capabilities are post 3.2 version. I strongly recommend updating your version to the latest 3.3-dev snapshot.
– Using the WMAP Metasploit module for web application penetration testing:
WMAP (Metasploit Module).
– Restricting the db_autopwn command to specific ports and modules when mass exploiting:
Metasploit Mass Exploitation for Dummies.
– Exploiting the Token Kidnapping vulnerability for privilege escalation:
Token Passing with Incognito (Part 2).
– Using msfpayload to export exploits as executables and go under the AV radar:
Bypassing Anti-Virus with Metasploit (Video).
– Dumping Memory to extract Password Hashes:
Part 1, Part 2.
– Keylogging are now made easy:
Remote Keystroke Sniffing with Meterpreter.
– Keylogging Windows logon screen credentials:
Capturing Logon Credentials with Meterpreter.
Happy pwnage :-)
Categories: Metasploit
0 Comments | Comments RSS | TrackBack URL
Posted by Trancer on Nov 20 2008
Metasploit 3.2 is out!
From the news:
the Metasploit Project announced today the free, world-wide availability of version 3.2 of their exploit development and attack framework. The latest version is provided under a true open source software license (BSD) and is backed by a community-based development team. Metasploit runs on all modern operating systems, including Linux, Windows, Mac OS X, and most flavors of BSD. Metasploit has been used on a wide range of hardware platforms, from massive Unix mainframes to the iPhone. Users can access Metasploit using the tab-completing console interface, the Gtk GUI, the command line scripting interface, or the AJAX-enabled web interface. The Windows version of Metasploit includes all software dependencies and a selection of useful networking tools.
Version 3.2 includes exploit modules for recent Microsoft flaws, such as MS08-041, MS08-053, MS08-059, MS08-067, MS08-068, and many more.
The module format has been changed in version 3.2. The new format removes the previous naming and location restrictions and paved the way to an improved module loading and caching backend. For users, this means being able to copy a module into nearly any subdirectory and be able to immediately use it without edits.
The Byakugan WinDBG extension developed by Pusscat has been integrated with this release, enabling exploit developers to quickly exploit new vulnerabilities using the best Win32 debugger available today.
The Context-Map payload encoding system development by I)ruid is now enabled in this release, allowing for any chunk of known process memory to be used as an encoding key for Windows payloads.
The Incognito token manipulation toolkit, written by Luke Jennings, has been integrated as a Meterpreter module. This allows an attacker to gain new privleges through token hopping. The most common use is to hijack domain admin credentials once remote system access is obtained.
The PcapRub, Scruby, and Packetfu libraries have all been linked into the Metasploit source tree, allowing easy packet injection and capture.
The METASM pure-Ruby assembler, written by Yoann Guillot and Julien Tinnes, has gone through a series of updates. The latest version has been integrated with Metasploit and now supports MIPS assembly and the ability to compile C code.
The Windows payload stagers have been updated to support targets with NX CPU support. These stagers now allocate a read/write/exec segment of memory for all payload downloads and execution.
Executables which have been generated by msfpayload or msfencode now support NX CPUs. The generated executable is now smaller and more reliable, opening the door to a wider range of uses. The psexec and smb_relay modules now use an executable template thats acts like a real Windows service, improving the reliability and cleanup requirements of these modules.
The Reflective DLL Injection technique pioneered by Stephen Fewer of Harmony Security has been integrated into the framework. The new payloads use the “reflectivedllinjection” stager prefix and share the same binaries as the older DLL injection method.
Client-side browser exploits now benefit from a set of new javascript obfuscation techniques developed by Egypt. This improvement leads to a greater degree of anti-virus bypass for client-side exploits.
Metasploit contains dozens of exploit modules for web browsers and third-party plugins. The new browser_autopwn module ties many of these together with advanced fingerprinting techniques to deliver more shells than most pen-testers know what to do with.
This release includes a set of man-in-the-middle, authentication relay, and authentication capture modules. These modules can be integrated with a fake proxy (WPAD), a malicious access point (Karmetasploit), or basic network traffic interception to gain access to client machines. These modules tie together browser_autopwn, SMB relaying, and HTTP credential and form capturing to pillage data from client systems.
Nearly all Metasploit modules now support IPv6 transports. IPv6 stagers exist for the Windows and Linux platforms, opening the door for penetration testing of pure IPv6 networks. The VNCInject and Meterpreter payloads have been extensively tested over IPv6 sockets.
Efrain Torres’s WMAP project has been merged into Metasploit. WMAP is general purpose web application scanning framework that can be automated through integration with an attack proxy (ratproxy) or be accessed as individual auxiliary modules.
Egypt’s new PHP payloads provide complete bind, reverse, and findsock support for PHP web application exploits. If you are sick of C99 and R57 and looking to gain a “real” shell from one of the hundreds of RFI flaws listed on milw0rm, the new PHP payloads work great against multiple operating systems.
The db_autopwn command has been revamped to support port-based limits, regex-based module matching, and limits on the number of spawned jobs. The end result is a way to quickly launch specific modules against a specific set of target machines. These changes were suggested and implemented by Marcell “SkyOut” Dietl (Helith).
Announcement.
Some of the new features are presented in Metasploit Prime.
Grab a copy from the Metasploit web site.
Categories: Metasploit • Tools
0 Comments | Comments RSS | TrackBack URL
Posted by Trancer on Jan 29 2008
Version 3.1 of this great project is out.
Offering tons of cool new features. From the news:
Austin, Texas, January 28th, 2008 — The Metasploit Project announced today the free, world-wide availability of version 3.1 of their exploit development and attack framework. The latest version features a graphical user interface, full support for the Windows platform, and over 450 modules, including 265 remote exploits. “Metasploit 3.1 consolidates a year of research and development, integrating ideas and code from some of the sharpest and most innovative folks in the security research community” said H D Moore, project manager. Moore is referring the numerous research projects that have lent code to the framework.
These projects include the METASM pure-ruby assembler developed by Yoann Guillot and Julien Tinnes, the “Hacking the iPhone” effort outlined in the Metasploit Blog, the Windows kernel-land payload staging system developed by Matt Miller, the heapLib browser exploitation library written by Alexander Sotirov, the Lorcon 802.11 raw transmit library created by Joshua Wright and Mike Kershaw, Scruby, the Ruby port of Philippe Biondi’s Scapy project, developed by Sylvain Sarmejeanne, and a contextual encoding system for Metasploit payloads. “Contextual encoding breaks most forms of shellcode analysis by encoding a payload with a target-specific key” said I)ruid, author of the Uninformed Journal (volume 9) article and developer of the contextual encoding system included with Metasploit 3.1.
The graphical user interface is a major step forward for Metasploit users on the Windows platform. Development of this interface was driven by Fabrice Mourron and provides a wizard-based exploitation system, a graphical file and process browser for the Meterpreter payloads, and a multi-tab console interface. “The Metasploit GUI puts Windows users on the same footing as those running Unix by giving them access to a console interface to the framework” said H D Moore, who worked with Fabrice on the GUI project.
The latest incarnation of the framework includes a bristling arsenal of exploit modules that are sure to put a smile on the face of every information warrior. Notable exploits in the 3.1 release include a remote, unpatched kernel-land exploit for Novell Netware, written by toto, a series of 802.11 fuzzing modules that can spray the local airspace with malformed frames, taking out a wide swath of wireless-enabled devices, and a battery of exploits targeted at Borland’s InterBase product line. “I found so many holes that I just gave up releasing all of them”, said Ramon de Carvalho, founder of RISE Security, and Metasploit contributor.
“Metasploit continues to be an indispensable and reliable penetration testing framework for our modern era”, says C. Wilson, a security engineer who uses Metasploit in his daily work. Metasploit is used by network security professionals to perform penetration tests, system administrators to verify patch installations, product vendors to perform regression testing, and security researchers world-wide. The framework is written in the Ruby programming language and includes components written in C and assembler.
Metasploit runs on all modern operating systems, including Linux, Windows, Mac OS X, and most flavors of BSD. Metasploit has been used on a wide range of hardware platforms, from massive Unix mainframes to the tiny Nokia n800 handheld. Users can access Metasploit using the tab-completing console interface, the Gtk GUI, the command line scripting interface, or the AJAX-enabled web interface. The Windows version of Metasploit includes all software dependencies and a selection of useful networking tools.
The latest version of the Metasploit Framework, as well as screen shots, video demonstrations, documentation and installation instructions for many platforms, can be found online at http://metasploit3.com/
Announcement.
Grab a copy from the Metasplot web site.
Categories: Metasploit • Tools
0 Comments | Comments RSS | TrackBack URL
« Newer Posts |
Wrote a new Metaspoit exploit module for the 
And another new exploit module for Metasploit.
Wrote a new Metaspoit exploit module for the 
Just finish writing a quick Metasploit exploit module for the Microsoft Internet Explorer Object Clone Deletion Memory Corruption vulnerability.
Wrote a new Metaspoit exploit module for 
Oh yeah, H D Moore’s Metasploit Framework v3.0 has been released.
RSS 2.0
ATOM 1.0
RDF 1.0
Links OPML
OpenSearch
