Minipost: Adding Packetstorm Exploits to Metasploit

I love to see an increasing number next to the exploits once I have issued msfconsole. To make myself happy I find it pretty cool to add packetstorm Exploits to the framework which are not yet merged or will never be merged into the framework.

To get all exploits from 2012 via wget from packetstorm  simply do a

wget http://packetstorm.igor.onlinedirect.bg/1212-exploits/2012-exploits.tgz 


(to get all exploit archives use fnord0's packetstorm leecher https://github.com/fnord0/packetstorm.pl )

and untar the file

tar xvzf 2012-exploits.tgz

a simple find . -iname \*.rb.txt will tell you which files are for the framework.

rename those *.txt.rb files by

rename s/rb.txt/rb/g *-exploits/*

create a new folder in your exploits folder (in my case)

mkdir /opt/metasploit-4.4.0/msf3/modules/exploits/packetstorm

I like to start msfconsole then to see the currently listed exploits

1003 is already nice. Lets exit the msfconsole

copy all packetstorm framework exploit files to the created directory

find . -iname \*.rb -exec cp {} /opt/metasploit-4.4.0/msf3/modules/exploits/packetstorm/ \;

and start msfconsole

 

1263 is the number that made me happy today. 

There will be some issues related to some modules but these are minor bugs. 

Meterpreter Anti Memory Forensics (Memoryze) Script

This is more of a Proof of Concept which is meant to demonstrate the weaknesses of contemporary memory acquisition tools. I have talked about this at BackTrack Day 2011 and in my opinion the memory acquisition process as well as the tools are only useful in situations when an attacker has not taken any precautions. Let's face it, these tools have to deal with systems which might be under full control by an attacker.

As I like Metasploit I would like to support my claim considering a presentation given in 2009 by Mandiant called Metasploit Autopsy: Reconstructing the scene of the crime.

The presentation really shows how to extract a meterpreter session from memory using Mandiants Memoryze. This is really amazing, as long as you are able to obtain a memory dump. Let me repeat the above sentence "these tools have to deal with systems which might be under full control by an attacker."

What if an attacker is just monitoring if a process emerges called "memoryze.exe" and will kill the process. Or if an attacker prevents that additional drivers can be loaded? To be able to obtain a full memory dump all of the contemporary tools use their own driver. If you prevent that additional drivers can be loaded they will fail (see below).




Now think about it: you are working on very critical systems and you are only allowed to do live response because shutting down the system would cost the system owner a hundred thousand dollars per hour. You decide to obtain a memory dump and an attacker is monitoring for a process called memoryze.exe and will shut down the system once the process occurs, guess who is fucked now?

I am not saying that this is the overall solution (it's actually ridiculous) and you can still change the name of the executable but the name of the driver (mktools.sys) doesn't change as well. This makes it very easy for attackers to use malware analysis strategies against the vendors of these tools. Create a signature for the tools and defeat them, for instance with yara http://averagesecurityguy.info/2012/01/30/hunting-for-artifacts-with-metasploit/

If you want to prevent other drivers from loading then the script will currently only work under Windows XP (not virtualised ) as it uses the preservation.sys driver from the Malware Analysts Cookbook to prevent other drivers from loading as a proof of concept.

I am aware of the fact that this approach writes to disk but it is only for demonstration purposes and I am quite sure that there are guys out there who will be able to modify this script so that it won't write to disk anymore and will even change your underwear without your notice.

Code is not available anymore, drop me a comment if you are interested.

Walk-through Kioptrix 1.2

I finally found the time to play with loneferret's Kioptrix (www.kioptrix.com) challenges and thought I would post another solution of the 3rd challenge which does not pull the hash values from the database via SQLi. Instead I decided to leverage the Local File Inclusion vulnerability together with SQLi and the sucrack tool (http://labs.portcullis.co.uk/application/sucrack/)

not very exciting but a different approach.

Another Solution for Kioptrix 1.2 from T0X1C on Vimeo.

Pissing on Snort with Metasploit

This is my first post on that blog which I am primarily using to store things which I would otherwise forget. I decided to start with a video (it's a bit slow because I have to use several VMs on my notebook) to make it easier for me as well ( yes I am a slacker) when I need that information again.

Before I start, I would like to take the opportunity to thank m-1-k-3 from the #back-track.de channel on freenode for pointing out the Metasploit NOP Generators. You guys should visit his web site www.s3cur1ty.de and also buy his book which he is going to release very soon and is definetely on my reading list.

Now to the actual post. There are plenty of guides out there which treat Antivirus Evasion but I haven't found much ( or maybe not tried hard enought ) which cover IDS Evasion. So, I was playing around with Snort and it's rules to see what is necessary to circumvent the alert mechanism. This is actually the same which applies to AV Evasion - you just change the stupid signature. Of course, this is much easier with snort because you can just look up the signature with in the rules but as I already mentioned, I am a slacker. ;)

So, here we go

Untitled from T0X1C on Vimeo.