1 min
IE DirectShow (msvidctl.dll) MPEG-2 Metasploit Exploit
Originally Posted by Jabra
There is a new IE exploit that has been recently released into the wild. The
exploit is for DirectShow (msvidctl.dll) MPEG-2. The exploit utilizes an ActiveX
control in addition to a GIF file include, to perform a memory corruption
attack. The vulnerability affects users of both IE 6 and IE7.
Today, the exploit was added to the Metasploit framework
[http://www.metasploit.com/] by HD Moore (the author of Metasploit). The module
was written by Trancer.
Thus far, I h
1 min
Mastering the Metasploit Framework
The next official Metasploit class
[http://blackhat.com/html/bh-usa-09/train-bh-usa-09-hdm-meta.html] will be held
in Las Vegas, Nevada during Black Hat USA on July 25th and 26th. This course
dives into the newest features of the Metasploit Framework and demonstrates how
to use these features in every aspect of a penetration test. Students will learn
how to create custom modules to solve specific tasks, launch wide-scale
client-side attacks, operate a malicious wireless access point, generate c
1 min
Capturing Logon Credentials with Meterpreter
In my previous post [/2009/03/22/remote-keystroke-sniffing-with-meterpreter], I
described the keystroke sniffing capabilities of the Meterpreter payload. One of
the key restrictions of this feature is that it can only sniff while running
inside of a process with interactive access to the desktop. In the case of the
MS08-067 exploit, we had to migrate into Explorer.exe in order to capture the
logged-on user's keystrokes.
While testing the keystroke sniffer, it occurred to me to migrate into the
2 min
Remote Keystroke Sniffing with Meterpreter
Earlier this afternoon, I committed some code
[http://trac.metasploit.com/changeset/6370] to allow keystroke sniffing through
Meterpreter sessions. This was implemented as set of new commands for the stdapi
extension of Meterpreter. Dark Operator, author of many great Meterpreter
scripts, already wrote a nice blog post describing how to use the new keystroke
sniffer, but I wanted to cover some of the internals and limitations as well.
The keyscan_start command spawns a new thread inside of the
3 min
VMWare, Virtual PC, and FDCC Images
Update: A couple [http://nicholsonsecurity.com/] folks
[http://www.blogger.com/profile/10734906797874214568] pointed out that the
VMWare Converter [http://www.vmware.com/products/converter/overview.html]
automates most of the issues covered in this post.
On August 20th, 2007 NIST's Federal Desktop Core Configuration
[http://nvd.nist.gov/fdcc/] project released its initial set of Windows virtual
machine images as a security reference. This set has been updated to consist of
Windows XP SP2 and
2 min
Metasploit Mass Exploitation for Dummies
One of the features added in the 3.2 release
[http://metasploit.com/documents/RELEASE-3.2.txt] of the Metasploit Framework
was the ability to restrict the db_autopwn command to specific ports and modules
matching a given regular expression. This feature can be used to run one or more
exploits against a specific range of hosts at the same time.
In the example below, we will demonstrate how to launch the MS08-067
[http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx] exploit
against e
1 min
Metasploit DDoS Redux
The good news is that the DDoS against the Metasploit web servers has stopped,
the bad is that I won't have time to go into the details of the attack and the
mitigation methods until next week. All Metasploit services should be
operational again, please let me know if you find something broken. I would like
to thank everyone who offered us assistance during the attack, without their
help this would have been much more frustrating.
The bandwidth graph for the affected period can be seen below.
0 min
Pathetic DDoS vs Metasploit (Round 3)
The incoming connection rate has exceeded 15Mbps of just SYN packets, so we
decided to point www.metasploit.com and metasploit.com back to 127.0.0.1 for a
little while. This is more to keep our ISP happy than any fear of bandwidth
charges. We ran a packet capture of the incoming SYN traffic for about 8 hours;
it takes up approximately 60Gb of disk space. In the meantime, if you want to
access the Metasploit web site, please use:
https://www.metasploit.com/
Thanks!
-HD
0 min
Pathetic DDoS vs Metasploit (Round 2)
It looks like our little DDoS buddy got sent home from school early today --
the flood started up again, this time ignoring the DNS name for the
metasploit.com web site and instead targeting both IP addresses configured on
the server. While SSL service is still unaffected (including Online Update over
SVN), folks who wish to visit the Metasploit web site will need to do so using
an alternate port until we roll out the next countermeasure.
We also host the main web server for Attack Research.
1 min
Metasploit Decloak v2 (UnAnonymizer)
The Metasploit Decloak Engine [http://metasploit.com/data/decloak/] is now back
online with a handful of new updates and bug fixes. Decloak identifies the real
IP address of a web user, regardless of proxy settings, using a combination of
client-side technologies and custom services. The first version was announced in
June of 2006
[http://archives.neohapsis.com/archives/fulldisclosure/2006-06/0695.html] and
was eventually made obsolete by changes to the Flash plugin and improvements in
the Tor
4 min
MS08-068: Metasploit and SMB Relay
Today, Microsoft released bulletin MS08-068, which addresses a well-known flaw
in the SMB authentication protocol. This attack was first publicly documented by
Sir Dystic during @tlantacon in 2001 and implemented in Metasploit 3 in July of
2007. The attack abuses a design flaw in how SMB/NTLM authentication is
implemented and works as follows.
The SMB client tries to access a remote SMB service on an attacker's machine. A
user can be forced to access the SMB resource if they are running Intern
3 min
Metasploit 3.2 BSD Licensing
The slides from the talk egypt and I gave at SecTOR 2008 are now online
[http://metasploit.com/research/conferences/]. One of the highlights was a
change in licensing -- instead of the existing EULA-like license, the 3.2
release will be provided under the 3-clause BSD license. The text below is an
extended version of a rant I shared with Kelly Jackson Higgins over at Dark
Reading [http://www.darkreading.com/document.asp?doc_id=165636&WT.svl=news1_2].
The original version of Metasploit (1.0 and
1 min
Metasploit (2**5/10.0)
Silence can mean one of two things - the project is dead, or we are working on
some really big things and aren't quite ready to announce them. Well, the
project is not dead. In the next two weeks, some major changes will be announced
that cover the source code, development team, and licensing of the Metasploit
Framework. Folks who have been following the development tree may not be
surprised, but we are taking some giant steps forward from the 3.1 release.
In the meantime, users should stay away
1 min
Improved WinDBG opcode searching
Being goaded by some coworkers about the opcode searching functionality of
windbg prompted me to add a new option to jutsu today: searchOpcode
You can search for a sequence of instructions together: it assembles them,
shows you the resulting machine code, and then searches for that byte sequence
in executable memory. Instructions are delimited by pipes. I plan to add some
limited wildcard functionality in the near future as well.
0:000> !jutsu searchOpcode pop ecx | pop ecx | ret
[J] Searching for:
> pop e
1 min
Byakugan WinDBG Plugin Released!
Today, HD merged in an amalgamation of windbg tools and plugins with a funny
name into the main metasploit tree. We've been working on this collection for
awhile now, and currently it represents (I think) a good step towards turning
windbg from simply a good debugger into a powerful platform for exploit
development.
The work that's currently released includes:
tenketsu - the vista heap emulator/visualizer which allows you to track how
input to a program affects the heap in real time.
jutsu