DotDotPwn is a simple Perl tool that detects directory traversal vulnerabilities on HTTP and FTP servers. This version of its AttackDB ships 871 traversal payloads. The tool was tested against Kolibri+ WebServer v2.0 and Gefest WebServer v1.0 (both HTTP servers) and did a good job of identifying the strings that actually trigger the bug. Both servers were already known to be vulnerable and had advisories on sites such as exploit-db, but those advisories listed only one or two traversal strings, whereas DotDotPwn found between 10 and 20 distinct working attack strings on the same servers.
Features of DotDotPwn:
Detects directory traversal vulnerabilities on remote HTTP/FTP servers.
DotDotPwn confirms a traversal by requesting boot.ini through each candidate path, so it assumes the tested HTTP/FTP server is Windows based; a vulnerable Unix host will not show up with that default check.
The traversal database currently holds 871 attack payloads. Use the -update flag to fetch a fresh copy online.
Sample usage:
HTTP:
perl ddpwn.pl -http website.com
FTP:
perl ddpwn.pl -ftp ftphost.com
DotDotPwn is a very useful tool for web application penetration testers who prefer open-source software. Because it is written in Perl, it is easy to modify for the environment under test, and the traversal database is just as easy to extend. A nice front end would surely make this tool more popular!
Requirements: Perl with the HTTP::Lite and Net::FTP modules.
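To show what a traversal fuzzer of this kind actually does, here is a small Python illustration written for this post; it is not DotDotPwn's own code. It builds a handful of encoded "../" variants (a tiny stand-in for the 871-entry AttackDB), feeds each to a path resolver, and reports every variant that escapes the web root. Rather than a live HTTP/FTP server, the target is a constructed in-process resolver with a typical mistake (stripping "../" once instead of rejecting escapes), shown next to a hardened version; the web root and the payload list are assumptions made for the example.

```python
"""
Miniature directory-traversal fuzzer in the spirit of DotDotPwn.
Added example for this post, not DotDotPwn's code. The web root, the
traversal list and both resolvers are constructed for illustration.
"""
import posixpath
import urllib.parse

WEB_ROOT = "/var/www/html"   # assumed document root of the imaginary server
TARGET = "boot.ini"          # the file DotDotPwn looks for on Windows hosts

# A few traversal encodings modelled on the kinds of strings in
# DotDotPwn's database (the real database has several hundred).
TRAVERSALS = [
    "../",              # plain
    "..\\",             # backslash separator (Windows servers accept it)
    "%2e%2e/",          # URL-encoded dots
    "%2e%2e%2f",        # URL-encoded dots and slash
    "%2e%2e\\",         # URL-encoded dots, literal backslash
    "%2e%2e%5c",        # URL-encoded dots and backslash
    "..%2f",
    "..%5c",
    "%252e%252e%252f",  # double URL-encoded
    "....//",           # survives a naive one-pass strip of "../"
    "....\\\\",
]


def vulnerable_resolve(request_path: str) -> str:
    """Constructed vulnerable resolver: decodes once, *strips* "../" instead
    of rejecting it, and only afterwards maps backslashes to slashes."""
    decoded = urllib.parse.unquote(request_path)
    filtered = decoded.replace("../", "")
    unified = filtered.replace("\\", "/")
    return posixpath.normpath(posixpath.join(WEB_ROOT, unified))


def hardened_resolve(request_path: str):
    """Decode, unify separators, canonicalise, then check containment.
    Returns the resolved path, or None if it would leave the web root."""
    decoded = urllib.parse.unquote(request_path).replace("\\", "/")
    full = posixpath.normpath(posixpath.join(WEB_ROOT, decoded))
    if full != WEB_ROOT and not full.startswith(WEB_ROOT + "/"):
        return None
    return full


def fuzz(resolve, depth: int = 6) -> list:
    """Return every request string for which `resolve` hands back the
    target file outside the web root, i.e. the traversal strings that work.
    `depth` repeats the traversal enough times to climb past the root."""
    escaped_target = "/" + TARGET   # where boot.ini sits outside the root
    hits = []
    for trav in TRAVERSALS:
        payload = trav * depth + TARGET
        if resolve(payload) == escaped_target:
            hits.append(payload)
    return hits


if __name__ == "__main__":
    for name, fn in (("vulnerable", vulnerable_resolve),
                     ("hardened", hardened_resolve)):
        hits = fuzz(fn)
        print(f"{name}: {len(hits)} working traversal string(s)")
        for h in hits:
            print("   ", h)
```

Run it and the vulnerable resolver falls to five of the eleven strings (every backslash variant plus "....//"), while the plain "../" and the single-encoded slash forms are caught by its filter. That is the same picture the post describes: an advisory that quotes one string understates the problem, and a payload database finds the ones the filter missed. The hardened resolver yields no hits because it checks the canonical result instead of pattern-matching the input.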
Discovering new vulnerabilities of the kind described in the now-famous Microsoft article KB 2269639 has become very easy these days. Why? Because there are plenty of DLL hijack auditing tools that can help you find them. We have already mentioned HD Moore's DLL Hijacking kit; this post lists the known DLL hijack kits.
But first, what is this vulnerability about? It is caused by insecure programming practices that allow so-called "binary planting" or "DLL preloading" attacks: an application that loads a library by bare name, without a fully qualified path, lets Windows search a list of directories that includes the current working directory, and when a user opens a document the working directory is the document's own folder. An attacker who can plant a DLL with the expected name next to a document can therefore remotely execute arbitrary code in the context of the user running the vulnerable application as soon as that user opens a file from an untrusted location. Now that we know the basics, here we go:
DynamicLoadLibraryTest: a little-known tool by Gianni Amato. You can download it here. It never hurts to try out newer stuff.
DllHijackAuditor: a tool that audits any Windows application for the DLL hijacking vulnerability. This recently disclosed issue affects a large number of Windows applications, and a successful attack gives the attacker code execution as the logged-on user, which is usually enough to take over the machine. Download instructions and our write-up about this tool can be found here.
DLLHijackAuditKit: version two of this tool is already out, and it is probably THE tool most people have used to find vulnerable Windows applications. The toolkit uses native JScript, automatically kills spawned processes, reduces ProcMon's memory usage, and automatically validates every result from the CSV log. Download instructions and our write-up about this tool can be found here.
UPDATE: you can also scan your computer online for this vulnerability by visiting this link.
As and when more tools are released, we plan to edit this post. Bookmark it if you want to be updated about developments on this subject!
The latest buzzwords in the information security industry are "insecure DLL loading", "DLL hijacking" and "DLL preloading". HD Moore, the author of Metasploit, has made it much easier for the rest of us to test for such attacks at leisure, hence the spurt of proof-of-concept code online. Peter Van Eeckhoutte has been maintaining a list of vulnerable applications on his excellent blog, hosted here.
This toolkit uses native JScript, automatically kills spawned processes, reduces ProcMon's memory usage, and automatically validates every result from the CSV log. It is a complete rewrite of version 1. The kit turns your desktop PC into a vulnerability mincing machine: it launches the registered handler for every registered file type and records whether the handler tried to load a DLL from the working directory of the associated file. DLLHijackAuditKit will help you verify whether an application is vulnerable to DLL preloading attacks.
How to use DLLHijackAuditKit v2?
1. Download ProcMon from here and copy the procmon.exe binary into the DLLHijackAuditKit directory. Launch Process Monitor once, accept the EULA, and exit.
2. Download Ruby from here and install it normally.
3. Browse to the DLLHijackAuditKit directory and launch 01_StartAudit.bat as an Administrator. The Administrator bit is important: it allows the script to kill background services spawned by the handlers and prevents UAC popups.
4. After the audit script completes (15-30 minutes), switch to the Process Monitor window and choose File->Save from the menu. Save the resulting log in CSV format to the DLLHijackAuditKit directory under the name "Logfile.CSV".
5. Launch 02_Analyze.bat as an Administrator. It scans the CSV log, builds a test case for each potential vulnerability, tries each one, and automatically writes a proof-of-concept into the Exploits directory for every case that succeeds.
6. Identify the affected vendor for each generated proof-of-concept and ask them nicely to fix their application. Send them the calc.exe-launching PoC if necessary.
It is very easy to use; next to today's emerging tools it is small, and it does the job. There are some known issues with running it on Windows XP; hopefully HD Moore fixes them soon. Till then you can try being a vulnerability discoverer with this simple tool. Grab your pie while this vuln is hot!