Posts

Showing posts from January, 2015

Application Call to Missing DLL can lead to Meterpreter Shell

This is a proof-of-concept demonstrating how a Meterpreter shell can be gained when an application calls a DLL that does not exist: the missing DLL is replaced with a Meterpreter DLL.  Granted, I am using an Administrator account to copy the file to its final location, but this could also be done by an exploit, through poorly set permissions, incorrect access control, or through privilege escalation.

1. I generated a Meterpreter DLL and saved it temporarily as meterpreter.dll:

2. Next I ran ProcMon.exe on a Windows 7 SP1 virtual machine.  I left it running for a while and then saved the log to a CSV file, because I was not sure what I was looking for in the output.

3. After working with the log file I found a command that returns the DLL files a process tried to load but that were not found:

grep -i "name not found" Logfile.CSV | grep -i "createfile" | grep -v -i "procmon.exe" | grep -e "\.dll"

4. With running the command the following resu…

Using OfficeMalScanner to look at a Macro and more...

I came across a Microsoft Word document that contained a macro.  I decided to tear it apart to understand it a little better.  The steps I took are below:

1.  I downloaded OfficeMalScanner from http://www.reconstructer.org/code.html and placed it in the same directory as the Word document.  OfficeMalScanner could be placed in a separate directory.

2. Ran OfficeMalScanner against the Macro:

3. Then used the "inflate" command to extract the contents of the file:

4. I then moved the decompressed files to my working directory.

5. I ran the scanner on the first binary in the word/vbaProject.bin file and it extracted the contents of the macro:

6. With the macro extracted, let's look at its first few lines for Indicators of Compromise (IOCs):

Looking at the first part of the extracted macro, we can see a filename to look for, "updater.exe", in the directory "C:\Users\<Username>\AppData\Local\Temp"…

msf3 database for Metasploit not working - How to rebuild...

Today I ran into some issues with my msf3 database that I have been using with Metasploit.  I thought I would take a couple minutes and document how I rebuilt it.  This will delete all the current entries and information stored in the msf3 database.

Verify the postgresql server is running or restart the server by executing '/etc/init.d/postgresql restart'

When the Metasploit framework is installed it creates the following file, which contains the msf3 username and the randomly generated password:

cat /opt/metasploit/apps/pro/ui/config/database.yml

Take the msf3 user's password from the file, or change it to one you would like to use.

Then switch to the postgres user in Kali Linux by executing 'su - postgres'.  The prompt should then read 'postgres@machname:~$'.

Execute 'psql' at the prompt to get into the postgres database.  To view the databases execute '\list'.

Let's first reset the password of the msf3 account.  Note if yo…

Updated Fuzzer for vulnserver.exe

I have updated the script to cycle through a series of characters instead of manually changing the character after each iteration of the script.  I also added the ability to include the new line, carriage return and line feed, and NOP characters.

I have built this script to introduce the concept of fuzzing in a Computer Science course that I will be teaching.

#!/usr/bin/python

import socket

def optionsMenu(currentCommand, currentChar, currentSeries, currentSize, currentMulti):
    print 'Select from the Following Options: '
    print '1. List Commands'
    print '2. Set Command - "' + currentCommand + '"'
    print '3. Set Initial Character or String ("' + currentChar + '")'
    print '4. Set String Initial Size ("' + currentChar + '"*' + str(currentSize) + ')'
    print '5. Set String Multiplier (("' + currentChar + '"*' + str(currentSize) + ')*' + str(currentMulti) + ')'
    pri…

Volatility Bash Script v0.5

I have been using the volatility script that I wrote back in September and made some revisions to it.  Below is the source code:

#!/bin/bash
# Script to collect information by utilizing volatility

# v0.5 - Added a registry key to pull the Run keys out of the SOFTWARE registry file
#      - Changed the home directory to the present working directory
#      - To get yarascans to work successfully you may have to 'apt-get install libyara-dev python-yara' on Debian based systems
#      - Note on conducting a Yara scan on the memory image: 'vol.py -f memimage.img yarascan -Y "3.5.7.3"' searches memory for a string or IP address; add -p to restrict the search to the memory of a particular process
#      - Create from psscan an output file that can be viewed with Graphviz (graphviz.org) to show the relationships between processes
#      - Added the output of the strings program for strings longer than 8 characters
#      - Added the output of privs, envars and procdump
#      - Outpu…

Built Fuzzer for vulnserver.exe using Python

Through searching for information about buffer overflows and exploiting them I found "vulnserver.exe" created by "The Grey Corner" @ http://www.thegreycorner.com/2010/12/introducing-vulnserver.html.

Then I began fuzzing vulnserver.exe and built the following fuzzer in Python.  It can be adapted to fuzz other programs by modifying the source code listed below.

#!/usr/bin/python

import socket

def optionsMenu(currentCommand, currentChar, currentSize, currentMulti):
    print 'Select from the Following Options: '
    print '1. List Commands'
    print '2. Set Command - "' + currentCommand + '"'
    print '3. Set Character or String ("' + currentChar + '")'
    print '4. Set String Initial Size ("' + currentChar + '"*' + str(currentSize) + ')'
    print '5. Set String Multiplier (("' + currentChar + '"*' + str(currentSize) + ')*' + str(currentMulti) + …