Exploiting the forensic investigator (AWE course training)

This summer I am attending the Advanced Windows Exploitation (AWE) course of Offensive Security. The AWE course has been on my wishlist for a long time, because the previous courses (OSCP and OSCE) were amazing. One of the requirements for the AWE course, according to Offsec, is a will to suffer intensely.

After completing OSCE, I spent quite some time on exploit development. My thesis was about discovering previously unknown vulnerabilities and exploiting them. During this thesis I discovered a vulnerability in Wireshark (CVE-2014-2299).

However, that was around three years ago. To get ready for the AWE course, I really have to refresh my exploit development skills. So far, I wrote the following exploits to get ready for AWE:


How a spamfilter can help you to drop a shell

A while ago I discovered a cross-site scripting (XSS) vulnerability in the McAfee E-mail Gateway (MEG) 7.6.4. I reported this vulnerability to McAfee, and they fixed it within a few months. The security advisory can be found over here. MEG is an application that can be used to filter malicious attachments out of e-mails; however, due to the vulnerability an attacker is able to abuse this functionality to drop a malicious file.

The McAfee E-mail Gateway replaces a malicious file with a warning HTML file (1_warning.html). I saw that this HTML file displays the filename of the replaced malicious file (e.g. malicious.xlsx). This made me curious, so I decided to check whether this filename could be used to perform a cross-site scripting attack, because it is placed in HTML context.

In order to check whether the XSS was present, I created a malicious Excel document. The file needs to be malicious in order to be replaced by the McAfee E-mail Gateway. The file was named “file<IMG SRC=x onerror="alert('XSS')">jem.xls”. I e-mailed this file to a mailbox that was protected by the McAfee E-mail Gateway. When opening the warning HTML file, the following behavior became clear:
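The root cause above is untrusted text (the attachment name) landing in HTML context unescaped. As an added illustration that is not McAfee's or the post's own code, the following Python renders a warning page both the flawed way and the hardened way, and uses the standard-library HTML parser to verify which one still carries a live event handler; the page template is a constructed stand-in for 1_warning.html.

```python
import html
from html.parser import HTMLParser

# The attachment name from the post, used here as constructed test input.
REPLACED_FILENAME = 'file<IMG SRC=x onerror="alert(\'XSS\')">jem.xls'

# Constructed stand-in for the gateway's warning page template.
PAGE = ("<html><body><p>The attachment {name} was removed because it was "
        "considered malicious.</p></body></html>")


def render_warning_unsafe(filename):
    """Flawed pattern: the attacker-chosen filename is interpolated verbatim
    into HTML context, so markup inside the name becomes live markup."""
    return PAGE.format(name=filename)


def render_warning_safe(filename):
    """Hardened form: html.escape(quote=True) turns <, >, &, double and single
    quotes into entities, so the browser shows the name literally."""
    return PAGE.format(name=html.escape(filename, quote=True))


class HandlerFinder(HTMLParser):
    """Collects tag names that carry an inline event-handler (on*) attribute."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if any(name.lower().startswith("on") for name, _ in attrs):
            self.hits.append(tag)


def find_event_handlers(page):
    """Parse the rendered page the way a browser would and report every tag
    with an on* attribute; a clean warning page must return an empty list."""
    parser = HandlerFinder()
    parser.feed(page)
    parser.close()
    return parser.hits
```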


Compromising a honeypot network through the Kippo password when logstash exec is used

This is a shared post by @rikvduijn and @wez3forsec.

We have been playing with honeypots lately (shoutout to Theo and Sebastian for adding their honeypots to the network); collecting and visualizing the data from the honeypots is done via ELK. The environment contains a central server that centralizes all the data collected from the honeypots connected to it. The environment is visualized in the following diagram:


In order to collect interesting data on Dutch IPs, we run every event through a filter that adds geolocation based on the IP address. After that we run all events that pertain to Dutch IPs through a Python script using the logstash exec function.


Windows credentials phishing using Metasploit

A while ago I came across a blog post from @enigma0x3. In this blog post a method was described to perform a phishing attack that gathers user credentials using PowerShell. It is a great way to get the credentials of a user. This attack can be used if privilege escalation is hard (try harder) or not an option. In real-life scenarios I noticed that privilege escalation can be hard, for example on fully patched terminal servers. With this phishing method, you can still get the (network) credentials of the user. These credentials can be used to pivot into the network. I got some ideas to improve the attack:

  • Build the script into Metasploit, so the script code can be sent through the existing Metasploit connection
  • Pop up the prompt on certain user activity (starting new processes); a popup that appears without any user action can look suspicious
  • Fix some bugs in the existing PowerShell script


Bash data exfiltration through DNS (using bash builtin functions)

After gaining ‘blind’ command execution on a compromised Linux host, data exfiltration can be difficult when the system is protected by a firewall. Sometimes these firewalls prevent the compromised host from establishing connections to the internet. In these cases, data exfiltration through the DNS protocol can be useful, since in a lot of cases DNS queries are not blocked by a firewall. I have had a real-life situation like this, which I will describe later on.

There are several one-liners available on the internet to exfiltrate command output through DNS. However, I noticed that these use Linux applications (xxd, od, hexdump, etc.), which are not always present on a minimalistic target system. I decided to create a one-liner that only uses Bash builtin functionality. The one-liner can be used whenever command execution is possible and Bash is installed on the compromised system.
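On the defender's side, this technique leaves a distinctive trail: many queries from one client to one zone whose leading labels are encoded data. The following added example (not part of the original post) groups such queries per client and zone from constructed resolver log lines, reassembles the chunks and decodes them; the hex encoding, the dnsmasq-style log format and the size threshold are assumptions, since the post does not state the encoding its one-liner uses.

```python
import re
from collections import defaultdict

# Constructed resolver log lines ("query[A] <name> from <client>", dnsmasq-style;
# an assumption for this example, adapt QUERY_RE to your resolver's format).
SAMPLE_LOG = """\
query[A] www.example.com from 10.0.0.5
query[A] 726f6f743a783a303a303a726f6f74.exfil.example from 10.0.0.7
query[A] 3a2f726f6f743a2f62696e2f62617368.exfil.example from 10.0.0.7
query[A] mail.example.com from 10.0.0.5
query[A] 0a.exfil.example from 10.0.0.7
"""

QUERY_RE = re.compile(r"query\[\w+\] (\S+) from (\S+)")
HEX_LABEL_RE = re.compile(r"^(?:[0-9a-f]{2})+$")  # even-length, hex digits only
MIN_HEX_CHARS = 32  # flag a (client, zone) once this much hex has been seen


def hex_prefix(name):
    """Return (hex payload, zone) for names whose leading labels are all hex,
    e.g. '0a.exfil.example' -> ('0a', 'exfil.example'); None for normal names."""
    labels = name.lower().rstrip(".").split(".")
    payload = []
    while labels and HEX_LABEL_RE.match(labels[0]):
        payload.append(labels.pop(0))
    if not payload or not labels:
        return None
    return "".join(payload), ".".join(labels)


def find_dns_exfil(log_text):
    """Group hex-prefixed queries per (client, zone), concatenate the chunks in
    log order (assumes in-order delivery) and decode the ones large enough to
    look like exfiltrated data. Returns {(client, zone): decoded_text}."""
    chunks = defaultdict(list)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        split = hex_prefix(m.group(1)) if m else None
        if split:
            chunks[(m.group(2), split[1])].append(split[0])
    findings = {}
    for key, parts in chunks.items():
        blob = "".join(parts)
        if len(blob) >= MIN_HEX_CHARS:
            findings[key] = bytes.fromhex(blob).decode("utf-8", "replace")
    return findings
```

Real exfiltration tooling often prepends a sequence number to each chunk; if yours does, sort the chunks by that number before joining them.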


Reading Outlook using Metasploit

In penetration tests, it can sometimes be hard to escalate privileges on a (Windows) target system. In this situation it can be useful to gain access to resources containing sensitive information, such as passwords.

Metasploit does not have any module to read e-mail messages from a local Outlook installation. Outlook can however contain a lot of sensitive information that is useful in a penetration test, such as network credentials. I decided to create a Metasploit module that can read and/or search the local Outlook e-mail messages.


In order to do this, the module uses PowerShell. The following PowerShell script is used by the Metasploit module:


CVE-2014-6332: it’s raining shells

This is a shared post by me (@wez3forsec) and Rik van Duijn (@rikvduijn)

Today @yuange tweeted a proof of concept for CVE-2014-6332. CVE-2014-6332 is a critical Internet Explorer vulnerability that was patched with MS14-064. The PoC was able to execute the application notepad.exe. We wanted to pop some actual shells with this, so the race began to find a way of executing more than just notepad or calc. The “great” thing is that this vulnerability affects everything from Windows 95 with IE 3.0 up to Windows 10 with IE 11. From a pentester's perspective this is awesome; from a blue team perspective this will make you cry.

Because we wanted to pop shells, we created a Metasploit module; this allows us to adapt the exploit when needed and gives us the usability of the Metasploit framework, including the ability to launch the many different payloads the framework supports.

Shellshock: a lot of QNAP’s still vulnerable

Shellshock is a critical bug in Bash, the shell used on a lot of Unix-based operating systems. Shellshock was disclosed on the 24th of September 2014, and the bug was assigned CVE-2014-6271. Analysis of the source code history of Bash shows the vulnerability had existed since version 1.03 of Bash, released in September 1989.

QNAP Network Attached Storage (NAS) devices are vulnerable to Shellshock. The vulnerability can be exploited by (for example) executing the following curl command:

curl -H "User-Agent: () { :; }; /bin/cat /etc/passwd" http://ip:8080/cgi-bin/authLogin.cgi -v

There are two solutions offered by QNAP in order to fix this vulnerability:

  • Install firmware QTS 4.1.1 Build 1003
  • Install Qfix patch 1.0.1 (QTS 4.1.1 only) or 1.0.2 (QTS 3.8.x, QTS 4.0.x, QTS 4.1.0, QTS 4.1.1)
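Until the firmware or Qfix patch is applied, requests like the one above are easy to spot in web or proxy logs. The following added detection example (not QNAP's or the post's code) scans constructed request-log lines for header values that begin with a Bash function definition, the precondition for CVE-2014-6271, and reports the path and header involved; the log line format is an assumption.

```python
import re

# Constructed request-log lines in "<method> <path> | <Header>: <value>" form
# (an assumption for this example; map it onto your proxy, WAF or httpd logs).
SAMPLE_REQUESTS = [
    "GET /cgi-bin/authLogin.cgi | User-Agent: Mozilla/5.0 (X11; Linux x86_64)",
    "GET /cgi-bin/authLogin.cgi | User-Agent: () { :; }; /bin/cat /etc/passwd",
    "GET /cgi-bin/authLogin.cgi | Cookie: () { :;}; /bin/sh -c id",
    "GET /cgi-bin/authLogin.cgi | Referer: http://wiki.intranet/notes/() { :; }",
]

# Bash only imports a function from the environment when the value *starts*
# with "() {", so anchoring the rule at the start keeps it precise (the Referer
# sample above is not flagged); optional whitespace covers spacing variants.
SHELLSHOCK_RE = re.compile(r"^\s*\(\s*\)\s*\{")


def parse_request(line):
    """Split one constructed log line into (path, header_name, header_value)."""
    request, _, header = line.partition(" | ")
    name, _, value = header.partition(":")
    return request.split()[1], name.strip(), value.strip()


def scan_requests(lines):
    """Return (path, header) for every request whose header value is a Bash
    function definition, i.e. a Shellshock attempt against a CGI endpoint."""
    hits = []
    for line in lines:
        path, name, value = parse_request(line)
        if SHELLSHOCK_RE.match(value):
            hits.append((path, name))
    return hits
```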


CVE-2014-2299: Wireshark MPEG file parser buffer overflow

Around the 6th of March 2014 I reported a security issue (CVE-2014-2299) to the developers of Wireshark. I discovered the vulnerability in Wireshark using file fuzzing. Wireshark versions 1.10.0 to 1.10.5 and 1.8.0 to 1.8.12 are affected by the vulnerability.

The vulnerability is present in the wiretap/mpeg.c file. The maximum packet size was not checked correctly, so the vulnerability could lead to a Denial of Service (DoS) or arbitrary code execution. The exact change the Wireshark developers made to fix the problem can be found here:

