Having fun with Windows Metafile Handling Code Execution

If you haven’t heard about the Windows Metafile exploit and are using Windows XP or Windows 2003 then you should be a little worried. This exploit allows someone to execute any command they want on your computer as easily as sending you a link and having you browse to it using Internet Explorer. To demonstrate how critical this issue is I am going to show you how to create a .wmf file that will pop up calc.exe on a Windows XP computer by only having them browse to a web page with the .wmf exploit on it.

To easily create the exploit we will be using Metasploit. To do this we will need to download the exploit code and then put it into Metasploit in the correct format. The code for this Metasploit module can be found at http://www.frsirt.com it is called ie_xp_pfv_metafile.pm.

Open up the link and then copy all of the code (from ## through 1; ) now open up TextEdit and paste the code into TextEdit and save the file as ie_xp_pfv_metafile.pm it is really important you name the file correctly or Metasploit will not be able to use it.

Now that you have a .pm file you need to put it in the correct place in Metasploit. Using Finder Browse to where you have your Metasploit folder named framework-2.5 inside the framework folder is a folder named exploits. You will want to place the ie_xp_pfv_metafile.pm file in the exploits folder. Now you want to set the permissions on the new file to the same permissions as the rest to the files in the exploits folder. The easiest way to do that is using Terminal and cd to the framework-2.5/exploits folder and then

ls -la

To see the permissions and owners of the file. If you need to, use chmod and chown to make the permissions match the other files exactly.

Now that the new exploit module is ready you can now fire up the msfcli or msfweb to create a .wmf file. I will be showing you the easy way to do this using msfweb.

Using Terminal cd to the framework-2.5 directory and then run msfweb with the following command

./msfweb

Now open up a web browser and point it to 127.0.0.1:55555 to get to the Metasploit web based GUI.

Using the Filter select app :: ie and click Filter Modules. Now click on Windows XP/2003 Picture and Fax Viewer Metafile Overflow to get started.

Click the Select Target link. We will be executing a harmless remote command so select win32_exec as the Payload.

Now under HTTPHOST put in 127.0.0.1 and in the CMD field type in calc.exe

and now click Exploit. You will now see [*] Waiting for connections to http://127.0.0.1:8080/anything.wmf.

Open up a new tab and browse to http://127.0.0.1:8080/anything.wmf and save that file to disk.

The file is now ready to be uploaded to your web server. Upload the file to your web server and set the correct file permissions. Now browse to the file’s URL using a Windows XP or 2003 computer and Internet Explorer and watch your calculator pop up.

Microsoft knows about this vulnerability and will release the patch on the 6th of January 2006. Until then if you have a vulnerable computer I suggest patching it with the patch available from SANS. Keep in mind though this patch is not authorized by Microsoft and has been found to cause some printing problems when the DLL is registered.

Running Bastille on OS X 10.3

Securing your Mac OS X 10.3 with Bastille.

Note: This tutorial assumes you have a basic understanding of the Mac OS X terminal command line and that you have the Apple Developer Tools installed on your computer and are comfortable compiling applications from source code. This tutorial is only good for OS X 10.2 and 10.3.

Bastille is an operating system hardening program. It was originally designed for *nix operating systems. Since Mac OS X is based on a flavor of BSD which is a branch of Unix it only makes sense that Bastille would work on OS X as well. The following is instructions on how to install and run the Bastille program on your Mac to either harden your current installation or to evaluate your current installation to see how secure it really is. Beware you are now going into the world of BSD so you better be comfortable on the command line.

The first thing you need to do is go and download yourself a copy of Bastille at http://www.bastille-linux.org/source.htm. We will want to get a copy of the source code for this installation. If you are still running OS X 10.2 you should read the OS X 10.2 specific instructions available here http://www.bastille-linux.org/os_x_10_2.htm.

Open up the terminal and browse to the directory you downloaded the tarball to. Now run the command

tar -xjvf Bastille.tar.bz2

This will un-zip and un-tar the sources and create a Directory named Bastille.

Now in order for you to run Bastille in Graphical Mode you will need to have X11 installed on your Mac. If you do not have it installed yet luckily X11 comes free on your Tiger or Panther Install DVD. Just open up the install DVD and Click on Optional Installs then select the X11 package.

Now that X11 is installed and working you can run the install script.

Open the Terminal and go Back into the directory you unpacked Bastille into.
Go into the Bastille directory

cd Bastille

Now run the install script for OS X

sh Install-OSX.sh

The GUI for the Bastille program depends on the Perl module Tk. By default it is not installed on a regular Mac OS X system. The easiest way to install the Tk module is to use the cpan program from the command line. You will need to have a few more programs installed in order for cpan to run correctly. They are wget, ncftp.

To install wget get the source code at ftp://ftp.gnu.org/pub/gnu/wget/wget-1.10.1.tar.gz.

Now go to the directory where you downloaded the sources to and run the following commands.
1. Untar and unzip the archive
tar xzvf wget-1.10.2.tar.gz

2. Go into the un-archived directory
cd wget-1.10.2

3. Run the configure script to get the source code configured for Mac OS X
./configure

4. Build the source code
make

5. Install the source code in its proper place (/usr/local/bin)
make install

You should now be able to run the wget commmand from the terminal command line. If you get command not found, check your PATH and make sure /usr/local/bin is in your shells path.

Ncftp is an easier install. You can get the .dmg from http://www.ncftp.com/download/ make sure you download the Ncftp Client and not the server. Install the .dmg as you would any other application.

Now that you have the required programs installed, run the cpan program from the commmand line

cpan

You will be asked to set up the cpan program if you have never used it before. I was able to configure it by accepting all of the defaults. If you use a proxy for HTTP or FTP then you will be prompted for the proxies during the cpan configuration. Once the configuration is complete you will be dropped into the cpan prompt that will look like this:

cpan>

Here we will need to install the Perl Tk module with the following command.

cpan> install module Tk

Be patient, this will take a few minutes to download, compile, and install.

Now you will be able to run the Bastille program to harden your install of OS X.

As soon as the new version of Bastille that supports OS X 10.4 is available I will revise this tutorial.

Using The Metasploit Framework on Mac OS X

One of the best open source and free pen testing applications available on the Internet today is The Metasploit Project. Metasploit is a very good tool to use to check and see if any services on your network are vulnerable for any one of the numerous publicly available exploits available in the Metasploit Framework. The reason you may want to use a utility like The Metasploit Framework can be summed up by this quote from Sun Tzu:

If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.

To be able to protect our networks from individuals with malicious intent we need to think like those individuals. We also need to know how to use their tools or what types of exploits we may be vulnerable to. We are essentially using fire to fight fire by burning ourselves before they burn us.

The Metasploit Framework also has a command line interface for those of you who are command line junkies (like me). It also has a pretty good web interface that makes it easy to test your network even if you do not know your way around the command line.

The current version 2.5 was just released on October 18th has added many new exploits and maintains compatibility with older versions of the Metasploit Framework. One of the best things about Metasploit is that it is very easy to set up and get running on Mac OS X.

To install Metasploit on your Mac all you need to do is download the current version of The Metasploit Framework.

Make sure you download the Unix Compressed Tar Archive and then use Stuffit or on the command line use: tar xzf framework-2.5.tar.gz to extract the archive file

I will get you started by helping you set up the Metasploit Framework web interface.

Note: All command line commands are in italics.

Open up Terminal and cd to the directory where you un-archived the file.

Now:

1. Go into the unarchived directory.

cd framework-2.5

2.Now start the Metasploit Framework web server.

./mfsweb

Leave this window open or you will kill the webserver.

3. Now open up your web browser and go to the URL: http://127.0.0.1:55555

You will now be able to browse the exploit lists. By using the filter modules drop down menu, you can filter the exploits by application, architecture, and operating system. I suggest getting to know the Metasploit command line mfscli. It is a very powerful way to be able to use Metasploit. I also suggest reading the included documentation in the framework-2.5/docs folder.

Remember these exploits are the real thing and if you go around trying them on other networks without their permission you could get yourself in a lot of trouble. Remember that all actions have their consequences.

Have Fun!

Getting Started with PenTesting

One of the first steps in PenTesting is scanning. Today I am going to write a little about nmap for OS X. For those of you who don’t know what a scanner is, it is a program that will scan a range of IP addresses and return the IP addresses that have open ports available on them. Each open port represents a listening program or daemon running on that computer. This is of interest to pentesters because these ports can sometimes be used to gain unauthorized access to your computer via an exploit. So by finding these ports and making sure the processes listening have no vulnerabilities you are able to keep the bad guys out.

One of the greatest tools available for this type of scanning is Nmap which was written by Fyodor. Nmap is a great tool and is originally a command line/terminal utility. It is a very powerful scanner and it can even try and determine the OS of the remote host being scanned if you use the -O option when running the program. For those of you that are not command line savy, there is a GUI available for Nmap named NmapFe or Nmap Frontend.

I highly suggest getting to know the Mac Terminal program, many of the tools used in pentesting do not have the luxury of a GUI frontend.

To install Nmap you have three options. You can download install Nmap via DarwinPorts, or Fink. Both of Darwin Ports and Fink are package managers for Mac OS X. To install either of them please consult the documentation on their respective sites. The third way to install Nmap is via the source code. This is the best but also the hardest way to install Nmap. You will need to follow the directions included in the archive file the Nmap sources come in to properly configure and install Nmap on your Mac.

Once you have got it installed you can now have some fun scanning your own local area network. Nmap will also give you the type of service that is found on known ports. A list of known ports can be found here. Remember to consult the documentation to find out all of the features available from this great program. Keep in mind that some IDS will see your Nmap scans as a threat so remember to only scan network addresses that you have permission to scan before hand.