Category Archives: Metasploit

All my posts regarding Metasploit framework, auxiliaries, plugins and exploits.

Metasploit Meterpreter webcam_list webcam_snap record_mic

Metasploit provides several commands that extend Meterpreter. We describe below the usage of webcam, webcam_list, webcam_snap and record_mic.
First of all, you need a valid Meterpreter session on a Windows box to use these extensions.

  • webcam_list :

This stdapi command lists all webcams on the target system. Each webcam has an index number.

Metasploit stdapi webcam_list
  • webcam_snap :

This stdapi command takes a snapshot from the specified webcam (number 1 by default) and, unless told otherwise, tries to open the saved snapshot.

Metasploit stdapi webcam_snap default

webcam_snap accepts the following arguments:

  • -h : display the help banner.
  • -i <opt> : the index number of the webcam to use.
  • -p <opt> : the JPEG image file path, by default $HOME/[randomname].jpeg.
  • -q <opt> : the JPEG image quality, by default '50'.
  • -v <opt> : automatically view the JPEG image, by default 'true'.

Metasploit stdapi webcam_snap extended
  • record_mic

This stdapi command records audio (1 second by default) from the default microphone and, unless told otherwise, tries to play the captured WAV file.

Metasploit stdapi record_mic basic

record_mic accepts the following arguments:

  • -h : display the help banner.
  • -d <opt> : number of seconds to record, by default 1 second (useless).
  • -f <opt> : the WAV file path, by default $HOME/[randomname].wav.
  • -p <opt> : automatically play the captured audio, by default 'true'.

Metasploit stdapi record_mic advanced
  • (bg)run webcam

Same as the stdapi webcam_snap command, but with a loop delay interval that refreshes the displayed JPEG snapshot. A self-refreshing HTML file, "webcam.htm", gives you a new snapshot every x milliseconds. You can invoke the webcam script with the run or bgrun Meterpreter command.

The possible arguments to begin a recording are:

  • -h : display the help banner.
  • -d <opt> : loop delay interval in milliseconds, by default 1000.
  • -f : just grab a single frame.
  • -g : send to the GUI instead of writing a file.
  • -i <opt> : the index of the webcam to use, by default 1.
  • -l : keep capturing in a loop, by default (useless).
  • -p <opt> : the path to the folder images will be saved in, by default the current working directory.
  • -q <opt> : the JPEG quality, by default '50'.

Metasploit Meterpreter run webcam ruby script

To stop the webcam recording, just type the following command:

Metasploit Meterpreter stop webcam ruby script

CVE-2010-3867 : You wanna play with ProFTPD ?

On 2010-09-24, ZDI discovered a vulnerability affecting ProFTPD versions 1.3.2rc3 through 1.3.3b. This Telnet IAC vulnerability allows a remote attacker to execute arbitrary code on vulnerable ProFTPD installations without authentication.

On 2010-11-02, the ZDI and ProFTPD teams released coordinated advisories (ZDI-10-229) and version 1.3.3c, which fixes the Telnet IAC vulnerability.
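As an added defender-side example (not code from the original post), the published affected range can be turned into a patch-level check for your own ProFTPD inventory. It assumes the FTP greeting banner advertises the version, and the sample banners are constructed:

```python
import re

# Affected range published with CVE-2010-3867: 1.3.2rc3 up to and including 1.3.3b.
# 1.3.3c is the fixed release.
VULN_FROM = "1.3.2rc3"
VULN_TO = "1.3.3b"

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:rc(\d+)|([a-z]))?$")
_BANNER_RE = re.compile(r"ProFTPD\s+(\d+\.\d+\.\d+(?:rc\d+|[a-z])?)")

def version_key(version):
    """Map a ProFTPD version string to a sortable tuple.
    Release candidates sort before the final release and lettered
    maintenance releases after it: 1.3.2rc3 < 1.3.2 < 1.3.2a < 1.3.2e."""
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised ProFTPD version: {version!r}")
    major, minor, patch, rc, letter = m.groups()
    if rc is not None:
        stage, n = 0, int(rc)          # release candidate
    elif letter is not None:
        stage, n = 2, ord(letter) - ord("a") + 1   # maintenance release
    else:
        stage, n = 1, 0                # final release
    return (int(major), int(minor), int(patch), stage, n)

def is_vulnerable(version):
    """True when the version lies inside the CVE-2010-3867 affected range."""
    return version_key(VULN_FROM) <= version_key(version) <= version_key(VULN_TO)

def version_from_banner(banner):
    """Extract the version from a greeting such as
    '220 ProFTPD 1.3.3a Server (Debian) [::ffff:192.0.2.10]'.
    Returns None when the banner does not advertise a ProFTPD version."""
    m = _BANNER_RE.search(banner)
    return m.group(1) if m else None

def assess_banner(banner):
    """Return (version, vulnerable) for one inventory line; version is None if unknown."""
    version = version_from_banner(banner)
    if version is None:
        return (None, False)
    return (version, is_vulnerable(version))

if __name__ == "__main__":
    # Constructed sample banners, not captured from real hosts.
    for banner in ["220 ProFTPD 1.3.3a Server (Debian) [::ffff:192.0.2.10]",
                   "220 ProFTPD 1.3.3c Server (Debian) [192.0.2.12]",
                   "220 (vsFTPd 2.3.2)"]:
        print(assess_banner(banner), "<-", banner)
```

A banner can be patched by a distribution without changing the version string, so treat a "vulnerable" result as a prompt to verify the installed package, not as proof.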

As always, security researchers jumped on the advisories to create working public PoCs and exploits.

On 2010-11-04, the Rapid7 team, via jduck, integrated a working exploit into Metasploit, targeting:

On 2010-11-07, Kingcope released on Exploit-DB (EDB-ID-15449) a working exploit for:

  • ProFTPD 1.3.3a on FreeBSD 8.1 i386
  • ProFTPD 1.3.2a/e/c on FreeBSD 8.0/7.3/7.2 i386
  • ProFTPD 1.3.2e (Plesk binary) on Debian GNU/Linux 5.0
  • ProFTPD 1.3.3 (Plesk binary) on Debian GNU/Linux 5.0
  • ProFTPD 1.3.2e (Plesk binary) on Debian GNU/Linux 4.0
  • ProFTPD 1.3.3a (distro binary) on Debian Linux Squeeze/sid
  • ProFTPD 1.3.2e (Plesk binary) on SUSE Linux 9.3
  • ProFTPD 1.3.2e (Plesk binary) on SUSE Linux 10.0/10.3
  • ProFTPD 1.3.2e (Plesk binary) on SUSE Linux 10.2
  • ProFTPD 1.3.2e (Plesk binary) on SUSE Linux 11.0
  • ProFTPD 1.3.2e (Plesk binary) on SUSE Linux 11.1
  • ProFTPD 1.3.2e (Plesk binary) on SUSE Linux SLES 10
  • ProFTPD 1.3.2e (Plesk binary) on CentOS 5

What is interesting in the Kingcope exploit is the number of "Plesk binaries" affected by the vulnerability: at least all Plesk versions from 9.5 to 10.0 inclusive are vulnerable. Just play with Shodan and you will get a list of thousands of vulnerable servers.

Below is a demonstration video of both exploits.

CVE-2010-3962: the confidential Internet Explorer 0day is confidential no longer

Two days ago we announced the discovery of a new "0day" targeting Internet Explorer 6, 7 and 8 on various Windows platforms. This "0day" was still confidential, since it was in the hands of Microsoft, Symantec and other IT security professionals.

In its blog, Microsoft gave details on the cause of the vulnerability: Internet Explorer reportedly has a memory management issue when certain "CSS" style sheets are combined, and it named a vulnerable "DLL".

No more information was needed for other researchers, who were not in the know, to investigate the cause in more detail in order to build a public "PoC". Bingo! Less than a day after the official announcement of the vulnerability, a "PoC" was available on the Internet, turning this vulnerability, originally very limited in impact, into one that could affect millions of computers.

Below is a home-made video showing how easily this vulnerability can be exploited.

We also thought that the fix for the vulnerability would be included in Microsoft's normal update cycle, normally scheduled for the second Tuesday of each month. Unfortunately, the fix for this new vulnerability is not included in the advance notification of the updates scheduled for Tuesday 9 November.

We will most likely have to wait for an "out-of-band" update between 9 November and the next scheduled update, which will take place on 14 December.

In the meantime, we advise users to use Microsoft's "Enhanced Mitigation Experience Toolkit v2.0" (EMET) to limit the reach of the vulnerability.

Metasploit Nessus bridge plugin unleashed – Part 3

The Metasploit Team has released a new plugin, a bridge between Metasploit and Nessus. This new plugin is a collaboration between HD Moore, James Lee, Zate Berg, darkoperator and the Nessus Team. If you follow the PaulDotCom podcast, you know that Paul is an employee of the Nessus team and that darkoperator (aka Carlos Perez) is an official developer of the Metasploit project. A good collaboration between the two teams, which has resulted in this important new step for Metasploit.

In the first part of the post series, we described all the generic, user and policy commands. In the second post we described the plugin and scan commands. In this post we will describe the report commands and the "nessus_find_targets" command.

Report Commands

  • Getting a list of all available reports – nessus_report_list :

To get a list of all available Nessus reports, type the following command:

List of all Nessus reports
  • Getting all detected hosts from a Nessus report – nessus_report_hosts :

To get all hosts detected by Nessus and present in a report, just run the following command:

nessus_report_hosts <report id>

Where "report id" is the unique ID of the report, available with the "nessus_report_list" command.

Hosts reported in a Nessus report

You will get all the hostnames detected in the Nessus report, with the number of potential vulnerabilities detected, classified by severity.

  • Getting details on port vulnerabilities by host – nessus_report_host_ports :

To get port vulnerability details, classified by severity, for a particular host, just run the following command:

nessus_report_host_ports <hostname> <report id>

Where "hostname" is the unique hostname returned by the previous "nessus_report_hosts" command, and "report id" is the unique ID of the report.

Port vulnerabilities for a host in a Nessus report
  • Getting details on a particular port for a host present in a Nessus report – nessus_report_host_detail :

To get details on a particular port for a host present in a Nessus report, just run the following command:

nessus_report_host_detail <hostname> <port> <protocol> <report id>

Where "hostname" is the unique hostname returned by the "nessus_report_hosts" command, "port" and "protocol" are the port and protocol returned by the previous "nessus_report_host_ports" command, and "report id" is the unique ID of the report.

Port vulnerability details by host in a Nessus report
  • Deleting a report – nessus_report_del :

To delete a report, just type the following command:

nessus_report_del <reportname>

Where "reportname" is the unique ID of the report, available with the "nessus_report_list" command.

Report deletion
  • Importing a Nessus report into Metasploit – nessus_report_get :

To import a Nessus report, you will first need to create an ODBC connection between Metasploit and your favourite database (MySQL in our case).

The connection and the database creation are done with the following command (please don't use this login and password 🙂):

db_connect root:root@localhost/locallan

To verify that your ODBC connection is active, use the following command:

Metasploit database connection verification

Then execute the following command to import the Nessus report into Metasploit.

nessus_report_get <report id>

Where "report id" is the unique ID of the report, available with the "nessus_report_list" command.

Nessus report importation in Metasploit

To check that everything has been imported, run the following commands:

  • db_hosts returns all hosts imported from the Nessus report.
  • db_services returns all imported ports, by protocol and by host, from the Nessus report.
  • db_vulns returns all detected vulnerabilities, by port/protocol and by host, from the Nessus report.

  • Finding targets in a scan with CVSS2 > 7 and returning scan info – nessus_find_targets :

To get a list of potential targets from the Nessus report, just run the following command:

nessus_find_targets <report id>

Where "report id" is the unique ID of the report, available with the "nessus_report_list" command.

Finding targets CVSS2 above 7 from a Nessus report
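As an added example (not part of the original post or of the Nessus bridge plugin), here is what the report commands and nessus_find_targets compute, reproduced offline over a constructed .nessus v2 fragment: per-host counts by severity as nessus_report_hosts shows them, and the CVSS2 > 7 filter of nessus_find_targets. The element and attribute names follow the .nessus v2 export format; the hosts, plugin IDs and scores are constructed.

```python
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict

# Constructed .nessus v2 fragment for illustration, not the output of a real scan.
SAMPLE_NESSUS = """<?xml version="1.0" ?>
<NessusClientData_v2><Report name="locallan">
 <ReportHost name="192.0.2.10">
  <ReportItem port="21" svc_name="ftp" protocol="tcp" severity="3" pluginID="50001"
   pluginName="ProFTPD Telnet IAC overflow"><cvss_base_score>10.0</cvss_base_score></ReportItem>
  <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="1" pluginID="50002"
   pluginName="SSH banner disclosure"><cvss_base_score>2.6</cvss_base_score></ReportItem>
 </ReportHost>
 <ReportHost name="192.0.2.11">
  <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="3" pluginID="50003"
   pluginName="SMB remote code execution"><cvss_base_score>9.3</cvss_base_score></ReportItem>
  <ReportItem port="0" svc_name="general" protocol="tcp" severity="0" pluginID="50004"
   pluginName="Host information"/>
 </ReportHost>
</Report></NessusClientData_v2>"""

def parse_report(xml_text):
    """One dict per finding; informational plugins without a cvss_base_score get 0.0."""
    findings = []
    for host in ET.fromstring(xml_text).iter("ReportHost"):
        for item in host.iter("ReportItem"):
            score = item.findtext("cvss_base_score")
            findings.append({
                "host": host.get("name"),
                "port": int(item.get("port")),
                "protocol": item.get("protocol"),
                "severity": int(item.get("severity")),
                "cvss": float(score) if score else 0.0,
                "plugin": item.get("pluginName"),
            })
    return findings

def hosts_by_severity(findings):
    """Per-host finding count per Nessus severity, like nessus_report_hosts."""
    table = defaultdict(Counter)
    for f in findings:
        table[f["host"]][f["severity"]] += 1
    return {host: dict(counts) for host, counts in table.items()}

def find_targets(findings, threshold=7.0):
    """Findings with a CVSS2 base score above threshold, highest first (nessus_find_targets)."""
    hits = [f for f in findings if f["cvss"] > threshold]
    return sorted(hits, key=lambda f: f["cvss"], reverse=True)
```

Run parse_report on the text of an exported .nessus file to get the same per-host and per-port views on a real scan.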