Playing with Remote File Inclusion in Metasploit

Exploiting Remote File Inclusion (RFI) through Metasploit is child's play. On 29 January 2010, RSnake released a database of more than 2000 URLs vulnerable to Remote File Inclusion. This RFI database was compiled mainly from Milw0rm and OSVDB, and on 15 February 2010 HD Moore integrated it into Metasploit so that it could be used by the already existing “php_include” exploit.

All the URLs in the database end with the “XXpathXX” placeholder, which is replaced by the desired payload, for example “reverse_php”.

If you don’t specify an RFI target, the RFI database is used by default. To focus on a specific URL, just set PHPURI to the desired URL and end it with “XXpathXX”. For example:

set PHPURI /index.php?COLOR=XXpathXX

When you check the HTTP server log, you will see the related RFI attempts, but there is no way to distinguish an RFI bot scan from a Metasploit scan: by default Metasploit does not set a specific user agent for the “php_include” exploit. You can configure one in the advanced options of the exploit (show advanced). Setting a specific user agent is useful for writing IDS rules that identify the tool behind these attempts, for example during a QA exercise.

The RFI database integrated into Metasploit is now 3 months old and no longer reflects the currently known exploits, but you can build your own database and use it instead.


SUC014 : Static source port 12200/TCP

  • Use Case Reference : SUC014
  • Use Case Title : Static source port 12200/TCP
  • Use Case Detection : Firewall logs / IDS
  • Attacker Class : Opportunists
  • Attack Sophistication : Unsophisticated
  • Identified tool(s) : Unknown
  • Source IP(s) : Random
  • Source Countries : Random, but most of them from China
  • Source Port(s) : 12200/TCP
  • Destination Port(s) : 1080/TCP, 2479/TCP, 3128/TCP, 3246/TCP, 8080/TCP, 9415/TCP, 9090/TCP
Possible(s) correlation(s) :
  • Proxy finder bot

Source(s) :

Most of the time these trends come from firewall reporting, but an IDS configured to report activity on unused TCP or UDP ports can also raise alerts. If you use the Emerging Threats “Known Compromised Hosts” and “Recommended Block List”, correlating firewall activity with IDS signatures will give you a better overview of the attacker.

Figures: 24 hours, 1 week, 1 month and 1 year source port 12200/TCP events; source port 12200 source countries repartition; source port 12200 destination ports repartition.

SUC013 : Paros Proxy Scanner

  • Use Case Reference : SUC013
  • Use Case Title : Paros Proxy Scanner
  • Use Case Detection : IDS / HTTP logs
  • Targeted Attack : Yes, most of the time this tool is used to target a specific Web application
  • Identified tool(s) : Paros Proxy
  • Source IP(s) : Random
  • Source Countries : Random
  • Source Port(s) : Random, but the source port stays static once a scan is initiated
  • Destination Port(s) : 80/TCP, 443/TCP
Possible(s) correlation(s) :
  • Paros Proxy

Source(s) :

Emerging Threats SIG 2008187 raises an alert when the user agent “Paros” is detected in traffic towards the HTTP or HTTPS port variables. An alert is triggered each time the user agent is seen. Summing the alerts from the same source to the same destination over a time interval gives you the number of requests that were proxied through Paros.

Paros Proxy is normally used to evaluate the security of Web applications. All HTTP and HTTPS data between server and client, including cookies and form fields, is intercepted and can be modified. If you detect this kind of activity, you should add the attacker IP address to an “Aggressive Attacker” list for further trends and correlations.
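As an added example (not part of the original post), the two use cases above can be turned into detection logic: a small Python script, run over constructed key=value log lines, flags sources that keep source port 12200/TCP fixed while probing several proxy ports (SUC014) and sums SIG 2008187 Paros alerts per source/destination pair inside a fixed time window (SUC013). The log format and field names are assumptions; adapt them to your firewall and IDS export.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed key=value log lines (not real data): firewall (fw) entries
# and IDS alerts for Emerging Threats SIG 2008187 on the "Paros" user agent.
SAMPLE_LOG = """\
2010-03-01T10:00:01 type=fw src=203.0.113.7 spt=12200 dst=198.51.100.10 dpt=1080
2010-03-01T10:00:02 type=fw src=203.0.113.7 spt=12200 dst=198.51.100.10 dpt=3128
2010-03-01T10:00:03 type=fw src=203.0.113.7 spt=12200 dst=198.51.100.10 dpt=8080
2010-03-01T10:00:04 type=fw src=203.0.113.7 spt=12200 dst=198.51.100.10 dpt=9415
2010-03-01T10:00:05 type=fw src=192.0.2.9 spt=51022 dst=198.51.100.10 dpt=443
2010-03-01T10:05:00 type=ids sid=2008187 src=192.0.2.9 dst=198.51.100.10 ua=Paros
2010-03-01T10:05:02 type=ids sid=2008187 src=192.0.2.9 dst=198.51.100.10 ua=Paros
2010-03-01T10:05:03 type=ids sid=2008187 src=192.0.2.9 dst=198.51.100.10 ua=Paros
2010-03-01T11:30:00 type=ids sid=2008187 src=192.0.2.9 dst=198.51.100.10 ua=Paros
"""

KV = re.compile(r"(\w+)=(\S+)")

def parse(log):
    """Yield one dict per non-empty line: parsed timestamp plus key=value fields."""
    for line in log.splitlines():
        if line.strip():
            ts, _, rest = line.partition(" ")
            rec = dict(KV.findall(rest))
            rec["ts"] = datetime.fromisoformat(ts)
            yield rec

def static_source_port_scanners(log, spt="12200", min_dst_ports=3):
    """SUC014: sources that keep the source port fixed (12200) while hitting
    several destination ports, the fingerprint of a proxy finder bot."""
    dports = defaultdict(set)
    for r in parse(log):
        if r.get("type") == "fw" and r.get("spt") == spt:
            dports[r["src"]].add(int(r["dpt"]))
    return {src: sorted(p) for src, p in dports.items() if len(p) >= min_dst_ports}

def paros_alert_counts(log, window_minutes=60, sid="2008187"):
    """SUC013: sum SIG 2008187 alerts per (src, dst) inside fixed time windows;
    each count approximates the number of requests proxied through Paros."""
    counts = defaultdict(int)
    for r in parse(log):
        if r.get("type") == "ids" and r.get("sid") == sid:
            start = r["ts"].replace(minute=r["ts"].minute // window_minutes * window_minutes,
                                    second=0, microsecond=0)
            counts[(r["src"], r["dst"], start.strftime("%Y-%m-%dT%H:%M"))] += 1
    return dict(counts)
```

With the sample data, the scanner detector reports only 203.0.113.7 (four proxy ports from source port 12200), while the Paros counter reports three alerts in the 10:00 window and one in the 11:00 window for the 192.0.2.9 to 198.51.100.10 pair.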

Figures: Paros Proxy Scanner SIG 2008187 events activities over 24h, 1 week, 1 month and 1 year.