Entries in Metasploit Express (5)


Using Metasploit Express to own a Domain!

So you DLL Hijacked someone or they opened an Evil PDF that they found on the thumb drive in the bathroom!  Is this a big deal?  Yes!  Today I will show you how to go from one of the client side attacks to owning a Domain Controller. 

So when we last left our thumb drive in the bathroom, someone had taken it and we get a meterpreter session.

In this scenario, we are outside their firewall and we are able to have them connect back to us using reverse_tcp.  If the firewall rules were blocking random ports, an attacker could try 443 :)

We have our connection, but we are outside the firewall and they are inside.  We can pivot.  Click on Add Session Route.  This will allow us to launch attacks from our newly owned, inside-the-firewall n00b who picked up our thumb drive and probably didn't wash their hands.  Disgusting!

Now that we have our route, let's go after the Gibson/Domain Controller.

I have a tool I like to use called JoeWare ADFind.  ADFind allows one to query the LDAP server.  Let's upload our adfind.exe to our Bathroom system.

Running ADFind from the target reveals the domain controller.  You can also enumerate user groups such as the Domain Admins.  We have the server name, IP address and list of Domain Admins.

We also have the IP address range the Gibson resides in, so we scan it.  Using Discovery, we identified a SQL server that looks like a test instance.

Maybe the user who set up this test system didn't protect it with a strong password because it is "TEST/DEV."  Let's Bruteforce this!

Successful login: "sa" with the password "sa."  In this case "sa" stands for "stupid administrator."

With the user name and password, we can run Microsoft SQL Server Payload Execution.  This module is awesome.  It is from JDuck (author of the CoolType PDF exploit we used on our USB drive) and David "ReL1K" Kennedy (author of the Social Engineering Toolkit/Fast-Track).

We get a meterpreter session! Time to kick it up a notch, BAM!

Since this is a TEST/DEV box, perhaps a Domain Admin has accessed this box.  If we could capture the token, we could use their permission to add an account on the domain as a Domain Admin.

We click on Command Shell. 

After reading this awesome write-up at carnal0wnage, we load incognito.

We list the tokens on our captured system.  Upon inspection, we identify a member of the Domain Admins group.

Now we commit some digital identity theft.

Now that we have assumed the identity of the Domain Admin, let's add ourselves into the Domain Admins group.

AngryBirds is an awesome game.  I highly recommend it, now available on iPhone, iPad, and Droids.

Not only is the game awesome, the newly created domain account is awesome as well.

Using ADFind to verify, we see that AngryBirds is now a Domain Admin and we have the keys to the kingdom.
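A defender's view of that last step, as an added example that is not from the post: a detection run over constructed Windows Security log lines (event IDs 4720, user account created, and 4728, member added to a security-enabled global group, in Vista/2008+ numbering) that flags every addition to Domain Admins and marks the ones where the member was itself created minutes earlier. The one-line log format, the host name, the account names and the watchlist are my own assumptions.

```python
"""Flag additions to privileged AD groups, especially of freshly created accounts
(added example, not from the post). Input is a constructed one-line-per-event
format of my own: '<date> <time> <host> <event id> subject=<who> target=<account>
[group=<group>]', not real Event Viewer output."""
import re
from datetime import datetime, timedelta

WATCHED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins"}  # assumed watchlist
LINE = re.compile(r"^(?P<ts>\S+ \S+) (?P<host>\S+) (?P<id>\d+) subject=(?P<subject>\S+) "
                  r"target=(?P<target>\S+)(?: group=(?P<group>.+))?$")

def parse(lines):
    """Yield one dict per parsable line; the timestamp becomes a datetime."""
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
            yield ev

def find_privileged_adds(lines, window=timedelta(hours=1)):
    """Return one alert per 4728 into a watched group; 'fresh_account' is True when
    the same target account was created (4720) inside `window` before the add."""
    created = {}   # target account (lower-cased) -> creation time
    alerts = []
    for ev in parse(lines):
        if ev["id"] == "4720":
            created[ev["target"].lower()] = ev["ts"]
        elif ev["id"] == "4728" and ev["group"] in WATCHED_GROUPS:
            t0 = created.get(ev["target"].lower())
            alerts.append({
                "time": ev["ts"], "host": ev["host"], "subject": ev["subject"],
                "member": ev["target"], "group": ev["group"],
                "fresh_account": t0 is not None and ev["ts"] - t0 <= window,
            })
    return alerts

# Constructed sample: a normal HR onboarding, then an AngryBirds account being
# created and promoted within two minutes under a Domain Admin's identity.
SAMPLE = """\
2010-09-20 09:15:02 DC01 4720 subject=ACME\\hr.svc target=ACME\\bsmith
2010-09-20 09:15:03 DC01 4728 subject=ACME\\hr.svc target=ACME\\bsmith group=Staff
2010-09-20 14:02:11 DC01 4720 subject=ACME\\dadmin target=ACME\\AngryBirds
2010-09-20 14:03:40 DC01 4728 subject=ACME\\dadmin target=ACME\\AngryBirds group=Domain Admins
2010-09-20 16:30:00 DC01 4728 subject=ACME\\dadmin target=ACME\\jdoe group=Domain Admins
""".splitlines()
```

Both Domain Admins additions are reported; only the AngryBirds one is marked as a fresh account, which is the pattern worth paging someone for.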


Social Engineering using Metasploit Express

In honor of the release of the findings from the Defcon 18 Social Engineering CTF, "How Strong Is Your Schmooze," as well as the weekly update to Metasploit Express, I will walk through a Social Engineering attack using Metasploit Express.

Step 1: Under Modules, pick your exploit.  I am using the Adobe CoolType SING exploit.  (We don't want to leave out Windows Vista and Windows 7.)

Step 2:  Leave every option as the default and launch the attack.

Step 3:  We could just have our target browse to the web address; however, we are going to use a different attack vector.  Go find a USB drive and load up Firefox with NoScript enabled.  Browse to the target URL and save the PDF.  NoScript will stop it from executing on your machine.

Step 4: Rename the file something sneaky.  I chose HR.pdf.  Copy this to your thumb drive.

Step 5: Take your USB Drive and drop it off somewhere.

Step 6: Wait for the finder of the USB drive to open and click the evil HR.pdf.  Gotcha!  Time to give Mr. X a lesson on Social Engineering and how we don't use thumb drives we find in the bathroom.



DLL Hijacking with Metasploit Express

Step 1: Fire up Metasploit Express and load the Exploit module.

The module you are looking for is WEBDAV Application DLL Hijacker.  It is currently in the 10 most recent disclosures as of September 14th 2010.

Step 2: Select your options.  Here we are going to exploit PowerPoint!  The module will create the file "HR.ppt" in the directory "TopSecret."  When you are done setting your options, launch the attack.


Metasploit Express launches the attack and provides you with a link to send your target.

Step 3: Have the Target open your file and watch as you get a session.

Step 4: Collect that Loot!

Step 5: Well, the sky is the limit.  I personally like to kill off AV.



.DLL Hijacking Roundup!

So welcome to the madness of .dll hijacking... 

Let's recap everything that has happened thus far.

The current 2010 madness started with ACROS Security, who announced a "binary planting" vulnerability in Apple iTunes for Windows on 8/18/2010.

HD Moore from Rapid7 said on Twitter, "The cat is out of the bag, this issue affects about 40 different apps, including the Windows shell," linking to the ACROS advisory.  The ACROS advisory hinted that it was more than just iTunes.  HD promised that he would announce more information the following Monday.

This was going to be a long weekend for some.  However, for me, "It's the end of the world as we know it... and I feel fine."  I went out of town to the beach.  I had a great time and I recommend the Marriott Hutchinson Island in Florida.  This is not related to the story.

@jcran, sensing the world was going to end, took a trip through the Midwest under the excuse of a bachelor party.  This will be the basis for the movie Hangover 2.  This may be related, but we need to wait to see how the movie turns out.

Ok back to the .DLL!  Monday rolls around.  HD Moore releases a post on Rapid7's Security Blog titled "Application DLL Load Hijacking." 

In his post, he notes that this has been around since 2000.  It was originally noted by Georgi Guninski on Sep. 18, 2000, and he links to a Microsoft MSDN article.  He also notes that earlier this year, Taeho Kwon and Zhendong Su published a paper titled "Automatic Detection of Vulnerable Dynamic Component Loadings."  Since the "cat was out of the bag," HD pushed a generic exploit module to the Metasploit Framework.

So how do I protect myself?

HD also released an audit kit that can be used to identify naughty applications.  <~ Download this right now!

Microsoft, as helpful as always, issued their Security Advisory and Support article.  This issue cannot be fixed by Microsoft alone.  It is up to the individual application programmers.  Since this is not a buffer overflow/stack smash, there is no simple fix.  A fix could break other applications!

Microsoft has offered guidance to developers here.
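The mechanics behind the WebDAV Application DLL Hijacker module in the post above and HD's write-up, as an added illustration that is not the page's, Rapid7's or Microsoft's code: a small model of the Windows DLL search order showing why a bare-name load reaches the folder the document was opened from, what SafeDllSearchMode does and does not cover, and how Microsoft's CWDIllegalInDllSearch registry value (KB2264107, values as I read that KB) and full-path loading on the developer side close the hole. The directory layout and DLL names are constructed.

```python
"""Model of the Windows DLL search order (added illustration, not Windows code).
A bare LoadLibrary("name.dll") walks the directories in order; when the name is in
neither the application nor the system directories, the loader reaches the current
working directory, the folder the document was opened from (a WebDAV share in the
Metasploit module). Knobs mirror SafeDllSearchMode and the CWDIllegalInDllSearch
registry value from Microsoft KB2264107 (values as I read that KB)."""

SAFE_ORDER = ("app_dir", "system32", "system", "windows", "cwd", "path")    # SafeDllSearchMode on (default)
UNSAFE_ORDER = ("app_dir", "cwd", "system32", "system", "windows", "path")  # SafeDllSearchMode off
CWD_BLOCK_REMOTE = 0x2         # KB2264107: skip cwd when it is a remote folder (WebDAV or UNC)
CWD_BLOCK_ALWAYS = 0xFFFFFFFF  # KB2264107: never consult cwd

def cwd_allowed(cwd_kind, policy):
    """May the loader consult the cwd? cwd_kind is 'local', 'unc' or 'webdav'."""
    if policy == CWD_BLOCK_ALWAYS:
        return False
    if policy == CWD_BLOCK_REMOTE:
        return cwd_kind == "local"
    return True

def resolve(dll, dirs, safe_mode=True, cwd_kind="local", policy=0):
    """Return the directory key `dll` loads from, or None. dirs maps key -> set of
    file names. 'key\\name' stands for a full path (the developer-side fix): it is
    looked up in that one directory and never walks the search order."""
    if "\\" in dll:
        key, _, name = dll.rpartition("\\")
        return key if name in dirs.get(key, ()) else None
    for key in SAFE_ORDER if safe_mode else UNSAFE_ORDER:
        if key == "cwd" and not cwd_allowed(cwd_kind, policy):
            continue
        if dll in dirs.get(key, ()):
            return key
    return None

# Constructed layout: an Office-like app, and a WebDAV share holding HR.ppt plus planted
# copies of a DLL the app asks for but nobody ships (plugin.dll) and of one that does
# exist in System32 (shared.dll).
DIRS = {"app_dir": {"app.exe", "appcore.dll"},
        "system32": {"kernel32.dll", "shared.dll"},
        "cwd": {"HR.ppt", "plugin.dll", "shared.dll"}}

def demo(dirs=DIRS):
    kb = dict(cwd_kind="webdav", policy=CWD_BLOCK_REMOTE)
    return {
        "default":   (resolve("plugin.dll", dirs, cwd_kind="webdav"), resolve("shared.dll", dirs, cwd_kind="webdav")),
        "safe_off":  (resolve("plugin.dll", dirs, safe_mode=False), resolve("shared.dll", dirs, safe_mode=False)),
        "kb2264107": (resolve("plugin.dll", dirs, **kb), resolve("shared.dll", dirs, **kb)),
        "full_path": (resolve("app_dir\\plugin.dll", dirs), resolve("system32\\shared.dll", dirs)),
    }
```

The point of the four rows: the default safe mode already protects shared.dll but not the missing plugin.dll, which is exactly the class of bug this wave exploited; the registry value or a full-path load turns that into a plain failed load instead of running the planted file.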

Dave Marcus from McAfee has released a PodCast on it.  It is also available on iTunes.

Ok... So how hard is this to exploit?  Do I need to be an evil genius?

Hell NO!  Let's get to some fun stuff... our first video comes from David Kennedy, aka dave_rel1k.

Another great video is from Offensive Security.  This one has awesome music by DualCore.

If this seems too technical for you, you can get a trial copy of Metasploit Express. This application has the exploit ready to go with a point, click, pwn interface.


Ok... So where do I find a list of applications that are vulnerable?

I recommend going to the following 3 sites.

DLL Hijacking (KB 2269637) – the unofficial list

DLL Hijacking – Vulnerable Applications- Exploit DB

VUPEN Security Advisories- Insecure Library Loading

You should also test your own system with HD Moore's audit kit.

It has been an interesting week in the world of information security.  I can't wait to see what next week brings!




Client Side Attacks with Metasploit Express

Today the team over at Rapid7 updated Metasploit Express.

This inspired me to play around with the application and check out the modules.

I know some of the fun of Metasploit is Client Side Attacks.  I figured I would test one of the modules out.  The tough part was choosing which module to use.

Lucky for me, Metasploit rates the exploits, and I found one rated 5 stars: Signed Applet Social Engineering Code Exec.

Time to fire up the browser and go to the link the exploit was waiting on.  It looks like a pop-up... do I click?

and the trap has been set... 


The code executed and showed me I have 1 session loaded.

Now normally when using the framework, I would be loading extensions to get some hashes and other goodies.

This time I hit a button.  Click.  Metasploit Express returned a picture of my desktop and my password hashes.



You can get a 7 day demo of the application over at

To see the updates released today, click here: