Posts

Showing posts from June, 2012

toolsmith: Security Investigations with PowerShell

toolsmith: Security Investigations with PowerShell : Prerequisites Windows, ideally Windows 7 or Windows Server 2008 R2, as PowerShell is native there. There are 32-bit and 64-bit versions of PowerShell for Windows XP, Windows Server 2003, Windows Vista and Windows Server 2008 as well. Introduction Windows power users have long sought strong fu at the command line. In the beginning, Bill said “Let there be shell.” And lo, there was command.com and cmd.exe. Then Jim said there must be scripting support and automation, and thus the likes of Windows Script Host and WMIC were brought to light. But alas, there were challenges: no shell integration, no interoperability. Then unto thee was delivered the shell prophet Monad (see the Monad Manifesto), later renamed Windows PowerShell in 2006. In a nutshell, PowerShell is powerful. Alright, enough of the PowerShell parable. Really though, any sysadmin running modern Windows platforms is likely using or has used PowerShell. Full disclosure: I work...

Malicious PowerPoint File Contains Exploit, Drops Backdoor

Malicious PowerPoint File Contains Exploit, Drops Backdoor : We discovered a malicious MS PowerPoint document that arrives as a file attached to specific email messages. The file contains an embedded Flash file, which exploits a software bug found in specific versions of Flash Player (CVE-2011-0611) to drop a backdoor onto users’ systems. Users who open the malicious .PPT file trigger the shellcode within the Flash file that exploits CVE-2011-0611, which then drops “Winword.tmp” in the Temp folder. Simultaneously, it also drops a non-malicious PowerPoint presentation file, “Powerpoint.pps”, tricking users into thinking that the malicious file is just your average presentation file. Based on our analysis, “Winword.tmp” is a backdoor that connects to remote sites to communicate with a possible malicious user. It is also capable of downloading and executing other malware, leaving infected systems susceptible to other, more menacing threats such as data stealing malwar...

WebDAV Server to Download Custom Executable or MSF Generated Executables

WebDAV Server to Download Custom Executable or MSF Generated Executables : Metasploit comes with a dllhijacker module. The current module does not allow you to download exes; in fact these are specifically blacklisted. This makes sense because that's not what the exploit is for. Anyway, someone asked me if it was possible to download a file (specifically a pre-generated exe) over WebDAV. I know an auxiliary module to act as a WebDAV server has been a request for a while, but it looked like the dll_hijacker module could accomplish it. I added a block of code to the process_get function to handle the exe and then removed .exe from the blacklist. So if LOCALEXE is set to TRUE, then serve up the local exe in the path/filename you specify; if not, generate an executable based on the payload options (yes, I realize AV will essentially make this part useless). The below is a "show options" with nothing set; the default is to generate an EXE payload, if you want to set yo...