Lets see how we can use the Metasploit framework to pawn an MS SQL Server
A MacBook with Vmware Fusion on it
Target: A Vrtual Guest with Windows 2003 Server with the Ip address 172.16.226.131
Attacker: A Virtual Guest with Backtrack 5R1 with the Ip address 172.16.226.128
So Lets go….
The SQL Database TCP port 1433.
Setting the RHOSTS option we can get information about the database including version information, server name etc
Setting the options RHOSTS, PASS_FILE, VERBOSE we can brute-force attack the target for valid credentials. If the server is misconfigured or the passwords are weak we can find accounts that we can use in the next command. Here I am attacking to the “sa” account. The “sa” account is the DBO (db_owner) for all databases created on the server. The account has administrative privileges on the database.
[+] 172.16.226.131:1433 – MSSQL – successful login ‘sa’ : ‘password’
Setting the options RHOSTS,PASSWORD which are set from the previous command we can try to exploit the Server. The exploit uses the “xp_cmdshell” stored procedure to execute commands on the Server.
[*] Meterpreter session 1 opened
I am working on a new post about metepreter so stay tuned….
In this post I show a way to inject data in an executable, and some code, to encrypt with xor the whole code segment.. As an example, I’ll use a virus executable, encrypt it in this way and upload it in VirusTotal and check it 🙂
Tools I used:
1. Hex Editor (I Recommend HxD http://mh-nexus.de/en/downloads.php?product=HxD)
2. PEditor by yoda&M.o.D. ( PEditor )
3. Ollydbg ( http://www.ollydbg.de/download.htm )
I will follow the below steps:
1. Find a dummy image to use it’s raw data… (1)
2. Find an executable with virus
3. Check the results in VirusTotal..
4. Modify the PE Header of infected executable, to add a new segment
5. Select some data from the image file (1) and add them in the new segment
6. Encrypt permanently the original segments
7. Inject some code to make the XOR decryption using olly to check step by step the execution flow
8. Confirming that exe is working fine, and upload to VirusTotal to check for the new results 😀
1. Find a dummy image to use it’s raw data
Well, this is easy.. Let’s use google to search an image… What i searched is “virus” 🙂 Now we have to select an image with complexity.. It has to be a bit complex, cos if you think the jpeg contents, they have to be as much complex as they can, in order not to be a repeatable pattern.. So i select this image for the example http://www.healthinitiative.org/IMAGES/virus_big.jpg ..it has some complexity but not so much.. anyway i like this image 😀 ..Also think that u can use a fractal image.. it gonna give you a cool complexity! 😉
2. Find an executable with virus
These days i receive a spam from a brazilian friend (who is infected with the virus) with a trojan executable.. A quick analysis of this will be presented in a future post, cos atm is still active, and victim’s personnal info (user;pass) are available publicly…. The executable is packed with ASPack.
3. Check the results in VirusTotal
Uploading that executable to VirusTotal I take the following results
VirusTotal Scan before encryption
- The following stuff is done in an environment of Win XP SP3 VM w/ .NET v2.0 .. Also tested in Win7x64 and Win7x86 -
- Tools used : Just ollydbg
- App can be found in :http://www.flexcrypt.com/flexcryptfree.html .
Everything started when I firstly saw the security magazine “Hakin9” (http://hakin9.org/) presenting FlexCrypt .. I downloaded flexcrypt, and started to testing functionality etc… But I have a bad habit… after some minutes, instead of looking the functionality, i fired up Ollydbg and started exploring its code… I focused on every interface that was accepting user’s input. I wanted to check some BoF vulnerabilities. My attention was caught by the Registration Dialogbox. Fuzzing the input by hand (exception appears in string length > 452) I noticed that the application throws an exception…! That needs examination..
First of all, we assume that the operation is simple : U press Validate -> some function (1) reads your input storing it to a buffer -> string manipulations and memory allocations happen -> some function (2) validates your input -> message for good or bad news 🙂
So, hands on.. attaching Olly on the process, cause the application to overflow entering a long input. Olly shows up, and we land in KERNEL32 :
Here we go.
We need knowledge, we need tools and targets we need a lab environment.
It is illegal to try penetration procedures in live environments without the written permissions of the owner so a test environment is a must have. In a another post I will analyze how we can create a lab environment, for now lets see a list in no particular order of toolkits and targets. Luckily enough there are plenty out there.!
This list will always be updated .
These are live CDs or DVDs. I am not going to analyze any of this right now. I am using the Backtrack linux distribution probably because is the first one I started with or…….
These are live CDs, projects or vmdk files. You can use them for pen-testing skill development and testing.