<div>Hi Darren!</div><div> </div><div>Thanks, I am glad that you found it of interest! Your idea of running a MOSDEF/Meterpreter shellcode should work fine and I expect you could substitute the shellcode the exploit comes with for the appropriate staged MOSDEF loader with little or no change. If the shellcode is greatly in excess of 0x300 bytes (if memory serves me) you may need to put it into the buffer formed by the BuildMalicious_OverwriteStack function rather than the one formed by BuildMalicious_FillBuf, and jump back into it once the stack is marked RWX, as there is limited stack space before we reach the top of the stack.</div>
<div> </div><div>Your approach would definitely avoid the need for psexec (or some other technique), however since local admin <=> local system (but for a little token work) I figured it would be good enough - seeing as how the exploit was not ported to Canvas or Metasploit I figured this would be the nicest way of providing the attacker with a shell (considering also that, in the domain exploit context, the attacker would have to be able to access the target over SMB anyway you can be pretty sure psexec will work consistently too).</div>
<div> </div><div>If you want to try the exploit out as is, please use the later version (which unfortunately I had to pull for personal reasons, but which is mirrored at <a href="http://www.anonpaste.me/anonpaste2/index.php?7d9084b36b95d57e#LEVd4vMjqQlGzfip5uveBNezuKqIG3vulNwpOr5rUf4">http://www.anonpaste.me/anonpaste2/index.php?7d9084b36b95d57e#LEVd4vMjqQlGzfip5uveBNezuKqIG3vulNwpOr5rUf4</a>=) as the Aug 2012 target seems to work for most of the laptops the exploit has been tested on).</div>
<div> </div><div>Do let me know if it bawks and you'd like me to take a look.</div><div> </div><div>Thanks!</div><div>-Peter<br><br></div><div class="gmail_quote">On Tue, Dec 25, 2012 at 8:28 PM, Darren Martyn <span dir="ltr"><<a href="mailto:darren@insecurety.net" target="_blank">darren@insecurety.net</a>></span> wrote:<br>
<blockquote style="margin:0px 0px 0px 0.8ex;padding-left:1ex;border-left-color:rgb(204,204,204);border-left-width:1px;border-left-style:solid" class="gmail_quote">-----BEGIN PGP SIGNED MESSAGE-----<br>
Hash: SHA1<br>
<br>
Peter,<br>
Interesting exploit, especially that it can be exploited remotely in<br>
that context!<br>
<br>
Now, my exploit writing skills are not great, but seeing as the code<br>
is executed in the context of a local service, could one not use<br>
shellcode such as a MOSDEF loader/stager or a Metasploit Meterpreter<br>
stager and gain remote access under the context of the local service<br>
(which, unless I am mistaken, runs with SYSTEM privs? Looking to test<br>
it later as I have a vuln laptop!). This would obiviate the need to<br>
(for remote exploitation) run psexec with the new creds.<br>
Or am I an idiot (who'se mind may be slowed down a little by the food<br>
and drink :3 )<br>
<br>
Best regards, and seasons greetings to all :)<br>
<br>
- - Darren Martyn<br>
<div><div class="h5"><br>
On 25/12/12 16:36, Peter WS wrote:<br>
> Dear list,<br>
><br>
> I've written an exploit for an interesting bug which I found a day<br>
> or so ago, and thought I'd share it with you.<br>
><br>
> <a href="http://pastebin.com/QP7eZaJt" target="_blank">http://pastebin.com/QP7eZaJt</a><br>
><br>
> Hope you enjoy! -Peter<br>
><br>
><br>
><br>
><br>
</div></div><div class="im">> _______________________________________________ Dailydave mailing<br>
> list <a href="mailto:Dailydave@lists.immunityinc.com">Dailydave@lists.immunityinc.com</a><br>
> <a href="https://lists.immunityinc.com/mailman/listinfo/dailydave" target="_blank">https://lists.immunityinc.com/mailman/listinfo/dailydave</a><br>
<br>
<br>
</div>- --<br>
Insecurety Research - <a href="http://insecurety.net" target="_blank">http://insecurety.net</a><br>
-----BEGIN PGP SIGNATURE-----<br>
Version: GnuPG v1.4.12 (GNU/Linux)<br>
Comment: Using GnuPG with Mozilla - <a href="http://enigmail.mozdev.org/" target="_blank">http://enigmail.mozdev.org/</a><br>
<br>
iQEcBAEBAgAGBQJQ2gxrAAoJEEqUSoN8D1ViDYMH/iXJwNBdCGhO8jnCG7pz/wYi<br>
HSXAJDS3NZBnb7B1mXj2X3XVVVq0IOHTXuJSPQHdYFGOnuC4fU9af8TbwuL8g0Uw<br>
ModJ5KYkVUgkLlD8yuQq5gj3amKm1DtNlDuzEiycQaArueO7dp4EnQ3QJKyoKSDm<br>
f5f/wmqLfUOX57cFEAaR4lE+tnttJ7S1yWtw741L1YIpywvZf/iK81ptuzho4j8s<br>
yyNFsR5pmxTgkoSYHktMMucSrBR3TufZ4kzSlWnZnirY3u67CbqNeHGq6NRt4NUq<br>
nZ/iMVUzCNWndD56IaRSVlNJBxbWZ4a8cxC8vuEcWdHJoHUY1r6Pr7S6Kf2geWY=<br>
=lEpb<br>
-----END PGP SIGNATURE-----<br>
<div class="HOEnZb"><div class="h5">_______________________________________________<br>
Dailydave mailing list<br>
<a href="mailto:Dailydave@lists.immunityinc.com">Dailydave@lists.immunityinc.com</a><br>
<a href="https://lists.immunityinc.com/mailman/listinfo/dailydave" target="_blank">https://lists.immunityinc.com/mailman/listinfo/dailydave</a><br>
</div></div></blockquote></div><br>