Point, Click, Root.
An anonymous reader writes "The Metasploit Project just released version 2.2 of the Metasploit Framework. This release includes a VNC server payload that can be used with almost any of the Windows exploits. The scary thing about this payload is that the VNC server executes as a new thread in the exploited process, without writing any files to the disk drive. Is this the end as we know it for simple remote command shell exploits? A couple of articles have already mentioned this project."
Obligatory non-ugly URL for this article (Score:5, Informative)
Re:Obligatory non-ugly URL for this article (Score:5, Informative)
Re:Obligatory non-ugly URL for this article (Score:2)
Re:Obligatory non-ugly URL for this article (Score:5, Funny)
You have to log in to see/use them.
The undisclosed source from the DoD... (Score:3)
hummmm... that helps.
Re:The undisclosed source from the DoD... (Score:4, Insightful)
"MetaSploit isn't being taken seriously enough" by his peers in government security, the DoD employee added.
Nothing that... (Score:5, Funny)
Re:Nothing that... (Score:4, Funny)
What n00bs.
Re:Nothing that... (Score:4, Funny)
Don't look at me - I post to Slashdot through a command line.
Re:Nothing that... (Score:4, Interesting)
My Brother's Sad Day. (Score:5, Funny)
It happens to all of us: our hard-won skills, honed to perfection over years of use, the knowledge and techniques that make us special and separate us from the common man, get packaged into a user-friendly, idiot-proof tool. It's called progress.
Works when the machine is locked too (Score:5, Interesting)
Re:Works when the machine is locked too (Score:3, Interesting)
Parent has a good point, how often do you leave your servers logged in? Could be fun for unsuspecting people at their workstations, though. I can see it now, the calls coming in "OMG MY MOUSE IS TEH MOVING....HAXORS IN TEH MY pC!!11".
Sigh. Never a dull moment in IT.
Re:Works when the machine is locked too (Score:4, Interesting)
On the other hand, hackers can VNC in and watch what you do without you knowing they're connected. Or while you're trying to type your password to log in, they could just keep typing a letter or two, thereby keeping you from logging in.
Re:Works when the machine is locked too (Score:2)
Last time I ran a VNC server on a windows desktop machine it used enough CPU time whenever anyone was connected for me to be aware it was happening. Unless this problem has been fixed, I wouldn't worry about not realizing it has happened.
Re:Works when the machine is locked too (Score:2, Interesting)
Re:Works when the machine is locked too (Score:2, Interesting)
Re:Works when the machine is locked too (Score:5, Interesting)
I assume you're saying this because you saw the screen shot linked in the summary. Notice that it says "System" at the top of the start menu. This is not the user's desktop, and you won't get to see the user's running apps. You'll have to exploit something running in the user's session to do that.
This won't let you do anything that you could not already have done by installing, say, netcat with the same exploit.
Re:Works when the machine is locked too (Score:2)
It's time to give up (Score:5, Funny)
Re:It's time to give up (Score:5, Funny)
Re:It's time to give up (Score:5, Funny)
Re:It's time to give up (Score:2)
And here, ladies and gents (Score:5, Funny)
Umm... (Score:5, Interesting)
Re:Umm... (Score:5, Funny)
Re:Umm... (Score:2)
Re:Umm... (Score:4, Funny)
Re:Umm... (Score:5, Interesting)
I suppose, the same way Goldeneye started as a game and ended up as the boot disk for Xbox Linux...
Re:Umm... (Score:3, Interesting)
Actually, it was Mechwarrior [xbox-linux.org], though 007:Agent Under Fire can be used as well.
(an aside: anyone know if Robertson ever paid up on the whole "run linux on physically untouched xbox"?)
Re:Umm... (Score:2)
the answer: (Score:2, Interesting)
Re:Umm... (Score:2)
Could it be any more simple?????
It's about time (Score:4, Funny)
Hey, Australians... (Score:4, Funny)
Whoah (Score:3, Funny)
This is not very responsible. (Score:3, Insightful)
I am not against full disclosure or the dissemination of security tools; I just happen to think that for every one security pro who uses this tool for good there will be a hundred script kiddies who use it for causing havoc. Rather than make life easier for the good guys, this will just make it that much more difficult.
Re:This is not very responsible. (Score:4, Insightful)
Re:This is not very responsible. (Score:2)
A medical analogy is actually very apt for security.
Obscurity is a good first line of defense--comparable to keeping away from sick people--but it can and will be compromised, and more rigorous plans must accompany it.
Re:This is not very responsible. (Score:2)
Re:This is not very responsible. (Score:2)
Oh bosh. Quit with the high-road superior morality stuff. In a perfect world I would side with you but this is REALITY. "Responsibility" has no real meaning. No one cares unless they have a personal axe to grind.
Tough. Security testing should be this easy. (Score:5, Insightful)
There are already plenty of tools out there for that, with more being created every day. I for one am fed up with people who complain every single time something like this, which makes my life easier since I don't have to do any actual work to test out the machines on my network, is introduced.
Isn't it better to discover, identify, and eliminate the weaknesses in one's network rather than wait for someone less trustworthy to discover, identify, and exploit them without your permission? Isn't that what software like this can help us accomplish?
There's no stopping software like this. More and better software is being created all the time, and some of it can indeed be used by bad people to do bad things. Rather than complain and fret about the potential evil uses to which it can be put, the sensible person would welcome it as yet another useful tool in their security arsenal.
Did you also whine about "nmap"?
- A.P.
Attention MetaSploit (Score:5, Funny)
Our lawyers will be getting in touch with the MetaSploit group to discuss licensing options.
Thank you,
Jeff Bezos
Founder and CEO
amazon.com
More like... (Score:4, Funny)
Rapid 'sploit development? (Score:3, Funny)
NetHack version 4? (Score:5, Funny)
Your quest is at an end for you have reached the root of NetHack.
Within, the Wizard of MS RAS has no power, the Oracle 8i speaks with utmost clarity, and the stack overflow bugs do not bite.
OT: Sig Reply (Score:2)
http://www.reason.com/hod/jb072604.shtml
If you don't feel like reading, here are some highlights:
This isn't the first time Kerry and Ashcroft have been at odds over civil liberties. In the 1990s, government proposals to restrict encryption inspired a national debate. Then as now, the American Civil Liberties Union (ACLU) and e
Re:Off-topic: Sig Reply (Score:2)
Finally... (Score:2)
Nasty. (Score:5, Insightful)
I wonder if running your own (password-protected) vncserver will be any protection against this. I guess it depends on whether the payloaded vncserver can have its port changed or whether it is stuck with the default.
If it can be changed then this is going to be very nasty. You couldn't even simply firewall all the vnc ports any more as the kiddie could configure the server to run on an unprivileged port. I suppose that SYN flag checking or using a connection-stateful firewall should protect against this.
Yuck.
Re:Nasty. (Score:3, Interesting)
I agree: Yuck.
Re:Nasty. (Score:4, Insightful)
That doesn't answer whether it'd change ports if an existing VNC is there, but nevertheless, it looks like a particularly nasty and hard-to-track rootkit.
Re:Nasty. (Score:5, Informative)
Negative. One of the r-parameters you throw back (depending on whether you do a direct inject or a reverse tunnel inject) is what port the daemon is listening on. Keep in mind, you're not adding a VNC service or using an existing one, you're injecting the code into running memory. It will run even if there's another one hanging out on the system. Hell, it even bypasses the GINA.
One of the things we haven't done over here is test it while another remote user is actively VNC-ing the box. That would be interesting.
Also, keep in mind that VNC injection is only one of many payloads, and in my opinion, not nearly the most useful (but definitely the most fun).
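A defender's check in the spirit of the two comments above (the listener can be on any port, and the server lives inside an already-running process): an added example, not code from Metasploit or from this thread, that compares a constructed socket snapshot against a known-good baseline keyed on (process image, port) rather than on port number alone, and also flags outbound connections from service processes that should never initiate them (the reverse-tunnel case). Process names, PIDs, addresses, ports and the baseline are all made up for the illustration.

```python
# Constructed example: correlate a socket table with its owning processes and
# flag listeners or outbound connections absent from a known-good baseline.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Sock:
    proto: str
    laddr: str
    lport: int
    raddr: str
    rport: int
    state: str
    pid: int


# Constructed snapshot in the spirit of a `netstat -ano` listing, with process
# images joined by PID. Everything below is made up.
PROCS = {4: "System", 748: "lsass.exe", 912: "svchost.exe", 1300: "explorer.exe"}
SOCKS = [
    Sock("TCP", "0.0.0.0", 445, "0.0.0.0", 0, "LISTENING", 4),
    Sock("TCP", "0.0.0.0", 135, "0.0.0.0", 0, "LISTENING", 912),
    # an in-memory server bound to an arbitrary high port inside lsass.exe
    Sock("TCP", "0.0.0.0", 61000, "0.0.0.0", 0, "LISTENING", 748),
    # the reverse-tunnel variant: the exploited process calls out instead
    Sock("TCP", "10.0.0.5", 49211, "203.0.113.9", 4444, "ESTABLISHED", 748),
    Sock("TCP", "10.0.0.5", 49300, "10.0.0.20", 443, "ESTABLISHED", 1300),
]

# Known-good baseline captured from the same host earlier (constructed).
BASELINE_LISTENERS = {("System", 445), ("svchost.exe", 135)}
# Service processes that never initiate outbound connections here (constructed).
NO_OUTBOUND = {"lsass.exe", "System"}
# Address ranges considered internal on this constructed network.
INTERNAL = [ip_network("10.0.0.0/8")]


def is_internal(addr: str) -> bool:
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL)


def audit(socks, procs):
    """Return human-readable findings; an empty list means nothing unexpected."""
    findings = []
    for s in socks:
        image = procs.get(s.pid, "?")
        if s.state == "LISTENING" and (image, s.lport) not in BASELINE_LISTENERS:
            findings.append(f"new listener: {image} (pid {s.pid}) on {s.proto}/{s.lport}")
        elif s.state == "ESTABLISHED" and image in NO_OUTBOUND and not is_internal(s.raddr):
            findings.append(f"outbound from {image} (pid {s.pid}) to {s.raddr}:{s.rport}")
    return findings
```

Because the match is on the owning process rather than the port, a firewall rule for 5900 being bypassed by a non-default port makes no difference to this check.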
What a cool tool (Score:5, Interesting)
Re:What a cool tool (Score:3, Insightful)
A simple true/false (exploited/no exploited) is all an admin needs to know. Break it down to which specific exploit worked.
This is just backorifice/subseven revisited.
Re:What a cool tool (Score:2)
Checking for exploits and fixing them could be done as part of one operation.
Thus making things easier for the admins.
Re:What a cool tool (Score:2)
As a self-appointed representative of ... (Score:4, Funny)
It goes without saying... (Score:3, Informative)
Re:It goes without saying... (Score:4, Informative)
5w33t!!!!!!!1111 (Score:5, Funny)
Stop slashdoting the site! (Score:4, Funny)
The real objective, as usual, is... (Score:5, Insightful)
Just like in the movies (Score:5, Interesting)
Incidentally, note that this isn't a hole in VNC. It's an attack that installs VNC. VNC doesn't have to be present on the target before the attack.
Great! (Score:4, Insightful)
"I'm so l33t, I don't 3v3n type!"
Root display or new? (Score:2)
Re:Root display or new? (Score:2, Insightful)
Demonstrating Need for Security... Good 4 devlpmnt (Score:2, Insightful)
Also, tools like this are good for exploit developers because they can stop spending their time creating a vaguely usable interface for their proofs of concept and find more holes to get fixed.
CLI vs. GUI Exploits (Score:2)
No, it's not. First there is the issue of bandwidth, but even more compelling is the "leetness" of the options. The CLI will always appeal to the more dangerous crackers - and those that imitate them.
Legitimate use of this kit (Score:2, Insightful)
The best thing is that it allows you to use SYSTEM, which has higher privilege than ADMINISTRATOR.
Windows admins are gonna love this damn thing.
Why all the negative response? (Score:4, Insightful)
So what's so bad about metasploit? It does little more than automate the installer for a concept which isn't new. If anything the public may start to see the real value of those of us who have been labeled as paranoid freaks for the last 10 years. This is the dawn of an age when the computer security expert may begin to receive the respect that we deserve. Previously we had been pooh-poohed by the general public aided in their derision by self-important sysadmins with the personality characteristics of the Simpsons' comic [doheth.co.uk] book [billbam.com] guy [freshmeat.net].
Re:Why all the negative response? (Score:2, Informative)
If you own a box and put Netbus on it any forensics monkey can figure out what was going on. With metasploit framework they'll be totally useless...time to find a new job forensics guys!
Oh and if people think you
More importantly (Score:4, Funny)
Metasploit stable : This branch has only been tested to work on unpatched machines.
Metasploit -dev ($49.95 membership and password required): This branch has been tested to work against fully up to date and patched machines.
That'd be | |_|63r-|337
Nice spamfilter option. (Score:3, Funny)
Confused (Score:2)
Where are all of the windows and old linux kernel exploits? What exactly is this program going after? I'd think there'd be tons of other exploits, like how the Sasser virus gets into Win2k/XP and stuff.
Or is this really a more childish project that finds one hole, inserts VNC, and lets you do whatever you want to it without testing all of those holes...?
So which versions of VNC are affected? (Score:2)
Re:So which versions of VNC are affected? (Score:2, Informative)
what we need now (Score:2)
or, i could see a rootkit maker integrate something like this and then use it to gain access to all the zombied machines of the people that employed the rootkit... that would likely be bad.
Re:Why? (Score:5, Informative)
"This is the Metasploit Project. The goal is to provide useful information to people who perform penetration testing, IDS signature development, and exploit research. This site was created to fill the gaps in the information publicly available on various exploitation techniques and to create a useful resource for exploit developers. The tools and information on this site are provided for legal penetration testing and research purposes only."
Re:Why? (Score:2, Insightful)
Re:Why? (Score:3, Insightful)
Re:Why? (Score:2, Insightful)
how the hell would it help if the only people allowed to test their security is... who? you need a CS degree? you need to work for a security company? you need to prove you could write your own tools?
Re:Why? (Score:2)
Re:Why? (Score:3, Funny)
Re:Why? (Score:5, Insightful)
You're much better off with a powerful spam relay or self-replicating worm than control over a user's PC, nevermind access via a remote shell like some of the recent worms have allowed.
Other than fucking with the heads of the users you have infected I don't really see the point. You'd have to be using their machine when they aren't around, you'd have to be doing this in person over VNC which could be very very slow depending on upstream, and it just wouldn't be as useful as a shell which *could* be scripted to automate your desired effect.
Re:Why? (Score:5, Insightful)
Re:Why? (Score:2)
I think the poster meant that a separate firewall be used between your PC and the Internet, not that you should forego Internet access entirely!
Re:Why? (Score:3, Interesting)
Re:Why? (Score:5, Funny)
However, script kiddies probably won't know how to code something up like that without someone holding their hands.
Re:Why? (Score:2)
I wish that were true, but many VNC clients come with file transfer agents now. I refuse to allow them on our network when logging into a machine using admin privileges.
Re:Why? (Score:3, Interesting)
I didn't really care either way, but I would hop on from time to time to make sure they were doing the
Because it's there (Score:2)
Re:Because it's there (Score:2, Funny)
Re:Why? (Score:3, Insightful)
I mean, what good is "hacking" into a box if you HAVE NO FUCKING IDEA HOW TO ACTUALLY USE IT?
This could just as easily spawn a cygwin shell if it wanted.
Re:Why? (Score:3, Interesting)
Or maybe it's time to find my tin-foil hat...
Re:Why? (Score:4, Interesting)
The easier it is for any 13 year old asshat to exploit these vulnerabilities, the more the value of self-titled "security experts" goes up. Then they can jack small businesses for a 5 grand "consulting fee" to recommend they install a firewall.
They're creating a problem in the hopes they'll be paid to solve it, in short.
Kind of like a windshield salesman going around daring
Re:VNC ? (Score:5, Informative)
Umm....RTFA.
It's an exploit for Windows (from the screenshot it seems to use the LSASS vulnerability that Sasser uses) that includes a VNC server in the payload, allowing remote GUI access under SYSTEM privileges (SYSTEM is like root in *nix, higher than even the Administrators group).
Better hope all your boxes are patched against this vulnerability, or prepare to watch the kiddies go to work.
And yes, I do mean watch. That's the only "problem" with this system: whatever you do directly shows up on the real screen, so the user is likely to notice suspicious things happening.
Re:VNC ? (Score:4, Informative)
Re:An example need for change (Score:2)
> model to fall fully in line with "everything is
> a file" - including blocks of memory! Treat
> memory as though it were simply a buffer for a
> file, and make the concept of "in memory" merely
> a detail for the disk cache controller.
Yeah, so instead of
a = 42;
you can write
/* SEEK_SET is the standard name; L_SET is the old BSD spelling */
if (lseek(memfd, A_OFFSET, SEEK_SET) == A_OFFSET) {
    int retcode = write(memfd, &newvalue, sizeof(newvalue));
}
Beginning
Re:An example need for change (Score:2)
I'm amazed by the uncreative dumb-ass comments on this thread. What amazing lack of vision!
Have you never really used Novell Netware? Back in the 1980s, Novell had "Network File Server" down in ways that still can only be approximated.
Let's say you had a file on the server. It tracked how often you accessed it. When it defragged the disk,