Point, Click, Root.
An anonymous reader writes "The Metasploit Project just released version 2.2 of the Metasploit Framework. This release includes a VNC server payload that can be used with almost any of the Windows exploits. The scary thing about this payload is that the VNC server executes as a new thread in the exploited process, without writing any files to the disk drive. Is this the end as we know it for simple remote command shell exploits? A couple of articles have already mentioned this project."
Here
... stated that they're not paying any attention to this.
hummmm... that helps.
I think that's the question most people would have on their minds...
What a sad day when even taking over someone's machine can be done point-and-click style. Seemed so much more personal when you just had a remote shell.
Anyone else get a 404 when first trying to load this story?
Sounds like script-kiddie heaven!
A house divided against itself cannot stand.
The cool thing about the VNC payload is that it works if the machine is not logged in, or if the screen is locked.
Well, good news is that their server didn't handle the Metasploit ;)
This is a test. This is a test of the emergency sig system. This has been only a test.
Microsoft should just post a big list of hacked machines, and turn everything wide open. After the script kiddie deluge is done, then we all go "phew! Wasn't that fun!" and go buy something else.
stuff |
... is a preview of the site's front page in a few days, courtesy of your friends at dhs.gov.
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
How does something start off as a "portable network game" and end up as a f*cking remote GUI root?
Un-news
I was seriously getting bummed by the low quality of today's script kiddie exploits. With the Metasploit project, finally real security-minded people, tinkerers (hackers) and just plain good programmers can have a common place to post their hard-won knowledge for "1337" kids online to use.
Free Teekid! 1st Amendment!
Yes, free the dumb kid! The justice usually shows leniency toward the mentally disadvantaged, why not in this case?
...now this is a subject line you can get on board with.
Imagine a DMCA cluster of these!
There is no reason to include a VNC server payload like this. Those legitimate security professionals who use Metasploit for pen testing should have the skills to create their own VNC payload, if they actually have a use for it. To include it ready made, point and click, easy to use like this just makes it that much easier for the script kiddiots out there.
I am not against full disclosure or the dissemination of security tools; I just happen to think that for every one security pro who uses this tool for good there will be a hundred script kiddies who use it for causing havoc. Rather than make life easier for the good guys, this will just make it that much more difficult.
I have recently obtained a patent on One-Click Cracking.
Our lawyers will be getting in touch with the MetaSploit group to discuss licensing options.
Thank you,
Jeff Bezos
Founder and CEO
amazon.com
P01NT CL1CK W00T!
An Indian-American Hindu committed to non-violent thought/speech/action alarmed by the global explosion of radical Islam
Has Microsoft released a timeline of when this toolkit will be integrated into VS.NET 2003?
that wasn't a rhetorical "why?", was it?
"I'd rather be a lightning rod than a seismometer." -Ken Kesey
Congratulations adventurer!
Your quest is at an end for you have reached the root of NetHack.
Within, the Wizard of MS RAS has no power, the Oracle 8i speaks with utmost clarity, and the stack overflow bugs do not bite.
This comment does not necessarily represent the views and opinions of the author.
We are starting to see tools that really show what can be done out there in the wild... :)
"Since when has it been news that VNC is shitty and insecure?"
Umm....RTFA.
It's an exploit for Windows (from the screenshot it seems to use the LSASS vulnerability that Sasser uses) that includes a VNC server in the payload, allowing remote GUI access under SYSTEM privileges (SYSTEM is like root in *nix, higher than even the Administrators group).
Better hope all your boxes are patched against this vulnerability, or prepare to watch the kiddies go to work.
And yes, I do mean watch; that's the only "problem" with this system: whatever you do directly shows up on the real screen, so the user is likely to notice suspicious things happening.
I used to get high on life, but I developed a tolerance. Now I need something stronger.
Ugh. This is going to be really popular with the script kiddies. I have to (grudgingly) admit that this is quite elegant though.
I wonder if running your own (password-protected) vncserver will be any protection against this. I guess it depends on whether the payloaded vncserver can have its port changed or whether it is stuck with the default.
If it can be changed then this is going to be very nasty. You couldn't even simply firewall all the vnc ports any more as the kiddie could configure the server to run on an unprivileged port. I suppose that SYN flag checking or using a connection-stateful firewall should protect against this.
Yuck.
For all the whining about how this makes it so easy for script kiddies, consider that it also makes it so easy for admins who are not in tune with the latest script kiddy 'sploits. This allows them to quickly test their networks in click-n-drool fashion. This can be a very useful tool.
visually impaired black hat hackers, we resent that this program is not designed for wider access. It's just another example of the systematic discrimination that we face as we try to gain root and own you all. We will eventually succeed. And when we do, we'll make all web pages look like bad!
For those interested in RealVNC's response, see here - http://www.realvnc.com/faq.html#security
Isn't VNC open source? If so, isn't that supposed to make it not shitty and insecure?
My Tech Posts on Twitter
that anybody running VNC servers (or any remote access software) should have in place good firewalls and a good quality VPN requiring strong authentication.
cuz, like, lurning all thoze command line thingz wuz totally hard, this wil maek me s0 much m0re 1337!!!!!!!one I totale r0x0rz n0w!!!!LOLOL
do not read this line twice.
I'll just leave it.slashdot.org full. That will teach those darn dirty hackers.
Amusing. Why does it go to www.microsoft.com?
Can you guys stop slashdoting the site? I want to download it just to show some co-workers a little "surprise"...
ahem...torrent please?
... to make security experts more valuable by making security vulnerablities easier to exploit.
Mathematics is not a crime.
RTFA. They're using an unpassworded VNC server as the payload for your favorite win32 exploit. Thus, once you can root their machine, you can run a full VNC server in RAM and then wait till said luser sets their aim away message and goes to their boyfriend's house and have fun looking through their files remotely.
http://fugly.slashdot.org/article.pl?sid=04/08/12/1550237&tid=172
That's all I've got.
Jesus was all right but his disciples were thick and ordinary. -John Lennon
Incidentally, note that this isn't a hole in VNC. It's an attack that installs VNC. VNC doesn't have to be present on the target before the attack.
This is the truth.
If they wanted to create a truly useful tool to help admins, it would simply check a machine, and return a true/false for each exploit, if it was successful - but would carry no payload.
This is just creating a problem, hoping someone will pay them to solve it. Sad.
Sad that the Metasploit project is also only about Windows exploits. There are exploits for various *nix services, and plenty of 'em. No real reason to patch your Linux or BSD boxes, though, since no one's creating script kiddy tools to exploit these, though I don't see why not. Of course, that would go against the "See! Linux is unpernetrable an Winblows is teh suck!" mantra.
I don't need no instructions to know how to rock!!!!
You need to Read The Friggen Parent. I was responding to "Since when has it been news that VNC is shitty and insecure?"
There was a three part series on Metasploit on SecurityFocus in July. See here
So instead of a script kiddie, we're going to now have "click kiddie"...
"I'm so l33t, I don't 3v3n type!"
Yes Francis, the world has gone crazy.
I can't seem to be able to reach the site. Does this run on the root display like VNC and PCAnywhere normally do under Windows, or does it create a new display? It doesn't seem as useful except as a prank if the user sees you take over the machine. So if this is able to create a new display then this is what I've been looking for. It would potentially allow me to run multiple sessions under Windows, which is something I've been wanting to do but couldn't afford. Citrix or the server edition of Win4Lin could have solved my problem, but this might do it too. Anyone know how this works?
Apparently Metasploit got slash.sploited
"If any question why we died, Tell them because our fathers lied."
I did this exact thing in college, but it only worked for one kind of exploit. It was the ultimate backdoor because it was the front door. If I ever found that a floormate had left their door unlocked, I'd walk in with a CD with a VNC server on it, install it and then own their away messages forever!!! l33t h4x0r!!!
Tools like this are GREAT at demonstrating the need for greater security at board meetings, or initial consultations as a security consultant. Nothing opens people's eyes to the need for mass patching of workstations or servers like breaking into a machine using a tool that a 4yo could use.
Also, tools like this are good for exploit developers because they can stop spending their time creating a vaguely usable interface for their proofs of concept and find more holes to get fixed.
Is this the end as we know it for simple remote command shell exploits?
No, it's not. First there is the issue of bandwidth, but even more compelling is the "leetness" of the options. The CLI will always appeal to the more dangerous crackers, and those that imitate them.
dmiessler.com -- grep understanding knowledge
It's because by default in Firefox when something is entered into the location bar that is not a URL, google does an "I'm Feeling Lucky" search on the string. The string "http;slashdot.org" terminates with the semicolon. You may notice if you google for "http" microsoft.com is the first result. Therefore entering "http;billgateseatsbabies.com" will also go to microsoft.com
Microsoft Baseline Security Analyzer
It even has a command line testing tool.
This kit allows quick remote access to Windows systems, without the need to preconfigure anything on the far side beforehand.
The best thing is that it allows you to use SYSTEM, which has higher privilege than ADMINISTRATOR.
Windows admins are gonna love this damn thing.
This is a pretty clear example of why we need to make a change in the way files/memory are kept.
Here's the hierarchy for data storage:
cpu registers (where the data is requested)
l1 cache
l2 cache
l3 cache
RAM
<snip>
disk/network
Notice the disconnect between RAM and disk. All levels of storage above disk are essentially buffers for the RAM - Why the disconnect at disk/network?
I think we should remodel the memory/storage model to fall fully in line with "everything is a file" - including blocks of memory! Treat memory as though it were simply a buffer for a file, and make the concept of "in memory" merely a detail for the disk cache controller.
Writing to memory and writing to disk/network share etc. should be the same operation and would eliminate all kinds of un-needed software complexity.
I have no problem with your religion until you decide it's reason to deprive others of the truth.
... the computer went all beep beep beep?
Got a catcher sub-domain, dontcha think?
http://neutered.slashdot.org/article.pl?sid=04/08/12/1550237&tid=172
or how about this one?
http://yourmom.slashdot.org/article.pl?sid=04/08/12/1550237&tid=172
Because Firefox does an I'm Feeling Lucky search on everything up to the semicolon. It does this for any non-valid URL. microsoft.com just happens to be the first hit for the string "http;"
Has the /. community been hiding in a dark cave someplace? Back Orifice, Netbus, and Sub7 were all available YEARS ago. All three offered graphical user interfaces which allowed the exploiter to launch programs, change text, take screenshots, and many other wonderful functions (in the case of Back Orifice there was even a plugin system called Butt-Plugs). As time has passed Netbus has even become a commercial remote administration tool. The only thing that was required was a little knowledge of a network exploit which allowed the execution of remote code. In many cases it wasn't that difficult to come by. In other cases it was easy enough, especially in the early years, to send an e-card to someone. In the beginning, if any of you remember, e-cards were often self-contained .exe files and it wasn't that uncommon to receive an .exe e-card. Additionally many people who were studying computer science would write cute nifty little programs for their girl/boyfriends/family members.
So what's so bad about metasploit? It does little more than automate the installer for a concept which isn't new. If anything the public may start to see the real value of those of us who have been labeled as paranoid freaks for the last 10 years. This is the dawn of an age when the computer security expert may begin to receive the respect that we deserve. Previously we had been pooh-poohed by the general public aided in their derision by self-important sysadmins with the personality characteristics of the Simpsons' comic book guy.
+++ATHZ 99:5:80
good design.
; -- the corruption of government starts with its secrets. a truly free people keep no secrets. --
So when your computer bluescreens, the state of the computer is written to disk. Great idea.
Will the -devel branch of metasploit become the central hub for 0-day exploits?
Metasploit stable : This branch has only been tested to work on unpatched machines.
Metasploit -dev ($49.95 membership and password required): This branch has been tested to work against fully up to date and patched machines.
That'd be | |_|63r-|337
I think I'll incorporate this project in my spam-filter to execute a remote shut-down after receiving the first spam. After a 2nd spam I'll think of a more permanent way to opt-out. ;)
Privacy is terrorism.
Now we have
Command line Entry -> Visual Entry.
'twas so much simpler when you only had ppl who could actually type.
--LWM
Where are all of the Windows and old Linux kernel exploits? What exactly is this program going after? I'd think there'd be tons of other exploits, like how the Sasser virus gets into Win2k/XP and stuff.
Or is this really a more childish project that finds one hole, inserts VNC, and lets you do whatever you want to it without testing all of those holes...?
Berto
In case you seriously think Kerry will install someone better than Ashcroft, this should be an interesting read. Keep in mind that Kerry authored several sections of the Patriot Act.
http://www.reason.com/hod/jb072604.shtml
If you don't feel like reading, here's some highlights:
This isn't the first time Kerry and Ashcroft have been at odds over civil liberties. In the 1990s, government proposals to restrict encryption inspired a national debate. Then as now, the American Civil Liberties Union (ACLU) and electronic privacy groups locked horns with the DOJ and law enforcement agencies. Then as now, Kerry and Ashcroft were on opposite sides.
But there was noteworthy difference in those days. Then it was Sen. John Ashcroft (R-Mo.) who argued alongside the ACLU in favor of the individual's right to encrypt messages and export encryption software. Ashcroft "was kind of the go-to guy for all of us on the Republican side of the Senate," recalls David Sobel, general counsel of the Electronic Privacy Information Center.
And in what now seems like a bizarre parallel universe, it was John Kerry who was on the side of the FBI, the National Security Agency, and the DOJ. Ashcroft's predecessor at the Justice Department, Janet Reno, wanted to force companies to create a "clipper chip" for the government--a chip that could "unlock" the encryption codes individuals use to keep their messages private. When that wouldn't fly in Congress, the DOJ pushed for a "key escrow" system in which a third-party agency would have a "backdoor" key to read encrypted messages.
- - - -
Responding directly to a column in Wired on encryption that said "trusting the government with your privacy is like having a Peeping Tom install your window blinds," Kerry invoked the Americans killed in 1993 bombing of the World Trade Center and the 1995 bombing of the Alfred P. Murrah Building in Oklahoma City. "[O]ne would be hard-pressed," he wrote, "to find a single grieving relative of those killed in the bombings of the World Trade Center in New York or the federal building in Oklahoma City who would not have gladly sacrificed a measure of personal privacy if it could have saved a loved one."
Sure it's entertaining to view a hacked PC remotely, but a VNC payload is not a greater security threat than anything else out there. The second your PC is running a hacker's program (w/ or w/o the VNC payload), everything is at risk.
I am not against full disclosure or the dissemination of security tools; I just happen to think that for every one security pro who uses this tool for good there will be a hundred script kiddies who use it for causing havoc.
There are already plenty of tools out there for that, with more being created every day. I for one am fed up with people who complain every single time something like this, which makes my life easier since I don't have to do any actual work to test out the machines on my network, is introduced.
Isn't it better to discover, identify, and eliminate the weaknesses in one's network rather than wait for someone less trustworthy to discover, identify, and exploit them without your permission? Isn't that what software like this can help us accomplish?
There's no stopping software like this. More and better software is being created all the time, and some of it can indeed be used by bad people to do bad things. Rather than complain and fret about the potential evil uses to which it can be put, the sensible person would welcome it as yet another useful tool in their security arsenal.
Did you also whine about "nmap"?
- A.P.
"Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
All? "This release includes the DLL injection payloads (VNC)" isn't very helpful and the documentation doesn't seem to mention anything. Anyone? Bueller?
If you wanna get rich, you know that payback is a bitch
Industry security analyst Kevin Mitnick was laughing uncontrollably and unable to comment.
Help stamp out iliturcy.
Anyone have a torrent or a mirror for the Cygwin version?
What we need now is a rootkit which installs a remote shell on the machine of the person rooting, and then sends off a snippet of information to a central authority (FBI? vigilante forces?) who would then use the information to take these fools out.
Or, I could see a rootkit maker integrate something like this and then use it to gain access to all the zombied machines of the people that employed the rootkit... that would likely be bad.
~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
Rather than complain and fret about the potential evil uses to which it can be put, the sensible person would welcome it as yet another useful tool in their security arsenal.
You completely missed my point. I said I am not against full disclosure or the dissemination of security tools. I think that tools like Metasploit can be very valuable. What I was saying was that the inclusion of the VNC server payload was irresponsible. I don't see the point in the Metasploit team creating and including this payload. That is my point.
Did you also whine about "nmap"?
WTF are you talking about? Didn't I say "I am not against full disclosure or the dissemination of security tools"?! My problem is that I don't understand the point of them creating this specific payload, and nobody seems to give me a valid explanation why they did it. I mean, if you are vulnerable to the exploit that this payload uses then that's all you need to know, so why include a payload like this? Why not just release the exploit with a payload that is already being used? Why introduce new payloads into the wild?
Core Impact. Just because it's commercial doesn't mean it's not the same issue.
Good pals.
Flash movie with sample attack
Back in the days of yore, my brother and his friends used to take pride in knowing a wide variety of tools and techniques for opening beer bottles. Then along came the twist off beer bottle cap, and my brother was heard to say: "Crap, now any idiot can open a beer.".
It happens to all of us, our hard won skills, honed to perfection over years of use, the knowledge and techniques that make us special and separate us from the common man, get packaged into a user friendly, idiot proof tool. It's called progress.
"I'm not impatient. I just hate waiting." - My Dad
Let's never mind how easy this makes it for amateurs to break into systems.
How easy does this make it for *machines* to break into systems? How long before we see worms in the wild that just grab exploits straight from the site? Offering shrink-wrapped exploits sure reduces the configuration space over which a mutating worm would need to vary its programming.
As much of a curmudgeon about machine intelligence as you may be, I know a number of people who would be hard pressed to say which was dumber: your average script kiddie, or your average worm.
/* Keep in mind that Kerry authored several sections of the Patriot Act. */
That's simply not true.
Kerry voted for U.S.A.P.A.T.R.I.O.T.; the only presidential candidate against it was Kucinich.
However, right now Kerry is working on the SAFE Act that would hopefully restrict that "Patriot" thing.
All that from the article you linked to.
That's what connecting an unprotected computer to the Internet is like. The parent post was good advice.