Slashdot Mirror


Point, Click, Root.

An anonymous reader writes "The Metasploit Project just released version 2.2 of the Metasploit Framework. This release includes a VNC server payload that can be used with almost any of the Windows exploits. The scary thing about this payload is that the VNC server executes as a new thread in the exploited process; without writing any files to the disk drive. Is this the end as we know it for simple remote command shell exploits? A couple articles have already mentioned this project."
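The property the summary highlights, a VNC server that runs as a new thread inside the exploited process without touching the disk, is also what gives the defender a handle on it: the thread's start address lies in private, executable memory that no loaded module backs. The following is an added example, not code from the Metasploit Framework or from the original page, showing that check over constructed data; the module list, memory regions and thread table are hand-written samples in the shape a Toolhelp or VirtualQueryEx enumeration would produce, and the addresses are illustrative only.

```python
"""Flag threads whose start address is not backed by a loaded module.

Added example, not code from the Metasploit Framework or the original page.
The module list, memory regions and thread table below are constructed sample
data; the addresses are illustrative only."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Module:
    name: str
    base: int
    size: int


@dataclass(frozen=True)
class Region:
    base: int
    size: int
    kind: str      # MEM_IMAGE, MEM_MAPPED or MEM_PRIVATE
    protect: str   # PAGE_* constant name


@dataclass(frozen=True)
class Thread:
    tid: int
    start: int     # thread start address as a debugger/toolhelp would report it


@dataclass(frozen=True)
class Finding:
    tid: int
    start: int
    reason: str


def _inside(base, size, addr):
    return base <= addr < base + size


def module_for(addr, modules):
    """Return the loaded module containing addr, or None."""
    return next((m for m in modules if _inside(m.base, m.size, addr)), None)


def region_for(addr, regions):
    """Return the committed memory region containing addr, or None."""
    return next((r for r in regions if _inside(r.base, r.size, addr)), None)


def find_unbacked_threads(threads, modules, regions):
    """Return a Finding for every thread whose start is outside all modules."""
    findings = []
    for t in threads:
        if module_for(t.start, modules) is not None:
            continue  # start lies inside a loaded module: an ordinary thread
        r = region_for(t.start, regions)
        if r is None:
            reason = "start address in no committed region"
        else:
            reason = f"start address in {r.kind} memory ({r.protect}), no backing module"
        findings.append(Finding(t.tid, t.start, reason))
    return findings


# Constructed sample process: an exploited service with one injected thread.
SAMPLE_MODULES = [
    Module("svchost.exe", 0x00400000, 0x8000),
    Module("kernel32.dll", 0x7C800000, 0xF6000),
    Module("ntdll.dll", 0x7C900000, 0xB2000),
]
SAMPLE_REGIONS = [
    Region(0x00400000, 0x8000, "MEM_IMAGE", "PAGE_EXECUTE_READ"),
    Region(0x00A30000, 0x10000, "MEM_PRIVATE", "PAGE_EXECUTE_READWRITE"),  # injected payload
    Region(0x7C800000, 0xF6000, "MEM_IMAGE", "PAGE_EXECUTE_READ"),
    Region(0x7C900000, 0xB2000, "MEM_IMAGE", "PAGE_EXECUTE_READ"),
]
SAMPLE_THREADS = [
    Thread(1000, 0x00401000),  # main thread, inside svchost.exe
    Thread(1004, 0x7C810000),  # worker thread, inside kernel32.dll
    Thread(1010, 0x00A30200),  # thread started in the private RWX region
]

if __name__ == "__main__":
    for f in find_unbacked_threads(SAMPLE_THREADS, SAMPLE_MODULES, SAMPLE_REGIONS):
        print(f"tid {f.tid} start {f.start:#010x}: {f.reason}")
```

The check keys on where the thread runs, not on a file name or a port, so it does not care that nothing was written to disk or which port the server ends up on. It is a triage signal rather than a verdict: JIT compilers, packers and some hooking frameworks also run code out of private executable memory, so a hit on a process that legitimately does so needs a second look at the region's contents.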

21 of 216 comments

  1. Why? by KangXii · · Score: 1, Insightful

    I think that's the question most people would have on their minds...

    1. Re:Why? by garcia · · Score: 4, Insightful

      exactly. VNC, while great if you are really interested in controlling a PC remotely, isn't all that useful for trojans/worms.

      You're much better off with a powerful spam relay or self-replicating worm than control over a user's PC, nevermind access via a remote shell like some of the recent worms have allowed.

      Other than fucking with the heads of the users you have infected I don't really see the point. You'd have to be using their machine when they aren't around, you'd have to be doing this in person over VNC which could be very very slow depending on upstream, and it just wouldn't be as useful as a shell which *could* be scripted to automate your desired effect.

    2. Re:Why? by KangXii · · Score: 2, Insightful

      If that were their real goal, they wouldn't release their tools to the vast public, don't you think?

    3. Re:Why? by stratjakt · · Score: 3, Insightful

      Think about it, script kiddies can't use a remote shell. They can only point and click. That's what metasploit is for, to make it easy for "1337 5kr1p7 k1dd13z".

      I mean, what good is "hacking" into a box if you HAVE NO FUCKING IDEA HOW TO ACTUALLY USE IT?

      This could just as easily spawn a cygwin shell if it wanted.

      --
      I don't need no instructions to know how to rock!!!!
    4. Re:Why? by Trolling4Dollars · · Score: 5, Insightful

      Or... you could connect in view-only mode and watch them type in sensitive data. Maybe install a key logger when they aren't around. Dig through their personal file stash and find nudies of their husband or wife and upload them to yafro.com. There's a whole lot of personal nastiness and ID theft that could result from this. Which leads me to lesson #1. NEVER put your PC directly on the internet. If you do, you deserve whatever happens to you.

    5. Re:Why? by Curtman · · Score: 2, Insightful

      If you've ever tried to get support from Microsoft, you'd know that's the only way to get them to do anything. Sad but true.

    6. Re:Why? by rokzy · · Score: 1, Insightful

      no I don't think that.

      how the hell would it help if the only people allowed to test their security is... who? you need a CS degree? you need to work for a security company? you need to prove you could write your own tools?

  2. This is not very responsible. by JAD+lifter · · Score: 3, Insightful

    There is no reason to include a VNC server payload like this. Those legitimate security professionals who use Metasploit for pen testing should have the skills to create their own VNC payload, if they actually have a use for it. To include it ready made, point and click, easy to use like this just makes it that much easier for the script kiddiots out there.

    I am not against full disclosure or the dissemination of security tools, I just happen to think that for every one security pro who uses this tool for good there will be a hundred script kiddies who use it for causing havoc. Rather than make life easier for the good guys this will just make it that much more difficult.

    1. Re:This is not very responsible. by winkydink · · Score: 3, Insightful

      You could say the same thing about virtually any cracking tool out there. Your logic ultimately falls back to "security through obscurity". To use a medical analogy, this never cures the disease, it only delays the onset of symptoms.

      --

      "I'd rather be a lightning rod than a seismometer." -Ken Kesey

  3. Nasty. by genixia · · Score: 5, Insightful

    Ugh. This is going to be really popular with the script kiddies. I have to (grudgingly) admit that this is quite elegant though.

    I wonder if running your own (password-protected) vncserver will be any protection against this. I guess it depends on whether the payloaded vncserver can have its port changed or whether it is stuck with the default.

    If it can be changed then this is going to be very nasty. You couldn't even simply firewall all the vnc ports any more as the kiddie could configure the server to run on an unprivileged port. I suppose that SYN flag checking or using a connection-stateful firewall should protect against this.

    Yuck.

    1. Re:Nasty. by Firehawke · · Score: 3, Insightful

      Well, if that screenshot is any indication, it's running as System... you wouldn't even have to have a logged-in Admin. You've got kernel-level access to the machine from that VNC.

      That doesn't answer whether it'd change ports if an existing VNC is there, but nevertheless, it looks like a particularly nasty and hard-to-track rootkit.
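The two comments above ask whether a firewall on the VNC ports helps when the payload can be told to listen on any port, and note that a server living inside a system process is hard to track. A check that does not depend on the port number is to inventory sockets by their owning process and compare against what that image is expected to do. Added example, not from the original page or the Metasploit project: the `netstat -ano` text and the pid-to-image map are constructed sample data, and the two allowlists are illustrative, not a recommended baseline.

```python
"""Inventory sockets by owning process rather than by port number.

Added example, not from the original page. The netstat text and the pid-to-
image map are constructed sample data in the layout of 'netstat -ano'; the
allowlists are illustrative only."""
from dataclasses import dataclass

# Constructed: a 'netstat -ano' listing from a workstation whose lsass.exe
# (pid 1476) hosts an injected VNC server on an arbitrary port plus a
# connect-back session to the attacker.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       1476
  TCP    192.168.1.10:1050      10.0.0.5:5900          ESTABLISHED     1476
  TCP    192.168.1.10:1051      192.168.1.20:445       ESTABLISHED     4
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed pid -> image map, as 'tasklist' would report it.
SAMPLE_PIDS = {4: "System", 900: "svchost.exe", 1476: "lsass.exe"}

# Illustrative baseline: which images may listen on which local ports.
EXPECTED_LISTENERS = {"System": {139, 445}, "svchost.exe": {135}}
# Illustrative: images that should never hold an outbound connection.
NO_OUTBOUND = frozenset({"lsass.exe", "winlogon.exe"})


@dataclass(frozen=True)
class Finding:
    pid: int
    image: str
    local_port: int
    state: str
    reason: str


def parse_netstat(text):
    """Return (proto, local_port, foreign, state, pid) for each socket row."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue  # header, blank line or anything else
        proto, local, foreign = parts[0], parts[1], parts[2]
        if proto == "TCP":
            state, pid = parts[3], int(parts[4])
        else:
            state, pid = "", int(parts[3])  # UDP rows carry no state column
        local_port = int(local.rsplit(":", 1)[1])
        rows.append((proto, local_port, foreign, state, pid))
    return rows


def audit_sockets(text, pid_to_image, expected=EXPECTED_LISTENERS,
                  no_outbound=NO_OUTBOUND):
    """Flag listeners the owning image is not expected to have, and outbound
    connections from images that should never connect out."""
    findings = []
    for proto, port, foreign, state, pid in parse_netstat(text):
        image = pid_to_image.get(pid, "<unknown>")
        if state == "LISTENING" or proto == "UDP":
            if port not in expected.get(image, set()):
                findings.append(Finding(pid, image, port, state or "UDP",
                                        "listener not expected for this image"))
        elif state == "ESTABLISHED" and image in no_outbound:
            findings.append(Finding(pid, image, port, state,
                                    f"outbound connection to {foreign} "
                                    "from an image that should not connect out"))
    return findings


if __name__ == "__main__":
    for f in audit_sockets(SAMPLE_NETSTAT, SAMPLE_PIDS):
        print(f"pid {f.pid} ({f.image}) port {f.local_port} {f.state}: {f.reason}")
```

A rule that blocks inbound 5900 catches neither of the two findings here: the server sits on 4444, and the connect-back session is an outbound connection the host initiated, which a stateful firewall on the victim will happily permit. Keying the check on the owner of the socket is what makes the port choice irrelevant.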

  4. Re:What a cool tool by stratjakt · · Score: 3, Insightful

    What does the VNC server payload have to do with using the tool to test your machines?

    A simple true/false (exploited/no exploited) is all an admin needs to know. Break it down to which specific exploit worked.

    This is just backorifice/subseven revisited.

    --
    I don't need no instructions to know how to rock!!!!
  5. The real objective, as usual, is... by James+Turpin · · Score: 5, Insightful

    ... to make security experts more valuable by making security vulnerablities easier to exploit.

    --
    Mathematics is not a crime.
  6. Great! by Mysticalfruit · · Score: 3, Insightful

    So instead of a script kiddie, we're going to now have "click kiddie"...

    "I'm so l33t, I don't 3v3n type!"

    --
    Yes Francis, the world has gone crazy.
  7. Demonstrating Need for Security... Good 4 devlpmnt by Anonymous Coward · · Score: 2, Insightful

    Tools like this are GREAT at demonstrating the need for greater security at board meetings, or initial consultations as a security consultant. Nothing opens people's eyes to the need for mass patching of workstations or servers like breaking into a machine using a tool that a 4yo could use.

    Also tools like this are good for exploit developers because they can stop spending their time creating a vaguely usable interface for their proof of concepts and find more holes to get fixed.

  8. Legitimate use of this kit by dillee1 · · Score: 2, Insightful

    This kit allows quick remote access to Windows systems, without the need to preconfigure anything on the far side beforehand.
    The best thing is that it allows you to use SYSTEM, which has higher privilege than ADMINISTRATOR.

    Windows admins are gonna love this damn thing.

  9. Why all the negative response? by maximilln · · Score: 3, Insightful

    Has the /. community been hiding in a dark cave someplace? Back Orifice, Netbus, and Sub7 were all available YEARS ago. All three offered graphical user interfaces which allowed the exploiter to launch programs, change text, take screenshots, and many other wonderful functions (in the case of Back Orifice there was even a plugin system called Butt-Plugs). As time has passed Netbus has even become a commercial remote administration tool. The only thing that was required was a little knowledge of a network exploit which allowed the execution of remote code. In many cases it wasn't that difficult to come by. In other cases it was easy enough, especially in the early years, to send an e-card to someone. In the beginning, if any of you remember, e-cards were often self-contained .exe files and it wasn't that uncommon to receive an .exe e-card. Additionally many people who were studying computer science would write cute nifty little programs for their girl/boyfriends/family members.

    So what's so bad about metasploit? It does little more than automate the installer for a concept which isn't new. If anything the public may start to see the real value of those of us who have been labeled as paranoid freaks for the last 10 years. This is the dawn of an age when the computer security expert may begin to receive the respect that we deserve. Previously we had been pooh-poohed by the general public aided in their derision by self-important sysadmins with the personality characteristics of the Simpsons' comic book guy.

    --
    +++ATHZ 99:5:80
  10. Re:Root display or new? by Anonymous Coward · · Score: 2, Insightful

    There is a limitation in the Win32 desktop API that only allows one desktop to be the 'input desktop'. While many services create a hidden desktop/windowstation to run in, it is not possible to read the 'screen' of this desktop or send input to it. Presumably this was a conscious decision to prevent competition in the terminal services licensing department...

  11. Re:The undisclosed source from the DoD... by jabbo · · Score: 3, Insightful

    Not exactly. The quote was:

    "MetaSploit isn't being taken seriously enough" by his peers in government security, the DoD employee added.

    --
    Remember that what's inside of you doesn't matter because nobody can see it.
  12. Tough. Security testing should be this easy. by Wakko+Warner · · Score: 4, Insightful

    I am not against full disclosure or the dissemination of security tools, I just happen to think that for every one security pro who uses this tool for good there will be a hundred script kiddies who use it for causing havoc.

    There are already plenty of tools out there for that, with more being created every day. I for one am fed up with people who complain every single time something like this, which makes my life easier since I don't have to do any actual work to test out the machines on my network, is introduced.

    Isn't it better to discover, identify, and eliminate the weaknesses in one's network rather than wait for someone less trustworthy to discover, identify, and exploit them without your permission? Isn't that what software like this can help us accomplish?

    There's no stopping software like this. More and better software is being created all the time, and some of it can indeed be used by bad people to do bad things. Rather than complain and fret about the potential evil uses to which it can be put, the sensible person would welcome it as yet another useful tool in their security arsenal.

    Did you also whine about "nmap"?

    - A.P.

    --
    "Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
  13. Re:Works when the machine is locked too by Anonymous Coward · · Score: 1, Insightful

    "Or while you're trying to type your password to log in, they could just keep typing a letter or two, thereby keeping you from logging in."

    Or, indeed, running a program to reveal the password being typed...