Slashdot Mirror


Point, Click, Root.

An anonymous reader writes "The Metasploit Project just released version 2.2 of the Metasploit Framework. This release includes a VNC server payload that can be used with almost any of the Windows exploits. The scary thing about this payload is that the VNC server executes as a new thread in the exploited process; without writing any files to the disk drive. Is this the end as we know it for simple remote command shell exploits? A couple articles have already mentioned this project."

18 of 216 comments

  1. Works when the machine is locked too by Anonymous Coward · · Score: 5, Interesting

    The cool thing about the VNC payload is that it works if the machine is not logged in, or if the screen is locked.

    1. Re:Works when the machine is locked too by TedCheshireAcad · · Score: 2, Interesting

      The cool thing about the VNC payload is that it works if the machine is not logged in, or if the screen is locked.

      Parent has a good point: how often do you leave your servers logged in? Could be fun for unsuspecting people at their workstations, though. I can see it now, the calls coming in: "OMG MY MOUSE IS TEH MOVING....HAXORS IN TEH MY pC!!11".

      Sigh. Never a dull moment in IT.

    2. Re:Works when the machine is locked too by nine-times · · Score: 3, Interesting

      Parent has a good point, how often do you leave your servers logged in?

      On the other hand, hackers can VNC in and watch what you do without you knowing they're connected. Or while you're trying to type your password to log in, they could just keep typing a letter or two, thereby keeping you from logging in.

    3. Re:Works when the machine is locked too by Ytsejam-03 · · Score: 5, Interesting

      The cool thing about the VNC payload is that it works if the machine is not logged in, or if the screen is locked.

      So does anything else that exploits a service running as LocalSystem. As long as the service is running, it does not matter whether the workstation is locked or not logged in.

      I assume you're saying this because you saw the screen shot linked in the summary. Notice that it says "System" at the top of the start menu. This is not the user's desktop, and you won't get to see the user's running apps. You'll have to exploit something running in the user's session to do that.

      This won't let you do anything that you could not already have done by installing, say, netcat with the same exploit.

    4. Re:Works when the machine is locked too by johnrob · · Score: 2, Interesting

      Since VNC is based on graphic updates and mouse clicks, a locked machine is actually safe from a VNC "hacker". The hacker would only see the Windows locked workstation screen (not very exciting). Perhaps the payload could be used to catch login keystrokes, but I doubt Windows makes it possible to receive keystroke events during a login/unlock-workstation screen. If doing so is possible, it's a huge security flaw in Windows.

    5. Re:Works when the machine is locked too by andreyw · · Score: 2, Interesting

      Trapping passwords would likely be impossible without patching msgina.dll.

  2. Umm... by Trolling4Dollars · · Score: 5, Interesting

    How does something start off as a "portable network game" and end up as a f*cking remote GUI root?

    1. Re:Umm... by Otter · · Score: 5, Interesting

      How does something start off as a "portable network game" and end up as a f*cking remote GUI root?

      I suppose, the same way Goldeneye started as a game and ended up as the boot disk for Xbox Linux...

    2. Re:Umm... by mbourgon · · Score: 2, Interesting

      I suppose, the same way Goldeneye started as a game and ended up as the boot disk for Xbox Linux...

      Actually, it was Mechwarrior, though 007: Agent Under Fire can be used as well.

      (an aside: anyone know if Robertson ever paid up on the whole "run linux on physically untouched xbox"?)

      --
      "Sometimes a woman is a kind of religion, she can save your soul & set you free from all your sins" - Bad Examples

  3. What a cool tool by ikeleib · · Score: 4, Interesting

    For all the whining about how this makes it so easy for script kiddies, consider that it also makes it so easy for admins who are not in tune with the latest script kiddy 'sploits. This allows them to quickly test their networks in click-n-drool fashion. This can be a very useful tool.

  4. Re:Nothing that... by Maestro4k · · Score: 3, Interesting

    • What a sad day when even taking over someone's machine can be done point-and-click style. Seemed so much more personal when you just had a remote shell.

    Those days have been gone for a while; script kiddies routinely point n' click to take over machines. They might have to *gasp* type something in an IRC channel to control their zombies, but it's all highly idiot-proof. (Which is good, I suppose, since most script kiddies seem to be idiots.)

  5. Re:Why? by aborchers · · Score: 3, Interesting

    So, what you're saying is that the tool is only useful if it allows you to do something malicious with the machine? I guess we know which side of the computer security fence you're on. ;-)

    --
    Trouble making decisions? Just flip for it.

  6. Re:Nasty. by peacefinder · · Score: 2, Interesting

    I imagine the exploit could include a VNC password change attempt. It would presumably only work on machines with a currently-logged-in admin user, but that's just the sort of thing a blackhat wants to find, no? It would be tamper-evident, at least.

    I agree: Yuck.

    --
    With reasonable men I will reason; with humane men I will plead; but to tyrants I will give no quarter. -- William Lloyd
  7. Just like in the movies by Animats · · Score: 4, Interesting

    Now, at long last, hacking tools have caught up with the movie versions. Point and click at last. The attack even shows up on the attacked PC on screen! With windows opening and mouse movement, even. Watch for this tool showing up in a movie within a year.

    Incidentally, note that this isn't a hole in VNC. It's an attack that installs VNC. VNC doesn't have to be present on the target before the attack.


  8. Re:Why? by Wizzo1138 · · Score: 3, Interesting

    I would hope that any self-respecting cracker would scoff at using this. So I wonder if it wasn't some self-respecting cracker who came up with this, just to give the script kiddies something to play with. While they keep the admins concerned about VNC hacks, the real crackers can get their work done under the radar, using the good ol' command line.

    Or maybe it's time to find my tin-foil hat...

    --
    Always go to other people's funerals, otherwise they won't come to yours.

  9. Re:Why? by stratjakt · · Score: 4, Interesting

    No, it's quite simple.

    The easier it is for any 13 year old asshat to exploit these vulnerabilities, the more the value of self-titled "security experts" goes up. Then they can jack small businesses for a 5 grand "consulting fee" to recommend they install a firewall.

    They're creating a problem in the hopes they'll be paid to solve it, in short.

    Kind of like a windshield salesman going around daring/encouraging neighbourhood kids to throw rocks at passing cars.

    --
    I don't need no instructions to know how to rock!!!!

  10. the answer: by torpor · · Score: 2, Interesting

    good design.

    --
    ; -- the corruption of government starts with its secrets. a truly free people keep no secrets. --
  11. Re:Why? by KReilly · · Score: 2, Interesting

    Actually, I remember when I was first introduced to VNC. It was when I was 16 and started as an IT guy on a medium-sized LAN at a theme park. We had VNC installed on all computers to save time when something broke. And there were stations set up to print ID cards for season passes. Well, when they were not printing passes, they were supposed to be doing data entry, but all too often ended up playing solitaire.

    I didn't really care either way, but I would hop on from time to time to make sure they were doing their job. Every time I caught them playing solitaire, I would call down there and tell them to stop. Well, I remember more than a few times you would catch someone playing who was bad at the game and missed some obvious moves, so I decided to start playing with them. Funny part was, they would think the computer was broken, so they would call me! So, I would ask what they were doing, until they finally confessed, at which point I would laugh at them and tell them I knew... They were always happier with me catching them, because if their boss did, they would have been fired.

    Nonetheless, it was always fun.