Slashdot Mirror
Point, Click, Root.
An anonymous reader writes "The Metasploit Project just released version 2.2 of the Metasploit Framework. This release includes a VNC server payload that can be used with almost any of the Windows exploits. The scary thing about this payload is that the VNC server executes as a new thread in the exploited process; without writing any files to the disk drive. Is this the end as we know it for simple remote command shell exploits? A couple
articles have already mentioned this project."
Here
... stated that they're not paying any attention to this.
hummmm... that helps.
What a sad day when even taking over someone's machine can be done point-and-click style. Seemed so much more personal when you just had a remote shell.
The cool thing about the VNC payload is that it works if the machine is not logged in, or if the screen is locked.
Microsoft should just post a big list of hacked machines, and turn everything wide open. After the script kiddie deluge is done, then we all go "phew! Wasn't that fun!" and go buy something else.
stuff |
... is a preview of the site's front page in a few days, courtesy of your friends at dhs.gov.
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
How does something start off as a "portable network game" and end up as a f*cking remote GUI root?
Un-news
According to metasploit.com:
"This is the Metasploit Project. The goal is to provide useful information to people who perform penetration testing, IDS signature development, and exploit research. This site was created to fill the gaps in the information publicly available on various exploitation techniques and to create a useful resource for exploit developers. The tools and information on this site are provided for legal penetration testing and research purposes only."
I was seriously getting bummed by the low quality of todays script kiddie exploits. With the metasploits project finally real security minded people, tinkerers (hackers) and just plain good programmers can have a common place to post their hard won knowledge for "1337" kids online to use.
exactly. VNC, while great if you are really interested in controlling a PC remotely, isn't all that useful for trojans/worms.
You're much better off with a powerful spam relay or self-replicating worm than control over a user's PC, nevermind access via a remote shell like some of the recent worms have allowed.
Other than fucking with the heads of the users you have infected I don't really see the point. You'd have to be using their machine when they aren't around, you'd have to be doing this in person over VNC which could be very very slow depending on upstream, and it just wouldn't be as useful as a shell which *could* be scripted to automate your desired effect.
...now this is a subject line you can get on board with.
Imagine a DMCA cluster of these!
There is no reason to include a VNC server payload like this. Those legitimate security professionals who use Metasploit for pen testing should have the skills to create their own VNC payload, if they actually have a use for it. To include it ready made, point and click, easy to use like this just makes it that much easier for the script kiddiots out there.
I am not against full disclosure or the dissemation of security tools I just happen to think that for every one security pro who uses this tool for good there will be a hundred script kiddies who use it for causing havoc. Rather than make life easier for the good guys this will just make it that much more difficult.
If that were thier real goal, the wouldn't release thier tools to the vast public, don't you think?
I have recently obtained a patent on One-Click Cracking.
Our lawyers will be getting in touch with the MetaSploit group to discuss licensing options.
Thank you,
Jeff Bezos
Founder and CEO
amazon.com
P01NT CL1CK W00T!
An Indian-American Hindu committed to non-violent thought/speech/action alarmed by the global explosion of radical Islam
Has Microsoft released a timeline of when this toolkit will be integrated into VS.NET 2003?
Congratulations adventurer!
Your quest is at an end for you have reached the root of NetHack.
Within, the Wizard of MS RAS has no power, the Oracle 8i speaks with utmost clarity, and the stack overflow bugs do not bite.
This comment does not necessarily represent the views and opinions of the author.
Think about it, script kiddies cant use a remote shell. They can only point and click. Thats what metasploit is for, to make it easy for "1337 5kr1p7 k1dd13z".
I mean, what good is "hacking" into a box if you HAVE NO FUCKING IDEA HOW TO ACTUALLY USE IT?
This could just as easily spawn a cygwin shell if it wanted.
I don't need no instructions to know how to rock!!!!
"Since when has it been news that VNC is shitty and insecure?"
Umm....RTFA.
It's a exploit for Windows (from the screenshot it seems to use the LSASS vulnerability that Sasser uses) that includes a VNC server in the payload, allowing remote GUI access under SYSTEM priveledges (SYSTEM is like root in *nix, higher than even the Administrators group).
Better hope all your boxes are patched against this vulnerability, or prepare to watch the kiddies go to work.
Any yes I do mean watch, that's the only "problem" with this system, whatever you do directly shows up on the real screen, so the user is likely to notice suspicious things happening.
I used to get high on life, but I developed a tolerance. Now I need something stronger.
Or... you could connect in view-only mode and watch them type in sensitive data. Maybe install a key logger when they aren't around. Dig through their personal file stash and find nudies of their husband or wife and upload them to yafro.com. There's a whole lot of personal nastiness and ID theft that could result from this. Which leads me to lesson #1. NEVER put your PC directly on the internet. If you do, you deserve whatever happens to you.
Un-news
Ugh. This is going to be really popular with the script kiddies. I have to (grudgingly) admit that this is quite elegant though.
I wonder if running your own (password-protected) vncserver will be any protection against this. I guess it depends on whether the payloaded vncserver can have its port changed or whether it is stuck with the default.
If it can be changed then this is going to be very nasty. You couldn't even simply firewall all the vnc ports any more as the kiddie could configure the server to run on an unprivileged port. I suppose that SYN flag checking or using a connection-stateful firewall should protect against this.
Yuck.
For all the whining about how this makes it so easy for script kiddies, consider that it also makes it so easy for admins who are not in tune with the latest script kiddy 'sploits. This allows them to quickly test their networks in click-n-drool fashion. This can be a very useful tool.
visually impaired black hat hackers, we resent that this program is not designed for wider access. It's just another example of the systematic discrimination that we face as we try to gain root and own you all. We will eventually succeed. And when we do, we'll make all web pages look like bad!
that anybody running VNC servers (or any remote access software) should have in place good firewalls and a good quality VPN requiring strong authentication.
cuz, like, lurning all thoze command line thingz wuz totally hard, this wil maek me s0 much m0re 1337!!!!!!!one I totale r0x0rz n0w!!!!LOLOL
do not read this line twice.
If you've ever tried to get support from Microsoft, you'd know thats the only way to get them to do anything. Sad but true.
Can you guys stop slashdoting the site? I want to download it just to show some co-workers a little "surprise"...
So, what you're saying is that the tool is only useful if it allows you to do something malicous with the machine? I guess we know which side of the computer security fence you're on. ;-)
Trouble making decisions? Just flip for it.
... to make security experts more valuable by making security vulnerablities easier to exploit.
Mathematics is not a crime.
RTFA. They're using an unpassworded VNC server as the payload for your favorite win32 exploit. Thus, once you can root their machine, you can run a full VNC server in RAM and then wait till said luser sets their aim away message and goes to their boyfriend's house and have fun looking through their files remotely.
Incidentally, note that this isn't a hole in VNC. It's an attack that installs VNC. VNC doesn't have to be present on the target before the attack.
I would hope that any self-respecting cracker would scoff at using this. So I wonder if it wasn't some self-respecting cracker who came up with this, just to give the script kiddies something to play with. While they keep the admins concerned about VNC hacks, the real crackers can get their work done under the radar, using the good ol' command line.
Or maybe it's time to find my tin-foil hat...
Always go to other people's funerals, otherwise they won't come to yours.
Well, you can still fuck around with the user without actually having to manually do anything. If you can execute arbitrary code, then you can create a bot to do random things with the mouse or look for a running copy of Word and randomly type, "Help! I'm trapped in the word processor!" into the document the user is typing.
However, script kiddies probably won't know how to code something up like that without someone holding their hands.
So instead of a script kiddie, we're going to now have "click kiddie"...
"I'm so l33t, I don't 3v3n type!"
Yes Francis, the world has gone crazy.
No, it's quite simple.
/encouraging neighbourhood kids to throw rocks at passing cars.
The easier it is for any 13 year old asshat to exploit these vulnerabilities, the more the value of self-titled "security experts" goes up. Then they can jack small businesses for a 5 grand "consulting fee" to recommend they install a firewall.
They're creating a problem in the hopes they'll be paid to solve it, in short.
Kind of like a windshield salesman going around daring
I don't need no instructions to know how to rock!!!!
Tools like this are GREAT at demonstrating the need for greater security at board meetingings, or initial consultations as a security consultant. Nothing opens peoples eyes to the need for mass patching of workstations or servers like breaking into a machine using a tool that a 4yo could use.
Also tools like this are good for exploit developers becuase they can stop spending their time creating a vaguely usable interface for their proof of concepts and find more holes to get fixed.
This kit allows quick remote access to windows system, without the need to preconfigure anything on the far side before hand.
The best thing is that it allows you to use SYSTEM, which is has higher privilege than ADMINISTRATOR.
Windows admin are gonna love this damn thing.
Has the /. community been hiding in a dark cave someplace? Back Orifice, Netbus, and Sub7 were all available YEARS ago. All three offered graphical user interfaces which allowed the exploiter to launch programs, change text, take screenshots, and many other wonderful functions (in the case of Back Orifice there was even a plugin system called Butt-Plugs). As time has passed Netbus has even become a commercial remote administration tool. The only thing that was required was a little knowledge of a network exploit which allowed the execution of remote code. In many cases it wasn't that difficult to come by. In other cases it was easy enough, especially in the early years, to send an e-card to someone. In the beginning, if any of you remember, e-cards were often self-contained .exe files and it wasn't that uncommon to receive an .exe e-card. Additionally many people who were studying computer science would write cute nifty little programs for their girl/boyfriends/family members.
So what's so bad about metasploit? It does little more than automate the installer for a concept which isn't new. If anything the public may start to see the real value of those of us who have been labeled as paranoid freaks for the last 10 years. This is the dawn of an age when the computer security expert may begin to receive the respect that we deserve. Previously we had been pooh-poohed by the general public aided in their derision by self-important sysadmins with the personality characteristics of the Simpsons' comic book guy.
+++ATHZ 99:5:80
good design.
; -- the corruption of government starts with its secrets. a truly free people keep no secrets. --
There is a limitation in the Win32 desktop API that only allows one desktop to be the 'input desktop'. While many services create a hidden desktop/windowstation to run in, it is not possible to read the 'screen' of this desktop or send input to it. Presumably this was a concious decision to prevent competition in the terminal services licensing department...
Will the -devel branch of metasploit become the central hub for 0-day exploits?
Metasploit stable : This branch has only been tested to work on unpatched machines.
Metasploit -dev ($49.95 membership and password required): This branch has been tested to work against fully up to date and patched machines.
That'd be | |_|63r-|337
+++ATHZ 99:5:80
I think I'll incorporate this project in my spam-filter to execute a remote shut-down after receiving the first spam. After a 2nd spam I'll think of a more permanent way to opt-out. ;)
Privacy is terrorism.
Yes, that is what the legit people would use this tool for. But for every 1 person who is honestly using it for its "intended" purpose, there are 100 script kiddies using it to cause problems.
...And 1000 one who, like will use it to play joke on unsuspecting Buiness students from the across the campus :)
I live in Soviet Canuckistan you insensitive clod!
I am not against full disclosure or the dissemation of security tools I just happen to think that for every one security pro who uses this tool for good there will be a hundred script kiddies who use it for causing havoc.
There are already plenty of tools out there for that, with more being created every day. I for one am fed up with people who complain every single time something like this, which makes my life easier since I don't have to do any actual work to test out the machines on my network, is introduced.
Isn't it better to discover, identify, and eliminate the weaknesses in one's network rather than wait for someone less trustworthy to discover, identify, and exploit them without your permission? Isn't that what software like this can help us accomplish?
There's no stopping software like this. More and better software is being created all the time, and some of it can indeed be used by bad people to do bad things. Rather than complain and fret about the potential evil uses to which it can be put, the sensible person would welcome it as yet another useful tool in their security arsenal.
Did you also whine about "nmap"?
- A.P.
"Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
It is not a VNC exploit - it exploits some vulnerability on the system and then has VNC as its payload. So once you have exploited the hole you have a nice VNC session for your personal use.
Back in the days of yore, my brother and his friends used to take pride in knowing a wide variety of tools and techniques for opening beer bottles. Then along came the twist off beer bottle cap, and my brother was heard to say: "Crap, now any idiot can open a beer.".
It happens to all of us, our hard won skills, honed to perfection over years of use, the knowledge and techniques that make us special and separate us from the common man, get packaged into a user friendly, idiot proof tool. It's called progress.
"I'm not impatient. I just hate waiting." - My Dad
I didn't really care either way, but I would hop on from time to time to make sure they were doing their job. Everytime I caught them playing solitare, I would call down there, and tell them to stop. Well, I remember more then a few times you would catch someone playing who was bad at the game, and missed some obvious moves, so I decided to start playing with them. Funny part was, they would think the computer was broken, so they would call me! So, I would ask what they were doing, until they finally confessed, at which I would laugh at them and told them I knew... They were always happier with me catching them cause if their boss did, they would have been fired.
none the less, it was always fun.
Why?