Point, Click, Root.
An anonymous reader writes "The Metasploit Project just released version 2.2 of the Metasploit Framework. This release includes a VNC server payload that can be used with almost any of the Windows exploits. The scary thing about this payload is that the VNC server executes as a new thread in the exploited process, without writing any files to the disk drive. Is this the end as we know it for simple remote command shell exploits? A couple articles have already mentioned this project."
What a sad day when even taking over someone's machine can be done point-and-click style. Seemed so much more personal when you just had a remote shell.
The cool thing about the VNC payload is that it works if the machine is not logged in, or if the screen is locked.
Microsoft should just post a big list of hacked machines, and turn everything wide open. After the script kiddie deluge is done, then we all go "phew! Wasn't that fun!" and go buy something else.
... is a preview of the site's front page in a few days, courtesy of your friends at dhs.gov.
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
How does something start off as a "portable network game" and end up as a f*cking remote GUI root?
Un-news
According to metasploit.com:
"This is the Metasploit Project. The goal is to provide useful information to people who perform penetration testing, IDS signature development, and exploit research. This site was created to fill the gaps in the information publicly available on various exploitation techniques and to create a useful resource for exploit developers. The tools and information on this site are provided for legal penetration testing and research purposes only."
Exactly. VNC, while great if you are really interested in controlling a PC remotely, isn't all that useful for trojans/worms.
You're much better off with a powerful spam relay or self-replicating worm than control over a user's PC, nevermind access via a remote shell like some of the recent worms have allowed.
Other than fucking with the heads of the users you have infected, I don't really see the point. You'd have to be using their machine when they aren't around, you'd have to be doing this in person over VNC, which could be very very slow depending on upstream, and it just wouldn't be as useful as a shell, which *could* be scripted to automate your desired effect.
I have recently obtained a patent on One-Click Cracking.
Our lawyers will be getting in touch with the MetaSploit group to discuss licensing options.
Thank you,
Jeff Bezos
Founder and CEO
amazon.com
Congratulations adventurer!
Your quest is at an end for you have reached the root of NetHack.
Within, the Wizard of MS RAS has no power, the Oracle 8i speaks with utmost clarity, and the stack overflow bugs do not bite.
This comment does not necessarily represent the views and opinions of the author.
"Since when has it been news that VNC is shitty and insecure?"
Umm....RTFA.
It's an exploit for Windows (from the screenshot it seems to use the LSASS vulnerability that Sasser uses) that includes a VNC server in the payload, allowing remote GUI access under SYSTEM privileges (SYSTEM is like root in *nix, higher than even the Administrators group).
Better hope all your boxes are patched against this vulnerability, or prepare to watch the kiddies go to work.
And yes, I do mean watch; that's the only "problem" with this system: whatever you do directly shows up on the real screen, so the user is likely to notice suspicious things happening.
I used to get high on life, but I developed a tolerance. Now I need something stronger.
Or... you could connect in view-only mode and watch them type in sensitive data. Maybe install a key logger when they aren't around. Dig through their personal file stash and find nudies of their husband or wife and upload them to yafro.com. There's a whole lot of personal nastiness and ID theft that could result from this. Which leads me to lesson #1. NEVER put your PC directly on the internet. If you do, you deserve whatever happens to you.
Un-news
Ugh. This is going to be really popular with the script kiddies. I have to (grudgingly) admit that this is quite elegant though.
I wonder if running your own (password-protected) vncserver will be any protection against this. I guess it depends on whether the payloaded vncserver can have its port changed or whether it is stuck with the default.
If it can be changed then this is going to be very nasty. You couldn't even simply firewall all the vnc ports any more as the kiddie could configure the server to run on an unprivileged port. I suppose that SYN flag checking or using a connection-stateful firewall should protect against this.
Yuck.
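The port question raised above is the practical one for defenders: a VNC server injected into an exploited process can listen wherever the attacker chooses, so a filter keyed on 5900-5909 alone proves nothing. The RFB protocol still announces itself, though: the server's first 12 bytes are a ProtocolVersion banner of the form "RFB xxx.yyy\n". The following is an added example (not part of the original thread or of Metasploit) that classifies constructed connection records by that banner rather than by port; `Flow` and the sample flows are assumptions made up for the illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# RFB ProtocolVersion handshake: the server speaks first, sending exactly
# 12 bytes, "RFB " + three-digit major + "." + three-digit minor + "\n".
RFB_BANNER = re.compile(rb"^RFB (\d{3})\.(\d{3})\n")
VNC_DEFAULT_PORTS = range(5900, 5910)  # the ports a naive filter would block


@dataclass
class Flow:
    """One inbound TCP connection: destination port and the server's first bytes.
    Hypothetical record shape, constructed for this example."""
    dst_port: int
    server_first_bytes: bytes


def rfb_version(data: bytes) -> Optional[Tuple[int, int]]:
    """Return (major, minor) if the data starts with an RFB banner, else None."""
    m = RFB_BANNER.match(data)
    if m is None:
        return None
    return int(m.group(1)), int(m.group(2))


def port_filter_would_catch(flow: Flow) -> bool:
    """What a rule that only blocks the standard VNC port range would stop."""
    return flow.dst_port in VNC_DEFAULT_PORTS


def classify(flow: Flow) -> str:
    """Classify by protocol banner, independent of the port in use."""
    if rfb_version(flow.server_first_bytes) is None:
        return "not-rfb"
    if flow.dst_port in VNC_DEFAULT_PORTS:
        return "rfb-default-port"
    return "rfb-nonstandard-port"


# Constructed sample flows: a normal VNC server, an HTTP server, and an RFB
# server answering on an unprivileged, non-standard port.
SAMPLE_FLOWS: List[Flow] = [
    Flow(5900, b"RFB 003.008\n"),
    Flow(80, b"HTTP/1.1 200 OK\r\n"),
    Flow(4444, b"RFB 003.003\n"),
]


def find_hidden_vnc(flows: List[Flow]) -> List[int]:
    """Ports carrying RFB that a port-only filter would have let through."""
    return [f.dst_port for f in flows
            if classify(f) == "rfb-nonstandard-port" and not port_filter_would_catch(f)]
```

Running `find_hidden_vnc(SAMPLE_FLOWS)` returns the non-standard port only, which is the case a stateful default-deny inbound policy handles and a port list does not.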
For all the whining about how this makes it so easy for script kiddies, consider that it also makes it so easy for admins who are not in tune with the latest script kiddy 'sploits. This allows them to quickly test their networks in click-n-drool fashion. This can be a very useful tool.
cuz, like, lurning all thoze command line thingz wuz totally hard, this wil maek me s0 much m0re 1337!!!!!!!one I totale r0x0rz n0w!!!!LOLOL
do not read this line twice.
Can you guys stop slashdoting the site? I want to download it just to show some co-workers a little "surprise"...
... to make security experts more valuable by making security vulnerabilities easier to exploit.
Mathematics is not a crime.
Incidentally, note that this isn't a hole in VNC. It's an attack that installs VNC. VNC doesn't have to be present on the target before the attack.
Well, you can still fuck around with the user without actually having to manually do anything. If you can execute arbitrary code, then you can create a bot to do random things with the mouse or look for a running copy of Word and randomly type, "Help! I'm trapped in the word processor!" into the document the user is typing.
However, script kiddies probably won't know how to code something up like that without someone holding their hands.
No, it's quite simple.
/encouraging neighbourhood kids to throw rocks at passing cars.
The easier it is for any 13 year old asshat to exploit these vulnerabilities, the more the value of self-titled "security experts" goes up. Then they can jack small businesses for a 5 grand "consulting fee" to recommend they install a firewall.
They're creating a problem in the hopes they'll be paid to solve it, in short.
Kind of like a windshield salesman going around daring
I don't need no instructions to know how to rock!!!!
I am not against full disclosure or the dissemination of security tools; I just happen to think that for every one security pro who uses this tool for good there will be a hundred script kiddies who use it for causing havoc.
There are already plenty of tools out there for that, with more being created every day. I for one am fed up with people who complain every single time something like this, which makes my life easier since I don't have to do any actual work to test out the machines on my network, is introduced.
Isn't it better to discover, identify, and eliminate the weaknesses in one's network rather than wait for someone less trustworthy to discover, identify, and exploit them without your permission? Isn't that what software like this can help us accomplish?
There's no stopping software like this. More and better software is being created all the time, and some of it can indeed be used by bad people to do bad things. Rather than complain and fret about the potential evil uses to which it can be put, the sensible person would welcome it as yet another useful tool in their security arsenal.
Did you also whine about "nmap"?
- A.P.
"Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
Back in the days of yore, my brother and his friends used to take pride in knowing a wide variety of tools and techniques for opening beer bottles. Then along came the twist off beer bottle cap, and my brother was heard to say: "Crap, now any idiot can open a beer.".
It happens to all of us, our hard won skills, honed to perfection over years of use, the knowledge and techniques that make us special and separate us from the common man, get packaged into a user friendly, idiot proof tool. It's called progress.
"I'm not impatient. I just hate waiting." - My Dad