Back in 2009 the “ikee” rick-rolling worm went around the iPhone world via the password ‘alpine’ on the root account. You are now warned to change your root password when you pop into Cydia and Rock the first time. But this thing just won’t stay down. If you have jailbroken your iPad you might want to check out a little file called “master.passwd”. In it, there is another user called ‘mobile’, which has been pointed out since 2008 (here) on the iPhone as another account whose password should be changed.
Ever set up a multi/handler and get an odd IP hitting it? Probably wrote it off as internet chatter? Think again, you might have just been caught by an AV tracker. http://avtracker.info/ is a site that tracks the different IP addresses, hostnames, computer names and user agents that AV and other “Submit-your-malware-here” drop boxes use. Peter Kleissner and his team provide the ranges that those hosts use: a dynamic text file with the IP addresses listed if you want to add it to some auto-updating block list, a line-by-line IPTABLES block config, and even C code to add into your binary to make sure it doesn’t talk out from one of those addresses (I could be reading it wrong, still a beginner in C). The team has been criticized a lot by AV vendors, enough so that they took down the site in January of this year.
Metasploit’s Railgun is awesome, but getting things to work correctly can be a pain. Here are some of the resources that have helped me out: System Error Codes - This is hands down the best resource you have; it will tell you what that stupid “5” or “1314” means in your return value. Keep this tab open to circumvent crazed bovine attacks. theForger’s Win32 API Programming Tutorial - A really good place to start when you are getting to know the Windows API and the frustrations that come along with it.
Back on June 13th, “Patrick HVE” released RAILGUN: http://mail.metasploit.com/pipermail/framework/2010-June/006382.html And it was merged into the Metasploit trunk with revisions 9709, 9710, 9711 and 9712: http://www.metasploit.com/redmine/projects/framework/repository/revisions/9712 Basically what this allows you to do is make Windows API calls from Meterpreter without compiling your own DLL. It currently supports a number of Windows API DLLs: iphlpapi, ws2_32, kernel32, ntdll, user32, advapi32 (You can find out exactly what functions are available by default in the api.
Certainly nothing to fuss over, but I’ve had a fascination with setting my target’s wallpaper as sort of a calling card for years now. I’ve been able to set the registry key (HKCU\Control Panel\Desktop\Wallpaper), but until recently I didn’t know how to get it to refresh so that it displayed without forcing the user to log out… First, and the most important part, is the selection of the wallpaper. This is my first selection:
I was recently approached by savant, who told me that a bunch of my Twitpics had geo location in them. Larry Pesce from PaulDotCom has been doing research in this field for a while and each time he brings it up I casually checked a couple of my twitpics and came up empty handed. But, he gave me exact references, so I went to Twitpic to check them out for myself.
*WARNING* if you use fgdump like I did, it extracts pwdump to %TEMP% at run time, which is detected by AV. First of all, I was floored when this worked. Really AV? It’s that easy? Really? So here is the breakdown: go get “Resource Hacker”… You’re almost done. Only 3 steps left (1 of which is optional). I started with fgdump, a well known hashdumping/pwdump tool. It’s detected by 80% of all AVs and by all of the top 10.
Normally I save links for my “Mubix Links” blog to keep the clutter down on this one, but I think this is one that I would like to highlight as important. The NFO, credits and summary of this copyrighted video are what I wish to highlight. http://thepiratebay.org/torrent/5573874/HackersWanted%282008%29 I am against the misuse of copyrighted material, and it is a violation of laws in many countries, including my own. I really wish this video would have been published; I’m sure it would have been a very interesting video that I definitely would have purchased.
The other day Chris Gates posted an excellent blog post about the WebDAV hotness that Chris Sullo (author of Nikto) cooked up (DAVTest), which Ryan Linn popped out a Metasploit module for. Anyways, the story left off with a very limited user called “Network Service”. This user has Read and Execute, but no Write access, and a very limited field of view to boot. meterpreter > getuid Server username: **NT AUTHORITY\NETWORK SERVICE** Let’s look around a bit.
I have an admittedly limited view of the exploit dev world. However, from what I’ve seen, devs have very few options: (Please correct me if I’m wrong) Responsible Disclosure / Direct Contact => depending on the size of the vendor and their view on security, this could result in anything from a simple thanks, to a reward, to a court hearing. Exploit Broker => possibly sell, possibly not, depends on the broker.