We continue our series of tweaking Metasploit modules to bypass EMET, without changing Metasploit’s payloads. Last time, we talked about bypassing EMET’s EAF using SEH. Since this technique may not necessarily fit your exploit, we present a second technique that bypasses EMET’s EAF without using SEH or changing Metasploit’s payload.
Tag Archives: Poison Ivy
Tweaking Metasploit Modules To Bypass EMET – Part 1
Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) is designed to increase the protection of your system against exploitation. It can render current Metasploit modules useless, as they’re currently not designed to bypass it. We discuss ways to tweak Metasploit modules in as generic a way as possible, so they can work against targets utilizing EMET.
Tutorial For The Official Poison Ivy Metasploit Module
The official Poison Ivy Metasploit module has just been released. With the help of Juan Vazquez, the official module is a major upgrade to the original module I published. Here is some important information on how to use it.
Poison Ivy Exploit Metasploit Module
After providing a detailed exploit for Poison Ivy’s C&C server, the natural course of things was to incorporate it into the Metasploit framework. So here is a fully functional Metasploit module that exploits a remote Poison Ivy C&C server, bypassing DEP and ASLR, for all Windows versions.
Own And You Shall Be Owned
While working on Poison Ivy’s communication, one of my students approached me and asked me if the fact that an infected computer can connect to the C&C server means that the compromised host can break into the server. Well folks, it appears that it’s possible. We will now present a fully working exploit for all Windows platforms (i.e., bypassing DEP and ASLR), allowing a computer infected by Poison Ivy (or any other computer, for that matter) to assume control of PI’s C&C server.
Initial Analysis of Poison Ivy
After successfully decrypting Poison Ivy’s communication, we proceed to analyze the way the Poison Ivy (PI) server and client components interact. We prefer not to reverse engineer the components, but rather look at the data they send to each other and deduce what is going on. As you’ll soon see, we are way too optimistic.
Decrypting Poison Ivy’s Communication Using Code Injection and DLL Proxies
Not so long ago a friend of mine came to me telling me that he thinks his web server is acting as a command and control (C&C) server for some hacker. I took a look, and indeed found the Poison Ivy (PI) C&C app (or as its author calls it, “remote administration tool”) installed on the machine. After realizing that the network administrator has some pcap files of network traffic, my friend asked me to see if I can find out what the hacker did with the app on his machine. Unfortunately, PI’s traffic is encrypted, so I asked my friend for the C&C app to see if I can find out how to decrypt the data.