Metasploit/Armitage vs. Win2k with Outpost Firewall

Discussion in 'other anti-malware software' started by Gullible Jones, Nov 6, 2013.

Thread Status:
Not open for further replies.
  1. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,461
    Perhaps better described as Godzilla vs. Bambi.

    I have spent this evening experimenting with Kali Linux and Win2k KVM sessions. The Win2k VM is equipped with Outpost Firewall Free 6.51, with full paranoid settings - full system call interception, ask for all unknown executables, etc.

    To say that Outpost fails miserably would be a vast understatement.

    This is what I did:
    - Set up the IE exploit used in Operation Aurora:
    http://en.wikipedia.org/wiki/Operation_Aurora
    - Directed IE6 to the exploit page
    - Waited ~5 seconds for Metasploit to compromise the process
    - Migrated to another process
    - Got a view of the filesystem and uploaded an unsigned executable installer
    - Ran the installer
    - Ran the (also unsigned) program installed by the installer

    All of this was without a single notification from Outpost. Even when running unsigned, unknown, third-party executables. Not only did the EXEs run without complaint, they weren't even visible to Outpost - they didn't show up in its list of known programs after running.

    I'm not sure about other FW/HIPS software, but Outpost Free seems to be very broken.

    Next up, Sunbelt Personal Firewall. Let's see if that fares any better.

    Edit: I'll probably test old versions of Online Armor and Privatefirewall after Sunbelt. Maybe System Safety Monitor or such as well. I would use WinXP and more recent versions, but I don't have a spare XP license; and anyway the Aurora exploit works on XP, and with newer versions of IE.
     
  2. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Awesome! Armitage is great, I've loved using it. Nothing proves how terrible security software out there is like opening up your own shell and poking around.
     
  3. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    When IE6 was successfully exploited, it's pretty much game over. IE6 was little more than an easy path to the kernel. If you want to explore this further, make a 2nd test setup. Use IEradicator or XPLite to completely remove IE6, then attack the setup via a non-MS attack surface app. Compare the results.
     
  4. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,461
    Okay, Sunbelt does a bit better. It doesn't raise any alarms when IE is compromised... But it does force IE to crash when I try to migrate to or inject code into another process. Executables and scripts can be written to the hard drive, but Sunbelt successfully blocks attempts to execute them.

    So, not bad! It would still be possible to upload a nasty binary somewhere and set up an autorun entry, but this firewall at least does what it claims to.
     
  5. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,461
    It shouldn't matter that it's IE6 in this case, it's running as admin anyway. But the Aurora exploit works on Windows XP, and on newer versions of IE (though IIRC less reliably).
     
  6. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,461
    System Safety Monitor: works as advertised. Doesn't block the exploit, but does intercept attempts to migrate to other processes and to start command shells. Also seems to prevent token stealing.

    (But sadly this doesn't change the fact that SSM is an utter pain to use!)

    Edit: I'm having trouble finding old enough versions of PF and OA. I think I'll try an antivirus next, assuming any current ones still work on 2k.

    (I'll probably try this with an XP VM tomorrow. Or maybe 2003, if I can find a copy of the evaluation version...)
     
    Last edited: Nov 7, 2013
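    A defender-side correlator over constructed HIPS-style event lines, added here as an illustration and not code from any poster or product in this thread: it flags the three post-exploitation steps described in posts 1, 4 and 6 (code injection into another process, the browser spawning a command shell, and a file written to disk and then executed). The event format, field names and sample PIDs are assumptions made for the example.

```python
# Added example (not from the thread): correlate HIPS-style events to flag
# the post-exploitation steps the thread describes. Event format and field
# names are assumptions for this illustration.
from collections import defaultdict

# Constructed sample events, one per line: "<event>|<pid>|<image>|<key=value ...>"
SAMPLE_EVENTS = """\
proc_create|100|iexplore.exe|parent=explorer.exe
file_write|100|iexplore.exe|path=C:\\temp\\setup.exe
remote_thread|100|iexplore.exe|target_pid=200
proc_create|200|svchost.exe|parent=services.exe
proc_create|300|setup.exe|parent=iexplore.exe path=C:\\temp\\setup.exe
proc_create|400|cmd.exe|parent=iexplore.exe
"""

BROWSERS = {"iexplore.exe"}   # processes that should never spawn a shell
SHELLS = {"cmd.exe"}          # interactive shells a HIPS should gate

def parse_events(text):
    """Parse the line format above into (kind, pid, image, fields) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        kind, pid, image, detail = line.split("|", 3)
        fields = dict(kv.split("=", 1) for kv in detail.split())
        events.append((kind, int(pid), image.lower(), fields))
    return events

def correlate(events):
    """Return (alert_name, pid) pairs, in event order, for the three patterns."""
    alerts = []
    written = defaultdict(set)   # pid -> paths that process has written
    for kind, pid, image, f in events:
        if kind == "file_write":
            written[pid].add(f["path"].lower())
        elif kind == "remote_thread":
            # thread created in another process: migration / code injection
            alerts.append(("injection_into_other_process", pid))
        elif kind == "proc_create":
            parent = f.get("parent", "").lower()
            if parent in BROWSERS and image in SHELLS:
                alerts.append(("browser_spawned_shell", pid))
            path = f.get("path", "").lower()
            if path and any(path in paths for paths in written.values()):
                # a file some process wrote earlier is now being executed
                alerts.append(("dropped_file_executed", pid))
    return alerts

if __name__ == "__main__":
    for name, pid in correlate(parse_events(SAMPLE_EVENTS)):
        print(f"{name}: pid {pid}")
```

Each flagged pair corresponds to a step that Sunbelt or SSM intercepted in the thread and Outpost did not; a real HIPS would act on the event inline rather than after the fact.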
  7. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    IE6, the most targeted attack surface app of its day, was almost completely integrated into the desktop. Attack surface apps should be as isolated from the OS as possible, not tightly integrated into it. Exploiting IE6 gave you access to most every part of the system. Experiment with a few of the exploits and you'll see just how vulnerable that integration made those systems.

    Which version of SSM did you test?
     
  8. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,461
    As I said, it shouldn't matter. Exploits are definitely more plentiful in IE6, maybe in part because of the desktop integration and other added functionality; but in the end a compromised program running as Administrator is a compromised program running as Administrator.
     