TipRadar.com - Forums and community

Full Version: ges wall and others on xp
gullible jones using metasploit against xpsp3..

below you will find this member of another forum recently doing all sorts of attacks against xp.. he chooses several security applications in his tests.
however i do use geswall and defense wall and many others in a rotating defense grid. so therefore i disagree with some of his findings due to these being done on separate applications and not on a team. also this is implemented on a normal untouched version of xpsp3. nothing ripped from the core, and a basic setup.


info below:

First off, this is not intended as an instructional post. Seriously, don't take anything I say as necessarily accurate. If you actually intend to try and secure a legacy OS, you do so at your own risk, and against my advice. If you keep running Windows XP on your desktop, and get burned, don't blame me; I told you it was a bad idea, okay?

Now that that's out of the way...

This is basically intended as a less biased, and hopefully less inflammatory, continuation of my earlier tests with Metasploit. What I'm looking at is how effective different programs and setups seem to be at containing a successful userspace exploit. I'm using a legacy system (Windows XP SP3, no further updates) on the target VM so that said exploits are plentiful and reliable, not because I think there's anything cool about it.

Anyway, I'll start where I left off, with Geswall...

Geswall 2.9.2
Setup: allow Geswall to isolate IE6, and point the browser at the Aurora exploit.

Results...

- Keylogging fails.
- Screenshot fails.
- Attempts to execute programs are intercepted, resulting in a query popup.
- All attempts to escalate privilege in userspace are unsuccessful.
- Kernel font rendering exploit once again triggers an OS crash, and is unsuccessful. I think this may be a Metasploit bug, as I've been unable to get the font exploit to work with anything thus far.
- Viewing other processes is rather limited.
- Code injection into unsandboxed processes fails.
- Migration into unsandboxed processes fails.
- No tokens are stealable (or visible for that matter).
- Attempting to view the contents of the "Confidential" folder does not work, unless specifically allowed by the user. The query popup's wording is a little confusing, but it basically works.


end of post:


geswall did very good in my opinion against his exploit. however if you combine hips and behavior protocols with other watchdog applications within the system the fails can be overturned. i know, because i have tested also using network attacks.

in fact you can even go a step further and double freeze the entire operating system with the core first. then freeze the ram into a bubble zone.. so the exploit has to break out of the frozen system in ram, and then break out of the core. and this is after it breaks from geswall, defense wall, and 2 firewalls.. good luck to that exploit..

anyway i thought it was interesting and wanted to share.
this was done yesterday by gullible jones whom i respect but still disagree with on certain issues. my opinion of course.
Thanks for info
Thanks for the info.
(11-11-2013, 11:40 AM)skittles Wrote:
in fact you can even go a step further and double freeze the entire operating system with the core first. then freeze the ram into a bubble zone.. so the exploit has to break out of the frozen system in ram, and then break out of the core. and this is after it breaks from geswall, defense wall, and 2 firewalls.. good luck to that exploit..

faint
gullible jones trying to attack defensewall with metasploit on november 11th 2013...

Defensewall HIPS


Setup:
- Install the thing
- Make sure IE is set as untrusted
- Point IE to Aurora exploit page

Results:
- Aurora exploit succeeds
- Can spawn applications, but not migrate to them (and the shell session gets killed when trying). Also the processes seem to be in some kind of filesystem sandbox.
- Cannot inject payloads into apps running as the same user (access denied, can't attach to process)
- Screenshot comes out completely blank.
- Keylogging fails with Explorer
- Secured files and folders are inaccessible. Others can be downloaded, but not deleted, and uploads get tagged as untrusted.
- Tokens can't be seen or stolen
- getsystem() results in the shell session getting killed.

Okay, now the heavy stuff:
- ppr_flatten_rec kernel exploit fails because Notepad's attempt to make an internet connection gets blocked. Oh, and the shell session gets killed. Clever!
- The Stuxnet kbdlayout exploit (MS10-073) fails. No, it doesn't crash the VM, it fails! Because the malicious file created cannot be deleted.
- DropLNK attack fails.
- Can't get password hashes.
- Serving up C: as a network block device succeeds.
- Running PXExploit results in IE getting killed.
- Logging keystrokes with Winlogon works, but Defensewall notifies you that IE is logging keystrokes.
- The AdfJoinLeaf kernel exploit fails due to inability to allocate memory properly.

Comments:
... Wow. I'm trying not to be biased here, but it seems as if the Defensewall developers have thought of everything. This product contains all manner of attacks, and stays a step ahead of ones it can't contain; and it does so with very little configuration. Impressive.
Never tried out geswall, so maybe that will explain why I don't understand what you mean, but.... would you mind elaborating on the "freeze the entire operating system with the core first" and "then freeze the ram into a bubble zone"?

When I hear 'freeze' I think pausing a program, but that doesn't make much sense, as you can't pause the kernel or the core OS and continue to use it. My second thought was you meant virtualization, but then there is the 'bubble zone' part of your comment which seems more likely to be the virtual part, so what is it you mean by freeze here?
i should practice not using street slang, and geek lingo. i apologize.

you can use any number of lockdown applications such as toolwhiz, timefreeze2, deepfreeze, shadow defender etc etc.. then after you got one of those listed installed then use returnil, deepfreeze2, or any others that have a physical memory buffer mode.. this way you have a 2 tier protection. let's use an example.. install deepfreeze first and then install returnil.. lock down deepfreeze so it freezes (slang) the core of your system.. this means everything is destroyed on reboot as it hooks to the boot process and the deep kernel. only just a scant few pieces of malware can bypass deepfreeze. now after you're locked down turn on returnil physical memory buffer mode, and place everything in ram per se.. this is like a double bubble, lol... (slang again) hope you understand my point. there are many other ways to do this also, you can experiment with virtual, sandboxie, bufferzone pro, and many others.. attempt to dual layer beyond the norm.
ah thanks for elaborating. I understand what you mean now. I've never had much luck with those types of products. I did LIKE returnil, but it failed with a BSOD loop on reboot after attempting to allow it to save changes made in the session, so that was never installed again... and I think I tested deepfreeze once but can't recall why I didn't like it. Which of this type of program is the most stable in your experience?

I generally stick with a full VM for testing apps. I recently had a near noob experience on my host due to some formerly lax firewall rules for specific apps so I started using sandboxie by default for skype, firefox, and most other online apps. I'm also considering throwing appguard into the mix as it appears to be fairly easy to get them to play along together from what I've read on the forums.
(11-14-2013, 11:59 AM)skittles Wrote:
i should practice not using street slang, and geek lingo. i apologize.

you can use any number of lockdown applications such as toolwhiz, timefreeze2, deepfreeze, shadow defender etc etc.. then after you got one of those listed installed then use returnil, deepfreeze2, or any others that have a physical memory buffer mode.. this way you have a 2 tier protection. let's use an example.. install deepfreeze first and then install returnil.. lock down deepfreeze so it freezes (slang) the core of your system.. this means everything is destroyed on reboot as it hooks to the boot process and the deep kernel. only just a scant few pieces of malware can bypass deepfreeze. now after you're locked down turn on returnil physical memory buffer mode, and place everything in ram per se.. this is like a double bubble, lol... (slang again) hope you understand my point. there are many other ways to do this also, you can experiment with virtual, sandboxie, bufferzone pro, and many others.. attempt to dual layer beyond the norm.

looks like we are talking about 8GB RAM here...
you would be surprised grr, hardly anywhere close to that. a lot lower..!! but i always appreciate your input regardless of the thread or post or category. i always look at your posts!!