Re: Volatile Worm

[Kish Pent <kish_pent () yahoo com>]

Hey p1g,

You're not the only one who's hesitant to do so, lot
of pen-testers are ... it really depends on the scope
laid out basically, and Rafael's concept of volatile
worm is not something new. You guys might have to
check out Dave Aitel's presentation called Nematodes.
It's a different vantage point for everyone in
different situations and I have to say, Dave's idea
during his period was nice. I think he presented in 05
he updated it around 2006 iirc, given below is the
resources section of ImmunitySec.

URL :
http://www.immunitysec.com/resources-papers.shtml

The idea of using botnet, worm, trojans, and malicious
code on client networks is best avoided to spare
downtime, but if you know how to use them carefully,
it's equally a good idea to test their AV / Firewall
and other defenses, after all that's what a pen-tester
is supposed to simulate (a real attack). There are two
ways to looking at it, and as mentioned earlier it
depends on the scope. Basically, Rafael's point is to
use it like a automated tool to pwn boxes, and Dave's
idea to just assess, and patch using a beneficial
worm. 

Cheers,
Kish

--- p1g <killfactory () gmail com> wrote:

> Am i only one that is hesitant to execute a worm on
> a customers network?
>
> I noticed that no one has replied.
>
> On 2/11/08, Rafael Silva <listas () geekworld com br>
> wrote:
> > Hello everyone,
> >
> > I'm here to publish a tool that exploits the
> concept of web
> > application worms.
> > It's not a brand new thing but I hope to help
> sysadmins and the
> > security community.
> > Volatine Worm is a web worm for MSSQL web
> applications vulnerable to
> > SQL Injection and forces
> > them into executing store procedures like
> xp_cmdshell.
> > The concept of this worm is pretty simple: Find
> vulnerable hosts in an
> > automated fashion searching
> > in Google for URLs like:
> >
> > news.asp
> > noticias.asp
> > comments.asp
> > ...
> >
> > When the worm finds a potential vulnerable
> application it tests if it
> > is flawed by simply appending
> > a single quote in the URL. It analyzes the error
> code returned to
> > determine if it is running MSSQL.
> > If it succedes to find a MSSQL, the worm issues a
> 'ping' command using
> > xp_cmdshell, performing
> > a phone home. Then you can test a lot of things
> like setup a ftp
> > server and send any file to the
> > vulnerable host.
> >
> > Feel free to improve the code.
> >
> > Download: http://www.rfdslabs.com.br/volatile.txt
> >
> >
> >
> >
> >
> > rfds@gland:~/codes/volatile$ perl volatile.pl  -h
> >
> > Volatile [Automatic SQL Injection Exploit]
> > Written by rfds and hash
> >
> > use volatile.pl [-h|-q <query>|-w <walk>|-d
> <device>|-i <ip>]
> >        -h:     print this help
> >        -q:     the magic query string  [required]
> >        -w:     rounds per search       [required]
> >        -d:     external device         [required]
> >        -i:     the device's ip         [required]
> >
> > happy hacking
> > rfds@gland:~/codes/volatile$
> >
> >
> > Cheers,
> > -Rafael Silva
------------------------------------------------------------------------
> > This list is sponsored by: Cenzic
> >
> > Need to secure your web apps NOW?
> > Cenzic finds more, "real" vulnerabilities fast.
> > Click to try it, buy it or download a solution
> FREE today!
> > http://www.cenzic.com/downloads
------------------------------------------------------------------------
> >
>
>
> -- 
> -p1g
> SnortCP, C|HFI, TNCP, TECP, NACP, A+
>   ,,__
> o"     )~  oink oink
>    ' ' ' '
>
> If you spend more on coffee than on IT security, you
> will be hacked.
> What's more, you deserve to be hacked.
> -- former White House cybersecurity czar Richard
> Clarke
------------------------------------------------------------------------
> This list is sponsored by: Cenzic
>
> Need to secure your web apps NOW?
> Cenzic finds more, "real" vulnerabilities fast.
> Click to try it, buy it or download a solution FREE
> today!
>
> http://www.cenzic.com/downloads
------------------------------------------------------------------------
>


--
Kishore Parthasarathy, 
Penetration Tester,
Smart Security,
17/1,Upstairs,
Sarojini St,T.Nagar, 
Chennai - 600 017

Phone: 91 98841 80767


      ____________________________________________________________________________________
Looking for last minute shopping deals?  
Find them fast with Yahoo! Search.  http://tools.search.yahoo.com/newsearch/category.php?category=shopping

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------