The FYRM Blog » ShmooCon

GuestStealer Wrapup

Tony Flick — Tue, 02 Mar 2010 02:30:03 +0000

In addition to the previously mentioned Nmap script, GuestStealer has now made its way into a Nessus plugin and a Metasploit module. Nessus Plugin 44646 was released by Tenable a few weeks ago and the Metasploit module was pushed up to the trunk last week.

GuestStealer has been mentioned in several articles and blog posts recently, including DarkReading – Tech Insight: Securing The Virtualized Server Environment and The Hacker News Network. While most have been accurate, several early blogs stated that GuestStealer used a cross site scripting attack to steal the guests. So to clarify and avoid any confusion, GuestStealer exploits the directory traversal vulnerability described in CVE-2009-3733. For further information, check out the presentation slides or presentation video.

GuestStealer 1.1 and PaulDotCom Webcast

Tony Flick — Fri, 19 Feb 2010 00:11:59 +0000

Justin and I will be on the PaulDotCom podcast tonight to discuss the latest developments with GuestStealer and the Smart Grid book. For more information, check out tonight’s episode guide and join the live discussion tonight.

Also, GuestStealer v1.1 is now available for download. This is a bug fix release that improves the error handling and prevention of downloading the same vmdk file twice (when that vmdk self-references itself). Thanks to the efforts by Ron at Skull Security, the new version is available on the tools page.

ShmooCon 2010 Stealing Guests… Slides Online

Tony Flick — Thu, 11 Feb 2010 04:51:31 +0000

Luckily I was able to escape Washington DC’s 3rd round of snow to enjoy the tropical 40 degree weather here in Tampa today and write this post. Despite the blizzard and its many names, the ShmooCon faithful came out in full force to make another great conference. As usual, ShmooCon featured interesting presentations, shenanigans, and a chance to hang out with those friends you usually only see at Cons.

I want to thank everyone who attended the Stealing Guests…The VMware Way talk, especially since no one threw shmooballs at us. For those of you who haven’t done so yet, head on over to the Tools section of the Web site to grab GuestStealer and try it out yourself. Also, Ron over at Skull Security created an Nmap script to identify vulnerable VMware systems. Visit his blog to download the script and view instructions for installing the script.

For those of you who were unable to attend the talk…or find a video, here are the slides.

I would also like to thank everyone who came up to the FYRM booth and talked to Matt and I. The security bug killing/reaction time testing flash game appeared to be a big hit, which drew many contestants…some more determined than others. For those of you that didn’t win this time, check back often to find out details for round 2!

Stealing Guests…For a Free Hard Drive

Tony Flick — Tue, 02 Feb 2010 06:15:56 +0000

During the Stealing Guests…The VMware Way presentation at ShmooCon this weekend, FYRM will be holding a contest to give away an external hard drive. The first person to exploit the discussed vulnerability on the target virtual machine and yell out the hidden phrase will win the hard drive.

In the presentation, a Perl script will be released to easily exploit the vulnerability. The to-be-released tool runs on Mac OS X (with MacPorts) and most Linux distros. Currently, the tool requires the following Perl dependencies:

LWP::Simple
XML::Simple
Data::Dumper
Crypt::SSLeay

Bring your laptops and netbooks to the presentation to try the tool and win the hard drive. Check back often for any updates.