1 min
Metasploit (2**5/10.0)
Silence can mean one of two things - the project is dead, or we are working on
some really big things and aren't quite ready to announce them. Well, the
project is not dead. In the next two weeks, some major changes will be announced
that cover the source code, development team, and licensing of the Metasploit
Framework. Folks who have been following the development tree may not be
surprised, but we are taking some giant steps forward from the 3.1 release.
In the meantime, users should stay away
1 min
Improved WinDBG opcode searching
Being goaded by some coworkers about the opcode searching functionality of windbg
prompted me to add a new option to jutsu today: searchOpcode
You can search for sets of instructions in conjunction; it will assemble them,
providing you the machine code, then search for the instructions in executable
memory. Instructions are delimited by pipes. I plan to add some limited wildcard
functionality in the near future as well.
0:000> !jutsu searchOpcode pop ecx | pop ecx | ret
Searching for:
> pop e
1 min
Byakugan WinDBG Plugin Released!
Today, HD merged in an amalgamation of windbg tools and plugins with a funny
name into the main metasploit tree. We've been working on this collection for
a while now, and currently it represents (I think) a good step towards turning
windbg from simply a good debugger into a powerful platform for exploit
development.
The work that's currently released includes:
tenketsu - the vista heap emulator/visualizer which allows you to track how
input to a program affects the heap in real time.
jutsu
1 min
Karmetasploit Wireless Fun
I just posted the first public documentation on Karmetasploit. This project is
a combination of Dino Dai Zovi and Shane Macaulay's KARMA
and the Metasploit Framework. The
result is an extremely effective way to absorb information and remote shells
from the wireless-enabled machines around you. This first version is still a
proof-of-concept, but it already has an impressive feature list:
- Capture POP3 and IMAP4 passwords (clear-text and SSL)
- Accept
4 min
DNS Attacks in the Wild
In a recent conversation with Robert McMillan (IDG), I described an in-the-wild
attack against one of AT&T's DNS cache servers, specifically one that was
configured as an upstream forwarder for an internal DNS machine at BreakingPoint
Systems. The attackers had replaced the cache entry for www.google.com with a
web page that loaded advertisements hidden inside an iframe. This attack
affected anyone in the Austin, Texas region using that AT&T Internet Services
(previously SBC) DNS server. The att
1 min
Evilgrade Will Destroy Us All
Francisco Amato of Infobyte Security Research just
announced ISR-evilgrade v1.0.0, a
toolkit for exploiting products which perform online updates in an insecure
fashion. This tool works in conjunction with man-in-the-middle techniques (DNS,
ARP, DHCP, etc) to exploit a wide variety of applications. The demonstration video
uses the CAU/Metasploit DNS
exploit
3 min
BailiWicked
If you haven't already noticed by now, we've recently published two modules
which exploit Kaminsky's DNS cache poisoning flaw. I'll get to those in a
second, but first a word about disclosure.
In the short time that these modules have been available, I've received personal
responses from a LOT of people, spanning the spectrum from "OMG how could you do
this to the Internet users???" to "Great work, now I know what I'm up
against... We need more open researchers like you guys." In all honest
3 min
METASPLOIT UNLEASHES VERSION 3.1
Austin, Texas, January 28th, 2008 -- The Metasploit Project announced today the
free, world-wide availability of version 3.1 of their exploit development and
attack framework. The latest version features a graphical user interface, full
support for the Windows platform, and over 450 modules, including 265 remote
exploits. "Metasploit 3.1 consolidates a year of research and development,
integrating ideas and code from some of the sharpest and most innovative folks
in the security research comm
14 min
Cracking the iPhone (part 2)
In part one of "Cracking the iPhone", I described the libtiff vulnerability,
its impact on iPhone users, and released the first version of my hacked up
debugger. In this post, I will walk through the process of actually writing the
exploit.
First off, a new version of weasel (hdm-0.02) has been
released. This version includes an entirely new disassembly backend, courtesy of
libopcodes, and supports thumb-mode instructions. Thumb is
4 min
A root shell in my pocket (and maybe yours)
After the recent price drop and toolchain release, I bit the bullet and bought a shiny new
iPhone. The first thing I did is bypass activation, run jailbreak, and install
the AppTapp Installer. Using the installer,
I added OpenSSH and a VT-100 Terminal to the phone. Once I had shell access, I
made a few observations:
1) The processor is actually decent. Compare the iPhone (400Mhz*) with the
Nokia
n770
4 min
An easier way to create payload modules in 3.0
Thanks to Yoann GUILLOT and Julien TINNES, Metasploit 3.0 (the trunk version)
includes integrated support for metasm, a 100% ruby
assembler, disassembler, and linker. It currently supports x86 and MIPS, but
support for many other architectures is in development. Using metasm, we've
taken some steps to improve the framework's payload module interface. This
improvement is designed to make it possible for payload modules to contain
assembly rather than the typical large
2 min
HeapLib Support Added to Metasploit 3
If you were able to attend Black Hat Europe this year, you had the opportunity
to catch Alexander Sotirov's talk on Heap Feng Shui. The focus of his talk was
on describing ways to use javascript in browsers to control heap layout with
surgical precision. This has obvious benefits when it comes to exploiting heap
related vulnerabilities in browsers. At present, many browser-based exploits
will blindly spray payloads and other structures across the heap in ways that
won't always guarantee that
4 min
1495-Metasploit Framework 3.0 RELEASED!
Metasploit is pleased to announce the immediate free
availability of the Metasploit Framework version 3.0.
The Metasploit Framework ("Metasploit") is a development platform for creating
security tools and exploits. Version 3.0 contains 177 exploits, 104 payloads, 17
encoders, and 3 nop modules. Additionally, 30 auxiliary modules are included that
perform a wide range of tasks, including host discovery, protocol fuzzing, and
denial of service testing.
Metasploit is used by ne
3 min
Kernel-Mode Payloads in Metasploit 3.0
We recently decided to finally take a stab at integrating kernel-mode payloads
into Metasploit 3.0. This presented an interesting challenge for us in terms of
architectural integration. We wanted to make it so users could continue to use
the existing set of user-mode payloads for both kernel and non-kernel exploits.
Strictly speaking, every payload in Metasploit to date is a user-mode payload,
and as such they will not function properly with a kernel-mode exploit.
However, the goal of makin
8 min
Metasploit
Metasploit 3.0 Automated Exploitation
A recurring theme in my presentations about Metasploit 3.0 is the need for
exploit automation. As of tonight, we finally have enough code to give a quick
demonstration :-)
Metasploit 3 uses the ActiveRecord module (part of RoR) to provide an object-oriented interface to an
arbitrary database service. Database support is enabled by installing RubyGems
, ActiveRecord ("gem install activerec