Posts Tagged ‘metasploit’
Exploit writing tutorial part 9 : Introduction to Win32 shellcoding
Over the last couple of months, I have written a set of tutorials about building exploits that target the Windows stack. One of the primary goals of anyone writing an exploit is to modify the normal execution flow of the application and trigger the application to run arbitrary code… code that is injected by the attacker and that could allow the attacker to take control of the computer running the application. This type of code is often called “shellcode”, because one of the most used targets of running arbitrary code is to allow an attacker to get access to a remote shell / command prompt on the host, which will allow him/her to take further control of the host. While this type of shellcode is still used in a lot of cases, tools such as Metasploit have …
Exploit writing tutorial part 8 : Win32 Egg Hunting
Introduction: Easter is still far away, so this is probably the right time to talk about ways to hunt for eggs (so you will be prepared when the Easter bunny brings you another 0day vulnerability). In the first parts of this exploit writing tutorial series, we have talked about stack based overflows and how they can lead to arbitrary code execution. In all of the exploits that we have built so far, the location where the shellcode is placed is more or less static and/or could be referenced by using a register (instead of a hardcoded stack address), taking care of stability and reliability. In some parts of the series, I have talked about various techniques to jump to shellcode, including techniques that use one or more trampolines to get to the shellcode. In …
Metasploit Project acquired by Rapid7
Just a few moments ago, Neil Roiter reported on SearchSecurity that The Metasploit Project (and the Metasploit Framework) has been acquired by Rapid7, a network vulnerability management vendor. This news has been confirmed by Rapid7 (see website) and by Metasploit (see blog).
A podcast of a discussion (on the acquisition) between HD Moore and Corey Thomas can be found here.
Based on the SearchSecurity report, Metasploit will remain open source (free licensing), and Rapid7 seems to be exploring ways to integrate Metasploit into their own NeXpose products.
It is not clear whether a commercial version of the Metasploit framework will be developed in the future (to compete with similar tools from companies such as Immunity and Core Security), but let’s hope the framework will remain free, maintained and updated in the future as it has been in …
Fuzzing with Metasploit : Simple FTP fuzzer
Just wanted to drop a quick note about the release of another free script. This time I’ve written a simple FTP fuzzer (with a little help from HDMoore) in Metasploit. You can read more about it (and download the script) at http://www.corelan.be:8800/index.php/my-free-tools/security/metasploit/simple-ftp-fuzzer-metasploit-module/
This is why I like Metasploit so much… :-)
Update : after running some fuzzing instances against a couple of FTP servers (Win32), I have noticed that some odd folders were created in my ftp root folder, and that these folders cannot be renamed or removed anymore.
(Error message : “Cannot read from the source file or disk”)
Solution : the rmdir command allows you to remove these folders using a \\?\ reference.
Let’s say the ftp root is located at ftp, and the folder that cannot be removed looks like a bunch of A’s, with spaces in between, then …
Exploit writing tutorial part 5 : How debugger modules & plugins can speed up basic exploit development
In the first parts of this exploit writing tutorial, I have mainly used Windbg as a tool to watch registers and stack contents while evaluating crashes and building exploits. Today, I will discuss some other debuggers and debugger plugins that will help you speed up this process. A typical exploit writing toolkit arsenal should at least contain the following tools :
- windbg (for a list of Windbg commands, click here)
- ollydbg
- immunity debugger (requires python)
- metasploit
- pyDbg (if you are using python and want to build your own custom debugger, as explained in the awesome Gray Hat Python book)
- scripting tools …
Exploit writing tutorial part 4 : From Exploit to Metasploit – The basics
In the first parts of the exploit writing tutorial, I have discussed some common vulnerabilities that can lead to two types of exploits : stack based buffer overflows (with direct EIP overwrite), and stack based buffer overflows that take advantage of SEH chains. In my examples, I have used perl to demonstrate how to build a working exploit. Obviously, writing exploits is not limited to perl only. I guess every programming language could be used to write exploits… so you can just pick the one that you are most familiar with (python, c, c++, C#, etc). Despite the fact that these custom written exploits will work just fine, it may be nice to be able to include your own exploits in the metasploit framework in order to take advantage of some of the unique metasploit features. So …
Exploit writing tutorial part 2 : Stack Based Overflows – jumping to shellcode
Where do you want to jmp today ? In one of my previous posts (part 1 of writing stack based buffer overflow exploits), I have explained the basics about discovering a vulnerability and using that information to build a working exploit. In the example I used in that post, we have seen that ESP pointed almost directly at the beginning of our buffer (we only had to prepend 4 bytes to the shellcode to make ESP point directly at the shellcode), and we could use a “jmp esp” instruction to get the shellcode to run. Note : This tutorial heavily builds on part 1 of the tutorial series, so please take the time to fully read and understand part 1 before reading part 2. The fact that we could use “jmp esp” was an …