Peter Van Eeckhoutte's Blog

Posts Tagged ‘plugin’

When I started Win32 exploit development many years ago, my preferred debugger at the time was WinDbg (and some Olly). While Windbg is a great and fast debugger, I quickly figured out that some additional/external tools were required to improve my exploit development experience. Despite the fact that the command line oriented approach in windbg has many advantages, it appeared not the best tool to search for good jump addresses, or to list non-safeseh compiled / non-aslr aware modules, etc….  Ok, looking for a simple “jmp esp” is trivial, but what if you are looking for all pop pop ret combinations in non-safeseh compiled modules…   Not an easy task. It is perfectly possible to build plugins for Windbg, but the ones that I have found (MSEC, byakugan (Metasploit)) don’t always work the way I want them …

Introduction In all previous tutorials in this Exploit writing tutorial series, we have looked at building exploits that would work on Windows XP / 2003 server. The success of all of these exploits (whether they are based on direct ret overwrite or exception handler structure overwrites) are based on the fact that a reliable return address or pop/pop/ret address must be found, making the application jump to your shellcode. In all of these cases, we were able to find a more or less reliable address in one of the OS dll’s or application dll’s. Even after a reboot, this address stays the same, making the exploit work reliably. Fortunately for the zillions Windows end-users out there, a number of protection mechanisms have been built-in into the Windows Operating systems. – Stack cookies (/GS Switch cookie) …

ike-scan is a great tool to audit VPN/IPSec implementations.  This tool, which runs under Lunix, Unix, MacOS and Windows, can be found at www.nta-monitor.com/tools/ike-scan/ (Latest version at time of writing is 1.9). My Nessus ike-scan NASL wrapper may or may not work with earlier versions or newer versions, so test test test)
Some of the great features of ike-scan include extracting the PSK, or transform attributes to find all algorithms that are enabled on a device. Especially this last function may require some scripting and lots of time to go through the log files in order to see whether your solution is configured the way it should be configured.
So I decided to write a nessus nasl plugin to run ike-scans.
The plugin is in fact a wrapper around ike-scan and will parse the output, looking for specific settings :

Does the …