Originally Posted by Pusscat

Being goaded by some coworkers about the opcode searching functionality of windbg prompted me to add a new option to jutsu today: searchOpcode

You can search for sets of instructions in conjunction; it will assemble them, providing you the machine code, then search for the instructions in executable memory. Instructions are delimited by pipes. I plan to add some limited wildcard functionality in the near future as well.

0:000> !jutsu searchOpcode  pop ecx | pop ecx | ret
[J] Searching for:
>  pop ecx
>  pop ecx
>  ret
[J] Machine Code:
> 59 59 c3
[J] Opcode sequence found at: 0x004012f9

Originally Posted by Pusscat

Today, HD merged in an amalgamation of windbg tools and plugins with a funny name into the main metasploit tree. We've been working on this collection for a while now, and currently it represents (I think) a good step towards turning windbg from simply a good debugger into a powerful platform for exploit development.

The work that's currently released includes:

tenketsu - the vista heap emulator/visualizer which allows you to track how input to a program affects the heap in real time.

jutsu - a set of tools for tracking buffers through memory, determining what is controlled at crash time, and discovery of valid relative return addresses based on it

mushishi - a framework (with examples) for the detection and defeat of anti-debugging methods.

Used in conjunction with metasploit, jutsu in particular can significantly speed up exploit development time as it understands and makes use of msfpattern buffers natively. The README file can be found in the tree at external/source/byakugan/README and details functionality, usage, build, and installation. For the slides from the preliminary release at toorcon seattle, go here.

Currently we're looking for more suggestions for functionality. Anything that you do commonly and think may be automatable is up for discussion.
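The post above says jutsu understands msfpattern buffers natively. The example below is added here by the editor and is not code from the post or from the byakugan tree; it reimplements the two halves of the msfpattern idea in Python so the mechanism is visible: generating the non-repeating cyclic pattern (Aa0Aa1Aa2...) that is fed to a crashing program, and mapping a value observed in a register or stack slot at crash time back to its offset in that buffer. The function names and the 20280-byte maximum are assumptions of this example (20280 is simply the full length the three nested alphabets produce).

```python
import string
from typing import Optional, Union

# Three alphabets of the classic pattern; every 3-byte triple is unique,
# so any 4-byte window occurs at exactly one offset in the full pattern.
UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits
MAX_PATTERN_LEN = len(UPPER) * len(LOWER) * len(DIGITS) * 3  # 20280


def pattern_create(length: int) -> bytes:
    """Return the first `length` bytes of the cyclic pattern Aa0Aa1Aa2..."""
    out = bytearray()
    for u in UPPER:
        for l in LOWER:
            for d in DIGITS:
                out += (u + l + d).encode("ascii")
                if len(out) >= length:
                    return bytes(out[:length])
    # Caller asked for more than the alphabets can produce without repeating.
    return bytes(out[:length])


def pattern_offset(value: Union[int, str, bytes],
                   length: int = MAX_PATTERN_LEN) -> Optional[int]:
    """Map a crash-time value back to its offset inside the pattern.

    An int is treated as a little-endian 32-bit register value (the way
    a debugger on x86 shows EIP/ESP contents); str/bytes are searched
    literally.  Returns None when the value is not part of the pattern.
    """
    if isinstance(value, int):
        needle = (value & 0xFFFFFFFF).to_bytes(4, "little")
    elif isinstance(value, str):
        needle = value.encode("ascii")
    else:
        needle = bytes(value)
    idx = pattern_create(length).find(needle)
    return idx if idx >= 0 else None


if __name__ == "__main__":
    # Constructed walk-through: a 20-byte pattern, then the offset of a
    # register that came back holding the bytes "a3Aa" (0x61413361 LE).
    print(pattern_create(20).decode())
    print(pattern_offset(0x61413361))
```

A debugger extension like jutsu does the second step in-process against the live registers and stack; the lookup itself is the same substring search shown here.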

Originally Posted by hdm

I just posted the first public documentation on Karmetasploit. This project is a combination of Dino Dai Zovi and Shane Macaulay's KARMA and the Metasploit Framework. The result is an extremely effective way to absorb information and remote shells from the wireless-enabled machines around you. This first version is still a proof-of-concept, but it already has an impressive feature list:
- Capture POP3 and IMAP4 passwords (clear-text and SSL)
- Accept outbound email sent over SMTP
- Parse out FTP and HTTP login information
- Steal cookies from large lists of popular web sites
- Steal saved form fields from the same web sites
- Use SMB relay attacks to load the Meterpreter payload
- Automatically exploit a wide range of browser flaws


One of the cool features is the probe-to-beacon code that we submitted as a patch to airbase-ng. Windows XP and Mac OS X systems use probe requests to determine if any of their preferred wireless networks are in range. Windows Vista no longer sends probes, instead it listens for a beacon containing the name of a preferred network. The new feature of airbase-ng (-C XX) allows one probing client to be used to discover a client that is listening for beacons. This works by rebroadcasting all probed networks as beacons for a short period of time. The result is that all actively-probing clients can be used to discover passive clients that are listening for the same network name.

Originally Posted by hdm

InfoWorld has just released the Best of Open Source Software Awards. The Metasploit Framework received an award in the category of Best of open source in security:

"When we first saw Metasploit back in 2004 at the DefCon hacker conference, we knew it would become a staple for security professionals the world over. And sure enough, Metasploit has become the de facto standard attack and penetration toolkit. Extremely extensible, and constantly updated to home in on the latest server and host vulnerabilities, Metasploit has the right stuff to test the perimeter of your network for holes, or determine whether your SQL or Web server or Unix, Linux, or Windows host can be compromised. If you have important systems to protect, point Metasploit at them yourself before someone else does."

Originally Posted by hdm

AR of Securebits released a new DNS poisoning tool today. The DNS Multiple Race Exploiter is unique in that it can overwrite any A record by using a CNAME response. This differs from any of the existing public tools (including those in Metasploit, which only poison uncached "A" records and "NS" records). Note for lazy IPS/IDS developers, this tool uses a static TTL of 0x7BEDABED in all spoofed replies.
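The post closes with a note for IDS/IPS developers: the tool uses a static TTL of 0x7BEDABED in every spoofed reply. The following is an added example by the editor, not code from the post or from any IDS product; it is a minimal DNS response parser in Python that walks the answer section (including compression pointers) and flags any resource record carrying that TTL. The response bytes are constructed inline for the demonstration, and the function names are this example's own.

```python
import struct
from typing import Dict, List, Tuple

# The fixed TTL the post attributes to the DNS Multiple Race Exploiter.
SUSPICIOUS_TTL = 0x7BEDABED


def _encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels (used only to build sample data)."""
    out = b""
    for label in name.strip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(ttl: int, rdata: bytes = b"\xc0\xa8\x00\x01") -> bytes:
    """Constructed sample: one A question and one A answer with the given TTL."""
    header = struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    question = _encode_name("www.example.com") + struct.pack(">HH", 1, 1)
    # Answer name is a compression pointer (0xC00C) back to the question name.
    answer = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + question + answer


def _read_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels: List[str] = []
    end = None          # offset just past the name in the original position
    hops = 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:               # compression pointer
            ptr = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2
            off = ptr
            hops += 1
            if hops > 16:                        # defend against pointer loops
                raise ValueError("compression pointer loop")
            continue
        if length == 0:
            off += 1
            break
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    return ".".join(labels), (end if end is not None else off)


def parse_answers(msg: bytes) -> List[Dict]:
    """Return the answer-section records of a DNS message as dicts."""
    qdcount, ancount = struct.unpack(">HH", msg[4:8])
    off = 12
    for _ in range(qdcount):                      # skip the question section
        _, off = _read_name(msg, off)
        off += 4                                  # QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        name, off = _read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        answers.append({"name": name, "type": rtype, "class": rclass,
                        "ttl": ttl, "rdata": msg[off:off + rdlen]})
        off += rdlen
    return answers


def find_suspicious_ttl(msg: bytes) -> List[Dict]:
    """Detection rule: any answer record whose TTL equals the tool's constant."""
    return [rr for rr in parse_answers(msg) if rr["ttl"] == SUSPICIOUS_TTL]


if __name__ == "__main__":
    for ttl in (300, SUSPICIOUS_TTL):
        hits = find_suspicious_ttl(build_response(ttl))
        print(hex(ttl), "-> flagged" if hits else "-> clean")
```

A static TTL is a brittle indicator (a later version of the tool could randomise it), so a production rule would pair it with the race-condition signals the post describes, such as a burst of unsolicited responses for the same query ID, rather than rely on the constant alone.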
