Thursday, March 08, 2007

Exploit frameworks are the best

This week I wrote an exploit for a JRun vulnerability released in 2002! I was proud of myself as we rarely get the chance to write an overflow during a penetration test. Usually it's all web exploits, unpatched windows systems, poor administration, etc. My friend said we found "the oldest box on his network." So much for "no public exploits exist" as a mitigation! HA!

The hardest part of all this was getting a copy of the JRun software installed and running in a VM. It was so old the company (Allaire) had been bought twice so no installers could easily be found! A few hurdles later and within half a day I had a stable module written for Metasploit. Later in the evening I wrapped one up for Canvas. I don't have a copy of CORE Impact - it's a little expensive and, well, we do alright with what we have. :)

Dave Aitel once said he envisioned a future of exploit writing becoming a marketplace where they can be sold by third parties like ActiveX objects were in the early days of IE. Needed to do some video? Here's a library that'll help!

To be honest I don't see that happening. There's little value for me to spend some amount ($100 to $5000?) for a single exploit that may or may not work to "prove" the system is vulnerable. There's so much wiggle area when exploiting a system, even with the protections provided by today's frameworks, that it'll just be too unreliable. I'd have a hard time justifying the cost but maybe that's just me.

There's been talk on the Metasploit mailing list of putting together an exploit module repository. Something centralized that can be maintained by developers. I've been searching for a project, maybe this will be it. :) Anyone else that's interested drop me a line. I envision a Trac Wiki + SVN repository with some core supporters and community submissions/requests. Of course we'll have to weed out the 100s of "writemesumthin 2 hax myspace/yahoo/aim" but that's part of the fun!

Until then.. enjoy my meager contributions: http://grutz.jingojango.net/exploits/

SecurityOPUS is coming up March 19-21 here in San Francisco. It's an awesome conference and I highly recommend coming -- registration is still open. We don't have many get-togethers here for some reason other than big marketing events like RSA. There's a lot of talent in the bay area and this is a great way for the security community to come together more. Come! Learn! Enjoy! Eat some great food on Rich's dime! Then later come to our OWASP meetings. They're lots of fun and free beer when iSEC Partners hosts. :)

1 comment:

Seth said...

It warms my heart to see you learning ruby, especially after all those years of you making fun of me for using it :)