Karmetasploit Wireless Fun
I just posted the first public documentation on Karmetasploit. This project is
a combination of Dino Dai Zovi and Shane Macaulay's KARMA
[http://www.theta44.org/karma/index.html] and the Metasploit Framework. The
result is an extremely effective way to absorb information and remote shells
from the wireless-enabled machines around you. This first version is still a
proof-of-concept, but it already has an impressive feature list:
- Capture POP3 and IMAP4 passwords (clear-text and SSL)
- Accept
DNS Attacks in the Wild
In a recent conversation with Robert McMillan (IDG), I described an in-the-wild
attack against one of AT&T's DNS cache servers, specifically one that was
configured as an upstream forwarder for an internal DNS machine at BreakingPoint
Systems. The attackers had replaced the cache entry for www.google.com with a
web page that loaded advertisements hidden inside an iframe. This attack
affected anyone in the Austin, Texas region using that AT&T Internet Services
(previously SBC) DNS server. The att
Evilgrade Will Destroy Us All
Francisco Amato of Infobyte Security Research [http://www.infobyte.com.ar] just
announced ISR-evilgrade v1.0.0 [http://www.infobyte.com.ar/developments.html], a
toolkit for exploiting products which perform online updates in an insecure
fashion. This tool works in conjunction with man-in-the-middle techniques (DNS,
ARP, DHCP, etc.) to exploit a wide variety of applications. The demonstration video
[http://www.infobyte.com.ar/demo/evilgrade.htm] uses the CAU/Metasploit DNS
exploit [/2008/07/24/baili
BailiWicked
If you haven't already noticed by now, we've recently published two modules
which exploit Kaminsky's DNS cache poisoning flaw. I'll get to those in a
second, but first a word about disclosure.
In the short time that these modules have been available, I've received personal
responses from a LOT of people, spanning the spectrum from "OMG how could you do
this to the Internet users???" to "Great work, now I know what I'm up
against... We need more open researchers like you guys." In all honest
METASPLOIT UNLEASHES VERSION 3.1
Austin, Texas, January 28th, 2008 -- The Metasploit Project announced today the
free, world-wide availability of version 3.1 of their exploit development and
attack framework. The latest version features a graphical user interface, full
support for the Windows platform, and over 450 modules, including 265 remote
exploits. "Metasploit 3.1 consolidates a year of research and development,
integrating ideas and code from some of the sharpest and most innovative folks
in the security research comm
Cracking the iPhone (part 2)
In part one of "Cracking the iPhone", I described the libtiff vulnerability,
its impact on iPhone users, and released the first version of my hacked up
debugger. In this post, I will walk through the process of actually writing the
exploit.
First off, a new version of weasel (hdm-0.02
[http://metasploit.com/users/hdm/tools/weasel-hdm-0.02.tar.gz]) has been
released. This version includes an entirely new disassembly backend, courtesy of
libopcodes, and supports thumb-mode instructions. Thumb is
A root shell in my pocket (and maybe yours)
After the recent price drop and toolchain release
[http://code.google.com/p/iphone-dev/], I bit the bullet and bought a shiny new
iPhone. The first thing I did is bypass activation, run jailbreak, and install
the AppTapp Installer [http://iphone.nullriver.com/beta/]. Using the installer,
I added OpenSSH and a VT-100 Terminal to the phone. Once I had shell access, I
made a few observations:
1) The processor is actually decent. Compare the iPhone (400 MHz*) with the
Nokia
n770 [http://www.linuxd
An easier way to create payload modules in 3.0
Thanks to Yoann GUILLOT and Julien TINNES, Metasploit 3.0 (the trunk version)
includes integrated support for metasm [http://metasm.cr0.org/], a 100% ruby
assembler, disassembler, and linker. It currently supports x86 and MIPS, but
support for many other architectures is in development. Using metasm, we've
taken some steps to improve the framework's payload module interface. This
improvement is designed to make it possible for payload modules to contain
assembly rather than the typical large
HeapLib Support Added to Metasploit 3
If you were able to attend Black Hat Europe this year, you had the opportunity
to catch Alexander Sotirov's talk on Heap Feng Shui. The focus of his talk was
on describing ways to use javascript in browsers to control heap layout with
surgical precision. This has obvious benefits when it comes to exploiting heap
related vulnerabilities in browsers. At present, many browser-based exploits
will blindly spray payloads and other structures across the heap in ways that
won't always guarantee that
Metasploit Framework 3.0 RELEASED!
Metasploit [http://metasploit.com] is pleased to announce the immediate free
availability of the Metasploit Framework version 3.0.
The Metasploit Framework ("Metasploit") is a development platform for creating
security tools and exploits. Version 3.0 contains 177 exploits, 104 payloads, 17
encoders, and 3 nop modules. Additionally, 30 auxiliary modules are included that
perform a wide range of tasks, including host discovery, protocol fuzzing, and
denial of service testing.
Metasploit is used by ne
Kernel-Mode Payloads in Metasploit 3.0
We recently decided to finally take a stab at integrating kernel-mode payloads
into Metasploit 3.0. This presented an interesting challenge for us in terms of
architectural integration. We wanted to make it so users could continue to use
the existing set of user-mode payloads for both kernel and non-kernel exploits.
Strictly speaking, every payload in Metasploit to date is a user-mode payload,
and as such they will not function properly with a kernel-mode exploit.
However, the goal of makin
Metasploit 3.0 Automated Exploitation
A recurring theme in my presentations about Metasploit 3.0 is the need for
exploit automation. As of tonight, we finally have enough code to give a quick
demonstration :-)
Metasploit 3 uses the ActiveRecord
[http://wiki.rubyonrails.org/rails/pages/ActiveRecord] module (part of RoR
[http://rubyonrails.org/]) to provide an object-oriented interface to an
arbitrary database service. Database support is enabled by installing RubyGems
[http://www.rubygems.org/], ActiveRecord ("gem install activerec
Metasploit Framework 3.0 Beta 2
We are happy to announce that the second beta release of the 3.0 tree is now
ready for download. This release includes incremental improvements to the first
beta as well as some new features and modules. 3.0 Beta 2 is fully compatible
with Linux, BSD, Mac OS X, and Windows using our custom Cygwin installer. If you
would like to discuss the beta release with other users, please subscribe to the
framework-beta mailing list by sending a blank email to
framework-beta-subscribe[at]metasploit.com.
Metasploit Framework 3.0 Beta 1
We are happy to announce that the first beta release of the 3.0 tree is now
ready for download. This release contains numerous bug fixes and improvements to
the previous alpha release. 3.0 Beta 1 is fully compatible with Linux, BSD, Mac
OS X, and Windows using our custom Cygwin installer. If you would like to
discuss the beta release with other users, please subscribe to the
framework-beta mailing list by sending a blank email to
framework-beta-subscribe[at]metasploit.com.
If you are attending
Interprocedural Data Flow Dependencies
In a previous post [/2006/03/29/a-few-msrt-graph-illustrations] I illustrated a
very basic data flow dependency graph. This graph was meant to describe the
order (and thus dependencies) of memory read and write operations within the
context of a given function. While this graph may be useful in some
circumstances, the simple fact that it's limited to a specific function means
that there will be no broad applicability or understanding of the program as a
whole. To help solve that problem, it