Active users of Metasploit will no doubt be aware that Meterpreter is still being actively developed and enhanced by a bunch of people. I’m lucky enough to still be one of them! In this post I just want to cover a few things that have been done to it recently, and to give a bit of visbility of how I am able to continue contributing in the way that I do.
As many of you are already aware, Metasploit and Meterpreter talk to each other using a variety of transports. While the transports may vary from session to session, one thing that doesn’t vary is the “protocol” that travels over those transports. This information fits a well-known structure, and is referred to as TLV Packets (Type, Length, Value).
Once a session has been established, the TLV traffic that is sent across the wire contains a bunch of very easily recognisable content, and as such can be detected by Antivirus software, or Intrusion Detection Systems.
Recently, I made a change to the way the packets are formed prior to transmission, and this post is intended to explain the detail of how it works.
Warning: It’s really simple.
This post contains a walk-through of the process required to solve The Blender. The Blender was a reverse engineering challenge that I built and submitted to hyprwired for inclusion in the Kiwicon CTF. The challenge wasn’t intended to be too mind-boggling, but it turned out that nobody was able to solve it on the day.
I won’t deny that this didn’t me feel awful and great at the same time! However, I don’t want this lying in the depths of history unsolved, so I wanted to show people the story behind the challenge, and how to nail it using IDA and your brain.
Please download it if you would like to follow along.
In October last year, while conducting an internal assessment for a client in Sydney, I found a vulnerability in a vendor product. The flaw allows for remote code execution on the device, as the root user, without requiring authentication. Needless to say, “instant remote root” vulnerabilities are bad. On the scale of bug severity, they’re up pretty high. For a device such as this, it doesn’t really get any worse.
Once I had a working proof-of-concept which demonstrated the flaw, I made contact with the vendor in an effort to disclose the issue in a secure and responsible manner. I was aware that other options were available, such as handing the issue over to CERT or some other initiative that deals with the pain of disclosure, but I wanted to get first-hand experience of the process, hence I decided to do it myself.
I’m not going to lie, it has been frustrating.
In November last year, I was fortunate enough to participate in the beta testing of “The Playground” – a new product from the folks who gave us OSCP, OSCE and others, Offensive Security. The Playground, otherwise known as the “Virtual Penetration Test Labs”, is an environment designed to aid in practising and honing your skills as a penetration tester.
Offensive Security have posted some detail of this lab on their site. It’s worth reading to give context to this post.
This post is a mini-review of the lab, along with some thoughts as to why this could be good for you and/or your organisation.
This post contains a detailed account of how I solved the Saturn exploitation challenge during CSAW 2014 CTF. I thought that this challenge was very entertaining, hopefully you will too.
During the course of exploit development it is not uncommon to require jumps in your shellcode. The most common case for these jumps is when doing SEH overwrites, due to their nature. There are times when the author of the exploit has a hard time performing these jumps due to the fact that only a subset of characters are deemed valid for use by the target application in that particular input field.
In this post I want to briefly cover a few options for performing those jumps in such a scenario.
In my previous post I covered off, in relative detail, how to exploit the IDSECCONF offline CTF myftpd server running on Windows XP. This exploit makes use of a Vanilla EIP overwrite along with some shellcode golf to allow for execution of arbitrary payloads. At the time I had intended to write up a way of making this work on other versions of Windows, but that post ended up long enough so I decided to publish without the extra detail.
In this post I am going to show how you can make this exploit work on Windows 7 SP1. This doesn’t really bypass ASLR, it just avoids it.
If you haven’t read the previous post, then please go and read that now. If you’re ready, then let’s dive in.
With OSCE out of the way and the family in need of a break from me doing study and certifications, I decided to turn my hand to some fun exploit challenges to keep up the practice. To a wannabe bug exploiter such as myself, there are plenty of options out there which are great for fun and practice. Some of those options are:
On this particular day I thought I’d try one of the harder exploitme challenges and it just so happened that something appeared in my Twitter feed that pointed me to Ammar’s post discussing a level 500 exploit challenge from the IDSECCONF 2013 CTF. To quote Ammar:
… during the IDSECCONF offline CTF, none of the team were able to wrap up a working remote exploit, although one team were able to get [the] correct offset to overwrite EIP …
This had the hallmarks of being tricky and fun! I asked Ammar if the binary was still available and he kindly made it available for download (head to his site if you would like to have a shot at it yourself).
What follows is my dissection of the binary, along with my approach to exploiting it so that it would allow the attacker to submit any payload including reverse Meterpreter shells, bind shells and VNC injection. If you’re keen to take this challenge on by yourself, please don’t read this as it’s a blatant spoiler. Otherwise, let’s get stuck in!
I might not have mentioned this before, but I have to tell you that building Meterpreter is easy. In the old days, downloading the source was the easy bit and compiling it was the hard bit. The steps involved in getting a Meterpreter build environment together were extensive and prone to error. In fact if you got one wrong, or you did things in the wrong order, then you could end up having to remove everything from your machine and starting again.