A root shell in my pocket (and maybe yours)
After the recent price drop and toolchain release
[http://code.google.com/p/iphone-dev/], I bit the bullet and bought a shiny new
iPhone. The first thing I did was bypass activation, run jailbreak, and install
the AppTapp Installer [http://iphone.nullriver.com/beta/]. Using the installer,
I added OpenSSH and a VT-100 Terminal to the phone. Once I had shell access, I
made a few observations:
1) The processor is actually decent. Compare the iPhone (400MHz*) with the
Nokia n770 [http://www.linuxd
An easier way to create payload modules in 3.0
Thanks to Yoann GUILLOT and Julien TINNES, Metasploit 3.0 (the trunk version)
includes integrated support for metasm [http://metasm.cr0.org/], a 100% Ruby
assembler, disassembler, and linker. It currently supports x86 and MIPS, but
support for many other architectures is in development. Using metasm, we've
taken some steps to improve the framework's payload module interface. This
improvement is designed to make it possible for payload modules to contain
assembly rather than the typical large
HeapLib Support Added to Metasploit 3
If you were able to attend Black Hat Europe this year, you had the opportunity
to catch Alexander Sotirov's talk on Heap Feng Shui. The focus of his talk was
on describing ways to use JavaScript in browsers to control heap layout with
surgical precision. This has obvious benefits when it comes to exploiting
heap-related vulnerabilities in browsers. At present, many browser-based exploits
will blindly spray payloads and other structures across the heap in ways that
won't always guarantee that
Metasploit Framework 3.0 RELEASED!
Metasploit [http://metasploit.com] is pleased to announce the immediate free
availability of the Metasploit Framework version 3.0.
The Metasploit Framework ("Metasploit") is a development platform for creating
security tools and exploits. Version 3.0 contains 177 exploits, 104 payloads, 17
encoders, and 3 nop modules. Additionally, 30 auxiliary modules are included that
perform a wide range of tasks, including host discovery, protocol fuzzing, and
denial of service testing.
Metasploit is used by ne
Kernel-Mode Payloads in Metasploit 3.0
We recently decided to finally take a stab at integrating kernel-mode payloads
into Metasploit 3.0. This presented an interesting challenge for us in terms of
architectural integration. We wanted to make it so users could continue to use
the existing set of user-mode payloads for both kernel and non-kernel exploits.
Strictly speaking, every payload in Metasploit to date is a user-mode payload,
and as such they will not function properly with a kernel-mode exploit.
However, the goal of makin
Metasploit 3.0 Automated Exploitation
A recurring theme in my presentations about Metasploit 3.0 is the need for
exploit automation. As of tonight, we finally have enough code to give a quick
demonstration :-)
Metasploit 3 uses the ActiveRecord
[http://wiki.rubyonrails.org/rails/pages/ActiveRecord] module (part of RoR
[http://rubyonrails.org/]) to provide an object-oriented interface to an
arbitrary database service. Database support is enabled by installing RubyGems
[http://www.rubygems.org/], ActiveRecord ("gem install activerec
Metasploit Framework 3.0 Beta 2
We are happy to announce that the second beta release of the 3.0 tree is now
ready for download. This release includes incremental improvements to the first
beta as well as some new features and modules. 3.0 Beta 2 is fully compatible
with Linux, BSD, Mac OS X, and Windows using our custom Cygwin installer. If you
would like to discuss the beta release with other users, please subscribe to the
framework-beta mailing list by sending a blank email to
framework-beta-subscribe[at]metasploit.com.
Metasploit Framework 3.0 Beta 1
We are happy to announce that the first beta release of the 3.0 tree is now
ready for download. This release contains numerous bug fixes and improvements to
the previous alpha release. 3.0 Beta 1 is fully compatible with Linux, BSD, Mac
OS X, and Windows using our custom Cygwin installer. If you would like to
discuss the beta release with other users, please subscribe to the
framework-beta mailing list by sending a blank email to
framework-beta-subscribe[at]metasploit.com.
If you are attending
Interprocedural Data Flow Dependencies
In a previous post [/2006/03/29/a-few-msrt-graph-illustrations] I illustrated a
very basic data flow dependency graph. This graph was meant to describe the
order (and thus dependencies) of memory read and write operations within the
context of a given function. While this graph may be useful in some
circumstances, the simple fact that it's limited to a specific function means
that there will be no broad applicability or understanding of the program as a
whole. To help solve that problem, it
Post-Exploitation Fun in Metasploit 3.0
So what does it mean when we talk about all the cool automation support that
Metasploit 3.0 has? Well, the answer is fairly broad. It means you can implement
plugins and other tools that can be used to extend and automate a number of
features included in the framework. By virtue of this fact, it means that you
can extend and automate one of the areas that I personally find the most
interesting: post-exploitation payloads. Spoonm and I recently completed a tour
of duty describing some of the coo
Metasploit Reversing Toolkit (Intro)
One of the goals of the Metasploit Project is to provide a useful and friendly
outlet for security related research. Examples of this can be seen in the
Metasploit Framework, the Opcode Database, and the Metasploit Anti-Forensics
tools. Though the focus of the project has been mostly oriented toward
exploitation research, the interests of those involved in the project generally
don't stop there. Most recently, I've been spending some time designing and
implementing a library that can be used to