Message-ID: <20031007132631.2156.qmail@sf-www2-symnsj.securityfocus.com>
Date: 7 Oct 2003 13:26:31 -0000
From: <dave@...unitysec.com>
To: bugtraq@...urityfocus.com
Subject: Re: The joys of impurity (was: MOSDEF, InlineEgg)


In-Reply-To: <20031006210520.GA3033@....net>

Well, MOSDEF is fairly far along, but the C compiler is not quite done, so no, you can't compile nmap and send it over for execution. 

Of course, that's not even an intended application. MOSDEF doesn't attach stdin and stdout to anything in particular. All communication with the little shellcode stubs you send over is done via an included "sendbuffer, sendint, sendstring" API. This is so you can transparently spawn two (or more) little shellcodes at once and not have them interleave their data over the socket as they send data back to you.

Most of a MOSDEF application is actually written in Python. Only loops and other sorts of small things are sent over for execution. This is because it makes sense to have high-level decision making done by a "decision making entity" with access to the larger picture. It's also non-optimal to break into a client's box in China and then have to send a meg of static binary across to it before you can do anything.

Another benefit of this design is that you won't have to collect statically linked binaries that happen to work on every architecture you want to hack. MOSDEF is a lot like GCC and a sourceforge subscription in that regard.

Of course, impurity is working right now, for small things, and MOSDEF needs to get another 40 hours or so before [#include,while,for,if,struct] are done, so for the "where do you want to go today?" question impurity might be the right answer.

Dave Aitel
Immunity, Inc.
"Where do you want to go tomorrow?"

>Hi,
>I enclose the impurity-1.0 release. The README follows. I would like to hear
>some comparisons with MOSDEF and InlineEgg; can you guys implement nmap in
>your shellcode ;) ?
>peace,
>algo
>
>	Impurity-1.0
>	by Alexander E. Cuttergo <cuttergo@....net>
>
>	Concept
>	Impurity is a set of scripts which make it easy to produce a
>shellcode ("first stage") which is able to download over the net an
>executable ELF file ("second stage") and execute it without writing it to
>the disk first. The first stage shellcode itself is almost constant (except
>for one parameter, the executable length) and very short - 46 bytes. Using
>this approach, one does not waste hours composing and debugging a complex
>shellcode - just write a .c program, run impurity (which creates the second
>stage ELF binary) and you are all set.
>	Impurity is mostly useful when exploiting a daemon which runs
>chrooted and with dropped privileges; in such a case one cannot simply execute
>/bin/sh. Compare it with MOSDEF and InlineEgg.
>	Currently impurity is implemented for Linux/i386 only; however,
>porting to other OS/architectures should be trivial, provided they use the ELF
>standard.
>
