Re: no standards for webapp exploitation

Well - and this is all "In My Opinion" of course - I've written a VulnXML engine (SPIKE Proxy) and a commercial exploitation engine that has quite a few Web exploits in it (Immunity CANVAS).

Taking the recent Abyss X1 Web Server exploit as an example, I had to do many things:

1. Set up the shellcode using an encoder with a list of bad characters and including the current host and port to call back to
2. Set up the searchshellcode (much smaller) with the same list of bad characters
3. urllib.quote_plus() where necessary
4. initialize the server by making some requests and leaving them open (each with a copy of the searchcode)
5. send one request with the real shellcode
6. send one request with the heap overflow (and a copy of the search code)
7. if a callback comes back, then the exploit was successful.
8. if the server goes down, then it was not successful (never happens :>)
9. if the server stays up, either there is a bad character I don't know about, or the server is patched (which should never happen, since you always know the server version from the Server: header). So try the exploit again until it works.

Somewhere in there I do a regex to get the Server: header and know which version of the server I'm targeting.

So the major problems I see with VulnXML for this as it stands right now: 1. Shellcode is an issue. Good shellcode is hard to come by. Eventually I'll GPL MOSDEF (a Python shellcode creation engine with dynamic remote linking), but until then there is really no good shellcode library out there. There are no really good encoder/decoder libraries out there either.
2. Doing multiple things at one time is difficult with the current VulnXML format. Like, I have 15 sockets open to the target at once here... 3. VulnXML is oriented towards a single execution - it doesn't do loops (i.e. it is not a real language, just a description language). This makes it hard to do some of the things a real exploit will need to do. 4. You definately need a long list of things the engine is going to have to support - urllib, various encoding mechanisms (%uxxxx, %xx) and various other things

In short, I think VulnXML and ExploitXML are two very different things. As it stands, VulnXML is great for _detecting_ bugs, but not useful for actuall exploiting them. For that, a Python class-based infrastructure makes a lot of sense.

Dave Aitel
R&D
Immunity, Inc.

> Hi...
Received on Thu Jul 3 11:42:23 2003

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek