6

I have been thinking about this subject a lot. Exploit Development is nearly the same as normal development, you need to test quite a lot of platforms (eg. Windows XP, Windows Vista, x64, x86, Chinese, English versions). This problem asks for unit tests and continuous integration.

Till now I've been hacking some Python scripts to automatic launch metasploit load my custom exploit launch it. And as payload to set execute my back connector to tell me everything is going well. Now I can have one system on auto-update and get an alarm when then 0day has been fixed (without reporting it) or very quickly test a range of virtual systems.

I am wondering, if their are systems or papers out there on this subject. Things to consider etc etc.

Edit

I've upgraded my method by building the environment as well. I build deploy scripts for my exploits now, the script:

  • clones a VM
  • transfers the vulnerable version of the software from my software library (read NAS)
  • installs the software with the most-basic (Next, Next, I Agree bot method for windows, apt-get install for Linux)
  • Checks if the software is running
  • Gets the port it is running on (netstat / grep hackish (very breakable)
  • Launch Exploit
  • Connect back
  • Write Result

It is cool still hoping to get at least one reply for my Bounty (+100..)

Stolas
  • 303
  • 1
  • 13
  • Your question seems to have two parts, one seems about testing the same exploit on different versions and the other checking whether the exploit is patched or not. Is this correct? – Omair . Sep 30 '13 at 19:08
  • @Omair. Exactly, as a software developer we use Jenkins etc for these things with 'normal' software. Python scripts, etc etc. I figured (as an exploit developer) I could leverage this to ExploitDevelopment to see when my 0day is not a 0day anymore or to test my exploits. Eg, installing software, firing at it and closing it. By doing this daily both tests will be done in an automatic fashion. I know I can keep an eye on CVE-RSS Feeds to see when a vuln has been found but this method you'll also see the silent patches. – Stolas Oct 01 '13 at 06:22
  • I don't understand why you can't use Jenkins in this case. It is a general purpose scheduling web app at core, and can execute local and remote scripts on a timed or triggered basis (and lots of other things with its various plugins). And then send various emails (or trigger other tasks) based upon the results. If the exploit testing part is the "build", then the checking part is the "test". – WeaponsGrade Oct 01 '13 at 20:54
  • I have been thinking of using Jenkins, Buildbot and even been considering of using CMake, CTest and CDash for this. However the Python thing gives me a tad more flexibility for a temp setup before I know what I want to get a server for this. Now this is running in a breakable environment. I was just wondering if there are papers on this subject. – Stolas Oct 02 '13 at 06:46

2 Answers2

1

For checking if a vulnerability has been patched or not, why not just have a fixed value for EIP, say like DEADDAED and make sure it matches by getting the output through some debugging module. If it matches the vulnerability is still there. If it doesn't match but the application crashes, you most likely have the vulnerability there but need to modify the exploit code for it to work properly.

For testing it on new versions, the exploit shouldn't work. For example, I have an IE exploit and the ASLR is bypassed using mshtml. If mshtml is updated in the next IE update, my exploit will not work because of the offset changes that have occurred in the patched mshtml. Unless maybe, you are using some other dll in which no changes have occurred.

As far as I can see it, you need to test it on one version of the software in concern to determine if it is patched or not.

The other parts of cloning a VM, updating the software etc. should be as you stated. The only thing with a MSI installer is you could try doing a silent install, so you avoid the dialog boxes.

Omair .
  • 331
  • 1
  • 2
-1

Some kinds of exploits indeed need testing on a lot of environments. A good paper on this subject is "Uncovering Zero Days and advanced fuzzing" by Nikolaos Rangos slides: http://kingcope.files.wordpress.com/2012/05/uncovering-zerodays-and-advanced-fuzzing.pdf script: http://kingcope.files.wordpress.com/2012/05/uncovering-zerodays-and-advanced-fuzzing_script.pdf

banana
  • 1
  • 2
    Please consider quoting parts of the PDF to improve your answer. – Simon Sep 18 '13 at 14:31
  • I would like see what the exact thing you meant? He is not really talking about continues testing his exploitation techniques? – Stolas Sep 24 '13 at 09:47