Exploit Pack – Open Source Security Project for Penetration Testing and Exploit Development

 

Exploit Pack, is an open source GPLv3 security tool, this means it is fully free and you can use it without any kind of restriction. Other security tools like Metasploit, Immunity Canvas, or Core Impact are ready to use as well but you will require an expensive license to get access to all the features, for example: automatic exploit launching, full report capabilities, reverse shell agent customization, etc.

 

Exploit Pack is fully free, open source and GPLv3. Because this is an open source project you can always modify it, add or replace features and get involved into the next project decisions, everyone is more than welcome to participate. We developed this tool thinking for and as pentesters. As security professionals we use Exploit Pack on a daily basis to deploy real environment attacks into real corporate clients.

 

Video demonstration of the latest Exploit Pack release:

 

More than 300+ exploits
Military grade professional security tool
Exploit Pack comes into the scene when you need to execute a pentest in a real environment, it will provide you with all the tools needed to gain access and persist by the use of remote reverse agents.

 

Remote Persistent Agents
Reverse a shell and escalate privileges
Exploit Pack will provide you with a complete set of features to create your own custom agents, you can include exploits or deploy your own personalized shell-codes directly into the agent.

 

Write your own Exploits
Use Exploit Pack as a learning platform
Quick exploit development, extend your capabilities and code your own custom exploits using the Exploit Wizard and the built-in Python Editor moded to fulfill the needs of an Exploit Writer.

 

 
 

What The Massive Shellshock Exploit Means For You

shellshock The Plain Mans 10 Point Guide to What The Massive Shellshock Exploit Means For You

The big tech news of the moment, and probably of the year or decade, is the revelation about a massive security hole in something called Bash, which is an arcane bit of geek code which is installed on many of the computers which power and host the Internet (and also Apple Mac computers). Here’s our plain man’s guide to what it means for you.

1. Over 51% of all web servers (i.e. websites) are running on the Linux operating system. Bash was historically a commonly used software component of Linux. Therefore the vulnerability instantly makes all these machines potentially susceptible to attack. That is a Very Big Deal. Because Apple Macs also use Linux as the basic system, this means Macs are also vulnerable. But see below.

2. The exploit only affects web servers directly, i.e. computers which are connected to the Internet, and operate webcode or websites. So your laptop computer will likely not be vulnerable unless you have some web server programs installed. In addition this web server code needs to include CGI and Bash for it to be exploitable. Very geek.

3. It is not clear how many web server computers are vulnerable, because it is not clear how much CGI and Bash is still being used. Most websites now use newer technologies, but there are still a not insignificant number of web computers using ‘back-end’ functions where Bash/CGI may be employed. However in general terms, Linux hardware like Android phones and home Internet routers should be safe, because they do not use those components.

shellshock3 The Plain Mans 10 Point Guide to What The Massive Shellshock Exploit Means For You

4. In order for the most serious part of the exploit to be run, the attacker needs to have access to the system in the first place (i.e. login, permissions etc), which immediately means the server then has much more of a security problem than just Shellshock. However, there is a form of attack where a remote attacker could add a nasty command to a web browser, which could suck private data from a web server like passwords, or other private information. This second form of attack is the one which worries security people the most.

5. Almost all of the major distributions of Linux have already had patches installed. Shellshock is therefore primarily of concern mainly for older, or small business computer installations, which may be running unpatched (i.e. unfixed) versions for a long period. Apple has yet to issue a patch for the problem. Similarly older or smaller web hosting services with sloppy security and upgrade procedures will be vulnerable.

6. How to test if your computer is vulnerable (warning – geek stuff): Run –

env x=’() { :;}; echo vulnerable’ bash -c “echo this is a test”

If your computer is OK, you will see :

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x’
this is a test

If your computer is NOT OK, you will see:

env x=’() { :;}; echo vulnerable’ bash -c “echo this is a test”
vulnerable
this is a test

7. How to fix your computer if it is vulnerable (see above warning):
1) open a terminal
2) type “sudo yum -y update bash”
3) wait until it says it’s finished, then log out of your computer and log back in.

8. Just to repeat: Shellshock is not a problem in and of itself if your device is securely protected by having authentication on all open ports, and full blown security systems in place around the CGI/Bash implementation. So while there are 78 million web servers which may potentially be vulnerable right now, it will still require the other components of the attack to be in place. Even so, one estimate suggests that between 3000 and 3 million computers (!) POSSIBLY could be vulnerable.

9. Again, if you do not run a web connected computer with CGI and Bash components installed, you will not be vulnerable at all. Windows itself is not vulnerable, it is only Linux systems (and to a lesser degree ordinary consumer Apple Macs). Despite rumours, there are no reports as yet of small Linux hardware devices (e.g. GPS, phones, security etc) being vulnerable, because most of them do not use Bash.

shellshockscanner The Plain Mans 10 Point Guide to What The Massive Shellshock Exploit Means For You

10. You can use this Shellshock Scanner to test whether your website or webserver is vulnerable to the problem.

Note: You can read an excellent, more technical, summary of the bug here.

 

 

Credit:  Nigel

Remote exploit vulnerability in bash CVE-2014-6271

 

A remotely exploitable vulnerability has been discovered by Stephane Chazelas in bash on Linux and it is unpleasant. The vulnerability has the CVE identifier CVE-2014-6271 and has been given the name Shellshock by some. This affects Debian as well as other Linux distributions. You will need to patch ASAP.

Bash supports exporting shell variables as well as shell functions to other bash instances. This is accomplished through the process environment to a child process.

The major attack vectors that have been identified in this case are HTTP requests and CGI scripts.

From Akamai:

“Akamai has validated the existence of the vulnerability in bash, and confirmed its presence in bash for an extended period of time. We have also verified that this vulnerability is exposed in ssh—but only to authenticated sessions. Web applications like cgi-scripts may be vulnerable based on a number of factors; including calling other applications through a shell, or evaluating sections of code through a shell.”

There are several functional mitigations for this vulnerability: upgrading to a new version of bash, replacing bash with an alternate shell, limiting access to vulnerable services, or filtering inputs to vulnerable services. Akamai has created a WAF rule to filter this exploit; see “For Web Applications” below for details.
If you have a username in your authorization header this could also be an attack vector.

Another attack surface is OpenSSH through the use of AcceptEnv variables. As well through TERM and SSH_ORIGINAL_COMMAND. An environmental variable with an arbitrary name can carry a nefarious function which can enable network exploitation. This is fire bad.

The race is on. Will you be able to patch before Metasploit has a working exploit?

Tod Beardsley, engineering manager from Rapid7, had this to say,

“As you might have guessed, we’re busy at work putting together a Metasploit module that demonstrates the bash bug (CVE-2014-6271), as is the rest of the world of open source security contributors. I expect to see a first version today.

That said, it’s difficult to write one “bash bug” exploit — this is the sort of exploit that will be lurking around in all various and sundry sorts of software, both local and remote. It’s quite common for embedded devices with web-enabled front-ends to shuttle user input back and forth via bash shells, for example — routers, SCADA/ICS devices, medical equipment, and all sorts of webified gadgets are likely to be exposed.

The module we’re cooking up today will be as generic as we can make it, so people have a realistic chance of testing their devices. I expect that this will show up in more than one software package, though, so stay tuned.”

[UPDATE]: Received word from Tod at Rapid7 that the Metasploit module for the bash vulnerability was completed at 8:26 pm EDT.

Patch your systems now…GO!

Support Information:

Novel/SuSE
Debian
Ubuntu
Mint
Redhat/Fedora
Mageia
CentOS

 

 

Credit:  Dave Lewis

Major Android Bug is a Privacy Disaster (CVE-2014-6041)

 

On the night of September 7, 2014, Joe Vennix of Rapid7’s Metasploit Products team wrote, “I did not believe this at first, but after some testing it seems true: in AOSP browser before Android 4.4, you can load javascript into any arbitrary frame or window […]” and provided a Metasploit module to exploit this condition. After some of the usual testing and confirmation of the vulnerability, this module is available in all versions of Metasploit.

 

The vulnerability that Joe didn’t believe is CVE-2014-6041, and was disclosed on September 1, 2014 by Rafay Baloch on his blog, Rafay Hacking Articles. By malforming a javascript: URL handler with a prepended null byte, an attacker can avoid the Android Open Source Platform (AOSP) Browser’s Same-Origin Policy (SOP) browser security control.

 

What this means is, any arbitrary website (say, one controlled by a spammer or a spy) can peek into the contents of any other web page. Imagine you went to an attackers site while you had your webmail open in another window — the attacker could scrape your e-mail data and see what your browser sees. Worse, he could snag a copy of your session cookie and hijack your session completely, and read and write webmail on your behalf.

 

This is a privacy disaster. The Same-Origin Policy is the cornerstone of web privacy, and is a critical set of components for web browser security. Oh, and it gets worse.

 

When this vulnerability was announced by Balcoh, it was met with… total silence. There has been no acknowledgement of the bug from Google, as far as we can tell. There’s no listing of this bug on CVEDetail’s readout of Android issues, and no chatter (we could find) in the Android security community about this bug.

 

Research and testing is still ongoing to plumb the depths of this issue. We’d like to pin down exactly when the bug was fixed, and to determine just how widespread this vector really is. After all, pre-4.4 builds of Android account for about 75% of the total Android ecosystem today.

 

More importantly, 4.2 (Jellybean) and prior phones account for nearly 100% of off-the-shelf, lower-end prepaid phones from major manufacturers and carriers. They still ship the unsupported AOSP browser. These are the kinds of phones that account for a huge chunk of total market share, and yet are still vulnerable to this bug and the WebView addJavascriptInterface vulnerability.

 

While the AOSP browser has “been killed off” by Google, it is wildly popular, even on modern devices used by sophisticated users who prefer the stock browser over Google Chrome, Firefox, Dolphin, or other browsers. A quick search for “AOSP browser” turns up page after page of instructions and HOWTOs on re-installing this defunct, unsupported-by-Google software. Among the top pages, I could find absolutely no mention of security concerns in reinstalling the original stock browser.

 

Later this week, I’ll have a demo of the bug all videoed up that’s sufficiently shocking. I’d really like to continue the conversation about security for mid- to low-end devices that people trust with the details of their lives. I hope this Metasploit module (which is available today in all versions of Metasploit) spurs along the conversation on what we can do to ensure that the users of normal, off-the-shelf, brand-new phones aren’t so vulnerable to privacy violations.

 

 

CREDIT:  Tod Beardsley

Installing BeEF on Ubuntu 12.10 LTS

BeEF - Browser Exploitation Frame

BeEF – The Browser Exploitation Framework Project is a penetration testing tool that focuses on the web browser.

Amid growing concerns about web-borne attacks against clients, including mobile clients, BeEF allows the professional penetration tester to assess the actual security posture of a target environment by using client-side attack vectors. Unlike other security frameworks, BeEF looks past the hardened network perimeter and client system, and examines exploitability within the context of the one open door: the web browser. BeEF will hook one or more web browsers and use them as beachheads for launching directed command modules and further attacks against the system from within the browser context.

Step 1 :

To download the latest version of BeEF to the current directory.

sudo -sH
cd /opt
apt-get install git
git clone git://github.com/beefproject/beef.git

Step 2 :

To install BeEF and her related packages.

cd beef

sudo apt-get install ruby1.9.1-dev libsqlite3-dev sqlite3 sqlite3-doc build-essential

sudo gem install bundler

sudo bundle install

Step 3 :

To run it.

sudo -sH
cd /opt/beef

./beef

Then point the Firefox to hxxp://[your IP address]:3000/ui/panel

Step 4 :

To update it.

sudo -sH
cd /opt/beef

./update-beef

Remarks :

If you also installed Metasploit, you can integrate Metasploit to BeEF to perform attacks, such as browsers autopwn.

Credit: Samiux

Exploit Research and Development Course

I.C.F is proud to announce of the new official Exploit’s Research and Development course as part of the cyber warfare intelligence program. The workshop is the first out of a total of three courses all from the cyber warfare intelligence program.

About the workshop

Exploit’s Research and Development is the field of finding security vulnerabilities in software, while writing programs and tools to exploit them. This field is very interesting yet requires a lot of technical background and knowledge as a baseline in order to go in depth into.

In this workshop:

  •  We will start from the very basics and learn assembly language programming in order to prepare you for the task ahead.
  • We will learn how to exploit different vulnerabilities and bypass various security mechanisms such as DEP and ASLR.
  • We will conclude by looking at how to integrate our exploit code with frameworks such as Metasploit.

Location: Herzelia, Israel.

For additional information, please contact via email: icf@frogteam.co.il

Download Syllabus