This article can also be found in the Premium Editorial Download "Information Security magazine: With SSL VPNs on the offense, will IPSec VPNs eventually be benched?."
Exploit frameworks are the machine guns of automated attacks. Don't get caught on the wrong end of the barrel.
The time between discovery of a vulnerability and the appearance of its exploit in the wild is shrinking from months to weeks to days. Soon, it could be a matter of hours.
The reason: frameworks that make exploits alarmingly easy to create and launch.
Sploits, street lingo for exploits, were once painstakingly difficult to create. Attackers would have to manually craft their scripts to exploit a buffer-overflow vulnerability or format-string flaw, manipulate a machine's memory locations, load their machine language code, and calculate the offsets needed to make the target box execute the code. It was a tedious process that gave software vendors the time to develop patches and workarounds, and enterprises the time to apply fixes. Sloppy coding often produced bug-ridden sploits that were unable to take full advantage of their target's vulnerability.
No more. High-quality sploits are much easier to create with the maturation of exploit frameworks (also known as automated penetration-testing tools) that simplify the crafting of exploits and trivialize launching an attack. They're assembly lines for the mass production of exploits, providing a consistent environment for developing, packaging and using exploits.
This is both good and bad news. Exploit frameworks give security pros a powerful, flexible tool for conducting
Workings of Frameworks
Exploit frameworks are the core of automated penetration-testing tools; the best of these are Core Security Technologies' CORE IMPACT, Immunity's CANVAS, and the rapidly maturing open-source Metasploit Framework. Each holds a collection of exploits for common vulnerability classes, buffer overflows among them, and a separate set of payloads. The exploit code triggers the vulnerability on the target machine with one goal: getting the attacker's chosen payload to execute.
In Metasploit and CANVAS, some payloads open a command-shell listener on a network port and simply wait for the attacker to connect and get a command prompt (a bind shell); others connect back out to the attacker instead, which gets through firewalls that block inbound connections. Still other payloads give the attacker direct control of the victim machine's GUI by surreptitiously installing a remote-control tool, such as VNC. CORE IMPACT includes a generic agent payload that can seamlessly run the attacker's programs on the target machine.
The magic of these frameworks is the collection of exploits and payloads under a unified, object-oriented management console (see "Making a Sploit," above). Users with no software development skills can create a series of automated attacks by selecting options from the menu. The exploit framework's user interface makes it trivial to select an exploit and apply a payload to run on a target system.
Unlike handcrafted scripts, sploits written in an exploit framework are built from interchangeable modules designed by skilled engineers who refined their code for reliability. Beyond using canned exploits, developers can use the built-in modules to craft new exploits and attach existing payloads quickly. This is part of what is closing the window between the discovery of a vulnerability and the appearance of its exploit in the wild. Some researchers are working to further automate the reverse engineering of security patches, so that an exploit module could be produced within hours, or even minutes, of a patch's release.
The frameworks also feature a collection of tools that help create exploits and payloads. Some of these tools review potentially vulnerable programs to find buffer overflows and related flaws. A vulnerability researcher can use them to search an executable and locate function calls and returns, the areas where coding mistakes could create flaws. Other tools help to identify the size and location of the memory regions in a vulnerable program that will hold and run the exploit and payload, so the developer can make sure everything fits and set up the crucial payload triggers. Some tools include code samples that inject a payload into the target's memory in a consistent fashion across different operating systems and builds. Still others encode the attack code to evade IDS/IPS signatures and to avoid the bytes that input scrubbers in the target program would reject or mangle.
The real power of these tools is that an exploit or payload built within the framework can be used interchangeably with any other: a payload written once works with every exploit able to deliver it. A developer coding in Perl (for Metasploit, which was later rewritten in Ruby from version 3.0 onward) or Python (for CORE IMPACT and CANVAS) can write and publish a new module, giving thousands of exploit framework users a building block for their own attacks.
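As an added example that is not from the article, and not code from Metasploit, CANVAS or CORE IMPACT, the following Python skeleton shows the two mechanisms the preceding paragraphs describe: the offset-finding helper tool (a cyclic pattern, plus the lookup from the value that lands in the saved return address back to its position in the buffer), and the exploit/payload split, in which an exploit module carries what is known about the target's memory layout, a payload module renders interchangeable bytes from its options, and the framework refuses to assemble anything that would not fit or that the target's input handling would mangle. The target profile, trampoline address, crash value and payload bodies are constructed for illustration; the payload bodies are labelled placeholders, not shellcode.

```python
# Added example: skeleton of an exploit framework (constructed; not code from
# the article or from Metasploit, CANVAS or CORE IMPACT). Every target, address,
# crash value and payload body below is made up for illustration.
import string
import struct
from dataclasses import dataclass, replace

PATTERN_MAX = 26 * 26 * 10 * 3  # 20280 bytes before the triplet sequence repeats


def pattern_create(length: int) -> bytes:
    """Cyclic pattern in the Aa0Aa1...Zz9 scheme used by Metasploit's pattern_create.
    Every 3-byte window is unique, so any 4 bytes that overwrite the saved return
    address pinpoint where in the buffer they came from."""
    if length > PATTERN_MAX:
        raise ValueError(f"pattern longer than {PATTERN_MAX} bytes would repeat")
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += (upper + lower + digit).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out)


def pattern_offset(eip: int, length: int = PATTERN_MAX) -> int:
    """Offset of the 4 pattern bytes that produced the 32-bit value seen in EIP.
    The debugger reports an integer, so it is packed little-endian (x86) before
    searching the pattern."""
    idx = pattern_create(length).find(struct.pack("<I", eip))
    if idx < 0:
        raise ValueError(f"{eip:#010x} does not occur in the pattern")
    return idx


@dataclass
class Target:
    """What the exploit module knows about one vulnerable build."""
    name: str
    offset: int       # bytes from buffer start to the saved return address
    ret_addr: int     # 'jmp esp'-style trampoline that lands on the payload
    space: int        # bytes of stack available after the return address
    bad_chars: bytes  # bytes the target's input handling would truncate or alter


class Payload:
    """Base class: every payload renders to bytes from its options."""
    name = "generic"

    def generate(self, **opts) -> bytes:
        raise NotImplementedError


class BindShell(Payload):
    """Listens on LPORT and serves a shell to whoever connects. The body is a
    constructed placeholder standing in for shellcode; the network-order port is
    patched in the way a real framework patches options into its payloads."""
    name = "bind_tcp"

    def generate(self, lport: int = 4444, **_) -> bytes:
        return b"\x90" * 8 + b"<bind-shell body>" + struct.pack(">H", lport)


class ReverseShell(Payload):
    """Connects back to LHOST:LPORT instead of listening, for targets whose
    firewall blocks inbound connections. Placeholder body, as above."""
    name = "reverse_tcp"

    def generate(self, lhost: str = "192.168.1.20", lport: int = 4444, **_) -> bytes:
        ip = bytes(int(octet) for octet in lhost.split("."))
        return b"\x90" * 8 + b"<reverse-shell body>" + ip + struct.pack(">H", lport)


def preflight(target: Target, payload: Payload, **opts) -> list:
    """Checks run before launch: does the payload fit in the space after the
    return address, and would any byte of the address or payload be mangled by
    the target (a NUL ending a strcpy, CR/LF ending a line-based protocol)?"""
    body = payload.generate(**opts)
    problems = []
    if len(body) > target.space:
        problems.append(f"{payload.name}: {len(body)} bytes, only {target.space} available")
    ret = struct.pack("<I", target.ret_addr)
    for label, blob in (("return address", ret), (payload.name, body)):
        hit = sorted({f"{b:#04x}" for b in blob if b in target.bad_chars})
        if hit:
            problems.append(f"{label} contains bad chars {hit}; choose another or encode it")
    return problems


def build_exploit(target: Target, payload: Payload, **opts) -> bytes:
    """Buffer layout: padding up to the saved return address | trampoline | payload."""
    problems = preflight(target, payload, **opts)
    if problems:
        raise ValueError("; ".join(problems))
    return b"A" * target.offset + struct.pack("<I", target.ret_addr) + payload.generate(**opts)


# Constructed target profile: the trampoline is a made-up 'jmp esp' address, 400
# bytes of stack remain after it, and NUL/CR/LF would cut the vulnerable copy short.
EXAMPLE_TARGET = Target("example daemon 1.0 (constructed)", offset=140,
                        ret_addr=0x5F4A358F, space=400, bad_chars=b"\x00\x0a\x0d")


def demo() -> bytes:
    # Step 1: the target crashed on pattern_create(1000) with EIP = 0x37654136
    # (constructed crash value); the helper turns that into the offset, 140.
    target = replace(EXAMPLE_TARGET, offset=pattern_offset(0x37654136))
    # Step 2: the same exploit takes either payload; options are wired in as bytes.
    return build_exploit(target, BindShell(), lport=4444)


if __name__ == "__main__":
    buf = demo()
    print(len(buf), "bytes; ret =", buf[140:144].hex(), "; payload tail =", buf[-2:].hex())
    # A port whose network-order encoding contains a NUL is refused, not launched.
    print(preflight(EXAMPLE_TARGET, BindShell(), lport=4096))
```

The bad-character check is where beginners get burned: port 4096 encodes as 0x10 0x00, and a NUL inside a strcpy-driven overflow silently truncates the payload, so the framework rejects the launch and tells the operator to pick another port or run the payload through an encoder, which is what the encoders described above exist for.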
This was first published in May 2005