Published: 30 May 2005
Exploit frameworks are the machine guns of automated attacks. Don't get caught on the wrong end of the barrel.
The time between discovery of a vulnerability and the appearance of its exploit in the wild is shrinking from months to weeks to days. Soon, it could be a matter of hours.
The reason: frameworks that make exploits alarmingly easy to create and launch.
Sploits, street lingo for exploits, were once painstakingly difficult to create. Attackers would have to manually craft their scripts to exploit a buffer-overflow vulnerability or format-string flaw, manipulate a machine's memory locations, load their machine language code, and calculate the offsets needed to make the target box execute the code. It was a tedious process that gave software vendors the time to develop patches and workarounds, and enterprises the time to apply fixes. Sloppy coding often produced bug-ridden sploits that were unable to take full advantage of their target's vulnerability.
No more. High-quality sploits are much easier to create with the maturation of exploit frameworks (also known as automated penetration-testing tools) that simplify the crafting of exploits and trivialize launching an attack. They're assembly lines for the mass production of exploits, providing a consistent environment for developing, packaging and using exploits.
This is both good and bad news. Exploit frameworks give security pros a powerful, flexible tool for conducting deep and accurate penetration tests. But, in the wrong hands, these tools give attackers the equivalent of a machine gun where they once had a slingshot.
Workings of Frameworks
Exploit frameworks are a fundamental component of automated penetration-testing tools; the best of these are Core Security Technologies' CORE IMPACT and Immunity's CANVAS, and the rapidly maturing open-source Metasploit Framework. Each holds a collection of common exploits, including buffer-overflow attacks, and a set of payloads. The exploit code manipulates a vulnerability on the target machine, with the goal of executing the attacking software's payload of choice.
In Metasploit and CANVAS, some payloads create a command-shell listener on a network port and simply wait for the attacker to connect and get a command prompt. Other payloads give the attacker direct control of the victim machine's GUI by surreptitiously installing a remote-control tool, such as VNC. CORE IMPACT includes a generic agent payload that can seamlessly run the attacker's programs on the target machine.
The magic of these frameworks is the collection of exploits and payloads under a unified, object-oriented management console (see "Making a Sploit," above). Users with no software development skills can create a series of automated attacks by selecting options from the menu. The exploit framework's user interface makes it trivial to select an exploit and apply a payload to run on a target system.
Unlike handcrafted scripts, the sploits written in an exploit framework are built with interchangeable modules designed by skilled engineers who carefully refined their code to ensure reliability. Beyond using canned exploits, developers can use built-in modules to craft exploits and apply existing payloads quickly. This is part of what's closing the window between the discovery of a vulnerability and the appearance of its exploit in the wild. Some researchers are working to further automate the reverse engineering of security patches to create exploit modules within a matter of hours--or minutes--after a patch is released.
The frameworks also feature a collection of tools that help create exploits and payloads. Some of these tools review potentially vulnerable programs to find buffer-overflows and related flaws. A vulnerability researcher can use these tools to search an executable and locate function calls and returns--areas where coding mistakes could create flaws. Other tools help to identify the size and location of memory regions in a vulnerable program that will hold and run the exploit and payload, so the developer can make sure everything fits and set up crucial payload triggers. Some tools include code samples to inject a payload into the target's memory in a consistent fashion across different operating systems and builds. Still others mask attack code from IDS/IPS detection and user input scrubbers in the target program.
The real power of these tools is that, if a developer builds an exploit or payload within the framework, the payload can be used interchangeably with other exploits. A developer coding in Perl (for Metasploit) or Python (for CORE IMPACT and CANVAS) can write and publish a new module, giving thousands of exploit framework users a building block for their own attacks.
Exploit frameworks are the stuff of script-kiddies' dreams. It's trivially easy to use Metasploit, which includes three UIs: a command-line tool for scripting, a console prompt with specialized keywords as simple as "use [exploit]" and "set [payload]," and a point-and-click browser-based interface. Once the exploit and payload are assembled, the user executes the "exploit" command, launching the attack against a target.
CORE IMPACT's interface is even simpler to use; it shows a bird's-eye view of all penetrated machines on the network and the level of control the attacker has gained. The attacker merely needs to learn a single exploit framework's interface to choose, configure and launch exploits.
The attacker starts with a reconnaissance scan of the target. CORE IMPACT and CANVAS include built-in vulnerability and port scanners, while Metasploit users rely on third-party tools, such as the free Nessus or a commercial application such as Tenable Network Security's NeWT or Internet Security Systems' Internet Scanner. The attacker then runs the framework to launch an attack against vulnerabilities on the target machine.
The reconnaissance scanning and actual attack buy time for the IDS/IPS tools to detect the invasion. Although exploit frameworks increasingly include IDS and IPS evasion tactics, most attacks can still be spotted by up-to-date signatures. Nonetheless, these kinds of exploit tools make it more urgent than ever to harden and patch systems.
Sploits for the Good Guys
Exploit frameworks may aid the bad guys, but they also help security pros test their systems and harden their infrastructure.
Traditional scanners merely show whether a vulnerability might be present by checking version numbers and the behavior of a target machine. Exploit frameworks go further by actually attempting to exploit the vulnerability. Security managers can get a better picture of the holes in their network and the risks they face based on the difficulty of exploiting vulnerabilities.
Ideally, a security manager should use a vulnerability scanner and exploit framework in concert. The assessment team first runs a vulnerability scan and generates a report. For each identified vulnerability, the team employs an exploit framework to verify the flaw. Verification reduces false positives.
While this high degree of certainty is invaluable, some framework exploits can cause a target system or service to crash. Users need to exercise caution when running such tools and make sure the operations team is on standby to restart a service or reboot a system if things go awry.
Exploit frameworks can also help check IDS and IPS tools' functionality. When an IDS or IPS seems especially quiet, security managers often worry that their sensors are dead, misconfigured or simply inaccessible. Compounding the concern, enterprises may soon face attacks that disable IDS/IPS detection functionality while putting the system in an endless loop, making it appear to be just fine.
To make sure your IDS/IPS tools are running properly, consider using an exploit framework to fire sploits at them on a periodic basis. Admittedly, a traditional vulnerability scanner would tell you if a sensor is functional, but it would also trigger an avalanche of alerts. A single sploit will tell you if your detector is still running properly without driving your analysis team batty.
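The periodic sensor check described above, as an added example that is not from the article or from any of the frameworks it names: it reads Snort-style "fast" alert lines (constructed here) and reports any scheduled test firing that produced no matching alert within a short window, which is the "quiet sensor" condition the text warns about. The host addresses, times and the local rule SID 1000001 are assumed placeholders.

```python
"""IDS/IPS liveness check: confirm that each scheduled test firing produced the
expected alert. Added example, not code from the article or from any framework.
Alert lines are constructed in Snort "fast" format; hosts, times and the local
rule SID 1000001 are made-up placeholders."""
import re
from datetime import datetime, timedelta

# Constructed sample: the canary shot was fired at 02:00 and 03:00 and was seen;
# nothing at all was logged around the 04:00 firing.
ALERT_LOG = """\
05/30-02:00:07.113245  [**] [1:1000001:1] LOCAL canary exploit attempt [**] [Priority: 1] {TCP} 10.0.0.5:40123 -> 10.0.0.20:135
05/30-02:00:09.004411  [**] [1:1000002:1] LOCAL unrelated probe [**] [Priority: 2] {TCP} 10.0.0.5:40124 -> 10.0.0.21:161
05/30-03:00:02.551200  [**] [1:1000001:1] LOCAL canary exploit attempt [**] [Priority: 1] {TCP} 10.0.0.5:40125 -> 10.0.0.20:135
"""

FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):\d+\]"
    r"\s+(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)

def parse_fast_alerts(text, year):
    """Yield (timestamp, 'gid:sid', destination_ip) for each well-formed fast-format
    line. Snort fast logs omit the year, so the caller supplies it."""
    for line in text.splitlines():
        m = FAST_RE.match(line)
        if not m:
            continue  # not an alert line; skip it rather than fail the whole check
        ts = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
        yield ts, f"{m['gid']}:{m['sid']}", m["dst"].rsplit(":", 1)[0]

def missed_firings(alerts, schedule, window=timedelta(seconds=60)):
    """Return the scheduled shots (fired_at, target, rule) for which the sensor
    produced no matching alert within `window` after the firing time."""
    alerts = list(alerts)
    missed = []
    for fired_at, target, rule in schedule:
        seen = any(rule == r and dst == target and fired_at <= ts <= fired_at + window
                   for ts, r, dst in alerts)
        if not seen:
            missed.append((fired_at, target, rule))
    return missed

# Constructed schedule: one canary shot per hour from the test box at 10.0.0.5.
SCHEDULE = [(datetime(2005, 5, 30, h, 0, 0), "10.0.0.20", "1:1000001") for h in (2, 3, 4)]

if __name__ == "__main__":
    for fired_at, target, rule in missed_firings(parse_fast_alerts(ALERT_LOG, 2005), SCHEDULE):
        print(f"SENSOR QUIET: no {rule} alert for {target} after the test at {fired_at:%H:%M}")
```

Because only the one canary rule is checked, a missed firing points at the sensor or its path to the log, not at an avalanche of unrelated alerts.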
One of the most common and obvious ways to use exploit frameworks is to enhance in-house penetration testing by performing more comprehensive tests in less time. Using an exploit framework, you can create a more systematic, repeatable test process with specifically chosen sploits and payloads to achieve the goals of the test, such as grabbing a given file from a target machine or getting command-shell access.
In the pre-framework days, many pen testers relied on a hodgepodge of sploits developed and collected over the years, with varying quality and different payloads. With exploit frameworks' comprehensive and constantly updated sets of exploits and payloads, a pen tester can focus more on the overall orchestration of an attack and the analysis of the results rather than spending exorbitant amounts of time researching, reviewing and tweaking individual exploits. The frameworks also offer an excellent development environment for pen testers who devise their own exploit code and payloads.
Exploiting the Sploits
Although exploit frameworks can greatly enhance your pen test exercises, they can't completely automate them. An experienced hand still needs to plan the test, launch the various tools, correlate tool output, analyze the results and dive deeper into the targets.
However, exploit frameworks shouldn't be overlooked as a means for improving management's security awareness. Most security pros have to work hard to make sure management understands security risks by emphasizing the need for hardened systems, thorough patching and solid incident response plans. Management's eyes glaze over after hearing for the umpteenth time the importance of good security practices, yet a single sploit is often worth more than a thousand words.
To help make your case, set up a lab demo of an exploit framework. Build a naked machine that contains a simple text file, such as "Please don't steal this important file!" Pick a reliable exploit, such as the Windows RPC-DCOM attack, and then show management how easy it is to compromise the target and snag that file.
Exploit frameworks are revolutionizing the development, distribution and usage of computer exploit code. Yes, these frameworks are indeed nasty weapons in the hands of the bad guys, but security pros can leverage them as handy tools to improve their operations. These tools provide deeper security assessments and verification of detection capabilities, improved pen tests and solidified management awareness. Security managers would be wise to learn how to exploit these frameworks as well as, if not better than, their adversaries.