[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: The joys of impurity (was: MOSDEF, InlineEgg)

To: bugtraq@securityfocus.com
Subject: Re: The joys of impurity (was: MOSDEF, InlineEgg)
From: <dave@immunitysec.com>
Date: 7 Oct 2003 13:26:31 -0000

In-Reply-To: <20031006210520.GA3033@gmx.net>

Well, MOSDEF is fairly far along, but the C compiler is not quite done, so no, 
you can't compile nmap and send it over for execution. 

Of course, that's not even an intended application. MOSDEF doesn't attach stdin 
and stdout to anything in particular. All communication with the little 
shellcode stubs you send over is done via an included "sendbuffer, sendint, 
sendstring" API. This is so you can transparantly spawn two (or more) little 
shellcodes at once and not have them interleave their data over the socket as 
they send data back to you.

Most of a MOSDEF application is actually written in Python. Only loops and 
other sorts of small things are sent over for execution. This is because it 
makes sense to have high-level decision making done by a "decision making 
entity" with access to the larger picture. It's also non-optimal to break into 
a client's box in China and then have to send a meg of static binary across to 
it before you can do anything.

Another benefit of this design is that you won't have to collect staticly 
linked binaries that happen to work on every architecture you want to hack. 
MOSDEF is a lot like GCC and a sourceforge subscription in that regard.

Of course, impurity is working right now, for small things, and MOSDEF needs to 
get another 40 hours or so before [#include,while,for,if,struct] are done, so 
for the "where do you want to go today?" question impurity might be the right 
answer.

Dave Aitel
Immunity, Inc.
"Where do you want to go tomarrow?"

>Hi,
>I enclose the impurity-1.0 release. The README follows. I would like to hear
>some comparisons with MOSDEF and InlineEgg; can you guys implement nmap in
>your shellcode ;) ?
>peace,=20
>algo
>
>       Impurity-1.0
>       by Alexander E. Cuttergo <cuttergo@gmx.net>
>=09
>       Concept
>       Impurity is a set of scripts which make it easy to produce a
>shellcode ("first stage") which is able to download over the net an=20
>executable ELF file ("second stage") and execute it without writing it to
>the disk first. The first stage shellcode itself is almost constant (except=
>=20
>for one parameter, the executable length) and very short - 46 bytes. Using=
>=20
>this approach, one does not waste hours composing and debugging a complex=
>=20
>shellcode - just write a .c program, run impurity (which creates the second
>stage ELF binary) and you are all set.
>       Impurity is mostly useful when exploiting a daemon which runs
>chrooted and with dropped privileges; in such case one cannot simply execute
>/bin/sh. Compare it with MOSDEF and InlineEgg.
>       Currently impurity is implemented for Linux/i386 only; however,=20
>porting to other OS/architectures should be trivial, provided they use ELF=
>=20
>standard.
>

Prev by Date: Medieval Total War <= 1.1 broadcast crash
Next by Date: Adobe SVG Viewer Local and Remote File Reading (GM#003-MC)
Previous by thread: The joys of impurity (was: MOSDEF, InlineEgg)
Next by thread: Adobe SVG Viewer Active Scripting Bypass (GM#002-MC)
Index(es):
- Date
- Thread