1. ExtraBacon's Sploit Framework
Or: How to break the Ruby Bonds of Metasploit
By: Daniel Reilly (Oni)
https://github.com/dreilly369
https://the-it-ninja.blogspot.com/
https://www.linkedin.com/in/daniel-reilly-58b28171
2. Disclaimer
● This is my own work, not endorsed, supported, or generally approved of, by good people.
● I don't encourage malicious attacks.
● I do encourage offensive security and
asymmetric layered defense
3. Where'd this come from?
● ShadowBrokers announces their supposed Equation Group tool dump and teaser files.
● Cisco confirms EXBA is effective against several versions of ASA *
● Researchers report porting the exploit to newer ASA versions *
● Gov't (sort of) acknowledges tools by charging Harold T. Martin III *
● I decide to fork the core Sploit code and port one of my favorite configuration exploits (PostgreSQL lo_creat()) as a PoC
4. Let me be clear
● I love Metasploit...but -
– You don't always need a tank.
– I am not a fan of Ruby.
– Custom Tools F.T.W.
– Sploits can run from much smaller devices.
● Possibly IoT small (currently a hypothesis)
5. Workflow of a MSF Exploit
● Make sure Postgres is configured/running
● Start MSFConsole or Armitage
● db_nmap the target subnet
● Run some favorite exploit/payload combos
based on services discovered
● If you're fancy you export all of these
commands to a resource script
6. Sploit's place in the world
● Sploit is for turning an exploit into a tool.
● Metasploit is for when you have a target and need to find
an exploit. Sploit is the opposite.
● Normal flow might be:
– Find an exploitable flaw (or borrow one like I have)
– Write Exploit by extending the Sploit class
– Convert exploit script to command line tool using distutils
● Py2exe-compile a Windows executable? Sure, why not.
– Distribute tool to minions.
– Minions hack the Gibsons
7. What is a Sploit?
● Sploit is a Python class for flexible exploit delivery. By default it was
designed to deliver custom SNMP packets to firewalls. But why stop
there?
● extrabacon_1.1.0.1.py can be thought of as similar to an MSF resource script...on steroids. It handles fingerprinting, version selection, exploit running, post-exploit cleanup, etc. It extends the Sploit class with exploit-specific functionality.
● Zen of Sploit Development: “Define exploit workflow as subcommands”.
These in turn define the actions available for each step.
10. Types of Subcommands
● Information Subcommands
– Generate data about systems. In my example, the “seek” and “dict” subcommands, plus the crypto key management subcommands.
● Action Subcommands
– Attempt to change the state of the target in some way. In my
example the “destroy” Subcommand
● Shortcut Subcommands
– Combine two or more Subcommand ideas into one command.
In my example I combine all three exploit steps into one
command “seek-and-destroy”
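The three subcommand kinds above, as an added example that is not code from the ExtraBacon release or from this deck: a minimal Sploit-style base class that registers argparse subcommands tagged as information, action or shortcut, and a hypothetical subclass whose shortcut chains an information step into an action step. The class and subcommand names (`seek`, `mark`, `seek-and-mark`) and the `Version 8.4(4)` banner format are assumptions made for the example; the action only changes the tool's own state.

```python
"""Exploit workflow as subcommands: a Sploit-style base class that registers
argparse subcommands tagged by kind (information, action, shortcut).
Added example; names and the banner format are assumptions, not code from
the ExtraBacon release."""
import argparse
import re
from typing import Callable, Dict, List, Optional

Handler = Callable[[argparse.Namespace], dict]


class Sploit:
    """Base class: subclasses register handlers; the framework builds the CLI."""

    KINDS = ("information", "action", "shortcut")

    def __init__(self) -> None:
        self.parser = argparse.ArgumentParser(prog=type(self).__name__.lower())
        self.sub = self.parser.add_subparsers(dest="cmd", required=True)
        self.handlers: Dict[str, Handler] = {}
        self.kinds: Dict[str, str] = {}
        self.state: Dict[str, object] = {}  # the tool's own state, nothing remote

    def subcommand(self, name: str, kind: str,
                   options: Optional[Dict[str, dict]] = None):
        """Decorator registering `fn` as subcommand `name` of the given kind.
        `options` maps a flag name to add_argument() keyword arguments."""
        if kind not in self.KINDS:
            raise ValueError(f"unknown subcommand kind: {kind!r}")

        def wrap(fn: Handler) -> Handler:
            sub = self.sub.add_parser(name, help=fn.__doc__)
            for flag, kwargs in (options or {}).items():
                sub.add_argument(flag, **kwargs)
            self.handlers[name] = fn
            self.kinds[name] = kind
            return fn
        return wrap

    def run(self, argv: List[str]) -> dict:
        """Parse argv and dispatch to the matching handler."""
        ns = self.parser.parse_args(argv)
        return self.handlers[ns.cmd](ns)


def parse_banner_version(banner: str) -> Optional[str]:
    """Pull 'major.minor.patch' out of a 'Version 8.4(4)'-style banner
    (constructed format); None when no version is present."""
    m = re.search(r"Version\s+(\d+)\.(\d+)\((\d+)\)", banner)
    return ".".join(m.groups()) if m else None


class DemoTool(Sploit):
    """Hypothetical subclass with one subcommand of each kind."""

    def __init__(self) -> None:
        super().__init__()

        @self.subcommand("seek", "information", {"--banner": {"required": True}})
        def seek(ns: argparse.Namespace) -> dict:
            """Information: derive the target version from a banner string."""
            return {"version": parse_banner_version(ns.banner)}

        @self.subcommand("mark", "action", {"--version": {"required": True}})
        def mark(ns: argparse.Namespace) -> dict:
            """Action: record the chosen version in the tool's state."""
            self.state["selected"] = ns.version
            return {"selected": ns.version}

        @self.subcommand("seek-and-mark", "shortcut", {"--banner": {"required": True}})
        def seek_and_mark(ns: argparse.Namespace) -> dict:
            """Shortcut: run the information step, then the action step."""
            version = seek(ns)["version"]
            if version is None:
                return {"version": None, "selected": None}  # nothing to act on
            return {"version": version, **mark(argparse.Namespace(version=version))}


if __name__ == "__main__":
    tool = DemoTool()
    print(tool.run(["seek-and-mark", "--banner", "Cisco ASA Version 8.4(4)"]))
```

Because every step is a registered handler with a kind label, a shortcut is just a handler that calls the others, and the tool can refuse to run an action when the preceding information step produced nothing.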
11. Versions
● The ExtraBacon release had ~17 different version files covering ASA versions between 8.0.1 and 8.4.4 (with the notable exception of 8.1.x)
● Version files hold the details about the modifications to the exploit needed for a specific version of the target app (NOP length, offsets, etc.)
● The version files could also be used to differentiate between OSes, architectures, payload choice, etc.
● Not all Sploits need multiple version files.
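How a tool might consume a set of version files, as an added example that is not from the ExtraBacon release: a constructed table of version records (with no 8.1.x entry, mirroring the slide), an exact-match selector that refuses to guess for unsupported versions, and helpers that report the nearest supported neighbours and the uncovered minor trains. The tuning fields are placeholder zeros and all function names are assumptions.

```python
"""Version-file selection for a Sploit-style tool.
Added example, not from the ExtraBacon release: the per-version tuning
fields are placeholder zeros, the version set is constructed (with no 8.1.x
file, as on the slide), and the function names are assumptions."""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# Stand-in for the directory of version files: one record per supported
# target version. Only the keys carry meaning here; the tuning values are
# placeholders, not real offsets.
VERSION_FILES: Dict[Version, dict] = {
    (8, 0, 1): {"os": "asa", "arch": "x86", "nop_len": 0, "offset": 0},
    (8, 2, 5): {"os": "asa", "arch": "x86", "nop_len": 0, "offset": 0},
    (8, 4, 4): {"os": "asa", "arch": "x86", "nop_len": 0, "offset": 0},
}


def parse_version(text: str) -> Version:
    """'8.4.4' or '8.4(4)' -> (8, 4, 4); raises on input without digits."""
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError(f"no version digits in {text!r}")
    return tuple(int(p) for p in parts)


def select_profile(version: Version, arch: str = "x86",
                   files: Dict[Version, dict] = VERSION_FILES) -> Optional[dict]:
    """Exact match only: a near-miss version must never silently pick up a
    neighbour's tuning, so anything unsupported returns None."""
    profile = files.get(version)
    if profile is None or profile["arch"] != arch:
        return None
    return profile


def nearest_supported(version: Version,
                      files: Dict[Version, dict] = VERSION_FILES
                      ) -> Tuple[Optional[Version], Optional[Version]]:
    """Closest supported version below and above an unsupported one, so that
    whoever ports to a new release knows which file to start from."""
    below = [v for v in files if v < version]
    above = [v for v in files if v > version]
    return (max(below) if below else None, min(above) if above else None)


def minor_gaps(files: Dict[Version, dict] = VERSION_FILES) -> List[Tuple[int, int]]:
    """major.minor trains between the lowest and highest file that have no
    file at all. Assumes all files share one major version (true for the
    constructed set, and for the 8.0 to 8.4 range on the slide)."""
    minors = sorted({v[:2] for v in files})
    major = minors[0][0]
    return [(major, m) for m in range(minors[0][1], minors[-1][1] + 1)
            if (major, m) not in minors]


if __name__ == "__main__":
    v = parse_version("8.1(2)")
    print(select_profile(v), nearest_supported(v), minor_gaps())
```

The design point is the `None` on a miss: version-specific offsets are only valid for the build they were derived from, so the selector reports the gap instead of picking the nearest file.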
13. Veganowner
● Based on
msf/modules/exploits/multi/postgres/postgres_createlang.rb
● Uses C instead of scripting
● Writes a pseudo-randomly named malicious DLL, containing a reverse_tcp shell, to the system.
● Credit and thanks for the original exploit module go to:
– Micheal Cottingham (author of the module)
– midnitesnake (the postgres_payload module that it is based on)
– Nixawk (improvements to the module)
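The defender's side of the technique described on this slide, as an added detection example that is not part of the deck or of Veganowner: a scan over PostgreSQL statement logs for the sequence the module relies on, a large-object write (`lo_creat`, `lo_export` and friends) followed in the same backend by `CREATE FUNCTION ... LANGUAGE C` pointing at a library outside `$libdir`, plus any new procedural language (the createlang case). It assumes `log_statement = 'all'` and the default `log_line_prefix` of `'%m [%p] '`; the log lines, pids, file path and function names are constructed placeholders.

```python
"""Spot the postgres_createlang / lo_creat()-style pattern in PostgreSQL logs.
Added detection example, not part of the deck or the Veganowner tool.
Assumes log_statement = 'all' and the default log_line_prefix '%m [%p] '.
The log lines below are constructed; the library path and function names
are placeholders."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

SAMPLE_LOG = """\
2024-03-01 10:15:02.123 UTC [4021] LOG:  statement: SELECT lo_creat(-1)
2024-03-01 10:15:02.300 UTC [4021] LOG:  statement: SELECT lo_export(16401, '/tmp/PLACEHOLDER.so')
2024-03-01 10:15:02.900 UTC [4021] LOG:  statement: CREATE FUNCTION f_placeholder() RETURNS void AS '/tmp/PLACEHOLDER.so', 'f_placeholder' LANGUAGE C STRICT
2024-03-01 10:15:03.000 UTC [4021] LOG:  statement: SELECT f_placeholder()
2024-03-01 10:16:10.000 UTC [4022] LOG:  statement: SELECT count(*) FROM orders
2024-03-01 10:17:45.000 UTC [4023] LOG:  statement: CREATE FUNCTION pg_stat_statements_reset() RETURNS void AS '$libdir/pg_stat_statements', 'pg_stat_statements_reset' LANGUAGE C
2024-03-01 10:18:00.000 UTC [4024] LOG:  statement: CREATE LANGUAGE plpythonu
"""

# '%m [%p] ' prefix: timestamp with zone, then the backend pid in brackets.
LINE = re.compile(r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] LOG:\s+statement: (?P<sql>.*)$")
# Server-side large-object calls that can stage a file on the DB host.
LO_WRITE = re.compile(r"\b(lo_creat|lo_create|lo_from_bytea|lo_export|lo_import|lowrite)\s*\(", re.I)
# CREATE FUNCTION ... AS '<library>', '<symbol>' LANGUAGE C
C_FUNC = re.compile(r"CREATE\s+(?:OR\s+REPLACE\s+)?FUNCTION\b.*?\bAS\s+'([^']+)'.*?\bLANGUAGE\s+C\b",
                    re.I | re.S)
NEW_LANG = re.compile(r"CREATE\s+(?:OR\s+REPLACE\s+)?(?:TRUSTED\s+)?(?:PROCEDURAL\s+)?LANGUAGE\s+(\w+)",
                      re.I)

Finding = Tuple[str, str]  # (tag, detail)


def analyze(log_text: str) -> Dict[str, List[Finding]]:
    """Tag each backend (by pid) with the suspicious statements it ran.
    Backends with nothing suspicious do not appear in the result."""
    findings: Dict[str, List[Finding]] = defaultdict(list)
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        pid, sql = m["pid"], m["sql"]
        lo = LO_WRITE.search(sql)
        if lo:
            findings[pid].append(("large_object_write", lo.group(1)))
        cf = C_FUNC.search(sql)
        if cf and not cf.group(1).startswith("$libdir"):
            findings[pid].append(("c_function_outside_libdir", cf.group(1)))
        nl = NEW_LANG.search(sql)
        if nl:
            findings[pid].append(("new_procedural_language", nl.group(1)))
    return dict(findings)


def sessions_of_concern(log_text: str) -> List[str]:
    """Backends that both staged a file via large objects and loaded a C
    function from outside $libdir, or that created a procedural language.
    A lone $libdir load by an administrator is left alone."""
    out = []
    for pid, tags in sorted(analyze(log_text).items()):
        kinds = {tag for tag, _ in tags}
        if ({"large_object_write", "c_function_outside_libdir"} <= kinds
                or "new_procedural_language" in kinds):
            out.append(pid)
    return out


if __name__ == "__main__":
    for pid in sessions_of_concern(SAMPLE_LOG):
        print(pid, analyze(SAMPLE_LOG)[pid])
```

Correlating on the backend pid is what keeps the noise down: a legitimate extension install also runs `CREATE FUNCTION ... LANGUAGE C`, but from `$libdir` and without first writing the library through the large-object API.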
23. Sockets & Spoofing
● Original EXBA Exploit can use Scapy to manually
construct TCP packets with Spoofed src info
● PostgreSQL uses TCP 5432
● Conclusion: IP white-listing/black-listing is not a
sufficient defense.
– TCP traffic NEEDS IPSec and/or a separate VPN/C.
– Check out Karyn Benson's research on Internet
Background Radiation (IBR)
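The conclusion above, that a source-address list is not a sufficient control on its own, as an added audit example that is not part of the deck: a parser for `pg_hba.conf` rules and a checker that flags TCP rules where the address is the only control (`trust`), where credentials travel in the clear (`password`, or a `host` rule without `hostssl`), where the rule matches every source, and where TLS is server-only rather than mutual (`hostssl` without `clientcert=`). The configuration is constructed and the severity labels are my own; `hostssl`, `clientcert=verify-full` and the method names are real PostgreSQL syntax.

```python
"""pg_hba.conf audit: flag rules where access rests on the source address
alone or where credentials travel without TLS. Added example, not from the
deck; the config below is constructed and the severity labels are my own."""
import ipaddress
from typing import List, Optional, Tuple

METHODS = {"trust", "reject", "scram-sha-256", "md5", "password", "gss", "sspi",
           "ident", "peer", "ldap", "radius", "cert", "pam", "bsd"}
TCP_TYPES = {"host", "hostssl", "hostnossl", "hostgssenc", "hostnogssenc"}

CONSTRUCTED_HBA = """\
# constructed pg_hba.conf, not from any real deployment
local   all  all                             peer
host    all  all  127.0.0.1/32               scram-sha-256
host    all  all  10.0.0.0/8                 trust
host    all  all  0.0.0.0/0                  md5
hostssl all  all  10.0.0.0/8                 scram-sha-256 clientcert=verify-full
hostssl all  all  192.168.0.0/16             scram-sha-256
host    all  all  172.16.0.0 255.240.0.0     password
"""

Finding = Tuple[int, str, str, str]  # (line, severity, tag, detail)


def parse_hba(text: str) -> List[dict]:
    """Parse TYPE DATABASE USER [ADDRESS [MASK]] METHOD [OPTIONS...] lines."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "local":
            if len(parts) < 4:
                raise ValueError(f"line {lineno}: too few fields")
            typ, db, user, addr, rest = parts[0], parts[1], parts[2], None, parts[3:]
        else:
            if len(parts) < 5:
                raise ValueError(f"line {lineno}: too few fields")
            typ, db, user, addr = parts[:4]
            rest = parts[4:]
            if len(rest) >= 2 and rest[0] not in METHODS:  # separate "addr mask" form
                addr, rest = f"{addr}/{rest[0]}", rest[1:]
        rules.append({"line": lineno, "type": typ, "db": db, "user": user,
                      "address": addr, "method": rest[0], "options": rest[1:]})
    return rules


def _network(addr: Optional[str]):
    """CIDR or addr/mask -> ip_network; None for 'all', 'samenet', hostnames."""
    try:
        return ipaddress.ip_network(addr, strict=False)
    except ValueError:
        return None


def check_hba(text: str) -> List[Finding]:
    findings: List[Finding] = []
    for r in parse_hba(text):
        ln, typ, method, addr = r["line"], r["type"], r["method"], r["address"]
        if typ not in TCP_TYPES:
            continue  # Unix-socket rules are outside this check
        net = _network(addr)
        if method == "trust":
            findings.append((ln, "HIGH", "trust",
                             f"{addr}: no credentials; source address is the only control"))
        if method == "password":
            findings.append((ln, "HIGH", "cleartext_password",
                             f"{addr}: password sent in the clear"))
        if addr == "all" or (net is not None and net.prefixlen == 0):
            findings.append((ln, "MEDIUM", "any_address", f"{addr}: rule matches every source"))
        loopback = net is not None and net.is_loopback
        if typ in ("host", "hostnossl") and not loopback:
            findings.append((ln, "MEDIUM", "no_tls",
                             f"{addr}: TCP rule without hostssl; needs TLS, IPsec or a VPN"))
        if typ == "hostssl" and method != "cert" and \
                not any(o.startswith("clientcert=") for o in r["options"]):
            findings.append((ln, "LOW", "no_client_cert",
                             f"{addr}: server-only TLS; add clientcert=verify-full for mutual auth"))
    return findings


if __name__ == "__main__":
    for ln, sev, tag, detail in check_hba(CONSTRUCTED_HBA):
        print(f"line {ln} [{sev}] {tag}: {detail}")
```

The rule on line 6 of the constructed file is the shape the slide argues for: the address list still narrows exposure, but the connection is also encrypted and both ends authenticate, so a spoofed or borrowed source address on its own buys nothing.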