July 25, 2011

Commercial Exploits: Capabilities

Posted in Exploits at 16:49 by Alex McGeorge

I’m in a rare position in that I get to see and use a lot of professionally written exploits as part of my job. Not all exploits are created equal; these are my thoughts on what traits a commercial exploit needs to have. Part one of at least two.


I expect a fair amount of the people who write their own exploits are going to look askance at my opinion. It’s hard to argue with 100 lines of self-written Python that let you topple a 2k8 server. Minimalism is a good thing; you don’t want to over-engineer your tool. But commercial exploits need to be more robust than what lives in your ~/secret/0days/ directory.

One of the realities of the commercial exploit game (from where I sit) is that you’re typically not selling to other people who love nothing more than kernel reversing. They exist but are atypical. When you sell a functional exploit, the less customization and configuration for your customer, the better. Otherwise they have to spend their time (money) on getting the bloody thing to work. It’s been my experience that most people who wield commercial exploits professionally (and legally) never look at the source. Here are some capabilities to consider:

Target Coverage: The exploit should work against the maximum number of OS, language [1] and vulnerable software version combinations with the minimum number of distinct payloads. When I go to use your exploit I want simple targeting. Example: The Windows version will work against WinXP -> Win7 without any additional configuration required. I recognize this isn’t always possible but it’s something to strive towards.

Modularity: Sometimes you worry about what your ‘signature on the wire’ is. If you complete a task in the same way enough times it starts looking familiar to observers. Have a favorite ROP chain that you haven’t seen anywhere else? Be careful of overuse. Using your IRC nickname to construct your padding? Probably a bad idea.

Easily swapping parts of the exploit in and out when possible is a nice feature to have. If you can get 9/10 with the pray-after-free technique it might make sense to have that as an option in addition to doing it The Right Way™. Further, being able to easily swap in callback techniques and automate post-exploit actions (like disabling AV) is also a significant boon.

Sometimes looking like the Chinese government works in your favor. This is applicable certainly if you’re trying to evade IDS (or to trigger it explicitly). If you’re playing big league ball not giving forensics teams a smoking gun, ‘X is the only person who exploits this bug this way’, is a concern.
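To make the ‘signature on the wire’ point concrete from the observer’s side, here is an added example (my own illustration, not code from the original post): it simulates a handful of captured samples of the same tool, built with either a constant nickname-style padding or freshly randomized padding, and then looks for the longest byte string that every sample shares. The sample bytes, the padding strings and the helper names are all constructed for this example. A stable padding block falls straight out as a signature candidate; randomized padding leaves nothing long enough to match on.

```python
import random

# Two padding strategies a modular tool might let the operator choose between.
# Both are constructed for this example; the fixed one mimics the
# "IRC nickname as padding" habit the post warns against.
def fixed_padding(n: int) -> bytes:
    """Padding built from a constant string: identical in every sample."""
    return (b"n1ckn4m3" * (n // 8 + 1))[:n]


def random_padding(n: int, rng: random.Random) -> bytes:
    """Padding drawn fresh from a PRNG: different in every sample."""
    return bytes(rng.getrandbits(8) for _ in range(n))


def capture_samples(strategy: str, count: int = 5, pad_len: int = 48, seed: int = 7) -> list:
    """Simulate `count` captures of the same tool on the wire.

    Each sample is random surrounding bytes (constructed stand-ins for the
    parts that legitimately vary between runs) around a padding block made
    with the chosen strategy. The seed makes the simulation repeatable.
    """
    rng = random.Random(seed)
    samples = []
    for _ in range(count):
        prefix = bytes(rng.getrandbits(8) for _ in range(rng.randint(4, 32)))
        suffix = bytes(rng.getrandbits(8) for _ in range(rng.randint(4, 32)))
        if strategy == "fixed":
            pad = fixed_padding(pad_len)
        elif strategy == "random":
            pad = random_padding(pad_len, rng)
        else:
            raise ValueError(f"unknown padding strategy: {strategy}")
        samples.append(prefix + pad + suffix)
    return samples


def common_marker(samples: list, min_len: int = 8) -> bytes:
    """Longest byte string present in every sample, or b'' if none reaches min_len.

    Candidates are cut from the shortest sample, longest first, so the first
    hit is the longest substring common to all of them. Cubic in the sample
    length, which is fine for payload-sized input; an observer with a real
    corpus would use a suffix structure instead.
    """
    if not samples:
        return b""
    base = min(samples, key=len)
    for length in range(len(base), min_len - 1, -1):
        for start in range(len(base) - length + 1):
            cand = base[start:start + length]
            if all(cand in s for s in samples):
                return cand
    return b""


def main() -> None:
    for strategy in ("fixed", "random"):
        marker = common_marker(capture_samples(strategy))
        verdict = f"signature candidate {marker!r}" if marker else "no stable signature"
        print(f"{strategy:6s} padding: {verdict}")


if __name__ == "__main__":
    main()
```

Running it prints a signature candidate for the fixed strategy (the repeated nickname block) and no stable signature for the randomized one. The `min_len` threshold is what separates a usable marker from coincidental short overlaps; raise it if the surrounding bytes in your samples share legitimate structure.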

Documentation: This has enough meat for a whole separate post. SPOILER: It’s important.

Integration into a Framework: Again enough meat for another post, I’m trying to focus on what’s in the actual exploit executable (or script) rather than capabilities of a framework.

This post brought to you by: Mos Def and Diverse – Wylin’ Out (Kutmasta Kurt rmx)

[1] Explanation of MS11-056, only able to be triggered on Chinese-Japanese-Korean Windows http://j00ru.vexillium.org/?p=932
