Chapter 9. Exploitation Framework Applications

Exploit frameworks were first developed with the main objective of facilitating the task of exploit writing, which normally requires a range of diverse skills. A good working exploit requires many steps and laborious work to properly craft from scratch. Exploit frameworks were developed to remove much of the hard work.

This chapter first provides an overview of the various tasks that must be done in order to create a good exploit, and how exploit frameworks relate to those tasks. It then introduces a couple of the available exploit frameworks and how to use them to make exploit writing an easier task. Frameworks covered include Core Impact (starting in Core Impact Overview), and Immunity Canvas (starting in The Canvas Exploit Framework). Metasploit is covered separately in Chapter 7.

Anyone who has performed their own vulnerability research knows that taking the step from finding an issue, such as a buffer overflow, to actually exploiting that issue can be a daunting one. Once you have overwritten the execution point, the next task is finding a valid return address that can be used to reach your code. In some cases, finding that return address for your specific setup is easy, but it can be a lot harder to find one that will work while taking into account varied and even unknown configurations. For example, there are many variations of Microsoft Windows, and few people have every software version available in a test lab. Exploit frameworks can help you mitigate this challenge. For instance, the Metasploit Framework Project helps you choose the best and most reliable return address by providing a database of opcodes (http://metasploit.com/users/opcode/msfopcode.cgi) for most variations of Windows operating systems from Windows NT to Windows 2003.

Once you find the correct return address to use in your exploit, the next step is to write the shellcode. Shellcode is an assembly language program that is used to execute a shell and then run arbitrary commands on the exploited system. It is this shellcode that you want to execute when your exploit runs on the target system.

The key to writing good shellcode is to make it perform the desired task while keeping the code very compact. In some cases, you need to accomplish this in as little as 50 bytes of space, which can be a very difficult task. One of the advantages of an exploit framework is that it usually comes with a large selection of different shellcode samples or agents that can load code on the fly. This completely removes the work of constantly having to analyze and rewrite your shellcode just to remove a few bytes and make it fit into the available space.

Once you have your working shellcode, it is a good idea to encode it to ensure that the code runs reliably on the target system. For example, if a target application accepts readable characters only and rejects anything else, you will want to encode your shellcode with an alphanumeric encoder. This also helps get past simple filtering mechanisms. For example, simply sending raw binary shellcode to an SMTP server might not work, while sending the same shellcode encoded as an alphanumeric string would.

At this point, you have code to exploit the vulnerability and some shellcode to deliver. The final task in writing a good exploit and ensuring that the shellcode is properly delivered is to write a subprogram to handle all the basic steps of protocol negotiation that are required before the exploit can be delivered. Exploit frameworks are able to make this task much easier than it has been in the past because they typically include templates for most common protocols.

Imagine attempting to do all of these tasks without using an exploit framework. You would require in-depth knowledge of networking, assembly language, programming, and operating system architecture. While it has always been possible to generate great exploits without a framework, the frameworks have taken most of the hard work away, which has been welcomed by even the most skilled exploit writers.

Exploit frameworks provide all the tools required to perform the tasks just listed, including multistage shellcode, multiple types of encoders, and sometimes even a C compiler. Some frameworks also provide the ability to emulate different protocols for exploit delivery. The exploit frameworks have literally turned days of work into hours.