Re: The joys of impurity (was: MOSDEF, InlineEgg)
In-Reply-To: <20031006210520.GA3033@xxxxxxx>
Well, MOSDEF is fairly far along, but the C compiler is not quite done, so no,
you can't compile nmap and send it over for execution.
Of course, that's not even an intended application. MOSDEF doesn't attach stdin
and stdout to anything in particular. All communication with the little
shellcode stubs you send over is done via an included "sendbuffer, sendint,
sendstring" API. This is so you can transparently spawn two (or more) little
shellcodes at once and not have them interleave their data over the socket as
they send data back to you.
Most of a MOSDEF application is actually written in Python. Only loops and
other sorts of small things are sent over for execution. This is because it
makes sense to have high-level decision making done by a "decision making
entity" with access to the larger picture. It's also non-optimal to break into
a client's box in China and then have to send a meg of static binary across to
it before you can do anything.
Another benefit of this design is that you won't have to collect statically
linked binaries that happen to work on every architecture you want to hack.
MOSDEF is a lot like GCC and a sourceforge subscription in that regard.
Of course, impurity is working right now, for small things, and MOSDEF needs to
get another 40 hours or so before [#include,while,for,if,struct] are done, so
for the "where do you want to go today?" question impurity might be the right
answer.
Dave Aitel
Immunity, Inc.
"Where do you want to go tomorrow?"
>Hi,
>I enclose the impurity-1.0 release. The README follows. I would like to hear
>some comparisons with MOSDEF and InlineEgg; can you guys implement nmap in
>your shellcode ;) ?
>peace,
>algo
>
> Impurity-1.0
> by Alexander E. Cuttergo <cuttergo@xxxxxxx>
>
> Concept
> Impurity is a set of scripts which make it easy to produce a
>shellcode ("first stage") which is able to download over the net an
>executable ELF file ("second stage") and execute it without writing it to
>the disk first. The first stage shellcode itself is almost constant (except
>for one parameter, the executable length) and very short - 46 bytes. Using
>this approach, one does not waste hours composing and debugging a complex
>shellcode - just write a .c program, run impurity (which creates the second
>stage ELF binary) and you are all set.
> Impurity is mostly useful when exploiting a daemon which runs
>chrooted and with dropped privileges; in such case one cannot simply execute
>/bin/sh. Compare it with MOSDEF and InlineEgg.
> Currently impurity is implemented for Linux/i386 only; however,
>porting to other OS/architectures should be trivial, provided they use ELF
>standard.
>