Saturday, April 30, 2005

SecurityForest.com ExploitTree

This afternoon I was researching a bot for a chapter in my latest book. I don't spend a lot of time on exploit sites because I am not a penetration tester by trade. I think the last time I really looked at exploits, sites like www.hack.co.za were still around!

While searching for the bot in question, I happened to find SecurityForest.com, although the site was announced on BugTraq in March. SecurityForest.com is an impressive piece of work. The site is essentially a giant CVS archive of attack code, called the ExploitTree. They provide a Client Utility which, at least for UNIX, is an interface to a native CVS client. For Windows, they provide everything you need to access a CVS server.

Here is how a session using the ExploitTree Client Utility appears under UNIX.


./ExploitTree.pl anonymous

ExploitTree Client Utility Manager v0.6
----------------------------------------

1) Initialize (first time download)
2) Update Repository
3) Print Exploit Statistics
q) Quit

> 1
Password is blank (press enter), then wait...

Logging in to :pserver:anonymous@cvs.securityforest.com:2401/home/security/cvsroot
CVS password:
cvs login: warning: failed to open /home/richard/.cvspass for reading: No such file or directory
cvs server: Updating ExploitTree
U ExploitTree/_SecurityForest
U ExploitTree/_Ver
U ExploitTree/bids.txt
U ExploitTree/exploit_db.txt
U ExploitTree/xsearch.pl
U ExploitTree/xsearch2-beta.pl
cvs server: Updating ExploitTree/application
U ExploitTree/application/_SecurityForest
cvs server: Updating ExploitTree/application/_uncategorized
U ExploitTree/application/_uncategorized/0verkill-exploit.c
U ExploitTree/application/_uncategorized/0x82-GNATS_sux.c
U ExploitTree/application/_uncategorized/0x82-Remote.tannehehe.xpl.c
U ExploitTree/application/_uncategorized/0x82-libCGIfpxpl.c
U ExploitTree/application/_uncategorized/101_shixx.cpp
...edited...
U ExploitTree/system/tru64/TRU64_xkb.pl
U ExploitTree/system/tru64/_SecurityForest
Quiting...

Here's an example of what one finds when the download process is finished.

janney:/home/richard/exploittree/ExploitTree$ ls
CVS                 bids.txt            xsearch.pl
_SecurityForest     exploit_db.txt      xsearch2-beta.pl
_Ver                network
application         system
janney:/home/richard/exploittree/ExploitTree$ cd system/
janney:/home/richard/exploittree/ExploitTree/system$ ls
CVS                 atheos              irix                novell              tru64
_SecurityForest     beos                linux               qnx
_uncategorized      bsd                 mac_osx             sco
aix                 hpux                microsoft           solaris
janney:/home/richard/exploittree/ExploitTree/system$ cd bsd
janney:/home/richard/exploittree/ExploitTree/system/bsd$ ls
CVS _SecurityForest local remote
janney:/home/richard/exploittree/ExploitTree/system/bsd$ cd remote/
janney:/home/richard/exploittree/ExploitTree/system/bsd/remote$ ls
CVS                 animal.c            freebsd             obooptd.c           rpc.autofsd.c
_SecurityForest     bsdi                netbuf.c            openbsd             stream3.c
janney:/home/richard/exploittree/ExploitTree/system/bsd/remote$ cd freebsd/
janney:/home/richard/exploittree/ExploitTree/system/bsd/remote/freebsd$ ls
CVS                     fbsd-DoS.c              ronin.c
DSR-cfengine.pl         fbsd-bnc.c              turkey2.c
_SecurityForest         ftpspy.c
cURL-remote-FBSD.pl     ppp.c

I chose a sparsely populated set of directories. The Microsoft section is much longer.

What's nice about this set-up is that you can synchronize your local copy of the ExploitTree with the SecurityForest.com version using CVS.

Other helpful exploit sites include milw0rm.com and ExploitWatch, which reports on newly available exploits by linking to them.
