I’ve started to poke around with the BB10 simulator. Found a couple interesting things, will post more when I have a writeup.
I just realized that the APK available for download as part of my FTPServer DoS is the incorrect version. This has been fixed and the proper version has been uploaded.
I was able to find some time to do a bit more research this month. The Allscripts vulnerability is an old one I finally got around to publishing:
- Inventory 1.0 Cross Site Scripting
- Inventory 1.0 SQL Injection
- Gramophone 0.01b1 Cross Site Scripting
- Allscripts Homecare Client Local Memory Corruption
I know it has been a few weeks since these conferences ended, but life is very busy! Both conferences were simply amazing. I met many new people and was able to put faces to the names of people I have been talking to for a while.
A big shout out to all the staff at the two cons for putting on an amazing show. I can’t wait for next year and hopefully I’ll be able to speak at both again!
I would also like to thank all those who attended my talks and to those who came up to me afterward! Both talks were recorded but as of right now only the DerbyCON talk has been posted:
Wow I totally spaced about posting these updates on here. I have been selected to speak at both DerbyCON and GrrCON!!
GrrCON is Sept 27-28 in Grand Rapids, MI. http://www.grrcon.org
DerbyCON is Sept 28-30th in Louisville, KY. http://www.derbycon.com
I will be presenting my Android in Healthcare: A Case Study talk at both conferences. Come check it out!
The Raspberry Pi (http://www.raspberrypi.org) is a $25 ARM GNU/Linux box that is the size of a credit card. The applications for this little device are seemingly endless. So naturally I picked one up and started working on some penetration testing scripts for this box. One of my goals was to get BeEF running, which I have done.
BeEF comes with a couple installation scripts. I used these as a starting ground to get BeEF running on the Raspberry Pi. The script I started with was the “install-beef” script.
After running the script, I noticed that the install failed after trying to install rvm. It appeared that even though rvm installed, it was not available to run. I was able to track this down to a PATH issue. In the install-beef script, the $HOME/.rvm/scripts/rvm file is referenced. That file was never created.
I changed the install-beef script to contain a line which created the symbolic link between /usr/local/rvm/scripts/rvm and the one in my local path. After that, everything went off without a hitch! I also removed some of the code to detect other OSes as the script is intended to only run on the Raspberry Pi.
I would also like to note that during the installation, Ruby 1.9.2 is compiled and installed. I highly recommend changing the RAM allocation from 128/128 to 224/32. This will speed up compile time. If you are not familiar with how to do that, here is the command:
As root: cp /boot/arm224-start.elf /boot/start.elf
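The two fixes described above (the missing rvm script in $HOME and the 224/32 memory split), written up as shell functions. This is an added example, not code from the original post or from the BeEF install scripts; the directory arguments are assumptions added so the functions can be exercised against a scratch directory, and their defaults are the paths named in the post.

```shell
# Added example (not the post's or BeEF's own code): the rvm PATH fix and
# the memory-split change as reusable functions. Both take optional path
# arguments (an assumption for testability); the defaults match the post.

# Create $HOME/.rvm/scripts/rvm as a symlink to the system-wide rvm script
# when the system install exists but the per-user script does not.
# $1: system rvm install directory (default /usr/local/rvm)
# $2: home directory to link into (default $HOME)
link_rvm_script() {
    sys_rvm="${1:-/usr/local/rvm}"
    home="${2:-$HOME}"
    if [ ! -f "$sys_rvm/scripts/rvm" ]; then
        echo "rvm not found under $sys_rvm; install it first" >&2
        return 1
    fi
    mkdir -p "$home/.rvm/scripts"
    if [ ! -e "$home/.rvm/scripts/rvm" ]; then
        ln -s "$sys_rvm/scripts/rvm" "$home/.rvm/scripts/rvm"
    fi
    # Succeed only if the link actually resolves to a file.
    [ -f "$home/.rvm/scripts/rvm" ]
}

# Switch the Pi's ARM/GPU memory split to 224/32 by copying the matching
# firmware blob over start.elf, keeping a backup of the blob currently in use.
# $1: boot directory (default /boot); on a real Pi this must run as root.
set_memory_split_224() {
    boot="${1:-/boot}"
    if [ ! -f "$boot/arm224-start.elf" ]; then
        echo "$boot/arm224-start.elf missing; cannot change split" >&2
        return 1
    fi
    # Keep the current start.elf so the old split can be restored.
    cp "$boot/start.elf" "$boot/start.elf.bak" 2>/dev/null || true
    cp "$boot/arm224-start.elf" "$boot/start.elf"
    # Confirm the copy is byte-identical before reporting success.
    cmp -s "$boot/arm224-start.elf" "$boot/start.elf"
}
```

Call `link_rvm_script` before the line in install-beef that sources $HOME/.rvm/scripts/rvm, and `set_memory_split_224` (followed by a reboot) before the Ruby compile starts; restoring the backup with `cp /boot/start.elf.bak /boot/start.elf` puts the split back.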
BeEF takes about 1 minute to load after the RAM changes are made. It is not recommended to run X while running BeEF. Navigating to the UI from another machine is decent, but not as snappy as it would be if BeEF were run on more powerful hardware. I tested hooking a few clients and the performance in the UI did not degrade.
Of course, what would this post be without a screenshot of BeEF running on the Pi:
I have finally gotten around to releasing my own set of scripts/packages for the Raspberry Pi! I would like to introduce everyone to PwnBerryPi! What started off as contributions to PwnieExpress’s Raspberry Pwn project has been spun off on its own.
Why another Raspberry Pi pentesting distro? Short answer: because I can. Long answer: my goals for the project are different from PwnieExpress’s. I have a feeling that PE is trying to align both their commercial set and the Raspberry Pi suite. They are also working on some other cool projects that just don’t meet what I am looking for.
I also plan on making several OS customizations and a downloadable image; I don’t think these are in the pipeline for Raspberry Pwn. These are still in the works.
What else makes it different? Metasploit, reverse shells, and webshells. When the RAM settings are changed, Metasploit is usable on the device. I also included several reverse shells: Rel1k’s encrypted HTTP shell, a PHP shell, and a Perl shell. The webshells were from a collection on Backtrack.
So please give PwnBerryPi a try and let me know of any changes/issues.
Download the code from github: https://github.com/g13net/PwnBerryPi
If you have been living under a rock and don’t know what a Raspberry Pi is, it is a $35 ARM GNU/Linux computer. When I first heard of it, my first thought was that this would make an awesome pentesting tool. It is the size of a credit card and has low power requirements (5V 7mA). I ordered mine in March and it finally arrived this week.
On the idea of pentesting, I was not alone in thinking this is a cool platform to use. My first Google searches brought me to Pwn Pi. They eventually released a standalone OS on sourceforge. After looking at the tool list, I noticed they were missing a key component: having the system call back home.
So I started a project, Raspberry Pwn. The goal of the project was to create a distro that would aid pentesters once they got inside the network. It was not to be a Backtrack copy, but a focused set of tools. The main thing for it is to provide scripted reverse shells to give the pentester access once the device has been delivered/plugged into the target network.
As I found out yesterday, the name Raspberry Pwn was not very unique. Pwnie Express came out with a set of scripts that they call Raspberry-Pwn. It seems pretty straightforward: prep an SD card and run the install scripts. Now where does this leave my project?
Pwnie Express’ current scripts include no reverse shell scripts. It is also missing exploits. Exploit-DB and Metasploit are not included in the initial script release. With the project on github, it gave me a starting point.
I forked the project and have already begun making changes. The script gives me a good starting point and hopefully I can have a decent release soon. I also have to come up with a new name. My plan is to also deploy a standalone OS which already has the script run to install the tools.
Stay tuned for more!
April has been over for a while now. I was slightly busy in that month and have added 4 disclosures to my list:
- phpMyBible 0.5.1 Multiple XSS
- ChurchCMS 0.0.1 Multiple SQLi
- PHP Ticket System Beta 1 SQL Injection
- PHP Volunteer Management 1.0.2 Multiple Vulnerabilities
With travel for work calming down, I’m hoping to have my time to hack stuff in May!