ExtraBacon's Sploit Framework
Or: How to break the Ruby Bonds of
By: Daniel Reilly (Oni)
● This is my own work, not endorsed, supported, or generally approved of by good people.
● I don't encourage malicious attacks.
● I do encourage offensive security and asymmetric layered defense.
Where'd this come from?
● ShadowBrokers announces their supposed Equation Group tool dump and teaser files.
● Cisco Confirms EXBA is effective against several versions of
● Researchers report porting the exploit to newer ASA versions
● Gov't (sort of) acknowledges tools by charging Harold T. Martin III *
● I decide to fork the core Sploit code and port one of my favorite configuration exploits (PostgreSQL lo_creat()) as a
Let me be clear
● I love Metasploit...but -
– You don't always need a tank.
– I am not a fan of Ruby.
– Custom Tools F.T.W.
– Sploits can run from much smaller devices.
● Possibly IoT small (currently a hypothesis)
Workflow of an MSF Exploit
● Make sure Postgres is configured/running
● Start MSFConsole or Armitage
● db_nmap the target subnet
● Run some favorite exploit/payload combos based on services discovered
● If you're fancy you export all of these commands to a resource script
Sploit's place in the world
● Sploit is for turning an exploit into a tool.
● Metasploit is for when you have a target and need to find an exploit. Sploit is the opposite.
● Normal flow might be:
– Find an exploitable flaw (or borrow one like I have)
– Write Exploit by extending the Sploit class
– Convert exploit script to command line tool using distutils
● Py2exe compile a windows executable? Sure why not.
– Distribute tool to minions.
– Minions hack the Gibsons
What is a Sploit?
● Sploit is a Python class for flexible exploit delivery. By default it was designed to deliver custom SNMP packets to firewalls. But why stop
● extrabacon_184.108.40.206.py can be thought of as similar to a MSF resource script...on steroids. It handles fingerprinting, version selection, exploit running, post exploit cleanup, etc. It extends the Sploit Class with exploit-
● Zen of Sploit Development: “Define exploit workflow as subcommands”. These in turn define the actions available for each step.
Types of Subcommands
● Information Subcommands
– Generate data about systems. In my example the “seek” and “dict” Subcommands. Also the Crypto Key Management
● Action Subcommands
– Attempt to change the state of the target in some way. In my example the “destroy” Subcommand
● Shortcut Subcommands
– Combine two or more Subcommand ideas into one command. In my example I combine all three exploit steps into one
● The Extrabacon release had ~17 different version files focused between 8.0.1 and 8.4.4 (with the notable exception of 8.1.x)
● Version files hold the details about the modifications to the exploit needed for the specific version of the target app (NOP length, offsets, etc.)
● The version files could also be used to differentiate between operating systems, architectures, payload choice, etc.
● Not all Sploits need multiple version files.
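A defender-side use of the same version-file idea, added here as an example (not the deck's or the Sploit project's own code): take the version strings from a firewall inventory and report which ones fall inside the range the slide says the leaked release shipped version files for (8.0.1 through 8.4.4, no 8.1.x files). The range bounds come from the slide; they describe the tooling's coverage, not the patch status of any build. The inventory is constructed, and treating the parenthesised number in "8.4(4)"-style strings as the third version component is an assumption made for this example. The pitfall the code guards against is comparing versions as strings, where "8.10" sorts below "8.4".

```python
import re
from typing import Dict, List, Optional, Tuple

# Coverage range stated on the slide: version files from 8.0.1 to 8.4.4,
# with none for the 8.1.x train. Coverage of the leaked tooling only;
# this is not a statement about which builds are patched.
COVERED_LOW = (8, 0, 1)
COVERED_HIGH = (8, 4, 4)
UNCOVERED_TRAINS = {(8, 1)}

# Accepts "8.4.4" and "8.4(4)" (assumption: the parenthesised number is
# treated as the third component); anything else is rejected.
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\.(\d+)|\((\d+)\))?\s*$")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Parse a version string into an integer tuple so comparisons are
    numeric, not lexical. Returns None when the string is not a version."""
    m = _VERSION_RE.match(text)
    if not m:
        return None
    major, minor = int(m.group(1)), int(m.group(2))
    patch = m.group(3) or m.group(4) or "0"
    return (major, minor, int(patch))


def version_file_coverage(text: str) -> str:
    """Classify one version string against the slide's coverage range:
    'covered', 'uncovered-train' (8.1.x), 'outside-range' or 'unparseable'."""
    v = parse_version(text)
    if v is None:
        return "unparseable"
    if (v[0], v[1]) in UNCOVERED_TRAINS:
        return "uncovered-train"
    if COVERED_LOW <= v <= COVERED_HIGH:
        return "covered"
    return "outside-range"


def string_compare_is_misleading(a: str, b: str) -> bool:
    """True when lexical and numeric ordering of two versions disagree,
    which is exactly the bug a string-based inventory check would have."""
    pa, pb = parse_version(a), parse_version(b)
    if pa is None or pb is None:
        return False
    return (a < b) != (pa < pb)


# Constructed inventory for the example; hostnames and versions are made up.
SAMPLE_INVENTORY: List[Tuple[str, str]] = [
    ("fw-edge-01", "8.4(4)"),
    ("fw-edge-02", "8.1.2"),
    ("fw-lab-03", "9.1(7)"),
    ("fw-lab-04", "8.0.1"),
    ("fw-lab-05", "8.10.1"),          # hypothetical value; sorts wrongly as a string
    ("fw-lab-06", "banner-unknown"),  # fingerprint failed, must not be silently skipped
]


def triage(inventory: List[Tuple[str, str]]) -> Dict[str, str]:
    """Map each hostname to its coverage classification."""
    return {name: version_file_coverage(ver) for name, ver in inventory}


if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{host:12s} {verdict}")
    print("string compare misleading for 8.10.1 vs 8.4.4:",
          string_compare_is_misleading("8.10.1", "8.4.4"))
```

Unparseable banners are reported rather than dropped, since a host whose version could not be read is the one most likely to be missed by a patch sweep.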
● Based on
● Uses C instead of scripting
● Writes a pseudo-randomly named malicious DLL to the system which contains a reverse_tcp Shell.
● Credit and thanks for the original exploit module go to :
– 'Micheal Cottingham', # author of this module
– 'midnitesnake', # the postgres_payload module that this is based
– 'Nixawk' # Improves the module
Sockets & Spoofing
● Original EXBA Exploit can use Scapy to manually construct TCP packets with Spoofed src info
● PostgreSQL uses TCP 5432
● Conclusion: IP white-listing/black-listing is not a
– TCP traffic NEEDS IPSec and/or a separate VPN/C.
– Check out Karyn Benson's research on Internet Background Radiation (IBR)
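The conclusion above, that a source-address list is not an access control for TCP 5432, has a concrete configuration counterpart in PostgreSQL: every pg_hba.conf entry whose only gate is the ADDRESS column. The following audit is an added example (not from the deck or the Sploit project) that parses a constructed pg_hba.conf and flags entries where no authentication is required (`trust`), where cleartext transport is allowed (`host` or `hostnossl` rather than `hostssl`) off loopback, and where the address column is wide open. The file layout and the type/method keywords are PostgreSQL's real ones; the sample file, severities and finding names are this example's own.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed sample pg_hba.conf (not from any real host). Column layout
# follows PostgreSQL's: TYPE DATABASE USER ADDRESS METHOD.
SAMPLE_PG_HBA = """\
# TYPE     DATABASE  USER  ADDRESS           METHOD
local      all       all                     peer
host       all       all   127.0.0.1/32      scram-sha-256
host       all       all   10.0.0.0/8        trust
host       all       all   0.0.0.0/0         md5
hostssl    all       all   10.0.0.0/8        cert
hostnossl  all       all   192.168.1.0/24    scram-sha-256
"""

Entry = Dict[str, Optional[str]]
Finding = Tuple[str, str, str]  # (severity, kind, entry text)

CLEARTEXT_TYPES = {"host", "hostnossl"}  # 'host' permits TLS but does not require it


def _looks_like_ip(s: str) -> bool:
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False


def parse_pg_hba(text: str) -> List[Entry]:
    """Parse non-comment lines into entries. Handles 'local' rows (no address),
    CIDR addresses, and the older ADDRESS NETMASK two-column form."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        p = line.split()
        if p[0] == "local" and len(p) >= 4:
            entries.append({"type": "local", "db": p[1], "user": p[2],
                            "address": None, "method": p[3]})
        elif len(p) >= 6 and "/" not in p[3] and _looks_like_ip(p[4]):
            entries.append({"type": p[0], "db": p[1], "user": p[2],
                            "address": f"{p[3]}/{p[4]}", "method": p[5]})
        elif len(p) >= 5:
            entries.append({"type": p[0], "db": p[1], "user": p[2],
                            "address": p[3], "method": p[4]})
    return entries


def _network(addr: Optional[str]) -> Optional[ipaddress._BaseNetwork]:
    try:
        return ipaddress.ip_network(addr, strict=False) if addr else None
    except ValueError:
        return None  # hostnames, 'all', 'samehost', 'samenet'


def _is_loopback(addr: Optional[str]) -> bool:
    net = _network(addr)
    return bool(net and net.is_loopback)


def _wide_open(addr: Optional[str]) -> bool:
    if addr == "all":
        return True
    net = _network(addr)
    return bool(net and net.prefixlen == 0)


def audit_pg_hba(text: str) -> List[Finding]:
    """Flag TCP-reachable entries whose security rests on the source address."""
    findings: List[Finding] = []
    for e in parse_pg_hba(text):
        if e["type"] == "local":
            continue  # Unix-socket entries are not reachable on TCP 5432
        where = f'{e["type"]} {e["db"]} {e["user"]} {e["address"]} {e["method"]}'
        if e["method"] == "trust":
            # No authentication at all: the address column is the whole control.
            findings.append(("high", "no-auth", where))
        if e["type"] in CLEARTEXT_TYPES and not _is_loopback(e["address"]):
            findings.append(("medium", "cleartext-allowed", where))
        if _wide_open(e["address"]):
            findings.append(("medium", "any-source", where))
    return findings


if __name__ == "__main__":
    for severity, kind, where in audit_pg_hba(SAMPLE_PG_HBA):
        print(f"[{severity}] {kind:18s} {where}")
```

The remediation the findings point at is the one the slide gives in different words: move remote entries to `hostssl` with a credential-based method (`cert` or `scram-sha-256`), so that a packet arriving with an acceptable source address still proves nothing on its own.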