Exploit Frameworks

From SCADApedia


Exploit frameworks are the keystone of both hostile attackers' and penetration testers' toolkits. These frameworks provide a consistent environment from which to create and/or run exploit code against a given target. A far cry from the days when an attacker had to code a custom exploit for each vulnerability, the scripts used within these frameworks are both freely shared and sold as part of a subscription service, and the basic set contains exploits for hundreds of different targets, along with the tools that allow an attacker to stay hidden. Currently there are three frameworks that are widely used.


Benefits

Of the many benefits provided by exploit frameworks, the most valuable is the modularization of exploit code. Before these frameworks were created, exploits and payloads were tightly coupled, and a given exploit script would often do only one thing, such as create a new user on the compromised system or execute a command shell; now a given exploit can be used to deliver virtually any payload. Code reuse and modularization allowed exploitation scripts to become much cleaner and more concise, since the basic functionality they need is already included in the framework's library.

Frameworks

Metasploit

Metasploit is the open source exploit framework. Originally written by H D Moore in Perl, the current version is written in Ruby and maintained by a group of contributors. As of the time of this writing, the current version of Metasploit ships with 303 exploits, the majority of which target the Microsoft Windows platform, but it also includes exploits for Apple OSX, Linux, and various other Unix-style operating systems. Many of the exploits publicly released today on sites such as milw0rm are published as Metasploit modules.

CANVAS

CANVAS, produced by Immunity, is sold on a subscription model. It ships with over 400 exploits, and an average of 4 exploits is added each month. Source code is available to those who purchase CANVAS, and the exploits themselves are rigorously QA'd before release. Users are not limited to the exploits created by Immunity, as several other vendors offer exploit packages for it as well. Also included are numerous freely available tools, such as the exploit creation framework MOSDEF and the recently released DR Rootkit.

IMPACT

IMPACT, produced by Core, is another commercially available exploit framework that delivers point-and-click exploitation with the additional functionality of report creation. As with CANVAS, IMPACT modules are QA'd before and after release and are continuously updated. Core also provides "Agent" technology that helps an attacker gather information from and control compromised systems; this framework sets itself apart in the areas of information gathering and management. IMPACT also integrates with many popular vulnerability scanners and patch management tools.

Control System Specific Vulnerabilities

As of the time of this writing, Core IMPACT has modules for both the Wonderware SuiteLink vulnerability and the CitectSCADA ODBC vulnerability, while Metasploit has publicly released a module for only the latter. It is currently unknown whether any control system specific exploits are included in CANVAS.

External Links

Metasploit

CANVAS

CORE IMPACT

Milw0rm
