metasploit-framework/dev/csw05/csw05.tex

808 lines
22 KiB
TeX
Raw Normal View History

% $Header$
\documentclass{beamer}
\usepackage{graphicx}
\usepackage{color}
\mode<presentation>
{
% \usetheme{}
% or ...
% \usecolortheme{seahorse}
% \usecolortheme{crane}
% \useinnertheme{inmargin}
% \setbeamercovered{transparent}
% or whatever (possibly just delete it)
}
\usepackage[english]{babel}
\usepackage[latin1]{inputenc}
\usepackage{times}
\usepackage[T1]{fontenc}
% \usepackage{beamerthemeshadow}
% Love from spoon
\newcommand{\pdfpart}[1]{\label{pdfpart-#1}\pdfbookmark[0]{#1}{pdfpart-#1}\part{#1}}
\newenvironment{sitemize}{\vspace{1mm}\begin{itemize}\itemsep 4pt\small}{\end{itemize}}
% Presentation meta-information
\title{Advances in Exploit Technology}
\author[hdm \& spoonm] {hdm \& spoonm}
\date[CSW 2005] {CanSecWest, 2005}
\subject{Advances in Exploit Technology}
% Add a spacer between each part
\AtBeginPart{\frame{\partpage}}
% Turn off the navigation on the bottom yo
\setbeamertemplate{navigation symbols}{}
% Kick this sucker open
\begin{document}
% Throw down the title
\begin{frame}
\titlepage
\end{frame}
%--------------------------------------%
\pdfpart{Introduction}
%--------------------------------------%
\section{Who are we?}
\begin{frame}
\frametitle{Who are we?}
\begin{sitemize}
\item spoonm
\begin{sitemize}
\item Full-time student at a Canadian university
\item Metasploit developer since late 2003
\end{sitemize}
\end{itemize}
\begin{itemize}
\item H D Moore
\begin{sitemize}
\item Full-time employee at a network security firm
\item Metasploit project founder and developer
\end{sitemize}
\end{sitemize}
\end{frame}
\section{What is Metasploit?}
\begin{frame}
\frametitle{What is Metasploit?}
\begin{sitemize}
\item Research project with 8 members
\begin{sitemize}
\item Focused on improving the state of security
\item Provide information and tools for researchers
\item Resource for IDS and security tool vendors
\end{sitemize}
\end{sitemize}
\begin{sitemize}
\item Created the Metasploit Framework
\begin{sitemize}
\item Open-source exploit dev platform
\item Includes 60 exploits and 70 payloads
\item Implements ideas from everywhere
\item Currently four primary developers
\item Handful of external contributors
\end{sitemize}
\end{sitemize}
\end{frame}
\section{What is this about?}
\begin{frame}
\frametitle{What is this about?}
\begin{sitemize}
\item Recent advances in exploit technology
\item Exploiting Windows XP SP2 and Mac OS X
\item New research, techniques, and code
\item Metasploit Framework 3.0 architecture
\end{sitemize}
\end{frame}
%--------------------------------------%
\pdfpart{Windows Exploitation}
%--------------------------------------%
\section{Exploit Trends}
\begin{frame}
\frametitle{Exploit Trends}
\begin{sitemize}
\item Public Windows exploits are still terrible...
\begin{sitemize}
\item Tons of ugly, inflexible, hardcoded crap
\item Demonstrate no knowledge of underlying flaw
\item Rarely use information leakage for system targetting
\end{sitemize}
\end{sitemize}
\pause
\begin{sitemize}
\item ...but they have improved over the last year!
\begin{sitemize}
\item More exploits are supporting multiple payloads
\item Return addresses are more reliable
\item Payloads are getting slightly less ghetto
\end{sitemize}
\end{sitemize}
\end{frame}
\begin{frame}
\frametitle{PoC Community}
\begin{sitemize}
\item The number of people capable of writing exploits is going up...
\begin{sitemize}
\item The number of PoC writers is picking up steam
\item Nearly 250 PoC authors in 2004 (packetstorm, etc)
\item Win32 exploit dev information has hit critical mass
\item Exploit development training is in high demand ;-)
\end{sitemize}
\end{sitemize}
\pause
\begin{sitemize}
\item ...but the number of "hard" exploits made public is the same
\begin{sitemize}
\item People are lazy, skilled people tend to horde their code
\item Example: Microsoft ASN.1 Bit String Heap Corruption
\item Most "difficult" exploits are disclosed due to leaks
\item Win32 kernel exploits are still the domain of a few :-)
\end{sitemize}
\end{sitemize}
\end{frame}
\section{Windows XP SP2}
\begin{frame}
\frametitle{Windows XP SP2}
\begin{sitemize}
\item Microsoft's "patch of the year" for 2004
\begin{sitemize}
\item SP2 included a handful of anti-exploit changes
\item The important ones were already in 2003
\item Page protection is dependent on hardware
\end{sitemize}
\end{sitemize}
\pause
\begin{sitemize}
\item Most of the SP2 protections can be avoided
\begin{sitemize}
\item David Litchfield demonstrated SEH exploitation
\item Matt Conover continues to dismantle the heap
\item Third-party applications basically unaffected
\end{sitemize}
\end{sitemize}
\end{frame}
\begin{frame}
\frametitle{Metasploit and SP2}
\begin{sitemize}
\item Exploit development barely affected by SP2
\item Third-parties are not using Visual Studio 7
\item Registered SEH has yet to be encountered
\item A handful of nice XP SP2 and 2003 addresses
\end{sitemize}
\pause
\begin{sitemize}
\item Still too early to guess effectiveness
\begin{sitemize}
\item Not many remote Windows XP OS vulnerabilities
\item XXX fill in more stuff here
\end{sitemize}
\end{sitemize}
\end{frame}
%--------------------------------------%
\pdfpart{Mac OS X Exploitation}
%--------------------------------------%
\section{PowerPC Constraints}
\begin{frame}
\frametitle{PowerPC Contraints}
\begin{sitemize}
\item Mac OS X runs on PowerPC
\item PowerPC is a RISC-platform
\item Independent instruction and data caches
\item Fixed-width 32-bit insutrctions
\item Stack overflows need to return twice to be explotable
\item (Similar to exploits on SPARCs, etc)
\end{sitemize}
\end{frame}
\section{Exploits are annoying}
\begin{frame}
\frametitle{Exploits are annoying }
\begin{sitemize}
\item Double-return means having to patch other pointers
\item Code which calls \_exit before sometimes unexploitable
\item Shellcode must be placed into location not in i-cache
\item Exploits can have different results between diff CPUs
\end{sitemize}
\end{frame}
\section{Shellcode issues}
\begin{frame}
\frametitle{Shellcode issues }
\begin{sitemize}
\item Double-return means having to patch other pointers
\item Shellcode must be placed into location not in i-cache
\item Exploits can have different results between diff CPUs
\end{sitemize}
\end{frame}
%--------------------------------------%
\pdfpart{Return Addresses}
%--------------------------------------%
\section{Reliability}
\begin{frame}
\frametitle{Return Address Reliability}
\begin{sitemize}
\item An exploit is only as good as the return address it uses
\item Many vulnerabilities only allow one exploit attempt
\item Returning directly to shellcode is not always possible
\begin{sitemize}
\item Most Windows exploits use a "bounce" address
\item Indirect returns are useful on other platforms as well
\end{sitemize}
\end{sitemize}
\end{frame}
\section{Windows Addresses}
\begin{frame}
\frametitle{Windows Return Addresses}
\begin{sitemize}
\item Windows stack addresses are usually not predictable
\item Executable and library addresses {\em are} predictable
\begin{sitemize}
\item System libraries are often static between patch levels
\item Application libraries change even less frequently
\item Executable addresses only change between app versions
\end{sitemize}
\end{sitemize}
\begin{sitemize}
\item Static system libraries can go a long way...
\pause
\item A great example is the "ws2help.dll" library:
\begin{sitemize}
\item Static across all versions of Windows 2000
\item Static across Windows XP SP0 and SP1
\item Used in dozens of exploits in the Framework
\end{sitemize}
\end{sitemize}
\end{frame}
\begin{frame}[fragile]
\frametitle{The Magic SEH}
\begin{sitemize}
\item Stack overflows rarely exploit return address overwrites
\item Overwriting the structured exception handler (SEH) is easier
\item The first exception causes smashed SEH to be called
\item SEH frame can exist before or after the return address
\end{sitemize}
{\footnotesize
\begin{verbatim}
/* Struction Exception Handler */
typedef struct _EXCEPTION_REGISTRATION
{
struct _EXCEPTION_REGISTRATION* prev;
PEXCEPTION_HANDLER handler;
} EXCEPTION_REGISTRATION, *PEXCEPTION_REGISTRATION;
\end{verbatim}
}
\end{frame}
\begin{frame}[fragile]
\frametitle{The Magic SEH}
\begin{sitemize}
\item Overwrite the frame, trigger exception, got EIP :-)
\item The prototype for the SEH function is:
\end{sitemize}
{\footnotesize
\begin{verbatim}
EXCEPTION_DISPOSITION
__cdecl _except_handler(
struct _EXCEPTION_RECORD *ExceptionRecord,
void * EstablisherFrame,
struct _CONTEXT *ContextRecord,
void * DispatcherContext );
\end{verbatim}
}
\pause
\begin{sitemize}
\item \texttt{EstablisherFrame} points 4 bytes before handler address
\pause
\item Can return back to code via \texttt{pop reg, pop reg, ret}
\pause
\item The pop/pop/ret combination is easy to find in memory
\pause
\item Registered SEH on Windows XP/2003 has some restrictions
\end{sitemize}
\end{frame}
\section{Unix Addresses}
\begin{frame}
\frametitle{Unix Return Addresses}
\begin{sitemize}
\item Linux and BSD
\begin{sitemize}
\item Library addresses are usually not predictable
\item Every executable has a static load address
\begin{sitemize}
\item Every distribution has compiled its own executable
\item Exploits must target specific versions and operating systems
\item Commercial (binary-only) applications are mostly static
\end{sitemize}
\end{sitemize}
\end{sitemize}
\pause
\begin{sitemize}
\item Commercial Unix
\begin{sitemize}
\item Library addresses are sometimes predictable
\item Every executable has a static load address
\begin{sitemize}
\item These addresses are static per package version
\item Windows-style return addresses work well
\item This includes Mac OS X, Solaris, HP-UX, AIX, etc
\end{sitemize}
\end{sitemize}
\end{sitemize}
\end{frame}
\section{Analysis Tools}
\begin{frame}
\frametitle{Analysis Methods}
\begin{sitemize}
\item Finding solid return addresses involves a few steps
\begin{sitemize}
\item Load the executable or library into memory
\item Determine all permutations of the desired opcode
\item Search memory contents to find these bytes
\item Determine the virtual address for each offset
\end{sitemize}
\end{sitemize}
\pause
\begin{sitemize}
\item Many people use a debugger to accomplish this task
\begin{sitemize}
\item This is a tedious process to do manually
\item Limited to one version at a time, even with a plugin
\item Requires the installation of each tested version
\end{sitemize}
\end{sitemize}
\end{frame}
\begin{frame}
\frametitle{The Metasploit msfpescan utility}
\begin{sitemize}
\item msfpescan - a utility included in the Metasploit Framework
\begin{sitemize}
\item Can analyze any PE executable or DLL in offline mode
\item Simple to automate and cross-reference results
\item Does not require a Windows system to run
\item Easily analyze multiple versions on the command line
\item Capable of dumping other information as well
\begin{sitemize}
\item Imports, Exports, and IAT addresses
\item Resource information, internal versions
\item Standard PE header information
\end{sitemize}
\end{sitemize}
\end{sitemize}
\end{frame}
\begin{frame}[fragile]
\frametitle{Using msfpescan to find addresses}
\begin{sitemize}
\item Install the Metasploit Framework (2.3 or newer)
\item Place your target executable or DLL into some directory
\item Use msfpescan to quickly find return addresses:
\end{sitemize}
{\footnotesize
\begin{verbatim}
# Locate any form of pop/pop/ret opcodes
$ msfpescan -f mod_oiplus.dll -s
0x1001413c esi edi ret
0x10009ea2 esi ecx ret
0x100113bd esi ebx ret
# Locate any opcodes that take us to [eax]
$ msfpescan -f mod_oiplus.dll -j eax
0x1000969d push eax
0x100141a3 jmp eax
0x10010e69 call eax
\end{verbatim}
}
\end{frame}
\begin{frame}
\frametitle{Opcode Databases}
\begin{sitemize}
\item Contains opcodes across every executable and DLL in Windows
\item The new version includes over nine million records
\item Data is generated directly from the files themselves
\item Quickly cross-reference return address over the entire DB
\item Publicly available from http://www.metasploit.com/
\end{sitemize}
\end{frame}
\begin{frame}
\frametitle{Current Development}
\begin{sitemize}
\item Executable analysis tools for Solaris, Mac OS X, Linux, BSD
\item Usefulness limited compared to Windows platform
\item Static libraries are great for cross-version exploits
\end{sitemize}
\end{frame}
%--------------------------------------%
\pdfpart{Post-Exploitation}
%--------------------------------------%
\section{Windows Payloads}
\begin{frame}
\frametitle{The Meterpreter}
\begin{sitemize}
\item Windows version uses in-memory DLL injection techniques
\item Dynamically extensible over the network
\item Extensions are standard Windows DLLs
\item Loading an extension updates available commands
\item Support for network encryption
\item Huge feature set in the public version
\begin{sitemize}
\item Upload, download, and list files
\item List, create, and kill processes
\item Spawn "channelized" commands in the background
\item Create port forwarding channels to pivot attacks
\end{sitemize}
\end{sitemize}
\end{frame}
\begin{frame}
\frametitle{Ordinal-based Stagers}
\begin{sitemize}
\item Technique from Oded's lightning talk from core04
\item 92 bytes and works on every Windows version/SP
\item Staging system can chain vnc injection or Meterpreter
\end{sitemize}
\end{frame}
\begin{frame}
\frametitle{PassiveX}
\begin{sitemize}
\item Payload modifies registry and launches IE
\item IE loads custom ActiveX control to stage the payload
\item Communications channel is via HTTP requests
\item Can be used to inject VNC, Meterpreter, etc
\item Uses IE settings to bypass firewalls (proxy, auth, etc)
\end{sitemize}
\end{frame}
\section{Unix Payloads}
\begin{frame}
\frametitle{Non-standard Network Stagers}
\begin{sitemize}
\item UDP-based stager and network shell for Linux
\item UDP-based DNS request staging system
\item ICMP-based listener and "reverse" payloads
\item Find and recv socket re-use stagers
\item Source code in MSF, but many not integrated
\end{sitemize}
\end{frame}
%--------------------------------------%
\pdfpart{Improving Randomness in Attacks}
%--------------------------------------%
\begin{frame}
\frametitle{Outline}
\tableofcontents
\end{frame}
\section{Introduction}
\begin{frame}
\frametitle{Randomness, who cares?}
\begin{sitemize}
\item NOTE: this slide can probably be trashed.. just temp for now
\item Adding randomness to exploits
\begin{sitemize}
\item Less to signature / anti-nids
\item Helps to uncover bugs in your exploit
\end{sitemize}
\pause
\item Adding randomness to exploit code
\begin{sitemize}
\item Modify attacks by setting protocol options (frags)
\item All padding data can be randomized (englishtext)
\item Helper functions to generate types of random data
\end{sitemize}
\item Adding randomness to machine code
\begin{sitemize}
\item Less to signature / anti-nids
\item Increased robustness (bad chars / bad regs)
\item Street credz? :-)
\end{sitemize}
\end{sitemize}
\end{frame}
\section{Conservative Polymorphism}
\newcommand{\incshi}[1]{\includegraphics[height=3in]{#1}}
\begin{frame}
\frametitle{R0x Iterationz}
\only<9>{\incshi{shi8}}
\only<8>{\incshi{shi7}}
\only<7>{\incshi{shi6}}
\only<6>{\incshi{shi5}}
\only<5>{\incshi{shi4}}
\only<4>{\incshi{shi3}}
\only<3>{\incshi{shi2}}
\only<2>{\incshi{shi1}}
\only<1>{\incshi{shi0}}
\end{frame}
\section{Building a Nop Sled}
\subsection{Tekneek}
\begin{frame}
\frametitle{Multibyte Sled Concept}
\begin{sitemize}
\item Optyx released multibyte generator at Interz0ne 1
\item Generates instructions 1 to 6 bytes long, and 0x66 prefix
\item 1 byte aligned, land anywhere, end at the same byte
\end{sitemize}
\begin{sitemize}
\pause
\item Builds the sled from back to front
\item Continually prepending byte (opcode) to sled
\item Generates random byte and check against tables
\pause
\begin{sitemize}
\item Is the instruction length too long?
\item Is it a valid instruction?
\item Does it have any bad bytes?
\item Does it modify don't-smash registers?
\end{sitemize}
\end{sitemize}
\end{frame}
\begin{frame}[fragile]
\frametitle{Backwardz}
{\footnotesize
\begin{semiverbatim}
\textbf<11>{bb} \textbf<10,11>{b0} \textbf<9,10,11>{bf} \textbf<8,9,11>{2c} \textbf<7,8,9,11>{b6} \textbf<6,7,9>{27} \textbf<5,9>{67} \textbf<4,5>{2F} \textbf<3>{4A} \textbf<2>{1b} \textbf<1,2>{f9} --- shellcode
| | | | | | | | | | | \textbf<1>{... stc}
| | | | | | | | | |____^ \textbf<2>{. sbb edi,ecx}
| | | | | | | | | \textbf<3>{......... dec edx}
| | | | | | | | \textbf<4>{............ das}
| | | | | | |____^ \textbf<5>{.......... a16 das}
| | | | | | \textbf<6>{.................. daa}
| | | | |____^ \textbf<7>{................ mov dh, 0x27}
| | | |____^ \textbf<8>{................... sub al, 0xb6}
| | |_____________^ \textbf<9>{............. mov edi, 0x6727b62c}
| |____^ \textbf<10>{......................... mov al, 0xbf}
|_____________^ \textbf<11>{................... mov ebx, 0xb62cbfb0}
\end{semiverbatim}
}
\end{frame}
\subsection{Implementation}
\begin{frame}[fragile]
\frametitle{OptyNop2 Output}
{\footnotesize
\begin{verbatim}
$ ./waka 1000 4 5 | ndisasm -u - | head -700 | tail -20
000003B6 05419F40D4 add eax,0xd4409f41
000003BB 711C jno 0x3d9
000003BD 9B wait
000003BE 2C98 sub al,0x98
000003C0 37 aaa
000003C1 24A8 and al,0xa8
000003C3 27 daa
000003C4 E00D loopne 0x3d3
000003C6 6692 xchg ax,dx
000003C8 2F das
000003C9 49 dec ecx
000003CA B34A mov bl,0x4a
000003CC F5 cmc
000003CD BA4B257715 mov edx,0x1577254b
000003D2 700C jo 0x3e0
000003D4 C0D6B0 rcl dh,0xb0
000003D7 A9FD469342 test eax,0x429346fd
000003DC 67BBB191B23D a16 mov ebx,0x3db291b1
000003E2 1D9938FCB6 sbb eax,0xb6fc3899
000003E7 43 inc ebx
\end{verbatim}
}
\end{frame}
\subsection{Analysis}
\begin{frame}[fragile]
\frametitle{ADMmutate and optyx-mutate Gzip'd}
{\footnotesize
\begin{verbatim}
# ADMmutate
$ time ./nops 1000000| gzip -v >/dev/null
27.3%
real 0m0.241s
# optyx's interz0ne mutate
$ time ./driver nop 1000000 | gzip -v >/dev/null
29.7%
real 0m0.467s
\end{verbatim}
}
\end{frame}
\begin{frame}[fragile]
\frametitle{OptyNop2 Gzip'd}
{\footnotesize
\begin{verbatim}
# C version, save ESP and EBP
$ time ./waka 1000000 4 5 | gzip -v >/dev/null
12.2%
real 0m11.900s
# save just ESP
$ time ./waka 1000000 4 | gzip -v >/dev/null
11.7%
real 0m11.277s
# save nothing (good way to crash process)
$ time ./waka 1000000 | gzip -v >/dev/null
8.3%
real 0m12.404s
\end{verbatim}
}
\end{frame}
\begin{frame}[fragile]
\frametitle{ADMmutate Distribution - 1}
\include{admtable}
\end{frame}
\begin{frame}[fragile]
\frametitle{ADMmutate Distribution - 2}
\include{admtable2}
\end{frame}
\begin{frame}[fragile]
\frametitle{OptyNop2 Distribution - 1}
\include{optytable}
\end{frame}
\begin{frame}[fragile]
\frametitle{OptyNop2 Distribution - 2}
\include{optytable2}
\end{frame}
\subsection{Conclusion}
\begin{frame}
\frametitle{Benefits}
\begin{sitemize}
\item Not very difficult to gain lots more randomness
\item NIDS is far, far, behind
\item Added robustness (bad char / bad regs)
\item More versatile sled generation (nop stuffing, etc)
\end{sitemize}
\end{frame}
\begin{frame}
\frametitle{Possible Improvements}
\begin{sitemize}
\item Support processor flags (nop stuffing)
\item Support 2-byte opcodes / escape groups (not worth it)
\item Improved scoring systems, look-ahead, etc
\item Try to output according to a given byte distribution
\item Make it faster and use less memory
\end{sitemize}
\end{frame}
\section*{Summary}
\begin{frame}
\frametitle<presentation>{Summary}
% Keep the summary *very short*.
\begin{sitemize}
\item
The \alert{first main message} of your talk in one or two lines.
\item
The \alert{second main message} of your talk in one or two lines.
\item
Perhaps a \alert{third message}, but not more than that.
\end{sitemize}
% The following outlook is optional.
\vskip0pt plus.5fill
\begin{sitemize}
\item
Outlook
\begin{sitemize}
\item
Something you haven't solved.
\item
Something else you haven't solved.
\end{sitemize}
\end{sitemize}
\end{frame}
% All of the following is optional and typically not needed.
\appendix
\section<presentation>*{\appendixname}
\subsection<presentation>*{Materials}
\begin{frame}[allowframebreaks]
\frametitle<presentation>{Materials}
\begin{thebibliography}{10}
\beamertemplatebookbibitems
% Start with overview books.
\bibitem{Author1990}
A.~Author.
\newblock {\em Handbook of Everything}.
\newblock Some Press, 1990.
\beamertemplatearticlebibitems
% Followed by interesting articles. Keep the list short.
\bibitem{Someone2000}
S.~Someone.
\newblock On this and that.
\newblock {\em Journal of This and That}, 2(1):50--100,
2000.
\end{thebibliography}
\end{frame}
\end{document}