2005-04-16 20:47:33 +00:00
|
|
|
% $Header$
|
|
|
|
|
2005-04-17 22:01:24 +00:00
|
|
|
\documentclass{beamer}
|
2005-04-17 03:08:23 +00:00
|
|
|
\usepackage{graphicx}
|
2005-04-17 06:08:31 +00:00
|
|
|
\usepackage{color}
|
2005-04-22 09:00:26 +00:00
|
|
|
\usepackage{comment}
|
2005-04-16 20:47:33 +00:00
|
|
|
|
|
|
|
\mode<presentation>
|
|
|
|
{
|
2005-04-16 20:52:14 +00:00
|
|
|
% \usetheme{}
|
2005-04-16 20:47:33 +00:00
|
|
|
% or ...
|
|
|
|
|
|
|
|
% \usecolortheme{seahorse}
|
|
|
|
% \usecolortheme{crane}
|
|
|
|
% \useinnertheme{inmargin}
|
|
|
|
|
|
|
|
% \setbeamercovered{transparent}
|
2005-04-18 05:34:00 +00:00
|
|
|
% or whatever (possibly just delete it)
|
2005-04-16 20:47:33 +00:00
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
\usepackage[english]{babel}
|
|
|
|
\usepackage[latin1]{inputenc}
|
|
|
|
\usepackage{times}
|
|
|
|
\usepackage[T1]{fontenc}
|
2005-04-18 05:34:00 +00:00
|
|
|
% \usepackage{beamerthemeshadow}
|
2005-04-16 20:47:33 +00:00
|
|
|
|
2005-04-18 05:34:00 +00:00
|
|
|
% Love from spoon
|
|
|
|
\newcommand{\pdfpart}[1]{\label{pdfpart-#1}\pdfbookmark[0]{#1}{pdfpart-#1}\part{#1}}
|
|
|
|
\newenvironment{sitemize}{\vspace{1mm}\begin{itemize}\itemsep 4pt\small}{\end{itemize}}
|
2005-04-16 20:47:33 +00:00
|
|
|
|
2005-04-18 05:34:00 +00:00
|
|
|
% Presentation meta-information
|
2005-04-18 08:35:47 +00:00
|
|
|
\title{Advances in Exploit Technology}
|
2005-04-18 05:34:00 +00:00
|
|
|
\author[hdm \& spoonm] {hdm \& spoonm}
|
|
|
|
\date[CSW 2005] {CanSecWest, 2005}
|
2005-04-18 08:35:47 +00:00
|
|
|
\subject{Advances in Exploit Technology}
|
2005-04-16 20:47:33 +00:00
|
|
|
|
2005-04-18 05:34:00 +00:00
|
|
|
% Add a spacer between each part
|
|
|
|
\AtBeginPart{\frame{\partpage}}
|
2005-04-16 20:47:33 +00:00
|
|
|
|
2005-04-18 05:34:00 +00:00
|
|
|
% Turn off the navigation on the bottom yo
|
|
|
|
\setbeamertemplate{navigation symbols}{}
|
2005-04-16 20:47:33 +00:00
|
|
|
|
2005-04-18 05:34:00 +00:00
|
|
|
% Kick this sucker open
|
|
|
|
\begin{document}
|
2005-04-16 20:47:33 +00:00
|
|
|
|
2005-04-18 05:34:00 +00:00
|
|
|
% Throw down the title
|
2005-04-22 09:08:16 +00:00
|
|
|
\begin{frame}[t]
|
2005-04-18 05:34:00 +00:00
|
|
|
\titlepage
|
|
|
|
\end{frame}
|
2005-04-16 20:47:33 +00:00
|
|
|
|
|
|
|
|
2005-04-18 05:34:00 +00:00
|
|
|
%--------------------------------------%
|
|
|
|
\pdfpart{Introduction}
|
|
|
|
%--------------------------------------%
|
2005-04-17 21:47:28 +00:00
|
|
|
|
2005-04-18 05:34:00 +00:00
|
|
|
\section{Who are we?}
|
2005-04-22 09:08:16 +00:00
|
|
|
\begin{frame}[t]
|
2005-04-18 05:34:00 +00:00
|
|
|
\frametitle{Who are we?}
|
|
|
|
|
|
|
|
\begin{sitemize}
|
|
|
|
\item spoonm
|
|
|
|
\begin{sitemize}
|
|
|
|
\item Full-time student at a Canadian university
|
|
|
|
\item Metasploit developer since late 2003
|
|
|
|
\end{sitemize}
|
|
|
|
\end{itemize}
|
|
|
|
|
|
|
|
\begin{itemize}
|
|
|
|
\item H D Moore
|
|
|
|
\begin{sitemize}
|
|
|
|
\item Full-time employee at a network security firm
|
|
|
|
\item Metasploit project founder and developer
|
|
|
|
\end{sitemize}
|
|
|
|
\end{sitemize}
|
|
|
|
\end{frame}
|
2005-04-16 20:47:33 +00:00
|
|
|
|
2005-04-18 05:34:00 +00:00
|
|
|
\section{What is Metasploit?}
|
2005-04-22 09:08:16 +00:00
|
|
|
\begin{frame}[t]
|
2005-04-18 05:34:00 +00:00
|
|
|
\frametitle{What is Metasploit?}
|
|
|
|
\begin{sitemize}
|
|
|
|
\item Research project with 8 members
|
|
|
|
\begin{sitemize}
|
|
|
|
\item Focused on improving the state of security
|
|
|
|
\item Provide information and tools for researchers
|
|
|
|
\item Resource for IDS and security tool vendors
|
|
|
|
\end{sitemize}
|
|
|
|
\end{sitemize}
|
|
|
|
|
|
|
|
\begin{sitemize}
|
|
|
|
\item Created the Metasploit Framework
|
|
|
|
\begin{sitemize}
|
|
|
|
\item Open-source exploit dev platform
|
|
|
|
\item Includes 60 exploits and 70 payloads
|
|
|
|
\item Implements ideas from everywhere
|
|
|
|
\item Currently four primary developers
|
|
|
|
\item Handful of external contributors
|
|
|
|
\end{sitemize}
|
|
|
|
\end{sitemize}
|
|
|
|
\end{frame}
|
2005-04-16 20:47:33 +00:00
|
|
|
|
2005-04-18 05:34:00 +00:00
|
|
|
\section{What is this about?}
|
2005-04-22 09:08:16 +00:00
|
|
|
\begin{frame}[t]
|
2005-04-18 05:34:00 +00:00
|
|
|
\frametitle{What is this about?}
|
|
|
|
\begin{sitemize}
|
|
|
|
\item Recent advances in exploit technology
|
2005-04-22 09:00:26 +00:00
|
|
|
\item Exploit development trends and XP SP2
|
2005-04-22 09:08:16 +00:00
|
|
|
\item Interesting post-exploitation techniques
|
|
|
|
\item Improving the exploit randomness
|
2005-04-18 05:34:00 +00:00
|
|
|
\item Metasploit Framework 3.0 architecture
|
|
|
|
\end{sitemize}
|
2005-04-16 20:47:33 +00:00
|
|
|
\end{frame}
|
|
|
|
|
2005-04-17 21:47:28 +00:00
|
|
|
|
2005-04-18 05:34:00 +00:00
|
|
|
%--------------------------------------%
|
|
|
|
\pdfpart{Windows Exploitation}
|
|
|
|
%--------------------------------------%
|
2005-04-17 21:47:28 +00:00
|
|
|
|
2005-04-18 08:35:47 +00:00
|
|
|
\section{Exploit Trends}
|
2005-04-22 09:08:16 +00:00
|
|
|
\begin{frame}[t]
|
2005-04-18 08:35:47 +00:00
|
|
|
\frametitle{Exploit Trends}
|
2005-04-18 05:34:00 +00:00
|
|
|
\begin{sitemize}
|
2005-04-18 08:35:47 +00:00
|
|
|
\item Public Windows exploits are still terrible...
|
|
|
|
\begin{sitemize}
|
|
|
|
\item Tons of ugly, inflexible, hardcoded crap
|
|
|
|
\item Demonstrate no knowledge of underlying flaw
|
|
|
|
\item Rarely use information leakage for system targetting
|
|
|
|
\end{sitemize}
|
|
|
|
\end{sitemize}
|
|
|
|
|
|
|
|
\pause
|
|
|
|
\begin{sitemize}
|
|
|
|
\item ...but they have improved over the last year!
|
|
|
|
\begin{sitemize}
|
|
|
|
\item More exploits are supporting multiple payloads
|
|
|
|
\item Return addresses are more reliable
|
|
|
|
\item Payloads are getting slightly less ghetto
|
|
|
|
\end{sitemize}
|
2005-04-18 05:34:00 +00:00
|
|
|
\end{sitemize}
|
2005-04-16 20:47:33 +00:00
|
|
|
\end{frame}
|
|
|
|
|
2005-04-22 09:08:16 +00:00
|
|
|
\begin{frame}[t]
|
2005-04-18 08:35:47 +00:00
|
|
|
\frametitle{PoC Community}
|
|
|
|
|
|
|
|
\begin{sitemize}
|
|
|
|
\item The number of people capable of writing exploits is going up...
|
|
|
|
\begin{sitemize}
|
|
|
|
\item Nearly 250 PoC authors in 2004 (packetstorm, etc)
|
|
|
|
\item Win32 exploit dev information has hit critical mass
|
2005-04-22 09:00:26 +00:00
|
|
|
\item Exploit development training is in high demand
|
2005-04-18 08:35:47 +00:00
|
|
|
\end{sitemize}
|
|
|
|
\end{sitemize}
|
|
|
|
|
|
|
|
\pause
|
|
|
|
\begin{sitemize}
|
|
|
|
\item ...but the number of "hard" exploits made public is the same
|
|
|
|
\begin{sitemize}
|
|
|
|
\item People are lazy, skilled people tend to horde their code
|
|
|
|
\item Example: Microsoft ASN.1 Bit String Heap Corruption
|
|
|
|
\item Most "difficult" exploits are disclosed due to leaks
|
|
|
|
\item Win32 kernel exploits are still the domain of a few :-)
|
|
|
|
\end{sitemize}
|
|
|
|
\end{sitemize}
|
|
|
|
\end{frame}
|
2005-04-18 05:34:00 +00:00
|
|
|
|
|
|
|
\section{Windows XP SP2}
|
2005-04-22 09:08:16 +00:00
|
|
|
\begin{frame}[t]
|
2005-04-18 08:35:47 +00:00
|
|
|
\frametitle{Windows XP SP2}
|
|
|
|
\begin{sitemize}
|
|
|
|
\item Microsoft's "patch of the year" for 2004
|
|
|
|
\begin{sitemize}
|
|
|
|
\item SP2 included a handful of anti-exploit changes
|
|
|
|
\item The important ones were already in 2003
|
2005-04-22 09:00:26 +00:00
|
|
|
\begin{sitemize}
|
|
|
|
\item Use of registered system exception handlers
|
|
|
|
\item Core services compiled with stack protection
|
|
|
|
\end{sitemize}
|
|
|
|
\item Page protection is still dependent on hardware
|
2005-04-18 08:35:47 +00:00
|
|
|
\end{sitemize}
|
|
|
|
\end{sitemize}
|
|
|
|
\end{frame}
|
|
|
|
|
2005-04-22 09:08:16 +00:00
|
|
|
\begin{frame}[t]
|
2005-04-18 08:35:47 +00:00
|
|
|
\frametitle{Metasploit and SP2}
|
|
|
|
\begin{sitemize}
|
|
|
|
\item Exploit development barely affected by SP2
|
2005-04-22 09:00:26 +00:00
|
|
|
\item A handful of XP SP2 and 2003 SEH return addresses
|
2005-04-18 08:35:47 +00:00
|
|
|
\item Third-parties are not using Visual Studio 7
|
|
|
|
\begin{sitemize}
|
2005-04-22 09:00:26 +00:00
|
|
|
\item Most commercial applications do not use /GS
|
|
|
|
\item Have yet to see one that uses Registered SEH
|
2005-04-18 08:35:47 +00:00
|
|
|
\end{sitemize}
|
|
|
|
\end{sitemize}
|
|
|
|
\end{frame}
|
2005-04-18 05:34:00 +00:00
|
|
|
|
|
|
|
|
2005-04-22 09:00:26 +00:00
|
|
|
\begin{comment}
|
2005-04-18 05:34:00 +00:00
|
|
|
%--------------------------------------%
|
|
|
|
\pdfpart{Mac OS X Exploitation}
|
|
|
|
%--------------------------------------%
|
|
|
|
|
2005-04-22 09:00:26 +00:00
|
|
|
\section{PowerPC Processor}
|
2005-04-22 09:08:16 +00:00
|
|
|
\begin{frame}[t]
|
2005-04-18 05:34:00 +00:00
|
|
|
\frametitle{PowerPC Contraints}
|
|
|
|
\begin{sitemize}
|
2005-04-22 09:00:26 +00:00
|
|
|
\item Mac OS X runs on the PowerPC processor
|
|
|
|
\begin{sitemize}
|
|
|
|
\item PowerPC uses fixed-width 32-bit instructions
|
|
|
|
\item Data and instruction caches are independent
|
|
|
|
\item The instruction cache runs in "incoherent" mode
|
|
|
|
\end{sitemize}
|
|
|
|
\pause
|
|
|
|
|
|
|
|
\item Stack overflows need to return twice to be exploitable
|
2005-04-18 05:34:00 +00:00
|
|
|
\item (Similar to exploits on SPARCs, etc)
|
|
|
|
\end{sitemize}
|
2005-04-16 20:47:33 +00:00
|
|
|
\end{frame}
|
|
|
|
|
2005-05-05 15:39:41 +00:00
|
|
|
%%%% FIXME
|
|
|
|
% These two slides repeat the same 3 bullets or something...
|
|
|
|
% Also, talk about your new flush foo!
|
|
|
|
%%%%
|
|
|
|
|
2005-04-18 05:34:00 +00:00
|
|
|
\section{Exploits are annoying}
|
2005-04-22 09:08:16 +00:00
|
|
|
\begin{frame}[t]
|
2005-04-18 05:34:00 +00:00
|
|
|
\frametitle{Exploits are annoying }
|
|
|
|
\begin{sitemize}
|
|
|
|
\item Double-return means having to patch other pointers
|
|
|
|
\item Code which calls \_exit before sometimes unexploitable
|
|
|
|
\item Shellcode must be placed into location not in i-cache
|
|
|
|
\item Exploits can have different results between diff CPUs
|
|
|
|
\end{sitemize}
|
|
|
|
\end{frame}
|
|
|
|
|
|
|
|
\section{Shellcode issues}
|
2005-04-22 09:08:16 +00:00
|
|
|
\begin{frame}[t]
|
2005-04-18 05:34:00 +00:00
|
|
|
\frametitle{Shellcode issues }
|
|
|
|
\begin{sitemize}
|
|
|
|
\item Double-return means having to patch other pointers
|
|
|
|
\item Shellcode must be placed into location not in i-cache
|
|
|
|
\item Exploits can have different results between diff CPUs
|
|
|
|
\end{sitemize}
|
|
|
|
\end{frame}
|
2005-04-22 09:00:26 +00:00
|
|
|
\end{comment}
|
2005-04-18 05:34:00 +00:00
|
|
|
|
|
|
|
%--------------------------------------%
|
|
|
|
\pdfpart{Return Addresses}
|
|
|
|
%--------------------------------------%
|
|
|
|
|
|
|
|
\section{Reliability}
|
2005-04-22 09:08:16 +00:00
|
|
|
\begin{frame}[t]
|
2005-04-18 08:35:47 +00:00
|
|
|
\frametitle{Return Address Reliability}
|
2005-04-18 05:34:00 +00:00
|
|
|
\begin{sitemize}
|
|
|
|
\item An exploit is only as good as the return address it uses
|
|
|
|
\item Many vulnerabilities only allow one exploit attempt
|
|
|
|
\item Returning directly to shellcode is not always possible
|
|
|
|
\begin{sitemize}
|
|
|
|
\item Most Windows exploits use a "bounce" address
|
|
|
|
\item Indirect returns are useful on other platforms as well
|
|
|
|
\end{sitemize}
|
|
|
|
\end{sitemize}
|
|
|
|
\end{frame}
|
|
|
|
|
|
|
|
\section{Windows Addresses}
|
2005-04-22 09:08:16 +00:00
|
|
|
\begin{frame}[t]
|
2005-04-18 05:34:00 +00:00
|
|
|
\frametitle{Windows Return Addresses}
|
|
|
|
\begin{sitemize}
|
|
|
|
\item Windows stack addresses are usually not predictable
|
2005-04-22 03:15:05 +00:00
|
|
|
\item Executable and library addresses {\em are} predictable
|
2005-04-18 05:34:00 +00:00
|
|
|
\begin{sitemize}
|
|
|
|
\item System libraries are often static between patch levels
|
|
|
|
\item Application libraries change even less frequently
|
|
|
|
\item Executable addresses only change between app versions
|
|
|
|
\end{sitemize}
|
|
|
|
\end{sitemize}
|
|
|
|
|
|
|
|
\begin{sitemize}
|
|
|
|
\item Static system libraries can go a long way...
|
|
|
|
\pause
|
|
|
|
\item A great example is the "ws2help.dll" library:
|
|
|
|
\begin{sitemize}
|
|
|
|
\item Static across all versions of Windows 2000
|
|
|
|
\item Static across Windows XP SP0 and SP1
|
|
|
|
\item Used in dozens of exploits in the Framework
|
|
|
|
\end{sitemize}
|
|
|
|
\end{sitemize}
|
|
|
|
\end{frame}
|
|
|
|
|
2005-04-18 08:35:47 +00:00
|
|
|
\begin{frame}[fragile]
|
|
|
|
\frametitle{The Magic SEH}
|
|
|
|
\begin{sitemize}
|
|
|
|
\item Stack overflows rarely exploit return address overwrites
|
|
|
|
\item Overwriting the structured exception handler (SEH) is easier
|
|
|
|
\item The first exception causes smashed SEH to be called
|
|
|
|
\item SEH frame can exist before or after the return address
|
|
|
|
\end{sitemize}
|
|
|
|
{\footnotesize
|
|
|
|
\begin{verbatim}
|
|
|
|
/* Struction Exception Handler */
|
|
|
|
typedef struct _EXCEPTION_REGISTRATION
|
|
|
|
{
|
|
|
|
struct _EXCEPTION_REGISTRATION* prev;
|
|
|
|
PEXCEPTION_HANDLER handler;
|
|
|
|
} EXCEPTION_REGISTRATION, *PEXCEPTION_REGISTRATION;
|
|
|
|
\end{verbatim}
|
|
|
|
}
|
|
|
|
\end{frame}
|
|
|
|
|
|
|
|
|
|
|
|
\begin{frame}[fragile]
|
|
|
|
\frametitle{The Magic SEH}
|
|
|
|
\begin{sitemize}
|
|
|
|
\item Overwrite the frame, trigger exception, got EIP :-)
|
|
|
|
\item The prototype for the SEH function is:
|
|
|
|
\end{sitemize}
|
|
|
|
{\footnotesize
|
|
|
|
\begin{verbatim}
|
|
|
|
EXCEPTION_DISPOSITION
|
|
|
|
__cdecl _except_handler(
|
|
|
|
struct _EXCEPTION_RECORD *ExceptionRecord,
|
|
|
|
void * EstablisherFrame,
|
|
|
|
struct _CONTEXT *ContextRecord,
|
|
|
|
void * DispatcherContext );
|
|
|
|
\end{verbatim}
|
|
|
|
}
|
|
|
|
\pause
|
|
|
|
\begin{sitemize}
|
|
|
|
\item \texttt{EstablisherFrame} points 4 bytes before handler address
|
|
|
|
\pause
|
2005-04-22 09:00:26 +00:00
|
|
|
\item Passed to exeception handler function \texttt{[esp+8]}
|
|
|
|
\pause
|
|
|
|
\item Return back to code via \texttt{pop reg, pop reg, ret}
|
2005-04-18 08:35:47 +00:00
|
|
|
\pause
|
2005-04-22 09:00:26 +00:00
|
|
|
\item The pop + pop + ret combination is easy to find in memory
|
2005-04-18 08:35:47 +00:00
|
|
|
\pause
|
2005-04-22 09:00:26 +00:00
|
|
|
\item Registered SEH and Windows XP/2003 limit this type of abuse
|
2005-04-18 08:35:47 +00:00
|
|
|
\end{sitemize}
|
|
|
|
\end{frame}
|
2005-04-18 05:34:00 +00:00
|
|
|
|
|
|
|
\section{Unix Addresses}
|
2005-04-22 09:08:16 +00:00
|
|
|
\begin{frame}[t]
|
2005-04-18 05:34:00 +00:00
|
|
|
\frametitle{Unix Return Addresses}
|
|
|
|
|
|
|
|
\begin{sitemize}
|
|
|
|
\item Linux and BSD
|
|
|
|
\begin{sitemize}
|
|
|
|
\item Library addresses are usually not predictable
|
|
|
|
\item Every executable has a static load address
|
|
|
|
\begin{sitemize}
|
2005-05-05 16:14:06 +00:00
|
|
|
\item Every distribution compiles its own binaries
|
2005-04-18 05:34:00 +00:00
|
|
|
\item Exploits must target specific versions and operating systems
|
|
|
|
\item Commercial (binary-only) applications are mostly static
|
|
|
|
\end{sitemize}
|
|
|
|
\end{sitemize}
|
|
|
|
\end{sitemize}
|
|
|
|
|
|
|
|
\pause
|
|
|
|
\begin{sitemize}
|
|
|
|
\item Commercial Unix
|
|
|
|
\begin{sitemize}
|
|
|
|
\item Library addresses are sometimes predictable
|
|
|
|
\item Every executable has a static load address
|
|
|
|
\begin{sitemize}
|
|
|
|
\item These addresses are static per package version
|
|
|
|
\item Windows-style return addresses work well
|
|
|
|
\item This includes Mac OS X, Solaris, HP-UX, AIX, etc
|
|
|
|
\end{sitemize}
|
|
|
|
\end{sitemize}
|
|
|
|
\end{sitemize}
|
|
|
|
\end{frame}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
\section{Analysis Tools}
|
2005-04-22 09:08:16 +00:00
|
|
|
\begin{frame}[t]
|
2005-04-18 05:34:00 +00:00
|
|
|
\frametitle{Analysis Methods}
|
|
|
|
\begin{sitemize}
|
|
|
|
\item Finding solid return addresses involves a few steps
|
|
|
|
\begin{sitemize}
|
|
|
|
\item Load the executable or library into memory
|
|
|
|
\item Determine all permutations of the desired opcode
|
|
|
|
\item Search memory contents to find these bytes
|
|
|
|
\item Determine the virtual address for each offset
|
|
|
|
\end{sitemize}
|
|
|
|
\end{sitemize}
|
|
|
|
|
|
|
|
\pause
|
|
|
|
\begin{sitemize}
|
|
|
|
\item Many people use a debugger to accomplish this task
|
|
|
|
\begin{sitemize}
|
|
|
|
\item This is a tedious process to do manually
|
|
|
|
\item Limited to one version at a time, even with a plugin
|
|
|
|
\item Requires the installation of each tested version
|
|
|
|
\end{sitemize}
|
|
|
|
\end{sitemize}
|
2005-04-16 20:47:33 +00:00
|
|
|
\end{frame}
|
|
|
|
|
2005-04-22 09:08:16 +00:00
|
|
|
\begin{frame}[t]
|
2005-04-22 09:00:26 +00:00
|
|
|
\frametitle{msfpescan}
|
2005-04-18 05:34:00 +00:00
|
|
|
\begin{sitemize}
|
|
|
|
\item msfpescan - a utility included in the Metasploit Framework
|
|
|
|
\begin{sitemize}
|
|
|
|
\item Can analyze any PE executable or DLL in offline mode
|
|
|
|
\item Simple to automate and cross-reference results
|
|
|
|
\item Does not require a Windows system to run
|
|
|
|
\item Easily analyze multiple versions on the command line
|
|
|
|
\item Capable of dumping other information as well
|
|
|
|
\begin{sitemize}
|
|
|
|
\item Imports, Exports, and IAT addresses
|
|
|
|
\item Resource information, internal versions
|
|
|
|
\item Standard PE header information
|
|
|
|
\end{sitemize}
|
|
|
|
\end{sitemize}
|
|
|
|
\end{sitemize}
|
|
|
|
\end{frame}
|
|
|
|
|
|
|
|
\begin{frame}[fragile]
|
|
|
|
\frametitle{Using msfpescan to find addresses}
|
|
|
|
\begin{sitemize}
|
|
|
|
\item Install the Metasploit Framework (2.3 or newer)
|
|
|
|
\item Place your target executable or DLL into some directory
|
|
|
|
\item Use msfpescan to quickly find return addresses:
|
|
|
|
\end{sitemize}
|
|
|
|
|
|
|
|
{\footnotesize
|
|
|
|
\begin{verbatim}
|
|
|
|
# Locate any form of pop/pop/ret opcodes
|
|
|
|
$ msfpescan -f mod_oiplus.dll -s
|
|
|
|
0x1001413c esi edi ret
|
|
|
|
0x10009ea2 esi ecx ret
|
|
|
|
0x100113bd esi ebx ret
|
|
|
|
|
|
|
|
# Locate any opcodes that take us to [eax]
|
|
|
|
$ msfpescan -f mod_oiplus.dll -j eax
|
|
|
|
0x1000969d push eax
|
|
|
|
0x100141a3 jmp eax
|
|
|
|
0x10010e69 call eax
|
|
|
|
\end{verbatim}
|
|
|
|
}
|
|
|
|
\end{frame}
|
|
|
|
|
2005-04-22 09:08:16 +00:00
|
|
|
\begin{frame}[t]
|
2005-04-18 05:34:00 +00:00
|
|
|
\frametitle{Opcode Databases}
|
|
|
|
\begin{sitemize}
|
|
|
|
\item Contains opcodes across every executable and DLL in Windows
|
|
|
|
\item The new version includes over nine million records
|
|
|
|
\item Data is generated directly from the files themselves
|
2005-04-22 09:00:26 +00:00
|
|
|
\item Quickly cross-reference return addresses over the entire DB
|
2005-04-18 05:34:00 +00:00
|
|
|
\item Publicly available from http://www.metasploit.com/
|
|
|
|
\end{sitemize}
|
|
|
|
\end{frame}
|
2005-04-16 20:47:33 +00:00
|
|
|
|
2005-04-22 09:08:16 +00:00
|
|
|
\begin{frame}[t]
|
2005-04-22 09:00:26 +00:00
|
|
|
\frametitle{Future Development}
|
|
|
|
\begin{sitemize}
|
|
|
|
\item Context-aware return address discovery
|
|
|
|
\begin{sitemize}
|
|
|
|
\item Demonstrated by eEye at Black Hat 2004
|
|
|
|
\item Similar project in development from Metasploit
|
|
|
|
\end{sitemize}
|
|
|
|
\end{sitemize}
|
|
|
|
\pause
|
|
|
|
|
2005-04-18 05:34:00 +00:00
|
|
|
\begin{sitemize}
|
|
|
|
\item Executable analysis tools for Solaris, Mac OS X, Linux, BSD
|
2005-04-22 09:00:26 +00:00
|
|
|
\begin{sitemize}
|
|
|
|
\item Usefulness limited compared to Windows platform
|
|
|
|
\item Static libraries are great for cross-version exploits
|
|
|
|
\end{sitemize}
|
2005-04-18 05:34:00 +00:00
|
|
|
\end{sitemize}
|
|
|
|
\end{frame}
|
2005-04-16 20:47:33 +00:00
|
|
|
|
|
|
|
|
2005-04-18 05:34:00 +00:00
|
|
|
%--------------------------------------%
|
|
|
|
\pdfpart{Post-Exploitation}
|
|
|
|
%--------------------------------------%
|
2005-04-16 20:47:33 +00:00
|
|
|
|
2005-04-18 05:34:00 +00:00
|
|
|
\section{Windows Payloads}
|
|
|
|
|
2005-04-22 09:08:16 +00:00
|
|
|
\begin{frame}[t]
|
2005-04-18 05:34:00 +00:00
|
|
|
\frametitle{The Meterpreter}
|
|
|
|
\begin{sitemize}
|
|
|
|
\item Windows version uses in-memory DLL injection techniques
|
|
|
|
\item Dynamically extensible over the network
|
|
|
|
\item Extensions are standard Windows DLLs
|
|
|
|
\item Loading an extension updates available commands
|
|
|
|
\item Support for network encryption
|
|
|
|
\item Huge feature set in the public version
|
|
|
|
\begin{sitemize}
|
|
|
|
\item Upload, download, and list files
|
|
|
|
\item List, create, and kill processes
|
|
|
|
\item Spawn "channelized" commands in the background
|
|
|
|
\item Create port forwarding channels to pivot attacks
|
|
|
|
\end{sitemize}
|
|
|
|
\end{sitemize}
|
|
|
|
\end{frame}
|
2005-04-16 20:47:33 +00:00
|
|
|
|
2005-04-22 09:08:16 +00:00
|
|
|
\begin{frame}[t]
|
2005-04-22 09:00:26 +00:00
|
|
|
\frametitle{Ordinal-based Payload Stagers}
|
2005-04-18 05:34:00 +00:00
|
|
|
\begin{sitemize}
|
2005-04-22 09:00:26 +00:00
|
|
|
\item Techniques borrowed from Oded's lightning talk from core04
|
|
|
|
\item 92 bytes and works on every Windows OS and SP
|
|
|
|
\item Staging system can chain any other Windows payload
|
|
|
|
\item Implementation also has a few size reductions:
|
|
|
|
\begin{sitemize}
|
|
|
|
\item Optimized module walked finds ws2\_32.dll
|
|
|
|
\item Functions are loaded from base + ordinal offset
|
|
|
|
\item Chained calls return to the next function
|
|
|
|
\end{sitemize}
|
2005-04-18 05:34:00 +00:00
|
|
|
\end{sitemize}
|
2005-04-17 02:55:24 +00:00
|
|
|
\end{frame}
|
2005-04-16 20:47:33 +00:00
|
|
|
|
2005-04-22 09:08:16 +00:00
|
|
|
\begin{frame}[t]
|
2005-04-18 05:34:00 +00:00
|
|
|
\frametitle{PassiveX}
|
|
|
|
\begin{sitemize}
|
|
|
|
\item Payload modifies registry and launches IE
|
|
|
|
\item IE loads custom ActiveX control to stage the payload
|
|
|
|
\item Communications channel is via HTTP requests
|
2005-04-22 09:00:26 +00:00
|
|
|
\begin{sitemize}
|
|
|
|
\item Uses standard IE proxy and auth settings
|
|
|
|
\item Useful on heavily firewalled DMZ hosts
|
|
|
|
\item Providers bi-directional channel for next stage
|
|
|
|
\end{sitemize}
|
|
|
|
\end{sitemize}
|
|
|
|
|
|
|
|
\begin{sitemize}
|
2005-04-18 05:34:00 +00:00
|
|
|
\item Can be used to inject VNC, Meterpreter, etc
|
2005-04-22 09:00:26 +00:00
|
|
|
\item Fully-functional and part of version 2.4
|
2005-04-18 05:34:00 +00:00
|
|
|
\end{sitemize}
|
2005-04-17 21:47:28 +00:00
|
|
|
\end{frame}
|
2005-04-18 05:34:00 +00:00
|
|
|
|
|
|
|
|
|
|
|
\section{Unix Payloads}
|
|
|
|
|
2005-04-22 09:08:16 +00:00
|
|
|
\begin{frame}[t]
|
2005-04-22 09:00:26 +00:00
|
|
|
\frametitle{Other Network Stagers}
|
2005-04-18 05:34:00 +00:00
|
|
|
\begin{sitemize}
|
|
|
|
\item UDP-based stager and network shell for Linux
|
|
|
|
\item UDP-based DNS request staging system
|
2005-04-22 09:00:26 +00:00
|
|
|
\begin{sitemize}
|
|
|
|
\item UDP shell depends on the bash --noediting option
|
|
|
|
\item Can pass through strict firewall rulesets
|
|
|
|
\end{sitemize}
|
|
|
|
\end{sitemize}
|
|
|
|
|
|
|
|
\begin{sitemize}
|
2005-04-18 05:34:00 +00:00
|
|
|
\item ICMP-based listener and "reverse" payloads
|
2005-04-22 09:00:26 +00:00
|
|
|
\item Findsock stagers being replaced by "findrecvtag"
|
|
|
|
\item Source code included in Metasploit Framework
|
2005-04-18 05:34:00 +00:00
|
|
|
\end{sitemize}
|
|
|
|
\end{frame}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
%--------------------------------------%
|
2005-04-22 09:00:26 +00:00
|
|
|
\pdfpart{Improving Attack Randomness}
|
2005-04-18 05:34:00 +00:00
|
|
|
%--------------------------------------%
|
2005-04-16 20:47:33 +00:00
|
|
|
|
2005-04-22 09:08:16 +00:00
|
|
|
%\begin{frame}[t]
|
2005-04-22 09:00:26 +00:00
|
|
|
% \frametitle{Outline}
|
|
|
|
% \tableofcontents
|
|
|
|
%\end{frame}
|
2005-04-16 20:47:33 +00:00
|
|
|
|
2005-04-17 18:32:41 +00:00
|
|
|
\section{Introduction}
|
2005-04-22 09:08:16 +00:00
|
|
|
\begin{frame}[t]
|
2005-04-22 09:00:26 +00:00
|
|
|
\frametitle{Introduction}
|
|
|
|
|
2005-04-17 23:05:05 +00:00
|
|
|
\begin{sitemize}
|
2005-04-22 09:00:26 +00:00
|
|
|
\item Randomness, who cares?
|
2005-04-17 23:05:05 +00:00
|
|
|
\begin{sitemize}
|
2005-04-22 09:00:26 +00:00
|
|
|
\item Make IDS analysts work for their paycheck
|
|
|
|
\item Uncover flaws in your exploit code
|
2005-04-17 23:05:05 +00:00
|
|
|
\end{sitemize}
|
2005-04-17 18:32:41 +00:00
|
|
|
\pause
|
2005-04-22 09:00:26 +00:00
|
|
|
\end{sitemize}
|
|
|
|
|
|
|
|
\begin{sitemize}
|
2005-04-18 05:34:00 +00:00
|
|
|
\item Adding randomness to exploit code
|
|
|
|
\begin{sitemize}
|
2005-04-22 09:00:26 +00:00
|
|
|
\item Modify attacks by setting protocol options
|
|
|
|
\item Randmomize all padding and non-critical data
|
|
|
|
\item Helper functions for different types of random data
|
2005-04-18 05:34:00 +00:00
|
|
|
\end{sitemize}
|
2005-04-22 09:00:26 +00:00
|
|
|
\pause
|
|
|
|
\end{sitemize}
|
|
|
|
|
|
|
|
\begin{sitemize}
|
2005-04-17 18:32:41 +00:00
|
|
|
\item Adding randomness to machine code
|
2005-04-17 23:05:05 +00:00
|
|
|
\begin{sitemize}
|
2005-04-22 09:00:26 +00:00
|
|
|
\item Avoid "static" payload encoding systems
|
|
|
|
\item Substitute like instructions and reorder tasks
|
|
|
|
\item Randomize nop sleds and any other opcode fills
|
2005-04-17 23:05:05 +00:00
|
|
|
\end{sitemize}
|
|
|
|
\end{sitemize}
|
2005-04-22 09:00:26 +00:00
|
|
|
|
2005-04-17 18:32:41 +00:00
|
|
|
\end{frame}
|
2005-04-16 20:47:33 +00:00
|
|
|
|
2005-04-29 05:01:55 +00:00
|
|
|
\begin{frame}[t]
|
|
|
|
\frametitle{Polymorphism}
|
|
|
|
\begin{sitemize}
|
2005-05-04 01:59:55 +00:00
|
|
|
\item Viruses morphed to evade signature anti-virus
|
|
|
|
\item Shellcode doesn't morph, isn't really polymorphic
|
|
|
|
\item Generators produce functionally equivalent permutations
|
2005-05-05 15:39:41 +00:00
|
|
|
\item Simple examples: random 0x90 nops, add/sub switching
|
2005-04-29 05:01:55 +00:00
|
|
|
\end{sitemize}
|
|
|
|
\end{frame}
|
|
|
|
|
2005-04-27 18:37:24 +00:00
|
|
|
\section{Conservative "Polymorphism"}
|
|
|
|
|
2005-05-02 01:34:39 +00:00
|
|
|
\subsection{CLET}
|
|
|
|
|
2005-04-29 05:01:55 +00:00
|
|
|
% clet was in phrack 61..
|
2005-04-27 18:37:24 +00:00
|
|
|
\begin{frame}[t]
|
2005-04-29 05:01:55 +00:00
|
|
|
%%
|
|
|
|
\frametitle{CLET}
|
|
|
|
%%
|
2005-04-27 18:37:24 +00:00
|
|
|
\begin{sitemize}
|
2005-04-29 05:01:55 +00:00
|
|
|
\item Generates permutations of decoder stubs
|
|
|
|
\item Inserts reversing instructions, nop equivalents
|
2005-05-02 01:40:37 +00:00
|
|
|
\item All decoders are C code to generate themselves
|
2005-04-27 18:37:24 +00:00
|
|
|
\pause
|
|
|
|
\item Pros:
|
|
|
|
\begin{sitemize}
|
2005-04-29 05:01:55 +00:00
|
|
|
\item Well thought out - analyzed attacks against NIDS
|
|
|
|
\item Mathematica files output, mathy backing
|
2005-04-27 18:37:24 +00:00
|
|
|
\item Specturm analysis - push sled to byte distribution
|
|
|
|
\end{sitemize}
|
|
|
|
\pause
|
|
|
|
\item Cons:
|
|
|
|
\begin{sitemize}
|
2005-05-04 01:59:55 +00:00
|
|
|
\item Complicated system, really hard to build upon
|
2005-04-29 05:01:55 +00:00
|
|
|
\item Decoder generation isn't that great
|
2005-04-27 18:37:24 +00:00
|
|
|
\item Making compromises for size/robustness
|
|
|
|
\end{sitemize}
|
2005-04-29 05:01:55 +00:00
|
|
|
\end{sitemize}
|
|
|
|
\end{frame}
|
|
|
|
|
2005-05-02 01:34:39 +00:00
|
|
|
\subsection{Pex::Poly}
|
|
|
|
|
2005-04-29 05:01:55 +00:00
|
|
|
\begin{frame}[t]
|
|
|
|
%%
|
|
|
|
\frametitle{Metasploit Pex::Poly}
|
|
|
|
%%
|
|
|
|
\begin{sitemize}
|
|
|
|
\item "Conservative Polymorphism"
|
|
|
|
\item Uses the inherit variability in shellcode
|
2005-05-02 01:47:37 +00:00
|
|
|
\pause
|
2005-04-27 18:37:24 +00:00
|
|
|
\item Pros:
|
|
|
|
\begin{sitemize}
|
2005-04-29 05:01:55 +00:00
|
|
|
\item Polymorphizing code is pretty easy
|
2005-04-27 18:37:24 +00:00
|
|
|
\item No size or functionality compromises
|
|
|
|
\item Bad character and register avoidence
|
|
|
|
\end{sitemize}
|
2005-05-02 01:47:37 +00:00
|
|
|
\pause
|
2005-04-27 18:37:24 +00:00
|
|
|
\item Cons:
|
|
|
|
\begin{sitemize}
|
2005-04-29 05:01:55 +00:00
|
|
|
\item Less thought out, NIDS attacks not deeply analyzed
|
2005-04-27 18:37:24 +00:00
|
|
|
\item Hard to push to arbitrary byte distribution
|
2005-04-29 05:01:55 +00:00
|
|
|
\item Less "polymorphism", more restrictions
|
2005-04-27 18:37:24 +00:00
|
|
|
\end{sitemize}
|
|
|
|
\end{sitemize}
|
|
|
|
\end{frame}
|
|
|
|
|
|
|
|
\begin{frame}[t]
|
|
|
|
\frametitle{Implementation - Pex::Poly}
|
|
|
|
\begin{sitemize}
|
|
|
|
\item "Blocks" are dependency graph nodes
|
|
|
|
\item "Blocks" consist of 0 or more possibilities
|
2005-04-29 05:01:55 +00:00
|
|
|
\item Register pool assignment (mov reg1, reg2)
|
2005-05-05 15:39:41 +00:00
|
|
|
\item Gained robustness as a nice effect
|
2005-05-02 01:47:37 +00:00
|
|
|
\pause
|
2005-04-27 18:37:24 +00:00
|
|
|
\item Current implementation
|
|
|
|
\begin{sitemize}
|
2005-04-29 05:01:55 +00:00
|
|
|
\item Current system is a bit ugly
|
|
|
|
\item Hard without writing a real assembler
|
2005-04-27 18:37:24 +00:00
|
|
|
\item Want it to be fairly fast
|
2005-04-29 05:01:55 +00:00
|
|
|
\pause
|
2005-04-27 18:37:24 +00:00
|
|
|
\item Pex::Poly has 3 phases
|
|
|
|
\item Dependency iteration and block selection
|
|
|
|
\item Instruction offset calculations
|
|
|
|
\item Instruction register assignment
|
|
|
|
\end{sitemize}
|
2005-04-28 23:45:54 +00:00
|
|
|
\end{sitemize}
|
2005-04-27 18:37:24 +00:00
|
|
|
\end{frame}
|
|
|
|
|
2005-05-02 01:34:39 +00:00
|
|
|
\subsection{Shikata Ga Nai}
|
|
|
|
|
2005-04-28 23:45:54 +00:00
|
|
|
\begin{frame}[t]
|
2005-04-27 18:37:24 +00:00
|
|
|
\frametitle{Shikata Ga Nai}
|
|
|
|
\begin{sitemize}
|
2005-04-29 05:01:55 +00:00
|
|
|
\item It's too much work to polyize every payload
|
|
|
|
\item Created one decent "polymorphic" encoder
|
|
|
|
\pause
|
2005-04-27 18:37:24 +00:00
|
|
|
\item Noir's FPU geteip technique
|
|
|
|
\item Approximately 1.3 million permutations
|
|
|
|
\item Additive feedback xor, encodes it's own end
|
|
|
|
\item 27 bytes for the stub, 4 key, 4 encoded
|
|
|
|
\end{sitemize}
|
|
|
|
\end{frame}
|
2005-04-16 20:47:33 +00:00
|
|
|
|
2005-04-17 04:33:08 +00:00
|
|
|
\newcommand{\incshi}[1]{\includegraphics[height=3in]{#1}}
|
|
|
|
|
2005-04-22 09:08:16 +00:00
|
|
|
\begin{frame}[t]
|
2005-04-27 18:37:24 +00:00
|
|
|
\frametitle{Shikata dependency iteration}
|
2005-04-17 04:33:08 +00:00
|
|
|
\only<9>{\incshi{shi8}}
|
|
|
|
\only<8>{\incshi{shi7}}
|
|
|
|
\only<7>{\incshi{shi6}}
|
|
|
|
\only<6>{\incshi{shi5}}
|
|
|
|
\only<5>{\incshi{shi4}}
|
|
|
|
\only<4>{\incshi{shi3}}
|
|
|
|
\only<3>{\incshi{shi2}}
|
|
|
|
\only<2>{\incshi{shi1}}
|
|
|
|
\only<1>{\incshi{shi0}}
|
2005-04-17 03:08:23 +00:00
|
|
|
\end{frame}
|
|
|
|
|
2005-04-28 23:45:54 +00:00
|
|
|
\begin{frame}[fragile]
|
|
|
|
\frametitle{Example output}
|
|
|
|
|
|
|
|
\begin{onlyenv}<1>
|
|
|
|
\begin{verbatim}
|
|
|
|
00000000 BB6E887A69 mov ebx,0x697a886e
|
|
|
|
00000005 DDC4 ffree st4
|
|
|
|
00000007 D97424F4 fnstenv [esp-0xc]
|
|
|
|
0000000B 58 pop eax
|
|
|
|
0000000C 29C9 sub ecx,ecx
|
|
|
|
0000000E B101 mov cl,0x1
|
|
|
|
00000010 83E8FC sub eax,byte -0x4
|
|
|
|
00000013 31580E xor [eax+0xe],ebx
|
|
|
|
00000016 03580E add ebx,[eax+0xe]
|
|
|
|
00000019 E2F5 loop 0x10
|
|
|
|
\end{verbatim}
|
|
|
|
\end{onlyenv}
|
|
|
|
|
|
|
|
\begin{onlyenv}<2>
|
|
|
|
\begin{verbatim}
|
|
|
|
00000000 DBC1 fcmovnb st1
|
|
|
|
00000002 31C9 xor ecx,ecx
|
|
|
|
00000004 B101 mov cl,0x1
|
|
|
|
00000006 D97424F4 fnstenv [esp-0xc]
|
|
|
|
0000000A 5B pop ebx
|
|
|
|
0000000B BAC8E2C8F8 mov edx,0xf8c8e2c8
|
|
|
|
00000010 83C304 add ebx,byte +0x4
|
|
|
|
00000013 315313 xor [ebx+0x13],edx
|
|
|
|
00000016 035313 add edx,[ebx+0x13]
|
|
|
|
00000019 E2F5 loop 0x10
|
|
|
|
\end{verbatim}
|
|
|
|
\end{onlyenv}
|
|
|
|
|
|
|
|
\begin{onlyenv}<3>
|
|
|
|
\begin{verbatim}
|
|
|
|
00000000 BB7B833BB9 mov ebx,0xb93b837b
|
|
|
|
00000005 DAC0 fcmovb st0
|
|
|
|
00000007 D97424F4 fnstenv [esp-0xc]
|
|
|
|
0000000B 2BC9 sub ecx,ecx
|
|
|
|
0000000D 5E pop esi
|
|
|
|
0000000E B101 mov cl,0x1
|
|
|
|
00000010 315E12 xor [esi+0x12],ebx
|
|
|
|
00000013 83C604 add esi,byte +0x4
|
|
|
|
00000016 03 db 0x03
|
|
|
|
00000017 25 db 0x25
|
|
|
|
00000018 8D db 0x8D
|
|
|
|
00000019 D9 db 0xD9
|
|
|
|
0000001A 4C dec esp
|
|
|
|
\end{verbatim}
|
|
|
|
\end{onlyenv}
|
|
|
|
|
|
|
|
\end{frame}
|
|
|
|
|
2005-04-17 18:32:41 +00:00
|
|
|
\section{Building a Nop Sled}
|
2005-04-17 07:23:50 +00:00
|
|
|
|
2005-04-17 18:32:41 +00:00
|
|
|
\subsection{Tekneek}
|
2005-04-17 07:23:50 +00:00
|
|
|
|
2005-04-22 09:08:16 +00:00
|
|
|
\begin{frame}[t]
|
2005-04-22 09:00:26 +00:00
|
|
|
\frametitle{Multibyte Nop Sled Concept}
|
2005-04-17 23:05:05 +00:00
|
|
|
\begin{sitemize}
|
2005-04-22 09:00:26 +00:00
|
|
|
\item Optyx released multibyte nop generator at Interz0ne 1
|
|
|
|
\item Generates instructions 1 to 6 bytes long, and uses 0x66 prefix
|
2005-05-04 01:59:55 +00:00
|
|
|
\item Aligned to 1 byte, land anywhere, end up at the final target
|
2005-04-17 23:05:05 +00:00
|
|
|
\end{sitemize}
|
|
|
|
\begin{sitemize}
|
2005-04-17 18:32:41 +00:00
|
|
|
\pause
|
|
|
|
\item Builds the sled from back to front
|
2005-05-04 01:59:55 +00:00
|
|
|
\item Prepends to the sled 1 byte at a time
|
2005-04-22 09:00:26 +00:00
|
|
|
\item Generates a random byte and checks against tables
|
2005-04-17 18:32:41 +00:00
|
|
|
\pause
|
2005-04-17 23:05:05 +00:00
|
|
|
\begin{sitemize}
|
2005-04-17 18:32:41 +00:00
|
|
|
\item Is the instruction length too long?
|
|
|
|
\item Is it a valid instruction?
|
|
|
|
\item Does it have any bad bytes?
|
2005-04-22 09:00:26 +00:00
|
|
|
\item Does it modify restricted registers?
|
2005-04-17 23:05:05 +00:00
|
|
|
\end{sitemize}
|
|
|
|
\end{sitemize}
|
2005-04-17 07:23:50 +00:00
|
|
|
\end{frame}
|
|
|
|
|
|
|
|
\begin{frame}[fragile]
|
|
|
|
\frametitle{Backwardz}
|
|
|
|
{\footnotesize
|
|
|
|
\begin{semiverbatim}
|
2005-04-17 07:25:53 +00:00
|
|
|
\textbf<11>{bb} \textbf<10,11>{b0} \textbf<9,10,11>{bf} \textbf<8,9,11>{2c} \textbf<7,8,9,11>{b6} \textbf<6,7,9>{27} \textbf<5,9>{67} \textbf<4,5>{2F} \textbf<3>{4A} \textbf<2>{1b} \textbf<1,2>{f9} --- shellcode
|
2005-04-17 07:23:50 +00:00
|
|
|
| | | | | | | | | | | \textbf<1>{... stc}
|
|
|
|
| | | | | | | | | |____^ \textbf<2>{. sbb edi,ecx}
|
|
|
|
| | | | | | | | | \textbf<3>{......... dec edx}
|
|
|
|
| | | | | | | | \textbf<4>{............ das}
|
|
|
|
| | | | | | |____^ \textbf<5>{.......... a16 das}
|
|
|
|
| | | | | | \textbf<6>{.................. daa}
|
|
|
|
| | | | |____^ \textbf<7>{................ mov dh, 0x27}
|
|
|
|
| | | |____^ \textbf<8>{................... sub al, 0xb6}
|
|
|
|
| | |_____________^ \textbf<9>{............. mov edi, 0x6727b62c}
|
|
|
|
| |____^ \textbf<10>{......................... mov al, 0xbf}
|
|
|
|
|_____________^ \textbf<11>{................... mov ebx, 0xb62cbfb0}
|
|
|
|
\end{semiverbatim}
|
|
|
|
}
|
|
|
|
\end{frame}
|
|
|
|
|
2005-04-17 18:32:41 +00:00
|
|
|
\subsection{Implementation}
|
|
|
|
|
2005-05-04 01:59:55 +00:00
|
|
|
\begin{frame}
|
|
|
|
\frametitle{OptyNop2 Implementation}
|
|
|
|
\begin{sitemize}
|
|
|
|
\item Generate random byte and check against tables
|
|
|
|
\begin{sitemize}
|
|
|
|
\item Inefficent, hard to get even distributions
|
|
|
|
\end{sitemize}
|
|
|
|
\pause
|
|
|
|
|
|
|
|
\item Generate random byte and check against disassembler
|
|
|
|
\begin{sitemize}
|
|
|
|
\item Need a good disassembler
|
|
|
|
\item Same problems as tables
|
|
|
|
\end{sitemize}
|
|
|
|
\pause
|
|
|
|
|
|
|
|
\item Precompiled state transition tables
|
|
|
|
\begin{sitemize}
|
|
|
|
\item Previous byte: 0x90 -> \{0x04, 1, EAX\} ... \# add al,0x90
|
|
|
|
\pause
|
|
|
|
\item Fairly language independent, C version 100 lines
|
|
|
|
\item Very fast, simple, deterministic
|
|
|
|
\item Allows for different scoring systems, recursion...
|
|
|
|
\pause
|
|
|
|
\item Can't support multibyte opcodes, escape groups, etc
|
|
|
|
\item Tables are pretty large, about 124k
|
|
|
|
\end{sitemize}
|
|
|
|
|
|
|
|
\end{sitemize}
|
|
|
|
\end{frame}
|
|
|
|
|
2005-04-17 07:23:50 +00:00
|
|
|
\begin{frame}[fragile]
|
|
|
|
\frametitle{OptyNop2 Output}
|
|
|
|
{\footnotesize
|
|
|
|
\begin{verbatim}
|
|
|
|
$ ./waka 1000 4 5 | ndisasm -u - | head -700 | tail -20
|
|
|
|
000003B6 05419F40D4 add eax,0xd4409f41
|
|
|
|
000003BB 711C jno 0x3d9
|
|
|
|
000003BD 9B wait
|
|
|
|
000003BE 2C98 sub al,0x98
|
|
|
|
000003C0 37 aaa
|
|
|
|
000003C1 24A8 and al,0xa8
|
|
|
|
000003C3 27 daa
|
|
|
|
000003C4 E00D loopne 0x3d3
|
|
|
|
000003C6 6692 xchg ax,dx
|
|
|
|
000003C8 2F das
|
|
|
|
000003C9 49 dec ecx
|
|
|
|
000003CA B34A mov bl,0x4a
|
|
|
|
000003CC F5 cmc
|
|
|
|
000003CD BA4B257715 mov edx,0x1577254b
|
|
|
|
000003D2 700C jo 0x3e0
|
|
|
|
000003D4 C0D6B0 rcl dh,0xb0
|
|
|
|
000003D7 A9FD469342 test eax,0x429346fd
|
|
|
|
000003DC 67BBB191B23D a16 mov ebx,0x3db291b1
|
|
|
|
000003E2 1D9938FCB6 sbb eax,0xb6fc3899
|
|
|
|
000003E7 43 inc ebx
|
|
|
|
\end{verbatim}
|
|
|
|
}
|
2005-04-28 23:45:54 +00:00
|
|
|
|
2005-04-17 07:23:50 +00:00
|
|
|
\end{frame}
|
|
|
|
|
2005-04-17 18:32:41 +00:00
|
|
|
\subsection{Analysis}
|
|
|
|
|
2005-05-04 01:59:55 +00:00
|
|
|
\begin{frame}[fragile]
|
|
|
|
\frametitle{ADMmutate Distribution - 1}
|
|
|
|
\include{admtable}
|
|
|
|
\end{frame}
|
|
|
|
\begin{frame}[fragile]
|
|
|
|
\frametitle{ADMmutate Distribution - 2}
|
|
|
|
\include{admtable2}
|
|
|
|
\end{frame}
|
|
|
|
\begin{frame}[fragile]
|
|
|
|
\frametitle{OptyNop2 Distribution - 1}
|
|
|
|
\include{optytable}
|
|
|
|
\end{frame}
|
|
|
|
\begin{frame}[fragile]
|
|
|
|
\frametitle{OptyNop2 Distribution - 2}
|
|
|
|
\include{optytable2}
|
|
|
|
\end{frame}
|
|
|
|
|
2005-04-17 18:32:41 +00:00
|
|
|
\begin{frame}[fragile]
|
|
|
|
\frametitle{ADMmutate and optyx-mutate Gzip'd}
|
|
|
|
{\footnotesize
|
|
|
|
\begin{verbatim}
|
|
|
|
# ADMmutate
|
|
|
|
|
|
|
|
$ time ./nops 1000000| gzip -v >/dev/null
|
|
|
|
27.3%
|
|
|
|
real 0m0.241s
|
|
|
|
|
|
|
|
# optyx's interz0ne mutate
|
|
|
|
|
|
|
|
$ time ./driver nop 1000000 | gzip -v >/dev/null
|
|
|
|
29.7%
|
|
|
|
real 0m0.467s
|
|
|
|
\end{verbatim}
|
|
|
|
}
|
|
|
|
\end{frame}
|
|
|
|
|
2005-04-17 07:23:50 +00:00
|
|
|
\begin{frame}[fragile]
|
|
|
|
\frametitle{OptyNop2 Gzip'd}
|
|
|
|
{\footnotesize
|
|
|
|
\begin{verbatim}
|
|
|
|
# C version, save ESP and EBP
|
|
|
|
|
|
|
|
$ time ./waka 1000000 4 5 | gzip -v >/dev/null
|
|
|
|
12.2%
|
|
|
|
real 0m11.900s
|
|
|
|
|
|
|
|
# save just ESP
|
|
|
|
|
|
|
|
$ time ./waka 1000000 4 | gzip -v >/dev/null
|
|
|
|
11.7%
|
|
|
|
real 0m11.277s
|
|
|
|
|
|
|
|
# save nothing (good way to crash process)
|
|
|
|
|
|
|
|
$ time ./waka 1000000 | gzip -v >/dev/null
|
|
|
|
8.3%
|
|
|
|
real 0m12.404s
|
|
|
|
\end{verbatim}
|
|
|
|
}
|
|
|
|
\end{frame}
|
|
|
|
|
2005-04-17 18:32:41 +00:00
|
|
|
\subsection{Conclusion}
|
2005-04-22 09:08:16 +00:00
|
|
|
\begin{frame}[t]
|
2005-05-04 01:59:55 +00:00
|
|
|
%%
|
|
|
|
\frametitle{Conclusion}
|
|
|
|
%%
|
|
|
|
|
|
|
|
\begin{sitemize}
|
|
|
|
\item Benefits
|
2005-04-17 23:05:05 +00:00
|
|
|
\begin{sitemize}
|
2005-04-22 09:00:26 +00:00
|
|
|
\item Handles restricted bytes and registers
|
2005-04-17 18:32:41 +00:00
|
|
|
\item More versatile sled generation (nop stuffing, etc)
|
2005-05-04 01:59:55 +00:00
|
|
|
\item Implementation and theory are simple
|
2005-04-17 23:05:05 +00:00
|
|
|
\end{sitemize}
|
2005-05-04 01:59:55 +00:00
|
|
|
\end{sitemize}
|
|
|
|
|
|
|
|
\pause
|
|
|
|
|
|
|
|
\begin{sitemize}
|
|
|
|
\item Possible Improvements
|
2005-04-17 23:05:05 +00:00
|
|
|
\begin{sitemize}
|
2005-04-17 18:32:41 +00:00
|
|
|
\item Support processor flags (nop stuffing)
|
2005-04-22 09:00:26 +00:00
|
|
|
\item Support 2-byte opcodes and escape groups
|
|
|
|
\item Improved byte scoring systems and look-ahead
|
|
|
|
\item Output according to a given byte distribution
|
2005-05-04 01:59:55 +00:00
|
|
|
\item Reduce the table sizes, memory usage
|
|
|
|
\end{sitemize}
|
2005-04-17 23:05:05 +00:00
|
|
|
\end{sitemize}
|
2005-04-16 20:47:33 +00:00
|
|
|
\end{frame}
|
|
|
|
|
|
|
|
|
2005-04-22 09:00:26 +00:00
|
|
|
%--------------------------------------%
|
|
|
|
\pdfpart{Metasploit Framework 3.0}
|
|
|
|
%--------------------------------------%
|
|
|
|
|
2005-04-30 04:49:32 +00:00
|
|
|
\section{Introduction}
|
|
|
|
|
2005-04-22 09:08:16 +00:00
|
|
|
\begin{frame}[t]
|
2005-04-30 04:49:32 +00:00
|
|
|
%%
|
|
|
|
\frametitle{Lessons learned}
|
|
|
|
%%
|
2005-04-22 09:00:26 +00:00
|
|
|
|
|
|
|
\begin{sitemize}
|
2005-04-30 04:49:32 +00:00
|
|
|
\item "Hackers" run 98\% win32, 2\% linux/bsd/osx
|
|
|
|
\item Portability sucks, win32 sucks, and cygwin sucks
|
2005-04-22 09:00:26 +00:00
|
|
|
\end{sitemize}
|
2005-04-30 04:49:32 +00:00
|
|
|
\pause
|
|
|
|
\begin{sitemize}
|
2005-05-05 16:20:56 +00:00
|
|
|
\item Version 2.x is difficult to automate
|
|
|
|
\item Everyone wants a completely automatic hack tool...
|
2005-04-30 04:49:32 +00:00
|
|
|
\pause
|
2005-05-05 16:20:56 +00:00
|
|
|
\item ...Everyone else will hate us if we write one
|
2005-04-30 04:49:32 +00:00
|
|
|
\end{sitemize}
|
|
|
|
\pause
|
|
|
|
\begin{sitemize}
|
2005-05-05 16:14:06 +00:00
|
|
|
\item External contributors inversely proportional to user base
|
2005-04-30 04:49:32 +00:00
|
|
|
\item The ones who complain the loudest contribute the least
|
|
|
|
\pause
|
|
|
|
\item Don't pick your language in hopes of contributions
|
|
|
|
\item Perl is falling short as we grow more complex
|
|
|
|
\end{sitemize}
|
|
|
|
\pause
|
|
|
|
\begin{sitemize}
|
|
|
|
\item Metasploit 2.0 mostly designed around exploits
|
|
|
|
\item Payloads have grown more important and complex
|
|
|
|
\end{sitemize}
|
|
|
|
|
|
|
|
\end{frame}
|
|
|
|
|
|
|
|
\section{Architecture}
|
|
|
|
\subsection{Introduction}
|
|
|
|
|
|
|
|
\begin{frame}[t]
|
|
|
|
\frametitle{Metasploit 3.0 goals}
|
2005-04-22 09:00:26 +00:00
|
|
|
|
2005-04-30 04:49:32 +00:00
|
|
|
\begin{sitemize}
|
|
|
|
\item A capable language we \emph{enjoy} writing in
|
|
|
|
\begin{sitemize}
|
|
|
|
\item Portability less important, support major OS's
|
|
|
|
\end{sitemize}
|
|
|
|
\pause
|
2005-05-05 16:20:56 +00:00
|
|
|
\item Embeddable for use in other tools
|
2005-04-30 04:49:32 +00:00
|
|
|
\pause
|
|
|
|
\item Strong custom automation
|
|
|
|
\begin{sitemize}
|
|
|
|
\item Test suites for the framework itself
|
|
|
|
\item Ability to test defensive infrastructure
|
|
|
|
\end{sitemize}
|
|
|
|
\pause
|
|
|
|
\item Staged payloads as first class citizens
|
|
|
|
\pause
|
|
|
|
\item "Pivoting" through owned hosts
|
|
|
|
\pause
|
|
|
|
\item Thread designed, not just thread safe
|
|
|
|
\end{sitemize}
|
2005-04-22 09:00:26 +00:00
|
|
|
\end{frame}
|
2005-04-16 20:47:33 +00:00
|
|
|
|
2005-04-30 04:49:32 +00:00
|
|
|
\subsection{Ruby to the rescue}
|
|
|
|
|
|
|
|
\begin{frame}[t]
|
|
|
|
\frametitle{We love Ruby}
|
|
|
|
\begin{sitemize}
|
|
|
|
\item Used for our prototypes, leading candidate for msf3
|
|
|
|
\item Clean, simple language and easy to learn
|
|
|
|
\item Strong object model, and we use every inch
|
|
|
|
\pause
|
|
|
|
\item Library support is decent, often better than Perl
|
|
|
|
\item Native Win32 builds, cygwin as backup
|
|
|
|
\item 2.x will stay Perl and continue in parallel
|
|
|
|
\end{sitemize}
|
|
|
|
\end{frame}
|
|
|
|
|
|
|
|
\subsection{Embedding}
|
|
|
|
|
|
|
|
\begin{frame}[t]
|
|
|
|
\frametitle{Metasploit embedded}
|
|
|
|
\begin{sitemize}
|
|
|
|
\item Metasploit: A hacker tool framework
|
|
|
|
\pause
|
|
|
|
\item Tools built upon "framework-core" libraries
|
|
|
|
\item Clear and documented SDK and interfaces
|
|
|
|
\pause
|
|
|
|
\item Similar 2.x interfaces written by us
|
|
|
|
\item Automation tools written by you
|
|
|
|
\end{sitemize}
|
|
|
|
\end{frame}
|
|
|
|
|
|
|
|
|
|
|
|
\begin{frame}[t, fragile]
|
|
|
|
\frametitle{Payload model}
|
|
|
|
\begin{sitemize}
|
|
|
|
\item Payloads subscribe to unified API layers
|
|
|
|
\item APIs emulate and extend the native Ruby APIs
|
|
|
|
\item Port existing applications to be remote with no changes
|
|
|
|
\item Great for scripting, great for testing
|
|
|
|
\pause
|
|
|
|
\item Better post-exploitation tools, more fun
|
|
|
|
\begin{sitemize}
|
|
|
|
\item Mirror victims harddrive:
|
|
|
|
\begin{verbatim}
|
|
|
|
client.fs.dir.download('./victim', 'c:\\', true)
|
|
|
|
\end{verbatim}
|
|
|
|
\pause
|
|
|
|
\item Migrate to a different process
|
|
|
|
\begin{verbatim}
|
|
|
|
pid = client.sys.process['calc.exe']
|
|
|
|
client.core.migrate(pid)
|
|
|
|
\end{verbatim}
|
|
|
|
\pause
|
|
|
|
\item Socket support, inefficent network pivoting
|
|
|
|
\pause
|
|
|
|
\item Support for Unix too, improved tools on their way
|
|
|
|
\end{sitemize}
|
|
|
|
\end{sitemize}
|
|
|
|
\end{frame}
|
2005-04-17 03:08:23 +00:00
|
|
|
|
2005-05-04 01:59:55 +00:00
|
|
|
\subsection{Other...}
|
|
|
|
|
2005-05-02 01:04:00 +00:00
|
|
|
\begin{frame}[t]
|
2005-05-04 01:59:55 +00:00
|
|
|
%%
|
|
|
|
\frametitle{Other Stuff}
|
|
|
|
%%
|
2005-05-02 01:04:00 +00:00
|
|
|
|
|
|
|
\begin{sitemize}
|
2005-05-04 01:59:55 +00:00
|
|
|
\item Threading
|
|
|
|
\begin{sitemize}
|
2005-05-05 15:39:41 +00:00
|
|
|
\item Ruby threads will work in theory
|
2005-05-04 01:59:55 +00:00
|
|
|
\item Meterpreter protocol asynchronous
|
|
|
|
\item Hopefully you can hack the planet in parallel
|
|
|
|
\end{sitemize}
|
|
|
|
\end{sitemize}
|
|
|
|
|
|
|
|
\pause
|
|
|
|
|
|
|
|
\begin{sitemize}
|
|
|
|
\item Pivoting
|
|
|
|
\begin{sitemize}
|
|
|
|
\item Pivoting through custom metasploit proxying protocol
|
|
|
|
\item Fairly easy to implement, cross platform
|
|
|
|
\item More efficent than syscall proxying
|
2005-05-05 15:39:41 +00:00
|
|
|
\item "Network paths" should be really slick
|
2005-05-04 01:59:55 +00:00
|
|
|
\end{sitemize}
|
|
|
|
\end{sitemize}
|
2005-05-05 16:14:06 +00:00
|
|
|
|
2005-05-04 01:59:55 +00:00
|
|
|
\end{frame}
|
|
|
|
|
|
|
|
\section{Conclusion}
|
|
|
|
|
|
|
|
\begin{frame}[t]
|
|
|
|
\frametitle{Conclusion}
|
|
|
|
|
|
|
|
\begin{sitemize}
|
|
|
|
\item Should be cool
|
|
|
|
\item Give us a year or more to make it
|
2005-05-02 01:04:00 +00:00
|
|
|
\end{sitemize}
|
|
|
|
\end{frame}
|
|
|
|
|
2005-05-04 01:59:55 +00:00
|
|
|
\pdfpart{Questions?}
|
|
|
|
|
2005-04-22 09:00:26 +00:00
|
|
|
%%% summary and bib has been removed %%%
|
|
|
|
\begin{comment}
|
|
|
|
\section*{Summary}
|
2005-04-22 09:08:16 +00:00
|
|
|
\begin{frame}[t]
|
2005-04-16 20:47:33 +00:00
|
|
|
\frametitle<presentation>{Summary}
|
|
|
|
|
|
|
|
% Keep the summary *very short*.
|
2005-04-17 23:05:05 +00:00
|
|
|
\begin{sitemize}
|
2005-04-16 20:47:33 +00:00
|
|
|
\item
|
|
|
|
The \alert{first main message} of your talk in one or two lines.
|
|
|
|
\item
|
|
|
|
The \alert{second main message} of your talk in one or two lines.
|
|
|
|
\item
|
|
|
|
Perhaps a \alert{third message}, but not more than that.
|
2005-04-17 23:05:05 +00:00
|
|
|
\end{sitemize}
|
2005-04-16 20:47:33 +00:00
|
|
|
|
|
|
|
% The following outlook is optional.
|
|
|
|
\vskip0pt plus.5fill
|
2005-04-17 23:05:05 +00:00
|
|
|
\begin{sitemize}
|
2005-04-16 20:47:33 +00:00
|
|
|
\item
|
|
|
|
Outlook
|
2005-04-17 23:05:05 +00:00
|
|
|
\begin{sitemize}
|
2005-04-16 20:47:33 +00:00
|
|
|
\item
|
|
|
|
Something you haven't solved.
|
|
|
|
\item
|
|
|
|
Something else you haven't solved.
|
2005-04-17 23:05:05 +00:00
|
|
|
\end{sitemize}
|
|
|
|
\end{sitemize}
|
2005-04-16 20:47:33 +00:00
|
|
|
\end{frame}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
% All of the following is optional and typically not needed.
|
|
|
|
\appendix
|
|
|
|
\section<presentation>*{\appendixname}
|
2005-04-22 03:15:05 +00:00
|
|
|
\subsection<presentation>*{Materials}
|
2005-04-16 20:47:33 +00:00
|
|
|
|
|
|
|
\begin{frame}[allowframebreaks]
|
2005-04-22 03:15:05 +00:00
|
|
|
\frametitle<presentation>{Materials}
|
2005-04-16 20:47:33 +00:00
|
|
|
|
|
|
|
\begin{thebibliography}{10}
|
|
|
|
|
|
|
|
\beamertemplatebookbibitems
|
|
|
|
% Start with overview books.
|
|
|
|
|
|
|
|
\bibitem{Author1990}
|
|
|
|
A.~Author.
|
|
|
|
\newblock {\em Handbook of Everything}.
|
|
|
|
\newblock Some Press, 1990.
|
|
|
|
|
|
|
|
|
|
|
|
\beamertemplatearticlebibitems
|
|
|
|
% Followed by interesting articles. Keep the list short.
|
|
|
|
|
|
|
|
\bibitem{Someone2000}
|
|
|
|
S.~Someone.
|
|
|
|
\newblock On this and that.
|
|
|
|
\newblock {\em Journal of This and That}, 2(1):50--100,
|
|
|
|
2000.
|
|
|
|
\end{thebibliography}
|
|
|
|
\end{frame}
|
2005-04-22 09:00:26 +00:00
|
|
|
\end{comment}
|
2005-04-16 20:47:33 +00:00
|
|
|
|
|
|
|
\end{document}
|