
% $Header$
\documentclass{beamer}
\usepackage{graphicx}
\usepackage{color}
% This file is a solution template for:
% - Talk at a conference/colloquium.
% - Talk length is about 20min.
% - Style is ornate.
% Copyright 2004 by Till Tantau <tantau@users.sourceforge.net>.
%
% In principle, this file can be redistributed and/or modified under
% the terms of the GNU Public License, version 2.
%
% However, this file is supposed to be a template to be modified
% for your own needs. For this reason, if you use this file as a
% template and not specifically distribute it as part of a another
% package/program, I grant the extra permission to freely copy and
% modify this file as you see fit and even to delete this copyright
% notice.
\mode<presentation>
{
% \usetheme{}
% or ...
% \usecolortheme{seahorse}
% \usecolortheme{crane}
% \useinnertheme{inmargin}
% \setbeamercovered{transparent}
% or whatever (possibly just delete it)
}
\usepackage[english]{babel}
% or whatever
\usepackage[latin1]{inputenc}
% or whatever
\usepackage{times}
\usepackage[T1]{fontenc}
% Or whatever. Note that the encoding and the font should match. If T1
% does not look nice, try deleting the line with the fontenc.
\title{What what, oh what}
\author[HD Moore, spoonm]
{HD Moore \and spoonm}
\date[CSW 2005] % (optional, should be abbreviation of conference name)
{CanSecWest, 2005}
\subject{Hax0ring}
% This is only inserted into the PDF information catalog. Can be left
% out.
% \pgfdeclareimage[height=0.5cm]{university-logo}{mp}
% \logo{\pgfuseimage{university-logo}}
% Delete this, if you do not want the table of contents to pop up at
% the beginning of each subsection:
\AtBeginSubsection[]
{
\begin{frame}<beamer>
\frametitle{Outline}
\tableofcontents[currentsection,currentsubsection]
\end{frame}
}
% turn off the beamer navigation symbols at the bottom of every frame
\setbeamertemplate{navigation symbols}{}
\begin{document}
\begin{frame}
\titlepage
\end{frame}
\begin{frame}
\frametitle{Hawwt}
\begin{definition}
A \alert{foo}
\end{definition}
\begin{example}
\begin{itemize}
\item holla
\item back
\pause
\item killa
\end{itemize}
\end{example}
\end{frame}
\begin{frame}
\frametitle{holla backz}
\begin{columns}[t]
\column{.5\textwidth}
foo
\pause
\column{.5\textwidth}
bar \\
car \\
zar
\end{columns}
\end{frame}
\begin{frame}
\frametitle{Outline}
\tableofcontents
\end{frame}
% Structuring a talk is a difficult task and the following structure
% may not be suitable. Here are some rules that apply for this
% solution:
% - Exactly two or three sections (other than the summary).
% - At *most* three subsections per section.
% - Talk about 30s to 2min per frame. So there should be between about
% 15 and 30 frames, all told.
% - A conference audience is likely to know very little of what you
% are going to talk about. So *simplify*!
% - In a 20min talk, getting the main ideas across is hard
% enough. Leave out details, even if it means being less precise than
% you think necessary.
% - If you omit details that are vital to the proof/implementation,
% just say so once. Everybody will be happy with that.
\section{Meta-what?}
\subsection{Who we are}
\begin{frame}
\frametitle{foo}
\end{frame}
\subsection{What our project is}
\part{waka}
\part{Improving Randomness in Attacks}
\begin{frame}
\frametitle{Outline}
\tableofcontents
\end{frame}
\section{Introduction}
\begin{frame}
\frametitle{Randomness, who cares?}
\begin{itemize}
\item NOTE: this slide can probably be trashed.. just temp for now
\item Adding randomness to exploits
\begin{itemize}
\item Less for a NIDS to write a signature against (anti-NIDS evasion)
\item Helps to uncover bugs in your exploit
\end{itemize}
\pause
\item Adding randomness to machine code
\begin{itemize}
\item Less for a NIDS to write a signature against (anti-NIDS evasion)
\item Increased robustness (avoid bad characters, preserve registers the payload needs)
\item Street credz? :-)
\end{itemize}
\end{itemize}
\end{frame}
\section{Conservative Polymorphism}
% One slide image of the iteration sequence, typeset at a fixed 3in height.
\newcommand*{\incshi}[1]{\includegraphics[height=3in]{#1}}
\begin{frame}
\frametitle{R0x Iterationz}
\only<9>{\incshi{shi8}}
\only<8>{\incshi{shi7}}
\only<7>{\incshi{shi6}}
\only<6>{\incshi{shi5}}
\only<5>{\incshi{shi4}}
\only<4>{\incshi{shi3}}
\only<3>{\incshi{shi2}}
\only<2>{\incshi{shi1}}
\only<1>{\incshi{shi0}}
\end{frame}
\section{Building a Nop Sled}
\subsection{Tekneek}
\begin{frame}
\frametitle{Multibyte Sled Concept}
\begin{itemize}
\item Optyx released multibyte generator at Interz0ne 1
\item Generates instructions 1 to 6 bytes long, plus the 0x66 operand-size prefix
\item Byte-aligned: execution can land on any byte of the sled and still reaches the same final byte (the payload)
\end{itemize}
\begin{itemize}
\pause
\item Builds the sled from back to front
\item Continually prepends one byte (an opcode) to the front of the sled
\item Generates a random byte and checks it against the instruction tables
\pause
\begin{itemize}
\item Is the instruction length too long?
\item Is it a valid instruction?
\item Does it have any bad bytes?
\item Does it modify any of the registers that must be preserved (the ``don't-smash'' set, e.g.\ ESP/EBP)?
\end{itemize}
\end{itemize}
\end{frame}
\begin{frame}[fragile]
\frametitle{Backwardz}
{\footnotesize
\begin{semiverbatim}
\textbf<11>{bb} \textbf<10,11>{b0} \textbf<9,10,11>{bf} \textbf<8,9,11>{2c} \textbf<7,8,9,11>{b6} \textbf<6,7,9>{27} \textbf<5,9>{67} \textbf<4,5>{2F} \textbf<3>{4A} \textbf<2>{1b} \textbf<1,2>{f9} --- shellcode
| | | | | | | | | | | \textbf<1>{... stc}
| | | | | | | | | |____^ \textbf<2>{. sbb edi,ecx}
| | | | | | | | | \textbf<3>{......... dec edx}
| | | | | | | | \textbf<4>{............ das}
| | | | | | |____^ \textbf<5>{.......... a16 das}
| | | | | | \textbf<6>{.................. daa}
| | | | |____^ \textbf<7>{................ mov dh, 0x27}
| | | |____^ \textbf<8>{................... sub al, 0xb6}
| | |_____________^ \textbf<9>{............. mov edi, 0x6727b62c}
| |____^ \textbf<10>{......................... mov al, 0xbf}
|_____________^ \textbf<11>{................... mov ebx, 0xb62cbfb0}
\end{semiverbatim}
}
\end{frame}
\subsection{Implementation}
\begin{frame}[fragile]
\frametitle{OptyNop2 Output}
{\footnotesize
\begin{verbatim}
$ ./waka 1000 4 5 | ndisasm -u - | head -700 | tail -20
000003B6 05419F40D4 add eax,0xd4409f41
000003BB 711C jno 0x3d9
000003BD 9B wait
000003BE 2C98 sub al,0x98
000003C0 37 aaa
000003C1 24A8 and al,0xa8
000003C3 27 daa
000003C4 E00D loopne 0x3d3
000003C6 6692 xchg ax,dx
000003C8 2F das
000003C9 49 dec ecx
000003CA B34A mov bl,0x4a
000003CC F5 cmc
000003CD BA4B257715 mov edx,0x1577254b
000003D2 700C jo 0x3e0
000003D4 C0D6B0 rcl dh,0xb0
000003D7 A9FD469342 test eax,0x429346fd
000003DC 67BBB191B23D a16 mov ebx,0x3db291b1
000003E2 1D9938FCB6 sbb eax,0xb6fc3899
000003E7 43 inc ebx
\end{verbatim}
}
\end{frame}
\subsection{Analysis}
\begin{frame}[fragile]
\frametitle{ADMmutate and optyx-mutate Gzip'd}
{\footnotesize
\begin{verbatim}
# ADMmutate
$ time ./nops 1000000| gzip -v >/dev/null
27.3%
real 0m0.241s
# optyx's interz0ne mutate
$ time ./driver nop 1000000 | gzip -v >/dev/null
29.7%
real 0m0.467s
\end{verbatim}
}
\end{frame}
\begin{frame}[fragile]
\frametitle{OptyNop2 Gzip'd (lower ratio = less compressible = more random)}
{\footnotesize
\begin{verbatim}
# C version, save ESP and EBP
$ time ./waka 1000000 4 5 | gzip -v >/dev/null
12.2%
real 0m11.900s
# save just ESP
$ time ./waka 1000000 4 | gzip -v >/dev/null
11.7%
real 0m11.277s
# save nothing -- sled may clobber ESP/EBP (good way to crash the process)
$ time ./waka 1000000 | gzip -v >/dev/null
8.3%
real 0m12.404s
\end{verbatim}
}
\end{frame}
\begin{frame}[fragile]
\frametitle{ADMmutate Distribution - 1}
\include{admtable}
\end{frame}
\begin{frame}[fragile]
\frametitle{ADMmutate Distribution - 2}
\include{admtable2}
\end{frame}
\begin{frame}[fragile]
\frametitle{OptyNop2 Distribution - 1}
\include{optytable}
\end{frame}
\begin{frame}[fragile]
\frametitle{OptyNop2 Distribution - 2}
\include{optytable2}
\end{frame}
\subsection{Conclusion}
\begin{frame}
\frametitle{Benefits}
\begin{itemize}
\item Not very difficult to gain a lot more randomness
\item Signature-based NIDS is far, far behind
\item Added robustness (bad character avoidance / preserved registers)
\item More versatile sled generation (nop stuffing, etc)
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Possible Improvements}
\begin{itemize}
\item Support processor flags (nop stuffing)
\item Support 2-byte opcodes / escape groups (not worth it)
\item Improved scoring systems, look-ahead, etc
\item Try to output according to a given byte distribution
\item Make it faster and use less memory
\end{itemize}
\end{frame}
\section{Our Results/Contribution}
\subsection{Main Results}
\begin{frame}
\frametitle{Make Titles Informative.}
\end{frame}
\begin{frame}
\frametitle{Make Titles Informative.}
\end{frame}
\begin{frame}
\frametitle{Make Titles Informative.}
\end{frame}
\subsection{Basic Ideas for Proofs/Implementation}
\begin{frame}
\frametitle{Make Titles Informative.}
\end{frame}
\begin{frame}
\frametitle{Make Titles Informative.}
\end{frame}
\begin{frame}
\frametitle{Make Titles Informative.}
\end{frame}
\section*{Summary}
\begin{frame}
\frametitle<presentation>{Summary}
% Keep the summary *very short*.
\begin{itemize}
\item
The \alert{first main message} of your talk in one or two lines.
\item
The \alert{second main message} of your talk in one or two lines.
\item
Perhaps a \alert{third message}, but not more than that.
\end{itemize}
% The following outlook is optional.
\vskip0pt plus.5fill
\begin{itemize}
\item
Outlook
\begin{itemize}
\item
Something you haven't solved.
\item
Something else you haven't solved.
\end{itemize}
\end{itemize}
\end{frame}
% All of the following is optional and typically not needed.
\appendix
\section<presentation>*{\appendixname}
\subsection<presentation>*{For Further Reading}
\begin{frame}[allowframebreaks]
\frametitle<presentation>{For Further Reading}
\begin{thebibliography}{10}
\beamertemplatebookbibitems
% Start with overview books.
\bibitem{Author1990}
A.~Author.
\newblock {\em Handbook of Everything}.
\newblock Some Press, 1990.
\beamertemplatearticlebibitems
% Followed by interesting articles. Keep the list short.
\bibitem{Someone2000}
S.~Someone.
\newblock On this and that.
\newblock {\em Journal of This and That}, 2(1):50--100,
2000.
\end{thebibliography}
\end{frame}
\end{document}