2005-04-16 20:47:33 +00:00
|
|
|
% $Header$
|
|
|
|
|
2005-04-17 22:01:24 +00:00
|
|
|
\documentclass{beamer}
|
2005-04-17 03:08:23 +00:00
|
|
|
\usepackage{graphicx}
|
2005-04-17 06:08:31 +00:00
|
|
|
\usepackage{color}
|
2005-04-16 20:47:33 +00:00
|
|
|
|
|
|
|
|
|
|
|
\mode<presentation>
|
|
|
|
{
|
2005-04-16 20:52:14 +00:00
|
|
|
% \usetheme{}
|
2005-04-16 20:47:33 +00:00
|
|
|
% or ...
|
|
|
|
|
|
|
|
% \usecolortheme{seahorse}
|
|
|
|
% \usecolortheme{crane}
|
|
|
|
% \useinnertheme{inmargin}
|
|
|
|
|
|
|
|
% \setbeamercovered{transparent}
|
2005-04-18 05:34:00 +00:00
|
|
|
% or whatever (possibly just delete it)
|
2005-04-16 20:47:33 +00:00
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
\usepackage[english]{babel}
|
|
|
|
\usepackage[latin1]{inputenc}
|
|
|
|
\usepackage{times}
|
|
|
|
\usepackage[T1]{fontenc}
|
2005-04-18 05:34:00 +00:00
|
|
|
% \usepackage{beamerthemeshadow}
|
2005-04-16 20:47:33 +00:00
|
|
|
|
2005-04-18 05:34:00 +00:00
|
|
|
% Love from spoon
|
|
|
|
\newcommand{\pdfpart}[1]{\label{pdfpart-#1}\pdfbookmark[0]{#1}{pdfpart-#1}\part{#1}}
|
|
|
|
\newenvironment{sitemize}{\vspace{1mm}\begin{itemize}\itemsep 4pt\small}{\end{itemize}}
|
2005-04-16 20:47:33 +00:00
|
|
|
|
2005-04-18 05:34:00 +00:00
|
|
|
% Presentation meta-information
|
|
|
|
\title{Advanced Exploitation}
|
|
|
|
\author[hdm \& spoonm] {hdm \& spoonm}
|
|
|
|
\date[CSW 2005] {CanSecWest, 2005}
|
|
|
|
\subject{Metasploit - Advanced Exploitation}
|
2005-04-16 20:47:33 +00:00
|
|
|
|
2005-04-18 05:34:00 +00:00
|
|
|
% Add a spacer between each part
|
|
|
|
\AtBeginPart{\frame{\partpage}}
|
2005-04-16 20:47:33 +00:00
|
|
|
|
2005-04-18 05:34:00 +00:00
|
|
|
% Turn off the navigation on the bottom yo
|
|
|
|
\setbeamertemplate{navigation symbols}{}
|
2005-04-16 20:47:33 +00:00
|
|
|
|
2005-04-18 05:34:00 +00:00
|
|
|
% Kick this sucker open
|
|
|
|
\begin{document}
|
2005-04-16 20:47:33 +00:00
|
|
|
|
2005-04-18 05:34:00 +00:00
|
|
|
% Throw down the title
|
|
|
|
\begin{frame}
|
|
|
|
\titlepage
|
|
|
|
\end{frame}
|
2005-04-16 20:47:33 +00:00
|
|
|
|
|
|
|
|
2005-04-18 05:34:00 +00:00
|
|
|
%--------------------------------------%
|
|
|
|
\pdfpart{Introduction}
|
|
|
|
%--------------------------------------%
|
2005-04-17 21:47:28 +00:00
|
|
|
|
2005-04-18 05:34:00 +00:00
|
|
|
\section{Who are we?}
|
|
|
|
\begin{frame}
|
|
|
|
\frametitle{Who are we?}
|
|
|
|
|
|
|
|
\begin{sitemize}
|
|
|
|
\item spoonm
|
|
|
|
\begin{sitemize}
|
|
|
|
\item Full-time student at a Canadian university
|
|
|
|
\item Metasploit developer since late 2003
|
|
|
|
\end{sitemize}
|
|
|
|
\end{itemize}
|
|
|
|
|
|
|
|
\begin{itemize}
|
|
|
|
\item H D Moore
|
|
|
|
\begin{sitemize}
|
|
|
|
\item Full-time employee at a network security firm
|
|
|
|
\item Metasploit project founder and developer
|
|
|
|
\end{sitemize}
|
|
|
|
\end{sitemize}
|
|
|
|
\end{frame}
|
2005-04-16 20:47:33 +00:00
|
|
|
|
2005-04-18 05:34:00 +00:00
|
|
|
\section{What is Metasploit?}
|
|
|
|
\begin{frame}
|
|
|
|
\frametitle{What is Metasploit?}
|
|
|
|
\begin{sitemize}
|
|
|
|
\item Research project with 8 members
|
|
|
|
\begin{sitemize}
|
|
|
|
\item Focused on improving the state of security
|
|
|
|
\item Provide information and tools for researchers
|
|
|
|
\item Resource for IDS and security tool vendors
|
|
|
|
\end{sitemize}
|
|
|
|
\end{sitemize}
|
|
|
|
|
|
|
|
\begin{sitemize}
|
|
|
|
\item Created the Metasploit Framework
|
|
|
|
\begin{sitemize}
|
|
|
|
\item Open-source exploit dev platform
|
|
|
|
\item Includes 60 exploits and 70 payloads
|
|
|
|
\item Implements ideas from everywhere
|
|
|
|
\item Currently four primary developers
|
|
|
|
\item Handful of external contributors
|
|
|
|
\end{sitemize}
|
|
|
|
\end{sitemize}
|
|
|
|
\end{frame}
|
2005-04-16 20:47:33 +00:00
|
|
|
|
2005-04-18 05:34:00 +00:00
|
|
|
\section{What is this about?}
|
2005-04-16 20:47:33 +00:00
|
|
|
\begin{frame}
|
2005-04-18 05:34:00 +00:00
|
|
|
\frametitle{What is this about?}
|
|
|
|
\begin{sitemize}
|
|
|
|
\item Recent advances in exploit technology
|
|
|
|
\item Exploiting Windows XP SP2 and Mac OS X
|
|
|
|
\item New research, techniques, and code
|
|
|
|
\item Metasploit Framework 3.0 architecture
|
|
|
|
\end{sitemize}
|
2005-04-16 20:47:33 +00:00
|
|
|
\end{frame}
|
|
|
|
|
2005-04-17 21:47:28 +00:00
|
|
|
|
2005-04-18 05:34:00 +00:00
|
|
|
%--------------------------------------%
|
|
|
|
\pdfpart{Windows Exploitation}
|
|
|
|
%--------------------------------------%
|
2005-04-17 21:47:28 +00:00
|
|
|
|
2005-04-16 20:47:33 +00:00
|
|
|
\begin{frame}
|
2005-04-18 05:34:00 +00:00
|
|
|
\frametitle{Windows Exploitation}
|
|
|
|
\begin{sitemize}
|
|
|
|
\item The
|
|
|
|
\item SEH frame overwrites still easy to exploit
|
|
|
|
\item Third-party applications buggy as ever
|
|
|
|
\end{sitemize}
|
2005-04-16 20:47:33 +00:00
|
|
|
\end{frame}
|
|
|
|
|
2005-04-18 05:34:00 +00:00
|
|
|
|
|
|
|
|
|
|
|
\section{Windows XP SP2}
|
|
|
|
\section{Windows 2003 SP1}
|
|
|
|
|
|
|
|
|
|
|
|
%--------------------------------------%
|
|
|
|
\pdfpart{Mac OS X Exploitation}
|
|
|
|
%--------------------------------------%
|
|
|
|
|
|
|
|
\section{PowerPC Constraints}
|
2005-04-16 20:47:33 +00:00
|
|
|
\begin{frame}
|
2005-04-18 05:34:00 +00:00
|
|
|
\frametitle{PowerPC Contraints}
|
|
|
|
\begin{sitemize}
|
|
|
|
\item Mac OS X runs on PowerPC
|
|
|
|
\item PowerPC is a RISC-platform
|
|
|
|
\item Independent instruction and data caches
|
|
|
|
\item Fixed-width 32-bit insutrctions
|
|
|
|
\item Stack overflows need to return twice to be explotable
|
|
|
|
\item (Similar to exploits on SPARCs, etc)
|
|
|
|
\end{sitemize}
|
2005-04-16 20:47:33 +00:00
|
|
|
\end{frame}
|
|
|
|
|
2005-04-18 05:34:00 +00:00
|
|
|
\section{Exploits are annoying}
|
2005-04-16 20:47:33 +00:00
|
|
|
\begin{frame}
|
2005-04-18 05:34:00 +00:00
|
|
|
\frametitle{Exploits are annoying }
|
|
|
|
\begin{sitemize}
|
|
|
|
\item Double-return means having to patch other pointers
|
|
|
|
\item Code which calls \_exit before sometimes unexploitable
|
|
|
|
\item Shellcode must be placed into location not in i-cache
|
|
|
|
\item Exploits can have different results between diff CPUs
|
|
|
|
\end{sitemize}
|
|
|
|
\end{frame}
|
|
|
|
|
|
|
|
\section{Shellcode issues}
|
|
|
|
\begin{frame}
|
|
|
|
\frametitle{Shellcode issues }
|
|
|
|
\begin{sitemize}
|
|
|
|
\item Double-return means having to patch other pointers
|
|
|
|
\item Shellcode must be placed into location not in i-cache
|
|
|
|
\item Exploits can have different results between diff CPUs
|
|
|
|
\end{sitemize}
|
|
|
|
\end{frame}
|
|
|
|
|
|
|
|
|
|
|
|
%--------------------------------------%
|
|
|
|
\pdfpart{Return Addresses}
|
|
|
|
%--------------------------------------%
|
|
|
|
|
|
|
|
\section{Reliability}
|
|
|
|
\begin{frame}
|
|
|
|
\frametitle{Reliability}
|
|
|
|
\begin{sitemize}
|
|
|
|
\item An exploit is only as good as the return address it uses
|
|
|
|
\item Many vulnerabilities only allow one exploit attempt
|
|
|
|
\item Returning directly to shellcode is not always possible
|
|
|
|
\begin{sitemize}
|
|
|
|
\item Most Windows exploits use a "bounce" address
|
|
|
|
\item Indirect returns are useful on other platforms as well
|
|
|
|
\end{sitemize}
|
|
|
|
\end{sitemize}
|
|
|
|
\end{frame}
|
|
|
|
|
|
|
|
\section{Windows Addresses}
|
|
|
|
\begin{frame}
|
|
|
|
\frametitle{Windows Return Addresses}
|
|
|
|
\begin{sitemize}
|
|
|
|
\item Windows stack addresses are usually not predictable
|
|
|
|
\item Executable and library address {\em are} predictable
|
|
|
|
\begin{sitemize}
|
|
|
|
\item System libraries are often static between patch levels
|
|
|
|
\item Application libraries change even less frequently
|
|
|
|
\item Executable addresses only change between app versions
|
|
|
|
\end{sitemize}
|
|
|
|
\end{sitemize}
|
|
|
|
|
|
|
|
\begin{sitemize}
|
|
|
|
\item Static system libraries can go a long way...
|
|
|
|
\pause
|
|
|
|
\item A great example is the "ws2help.dll" library:
|
|
|
|
\begin{sitemize}
|
|
|
|
\item Static across all versions of Windows 2000
|
|
|
|
\item Static across Windows XP SP0 and SP1
|
|
|
|
\item Used in dozens of exploits in the Framework
|
|
|
|
\end{sitemize}
|
|
|
|
\end{sitemize}
|
|
|
|
\end{frame}
|
|
|
|
|
|
|
|
|
|
|
|
\section{Unix Addresses}
|
|
|
|
\begin{frame}
|
|
|
|
\frametitle{Unix Return Addresses}
|
|
|
|
|
|
|
|
\begin{sitemize}
|
|
|
|
\item Linux and BSD
|
|
|
|
\begin{sitemize}
|
|
|
|
\item Library addresses are usually not predictable
|
|
|
|
\item Every executable has a static load address
|
|
|
|
\begin{sitemize}
|
|
|
|
\item Every distribution has compiled its own executable
|
|
|
|
\item Exploits must target specific versions and operating systems
|
|
|
|
\item Commercial (binary-only) applications are mostly static
|
|
|
|
\end{sitemize}
|
|
|
|
\end{sitemize}
|
|
|
|
\end{sitemize}
|
|
|
|
|
|
|
|
\pause
|
|
|
|
\begin{sitemize}
|
|
|
|
\item Commercial Unix
|
|
|
|
\begin{sitemize}
|
|
|
|
\item Library addresses are sometimes predictable
|
|
|
|
\item Every executable has a static load address
|
|
|
|
\begin{sitemize}
|
|
|
|
\item These addresses are static per package version
|
|
|
|
\item Windows-style return addresses work well
|
|
|
|
\item This includes Mac OS X, Solaris, HP-UX, AIX, etc
|
|
|
|
\end{sitemize}
|
|
|
|
\end{sitemize}
|
|
|
|
\end{sitemize}
|
|
|
|
\end{frame}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
\section{Analysis Tools}
|
|
|
|
\begin{frame}
|
|
|
|
\frametitle{Analysis Methods}
|
|
|
|
\begin{sitemize}
|
|
|
|
\item Finding solid return addresses involves a few steps
|
|
|
|
\begin{sitemize}
|
|
|
|
\item Load the executable or library into memory
|
|
|
|
\item Determine all permutations of the desired opcode
|
|
|
|
\item Search memory contents to find these bytes
|
|
|
|
\item Determine the virtual address for each offset
|
|
|
|
\end{sitemize}
|
|
|
|
\end{sitemize}
|
|
|
|
|
|
|
|
\pause
|
|
|
|
\begin{sitemize}
|
|
|
|
\item Many people use a debugger to accomplish this task
|
|
|
|
\begin{sitemize}
|
|
|
|
\item This is a tedious process to do manually
|
|
|
|
\item Limited to one version at a time, even with a plugin
|
|
|
|
\item Requires the installation of each tested version
|
|
|
|
\end{sitemize}
|
|
|
|
\end{sitemize}
|
2005-04-16 20:47:33 +00:00
|
|
|
\end{frame}
|
|
|
|
|
2005-04-18 05:34:00 +00:00
|
|
|
\begin{frame}
|
|
|
|
\frametitle{The Metasploit msfpescan utility}
|
|
|
|
\begin{sitemize}
|
|
|
|
\item msfpescan - a utility included in the Metasploit Framework
|
|
|
|
\begin{sitemize}
|
|
|
|
\item Can analyze any PE executable or DLL in offline mode
|
|
|
|
\item Simple to automate and cross-reference results
|
|
|
|
\item Does not require a Windows system to run
|
|
|
|
\item Easily analyze multiple versions on the command line
|
|
|
|
\item Capable of dumping other information as well
|
|
|
|
\begin{sitemize}
|
|
|
|
\item Imports, Exports, and IAT addresses
|
|
|
|
\item Resource information, internal versions
|
|
|
|
\item Standard PE header information
|
|
|
|
\end{sitemize}
|
|
|
|
\end{sitemize}
|
|
|
|
\end{sitemize}
|
|
|
|
\end{frame}
|
|
|
|
|
|
|
|
\begin{frame}[fragile]
|
|
|
|
\frametitle{Using msfpescan to find addresses}
|
|
|
|
\begin{sitemize}
|
|
|
|
\item Install the Metasploit Framework (2.3 or newer)
|
|
|
|
\item Place your target executable or DLL into some directory
|
|
|
|
\item Use msfpescan to quickly find return addresses:
|
|
|
|
\end{sitemize}
|
|
|
|
|
|
|
|
{\footnotesize
|
|
|
|
\begin{verbatim}
|
|
|
|
# Locate any form of pop/pop/ret opcodes
|
|
|
|
$ msfpescan -f mod_oiplus.dll -s
|
|
|
|
0x1001413c esi edi ret
|
|
|
|
0x10009ea2 esi ecx ret
|
|
|
|
0x100113bd esi ebx ret
|
|
|
|
|
|
|
|
# Locate any opcodes that take us to [eax]
|
|
|
|
$ msfpescan -f mod_oiplus.dll -j eax
|
|
|
|
0x1000969d push eax
|
|
|
|
0x100141a3 jmp eax
|
|
|
|
0x10010e69 call eax
|
|
|
|
\end{verbatim}
|
|
|
|
}
|
|
|
|
\end{frame}
|
|
|
|
|
|
|
|
\begin{frame}
|
|
|
|
\frametitle{Opcode Databases}
|
|
|
|
\begin{sitemize}
|
|
|
|
\item Contains opcodes across every executable and DLL in Windows
|
|
|
|
\item The new version includes over nine million records
|
|
|
|
\item Data is generated directly from the files themselves
|
|
|
|
\item Quickly cross-reference return address over the entire DB
|
|
|
|
\item Publicly available from http://www.metasploit.com/
|
|
|
|
|
|
|
|
\end{sitemize}
|
|
|
|
\end{frame}
|
2005-04-16 20:47:33 +00:00
|
|
|
|
2005-04-18 05:34:00 +00:00
|
|
|
\begin{frame}
|
|
|
|
\frametitle{Current Development}
|
|
|
|
\begin{sitemize}
|
|
|
|
\item Executable analysis tools for Solaris, Mac OS X, Linux, BSD
|
|
|
|
\item Usefulness limited compared to Windows platform
|
|
|
|
\item Static libraries are great for cross-version exploits
|
|
|
|
\end{sitemize}
|
|
|
|
\end{frame}
|
2005-04-16 20:47:33 +00:00
|
|
|
|
|
|
|
|
2005-04-18 05:34:00 +00:00
|
|
|
%--------------------------------------%
|
|
|
|
\pdfpart{Post-Exploitation}
|
|
|
|
%--------------------------------------%
|
2005-04-16 20:47:33 +00:00
|
|
|
|
2005-04-18 05:34:00 +00:00
|
|
|
\section{Windows Payloads}
|
|
|
|
|
|
|
|
\begin{frame}
|
|
|
|
\frametitle{The Meterpreter}
|
|
|
|
\begin{sitemize}
|
|
|
|
\item Windows version uses in-memory DLL injection techniques
|
|
|
|
\item Dynamically extensible over the network
|
|
|
|
\item Extensions are standard Windows DLLs
|
|
|
|
\item Loading an extension updates available commands
|
|
|
|
\item Support for network encryption
|
|
|
|
\item Huge feature set in the public version
|
|
|
|
\begin{sitemize}
|
|
|
|
\item Upload, download, and list files
|
|
|
|
\item List, create, and kill processes
|
|
|
|
\item Spawn "channelized" commands in the background
|
|
|
|
\item Create port forwarding channels to pivot attacks
|
|
|
|
\end{sitemize}
|
|
|
|
\end{sitemize}
|
|
|
|
\end{frame}
|
2005-04-16 20:47:33 +00:00
|
|
|
|
2005-04-17 02:55:24 +00:00
|
|
|
\begin{frame}
|
2005-04-18 05:34:00 +00:00
|
|
|
\frametitle{Ordinal-based Stagers}
|
|
|
|
\begin{sitemize}
|
|
|
|
\item Technique from Oded's lightning talk from core04
|
|
|
|
\item 92 bytes and works on every Windows version/SP
|
|
|
|
\item Staging system can chain vnc injection or Meterpreter
|
|
|
|
\end{sitemize}
|
2005-04-17 02:55:24 +00:00
|
|
|
\end{frame}
|
2005-04-16 20:47:33 +00:00
|
|
|
|
2005-04-17 21:47:28 +00:00
|
|
|
\begin{frame}
|
2005-04-18 05:34:00 +00:00
|
|
|
\frametitle{PassiveX}
|
|
|
|
\begin{sitemize}
|
|
|
|
\item Payload modifies registry and launches IE
|
|
|
|
\item IE loads custom ActiveX control to stage the payload
|
|
|
|
\item Communications channel is via HTTP requests
|
|
|
|
\item Can be used to inject VNC, Meterpreter, etc
|
|
|
|
\item Uses IE settings to bypass firewalls (proxy, auth, etc)
|
|
|
|
\end{sitemize}
|
2005-04-17 21:47:28 +00:00
|
|
|
\end{frame}
|
2005-04-18 05:34:00 +00:00
|
|
|
|
|
|
|
|
|
|
|
\section{Unix Payloads}
|
|
|
|
|
|
|
|
\begin{frame}
|
|
|
|
\frametitle{Non-standard Network Stagers}
|
|
|
|
\begin{sitemize}
|
|
|
|
\item UDP-based stager and network shell for Linux
|
|
|
|
\item UDP-based DNS request staging system
|
|
|
|
\item ICMP-based listener and "reverse" payloads
|
|
|
|
\item Find and recv socket re-use stagers
|
|
|
|
\item Source code in MSF, but many not integrated
|
|
|
|
\end{sitemize}
|
|
|
|
\end{frame}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
%--------------------------------------%
|
2005-04-17 21:47:28 +00:00
|
|
|
\pdfpart{Improving Randomness in Attacks}
|
2005-04-18 05:34:00 +00:00
|
|
|
%--------------------------------------%
|
2005-04-16 20:47:33 +00:00
|
|
|
|
2005-04-17 18:32:41 +00:00
|
|
|
\begin{frame}
|
|
|
|
\frametitle{Outline}
|
|
|
|
\tableofcontents
|
|
|
|
\end{frame}
|
2005-04-16 20:47:33 +00:00
|
|
|
|
2005-04-17 18:32:41 +00:00
|
|
|
\section{Introduction}
|
|
|
|
\begin{frame}
|
|
|
|
\frametitle{Randomness, who cares?}
|
2005-04-17 23:05:05 +00:00
|
|
|
\begin{sitemize}
|
2005-04-17 18:32:41 +00:00
|
|
|
\item NOTE: this slide can probably be trashed.. just temp for now
|
|
|
|
\item Adding randomness to exploits
|
2005-04-17 23:05:05 +00:00
|
|
|
\begin{sitemize}
|
2005-04-17 18:32:41 +00:00
|
|
|
\item Less to signature / anti-nids
|
|
|
|
\item Helps to uncover bugs in your exploit
|
2005-04-17 23:05:05 +00:00
|
|
|
\end{sitemize}
|
2005-04-17 18:32:41 +00:00
|
|
|
\pause
|
2005-04-18 05:34:00 +00:00
|
|
|
|
|
|
|
\item Adding randomness to exploit code
|
|
|
|
\begin{sitemize}
|
|
|
|
\item Modify attacks by setting protocol options (frags)
|
|
|
|
\item All padding data can be randomized (englishtext)
|
|
|
|
\item Helper functions to generate types of random data
|
|
|
|
\end{sitemize}
|
|
|
|
|
2005-04-17 18:32:41 +00:00
|
|
|
\item Adding randomness to machine code
|
2005-04-17 23:05:05 +00:00
|
|
|
\begin{sitemize}
|
2005-04-17 18:32:41 +00:00
|
|
|
\item Less to signature / anti-nids
|
|
|
|
\item Increased robustness (bad chars / bad regs)
|
|
|
|
\item Street credz? :-)
|
2005-04-17 23:05:05 +00:00
|
|
|
\end{sitemize}
|
2005-04-18 05:34:00 +00:00
|
|
|
|
2005-04-17 23:05:05 +00:00
|
|
|
\end{sitemize}
|
2005-04-17 18:32:41 +00:00
|
|
|
\end{frame}
|
2005-04-16 20:47:33 +00:00
|
|
|
|
2005-04-17 18:32:41 +00:00
|
|
|
\section{Conservative Polymorphism}
|
2005-04-16 20:47:33 +00:00
|
|
|
|
2005-04-17 04:33:08 +00:00
|
|
|
\newcommand{\incshi}[1]{\includegraphics[height=3in]{#1}}
|
|
|
|
|
2005-04-17 03:08:23 +00:00
|
|
|
\begin{frame}
|
2005-04-17 04:33:08 +00:00
|
|
|
\frametitle{R0x Iterationz}
|
|
|
|
\only<9>{\incshi{shi8}}
|
|
|
|
\only<8>{\incshi{shi7}}
|
|
|
|
\only<7>{\incshi{shi6}}
|
|
|
|
\only<6>{\incshi{shi5}}
|
|
|
|
\only<5>{\incshi{shi4}}
|
|
|
|
\only<4>{\incshi{shi3}}
|
|
|
|
\only<3>{\incshi{shi2}}
|
|
|
|
\only<2>{\incshi{shi1}}
|
|
|
|
\only<1>{\incshi{shi0}}
|
2005-04-17 03:08:23 +00:00
|
|
|
\end{frame}
|
|
|
|
|
2005-04-17 18:32:41 +00:00
|
|
|
\section{Building a Nop Sled}
|
2005-04-17 07:23:50 +00:00
|
|
|
|
2005-04-17 18:32:41 +00:00
|
|
|
\subsection{Tekneek}
|
2005-04-17 07:23:50 +00:00
|
|
|
|
2005-04-17 18:32:41 +00:00
|
|
|
\begin{frame}
|
|
|
|
\frametitle{Multibyte Sled Concept}
|
2005-04-17 23:05:05 +00:00
|
|
|
\begin{sitemize}
|
2005-04-17 18:32:41 +00:00
|
|
|
\item Optyx released multibyte generator at Interz0ne 1
|
|
|
|
\item Generates instructions 1 to 6 bytes long, and 0x66 prefix
|
|
|
|
\item 1 byte aligned, land anywhere, end at the same byte
|
2005-04-17 23:05:05 +00:00
|
|
|
\end{sitemize}
|
|
|
|
\begin{sitemize}
|
2005-04-17 18:32:41 +00:00
|
|
|
\pause
|
|
|
|
\item Builds the sled from back to front
|
|
|
|
\item Continually prepending byte (opcode) to sled
|
|
|
|
\item Generates random byte and check against tables
|
|
|
|
\pause
|
2005-04-17 23:05:05 +00:00
|
|
|
\begin{sitemize}
|
2005-04-17 18:32:41 +00:00
|
|
|
\item Is the instruction length too long?
|
|
|
|
\item Is it a valid instruction?
|
|
|
|
\item Does it have any bad bytes?
|
|
|
|
\item Does it modify don't-smash registers?
|
2005-04-17 23:05:05 +00:00
|
|
|
\end{sitemize}
|
|
|
|
\end{sitemize}
|
2005-04-17 07:23:50 +00:00
|
|
|
\end{frame}
|
|
|
|
|
|
|
|
\begin{frame}[fragile]
|
|
|
|
\frametitle{Backwardz}
|
|
|
|
{\footnotesize
|
|
|
|
\begin{semiverbatim}
|
2005-04-17 07:25:53 +00:00
|
|
|
\textbf<11>{bb} \textbf<10,11>{b0} \textbf<9,10,11>{bf} \textbf<8,9,11>{2c} \textbf<7,8,9,11>{b6} \textbf<6,7,9>{27} \textbf<5,9>{67} \textbf<4,5>{2F} \textbf<3>{4A} \textbf<2>{1b} \textbf<1,2>{f9} --- shellcode
|
2005-04-17 07:23:50 +00:00
|
|
|
| | | | | | | | | | | \textbf<1>{... stc}
|
|
|
|
| | | | | | | | | |____^ \textbf<2>{. sbb edi,ecx}
|
|
|
|
| | | | | | | | | \textbf<3>{......... dec edx}
|
|
|
|
| | | | | | | | \textbf<4>{............ das}
|
|
|
|
| | | | | | |____^ \textbf<5>{.......... a16 das}
|
|
|
|
| | | | | | \textbf<6>{.................. daa}
|
|
|
|
| | | | |____^ \textbf<7>{................ mov dh, 0x27}
|
|
|
|
| | | |____^ \textbf<8>{................... sub al, 0xb6}
|
|
|
|
| | |_____________^ \textbf<9>{............. mov edi, 0x6727b62c}
|
|
|
|
| |____^ \textbf<10>{......................... mov al, 0xbf}
|
|
|
|
|_____________^ \textbf<11>{................... mov ebx, 0xb62cbfb0}
|
|
|
|
\end{semiverbatim}
|
|
|
|
}
|
|
|
|
\end{frame}
|
|
|
|
|
2005-04-17 18:32:41 +00:00
|
|
|
\subsection{Implementation}
|
|
|
|
|
2005-04-17 07:23:50 +00:00
|
|
|
\begin{frame}[fragile]
|
|
|
|
\frametitle{OptyNop2 Output}
|
|
|
|
{\footnotesize
|
|
|
|
\begin{verbatim}
|
|
|
|
$ ./waka 1000 4 5 | ndisasm -u - | head -700 | tail -20
|
|
|
|
000003B6 05419F40D4 add eax,0xd4409f41
|
|
|
|
000003BB 711C jno 0x3d9
|
|
|
|
000003BD 9B wait
|
|
|
|
000003BE 2C98 sub al,0x98
|
|
|
|
000003C0 37 aaa
|
|
|
|
000003C1 24A8 and al,0xa8
|
|
|
|
000003C3 27 daa
|
|
|
|
000003C4 E00D loopne 0x3d3
|
|
|
|
000003C6 6692 xchg ax,dx
|
|
|
|
000003C8 2F das
|
|
|
|
000003C9 49 dec ecx
|
|
|
|
000003CA B34A mov bl,0x4a
|
|
|
|
000003CC F5 cmc
|
|
|
|
000003CD BA4B257715 mov edx,0x1577254b
|
|
|
|
000003D2 700C jo 0x3e0
|
|
|
|
000003D4 C0D6B0 rcl dh,0xb0
|
|
|
|
000003D7 A9FD469342 test eax,0x429346fd
|
|
|
|
000003DC 67BBB191B23D a16 mov ebx,0x3db291b1
|
|
|
|
000003E2 1D9938FCB6 sbb eax,0xb6fc3899
|
|
|
|
000003E7 43 inc ebx
|
|
|
|
\end{verbatim}
|
|
|
|
}
|
|
|
|
\end{frame}
|
|
|
|
|
|
|
|
|
2005-04-17 18:32:41 +00:00
|
|
|
|
|
|
|
\subsection{Analysis}
|
|
|
|
|
|
|
|
\begin{frame}[fragile]
|
|
|
|
\frametitle{ADMmutate and optyx-mutate Gzip'd}
|
|
|
|
{\footnotesize
|
|
|
|
\begin{verbatim}
|
|
|
|
# ADMmutate
|
|
|
|
|
|
|
|
$ time ./nops 1000000| gzip -v >/dev/null
|
|
|
|
27.3%
|
|
|
|
real 0m0.241s
|
|
|
|
|
|
|
|
# optyx's interz0ne mutate
|
|
|
|
|
|
|
|
$ time ./driver nop 1000000 | gzip -v >/dev/null
|
|
|
|
29.7%
|
|
|
|
real 0m0.467s
|
|
|
|
\end{verbatim}
|
|
|
|
}
|
|
|
|
\end{frame}
|
|
|
|
|
2005-04-17 07:23:50 +00:00
|
|
|
\begin{frame}[fragile]
|
|
|
|
\frametitle{OptyNop2 Gzip'd}
|
|
|
|
{\footnotesize
|
|
|
|
\begin{verbatim}
|
|
|
|
# C version, save ESP and EBP
|
|
|
|
|
|
|
|
$ time ./waka 1000000 4 5 | gzip -v >/dev/null
|
|
|
|
12.2%
|
|
|
|
real 0m11.900s
|
|
|
|
|
|
|
|
# save just ESP
|
|
|
|
|
|
|
|
$ time ./waka 1000000 4 | gzip -v >/dev/null
|
|
|
|
11.7%
|
|
|
|
real 0m11.277s
|
|
|
|
|
|
|
|
# save nothing (good way to crash process)
|
|
|
|
|
|
|
|
$ time ./waka 1000000 | gzip -v >/dev/null
|
|
|
|
8.3%
|
|
|
|
real 0m12.404s
|
|
|
|
\end{verbatim}
|
|
|
|
}
|
|
|
|
\end{frame}
|
|
|
|
|
2005-04-17 06:08:31 +00:00
|
|
|
\begin{frame}[fragile]
|
|
|
|
\frametitle{ADMmutate Distribution - 1}
|
|
|
|
\include{admtable}
|
|
|
|
\end{frame}
|
|
|
|
\begin{frame}[fragile]
|
|
|
|
\frametitle{ADMmutate Distribution - 2}
|
|
|
|
\include{admtable2}
|
|
|
|
\end{frame}
|
|
|
|
\begin{frame}[fragile]
|
|
|
|
\frametitle{OptyNop2 Distribution - 1}
|
|
|
|
\include{optytable}
|
|
|
|
\end{frame}
|
|
|
|
\begin{frame}[fragile]
|
|
|
|
\frametitle{OptyNop2 Distribution - 2}
|
|
|
|
\include{optytable2}
|
|
|
|
\end{frame}
|
|
|
|
|
2005-04-17 18:32:41 +00:00
|
|
|
\subsection{Conclusion}
|
2005-04-16 20:47:33 +00:00
|
|
|
\begin{frame}
|
2005-04-17 18:32:41 +00:00
|
|
|
\frametitle{Benefits}
|
2005-04-17 23:05:05 +00:00
|
|
|
\begin{sitemize}
|
2005-04-17 18:32:41 +00:00
|
|
|
\item Not very difficult to gain lots more randomness
|
|
|
|
\item NIDS is far, far, behind
|
|
|
|
\item Added robustness (bad char / bad regs)
|
|
|
|
\item More versatile sled generation (nop stuffing, etc)
|
2005-04-17 23:05:05 +00:00
|
|
|
\end{sitemize}
|
2005-04-16 20:47:33 +00:00
|
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
2005-04-17 18:32:41 +00:00
|
|
|
\frametitle{Possible Improvements}
|
2005-04-17 23:05:05 +00:00
|
|
|
\begin{sitemize}
|
2005-04-17 18:32:41 +00:00
|
|
|
\item Support processor flags (nop stuffing)
|
|
|
|
\item Support 2-byte opcodes / escape groups (not worth it)
|
|
|
|
\item Improved scoring systems, look-ahead, etc
|
|
|
|
\item Try to output according to a given byte distribution
|
|
|
|
\item Make it faster and use less memory
|
2005-04-17 23:05:05 +00:00
|
|
|
\end{sitemize}
|
2005-04-16 20:47:33 +00:00
|
|
|
\end{frame}
|
|
|
|
|
|
|
|
|
|
|
|
\section*{Summary}
|
|
|
|
|
2005-04-17 03:08:23 +00:00
|
|
|
|
2005-04-16 20:47:33 +00:00
|
|
|
\begin{frame}
|
|
|
|
\frametitle<presentation>{Summary}
|
|
|
|
|
|
|
|
% Keep the summary *very short*.
|
2005-04-17 23:05:05 +00:00
|
|
|
\begin{sitemize}
|
2005-04-16 20:47:33 +00:00
|
|
|
\item
|
|
|
|
The \alert{first main message} of your talk in one or two lines.
|
|
|
|
\item
|
|
|
|
The \alert{second main message} of your talk in one or two lines.
|
|
|
|
\item
|
|
|
|
Perhaps a \alert{third message}, but not more than that.
|
2005-04-17 23:05:05 +00:00
|
|
|
\end{sitemize}
|
2005-04-16 20:47:33 +00:00
|
|
|
|
|
|
|
% The following outlook is optional.
|
|
|
|
\vskip0pt plus.5fill
|
2005-04-17 23:05:05 +00:00
|
|
|
\begin{sitemize}
|
2005-04-16 20:47:33 +00:00
|
|
|
\item
|
|
|
|
Outlook
|
2005-04-17 23:05:05 +00:00
|
|
|
\begin{sitemize}
|
2005-04-16 20:47:33 +00:00
|
|
|
\item
|
|
|
|
Something you haven't solved.
|
|
|
|
\item
|
|
|
|
Something else you haven't solved.
|
2005-04-17 23:05:05 +00:00
|
|
|
\end{sitemize}
|
|
|
|
\end{sitemize}
|
2005-04-16 20:47:33 +00:00
|
|
|
\end{frame}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
% All of the following is optional and typically not needed.
|
|
|
|
\appendix
|
|
|
|
\section<presentation>*{\appendixname}
|
|
|
|
\subsection<presentation>*{For Further Reading}
|
|
|
|
|
|
|
|
\begin{frame}[allowframebreaks]
|
|
|
|
\frametitle<presentation>{For Further Reading}
|
|
|
|
|
|
|
|
\begin{thebibliography}{10}
|
|
|
|
|
|
|
|
\beamertemplatebookbibitems
|
|
|
|
% Start with overview books.
|
|
|
|
|
|
|
|
\bibitem{Author1990}
|
|
|
|
A.~Author.
|
|
|
|
\newblock {\em Handbook of Everything}.
|
|
|
|
\newblock Some Press, 1990.
|
|
|
|
|
|
|
|
|
|
|
|
\beamertemplatearticlebibitems
|
|
|
|
% Followed by interesting articles. Keep the list short.
|
|
|
|
|
|
|
|
\bibitem{Someone2000}
|
|
|
|
S.~Someone.
|
|
|
|
\newblock On this and that.
|
|
|
|
\newblock {\em Journal of This and That}, 2(1):50--100,
|
|
|
|
2000.
|
|
|
|
\end{thebibliography}
|
|
|
|
\end{frame}
|
|
|
|
|
|
|
|
\end{document}
|
|
|
|
|
|
|
|
|