slides update
git-svn-id: file:///home/svn/incoming/trunk@2624 4d416f70-5f16-0410-b530-b9f4589650daunstable
parent
6fabe8b176
commit
11004b5a6a
BIN
dev/bh/bh05.pdf
BIN
dev/bh/bh05.pdf
141
dev/bh/bh05.tex
141
dev/bh/bh05.tex
|
@ -14,6 +14,7 @@
|
||||||
% Love from spoon
|
% Love from spoon
|
||||||
\newcommand{\pdfpart}[1]{\label{pdfpart-#1}\pdfbookmark[0]{#1}{pdfpart-#1}\part{#1}}
|
\newcommand{\pdfpart}[1]{\label{pdfpart-#1}\pdfbookmark[0]{#1}{pdfpart-#1}\part{#1}}
|
||||||
\newenvironment{sitemize}{\vspace{1mm}\begin{itemize}\itemsep 4pt\small}{\end{itemize}}
|
\newenvironment{sitemize}{\vspace{1mm}\begin{itemize}\itemsep 4pt\small}{\end{itemize}}
|
||||||
|
\newenvironment{senumerate}{\vspace{1mm}\begin{enumerate}\itemsep 4pt\small}{\end{enumerate}}
|
||||||
|
|
||||||
% Presentation meta-information
|
% Presentation meta-information
|
||||||
\title{Beyond EIP}
|
\title{Beyond EIP}
|
||||||
|
@ -65,7 +66,6 @@
|
||||||
\begin{sitemize}
|
\begin{sitemize}
|
||||||
\item Windows Ordinal Stagers
|
\item Windows Ordinal Stagers
|
||||||
\item PassiveX
|
\item PassiveX
|
||||||
\item Egghunt
|
|
||||||
\end{sitemize}
|
\end{sitemize}
|
||||||
|
|
||||||
\pause
|
\pause
|
||||||
|
@ -521,36 +521,136 @@
|
||||||
\end{sitemize}
|
\end{sitemize}
|
||||||
\end{frame}
|
\end{frame}
|
||||||
|
|
||||||
\section{Egghunt}
|
|
||||||
\begin{frame}[t]
|
|
||||||
\frametitle{Overview}
|
|
||||||
\end{frame}
|
|
||||||
\begin{frame}[t]
|
|
||||||
\frametitle{Hunting for eggs with SEH}
|
|
||||||
\end{frame}
|
|
||||||
\begin{frame}[t]
|
|
||||||
\frametitle{Hunting for eggs with system calls}
|
|
||||||
\end{frame}
|
|
||||||
|
|
||||||
\pdfpart{Payload Stages}
|
\pdfpart{Payload Stages}
|
||||||
|
|
||||||
\begin{frame}[t]
|
\begin{frame}[t]
|
||||||
\frametitle{What are post-exploitation stages?}
|
\frametitle{What are payload stages?}
|
||||||
|
|
||||||
|
\begin{sitemize}
|
||||||
|
\item Payload stages are executed by payload stagers and
|
||||||
|
perform arbitrary tasks
|
||||||
|
|
||||||
|
\pause
|
||||||
|
\item Some examples of payload stages include
|
||||||
|
\begin{sitemize}
|
||||||
|
\item Execute a command shell and redirect IO to the
|
||||||
|
attacker
|
||||||
|
\item Execute an arbitrary command
|
||||||
|
\item Download an executable from a URL and execute it
|
||||||
|
\end{sitemize}
|
||||||
|
\end{sitemize}
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
\begin{frame}[t]
|
||||||
|
\frametitle{Why are payload stages useful?}
|
||||||
|
|
||||||
|
\begin{sitemize}
|
||||||
|
\item Can be executed independent of connection method
|
||||||
|
(portbind, reverse)
|
||||||
|
\begin{sitemize}
|
||||||
|
\item All stagers store the connection file descriptor
|
||||||
|
in a common register
|
||||||
|
\end{sitemize}
|
||||||
|
|
||||||
|
\pause
|
||||||
|
\item Not subject to size limitations of individual
|
||||||
|
vulnerabilities
|
||||||
|
\end{sitemize}
|
||||||
\end{frame}
|
\end{frame}
|
||||||
|
|
||||||
\section{Library Injection}
|
\section{Library Injection}
|
||||||
|
|
||||||
|
\subsection{Overview}
|
||||||
|
|
||||||
\begin{frame}[t]
|
\begin{frame}[t]
|
||||||
\frametitle{Overview}
|
\frametitle{The library injection stage}
|
||||||
|
|
||||||
|
\begin{sitemize}
|
||||||
|
\item Payload stage that provides a method of loading a
|
||||||
|
library (DLL) into the exploited process
|
||||||
|
|
||||||
|
\pause
|
||||||
|
\item Libraries are functionally equivalent to executables
|
||||||
|
\begin{sitemize}
|
||||||
|
\item Full access to various OS-provided APIs
|
||||||
|
\item Can do anything an executable can do
|
||||||
|
\end{sitemize}
|
||||||
|
|
||||||
|
\pause
|
||||||
|
\item Library injection is covert; no new processes
|
||||||
|
need to be created
|
||||||
|
|
||||||
|
\pause
|
||||||
|
\item Technical write-up at \\
|
||||||
|
\footnotesize{\url{http://www.nologin.org/Downloads/Papers/remote-library-injection.pdf}}
|
||||||
|
|
||||||
|
% TODO: elaborate?
|
||||||
|
\end{sitemize}
|
||||||
\end{frame}
|
\end{frame}
|
||||||
|
|
||||||
\begin{frame}[t]
|
\begin{frame}[t]
|
||||||
\frametitle{Types of library injection}
|
\frametitle{Types of library injection}
|
||||||
|
|
||||||
|
\begin{sitemize}
|
||||||
|
\item Three primary methods exist to inject a library
|
||||||
|
\begin{senumerate}
|
||||||
|
\item \textbf{On-Disk}: loading a library from the target's
|
||||||
|
harddrive or a file share
|
||||||
|
\item \textbf{In-Memory}: loading a library entirely from memory
|
||||||
|
\item \textbf{ActiveX}: loading a library through Internet
|
||||||
|
Explorer's ActiveX support
|
||||||
|
\end{senumerate}
|
||||||
|
\item On-Disk and In-Memory techniques are conceptually
|
||||||
|
portable to non-Windows platforms
|
||||||
|
\end{sitemize}
|
||||||
\end{frame}
|
\end{frame}
|
||||||
|
|
||||||
\begin{frame}[t]
|
\begin{frame}[t]
|
||||||
\frametitle{In-memory library injection on Windows}
|
\frametitle{On-Disk library injection}
|
||||||
|
|
||||||
|
\begin{sitemize}
|
||||||
|
\item Loading a library from disk has been the defacto
|
||||||
|
standard for Windows payloads
|
||||||
|
\item Loading a library from a file share first
|
||||||
|
discussed by Brett Moore
|
||||||
|
|
||||||
|
\pause
|
||||||
|
\item Subject to filtering by Antivirus due to
|
||||||
|
filesystem access
|
||||||
|
\item Requires that the library file exist on the target's
|
||||||
|
harddrive or that the file share be reachable
|
||||||
|
\end{sitemize}
|
||||||
\end{frame}
|
\end{frame}
|
||||||
|
|
||||||
\begin{frame}[t]
|
\begin{frame}[t]
|
||||||
\frametitle{In-memory library injection on UNIX}
|
\frametitle{In-Memory library injection}
|
||||||
|
|
||||||
|
\begin{sitemize}
|
||||||
|
\item First Windows implementation released with Metasploit 2.2
|
||||||
|
|
||||||
|
\pause
|
||||||
|
\item Libraries are loaded entirely from memory
|
||||||
|
|
||||||
|
\pause
|
||||||
|
\item No disk access means no Antivirus interference
|
||||||
|
|
||||||
|
\pause
|
||||||
|
\item Most stealthy form of library injection thus far
|
||||||
|
identified
|
||||||
|
\end{sitemize}
|
||||||
\end{frame}
|
\end{frame}
|
||||||
|
|
||||||
|
\subsection{Implementation on Windows}
|
||||||
|
|
||||||
|
\begin{frame}[t]
|
||||||
|
\frametitle{Implementing In-Memory library injection on Windows}
|
||||||
|
|
||||||
|
\begin{sitemize}
|
||||||
|
\item Loading libraries from memory means tricking the
|
||||||
|
native loader provided in \texttt{NTDLL.DLL}
|
||||||
|
\end{sitemize}
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
\begin{frame}[t]
|
\begin{frame}[t]
|
||||||
\frametitle{Library injection in action: VNC}
|
\frametitle{Library injection in action: VNC}
|
||||||
\end{frame}
|
\end{frame}
|
||||||
|
@ -601,6 +701,11 @@
|
||||||
\item PassiveX \\
|
\item PassiveX \\
|
||||||
\footnotesize{\url{http://www.uninformed.org/?v=1&a=3&t=sumry}}
|
\footnotesize{\url{http://www.uninformed.org/?v=1&a=3&t=sumry}}
|
||||||
\end{sitemize}
|
\end{sitemize}
|
||||||
|
\textbf{Payload Stages}
|
||||||
|
\begin{sitemize}
|
||||||
|
\item Library Injection \\
|
||||||
|
\footnotesize{\url{http://www.nologin.org/Downloads/Papers/remote-library-injection.pdf}}
|
||||||
|
\end{sitemize}
|
||||||
\end{frame}
|
\end{frame}
|
||||||
|
|
||||||
\appendix
|
\appendix
|
||||||
|
@ -644,8 +749,8 @@ AD lodsd ; eax = [esi] ; esi += 4
|
||||||
01E9 add ecx,ebp ; ecx += ws2base
|
01E9 add ecx,ebp ; ecx += ws2base
|
||||||
8B4158 mov eax,[ecx+0x58] ; eax = socket rva
|
8B4158 mov eax,[ecx+0x58] ; eax = socket rva
|
||||||
01E8 add eax,ebp ; eax += ws2base
|
01E8 add eax,ebp ; eax += ws2base
|
||||||
8B713C mov esi,[ecx+0x3c] ; eax = recv rva
|
8B713C mov esi,[ecx+0x3c] ; esi = recv rva
|
||||||
01EE add esi,ebp ; eax += ws2base
|
01EE add esi,ebp ; esi += ws2base
|
||||||
03690C add ebp,[ecx+0xc] ; ebp += connect rva
|
03690C add ebp,[ecx+0xc] ; ebp += connect rva
|
||||||
\end{verbatim}
|
\end{verbatim}
|
||||||
}
|
}
|
||||||
|
|
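Review bot: The new library-injection lines `\footnotesize{\url{http://www.nologin.org/Downloads/Papers/remote-library-injection.pdf}}` (the "Technical write-up at" item and the "Payload Stages" reference item) use `\footnotesize` as though it took an argument, but it is a font-size declaration, so the braces only group the URL and the size change persists until the enclosing `sitemize` closes. Write both as `{\footnotesize\url{http://www.nologin.org/Downloads/Papers/remote-library-injection.pdf}}`; the PassiveX context line has the same shape but predates this commit. Separately, `\section{Egghunt}` is added with three frames that contain only a `\frametitle`, while the same commit removes `\item Egghunt` from the stager overview list; if the empty frames are intentional placeholders, a `% TODO: egghunt content` comment in each would say so, and the outline item presumably belongs back until the section is dropped. The new `senumerate` environment also copies `sitemize`'s hand-tuned `\vspace{1mm}` and `\itemsep 4pt`; if the preamble (not visible here) loads `enumitem`, both could be configured once with `\setlist` instead of per-environment spacing hacks.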