From 9e745d219c30fb64c1b6c77410c3fc1167db5503 Mon Sep 17 00:00:00 2001
From: Spoon M
Date: Mon, 13 Jun 2005 18:49:36 +0000
Subject: [PATCH] ug
git-svn-id: file:///home/svn/incoming/trunk@2639 4d416f70-5f16-0410-b530-b9f4589650da
---
 dev/bh/bh05.tex | 192 +++++++++++++++++++++++------------------------
 1 file changed, 92 insertions(+), 100 deletions(-)
diff --git a/dev/bh/bh05.tex b/dev/bh/bh05.tex
index 054328439b..48beb13116 100644
--- a/dev/bh/bh05.tex
+++ b/dev/bh/bh05.tex
@@ -37,6 +37,13 @@
 \titlepage
 \end{frame}
+
+%
+% Introduction
+% - Who are we
+% - Why are we here, what will we say
+% - What order we're going to say it in
+%
 \pdfpart{Introduction}
 \begin{frame}[t]
@@ -126,6 +133,25 @@
 \end{sitemize}
 \end{frame}
+%
+% This section is basically here to introduce them to all of the mechanisms
+% of a modern day payload system. Just introduce and define the pieces, and
+% explain their roles. Then, later, we will discuss the details of them..
+%
+% We should try hard not to introduce anything new in this section!, Any
+% examples in explainations
+%
+% This section should be an _introduction_ to what payload infrastructure is
+% but it should not have any specific details about our implementations.
+%
+% - What is a nop sled, and why / how / when do we use them
+% - What is an encoder, and why / how / when do we use them
+% - What is a stager and stage, why / how / when do we use them
+%
+% We should also talk about egghunt, heapfix, jmpcode, etc. We should have
+% a name for these sort of things, they are like "bootstrap" codes, or
+% something. Like, we need a a good name for them dude!
+%
 \pdfpart{Payload Infrastructure}
 \section{Introduction}
@@ -154,82 +180,21 @@
 % Don't really need them for win32, why?
 % Previous work (0x90, admutate)
-\subsection{OptyNop2}
-% Multi byte sled, just an example output
-% Things it supports
-% - jmps, loops
-% - prefixes
-% - badchar/reg avoidence, etc
-
 \section{Encoders}
 \subsection{Introduction}
-\subsection{Shikata}
+% Why, etc
+% Talk about any previous work?
 \section{Payloads}
 \subsection{Introduction}
-% Previous work
-% InlineEgg, mosdef
+% Previous work?
 % Explain singles/stagers/stages
 \subsection{Egg Hunters}
 % What is an egghunter and why
-% Syscall research
-% Maybe some of the linux stuff too
+
 \subsection{Stagers}
 % What is a stager and why
-% Ordinal
-% General staging architecture...
-% DLL injection.. stager?
-\subsection{Stages}
-% Command shell
-% Piped shell for socket() (ordinal stuff)
-% mention how post-exploitatoin tools would generally be a stage..
-
-\section{Post-exploitation}
-\begin{frame}[t]
- \frametitle{Standard payloads}
-
- \begin{sitemize}
- \item Standard payloads provide the most basic manipulation
- of a target
- \begin{sitemize}
- \item Port-bind command shell
- \item Reverse (connectback) command shell
- \item Arbitrary command execution
- \end{sitemize}
-
- \pause
- \item Nearly all PoC exploits use standard payloads
-
- \pause
- \item Command shells have poor automation support
- \begin{sitemize}
- \item Platform dependent intrinsic commands and
- scripting
- \item Reliant on the set of applications installed on the
- machine
- \item Hindered by chroot jails and host-based ACLs
- \end{sitemize}
- \end{sitemize}
-\end{frame}
-
-\begin{frame}[t]
- \frametitle{``Advantage'' payloads}
-
- \begin{sitemize}
- \item Advantage payloads provide enhanced manipulation of
- hosts, commonly through the native API
- \item Help to reduce the tediousness of writing payloads
-
- \item Core ST's InlineEgg
-
- % TODO: Elaborate on InlineEgg
- % TODO: others...
- \end{sitemize}
-\end{frame}
-
-\pdfpart{Payload Stagers}
-
 \begin{frame}[t]
 \frametitle{What are payload stagers?}
@@ -281,6 +246,68 @@
 \end{sitemize}
 \end{frame}
+\subsection{Stages}
+% Command shell
+% or whatever
+\begin{frame}[t]
+ \frametitle{What are payload stages?}
+
+ \begin{sitemize}
+ \item Payload stages are executed by payload stagers and
+ perform arbitrary tasks
+
+ \pause
+ \item Some examples of payload stages include
+ \begin{sitemize}
+ \item Execute a command shell and redirect IO to the
+ attacker
+ \item Execute an arbitrary command
+ \item Download an executable from a URL and execute it
+ \end{sitemize}
+ \end{sitemize}
+\end{frame}
+
+\begin{frame}[t]
+ \frametitle{Why are payload stages useful?}
+
+ \begin{sitemize}
+ \item Can be executed independent of connection method
+ (portbind, reverse)
+ \begin{sitemize}
+ \item All stagers store the connection file descriptor
+ in a common register
+ \end{sitemize}
+
+ \pause
+ \item Not subject to size limitations of individual
+ vulnerabilities
+ \end{sitemize}
+\end{frame}
+
+
+\begin{frame}[t]
+ \frametitle{``Advantage'' payloads}
+
+ \begin{sitemize}
+ \item Advantage payloads provide enhanced manipulation of
+ hosts, commonly through the native API
+ \item Help to reduce the tediousness of writing payloads
+
+ \item Core ST's InlineEgg
+
+ % TODO: Elaborate on InlineEgg
+ % TODO: others...
+ \end{sitemize}
+\end{frame}
+
+\pdfpart{Nop Sleds}
+
+\section{OptyNop2}
+
+\begin{frame}
+\end{frame}
+
+\pdfpart{Payload Stagers}
 \section{Windows Ordinal Stagers}
 \subsection{Overview}
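Review bot: The `Standard payloads` frame (port-bind shell, reverse shell, arbitrary command execution, and the point that command shells are hindered by chroot jails and host-based ACLs) is deleted outright in this hunk, whereas the adjacent `Advantage payloads` frame is only relocated, so the baseline that "advantage" payloads are contrasted against no longer appears anywhere visible in this commit. If the drop is unintended, the frame belongs under the new `\subsection{Stages}`; if it is deliberate, a marker such as `% TODO: standard payloads (portbind / reverse / exec) frame removed -- reinstate or fold into Stages` would keep the gap from being lost. The hunk also replaces the concrete OptyNop2 and Shikata outline notes with placeholders like `% Why, etc`, so the earlier detail (multi-byte sled, jmps/loops, prefixes, badchar/register avoidance) is only recoverable from history.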
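Review bot: The `Why are payload stages useful?` slide asserts that all stagers leave the connection file descriptor in a common register, but it neither names that register nor states the stage-side obligation, and that register convention is the one contract between stager and stage a reader would need to write a compatible stage. Add a sub-item along the lines of `\item The stage reads the descriptor from that register on entry and must not clobber it beforehand`, filling in the register the deck's stagers actually use. Separately, the new `\section{OptyNop2}` contains an empty `\begin{frame}\end{frame}`, which will come out as a blank slide; mark it `% TODO: multi-byte sled example, jmps/loops, prefixes, badchar/register avoidance` so the outline dropped earlier in this commit is not lost. All frames touched here are complete within the hunk.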
@@ -524,41 +551,6 @@
 \pdfpart{Payload Stages}
-\begin{frame}[t]
- \frametitle{What are payload stages?}
-
- \begin{sitemize}
- \item Payload stages are executed by payload stagers and
- perform arbitrary tasks
-
- \pause
- \item Some examples of payload stages include
- \begin{sitemize}
- \item Execute a command shell and redirect IO to the
- attacker
- \item Execute an arbitrary command
- \item Download an executable from a URL and execute it
- \end{sitemize}
- \end{sitemize}
-\end{frame}
-
-\begin{frame}[t]
- \frametitle{Why are payload stages useful?}
-
- \begin{sitemize}
- \item Can be executed independent of connection method
- (portbind, reverse)
- \begin{sitemize}
- \item All stagers store the connection file descriptor
- in a common register
- \end{sitemize}
-
- \pause
- \item Not subject to size limitations of individual
- vulnerabilities
- \end{sitemize}
-\end{frame}
-
 \section{Library Injection}
 \subsection{Overview}