328 lines
8.6 KiB
TeX
328 lines
8.6 KiB
TeX
\documentclass{beamer}
|
|
\usepackage{graphicx}
|
|
\usepackage{color}
|
|
|
|
\mode<presentation> { }
|
|
|
|
\usepackage[english]{babel}
|
|
\usepackage[latin1]{inputenc}
|
|
\usepackage{times}
|
|
\usepackage[T1]{fontenc}
|
|
% I think this looks cool, but whateva! - skape
|
|
%\usepackage{beamerthemeshadow}
|
|
|
|
% Love from spoon
|
|
\newcommand{\pdfpart}[1]{\label{pdfpart-#1}\pdfbookmark[0]{#1}{pdfpart-#1}\part{#1}}
|
|
\newenvironment{sitemize}{\vspace{1mm}\begin{itemize}\itemsep 4pt\small}{\end{itemize}}
|
|
|
|
% Presentation meta-information
|
|
\title{Beyond EIP}
|
|
\author[spoonm \& skape] {spoonm \& skape}
|
|
\date[BlackHat 2005] {BlackHat, 2005}
|
|
\subject{Beyond EIP}
|
|
|
|
% Add a spacer between each part
|
|
\AtBeginPart{\frame{\partpage}}
|
|
|
|
% Turn off the navigation on the bottom yo
|
|
\setbeamertemplate{navigation symbols}{}
|
|
% spoon hates berkeley!
|
|
%\usetheme[width=2.2cm]{Berkeley}
|
|
%\usecolortheme{sidebartab}
|
|
|
|
\begin{document}
|
|
|
|
\begin{frame}[t]
|
|
\titlepage
|
|
\end{frame}
|
|
|
|
\part{Introduction}
|
|
|
|
\section{Introduction}
|
|
\begin{frame}[t]
|
|
\frametitle{Who are we?}
|
|
|
|
\begin{sitemize}
|
|
\item spoonm
|
|
\begin{sitemize}
|
|
\item Full-time student at a Canadian university
|
|
\item Metasploit developer since late 2003
|
|
\end{sitemize}
|
|
|
|
\item skape
|
|
\begin{sitemize}
|
|
\item Lead software developer by day
|
|
\item Independent security researcher by night
|
|
\item Joined the Metasploit project in 2004
|
|
\end{sitemize}
|
|
\end{sitemize}
|
|
\end{frame}
|
|
\begin{frame}[t]
|
|
\frametitle{What will we discuss?}
|
|
|
|
\begin{sitemize}
|
|
\item Payload stagers
|
|
\begin{sitemize}
|
|
\item Windows Ordinal Stagers
|
|
\item PassiveX
|
|
\item Egghunt
|
|
\end{sitemize}
|
|
|
|
\pause
|
|
\item Payload stages
|
|
\begin{sitemize}
|
|
\item Library Injection
|
|
\item The Meterpreter
|
|
\item DispatchNinja
|
|
\end{sitemize}
|
|
|
|
\pause
|
|
\item Post-exploitation suites
|
|
\begin{sitemize}
|
|
\item Very hot area of research for the Metasploit team
|
|
\item Suites built off of advanced payload research
|
|
\item Client-side APIs create uniform automation interfaces
|
|
\item Primary focus of Metasploit 3.0
|
|
\end{sitemize}
|
|
\end{sitemize}
|
|
\end{frame}
|
|
\begin{frame}[t]
|
|
\frametitle{Background: the exploitation cycle}
|
|
|
|
\begin{sitemize}
|
|
\item \textbf{Pre-exploitation} - Before the attack
|
|
\begin{sitemize}
|
|
\item Find a bug and isolate it
|
|
\item Write the exploit, payloads, and tools
|
|
\end{sitemize}
|
|
|
|
\pause
|
|
\item \textbf{Exploitation} - Leveraging the vulnerability
|
|
\begin{sitemize}
|
|
\item Find a vulnerable target
|
|
\item Gather information
|
|
\item Initialize tools and post-exploitation handlers
|
|
\item Launch the exploit
|
|
\end{sitemize}
|
|
|
|
\pause
|
|
\item \textbf{Post-exploitation} - Manipulating the target
|
|
\begin{sitemize}
|
|
\item Command shell redirection
|
|
\item Arbitrary command execution
|
|
\item Pivoting
|
|
\item Advanced payload interaction
|
|
\end{sitemize}
|
|
\end{sitemize}
|
|
\end{frame}
|
|
|
|
\pdfpart{Exploitation Technology's State of Affairs}
|
|
|
|
\section{Pre-exploitation}
|
|
\begin{frame}[t]
|
|
\frametitle{Payload encoders}
|
|
|
|
\begin{sitemize}
|
|
\item Robust and elegant encoders do exist
|
|
\begin{sitemize}
|
|
\item SkyLined's Alpha2 x86 alphanumeric encoder
|
|
\item Spoonm's high-permutation Shikata Ga Nai
|
|
\end{sitemize}
|
|
|
|
\pause
|
|
\item Payload encoders generally taken for granted
|
|
\begin{sitemize}
|
|
\item Most encoders use a static decoder stub
|
|
\item Makes NIDS signatures easy to write
|
|
\end{sitemize}
|
|
\end{sitemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}[t]
|
|
\frametitle{NOP generators}
|
|
|
|
\begin{sitemize}
|
|
\item NOP generation hasn't publicly changed much
|
|
\begin{sitemize}
|
|
\item Most PoC exploits use predictable single-byte NOPs (\texttt{0x90}), if any
|
|
\item ADMmutate's NOP generator easily signatured by NIDS (Snort, Fnord)
|
|
\item Not considered an important research topic to most
|
|
\end{sitemize}
|
|
|
|
\pause
|
|
\item Still, NIDS continues to play chase the tail
|
|
\begin{sitemize}
|
|
\item The mouse always has the advantage; NIDS is reactive
|
|
\item Advanced NOP generators and encoders push NIDS to its limits
|
|
\item Many protocols can be complex to signature (DCERPC fragmentation)
|
|
\end{sitemize}
|
|
|
|
\pause
|
|
\item Metasploit 2.4 released with a wide-distribution
|
|
multi-byte x86 NOP generator (Opty2)
|
|
\end{sitemize}
|
|
\end{frame}
|
|
|
|
\section{Exploitation}
|
|
\begin{frame}[t]
|
|
\frametitle{Exploitation techniques}
|
|
|
|
\begin{sitemize}
|
|
\item Exploitation techniques have become very mature
|
|
\begin{sitemize}
|
|
\item Linux/BSD/Solaris techniques are largely unchanged
|
|
\item Windows heap overflows can be made more reliable (Oded/Shok)
|
|
\item Windows SEH overwrites make exploitation easy, even on XPSP2
|
|
\end{sitemize}
|
|
|
|
\pause
|
|
\item Exploitation vectors have been beaten to death
|
|
\pause
|
|
\item ...so we wont be talking about them
|
|
\end{sitemize}
|
|
\end{frame}
|
|
|
|
\section{Post-exploitation}
|
|
\begin{frame}[t]
|
|
\frametitle{Standard payloads}
|
|
|
|
\begin{sitemize}
|
|
\item Standard payloads provide the most basic manipulation
|
|
of a target
|
|
\begin{sitemize}
|
|
\item Port-bind command shell
|
|
\item Reverse (connectback) command shell
|
|
\item Arbitrary command execution
|
|
\end{sitemize}
|
|
|
|
\pause
|
|
\item Nearly all PoC exploits use standard payloads
|
|
|
|
\pause
|
|
\item Command shells have poor automation support
|
|
\begin{sitemize}
|
|
\item Platform dependent intrinsic commands and
|
|
scripting
|
|
\item Reliant on the set of applications installed on the
|
|
machine
|
|
\item Hindered by by chroot jails and host-based ACLs
|
|
\end{sitemize}
|
|
\end{sitemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}[t]
|
|
\frametitle{``Advantage'' payloads}
|
|
|
|
\begin{sitemize}
|
|
\item Advantage payloads provide enhanced manipulation of
|
|
hosts, commonly through the native API
|
|
\item Help to reduce the tediousness of writing payloads
|
|
|
|
\item Core ST's InlineEgg
|
|
|
|
% TODO: Elaborate on InlineEgg
|
|
% TODO: others...
|
|
\end{sitemize}
|
|
\end{frame}
|
|
|
|
\pdfpart{Payload Stagers}
|
|
|
|
\begin{frame}[t]
|
|
\frametitle{What are payload stagers?}
|
|
|
|
\begin{sitemize}
|
|
\item Typically small stubs that load and execute another payload
|
|
\item Useful in conditions where size is limited
|
|
\end{sitemize}
|
|
|
|
% TODO: diagram of a stager?
|
|
\end{frame}
|
|
|
|
\section{Windows Ordinal Stagers}
|
|
\begin{frame}[t]
|
|
\frametitle{Introduction}
|
|
\end{frame}
|
|
\begin{frame}[t]
|
|
\frametitle{Implementation: reverse stager}
|
|
\end{frame}
|
|
|
|
\section{PassiveX}
|
|
\begin{frame}[t]
|
|
\frametitle{Overview}
|
|
\end{frame}
|
|
\begin{frame}[t]
|
|
\frametitle{Implementation}
|
|
\end{frame}
|
|
\begin{frame}[t]
|
|
\frametitle{Practical use: HTTP tunneling}
|
|
\end{frame}
|
|
\begin{frame}[t]
|
|
\frametitle{Pros \& cons}
|
|
\end{frame}
|
|
|
|
\section{Egghunt}
|
|
\begin{frame}[t]
|
|
\frametitle{Overview}
|
|
\end{frame}
|
|
\begin{frame}[t]
|
|
\frametitle{Hunting for eggs with SEH}
|
|
\end{frame}
|
|
\begin{frame}[t]
|
|
\frametitle{Hunting for eggs with system calls}
|
|
\end{frame}
|
|
|
|
\pdfpart{Payload Stages}
|
|
|
|
\begin{frame}[t]
|
|
\frametitle{What are post-exploitation stages?}
|
|
\end{frame}
|
|
|
|
\section{Library Injection}
|
|
\begin{frame}[t]
|
|
\frametitle{Overview}
|
|
\end{frame}
|
|
\begin{frame}[t]
|
|
\frametitle{Types of library injection}
|
|
\end{frame}
|
|
\begin{frame}[t]
|
|
\frametitle{In-memory library injection on Windows}
|
|
\end{frame}
|
|
\begin{frame}[t]
|
|
\frametitle{In-memory library injection on UNIX}
|
|
\end{frame}
|
|
\begin{frame}[t]
|
|
\frametitle{Library injection in action: VNC}
|
|
\end{frame}
|
|
|
|
\section{Meterpreter}
|
|
\begin{frame}[t]
|
|
\frametitle{Overview}
|
|
\end{frame}
|
|
\begin{frame}[t]
|
|
\frametitle{Design goals}
|
|
\end{frame}
|
|
\begin{frame}[t]
|
|
\frametitle{Communication protocol specification}
|
|
\end{frame}
|
|
\begin{frame}[t]
|
|
\frametitle{Client/Server architecture}
|
|
\end{frame}
|
|
\begin{frame}[t]
|
|
\frametitle{Extension flexibilities}
|
|
\end{frame}
|
|
\begin{frame}[t]
|
|
\frametitle{Meterpreter extensions in action: Stdapi}
|
|
\end{frame}
|
|
|
|
\section{DispatchNinja}
|
|
\begin{frame}[t]
|
|
\frametitle{Cool dN stuff here}
|
|
\end{frame}
|
|
|
|
\pdfpart{Post-Exploitation Suites}
|
|
|
|
\section{Post-Exploitation Suites}
|
|
\subsection{Motivations \& Goals}
|
|
|
|
\end{document}
|