% $Header$
|
|
|
|
\documentclass{beamer}
|
|
\usepackage{graphicx}
|
|
\usepackage{color}
|
|
|
|
% This file is a solution template for:
|
|
|
|
% - Talk at a conference/colloquium.
|
|
% - Talk length is about 20min.
|
|
% - Style is ornate.
|
|
|
|
|
|
|
|
% Copyright 2004 by Till Tantau <tantau@users.sourceforge.net>.
|
|
%
|
|
% In principle, this file can be redistributed and/or modified under
|
|
% the terms of the GNU Public License, version 2.
|
|
%
|
|
% However, this file is supposed to be a template to be modified
|
|
% for your own needs. For this reason, if you use this file as a
|
|
% template and not specifically distribute it as part of a another
|
|
% package/program, I grant the extra permission to freely copy and
|
|
% modify this file as you see fit and even to delete this copyright
|
|
% notice.
|
|
|
|
|
|
\mode<presentation>
|
|
{
|
|
% \usetheme{}
|
|
% or ...
|
|
|
|
\usecolortheme{seahorse}
|
|
% \usecolortheme{crane}
|
|
% \useinnertheme{inmargin}
|
|
|
|
\setbeamercovered{transparent}
|
|
% or whatever (possibly just delete it)
|
|
|
|
}
|
|
|
|
\usepackage[english]{babel}
|
|
% or whatever
|
|
|
|
\usepackage[latin1]{inputenc}
|
|
% or whatever
|
|
|
|
\usepackage{times}
|
|
\usepackage[T1]{fontenc}
|
|
% Or whatever. Note that the encoding and the font should match. If T1
|
|
% does not look nice, try deleting the line with the fontenc.
|
|
|
|
% Part header that also emits a top-level PDF bookmark. The body must call
% beamer's \part rather than \pdfpart itself: a self-reference here would either
% fail under \newcommand (if \pdfpart already existed) or recurse without end.
\newcommand{\pdfpart}[1]{\label{pdfpart-#1}\pdfbookmark[0]{#1}{pdfpart-#1}\part{#1}}
|
|
|
|
|
|
\title{Advanced Exploitation}
|
|
\author[hdm \& spoonm]
|
|
{hdm \& spoonm}
|
|
|
|
\date[CSW 2005] % (optional, should be abbreviation of conference name)
|
|
{CanSecWest, 2005}
|
|
|
|
\subject{Metasploit - Advanced Exploitation}
|
|
|
|
% Delete this, if you do not want the table of contents to pop up at
|
|
% the beginning of each subsection:
|
|
%\AtBeginSubsection[]
|
|
%{
|
|
% \begin{frame}<beamer>
|
|
% \frametitle{Outline}
|
|
% \tableofcontents[currentsection,currentsubsection]
|
|
% \end{frame}
|
|
%}
|
|
|
|
|
|
% turn off the navigation on the bottom yo
|
|
\setbeamertemplate{navigation symbols}{}
|
|
|
|
\begin{document}
|
|
|
|
\begin{frame}
|
|
\titlepage
|
|
\end{frame}
|
|
|
|
|
|
%--------------------------------------%
|
|
\pdfpart{Introduction}
|
|
%--------------------------------------%
|
|
|
|
\section{Introduction}
|
|
|
|
\subsection{Who are we?}
|
|
\begin{frame}
|
|
\frametitle{Who are we?}
|
|
\begin{itemize}
|
|
\item spoonm
|
|
\begin{itemize}
|
|
\item Security researcher
|
|
\item Full-time student
|
|
\item Metasploit developer
|
|
\end{itemize}
|
|
|
|
\item H D Moore
|
|
\begin{itemize}
|
|
\item Security researcher
|
|
\item Full-time employee
|
|
\item Metasploit developer
|
|
\end{itemize}
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\subsection{What is Metasploit?}
|
|
\begin{frame}
|
|
\frametitle{What is Metasploit?}
|
|
\begin{itemize}
|
|
\item Research project with 8 members
|
|
\item Created the Metasploit Framework
|
|
\begin{itemize}
|
|
\item Open-source exploit dev platform
|
|
\item Includes 60 exploits and 70 payloads
|
|
\item Implements ideas from everywhere
|
|
\item Currently four primary developers
|
|
\item Handful of external contributors
|
|
\end{itemize}
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\subsection{What is this about?}
|
|
\begin{frame}
|
|
\frametitle{What is this about?}
|
|
\begin{itemize}
|
|
\item Recent advances in exploit technology
|
|
\item New research, techniques, and code
|
|
\item Metasploit Framework 3.0
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
|
|
%--------------------------------------%
|
|
\pdfpart{Windows Exploitation}
|
|
%--------------------------------------%
|
|
\section{Windows Exploitation}
|
|
\begin{frame}
|
|
\frametitle{Windows Exploitation}
|
|
\begin{itemize}
|
|
\item The % TODO(review): incomplete bullet -- finish or remove before presenting
|
|
\item SEH frame overwrites still easy to exploit
|
|
\item Third-party applications buggy as ever
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
|
|
|
|
\subsection{Windows XP SP2}
|
|
\subsection{Windows 2003 SP1}
|
|
|
|
|
|
%--------------------------------------%
|
|
\pdfpart{Mac OS X Exploitation}
|
|
%--------------------------------------%
|
|
\section{Mac OS X Exploitation}
|
|
\subsection{PowerPC Constraints}
|
|
\begin{frame}
|
|
\frametitle{PowerPC Constraints}
|
|
\begin{itemize}
|
|
\item Mac OS X runs on PowerPC
|
|
\item PowerPC is a RISC-platform
|
|
\item Independent instruction and data caches (split I-cache / D-cache)
|
|
\item Fixed-width instructions
|
|
\item Stack overflows need to return twice to be exploitable
|
|
\item (Similar to exploits on SPARCs, etc)
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\subsection{Exploits are annoying}
|
|
\begin{frame}
|
|
\frametitle{Exploits are annoying}
|
|
\begin{itemize}
|
|
\item Double-return means having to patch other pointers
|
|
\item Code which calls \_exit before the second return is sometimes unexploitable
|
|
\item Shellcode must be placed where the i-cache does not already hold stale instructions for that memory (the I- and D-caches are independent)
|
|
\item Exploits can behave differently on different CPU models
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\subsection{Shellcode issues}
|
|
\begin{frame}
|
|
\frametitle{Shellcode issues}
|
|
\begin{itemize}
|
|
\item Double-return means having to patch other pointers
|
|
\item Code which calls \_exit before the second return is sometimes unexploitable
|
|
\item Shellcode must be placed where the i-cache does not already hold stale instructions for that memory (the I- and D-caches are independent)
|
|
\item Exploits can behave differently on different CPU models
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
|
|
%--------------------------------------%
|
|
\pdfpart{Return Addresses}
|
|
%--------------------------------------%
|
|
\section{Return Address Analysis}
|
|
\subsection{Reliability}
|
|
|
|
\begin{frame}
|
|
\frametitle{Who cares}
|
|
\begin{itemize}
|
|
\item An exploit is only as good as its return address
|
|
\item Many exploits allow one attempt before service crashes
|
|
\item Returning directly to the shellcode is usually not possible
|
|
\item Returning to existing code which jumps to the shellcode usually is
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\subsection{Analysis Tools}
|
|
\begin{frame}
|
|
\frametitle{Automated analysis}
|
|
\begin{itemize}
|
|
\item Tools like msfpescan and msfelfscan scan executables for usable return addresses
|
|
\item Very simple to cross-reference return addresses across versions
|
|
\item Memory dumping and offline scanning are also useful techniques
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{Opcode Databases}
|
|
\begin{itemize}
|
|
\item Searchable index of different types of return addresses
|
|
\item Only useful when addresses do not change between instances
|
|
\item Useful for operating systems like Windows, Mac OS X, and Solaris, where the addresses are the same across instances
|
|
\item Per-executable addresses potentially useful but DB is overkill
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{Current Development}
|
|
\begin{itemize}
|
|
\item Executable analysis tools for Solaris, Mac OS X, Linux, BSD
|
|
\item Usefulness limited compared to Windows platform
|
|
\item Static libraries are great for cross-version exploits
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\subsection{Impact of ASLR}
|
|
|
|
\begin{frame}
|
|
\frametitle{Address Space Layout Randomization}
|
|
\begin{itemize}
|
|
\item Randomize common memory addresses
|
|
\begin{itemize}
|
|
\item Stack
|
|
\item Heap
|
|
\item Anonymous memory mappings
|
|
\item Executable load addresses
|
|
\item Library load addresses
|
|
\end{itemize}
|
|
\item Simple way to break off-the-shelf exploits
|
|
\item Solid implementations can be difficult to bypass
|
|
\item Nearly zero overhead compared with page protection
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{Windows ASLR}
|
|
\begin{itemize}
|
|
\item WehnTrust is the only complete ASLR available for Win32 (as of 2005)
|
|
\item Breaks nearly all Win32 exploits
|
|
\item Partial overwrites and address leaks can be used to bypass it
|
|
\item Massive memory/heap consumption may help too
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{Unix ASLR}
|
|
\begin{itemize}
|
|
\item OpenBSD and Linux implementations available
|
|
\item Work with page protection to prevent code execution
|
|
\item Partial overwrites can sometimes bypass this
|
|
\item Return to library code may still be useful
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
|
|
%--------------------------------------%
|
|
\pdfpart{Post-Exploitation}
|
|
%--------------------------------------%
|
|
\section{Post-Exploitation}
|
|
\subsection{Windows Payloads}
|
|
|
|
\begin{frame}
|
|
\frametitle{The Meterpreter}
|
|
\begin{itemize}
|
|
\item Windows version uses in-memory DLL injection techniques
|
|
\item Dynamically extensible over the network
|
|
\item Extensions are standard Windows DLLs
|
|
\item Loading an extension updates available commands
|
|
\item Support for network encryption
|
|
\item Huge feature set in the public version
|
|
\begin{itemize}
|
|
\item Upload, download, and list files
|
|
\item List, create, and kill processes
|
|
\item Spawn ``channelized'' commands in the background
|
|
\item Create port forwarding channels to pivot attacks
|
|
\end{itemize}
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{Ordinal-based Stagers}
|
|
\begin{itemize}
|
|
\item Technique from Oded's lightning talk at core04
|
|
\item 92 bytes and works on every Windows version/SP
|
|
\item Staging system can chain vnc injection or Meterpreter
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{PassiveX}
|
|
\begin{itemize}
|
|
\item Payload modifies registry and launches IE
|
|
\item IE loads custom ActiveX control to stage the payload
|
|
\item Communications channel is via HTTP requests
|
|
\item Can be used to inject VNC, Meterpreter, etc
|
|
\item Uses IE settings to bypass firewalls (proxy, auth, etc)
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
|
|
\subsection{Unix Payloads}
|
|
|
|
\begin{frame}
|
|
\frametitle{Non-standard Network Stagers}
|
|
\begin{itemize}
|
|
\item UDP-based stager and network shell for Linux
|
|
\item UDP-based DNS request staging system
|
|
\item ICMP-based listener and ``reverse'' payloads
|
|
\item Find and recv socket re-use stagers
|
|
\item Source code in MSF, but many not integrated
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
|
|
|
|
%--------------------------------------%
|
|
\pdfpart{Improving Randomness in Attacks}
|
|
%--------------------------------------%
|
|
|
|
\begin{frame}
|
|
\frametitle{Outline}
|
|
\tableofcontents
|
|
\end{frame}
|
|
|
|
\section{Introduction}
|
|
\begin{frame}
|
|
\frametitle{Randomness, who cares?}
|
|
\begin{itemize}
|
|
% NOTE: this slide can probably be trashed -- temporary draft content (kept out of the rendered slide)
|
|
\item Adding randomness to exploits
|
|
\begin{itemize}
|
|
\item Less for NIDS signatures to match on (anti-NIDS)
|
|
\item Helps to uncover bugs in your exploit
|
|
\end{itemize}
|
|
\pause
|
|
|
|
\item Adding randomness to exploit code
|
|
\begin{itemize}
|
|
\item Modify attacks by setting protocol options (frags)
|
|
\item All padding data can be randomized (englishtext)
|
|
\item Helper functions to generate types of random data
|
|
\end{itemize}
|
|
|
|
\item Adding randomness to machine code
|
|
\begin{itemize}
|
|
\item Less for NIDS signatures to match on (anti-NIDS)
|
|
\item Increased robustness (bad chars / bad regs)
|
|
\item Street credz? :-)
|
|
\end{itemize}
|
|
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\section{Conservative Polymorphism}
|
|
|
|
\newcommand{\incshi}[1]{\includegraphics[height=3in]{#1}}
|
|
|
|
\begin{frame}
|
|
\frametitle{R0x Iterationz}
|
|
\only<9>{\incshi{shi8}}
|
|
\only<8>{\incshi{shi7}}
|
|
\only<7>{\incshi{shi6}}
|
|
\only<6>{\incshi{shi5}}
|
|
\only<5>{\incshi{shi4}}
|
|
\only<4>{\incshi{shi3}}
|
|
\only<3>{\incshi{shi2}}
|
|
\only<2>{\incshi{shi1}}
|
|
\only<1>{\incshi{shi0}}
|
|
\end{frame}
|
|
|
|
\section{Building a Nop Sled}
|
|
|
|
\subsection{Tekneek}
|
|
|
|
\begin{frame}
|
|
\frametitle{Multibyte Sled Concept}
|
|
\begin{itemize}
|
|
\item Optyx released multibyte generator at Interz0ne 1
|
|
\item Generates instructions 1 to 6 bytes long, and 0x66 prefix
|
|
\item 1 byte aligned, land anywhere, end at the same byte
|
|
\end{itemize}
|
|
\begin{itemize}
|
|
\pause
|
|
\item Builds the sled from back to front
|
|
\item Continually prepending byte (opcode) to sled
|
|
\item Generates a random byte and checks it against the tables
|
|
\pause
|
|
\begin{itemize}
|
|
\item Is the instruction length too long?
|
|
\item Is it a valid instruction?
|
|
\item Does it have any bad bytes?
|
|
\item Does it modify don't-smash registers?
|
|
\end{itemize}
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}[fragile]
|
|
\frametitle{Backwardz}
|
|
{\footnotesize
|
|
\begin{semiverbatim}
|
|
\textbf<11>{bb} \textbf<10,11>{b0} \textbf<9,10,11>{bf} \textbf<8,9,11>{2c} \textbf<7,8,9,11>{b6} \textbf<6,7,9>{27} \textbf<5,9>{67} \textbf<4,5>{2F} \textbf<3>{4A} \textbf<2>{1b} \textbf<1,2>{f9} --- shellcode
|
|
| | | | | | | | | | | \textbf<1>{... stc}
|
|
| | | | | | | | | |____^ \textbf<2>{. sbb edi,ecx}
|
|
| | | | | | | | | \textbf<3>{......... dec edx}
|
|
| | | | | | | | \textbf<4>{............ das}
|
|
| | | | | | |____^ \textbf<5>{.......... a16 das}
|
|
| | | | | | \textbf<6>{.................. daa}
|
|
| | | | |____^ \textbf<7>{................ mov dh, 0x27}
|
|
| | | |____^ \textbf<8>{................... sub al, 0xb6}
|
|
| | |_____________^ \textbf<9>{............. mov edi, 0x6727b62c}
|
|
| |____^ \textbf<10>{......................... mov al, 0xbf}
|
|
|_____________^ \textbf<11>{................... mov ebx, 0xb62cbfb0}
|
|
\end{semiverbatim}
|
|
}
|
|
\end{frame}
|
|
|
|
\subsection{Implementation}
|
|
|
|
\begin{frame}[fragile]
|
|
\frametitle{OptyNop2 Output}
|
|
{\footnotesize
|
|
\begin{verbatim}
|
|
$ ./waka 1000 4 5 | ndisasm -u - | head -700 | tail -20
|
|
000003B6 05419F40D4 add eax,0xd4409f41
|
|
000003BB 711C jno 0x3d9
|
|
000003BD 9B wait
|
|
000003BE 2C98 sub al,0x98
|
|
000003C0 37 aaa
|
|
000003C1 24A8 and al,0xa8
|
|
000003C3 27 daa
|
|
000003C4 E00D loopne 0x3d3
|
|
000003C6 6692 xchg ax,dx
|
|
000003C8 2F das
|
|
000003C9 49 dec ecx
|
|
000003CA B34A mov bl,0x4a
|
|
000003CC F5 cmc
|
|
000003CD BA4B257715 mov edx,0x1577254b
|
|
000003D2 700C jo 0x3e0
|
|
000003D4 C0D6B0 rcl dh,0xb0
|
|
000003D7 A9FD469342 test eax,0x429346fd
|
|
000003DC 67BBB191B23D a16 mov ebx,0x3db291b1
|
|
000003E2 1D9938FCB6 sbb eax,0xb6fc3899
|
|
000003E7 43 inc ebx
|
|
\end{verbatim}
|
|
}
|
|
\end{frame}
|
|
|
|
|
|
|
|
\subsection{Analysis}
|
|
|
|
\begin{frame}[fragile]
|
|
\frametitle{ADMmutate and optyx-mutate Gzip'd}
|
|
{\footnotesize
|
|
\begin{verbatim}
|
|
# ADMmutate
|
|
|
|
$ time ./nops 1000000| gzip -v >/dev/null
|
|
27.3%
|
|
real 0m0.241s
|
|
|
|
# optyx's interz0ne mutate
|
|
|
|
$ time ./driver nop 1000000 | gzip -v >/dev/null
|
|
29.7%
|
|
real 0m0.467s
|
|
\end{verbatim}
|
|
}
|
|
\end{frame}
|
|
|
|
\begin{frame}[fragile]
|
|
\frametitle{OptyNop2 Gzip'd}
|
|
{\footnotesize
|
|
\begin{verbatim}
|
|
# C version, save ESP and EBP
|
|
|
|
$ time ./waka 1000000 4 5 | gzip -v >/dev/null
|
|
12.2%
|
|
real 0m11.900s
|
|
|
|
# save just ESP
|
|
|
|
$ time ./waka 1000000 4 | gzip -v >/dev/null
|
|
11.7%
|
|
real 0m11.277s
|
|
|
|
# save nothing (good way to crash process)
|
|
|
|
$ time ./waka 1000000 | gzip -v >/dev/null
|
|
8.3%
|
|
real 0m12.404s
|
|
\end{verbatim}
|
|
}
|
|
\end{frame}
|
|
|
|
\begin{frame}[fragile]
|
|
\frametitle{ADMmutate Distribution - 1}
|
|
% \input rather than \include: \include forces a page break and cannot be used inside a frame
\input{admtable}
|
|
\end{frame}
|
|
\begin{frame}[fragile]
|
|
\frametitle{ADMmutate Distribution - 2}
|
|
% \input rather than \include: \include forces a page break and cannot be used inside a frame
\input{admtable2}
|
|
\end{frame}
|
|
\begin{frame}[fragile]
|
|
\frametitle{OptyNop2 Distribution - 1}
|
|
% \input rather than \include: \include forces a page break and cannot be used inside a frame
\input{optytable}
|
|
\end{frame}
|
|
\begin{frame}[fragile]
|
|
\frametitle{OptyNop2 Distribution - 2}
|
|
% \input rather than \include: \include forces a page break and cannot be used inside a frame
\input{optytable2}
|
|
\end{frame}
|
|
|
|
\subsection{Conclusion}
|
|
\begin{frame}
|
|
\frametitle{Benefits}
|
|
\begin{itemize}
|
|
\item Not very difficult to gain lots more randomness
|
|
\item NIDS is far, far behind
|
|
\item Added robustness (bad char / bad regs)
|
|
\item More versatile sled generation (nop stuffing, etc)
|
|
\end{itemize}
|
|
\end{frame}
|
|
\begin{frame}
|
|
\frametitle{Possible Improvements}
|
|
\begin{itemize}
|
|
\item Support processor flags (nop stuffing)
|
|
\item Support 2-byte opcodes / escape groups (not worth it)
|
|
\item Improved scoring systems, look-ahead, etc
|
|
\item Try to output according to a given byte distribution
|
|
\item Make it faster and use less memory
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
|
|
\section*{Summary}
|
|
|
|
|
|
\begin{frame}
|
|
\frametitle<presentation>{Summary}
|
|
|
|
% Keep the summary *very short*.
% TODO(review): the items below are still the beamer template placeholders; replace them with this talk's actual messages.
|
|
\begin{itemize}
|
|
\item
|
|
The \alert{first main message} of your talk in one or two lines.
|
|
\item
|
|
The \alert{second main message} of your talk in one or two lines.
|
|
\item
|
|
Perhaps a \alert{third message}, but not more than that.
|
|
\end{itemize}
|
|
|
|
% The following outlook is optional.
|
|
\vskip0pt plus.5fill
|
|
\begin{itemize}
|
|
\item
|
|
Outlook
|
|
\begin{itemize}
|
|
\item
|
|
Something you haven't solved.
|
|
\item
|
|
Something else you haven't solved.
|
|
\end{itemize}
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
|
|
|
|
% All of the following is optional and typically not needed.
|
|
\appendix
|
|
\section<presentation>*{\appendixname}
|
|
\subsection<presentation>*{For Further Reading}
|
|
|
|
\begin{frame}[allowframebreaks]
|
|
\frametitle<presentation>{For Further Reading}
|
|
|
|
\begin{thebibliography}{10}
|
|
|
|
\beamertemplatebookbibitems
|
|
% Start with overview books.
% TODO(review): the entries below are template placeholders, not real references for this talk.
|
|
|
|
\bibitem{Author1990}
|
|
A.~Author.
|
|
\newblock {\em Handbook of Everything}.
|
|
\newblock Some Press, 1990.
|
|
|
|
|
|
\beamertemplatearticlebibitems
|
|
% Followed by interesting articles. Keep the list short.
|
|
|
|
\bibitem{Someone2000}
|
|
S.~Someone.
|
|
\newblock On this and that.
|
|
\newblock {\em Journal of This and That}, 2(1):50--100,
|
|
2000.
|
|
\end{thebibliography}
|
|
\end{frame}
|
|
|
|
\end{document}
|
|
|
|
|