metasploit-framework/dev/dev.tex


% $Header$
\documentclass{beamer}
\usepackage{graphicx}
\usepackage{color}
% This file is a solution template for:
% - Talk at a conference/colloquium.
% - Talk length is about 20min.
% - Style is ornate.
% Copyright 2004 by Till Tantau <tantau@users.sourceforge.net>.
%
% In principle, this file can be redistributed and/or modified under
% the terms of the GNU Public License, version 2.
%
% However, this file is supposed to be a template to be modified
% for your own needs. For this reason, if you use this file as a
% template and not specifically distribute it as part of a another
% package/program, I grant the extra permission to freely copy and
% modify this file as you see fit and even to delete this copyright
% notice.
\mode<presentation>
{
% \usetheme{}
% or ...
\usecolortheme{seahorse}
% \usecolortheme{crane}
% \useinnertheme{inmargin}
\setbeamercovered{transparent}
% or whatever (possibly just delete it)
}
\usepackage[english]{babel}
% or whatever
\usepackage[latin1]{inputenc}
% or whatever
\usepackage{times}
\usepackage[T1]{fontenc}
% Or whatever. Note that the encoding and the font should match. If T1
% does not look nice, try deleting the line with the fontenc.
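% Start a new part of the talk: drop a label and a top-level PDF bookmark for
% the part title, then hand off to beamer's \part so that the "Outline" frame's
% \tableofcontents is scoped to the current part.
% The previous definition expanded to \pdfpart itself (not \part), which is an
% unbounded recursion at the first use.
\newcommand*{\pdfpart}[1]{\label{pdfpart-#1}\pdfbookmark[0]{#1}{pdfpart-#1}\part{#1}}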
\title{Advanced Exploitation}
\author[hdm \& spoonm]
{hdm \& spoonm}
\date[CSW 2005] % (optional, should be abbreviation of conference name)
{CanSecWest, 2005}
\subject{Metasploit - Advanced Exploitation}
% Delete this, if you do not want the table of contents to pop up at
% the beginning of each subsection:
%\AtBeginSubsection[]
%{
% \begin{frame}<beamer>
% \frametitle{Outline}
% \tableofcontents[currentsection,currentsubsection]
% \end{frame}
%}
% turn off the navigation on the bottom yo
\setbeamertemplate{navigation symbols}{}
\begin{document}
\begin{frame}
\titlepage
\end{frame}
%--------------------------------------%
\pdfpart{Introduction}
%--------------------------------------%
\section{Introduction}
\subsection{Who are we?}
\begin{frame}
\frametitle{Who are we?}
\begin{itemize}
\item spoonm
\begin{itemize}
\item Security researcher
\item Full-time student
\item Metasploit developer
\end{itemize}
\item H D Moore
\begin{itemize}
\item Security researcher
\item Full-time employee
\item Metasploit developer
\end{itemize}
\end{itemize}
\end{frame}
\subsection{What is Metasploit?}
\begin{frame}
\frametitle{What is Metasploit?}
\begin{itemize}
\item Research project with 8 members
\item Created the Metasploit Framework
\begin{itemize}
\item Open-source exploit dev platform
\item Includes 60 exploits and 70 payloads
\item Implements ideas from everywhere
\item Currently four primary developers
\item Handful of external contributors
\end{itemize}
\end{itemize}
\end{frame}
\subsection{What is this about?}
\begin{frame}
\frametitle{What is this about?}
\begin{itemize}
\item Recent advances in exploit technology
\item New research, techniques, and code
\item Metasploit Framework 3.0
\end{itemize}
\end{frame}
%--------------------------------------%
\pdfpart{Windows Exploitation}
%--------------------------------------%
\section{Windows Exploitation}
\begin{frame}
\frametitle{Windows Exploitation}
\begin{itemize}
\item The
\item SEH frame overwrites still easy to exploit
\item Third-party applications buggy as ever
\end{itemize}
\end{frame}
\subsection{Windows XP SP2}
\subsection{Windows 2003 SP1}
%--------------------------------------%
\pdfpart{Mac OS X Exploitation}
%--------------------------------------%
\section{Mac OS X Exploitation}
\subsection{PowerPC Constraints}
\begin{frame}
\frametitle{PowerPC Constraints}
\begin{itemize}
\item Mac OS X runs on PowerPC
\item PowerPC is a RISC-platform
\item Independent instruction and data caches
\item Fixed-width instructions
\item Stack overflows need to return twice to be exploitable
\item (Similar to exploits on SPARCs, etc)
\end{itemize}
\end{frame}
\subsection{Exploits are annoying}
\begin{frame}
\frametitle{Exploits are annoying}
\begin{itemize}
\item Double-return means having to patch other pointers
\item Code which calls \texttt{\_exit} before returning is sometimes unexploitable
\item Shellcode must be placed into location not in i-cache
\item Exploits can have different results between diff CPUs
\end{itemize}
\end{frame}
\subsection{Shellcode issues}
\begin{frame}
\frametitle{Shellcode issues}
\begin{itemize}
\item Double-return means having to patch other pointers
\item Code which calls \texttt{\_exit} before returning is sometimes unexploitable
\item Shellcode must be placed into location not in i-cache
\item Exploits can have different results between diff CPUs
\end{itemize}
\end{frame}
%--------------------------------------%
\pdfpart{Return Addresses}
%--------------------------------------%
\section{Return Address Analysis}
\subsection{Reliability}
\begin{frame}
\frametitle{Who cares}
\begin{itemize}
\item An exploit is only as good as its return address
\item Many exploits allow only one attempt before the service crashes
\item Returning direct to shellcode usually not possible
\item Returning to code which jumps to shellcode is
\end{itemize}
\end{frame}
\subsection{Analysis Tools}
\begin{frame}
\frametitle{Automated analysis}
\begin{itemize}
\item Tools like msfpescan and msfelfscan scan executables for rets
\item Very simple to cross-reference return addresses across versions
\item Memory dumping and offline scanning also useful techniques
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Opcode Databases}
\begin{itemize}
\item Searchable index of different types of return addresses
\item Only useful when addresses do not change between instances
\item Useful for operating systems like Windows, Mac OS X, Solaris
\item Per-executable addresses potentially useful but DB is overkill
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Current Development}
\begin{itemize}
\item Executable analysis tools for Solaris, Mac OS X, Linux, BSD
\item Usefulness limited compared to Windows platform
\item Static libraries are great for cross-version exploits
\end{itemize}
\end{frame}
\subsection{Impact of ASLR}
\begin{frame}
\frametitle{Address Space Layout Randomization}
\begin{itemize}
\item Randomize common memory addresses
\begin{itemize}
\item Stack
\item Heap
\item Anonymous memory mappings
\item Executable load addresses
\item Library load addresses
\end{itemize}
\item Simple way to break off-the-shelf exploits
\item Solid implementations can be difficult to avoid
\item Nearly zero overhead compared with page protection
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Windows ASLR}
\begin{itemize}
\item WehnTrust is the only complete ASLR available for Win32
\item Breaks nearly all Win32 exploits
\item Partial overwrites and address leaks can be used to avoid it
\item Massive memory/heap consumption may help too
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Unix ASLR}
\begin{itemize}
\item OpenBSD and Linux implementations available
\item Work with page protection to prevent code execution
\item Partial overwrites can sometimes avoid this
\item Return to library code may still be useful
\end{itemize}
\end{frame}
%--------------------------------------%
\pdfpart{Post-Exploitation}
%--------------------------------------%
\section{Post-Exploitation}
\subsection{Windows Payloads}
\begin{frame}
\frametitle{The Meterpreter}
\begin{itemize}
\item Windows version uses in-memory DLL injection techniques
\item Dynamically extensible over the network
\item Extensions are standard Windows DLLs
\item Loading an extension updates available commands
\item Support for network encryption
\item Huge feature set in the public version
\begin{itemize}
\item Upload, download, and list files
\item List, create, and kill processes
\item Spawn ``channelized'' commands in the background
\item Create port forwarding channels to pivot attacks
\end{itemize}
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Ordinal-based Stagers}
\begin{itemize}
\item Technique from Oded's lightning talk at core04
\item 92 bytes and works on every Windows version/SP
\item Staging system can chain vnc injection or Meterpreter
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{PassiveX}
\begin{itemize}
\item Payload modifies registry and launches IE
\item IE loads custom ActiveX control to stage the payload
\item Communications channel is via HTTP requests
\item Can be used to inject VNC, Meterpreter, etc
\item Uses IE settings to bypass firewalls (proxy, auth, etc)
\end{itemize}
\end{frame}
\subsection{Unix Payloads}
\begin{frame}
\frametitle{Non-standard Network Stagers}
\begin{itemize}
\item UDP-based stager and network shell for Linux
\item UDP-based DNS request staging system
\item ICMP-based listener and ``reverse'' payloads
\item Find and recv socket re-use stagers
\item Source code in MSF, but many not integrated
\end{itemize}
\end{frame}
%--------------------------------------%
\pdfpart{Improving Randomness in Attacks}
%--------------------------------------%
\begin{frame}
\frametitle{Outline}
\tableofcontents
\end{frame}
\section{Introduction}
\begin{frame}
\frametitle{Randomness, who cares?}
\begin{itemize}
\item NOTE: this slide can probably be trashed.. just temp for now
\item Adding randomness to exploits
\begin{itemize}
\item Less to signature / anti-nids
\item Helps to uncover bugs in your exploit
\end{itemize}
\pause
\item Adding randomness to exploit code
\begin{itemize}
\item Modify attacks by setting protocol options (frags)
\item All padding data can be randomized (englishtext)
\item Helper functions to generate types of random data
\end{itemize}
\item Adding randomness to machine code
\begin{itemize}
\item Less to signature / anti-nids
\item Increased robustness (bad chars / bad regs)
\item Street credz? :-)
\end{itemize}
\end{itemize}
\end{frame}
\section{Conservative Polymorphism}
% Helper for the overlay sequence in the next frame: each \only<n> step shows one
% screenshot (shi0 .. shi8) at a fixed 3in height.
\newcommand{\incshi}[1]{\includegraphics[height=3in]{#1}}
\begin{frame}
\frametitle{R0x Iterationz}
\only<9>{\incshi{shi8}}
\only<8>{\incshi{shi7}}
\only<7>{\incshi{shi6}}
\only<6>{\incshi{shi5}}
\only<5>{\incshi{shi4}}
\only<4>{\incshi{shi3}}
\only<3>{\incshi{shi2}}
\only<2>{\incshi{shi1}}
\only<1>{\incshi{shi0}}
\end{frame}
\section{Building a Nop Sled}
\subsection{Tekneek}
\begin{frame}
\frametitle{Multibyte Sled Concept}
\begin{itemize}
\item Optyx released multibyte generator at Interz0ne 1
\item Generates instructions 1 to 6 bytes long, and 0x66 prefix
\item 1 byte aligned, land anywhere, end at the same byte
\end{itemize}
\begin{itemize}
\pause
\item Builds the sled from back to front
\item Continually prepending byte (opcode) to sled
\item Generates a random byte and checks it against tables
\pause
\begin{itemize}
\item Is the instruction length too long?
\item Is it a valid instruction?
\item Does it have any bad bytes?
\item Does it modify don't-smash registers?
\end{itemize}
\end{itemize}
\end{frame}
\begin{frame}[fragile]
\frametitle{Backwardz}
{\footnotesize
\begin{semiverbatim}
\textbf<11>{bb} \textbf<10,11>{b0} \textbf<9,10,11>{bf} \textbf<8,9,11>{2c} \textbf<7,8,9,11>{b6} \textbf<6,7,9>{27} \textbf<5,9>{67} \textbf<4,5>{2F} \textbf<3>{4A} \textbf<2>{1b} \textbf<1,2>{f9} --- shellcode
| | | | | | | | | | | \textbf<1>{... stc}
| | | | | | | | | |____^ \textbf<2>{. sbb edi,ecx}
| | | | | | | | | \textbf<3>{......... dec edx}
| | | | | | | | \textbf<4>{............ das}
| | | | | | |____^ \textbf<5>{.......... a16 das}
| | | | | | \textbf<6>{.................. daa}
| | | | |____^ \textbf<7>{................ mov dh, 0x27}
| | | |____^ \textbf<8>{................... sub al, 0xb6}
| | |_____________^ \textbf<9>{............. mov edi, 0x6727b62c}
| |____^ \textbf<10>{......................... mov al, 0xbf}
|_____________^ \textbf<11>{................... mov ebx, 0xb62cbfb0}
\end{semiverbatim}
}
\end{frame}
\subsection{Implementation}
\begin{frame}[fragile]
\frametitle{OptyNop2 Output}
{\footnotesize
\begin{verbatim}
$ ./waka 1000 4 5 | ndisasm -u - | head -700 | tail -20
000003B6 05419F40D4 add eax,0xd4409f41
000003BB 711C jno 0x3d9
000003BD 9B wait
000003BE 2C98 sub al,0x98
000003C0 37 aaa
000003C1 24A8 and al,0xa8
000003C3 27 daa
000003C4 E00D loopne 0x3d3
000003C6 6692 xchg ax,dx
000003C8 2F das
000003C9 49 dec ecx
000003CA B34A mov bl,0x4a
000003CC F5 cmc
000003CD BA4B257715 mov edx,0x1577254b
000003D2 700C jo 0x3e0
000003D4 C0D6B0 rcl dh,0xb0
000003D7 A9FD469342 test eax,0x429346fd
000003DC 67BBB191B23D a16 mov ebx,0x3db291b1
000003E2 1D9938FCB6 sbb eax,0xb6fc3899
000003E7 43 inc ebx
\end{verbatim}
}
\end{frame}
\subsection{Analysis}
\begin{frame}[fragile]
\frametitle{ADMmutate and optyx-mutate Gzip'd}
{\footnotesize
\begin{verbatim}
# ADMmutate
$ time ./nops 1000000| gzip -v >/dev/null
27.3%
real 0m0.241s
# optyx's interz0ne mutate
$ time ./driver nop 1000000 | gzip -v >/dev/null
29.7%
real 0m0.467s
\end{verbatim}
}
\end{frame}
\begin{frame}[fragile]
\frametitle{OptyNop2 Gzip'd}
{\footnotesize
\begin{verbatim}
# C version, save ESP and EBP
$ time ./waka 1000000 4 5 | gzip -v >/dev/null
12.2%
real 0m11.900s
# save just ESP
$ time ./waka 1000000 4 | gzip -v >/dev/null
11.7%
real 0m11.277s
# save nothing (good way to crash process)
$ time ./waka 1000000 | gzip -v >/dev/null
8.3%
real 0m12.404s
\end{verbatim}
}
\end{frame}
\begin{frame}[fragile]
\frametitle{ADMmutate Distribution - 1}
\include{admtable}
\end{frame}
\begin{frame}[fragile]
\frametitle{ADMmutate Distribution - 2}
\include{admtable2}
\end{frame}
\begin{frame}[fragile]
\frametitle{OptyNop2 Distribution - 1}
\include{optytable}
\end{frame}
\begin{frame}[fragile]
\frametitle{OptyNop2 Distribution - 2}
\include{optytable2}
\end{frame}
\subsection{Conclusion}
\begin{frame}
\frametitle{Benefits}
\begin{itemize}
\item Not very difficult to gain lots more randomness
\item NIDS is far, far behind
\item Added robustness (bad char / bad regs)
\item More versatile sled generation (nop stuffing, etc)
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Possible Improvements}
\begin{itemize}
\item Support processor flags (nop stuffing)
\item Support 2-byte opcodes / escape groups (not worth it)
\item Improved scoring systems, look-ahead, etc
\item Try to output according to a given byte distribution
\item Make it faster and use less memory
\end{itemize}
\end{frame}
\section*{Summary}
\begin{frame}
\frametitle<presentation>{Summary}
% Keep the summary *very short*.
\begin{itemize}
\item
The \alert{first main message} of your talk in one or two lines.
\item
The \alert{second main message} of your talk in one or two lines.
\item
Perhaps a \alert{third message}, but not more than that.
\end{itemize}
% The following outlook is optional.
\vskip0pt plus.5fill
\begin{itemize}
\item
Outlook
\begin{itemize}
\item
Something you haven't solved.
\item
Something else you haven't solved.
\end{itemize}
\end{itemize}
\end{frame}
% All of the following is optional and typically not needed.
\appendix
\section<presentation>*{\appendixname}
\subsection<presentation>*{For Further Reading}
\begin{frame}[allowframebreaks]
\frametitle<presentation>{For Further Reading}
\begin{thebibliography}{10}
\beamertemplatebookbibitems
% Start with overview books.
\bibitem{Author1990}
A.~Author.
\newblock {\em Handbook of Everything}.
\newblock Some Press, 1990.
\beamertemplatearticlebibitems
% Followed by interesting articles. Keep the list short.
\bibitem{Someone2000}
S.~Someone.
\newblock On this and that.
\newblock {\em Journal of This and That}, 2(1):50--100,
2000.
\end{thebibliography}
\end{frame}
\end{document}