Beyond r57
Post on 20-Jun-2015
egypt@metasploit.com
Outline
PHP Background
• It’s terrible
• It’s always been terrible
• Objects are an afterthought
• Function names aren’t consistent
Why bother?
• They have to be uploaded and configured
– Leaves logs, files on disk
• Some call home to the authors
• They all focus on the server
– Maybe the database, too
• Nothing looks beyond, to the network
Rome Wasn’t Sacked in a Day
• Build payloads from simple -> complex
Essence of Payloads
• Create form of communication
• Do your bidding
Simplest: Exec
• Just run a system command
• Don’t care about input/output
• php/exec
Slightly Less Simple: download-exec
• Go grab an executable from a listening webserver
• Save it to disk and run it
• Still don’t care about input/output
• php/download_exec
More Complex: shell
• Need to have a comm channel
• Listen for input and send back output
• php/reverse_tcp
• php/bind_tcp
Meterpreter
• Flexible, extensible, capable
• php/meterpreter/reverse_tcp
• php/meterpreter/bind_tcp
Meterpreter for Pwned Home Pages
• Doesn’t have to be on disk
• Uses the same protocol and extension system
– The existing client works just fine
• Does as much as possible w/o using a shell
– Works in a chroot, doesn’t require /bin/sh
• Platform independent; works anywhere PHP works
Meterpreter Required Reading
• “Beyond EIP” 2006
– skape and spoonm, Blackhat Federal
• “Hacking Macs for Fun and Profit” 2009
– Dino dai Zovi and Charlie Miller, CanSecWest
Why is Meterpreter cool?
• Works even in restrictive environments
• Not limited to installed commands
• If it has more access, it can do cooler stuff
• Programmatically automatable
Meterpreter screenie
Meterpreter
• Flexible extension system
• Uses a (mostly) binary protocol
– TLV (Type, Length, Value)
– Designed for extensibility
Meterpreter Protocol
Length   | Type    | Value .....
4 bytes  | 4 bytes | ($length - 8) bytes
Length   | Type    | Value .....          (next TLV)
Meterpreter Protocol
• Packets are themselves TLVs
• TLVs make parsing simple and flexible
– No formatting knowledge is required outside of the TLV structure
– Allows a core packet parsing engine without any knowledge of extensions or their protocols
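To make the framing concrete, here is an added example (not from the slides or from Metasploit's own code) of a core TLV engine in Ruby: each TLV is a 4-byte big-endian length that includes the 8-byte header, a 4-byte type, and ($length - 8) bytes of value, and a packet is one TLV whose value is a sequence of TLVs. The type numbers and the method name are made up for the demo, and the engine rejects malformed lengths instead of reading past its buffer.

```ruby
HEADER_LEN = 8 # 4-byte length + 4-byte type, both big-endian

# Build one TLV. The length field counts the header too, so the
# value is ($length - 8) bytes long.
def tlv_pack(type, value)
  [value.bytesize + HEADER_LEN, type].pack('NN') + value
end

# Split a byte string into [type, value] pairs without interpreting
# the values. Returns nil on malformed input: a truncated header, a
# length below 8, or a length that runs past the end of the buffer.
def tlv_unpack(buf)
  tlvs = []
  off = 0
  while off < buf.bytesize
    return nil if buf.bytesize - off < HEADER_LEN
    len, type = buf.byteslice(off, HEADER_LEN).unpack('NN')
    return nil if len < HEADER_LEN || off + len > buf.bytesize
    tlvs << [type, buf.byteslice(off + HEADER_LEN, len - HEADER_LEN)]
    off += len
  end
  tlvs
end

# A packet is itself a TLV whose value is a list of child TLVs. The
# core engine only needs tlv_unpack; what each child type means is
# left to the extension that owns it.
def packet_pack(packet_type, children)
  tlv_pack(packet_type, children.map { |t, v| tlv_pack(t, v) }.join)
end

def packet_unpack(buf)
  outer = tlv_unpack(buf)
  return nil unless outer && outer.size == 1
  type, body = outer.first
  children = tlv_unpack(body)
  children && [type, children]
end

# Hypothetical type numbers for the demo (not Meterpreter's real ones).
TYPE_REQUEST = 1
TYPE_METHOD  = 2
TYPE_STRING  = 3

# Constructed sample: a request carrying a method name and one argument.
def demo
  wire = packet_pack(TYPE_REQUEST, [[TYPE_METHOD, 'sysinfo'], [TYPE_STRING, 'hello']])
  packet_unpack(wire)
end
```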
Meterpreter Ruby API
• Powerful and flexible scripting capabilities
• Extensions create an attribute under the main client object
• Various bits of info in each extension
– client.sys.config.sysinfo
– client.net.socket.create_tcp_client_channel
Challenges of doing all this in PHP
Liabilities
• Magic Quotes
• Size restrictions
• Safe mode
• disable_functions setting in php.ini
• PHP Quirks
We Don’t Need No Stinking Quotes
Size Restrictions
• URL length is limited to 4000 bytes on Apache
• Total length of an HTTP header value is 8190
• Solution is the same as for other kinds of shellcode: stagers
– Set up some kind of communication with the attacker, read in more code, eval
Safe Mode
• Kind of a bummer for some things
• Restricts files and command exec
• Doesn’t limit sockets in any way
disable_functions setting
• Sucks
• Can try a bunch of different functions with similar purposes until one works
– shell_exec -> passthru -> system -> popen …
• Esser’s memory corruption fu
PHP Quirks
• Stream vs Socket Resources
– stream_select() vs socket_select()
• Operator precedence
– $var & CONST == CONST
– $var & (CONST == CONST)
– $var & 1
• Can’t assume a version newer than 4.3
Assets
• Many ways of doing the same thing
– System Commands, Sockets
• Your brains, his strength, my steel.
Running System Commands
• system, exec, popen, pctl_open, shell_exec, passthru, proc_open
• A few non-default extensions: perl, win32std, win32services, almost certainly others
Communications
• Use the webserver
– Simple, effective. Most existing payloads do this
– Leaves logs =(
• Programs on the system: nc, bash, ftp, …
– No guarantee they’ll be there or work
• Sockets
Sockets
• fsockopen, pfsockopen, socket_create, stream_socket, fopen
• Extensions: curl, perl (wtf?)
Files
• fopen is usually enough
– Nobody disables it because it would break everything
Future
• Javaterpreter, JSPterpreter
– Already in the works, written by mihi
• ASPterpreter?
• Macterpreter/POSIX Meterpreter
– Most of the code is there but is not really usable
What should I call it?
• PHP Meterpreter, php-terpreter
• meterphpreter (pronounced “meterfpreter”)
• phpterpreter (pronounced “fapterpreter”)
• phpsucksmyballsterpreter
Demos
Questions
8=====D