All Rights Reserved. Reproduction is Strictly Prohibited 5
Smashing the Stack for Fun and Profit (cont’d)
Since there is no bounds checking, anything larger than the buffer runs off into uncontrolled memory space. This gives us the potential to overwrite the saved return address (and so EIP), hijacking the execution flow of the program.
With control of EIP, we can write our own RET address in, and force the program to execute code of our devising under its security context.
For example, the code might spawn a remote netcat shell with the privileges of the exploited user context. If this context is Root or Administrator, the system is completely compromised.
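The bounds-checking gap described above, as an added example that is not from these slides: a 16-byte stack buffer filled with strcpy() (the unchecked pattern that overruns into the saved frame), next to a hardened copy routine that measures within the destination size and refuses input that does not fit. The buffer size, function names and sample inputs are choices made here.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define BUF_SIZE 16

/* The pattern the slide describes: strcpy() performs no bounds check, so an
   argument longer than BUF_SIZE-1 bytes keeps writing past buf into the saved
   frame pointer and return address. Kept only as the "before" form. */
int copy_unchecked(const char *arg) {
    char buf[BUF_SIZE];
    strcpy(buf, arg);                 /* no length check: this is the overflow */
    return (int)strlen(buf);
}

/* Hardened form: look for the terminator within the destination size first,
   refuse input that does not fit, and never read past out_size bytes of the
   source. Returns the copied length, or -1 when the input is rejected. */
int copy_checked(const char *arg, char *out, size_t out_size) {
    const char *nul = memchr(arg, '\0', out_size);
    if (nul == NULL)                  /* no terminator within out_size: would overflow */
        return -1;
    size_t n = (size_t)(nul - arg);
    memcpy(out, arg, n + 1);          /* n bytes plus the terminator */
    return (int)n;
}

/* Convenience wrapper: copy into a BUF_SIZE buffer and report the result. */
int try_copy(const char *arg) {
    char out[BUF_SIZE];
    return copy_checked(arg, out, sizeof out);
}

int main(int argc, char **argv) {
    /* Constructed default input; pass a longer argument to see the rejection. */
    const char *input = argc > 1 ? argv[1] : "sample";
    char out[BUF_SIZE];
    int n = copy_checked(input, out, sizeof out);
    if (n < 0)
        printf("rejected: input does not fit in %d bytes\n", BUF_SIZE);
    else
        printf("copied %d bytes: %s\n", n, out);
    return 0;
}
```

The hardened version rejects rather than truncates: silent truncation with strncpy() avoids the overflow but can leave an unterminated string or a mangled value that later code trusts.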
Format Strings for Chaos and Mayhem
Format string vulnerabilities
Did you really mean to type printf(buffer)? Or did you mean printf("%s", buffer)? In the first example, the buffer is evaluated as a format string, and any formatting instructions in it will be parsed.
If buffer is made up of user input, things can get interesting.
Use formatting tokens (%s, %x) to start exploring the stack space, returning memory addresses.
With some cleverness you can map out memory space nicely, return
Code listing fragment from the slide (remainder not captured):
    printf("%s", tmp);
  }
}
Format Strings for Chaos and Mayhem (cont’d)
Format string vulnerabilities:
• How do you get the buffer to be displayed? Simple. Just use the four-byte address of the buffer as an argument to %s. For example, the shell command printf "\x41\x41\x41\x41%s\n" piped to your program.
• You can use this to dump arbitrary memory locations. No more hunting for RET addresses. You can inspect memory and find it.
Format Strings for Chaos and Mayhem (cont’d)
Format strings: writing into memory:
%n is a very useful little formatting token. It takes an int * as an argument, and writes the number of bytes already written to that location.
By carefully controlling the number of bytes written, and breaking the writes up into small operations, you can construct a memory address to be written to an arbitrary location using %n.
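Both the read side described two slides back (%x and %s walking the stack) and the write side described here (%n) come from one defect: the caller hands a format function a string the user controls. This added example, which is not from the slides, places the defective call beside the fixed-format version and adds a small audit routine for data that must never reach a format function: it counts conversion specifiers and flags %n (including forms with flags, width or a positional argument). The names log_unsafe, log_safe, audit_format and fmt_audit are chosen here, and the input string is constructed.

```c
#include <stdio.h>
#include <stdbool.h>
#include <string.h>

/* The defect the slide describes: user input used as the format string, so
   "%x" leaks stack words and "%n" writes to memory. Shown as the "before"
   form; never call it with untrusted data. */
void log_unsafe(const char *user_input) {
    printf(user_input);
}

/* Hardened form: a fixed format string. The input is only ever an argument
   to %s, so any '%' characters in it are printed literally. */
void log_safe(const char *user_input) {
    printf("%s\n", user_input);
}

/* Result of scanning a string for printf-style directives. */
typedef struct {
    int conversions;   /* number of % directives other than the literal "%%" */
    bool has_n;        /* at least one %n, possibly with flags, width or "5$" */
} fmt_audit;

/* Count conversion specifiers and detect %n in a string that should be
   treated as data. "%%" is a literal percent sign and is not counted. */
fmt_audit audit_format(const char *s) {
    fmt_audit r = {0, false};
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        p++;
        if (*p == '%') continue;            /* "%%" -> literal '%' */
        r.conversions++;
        /* skip flags, width, precision, positional "$" and length modifiers */
        while (*p && strchr("-+ #0123456789.*hlLqjzt$", *p)) p++;
        if (*p == 'n') r.has_n = true;
        if (!*p) break;                     /* dangling '%' at end of string */
    }
    return r;
}

int main(void) {
    /* Constructed input in the shape the slides describe: four address bytes
       ("AAAA" stands in for a real address) followed by stack-walking and
       %n directives. Through log_safe it is printed verbatim, nothing more. */
    const char *untrusted = "AAAA%x%x%x%n";
    fmt_audit a = audit_format(untrusted);
    printf("conversions=%d has_n=%d\n", a.conversions, (int)a.has_n);
    log_safe(untrusted);
    return 0;
}
```

Compilers warn about the non-literal format in log_unsafe (GCC's -Wformat-security); treating that warning as an error is the cheapest way to keep this class of bug out of a code base. The audit routine is a data-side check for places where the format cannot be made constant, such as strings read from configuration files.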
and puts the first command line argument into it
Shellcode
We have 500 bytes to play with.
Since we have to fill up the buffer anyway, why not fill it with our malicious code?
Shellcode is the code to be loaded into memory for execution (the malicious code mentioned above). It is in the format of raw ‘opcodes’, which are executed directly by the CPU.
Shellcode is often architecture and OS dependent. Code written for Linux on SPARC won’t work on an x86 Linux system. Likewise, code for Windows is different from code for Linux.
Root shell spawned with execve() call for Linux
Shellcode (cont’d)
Null Operations
NOPs are any exploit writer’s friends. All they do is tell the CPU to do nothing for one instruction, then go on to the next one.
How do you tell where your shellcode is in memory? Often you can’t find the exact start of the code.
Instead, you can pad your code with NOPs. With our 500 byte buffer we have quite a lot of space for, say, 50 bytes of shellcode to live.
Since it is difficult to tell where exactly the code starts, stick in 450 bytes of null operations before the shellcode.
Redirect the execution flow to point somewhere towards where you think the beginning of the buffer is.
The CPU will hit the NOPs, and ‘slide’ through them until it hits the shellcode payload, thus
Code listing fragment from the slide (remainder not captured):
    exit(0);
}
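From the defender's side, the sled the slide describes is the most recognisable part of the payload: hundreds of identical 0x90 bytes almost never occur in legitimate traffic, and network IDS signatures have keyed on them for years. This added example, not from the slides, builds a constructed buffer in the layout above (450 NOPs followed by a 50-byte placeholder, not real shellcode) and runs a longest-run detector over it and over a benign HTTP request. The threshold, function names and sample data are choices made here, and the detector covers only the plain 0x90 sled; sleds built from other do-nothing instructions need additional signatures.

```c
#include <stdio.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>

/* x86 single-byte NOP. Treat this as one signature, not a complete check:
   sleds made of other harmless instructions exist. */
#define X86_NOP 0x90

/* Length of the longest contiguous run of NOP bytes in buf. */
size_t longest_nop_run(const unsigned char *buf, size_t len) {
    size_t best = 0, cur = 0;
    for (size_t i = 0; i < len; i++) {
        cur = (buf[i] == X86_NOP) ? cur + 1 : 0;
        if (cur > best) best = cur;
    }
    return best;
}

/* Flag a payload whose NOP run is at least `threshold` bytes long. Text
   protocols almost never carry dozens of consecutive 0x90 bytes, so a
   threshold of a few dozen keeps false positives low. */
bool looks_like_nop_sled(const unsigned char *buf, size_t len, size_t threshold) {
    return longest_nop_run(buf, len) >= threshold;
}

/* Constructed sample in the layout the slide describes: 450 NOPs followed by
   a 50-byte placeholder (0xCC, the int3 opcode, standing in for shellcode). */
#define SLED_LEN 450
#define PAYLOAD_LEN 50
size_t build_sample_sled(unsigned char *out, size_t out_len) {
    if (out_len < SLED_LEN + PAYLOAD_LEN) return 0;
    memset(out, X86_NOP, SLED_LEN);
    memset(out + SLED_LEN, 0xCC, PAYLOAD_LEN);   /* placeholder, not a real payload */
    return SLED_LEN + PAYLOAD_LEN;
}

/* A benign request for comparison (constructed, example.test is a dummy host). */
size_t build_benign_request(unsigned char *out, size_t out_len) {
    const char *req = "GET /index.html HTTP/1.0\r\nHost: example.test\r\n\r\n";
    size_t n = strlen(req);
    if (out_len < n) return 0;
    memcpy(out, req, n);
    return n;
}

/* Self-check: 1 when the constructed sled is flagged and the benign request
   is not, 0 otherwise. */
int demo_detection(void) {
    unsigned char buf[600];
    size_t n = build_sample_sled(buf, sizeof buf);
    size_t m;
    if (n != SLED_LEN + PAYLOAD_LEN || longest_nop_run(buf, n) != SLED_LEN) return 0;
    if (!looks_like_nop_sled(buf, n, 32)) return 0;
    m = build_benign_request(buf, sizeof buf);
    if (m == 0 || looks_like_nop_sled(buf, m, 32)) return 0;
    return 1;
}

int main(void) {
    unsigned char buf[600];
    size_t n = build_sample_sled(buf, sizeof buf);
    printf("sample: longest NOP run %zu of %zu bytes, flagged=%d\n",
           longest_nop_run(buf, n), n, (int)looks_like_nop_sled(buf, n, 32));
    printf("self-check: %s\n", demo_detection() ? "ok" : "FAILED");
    return 0;
}
```

The same run-length idea is what the 0x90-repeat rules in older Snort signature sets express; encoders that replace the sled with varied single-byte instructions were written precisely to get past it, which is why the check belongs alongside other detections rather than on its own.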
Linux Exploits versus Windows
Shellcode is simpler and smaller than in Windows. Examples run as small as 24 bytes. Syscalls make life much easier.
Syscalls are predefined standard functions that the kernel will perform for you.
To use a syscall, you fill a few registers with data, then fill another register with the number of the syscall you want to use, and execute an interrupt.
Using execve(), you can fork the current process and execute a file. For example, fork the current process and execute /bin/sh.
Windows versus Linux (cont’d)
Writing shellcode is more complex.
Windows shellcode doesn’t seem to get much smaller than about 800 bytes. This places a lower limit on the size of buffer that can be exploited.
Denial-of-Service attacks are still possible with smaller buffers, however.
Windows doesn’t use Syscalls. You have to directly manipulate the Windows API.
There aren’t any clean methods for spawning a shell. All of this combines to greatly increase the size of shellcode necessary for a successful ‘sploit.
Offsets and RET addresses can change from Service Pack to Service Pack as well.
Tools of the Trade: Metasploit
Why do it all yourself? Repeatability is your friend:
• The Metasploit framework is an open source platform for vulnerability research and development, and penetration testing.
• Metasploit handles building shellcode and delivery code for you. You select the payload you want, then select the exploit to use. Push a button, and it fires, attempting to exploit the remote service.
Global environmental variables allow you to set options that are the same across multiple exploits to save time:
• For example, if you are using only a certain payload, you can specify the PAYLOAD variable in the Global Environment to set it across all machines.
Using the Environment effectively is key to making Metasploit fast and effective for you.
The Framework can be controlled in a very fine-grained manner via the various variable options available.
Environment: Global Environment
To interact with the global environment, use the commands ‘setg’ and ‘unsetg’:
• Setg, by itself, displays the current Global Environment. To set a variable, use setg foo bar, where foo is the variable and bar is its value.
• Unsetg will clear the entire Global Environment.
The global environment is loaded from defaults on startup. You can save new Global and Temporary Environments with the ‘save’ command.
The Temporary Environment is accessed through the set and unset commands.
Variables that are set are specific to the exploit that is loaded.
Inactive environments are simply stored in memory until the exploit they are associated with is loaded.
• show encoders – shows the available encoding engines
• show nops – shows the available NOP engines
• show options – shows the configurable options for an exploit
• show advanced – shows advanced options for an exploit
• info – gives you detailed information on a payload or an exploit
• If an exploit supports multiple platforms, then you will need to set the target variable.
• Default is bruteforcing the remote system’s type, which often isn’t desirable.
Metasploit: Launching the Exploit
Launching the exploit:
• Now comes the most complicated part of all. Once you have all of the commands set up, you now have to go through an intricate dance comprised of memorized sequences and good timing. Only the most 1337 of h@x0z will master the final steps….the pathway to pwnage….
Advanced Features (cont’d)
Win32 DLL Injection payloads:
• Metasploit is able to execute staged payloads that can inject custom DLLs into memory, using any win32 exploit.
• The DLLs are not written to disk, and reside only in memory, forked off the owned process.
• Build a standard DLL. Export a function called ‘init’, and have it take a single argument, an int, which is the socket descriptor of the connection.
• Init is launched in a new thread when the process is exploited.
Tools of the Trade: Canvas (cont’d)
Some exploits in CANVAS are available nowhere else:
• Microsoft ASN.1 exploit
• Exploits for Immunity Research vulnerabilities such as:
  • NAI ePolicy Orchestrator
  • Compaq Web Management
  • Computer Associates Unicenter
Take advantage of over 50 exploits, written and tested by Immunity's team.
Completely open design allows a team to adapt CANVAS to their environment and needs.
Advanced infrastructure is second to none, and exploits get updated as often as weekly.
Tools of the Trade: Canvas (cont’d)
Does not restrict your use of CANVAS to any particular IP range or use
Does not expire when your support period is over
CANVAS works on Windows 2000, XP, and Linux (or any other system that runs Python 2.2 or greater and pyGTK)
Delivery of CANVAS is purely over the Internet
Notifications are sent to your email address, and you can download CANVAS at any time from the Immunity website
Watermarked to the customer, if your copy of CANVAS leaks.
Tools of the Trade: CORE Impact (cont’d)
CORE Impact is an automated, comprehensive penetration testing product for assessing specific information security threats to an organization.
CORE IMPACT can be run completely autonomously. The steps in this process include:
• Step 6: Report Generation.
Tools of the Trade: CORE Impact (cont’d)
Identify the real risk to your organization with CORE Impact:
• Automates, and reduces the cost of, the critical but previously manual and expensive penetration testing process.
• Allows organizations to safely launch real-world attacks by running exploits against a target network without altering the system.
• Conducts all testing procedures methodically in one visual software package.
• Tests for external and internal vulnerabilities, including those that relate to how network components work together.
• Eliminates false positives, reports precisely where a network could be penetrated and the associated security risks.
• Helps prioritize remediation efforts.
WHAT DOES CORE IMPACT DO?
Mimics attacker behavior – launches real-world attacks safely and efficiently, demonstrating exactly what an attacker can do.
Industrializes penetration testing – automates the previously manual, expensive process with Core Impact Rapid Penetration Test (RPT).
Provides important features:
• Commercial-grade exploits
• Innovative agent technology
• Powerful user interface
• Automation of repetitive tasks
• Complete log of all activities
• Customizable reporting
• Links to fixes
Microsoft Baseline Security Analyzer (MBSA)
MBSA detects common security misconfigurations and missing security updates on your computer systems.
It helps small- and medium-sized businesses to determine their security state in accordance with Microsoft security recommendations and offers specific remediation guidance.
Some of the features of MBSA are as follows:
• Scans for insecure computer configurations on local, remote, or groups of computers
• Scans for common administrative vulnerabilities
• Reports updates that are not yet approved on the Update Services server
• Specifies an alternate user name and password for remote administrative vulnerability
SNSI is licensed per Administrator, and lets you scan unlimited machines and IP addresses.
SNSI uses the latest Mitre Common Vulnerabilities and Exposures (CVE) and contains the latest SANS/FBI top 20 vulnerability list.
Following are the features of SNSI:
• It has a large number of vulnerabilities in its database
• Scans and analyzes an entire domain or selected systems in the domain
• It performs frequent vulnerability database updates
• It provides a detailed report after scanning
Summary
Common vulnerabilities have been revisited and discussed.
The anatomy of an exploit and a typical overflow has been explained.
Strengths and uses of payload generators and exploitation tools, including GDB, Metasploit, Canvas, and CORE Impact, were discussed.