
Vulnerability, exploit to metasploit

May 17, 2015


Tiago Henriques

My Talk @ Confraria February 2012
Transcript
Page 1: Vulnerability, exploit to metasploit

Vulnerability, Exploit to Metasploit

[email protected]

Page 2: Vulnerability, exploit to metasploit

Before we start

• Some slides might seem like they have too much text. The reason is that I want you to be able to get home after this presentation and start messing around with the stuff you will learn about here. To do that there is a lot of text you need as a reference; even though it is on the slides, I might not read all of it.

• Also this presentation will be compiled in a package, with all the software, notes and cheat sheets that you need to hack away as soon as you are out of here.

Page 3: Vulnerability, exploit to metasploit

Who Am I ?

• Tiago Henriques
• @balgan
• 23
• BSc
• MSc
• CEH
• CHFI
• CISSP
• MCSA
• CISA
• CISM
• CPT
• CCNA
• OSCP


Next project

Team Leader of these guise

Currently employed by these guise

Which means you should probably leave because I will talk shit, amirite?

Page 4: Vulnerability, exploit to metasploit

What we are going to (try) to cover today

Page 5: Vulnerability, exploit to metasploit

Terminology

• Vulnerability – Security hole in a piece of software or hardware that can provide a potential vector to attack a system. It can go from something simple like a weak password to something more complex like a buffer overflow or SQL injection.

• Exploit – A program whose only reason is to take advantage of a vulnerability. Exploits often deliver payloads to a target system.

• Payload – Piece of software that allows an attacker to control the exploited system.

• DEP – Data Execution Prevention – First introduced in Win XP SP2 – Used to mark certain parts of the stack as non-executable.

• ASLR – Address Space Layout Randomization – Windows Vista onwards – Randomizes the base addresses of executables, dll’s, stack and heap.

Page 6: Vulnerability, exploit to metasploit

Step 1 - Vulnerability

Where can I find one? Why should I look for one? What am I looking for?

Page 7: Vulnerability, exploit to metasploit

Why do I want to look for vulnerabilities?

• There are plenty of reasons why you would want to look for vulnerabilities:

1. Fame – Who doesn’t know people like Charlie Miller, Dino Dai Zovi, and Alex Sotirov?

2. Money – You can make a living out of this! ZDI and other programs buy vulns and, depending on how critical it is, you can get quite a lot of money for it!

3. Technical knowledge – You can learn a lot more by digging into the internals of software/hardware than by just using it normally.

Page 8: Vulnerability, exploit to metasploit

How to find one?

• Multiple techniques exist to find vulnerabilities but we will mention only these three main ones:

• Static analysis – Analyse the programs without running them, reading source code or using tools for static analysis. Analyse how the program flow works and how data enters the software.

• Potentially vulnerable Code Locations – Look at specific parts of source code, mainly at “unsafe” locations, such as strcpy() and strcat() which are amazing for buffer overflows.

• Fuzzing – Fuzzing is a completely different approach to finding vulnerabilities: it is a dynamic analysis that consists of testing the application by throwing malformed or unexpected data at it as input. Though it’s easy to automate, the problem with this approach is that you can crash an application 70000 times and out of those you get 10 vulns and only 2 are exploitable.

… and messing around with the application.

Page 9: Vulnerability, exploit to metasploit

More theory

• Every Windows application uses memory! The process memory has 3 major components:
• Code segment – Instructions that the CPU executes – EIP keeps track of the next instruction (!very important!)
• Data segment – used for variables, dynamic buffers
• Stack segment – used to pass data / arguments to functions.

• If you want to access the stack memory directly, you can use the ESP (Stack Pointer) which points at the top (lowest memory address) of the stack.

• The CPU’s general purpose registers (Intel, x86) are:
• EAX : accumulator : used for performing calculations, and used to store return values from function calls. Basic operations such as add, subtract, compare use this general-purpose register
• EBX : base (does not have anything to do with base pointer). It has no general purpose and can be used to store data.
• ECX : counter : used for iterations. ECX counts downward.
• EDX : data : this is an extension of the EAX register. It allows for more complex calculations (multiply, divide) by allowing extra data to be stored to facilitate those calculations.
• ESP : stack pointer
• EBP : base pointer
• ESI : source index : holds location of input data
• EDI : destination index : points to location of where result of data operation is stored
• EIP : instruction pointer

For more information on this check the notes for extra links.

Page 10: Vulnerability, exploit to metasploit

Tools

• So we are now going to crash our first application.
• Application name: Free MP3 CD Ripper
• Type of Vulnerability: Buffer Overflow
• Tools of Trade: ImmunityDebugger, Mona.py, Python, Notepad++

• ImmunityDebugger – Variant of OllyDbg, easily scriptable since it’s Python compatible!

• Mona.py – Amazing script created by Corelan Team that integrates with ImmunityDebugger and provides lots of functionality for finding vulns and writing exploits

• Python – Best scripting language ever for fast prototyping and testing shit.

• Notepad++ – Pretty colors on notepad ftw!

• Virtual Machines -

Page 11: Vulnerability, exploit to metasploit

Mona.py

• Installing mona – Copy mona.py to the PyCommands folder.
• Useful initial commands:

• !mona help
• !mona update -t trunk
• !mona config -set workingfolder c:\logs\%p

Constructor code

Page 12: Vulnerability, exploit to metasploit

DEMO 1 - CRASHAPP

Page 13: Vulnerability, exploit to metasploit
Page 14: Vulnerability, exploit to metasploit

DEMO 2 - Crash-EIPControl

Page 15: Vulnerability, exploit to metasploit
Page 16: Vulnerability, exploit to metasploit

Step 2 - Exploit

Developing a working exploit and integration into the Metasploit framework using mona

Page 17: Vulnerability, exploit to metasploit

Quick recap

• Where are we at the moment:
• We can crash the app
• We sort of know how much we have to pass onto it to crash it (5k A’s)
• We know we control the EIP! (41414141)

• What do we need:
• Know exactly how much “junk” we have to pass onto it
• Get proper shellcode and pointers without bad characters

Page 18: Vulnerability, exploit to metasploit

Getting IT!

• Know exactly how much “junk” we have to pass onto it – Mona can do this for us. We need to turn our A’s into a cyclic pattern:

!mona pc 5000

• Get proper shellcode and pointers without bad characters – null pointers are bad!

!mona suggest -cpb ‘\x00\x0a\x0d’

Page 19: Vulnerability, exploit to metasploit

DEMO 3 - Generate Cyclic Pattern

Page 20: Vulnerability, exploit to metasploit

Cyclic Patterns

• !mona pc 5000 – Generates a cyclic pattern with 5000 characters; we then insert it into our constructor script in place of the A’s.
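The two mona steps from this slide and page 18 (generate the cyclic pattern, then turn the dword that landed in EIP back into an offset, and reject pointers that contain bad characters) written out in plain Python, as an added example that is not from the slides or from mona.py. The function names pattern_create, pattern_offset and has_bad_chars are chosen here, and the EIP value in the usage is a constructed sample, not one from the demo.

```python
import string

# Metasploit/mona-style cyclic pattern: 3-char units Upper+lower+digit
# ("Aa0Aa1Aa2..."); every 4-byte window is unique within the full
# 20280-character pattern, which is what makes the offset lookup work.
def pattern_create(length):
    """Return the first `length` characters of the cyclic pattern."""
    units = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                units.append(upper + lower + digit)
                if len(units) * 3 >= length:
                    return "".join(units)[:length]
    return "".join(units)[:length]  # length > 20280: pattern does not extend further


def pattern_offset(pattern, eip):
    """Offset at which the dword now in EIP sat inside the pattern.

    `eip` is the register value as the debugger prints it (e.g. 0x46386946);
    x86 is little endian, so the bytes are reversed before the search.
    Returns -1 when the value is not in the pattern (EIP was not overwritten
    by this buffer, or the pattern was shorter than the overflow needs).
    """
    chunk = eip.to_bytes(4, "little").decode("ascii", errors="replace")
    return pattern.find(chunk)


def has_bad_chars(address, bad_chars):
    """True if any byte of the little-endian address is in bad_chars.

    Same idea as mona's -cpb filter: an address containing \\x00, \\x0a or
    \\x0d would be cut or mangled by string/line handling before it reaches
    the stack, so a suggested pointer with such a byte is unusable.
    """
    return any(b in bad_chars for b in address.to_bytes(4, "little"))


if __name__ == "__main__":
    pattern = pattern_create(5000)          # the !mona pc 5000 equivalent
    # constructed sample: the EIP value Immunity would show after the crash
    print(pattern_offset(pattern, 0x46386946))          # 4164
    print(has_bad_chars(0x7C80000A, b"\x00\x0a\x0d"))   # True
```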

Page 21: Vulnerability, exploit to metasploit

DEMO 4 - Mona-suggest

Page 22: Vulnerability, exploit to metasploit

Exploit.rb

Now let’s analyse the file created by mona.py - exploit.rb

Also and more important, does it work ?

Page 23: Vulnerability, exploit to metasploit

DEMO 5 - Exploit - metasploit - exploitation

Page 24: Vulnerability, exploit to metasploit

Quick Recap

• So the process goes like this:

1. Manage to crash an app using the normal constructors

2. Confirm that we control the registers

3. Create a cyclic pattern and replace it on the constructors

4. Use mona.py suggest to generate the exploit.rb

5. Check if it works out of the box by copying it to correct folder and trying it

6. Fix it if needed

7. Done.

8. (Optional) – Submit module to metasploit development and have it implemented onto the framework.

Page 25: Vulnerability, exploit to metasploit

Step 3 - Metasploit

Learning a bit about Metasploit, why you want your exploits integrated, and how to use it.

Page 26: Vulnerability, exploit to metasploit

Metasploit Quick Background

• Exploitation framework
• Is made of lots of different modules and tools that work together
• First written in PERL
• Then changed to Ruby (HELL YEAH!)
• 4 Versions – Pro, Express, Community (Free), Development (Free)
• In the last year more than 1 million downloads were made
• Open sauce

Page 27: Vulnerability, exploit to metasploit

Metasploit Architecture

Mad Paint Skillz

Page 28: Vulnerability, exploit to metasploit

Metasploit

• There is a world of functionality within metasploit, however today we will focus only on meterpreter and a bit of metasm!

• If I were to talk about all the functionality within Metasploit I would need at least a 2 hour slot just to grasp the top features of this amazing framework.

Page 29: Vulnerability, exploit to metasploit

Meterpreter

• Meterpreter is what you could call Shell Ultimate Gold Over 9000 level edition!

• The best way in my opinion to show you the power of meterpreter is to do a demo!

Explaining this Francisco Guerreiro style

Page 30: Vulnerability, exploit to metasploit

DEMO 6 - Payload Generation - Normal

DEMO 6.1 - Session established

DEMO 6.2 - Meterpreter First

Page 31: Vulnerability, exploit to metasploit

Meterpreter

• This is all really cool! However not a real scenario, so let’s up the stakes a bit!

Page 32: Vulnerability, exploit to metasploit

DEMO 7 - METASM SHIZZLE

DEMO 7.1 - Meterpreter windows 7

Page 33: Vulnerability, exploit to metasploit

Meterpreter

• There are a few other things about meterpreter I didn’t show you:

• post/windows/gather/smart_hashdump – This module dumps local accounts from the SAM database; if the target is a Domain Controller it will dump the Domain Account Database.

• post/windows/gather/screen_spy – Get your popcorn, this module makes an almost real time movie of the target’s screen.

• post/windows/gather/enum_shares – This script will enumerate all the shares that are currently configured on the target

• post/windows/gather/enum_services – This script will enumerate all the services that are currently configured on the target

• post/windows/gather/enum_computers – This script will enumerate all the computers that are included in the primary Domain

And my favourites:

post/windows/gather/bitcoin_jacker – Downloads any Bitcoin wallet.dat on the target system.

post/windows/manage/autoroute - Allows you to attack other machines via our first compromised machine (PIVOTING).

Page 34: Vulnerability, exploit to metasploit

Wrapping things up

Typical questions

Page 35: Vulnerability, exploit to metasploit

F.A.Q.

• Want to attack: Windows? Linux?

Page 36: Vulnerability, exploit to metasploit

F.A.Q.

• Want to attack: Solaris? FreeBSD? Scada? Yup! OS X? Yup! Netware? Yup! Irix? Yup!

• Want to attack virtualization stuff?
• Vmauthd_version
• Esx_fingerprint
• Vmauthd_login
• Vmware_enum_users
• Vmware_enum_vms
• Poweroff_vm / Poweron_vm

Page 37: Vulnerability, exploit to metasploit

F.A.Q.

• IPv6 Fully Compatible

• And most important….

Page 38: Vulnerability, exploit to metasploit

F.A.Q.

How does Mona deal with:

ASLR: Mona will, by default, only query non-ASLR and non-rebase modules. If you can find a memory leak, you can still query ASLR/rebase modules. For a partial overwrite: say you need to overwrite half of the saved return pointer and make it point to jmp eax from module1.dll, which has base 0xAABB0000, then you could search for these pointers using

!mona find -type instr -s “jmp eax” -b 0xAABB0000 -t 0xAABBFFFF

This will get you all pointers from that memory region, so you can use the last 2 bytes in the partial overwrite.

Page 39: Vulnerability, exploit to metasploit

F.A.Q.

How does Mona deal with:

DEP:

Mona will attempt to automatically generate ROP chains. Also, usually people only think about bad chars when creating the payload… but especially in the case of ROP chains, a lot of the payload may be pointers. So… when using mona, you can use for example -cpb ‘\x00\x0a\x0d\x20’ to exclude pointers that contain those bad chars (this option is available for any command). Mona will also create a stackpivot file, which you can use in case of an SEH overwrite.

Page 40: Vulnerability, exploit to metasploit

Becoming a vuln researcher

1st – Corelan.be – Read through the exploit development tutorial - Learn a scripting language and ASM

2nd – Read “A Bug Hunter’s Diary” – Side by side: learn how to use tools of the trade such as Immunity Dbg, Scapy, WinDbg, IDA.

3rd – Read Metasploit book

4th – Proceed to learn about fuzzing and other techniques.

For extra directions go to: http://myne-us.blogspot.com/2010/08/from-0x90-to-0x4c454554-journey-into.html

Page 41: Vulnerability, exploit to metasploit

References

1. Corelan.be – AMAZING Team and you can learn so much on their website and IRC chan

2. https://www.corelan.be/index.php/2011/07/14/mona-py-the-manual/ - Mona stuff

3. www.metasploit.com/modules/

4. http://www.offensive-security.com/metasploit-unleashed/