Presentation is loading. Please wait.

Presentation is loading. Please wait.

Writing Metasploit Plugins from vulnerability to exploit Saumil Shah ceo, net-square hack.lu - Luxembourg 2006.

Published byGervais O’Brien’ Modified over 8 years ago

Similar presentations

Presentation on theme: "Writing Metasploit Plugins from vulnerability to exploit Saumil Shah ceo, net-square hack.lu - Luxembourg 2006."— Presentation transcript:

1 Writing Metasploit Plugins from vulnerability to exploit Saumil Shah ceo, net-square hack.lu - Luxembourg 2006

2 © Saumil Shah Saumil Shah - “krafty” ceo, net-square solutions saumil@saumil.net author: “Web Hacking - Attacks and Defense” # who am i 16:08 up 4:26, 1 user, load averages: 0.28 0.40 0.33 USER TTY FROM LOGIN@ IDLE WHAT saumil console - 11:43 0:05 bash # who am i

3 © Saumil Shah From Vulnerability to Exploit Fuzzing EIP = 0x41414141 Debugger Attack Vector Reliable EIP return address Bad characters Test Shellcode (INT 3) INT 3? Final Shellcode Working exploit Shellcode Handling

4 © Saumil Shah The CPU’s registers The Intel 32-bit x86 registers: ESPEAX EBPEBX ESIECX EDIEDX EIP accumulator base counter data instruction pointer destination index source index base pointer stack pointer

5 © Saumil Shah The Process Memory Map environment vars cmd line arguments **envp **argv argc main() local vars … v heap ^ stack … heap - malloc’ed data.bss.data.text 0xc0000000 0x08000000

6 © Saumil Shah Stack Overflows Error condition when a larger chunk of data is attempted to be written into a smaller container (local var on the stack). What will happen if “argv[1]” is more than 128 bytes? char buffer[128]; strcpy(buffer, argv[1]);

7 © Saumil Shah Overflowing victim1.c It’s easy, have an input of more than 128 characters Post-mortem of victim1 $./victim1 AAAAAAAAAAAAAAAAA……AAAAAAAAA Segmentation fault (core dumped) $ $ gdb (gdb) target core core Core was generated by `./victim1 AAAAAAA……AAAA'. Program terminated with signal 11, Segmentation fault. #0 0x41414141 in ?? () (gdb)

8 © Saumil Shah Post mortem debugging Register dump after a stack overflow: EIP’s value is “0x41414141”, i.e. “AAAA” EIP got overwritten with bytes from the overflowed buffer. (gdb) info registers esp 0xbffffb24 -1073743068 ebp 0x41414141 1094795585 esi 0x4000ae60 1073786464 edi 0xbffffb74 -1073742988 eip 0x41414141 1094795585

9 © Saumil Shah Calling a function When a function is called, the following are pushed onto the stack: function parameters saved value of registers such as EBP and EIP When the function returns, EIP is popped off from the stack, which resumes the normal course of program execution

10 © Saumil Shah Calling a function main() { : func1(str) : } func1(str) { : } push str CALL (push EIP) push EBP RET (pop EIP)

11 © Saumil Shah victim’s Memory Map - before envp, argv, etc… main() local vars ptr to param1 saved EIP saved EBP func1::buffer[128].bss.data.text Bottom of stack Top of stack ESP frame 0 - func1() frame 1 - main()

12 © Saumil Shah victim’s Memory Map - after envp, argv, etc… main() local vars ptr to param1 saved EIP saved EBP func1::buffer[128].bss.data.text Bottom of stack Top of stack ESP Stack frame for func1() AAAAAAAAAAAAAAAAAAA A A

13 © Saumil Shah The Stack Overflowed envp, argv, etc… main() local vars ptr to param1 saved EIP saved EBP func1::buffer[128].bss.data.text Bottom of stack Top of stack ESP when func1 returns EIP will be popped EIP = 0x41414141 (“AAAA”) AAAAAAAAAAAAAAAAAAA A A POP

14 © Saumil Shah Registers after the Stack Overflow After func1() returns, EIP and EBP are popped off the stack We have control of the instruction pointer. (gdb) info registers esp 0xbffffa24 -1073743324 ebp 0x41414141 1094795585 esi 0x4000ae60 1073786464 edi 0xbffffa74 -1073743244 eip 0x41414141 1094795585

15 © Saumil Shah Controlling EIP Vulnerabilities may lead to EIP control. We can set the instruction pointer to go to wherever we want… …the question is, “where do we want to go?” Can we inject our own code, and make EIP jump to it? And, where do we inject our code?

16 © Saumil Shah Introducing Metasploit An advanced open-source exploit research and development framework. http://metasploit.com Current stable version: 2.6 Written in Perl, runs on Unix and Win32 (cygwin) 160+ exploits, 77 payloads, 13 encoders Brand new 3.0 beta1 Complete rewrite in Ruby

17 © Saumil Shah Introducing Metasploit Generate shellcode. Shellcode encoding. Shellcode handlers. Scanning binaries for specific instructions: e.g. POP/POP/RET, JMP ESI, etc. Ability to add custom exploits, shellcode, encoders. …and lots more.

18 © Saumil Shah EIP = 0x41414141 How do we determine which 4 bytes go into EIP? Use a cyclic pattern as input: Metasploit’s Pex::Text::PatternOffset() Generate patterns, find substring. Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1 Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3 Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5 Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5…………

19 © Saumil Shah Distance to EIP Use Metasploit’s patternOffset.pl Based on what EIP gets overwritten with, we can find the “distance to EIP” with this pattern. krafty:~/metasploit$ perl sdk/patternOffset.pl 0x68423768 2000 1012 EIPbuffer Bottom of stack 1012 bytes A a 0 A a 1 A a 2 A a 2 A a 3 ……(cyclic pattern)………………………….… h 8 B h …..

20 © Saumil Shah Getting Control of Program Counter Stack Overflows Direct Program Counter overwrite Exception Handler overwrite Format String bugs Heap Overflows Integer Overflows Overwrite pc vs. “what” and “where”

21 © Saumil Shah Enter Shellcode Code assembled in the CPU’s native instruction set. Injected as a part of the buffer that is overflowed. Most typical function of the injected code is to “spawn a shell” - ergo “shellcode”. A buffer containing shellcode is termed as “payload”.

22 © Saumil Shah Writing Shellcode Need to know the CPU’s native instruction set: e.g. x86 (ia32), x86-64 (ia64), ppc, sparc, etc. Tight assembly language. OS specific system calls. Shellcode libraries and generators. Metasploit Framework.

23 © Saumil Shah Injecting the shellcode Easiest way is to pack it in the buffer overflow data itself. Place it somewhere in the payload data. Need to figure out where it will reside in the memory of the target process.

24 © Saumil Shah Where do you want to go…today? EIP can be made to: Return to Stack Jump directly into the payload. (reliability issues - addr jitter, stack protection) Return to Shared library Jump through registers. Requires certain conditions to be meet. (highly stable technique)

25 © Saumil Shah Return to Stack EIPbuffer[128] Bottom of stack 0xbffff7900xbffff81c func1(str) EIPbuffer[128] 0xbffff790 nop nop nop nop nop… 0xbffff7c0 0xbffff7c0 0xbffff7c0…… shellcode ……. func1() returns - pop EIP 0xbffff7c0 EIP EBPbuffer[128] 0xbffff7c0 nop nop nop nop nop… 0xbffff7c0 0xbffff7c0 0xbffff7c0…… shellcode ……. execute shellcode

26 © Saumil Shah Jump through Register EIPbuffer[] Bottom of stack saved EIP overwritten AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA strcpy(buffer, s) EAX EBXEBP ESP ECX EDXEDI ESI EBX points within the buffer (in this case) ESP points beyond the saved EIP AAAAAAAA frame 1….frame 0

27 © Saumil Shah Jump through Register EIP Return to a known location within a DLL DLL addrnop nop nopshellcode xyz.dll call EBX AAAAAAAA EAX EBXEBP ESP ECX EDXEDI ESI shellcode at the beginning of the buffer

28 © Saumil Shah Jump through Register EIP DLL addrAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA abc.dll jmp ESP nop nop shellcode ESP EBX EAX EBP ECX EDXEDI ESI shellcode at the end of the buffer

29 © Saumil Shah Looking for CALL or JMP instructions We need to find locations in memory which contain CALL or JMP instructions, at fixed addresses. Shared libraries get loaded at fixed addresses within the process memory. Ideal for finding CALLs, JMPs. We can try manual pattern searching with opcodes, using a debugger… …or we can use msfpescan or msfelfscan.

30 © Saumil Shah msfpescan, msfelfscan Utilities to scan binaries (executables or shared libraries). Support for ELF and PE binaries. Uses metasploit’s built-in disassemblers. Can find CALLs, JMPs, or POP/POP/RET instruction sets. Can be used to find instruction groups specified by regular expressions.

31 © Saumil Shah msfpescan’ning Windows DLLs If we need to search for a jump to ESI: We can point EIP to any of these values… …and it will then execute a JMP/CALL ESI ~/framework$./msfpescan -f windlls/USER32.DLL -j esi 0x77e11c46 call esi 0x77e121b7 call esi 0x77e121c5 call esi 0x77e1222a call esi : : 0x77e6ca97 jmp esi

32 © Saumil Shah Candidate binaries First, search the executing binary itself. Independent of Kernel, Service Packs, libs. Second, search shared libraries or DLLs included with the software itself. (e.g. in_mp3.dll for Winamp) Last, search default shared libraries that get included from the OS: e.g. KERNEL32.DLL, libc.so, etc. Makes the exploit OS kernel, SP specific.

33 © Saumil Shah Case Study - peercast HTTP overflow 1000 byte payload. first 780 bytes can be AAAA’s. Bytes 781-784 shall contain an address which will go into EIP. Bytes 785 onwards contain shellcode. EIP RETAAAAAAAAAAAAAAAAAAAAAAAAAAAAshellcode ESP

34 © Saumil Shah A little about shellcode Types of shellcode: Bind shell Exec command Reverse shell Staged shell, etc. Advanced techniques: Meterpreter Uploading and running DLLs “in-process” …etc.

35 © Saumil Shah Payload Encoders Payload encoders create encoded shellcode, which meets certain criteria. e.g. Alpha2 generates resultant shellcode which is only alphanumeric. Allows us to bypass any protocol parsing mechanisms / byte filters. An extra “decoder” is added to the beginning of the shellcode. size may increase.

36 © Saumil Shah Payload Encoders Example: Alpha2 encoding Transforms raw payload into alphanumeric only shellcode. Decoder decodes the payload “in-memory”. decoderUnWQ89Jas281EEIIkla2wnhaAS901las original shellcode (ascii 0-255)

37 © Saumil Shah Payload Encoders Metasploit offers many types of encoders. Work around protocol parsing e.g. avoid CR, LF, NULL toupper(), tolower(), etc. Defeat IDS Polymorphic Shellcode Shikata Ga Nai

38 © Saumil Shah Exploiting Exception Handling Try / catch block Pointer to the exception handling code also saved on the stack, for each code block. try { : code that may throw : an exception. } catch { : attempt to recover from : the exception gracefully. }

39 © Saumil Shah Exception handling … implementation params saved EIP saved EBP Bottom of stack more frames frame w/ exception handling local vars addr of exception handler exception handler code (catch block)

40 © Saumil Shah Windows SEH SEH - Structured Exception Handler Windows pops up a dialog box: Default handler kicking in.

41 © Saumil Shah Custom exception handlers Default SEH should be the last resort. Many languages including C++ provide exception handling coding features. Compiler generates links and calls to exception handling code in accordance with the underlying OS. In Windows, exception handlers form a LINKED LIST chain on the stack.

42 © Saumil Shah SEH Record Each SEH record is of 8 bytes These SEH records are found on the stack. In sequence with the functions being called, interspersed among function (block) frames. WinDBG command - !exchain address of exception handler ptr to next SEH record

43 © Saumil Shah SEH Chain Each SEH record is of 8 bytes addr of ex_handler1 ptr to SEH_record_2 addr of ex_handler2 ptr to next SEH_record_n default exception handler 0xFFFFFFFF MSVCRT!exhandler ex_handler1() ex_handler2() bottom of stack

44 © Saumil Shah SEH on the stack address of exception handler 0xFFFFFFFF main() ^ stack func_z() initial entry frame MSVCRT!exhandler address of exception handler ptr to next SEH record ex_handler_z() params saved EBP saved EIP local vars

45 © Saumil Shah Yet another way of getting EIP Overwrite one of the addresses of the registered exception handlers… …and, make the process throw an exception! If no custom exception handlers are registered, overwrite the default SEH. Might have to travel way down the stack… …but in doing so, you get a long buffer!

46 © Saumil Shah Overwriting SEH address of exception handler ptr to next SEH record ex_handler() params saved EBP saved EIP buffer[12]

47 © Saumil Shah BBBB : : : Overwriting SEH BBBB AAAA ex_handler() AAAA EIP = 0x41414141 causes segmentation fault. OS invokes registered exception handler in the chain EIP = 0x42424242

48 © Saumil Shah Case study - sipXtapi CSeq overflow sipXtapi library - popular open source VoIP library. Used in many soft phones AOL Triton soft phone uses sipXtapi. 24 byte buffer overflow in the CSeq SIP header. Too small for any practical shellcode. We can hack it up by overwriting SEH.

49 © Saumil Shah Writing Metasploit exploit modules Integration within the Metasploit framework. Multiple target support. Dynamic payload selection. Dynamic payload encoding. Built-in payload handlers. Can use advanced payloads. …a highly portable, flexible and rugged exploit!

50 © Saumil Shah How Metasploit runs an exploit create payload launch attack get connection EXPLOIT preamble List of known target values user supplied exploit info Metasploit Shellcode Library Encoders Payload handlers

51 © Saumil Shah Writing a Metasploit exploit Perl module (2.6), Ruby module (3.0) Pre-existing data structures %info, %advanced Constructor sub new {…} Exploit code sub Exploit {…}

52 © Saumil Shah Structure of the exploit perl module package Msf::Exploit::name; use base “Msf::Exploit”; use strict; use Pex::Text; my $advanced = { }; my $info = { }; sub new { } sub Exploit { } information block constructor return an instance of our exploit exploit block

53 © Saumil Shah %info Name Version Authors Arch OS Priv UserOpts Payload Encoder Refs DefaultTarget Targets Keys

54 © Saumil Shah Metasploit Pex Perl EXtensions. /lib/Pex.pm /lib/Pex/ Text processing routines. Socket management routines. Protocol specific routines. These and more are available for us to use in our exploit code.

55 © Saumil Shah Pex::Text Encoding and Decoding (e.g. Base64) Pattern Generation Random text generation (to defeat IDS) Padding …etc

56 © Saumil Shah Pex::Socket TCP UDP SSL TCP Raw UDP

57 © Saumil Shah Pex - protocol specific utilities SMB DCE RPC SunRPC MSSQL …etc

58 © Saumil Shah Pex - miscellaneous utilities Pex::Utils Array and hash manipulation Bit rotates Read and write files Format String generator Create Win32 PE files Create Javascript arrays …a whole lot of miscellany!

59 © Saumil Shah metasploit_skel.pm A skeleton exploit module. Walk-through. Can use this skeleton to code up exploit modules. Place finished exploit modules in: /exploits/

60 © Saumil Shah Finished examples my_peercast.pm my_sipxtapi.pm

61 © Saumil Shah Some command line Metasploit tools msfcli Metasploit command line interface. Can script up metasploit framework actions in a non-interactive manner. msfpayload Generate payload with specific options. msfencode Encode generated payload.

62 © Saumil Shah More command line Metasploit tools msfweb Web interface to the Metasploit framework. msfupdate Live update for the Metasploit framework.

63 © Saumil Shah New in Version 3.0 msfd Metasploit daemon, allows for client-server operation of Metasploit. msfopcode command line interface to Metasploit’s online opcode database. msfwx a GUI interface using wxruby.

64 © Saumil Shah New in Version 3.0 New payloads, new encoders. Ruby extension - Rex (similar to Pex) NASM shell. Back end Database support. …whole lot of goodies here and there.

65 Thank You! Saumil Shah saumil@saumil.net http://net-square.com +91 98254 31192

Download ppt "Writing Metasploit Plugins from vulnerability to exploit Saumil Shah ceo, net-square hack.lu - Luxembourg 2006."

Similar presentations

Smashing the Stack for Fun and Profit

Smashing the Stack for Fun and Profit
David Brumley Carnegie Mellon University Credit: Some slides from Ed Schwartz.

David Brumley Carnegie Mellon University Credit: Some slides from Ed Schwartz.
Introduction to Information Security ROP – Recitation 5 nirkrako at post.tau.ac.il itamarg at post.tau.ac.il.

Introduction to Information Security ROP – Recitation 5 nirkrako at post.tau.ac.il itamarg at post.tau.ac.il.
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.

Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 11 – Buffer Overflow.

Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 11 – Buffer Overflow.
Lecture 16 Buffer Overflow modified from slides of Lawrie Brown.

Lecture 16 Buffer Overflow modified from slides of Lawrie Brown.
Review: Software Security David Brumley Carnegie Mellon University.

Review: Software Security David Brumley Carnegie Mellon University.
Intro to Exploitation Stack Overflows James McFadyen UTD Computer Security Group 10/20/2011.

Intro to Exploitation Stack Overflows James McFadyen UTD Computer Security Group 10/20/2011.
1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.

1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.
Memory Image of Running Programs Executable file on disk, running program in memory, activation record, C-style and Pascal-style parameter passing.

Memory Image of Running Programs Executable file on disk, running program in memory, activation record, C-style and Pascal-style parameter passing.
1 Function Calls Professor Jennifer Rexford COS 217 Reading: Chapter 4 of “Programming From the Ground Up” (available online from the course Web site)

1 Function Calls Professor Jennifer Rexford COS 217 Reading: Chapter 4 of “Programming From the Ground Up” (available online from the course Web site)
Assembly תרגול 8 פונקציות והתקפת buffer.. Procedures (Functions) A procedure call involves passing both data and control from one part of the code to.

Assembly תרגול 8 פונקציות והתקפת buffer.. Procedures (Functions) A procedure call involves passing both data and control from one part of the code to.
September 22, 2014 Pengju (Jimmy) Jin Section E

September 22, 2014 Pengju (Jimmy) Jin Section E
Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-

Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-
Introduction to InfoSec – Recitation 2 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Introduction to InfoSec – Recitation 2 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
Web Application Access to Databases. Logistics Test 2: May 1 st (24 hours) Extra office hours: Friday 2:30 – 4:00 pm Tuesday May 5 th – you can review.

Web Application Access to Databases. Logistics Test 2: May 1 st (24 hours) Extra office hours: Friday 2:30 – 4:00 pm Tuesday May 5 th – you can review.
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2011.

CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2011.
Exploiting Buffer Overflows on AIX/PowerPC HP-UX/PA-RISC Solaris/SPARC.

Exploiting Buffer Overflows on AIX/PowerPC HP-UX/PA-RISC Solaris/SPARC.
Let’s look at an example I want to write an application that reports the course scores to you. Requirements: –Every student can only get his/her score.

Let’s look at an example I want to write an application that reports the course scores to you. Requirements: –Every student can only get his/her score.
Buffer Overflows : An In-depth Analysis. Introduction Buffer overflows were understood as early as 1972 The legendary Morris Worm made use of a Buffer.

Buffer Overflows : An In-depth Analysis. Introduction Buffer overflows were understood as early as 1972 The legendary Morris Worm made use of a Buffer.

Similar presentations

Ads by Google