[PH-Neutral 0x7db] Exploit Next Generation®

PH-Neutral lecture about Permutation Oriented Programming (formerly known as Exploit Next Generation® Methodology).

Permutation Oriented Programming is the simplest way to evade detection by security solutions, and it exposes the weakness of pattern-matching technology.

  1. Exploit Next Generation®: "Mission given is mission accomplished!" (original motto in Portuguese: "Missão dada é missão cumprida!")
  2-8. Agenda
    • 0001 – Introduction
    • 0010 – Brain at work
    • 0011 – ENG++ approach
    • 0100 – Demonstration
    • 0101 – Conclusions
    • 0110 – Questions and Answers
  9-13. nbrito@pitbull:~$ whoami
    • Nelson Brito:
      • Security researcher enthusiast
      • Addict for (in)security systems
    • Home town:
      – Rio de Janeiro
    • Public tools:
      • T50 Experimental Mixed Packet Injector
      • ENG++ SQL Fingerprint™
    • WEB:
      • http://fnstenv.blogspot.com/
      • http://twitter.com/nbrito
  14. 0001 – Introduction: "Because five bytes can make the difference"
  15. Before starting
    0-Day
    • 0-day is cool, isn't it? But only if nobody is aware of its existence.
    • Once the unknown vulnerability becomes known, the 0-day expires, since a patch or a mitigation is released (whichever comes first).
    • So we can conclude that, once expired (patched or mitigated), a 0-day has no more value. If you do not believe me, try to sell a well-known vulnerability to your vulnerability broker.
    • Some security solutions fight against 0-day faster than the affected vendor.
    Pattern-matching
    • This technology is as needed today as it was in the past, but a security solution cannot rely only on it.
    • No matter how fast the pattern-matching algorithm is, if no pattern matches, the solution concludes that no vulnerability is being exploited.
    • No vulnerability exploitation, no protection action… But what if the pattern is wrong?
    • How can we guarantee that the pattern which was not matched is the correct basis for a protection action? Was the detection really designed to detect the vulnerability, or only one exploit of it?
  16. Current evasion techniques (a.k.a. TT)
    Techniques
    • Packet fragmentation – Overlapping fragments
    • Stream segmentation – Overlapping segments
    • Byte and traffic insertion
    • Polymorphic shellcode
    • Denial of Service
    • URL obfuscation (+ SSL encryption)
    • RPC fragmentation
    • HTML and JavaScript obfuscation
    • Etc…
    Tools
    • Fragroute / Fragrouter
    • ADMutate / ALPHA[2-3] / BETA3 / Others
    • Whisker / Nikto / Sandcat
    • Snot / Stick / IDS-wakeup / Others
    • Sidestep / "rpc-evade-poc.pl" / Others
    • "predator"
    • Etc…
  17. What is Exploit Next Generation®?
    The scenario
    • Remember: "Some security solutions fight against 0-day faster than the affected vendor".
    • This protection (the mitigation) has a long life, and sometimes the correct protection (the patch) is never applied.
    • People's hope, and consequently their security strategy, rests on this security model: vulnerability mitigated, no patch…
    • But what if an old and well-known vulnerability could be exploited even under this security model?
    • As far as pattern matching is concerned, any new variant of an old vulnerability's exploitation is effectively a new vulnerability, because there is no pattern to be matched yet!
    The methodology
    • To circumvent or avoid a pattern-matching detection, there are two options:
      – Easier: know how the vulnerability is detected (access to the signature/vaccine).
      – Harder: know deeply how to trigger the vulnerability and how to exploit it (access to the vulnerable ecosystem).
    • ENG++ is the harder option:
      – Deep analysis of a vulnerability.
      – Use all the acquired knowledge to offer a variety of decision points (variants).
      – Interact with the trigger and the additional entities, preparing the vulnerable ecosystem and performing some memory manipulation.
      – Use randomness to provide unpredictable payloads, i.e., permutation.
  18. ENG++ (pronounced /ěn'jĭn/ incremented)
    The truth
    • The ENG++ methodology deals with the vulnerable ecosystem and memory manipulation rather than with the shellcode: it is neither a new polymorphic shellcode technique nor an obfuscation technique; instead, ENG++ employs "Permutation Oriented Programming".
    • The ENG++ methodology can be applied to work with the Rapid7 Metasploit Framework, CORE Impact Pro, Immunity CANVAS Professional, and stand-alone proof-of-concepts (a.k.a. freestyle coding).
    • The ENG++ methodology is neither additional entropy for the tools mentioned above nor an Advanced Evasion Technique (AET). Instead, the ENG++ methodology can empower both of them.
    • The ENG++ methodology maintains exploitation reliability: even using random decisions, it is able to satisfy all exploitation requirements.
    The examples
    • Server-side vulnerabilities:
      – MS02-039: CVE-2002-0649/CWE-120.
      – MS02-056: CVE-2002-1123/CWE-120.
    • Client-side vulnerabilities:
      – MS08-078: CVE-2008-4844/CWE-367.
      – MS09-002: CVE-2009-0075/CWE-367.
    • Windows 32-bit shellcodes:
      – 波動拳 (Hadouken): "CMD /k".
      – 昇龍拳 (Shoryuken): "CMD /k set DIRCMD=/b".
    • All example modules were ported to work with the Rapid7 Metasploit Framework, but there are also client-side examples in HTML and JavaScript.
  19-24. What if… exploit #1, exploit #2, …, exploit #N all overlap in a shared zone. That shared zone is Exploit Next Generation®.
  25. 0010 – Brain at work: "Hardest option"
  26. Vulnerabilities
    MS02-039
    • Common Vulnerabilities and Exposures: CVE-2002-0649.
    • Common Weakness Enumeration: CWE-120.
    • CVSS Severity: 7.5 (HIGH).
    • Target: Microsoft SQL Server 2000 SP0-2.
    • Vulnerable ecosystem:
      – Protocol UDP.
      – Communication port 1434.
      – SQL request CLNT_UCAST_INST.
      – INSTANCENAME >= 96 bytes.
      – INSTANCENAME != NULL.
    MS08-078
    • Common Vulnerabilities and Exposures: CVE-2008-4844.
    • Common Weakness Enumeration: CWE-367.
    • CVSS Severity: 9.3 (HIGH).
    • Target: Microsoft Internet Explorer 5.01 SP4, 6 SP0-1, 7 and 8 Beta 2.
    • Vulnerable ecosystem:
      – XML Data Island feature enabled (default).
      – DHTML with embedded data binding.
      – XML Data Source Object (DSO).
      – Data consumer (HTML element) pointing to a dereferenced XML DSO.
  27-40. MS02-039 (CVE-2002-0649/CWE-120)
    (figure built up over several slides; arrows mark the trigger, the additional entities and the arbitrary code)
  41-72. MS08-078 (CVE-2008-4844/CWE-367)
    (figure built up over several slides; arrows mark the trigger and the arbitrary code)
  73-74. MS08-078 (CVE-2008-4844/CWE-367)
    Breakpoints (WinDbg "bp" syntax) on the mshtml functions involved, from CRecordInstance construction to its destructor:
    bp mshtml!CRecordInstance::CRecordInstance
    bp mshtml!CRecordInstance::SetHRow
    bp mshtml!CCurrentRecordConsumer::Bind
    bp mshtml!CXfer::CreateBinding
    bp mshtml!CRecordInstance::AddBinding
    bp mshtml!CRecordInstance::TransfertoDestination
    bp mshtml!CXfer::TransferFromSrc
    bp mshtml!CXfer::Detach
    bp mshtml!CXfer::ColumnsChanged
    bp mshtml!CRecordInstance::RemoveBinding
    bp mshtml!CRecordInstance::Detach
    bp mshtml!CRecordInstance::~CRecordInstance
  75. 0011 – ENG++ approach: Permutation Oriented Programming, also known as "(Re)searching for alternatives"
  76-94. ENG++ approach (flowchart built up over several slides; nodes in order of appearance)
    Vulnerability → Vulnerable Ecosystem
    Documentation? → Document / Reversing
    Alternatives? → Alternatives
    Trigger, Additional Entities, Arbitrary code
    Attack detection → Obfuscation? / Permutation?
  95. MS02-039 (CVE-2002-0649/CWE-120) POPed
    • SQL Request:
      – CLNT_UCAST_INST (0x04).
    • SQL INSTANCENAME:
      – Byte values from 0x01 to 0xff, except 0x0a, 0x0d, 0x2f, 0x3a and 0x5c.
      – 24,000 permutations.
    • Return address:
      – Uses the "jump to register" technique, in this case the ESP register.
      – There are four (4) new possible return addresses within SQLSORT.DLL (Microsoft SQL Server 2000 SP0-2). There are many more return addresses if you do not mind hardcoding them.
      – Tools: "Findjmp.c" by Ryan Permeh ("Hack Proofing Your Network, Second Edition", 2002), and "DumpOp.c" by Kostya Kortchinsky ("Macro reliability in Win32 Exploits", Black Hat Europe, 2007).
      – 4 permutations.
    • JUMP:
      – Unconditional JMP short, relative and forward, to REL8.
      – There are 115 possible values of REL8.
      – 115 permutations.
    • Writable address and memory alignment:
      – There are 26,758 new writable addresses within SQLSORT.DLL (Microsoft SQL Server 2000 SP0-2). There are many more writable addresses if you do not mind hardcoding them.
      – Tools: "IDA Pro 5.0 Freeware" by Hex-Rays, and "OllyDbg 2.01 alpha 2" by Oleh Yuschuk.
      – 26,758 permutations.
    • Padding and memory alignment:
      – Byte values from 0x01 to 0xff.
      – The length may vary, depending on the JUMP, from 3,048 to 29,210 possibilities.
      – 29,210 permutations.
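The permutation dimensions above are exactly what a content signature written against one sample exploit cannot follow. The Python example below is added here and is not one of Nelson Brito's ENG++ modules. It builds only the trigger skeleton of the MS02-039 vulnerable ecosystem from slides 26 and 95 (SSRP request CLNT_UCAST_INST = 0x04 followed by an INSTANCENAME of at least 96 bytes drawn from the allowed byte set), permuting the INSTANCENAME on every call, and runs two detectors over the variants: a constructed content signature (the 96 "A" bytes of a hypothetical sample, standing in for a signature copied from one public PoC) and a check written against the vulnerable condition itself. No return address, JMP or payload is included; those parts of the deck's permutation space are deliberately left out.

```python
"""
Permutation Oriented Programming vs. pattern matching, on the MS02-039
(CVE-2002-0649) vulnerable ecosystem from slides 26 and 95: UDP/1434,
SSRP request CLNT_UCAST_INST (0x04), INSTANCENAME of at least 96 bytes,
free of 0x0a, 0x0d, 0x2f, 0x3a and 0x5c (and of NUL, which ends it).

Added illustration; not Nelson Brito's ENG++ modules.  Only the trigger
skeleton is built (opcode + permuted INSTANCENAME); no return address,
jump or payload.  CONTENT_SIGNATURE is a constructed stand-in for a
signature copied from one hypothetical sample exploit.
"""
import random

SSRP_PORT = 1434
CLNT_UCAST_INST = 0x04
MIN_INSTANCENAME_LEN = 96  # INSTANCENAME >= 96 bytes (slide 26)

# Bytes that may not appear in INSTANCENAME: NUL terminates the string,
# the rest are the exclusions listed on slide 95.
FORBIDDEN = frozenset({0x00, 0x0a, 0x0d, 0x2f, 0x3a, 0x5c})
ALLOWED = bytes(b for b in range(0x100) if b not in FORBIDDEN)


def build_trigger(length: int = MIN_INSTANCENAME_LEN, seed=None) -> bytes:
    """One permutation of the trigger: opcode byte + `length` random allowed bytes.
    A seed makes the permutation reproducible; without one the OS RNG is used."""
    if length < MIN_INSTANCENAME_LEN:
        raise ValueError("INSTANCENAME shorter than the overflow threshold")
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    instancename = bytes(rng.choice(ALLOWED) for _ in range(length))
    return bytes([CLNT_UCAST_INST]) + instancename


# Constructed sample: the INSTANCENAME padding of one hypothetical public PoC
# (96 'A' bytes).  A signature copied from it detects that PoC, not the bug.
CONTENT_SIGNATURE = bytes([CLNT_UCAST_INST]) + b"A" * MIN_INSTANCENAME_LEN


def content_match(dport: int, payload: bytes) -> bool:
    """Detector 1: byte pattern lifted from the sample exploit."""
    return dport == SSRP_PORT and payload.startswith(CONTENT_SIGNATURE)


def vulnerability_match(dport: int, payload: bytes) -> bool:
    """Detector 2: the vulnerable condition itself, whatever bytes are used:
    CLNT_UCAST_INST whose INSTANCENAME (up to the first NUL) is >= 96 bytes."""
    if dport != SSRP_PORT or not payload or payload[0] != CLNT_UCAST_INST:
        return False
    instancename = payload[1:].split(b"\x00", 1)[0]
    return len(instancename) >= MIN_INSTANCENAME_LEN


def evaluate(variants: int = 1000, seed: int = 1) -> dict:
    """Run both detectors over `variants` permuted triggers of varying length."""
    rng = random.Random(seed)
    content_hits = vuln_hits = 0
    for _ in range(variants):
        pkt = build_trigger(rng.randint(MIN_INSTANCENAME_LEN, 200),
                            seed=rng.getrandbits(32))
        content_hits += content_match(SSRP_PORT, pkt)
        vuln_hits += vulnerability_match(SSRP_PORT, pkt)
    return {"variants": variants,
            "content_signature_hits": content_hits,
            "vulnerability_check_hits": vuln_hits}


if __name__ == "__main__":
    print(evaluate())
```

evaluate() reports the content signature matching none of the permutations while the condition check matches all of them. The same loop is how a practitioner would test a vendor signature for this bug: feed it permuted INSTANCENAMEs of varying length and see whether the alert still fires, rather than replaying the one public PoC.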
  96-98. MS08-078 (CVE-2008-4844/CWE-367) POPed
    • CVE-2008-4844: "…crafted XML document containing nested <SPAN> elements"? I do not think so…
    • XML Data Island:
      – There are two (2) options: using the Dynamic HTML (DHTML) <XML> element within the HTML document, or overloading the HTML <SCRIPT> element. Unfortunately, the HTML <SCRIPT> element is useless here.
      – The <XML> element accepts a combination of different types of elements, i.e., they can be anything.
    • XML Data Source Object (DSO):
      – Characters like "<" and "&" are illegal inside the <XML> element. To avoid errors, the content of the <XML> element can be declared as CDATA (unparsed character data), or "<" can be written as "&lt;".
      – Both <IMG SRC= > and <IMAGE SRC= > elements are useful as an XML DSO.
      – 4 permutations.
    • Data Consumer (HTML elements):
      – According to MSDN ("Binding HTML Elements to Data") there are at least fifteen (15) bindable HTML elements available, but only five (5) of them are useful.
      – The HTML element is a key part of the trigger, because it points to a dereferenced XML DSO, but it does not have to be the same HTML element every time: it can be any mix of HTML elements.
      – 25 permutations.
    • Return address:
      – Uses the "Heap Spray" technique; in this case the XML DSO carries the return address, and the ".NET DLL" technique by Mark Dowd and Alexander Sotirov ("How to Impress Girls with Browser Memory Protection Bypasses", Black Hat USA, 2008) can also be used.
      – There are at least four (4) new possible return addresses.
      – 4 permutations.
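The same weakness on the client side: the CVE text talks about nested <SPAN> elements, but the ecosystem on slides 26 and 98 only requires some bindable HTML element pointing at an XML data island that holds an IMG or IMAGE DSO. The Python example below is added here and is not taken from the deck or from the ENG++ modules. It enumerates the structural permutations (consumer element x DSO element x island encoding) and compares a <SPAN>-based signature with a structural check that resolves DATASRC references to <XML> islands. Two assumptions: the consumer binds through the DHTML DATASRC/DATAFLD attributes documented on MSDN, and the fifteen bindable element names are taken from MSDN's data-binding documentation as an assumed list (the deck names neither them nor the five it calls useful). The generated documents are structural only; nothing here produces the dereferenced DSO that makes the real trigger fire, so the structural check flags the precondition, not the exploit.

```python
"""
MS08-078 (CVE-2008-4844) ecosystem permutations vs. a <SPAN> signature.

Added illustration; not the deck's modules.  Generates structural variants
only (no dereferenced DSO, no heap spray) and runs two detectors over them.
"""
import itertools
import re
from html.parser import HTMLParser

# Bindable elements per MSDN "Binding HTML Elements to Data" (assumed list;
# the deck only says there are at least fifteen, of which five are useful).
BINDABLE = ["span", "div", "a", "img", "input", "select", "table", "textarea",
            "button", "label", "marquee", "object", "applet", "iframe", "frame"]
DSO_TAGS = ["IMG", "IMAGE"]             # both usable as the XML DSO (slide 98)
ENCODINGS = ["raw", "cdata", "entity"]  # how "<" survives inside <XML> (slide 98)


def data_island(island_id: str, dso_tag: str, encoding: str) -> str:
    """An <XML> data island holding one DSO element, encoded one of three ways."""
    inner = f'<{dso_tag} SRC="x">'
    if encoding == "cdata":
        inner = f"<![CDATA[{inner}]]>"
    elif encoding == "entity":
        inner = inner.replace("<", "&lt;").replace(">", "&gt;")
    return f'<XML ID="{island_id}">{inner}</XML>'


def variant(consumer: str, dso_tag: str, encoding: str, island_id: str = "dso") -> str:
    """One permutation: island + a data consumer bound to it via DATASRC/DATAFLD
    (DHTML data-binding attributes; an assumption, see the lead-in)."""
    return ("<HTML><BODY>" + data_island(island_id, dso_tag, encoding)
            + f'<{consumer} DATASRC="#{island_id}" DATAFLD="SRC"></{consumer}>'
            + "</BODY></HTML>")


def all_variants() -> list:
    return [variant(c, d, e)
            for c, d, e in itertools.product(BINDABLE, DSO_TAGS, ENCODINGS)]


# Detector 1: the pattern suggested by the CVE description ("nested <SPAN>").
SPAN_SIGNATURE = re.compile(r"<SPAN\b[^>]*\bDATASRC\s*=", re.IGNORECASE)


# Detector 2: resolve every DATASRC="#id" to an <XML ID="id"> island, whatever
# the consumer tag and however the island body is encoded.
class BindingFinder(HTMLParser):
    def __init__(self) -> None:
        super().__init__()
        self.islands = set()
        self.consumers = []  # (tag, referenced island id)

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "xml" and a.get("id"):
            self.islands.add(a["id"].lower())
        ref = a.get("datasrc", "")
        if ref.startswith("#"):
            self.consumers.append((tag, ref[1:].lower()))


def consumers_bound_to_island(doc: str) -> list:
    """Tags of elements whose DATASRC resolves to an <XML> island in the same document."""
    finder = BindingFinder()
    finder.feed(doc)
    finder.close()
    return [tag for tag, ref in finder.consumers if ref in finder.islands]


def evaluate() -> dict:
    docs = all_variants()
    return {
        "variants": len(docs),
        "span_signature_hits": sum(1 for d in docs if SPAN_SIGNATURE.search(d)),
        "binding_check_hits": sum(1 for d in docs if consumers_bound_to_island(d)),
    }


if __name__ == "__main__":
    print(evaluate())
```

Over the 90 generated variants the <SPAN> signature fires on the six that happen to use a SPAN consumer, while the binding check fires on all of them. The price is the one the deck hints at: a check on the ecosystem rather than on a byte pattern will also fire on legitimate pages that bind an element to an XML island, so it belongs in a context-aware layer (or as a trigger for deeper inspection), not as a standalone block signature.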
  99. 0100 – Demonstration
  100. What demo? The examples applying the ENG++ methodology will be available as soon as I connect to the Internet, so you will be able to test them yourselves!!!
  101. 0101 – Conclusions
  102. Conclusions
    • Some examples applying the ENG++ methodology will be available. For further details, please refer to:
      – http://fnstenv.blogspot.com/
    • ENG++ examples are licensed under the GNU General Public License version 2.
    • The examples cover pretty old vulnerabilities, such as:
      – MS02-039: 3,231 days since published.
      – MS02-056: 3,161 days since published.
      – MS08-078: 893 days since published.
      – MS09-002: 838 days since published.
    • ENG++ is also not new:
      – Encore-NG: 980 days since BUGTRAQ and FULL-DISCLOSURE.
      – ENG++: 546 days since H2HC 6th Edition.
    • The ENG++ methodology is not part of any commercial or public tool and is freely available, although the examples were ported to work with the Rapid7 Metasploit Framework. This is to show how flexible its approach and deployment are, in the hope that it helps people understand the threat and improve their infrastructure, security solutions and development approach.
    • The ENG++ methodology can be freely applied; there are no restrictions… none other than laziness.
    • The ENG++ methodology can help different people performing different tasks, such as:
      – Penetration testing.
      – Development of exploit and proof-of-concept tools.
      – Evaluation and analysis of security solutions.
      – Quality assurance for security solutions.
      – Development of detection and protection mechanisms.
      – Etc…
  103. 0110 – Questions & Answers
  104. Any questions?
