[PH-Neutral 0x7db] Exploit Next Generation®

Exploit Next Generation®“Missão dada é missão cumprida!”

Agenda

Agenda• 0001 – Introduction

Agenda• 0001 – Introduction• 0010 – Brain at work

Agenda• 0001 – Introduction• 0010 – Brain at work• 0011 – ENG++ approach

Agenda• 0001 – Introduction • 0100 – Demonstration• 0010 – Brain at work• 0011 – ENG++ approach

Agenda• 0001 – Introduction • 0100 – Demonstration• 0010 – Brain at work • 0101 – Conclusions• 0011 – ENG++ approach

Agenda• 0001 – Introduction • 0100 – Demonstration• 0010 – Brain at work • 0101 – Conclusions• 0011 – ENG++ approach • 0110 – Questions and Answers

nbrito@pitbull:~$ whoami

nbrito@pitbull:~$ whoami• Nelson Brito: • Security researcher enthusiast • Addict for (in)security systems

nbrito@pitbull:~$ whoami• Nelson Brito: • Security researcher enthusiast • Addict for (in)security systems• Home town: – Rio de Janeiro

nbrito@pitbull:~$ whoami• Nelson Brito: • Security researcher enthusiast • Addict for (in)security systems• Home town: – Rio de Janeiro• Public tools: • T50 Experimental Mixed Packet Injector • ENG++ SQL Fingerprint™

nbrito@pitbull:~$ whoami• Nelson Brito: • Security researcher enthusiast • Addict for (in)security systems• Home town: – Rio de Janeiro• Public tools: • T50 Experimental Mixed Packet Injector • ENG++ SQL Fingerprint™• WEB: • http://fnstenv.blogspot.com/ • http://twitter.com/nbrito

0001 – Introduction“Because five bytes can make the difference”

Before starting0-Day Pattern-matching• 0-day is cool, isn’t it? But only if nobody is aware • This technology is as need today as it was in the of its existence. past, but the security solution cannot rely only on this.• Once the unknown vulnerability becomes known, the 0-day will expire – since a patch or • No matter how fast is the pattern-matching a mitigation is released (which comes first). algorithm, if a pattern does not match, it means that there is no vulnerability exploitation.• So we can conclude that, once expired (patched or mitigated), 0-day has no more value. If you • No vulnerability exploitation, no protection do not believe me, you can try to sell a well- action… But what if the pattern is wrong? known vulnerability to your vulnerability- broker. • How can we guarantee that the pattern, which was not matched, is the correct approach for a• Some security solutions fight against 0-day faster protection action? Was the detection really than the affected vendor. designed to detect the vulnerability?

Current evasion techniques (a.k.a. TT)Techniques Tools• Packet fragmentation – Overlapping fragments • Fragroute / Fragrouter• Stream segmentation – Overlapping segments • ADMutate / ALPHA[2-3] / BETA3 / Others• Byte and traffic insertion • Whisker / Nikto / Sandcat• Polymorphic shellcode • Snot / Stick / IDS-wakeup / Others• Denial of Service • Sidestep / “rpc-evade-poc.pl” / Others• URL obfuscation (+ SSL encryption) • “predator”• RPC fragmentation • Etc…• HTML and JavaScript obfuscation• Etc…

What is Exploit Next Generation®?The scenario The methodology• Remember: “Some security solutions fight against • To circumvent or avoid a pattern-matching 0-day faster than the affected vendor”. detection, there are two options: – Easier: know how the vulnerability is• This protection (mitigation) has a long life, and detected (access to signature/vaccine). sometimes the correct protection (patch) is not – Harder: know deeply how to trigger the applied. vulnerability and how to exploit it (access to vulnerable ecosystem).• People’s hope, consequently their security strategy, resides on this security model: • ENG++ is the hardest option: vulnerability mitigated, no patch… – Deep analysis of a vulnerability. – Use all the acquired knowledge to offer a• But what if an old and well-known variety of decision points (variants). vulnerability could be exploited, even on this – Interact with the trigger and the security approach model? additional entities, preparing the vulnerable ecosystem and performing• According to pattern-matching, any new some memory manipulation . variant of an old vulnerability exploitation is – Use randomness to provide unpredictable considered a new vulnerability, because there is payloads, i.e., permutation. no pattern to be matched yet!

ENG++ (pronounced /ěn’jĭn/ incremented)The truth The examples• ENG++ methodology deals with vulnerable • Server-side vulnerabilities: ecosystem and memory manipulation, rather – MS02-039: CVE-2002-0649/CWE-120. than shellcode – it is neither a new polymorphic shellcode technique, nor an – MS02-056: CVE-2002-1123/CWE-120. obfuscation technique, instead, ENG++ employs “Permutation Oriented Programming”. • Client-side vulnerabilities: – MS08-078: CVE-2008-4844/CWE-367.• ENG++ methodology can be applied to work with: Rapid7 Metasploit Framework, CORE Impact Pro, – MS09-002: CVE-2009-0075/CWE-367. Immunity CANVAS Professional, and stand-alone proof-of-concepts (a.k.a. freestyle coding). • Windows 32-bit shellcodes: – 波動拳: “CMD /k”.• ENG++ methodology is neither an additional – 昇龍拳: “CMD /k set DIRCMD=/b”. entropy for tools mentioned above, nor an Advanced Evasion Technique (AET). Instead, ENG++ methodology can empower both of them. • All example modules were ported to work with Rapid7 Metasploit Framework, but there are also• ENG++ methodology maintains the exploitation examples for client-side in HTML and JavaScript. reliability, even using random decisions, it is able to achieve all exploitation requirements.

What if… exploit #1

What if… exploit #1 exploit #2

What if… exploit #1exploit #N exploit #2

What if… exploit #1exploit #N exploit #2 shared zone

What if… exploit #1exploit #N exploit #2 shared zone Exploit Next Generation®

0010 – Brain at work“Hardest option”

VulnerabilitiesMS02-039 MS08-078• Common Vulnerabilities and Exposures: • Common Vulnerabilities and Exposures: – CVE-2002-0649. – CVE-2008-4844.• Common Weakness Enumeration: • Common Weakness Enumeration: – CWE-120. – CWE-367.• CVSS Severity: 7.5 (HIGH). • CVSS Severity: 9.3 (HIGH).• Target: • Target: – Microsoft SQL Server 2000 SP0-2. – Microsoft Internet Explorer 5.01 SP4, 6 SP0- 1, 7 and 8 Beta 2.• Vulnerable ecosystem: – Protocol UDP. • Vulnerable ecosystem: – Communication Port 1434. – XML Data Island feature enabled (default). – SQL Request CLNT_UCAST_INST. – DHTML with embedded Data binding. – INSTANCENAME >= 96 bytes. – XML Data Source Object (DSO). – INSTANCENAME != NULL. – Data Consumer (HTML element) pointing to a dereferenced XML DSO.

MS02-039 (CVE-2002-0649/CWE-120)

MS02-039 (CVE-2002-0649/CWE-120)trigger ↓

MS02-039 (CVE-2002-0649/CWE-120) trigger ↓additional entities ↓

arbitrary additional code entities trigger ↓ ↓ ↓ MS02-039 (CVE-2002-0649/CWE-120)

MS08-078 (CVE-2008-4844/CWE-367)

MS08-078 (CVE-2008-4844/CWE-367)trigger ↓

MS08-078 (CVE-2008-4844/CWE-367) trigger ↓arbitrary code ↓

MS08-078 (CVE-2008-4844/CWE-367)

MS08-078 (CVE-2008-4844/CWE-367) bp mshtml!CRecordInstance::CRecordInstance bp mshtml!CRecordInstance::SetHRow bp mshtml!CCurrentRecordConsumer::Bind bp mshtml!CXfer::CreateBinding bp mshtml!CRecordInstance::AddBinding bp mshtml!CRecordInstance::TransfertoDestination bp mshtml!CXfer::TransferFromSrc bp mshtml!CXfer::Detach bp mshtml!CXfer::ColumnsChanged bp mshtml!CRecordInstance::RemoveBinding bp mshtml!CRecordInstance::Detach bp mshtml!CRecordInstance::~CRecordInstance

0011 – ENG++ approachPermutation Oriented ProgrammingAlso known as “(Re)searching for alternatives”

ENG++ approachVulnerability

ENG++ approachVulnerabilityVulnerableEcosystem

ENG++ approachVulnerabilityVulnerable Documentation?Ecosystem

ENG++ approachVulnerabilityVulnerable Documentation? DocumentEcosystem

ENG++ approachVulnerabilityVulnerable Documentation? Document Alternatives?Ecosystem

ENG++ approachVulnerabilityVulnerable Documentation? Document Alternatives?Ecosystem Alternatives

ENG++ approachVulnerabilityVulnerable Documentation? Document Alternatives?Ecosystem Reversing Alternatives

ENG++ approachVulnerabilityVulnerable Documentation? Document Alternatives?Ecosystem Reversing Alternatives? Alternatives

ENG++ approachVulnerabilityVulnerable Documentation? Document Alternatives?Ecosystem Reversing Alternatives? Alternatives Trigger Additional Entities

ENG++ approachVulnerabilityVulnerable Documentation? Document Alternatives?Ecosystem Reversing Alternatives? TriggerAlternatives Additional Entities

ENG++ approachVulnerabilityVulnerable Documentation? Document Alternatives?Ecosystem Reversing Alternatives? Trigger Arbitrary codeAlternatives Additional Entities Attack detection

ENG++ approachVulnerabilityVulnerable Documentation? Document Alternatives?Ecosystem Reversing Alternatives? Obfuscation? Trigger Arbitrary codeAlternatives Additional Entities Attack detection

ENG++ approachVulnerabilityVulnerable Documentation? Document Alternatives?Ecosystem Reversing Alternatives? Trigger Arbitrary codeAlternatives Additional Entities Attack detection Permutation?

ENG++ approachVulnerabilityVulnerable Documentation? Document Alternatives?Ecosystem Reversing Alternatives? Alternatives Obfuscation? Trigger Arbitrary codeAlternatives Additional Entities Attack detection Permutation?

MS02-039 (CVE-2002-0649/CWE-120) POPed• SQL Request: • JUMP: – CLNT_UCAST_INST (0x04). – Unconditional JUMP short, relative, and forward to REL8.• SQL INSTANCENAME: – There are 115 possible values to REL8. – ASCII hexa values from 0x01 to 0xff, – 115 permutations. except: 0x0a, 0x0d, , 0x2f, 0x3a and 0x5c. • Writable address and memory alignment: – 24,000 permutations. – There are 26,758 new writable addresses within SQLSORT.DLL (Microsoft SQL Server• Return address: 2000 SP0-2). There are much more – Uses the “jump to register” technique, in writable addresses if do not mind making this case the ESP register. it hardcoded. – Tools: “IDA Pro 5.0 Freeware” by Hex- – There are four (4) new possible return addresses within SQLSORT.DLL (Microsoft Rays, and “OlyDBG 2.01 alpha 2” by SQL Server 2000 SP0-2). There are much Oleh Yuschuk. more return addresses if do not mind – 26,758 permutations. making it hardcoded. – Tools: “Findjmp.c” by Ryan Permeh, • Padding and memory alignment: (“Hacking Proof your Network – Second – ASCII hexa values from 0x01 to 0xff. Edition”, 2002), and “DumpOp.c” by Koskya – The length may vary, depending on JUMP, Kortchinsky (“Macro reliability in Win32 from 3,048 to 29,210 possibilities. Exploits” – Black Hat Europe, 2007). – 29,210 permutations. – 4 permutations.

MS08-078 (CVE-2008-4844/CWE-367) POPed

MS08-078 (CVE-2008-4844/CWE-367) POPed• CVE-2008-4844: “…crafted XML document • Data Consumer (HTML elements): containing nested <SPAN> elements”? I do not – According to MSDN (“Binding HTML Elements think so… to Data”) there are, at least, fifteen (15) bindable HTML elements available, but only• XML Data Island: five (5) elements are useful. – There are two (2) options: using the – The HTML element is a key trigger, because Dynamic HTML (DHTML) <XML> element it points to a dereferenced XML DSO, but it within the HTML document or overloading does not have to be the same HTML element the HTML <SCRIPT> element. Unfortunately, to do so – it can be any mixed HTML the HTML <SCRIPT> element is useless. element. – The <XML> element accepts a combination – 25 permutations. of different types of elements, i.e., they can be anything. • Return address: – Uses “Heap Spray” technique, in this case• XML Data Source Object (DSO): the XML DSO handles the return address, – Characters like “<” and “&” are illegal in and can use “.NET DLL” technique by Mark <XML> element. To avoid errors <XML> Dowd and Alexander Sotirov (“How to element can be defined as CDATA (Unparsed Impress Girls with Browser Memory Character Data). But the <XML> element Protection Bypasses” – Black Hat USA, 2008). can be also defined as “<” instead of “<”. – There are, at least, four (4) new possible – Both <IMG SRC= > and <IMAGE SRC= > return addresses. elements are useful as a XML DSO. – 4 permutations. – 4 permutations.

0100 – Demonstration

What demo? The examples applying ENG++ methodology will be available – as soon as I connect to Internet. Thus you will be able to test by yourselves!!!

0101 – Conclusions

Conclusions• Some examples, applying ENG++ methodology, • The ENG++ methodology is not part of any will be available. For further details, please refer commercial or public tool and is freely available, to: although the examples were ported to work with Rapid7 Metasploit Framework – this is to show – http://fnstenv.blogspot.com/ how flexible its approach and deployment is – hoping it can help people to understand the• ENG++ examples are licensed under GNU threat, improving their infra-structure, security General Public License version 2. solutions and development approach. • ENG++ methodology can be freely applied, there• The examples cover pretty old vulnerabilities, such are no restrictions… No other than laziness. as: – MS02-039: 3,231 days since published. • ENG++ methodology can help different people, – MS02-056: 3,161 days since published. performing different tasks, such as: – MS08-078: 893 days since published. – Penetration-testing. – MS09-002: 838 days since published. – Development of exploit and proof-of-concept tools. – Evaluation and analysis of security solutions.• ENG++ is also not new: – Quality assurance for security solution. – Encore-NG: 980 days since BUGTRAQ and – Development of detection and protection FULL-DISCLOSURE. mechanisms. – ENG++ : 546 days since H2HC 6th Edition. – Etc…

0110 – Questions & Answers

Any questions?

http://fnstenv.blogspot.com	1612
http://translate.googleusercontent.com	20
http://www.fnstenv.blogspot.com	4
http://www.blogger.com	1

[PH-Neutral 0x7db] Exploit Next Generation®

by Nelson Brito

Accessibility

Categories

Upload Details

Usage Rights

4 Embeds 1,637

Statistics