Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Static PIE, How and Why - Metasploit's new POSIX payload: Mettle


Published on

This talk discusses methods for building and injecting position-independent payloads into ELF processes. It also introduces Metasploit's new POSIX payload 'mettle' and outlines goals and future directions for Unix and Linux exploitation with Metasploit.

Published in: Internet
  • Be the first to comment

Static PIE, How and Why - Metasploit's new POSIX payload: Mettle

  1. 1. Static PIE How and Why Adam Cammack and Brent Cook Rapid7
  2. 2. About US
  3. 3. Adam Cammack Metasploit Erlang Musician
  4. 4. Brent Cook Programmer: 30 years Father: 13 years OpenBSD: 3 years Metasploit: 2 years @busterbcook
  5. 5. The ABCs of Executable File Formats
  6. 6. A is for a.out "Assembler output" – 1968 Ken Thompson The file header is literally PDP-7 machine code
  7. 7. C is for.COM DEC -> CP/M -> MS-DOS Just code + data, no headers
  8. 8. E is for EXE MS-DOS to Windows 10, everything in between Many different things over time Mostly PE/COFF these days
  9. 9. M is for Mach-O NeXTStep, iOS, OS X (aka Mac OS :) Covers libraries, core dumps,and executables Multi-architecture
  10. 10. E is also for ELF Also used for executables, libraries and core dumps The standard (almost) file format for Unix systems and Clones
  11. 11. $(CC) -o hello hello.c Of file formats and dynamic linkers
  12. 12. Stages of compilation and goals of ELF • Flexible [1] • Orthogonal segments and sections • Arbitrary sections and data • Configurable element widths for standard arrays • Each binary explicitly says how it should be loaded and run • Universal • Lots of version fields • Lots of machine-dependent fields • Big and little endian modes [1]
  13. 13. Flavor of ELF: static, dynamic, shared libraries • Insert Diagrams here
  14. 14. Magic: -fPIC & runtime (re-)linking • .dynamic section/DYNAMIC segment • Everything a linker could want • Mostly duplicates info from the section headers • Includes helpful info like needed libraries and dynamic object type • Offset and procedure linking tables galore • All symbols resolve to the linker for the first call • Lazy lookup
  15. 15. Securing ELF
  16. 16. Address Space Layout Resolution (ASLR) • Buffer overflows require jumping to known offsets • ASLR randomizes executable layout, making offsets _less_ predictable • Implemented to varying degrees on many operating systems • BSD Linux Windows Solaris • Catch – only works with Dynamic executables (shared libraries)
  17. 17. Breaking security without even trying #include <stdio.h> int main() { printf("%pn", printf); return 0; }
  18. 18. Breaking security without even trying bcook@toaster:~$ uname -a Linux toaster 4.4.0-36-generic #55-Ubuntu SMP Thu Aug 11 18:01:55 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux bcook@toaster:~$ gcc hello .c -o hello bcook@toaster:~$ ./hello 0x400400 bcook@toaster:~$ ./hello 0x400400
  19. 19. Position Independent Executables (PIE) • We want to solve 2 problems • Code can be relocated for security (Position independent code) • Code can be relocated to avoid conflicts (no MMU)
  20. 20. This is easy, until... bcook@toaster:~$ gcc hello.c -o hello -fPIC bcook@toaster:~$ ./hello 0x7f10c8aca7b0 bcook@toaster:~$ ./hello 0x7f8a8a1cd7b0 bcook@toaster:~$ gcc hello. c -o hello -fPIC -static bcook@toaster:~$ ./hello 0x40f300 bcook@toaster:~$ ./hello 0x40f300
  21. 21. This is easy, until... bcook@toaster:~$ gcc hello.c -o hello -fPIC bcook@toaster:~$ ./hello 0x7f10c8aca7b0 bcook@toaster:~$ ./hello 0x7f8a8a1cd7b0 bcook@toaster:~$ gcc hello. c -o hello -fPIC -static bcook@toaster:~$ ./hello 0x40f300 bcook@toaster:~$ ./hello 0x40f300
  22. 22. Binaries for offensive use
  23. 23. Position independent shellcode • Often unpredictable and uncontrollable injection addresses • Often can’t rely on specifics of target system • Hand written out of necessity • All jumps and memory operations relative to instruction pointer or allocated memory
  24. 24. Static Position-dependent Executables • No dependencies on target libraries • Straightforward to build • Requires specific memory addresses to be allocable or clobbered
  25. 25. Static Position-independent Executables • Would remove memory dependency • Great for embedded/NOMMU • Simplifies shellcode • Simplifies payload generation • Possible??????
  26. 26. Static Position-independent Executables • Yes!!! Static PIE is implemented in: • OpenBSD 5.7 (on by default on x86/x64) • Musl libc on Linux with a custom toolchain (2012)
  27. 27. Prior Work in Metasploit
  28. 28. Reflective DLL injection & Windows Meterpreter • From Stephen Fewer: • TL; DR: Inject a small loader thread that identifies library functions from kernel32, use these to further load dependent libraries and the target library image.
  29. 29. Linux Meterpreter custom linker & loader • From Philip Sanderson • Uses an embedded copy of Android Bionic plus custom linker scripts and compiler magic to embed shared libraries as zip archives • Not fully Position Independent, leading to loading issues • At runtime, the loader unpacks and links shared libraries in memory to bootstrap the PIE part of the payload
  30. 30. Pedal to the mettle A new POSIX meterpreter
  31. 31. Utilizing out-of-tree dependencies • With our powers combined… • curl • libdnet • libev • libeio • libsigar • mbedtls • Reliable code we don’t have to write • We need a toolchain that takes arbitrary libraries and spits out payloads
  32. 32. Generating ELF process images • It’s simple, just do whatever it is the kernel does • Ok, so we just mmap(2) these segments… • And then do some stack magic • Reference docs to the rescue [1] [1]
  33. 33. Minimizing setup in shellcode • read(2) the process image • Push the stack • Jump • … • Profit?
  34. 34. Minimum Stack Layout
  35. 35. Deep magic: -shared -Bstatic -Bsymbolic • -shared • Generate a useful dynamic section • Suppress generation of PT_INTERP segment • -Bstatic • Pull in all symbols instead of linking • Make sure all symbols are resolved • -Bsymbolic • Generate self-contained relocations • Self-interpreting executable (with special crt.o)
  36. 36. Flexible multi-architecture support • Cross-compile ALL THE THINGS • Lots of embedded developers interested in building cross-compilers • Liberal use of endian.h
  37. 37. export QEMU_STRACE=1 • User-mode qemu doesn’t have man pages • qemu supports strace-like format (see title) • It can also host a gdb server for all your favorite tools (-g <port>) • We can also compile for native Linux and OSX targets to use even more tools
  38. 38. It’s a *NIX system, I know this! • Portable RAT • Works on OS X, Linux, Android • Memory footprint is < 500K • supports SOHO routers to large servers with minimal disruption
  39. 39. Future Work FreeBSD / OpenBSD / Solaris support Windows Foothold for other payloads
  40. 40. Demo & QA