1.
ExtraBacon's Sploit Framework
Or: How to break the Ruby Bonds of
Metasploit
By: Daniel Reilly (Oni)
https://github.com/dreilly369
https://the-it-ninja.blogspot.com/
https://www.linkedin.com/in/daniel-reilly-58b28171
2.
Disclaimer
● This is my own work, not endorsed, supported, or generally approved of by good people.
● I don't encourage malicious attacks.
● I do encourage offensive security and
asymmetric layered defense
3.
Where'd this come from?
● ShadowBrokers announces their supposed Equation Group
tool dump and teaser files.
● Cisco Confirms EXBA is effective against several versions of
ASA *
● Researchers report porting the exploit to newer ASA versions
*
● Gov't (sort of) acknowledges tools by charging Harold T.
Martin III *
● I decide to fork the core Sploit code and port one of my favorite configuration exploits (PostgreSQL lo_creat()) as a PoC
4.
Let me be clear
● I love Metasploit...but -
– You don't always need a tank.
– I am not a fan of Ruby.
– Custom Tools F.T.W.
– Sploits can run from much smaller devices.
● Possibly IoT small (currently a hypothesis)
5.
Workflow of a MSF Exploit
● Make sure PostgreSQL (Metasploit's database backend) is configured and running
● Start MSFConsole or Armitage
● db_nmap the target subnet
● Run some favorite exploit/payload combos
based on services discovered
● If you're fancy you export all of these
commands to a resource script
6.
Sploit's place in the world
● Sploit is for turning an exploit into a tool.
● Metasploit is for when you have a target and need to find
an exploit. Sploit is the opposite.
● Normal flow might be:
– Find an exploitable flaw (or borrow one like I have)
– Write Exploit by extending the Sploit class
– Convert exploit script to command line tool using distutils
● Py2exe compile a windows executable? Sure why not.
– Distribute tool to minions.
– Minions hack the Gibsons
7.
What is a Sploit?
● Sploit is a Python class for flexible exploit delivery. By default it was
designed to deliver custom SNMP packets to firewalls. But why stop
there?
● extrabacon_1.1.0.1.py can be thought of as similar to an MSF resource script...on steroids. It handles fingerprinting, version selection, exploit running, post-exploit cleanup, etc. It extends the Sploit class with exploit-specific functionality
● Zen of Sploit Development: “Define exploit workflow as subcommands”.
These in turn define the actions available for each step.
10.
Types of Subcommands
● Information Subcommands
– Generate data about systems. In my example the “seek” and
“dict” Subcommands. Also the Crypto Key Management
subcommands
● Action Subcommands
– Attempt to change the state of the target in some way. In my
example the “destroy” Subcommand
● Shortcut Subcommands
– Combine two or more Subcommand ideas into one command.
In my example I combine all three exploit steps into one
command “seek-and-destroy”
11.
Versions
● The Extrabacon release had ~17 different version
files focused between 8.0.1 and 8.4.4 (with the
notable exception of 8.1.x)
● Version files hold the details about the modifications
to the exploit needed for specific version of the target
app (NOP length, offsets, etc.)
● The version files could also be used to differentiate between operating systems, architectures, payload choice, etc.
● Not all Sploits need multiple version files.
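To make the "workflow as subcommands" idea and the version-file selection concrete, here is an added example (my own illustration, not code from the Sploit framework or from extrabacon_1.1.0.1.py): a small Sploit-style base class that registers each workflow step as an argparse subcommand, a "seek" information subcommand that fingerprints a PostgreSQL banner down to major.minor, a "destroy" action subcommand that assembles the version-specific buffer from a version file, and a "seek-and-destroy" shortcut that chains the two and refuses to fire when no version file matches the fingerprint. The class and subcommand names, the version-file contents (NOP length, offset, payload name), the banners and the host addresses are all constructed assumptions; nothing here touches the network.

```python
import argparse
import re
import struct

# Constructed sample of what the "seek" step would learn from the network:
# one banner per host.  Placeholder addresses; no traffic is sent.
SAMPLE_BANNERS = {
    "10.0.0.5": "PostgreSQL 9.3.5 on x86_64-unknown-linux-gnu, compiled by gcc",
    "10.0.0.6": "PostgreSQL 8.4.22 on i686-pc-linux-gnu, compiled by gcc",
    "10.0.0.7": "",  # no banner at all: fingerprinting fails
}

# Constructed version files: the per-version tweaks the exploit needs.  A real
# Sploit ships one file per version; inline here so the example runs offline.
VERSION_FILES = {
    "9.3": {"nop_len": 16, "offset": 0x08049A2B, "payload": "reverse_tcp"},
    "9.4": {"nop_len": 24, "offset": 0x08049C40, "payload": "reverse_tcp"},
}

BANNER_RE = re.compile(r"PostgreSQL (\d+)\.(\d+)")


def fingerprint(banner):
    """Information step: reduce a banner to the major.minor key that selects a version file."""
    m = BANNER_RE.search(banner or "")
    return f"{m.group(1)}.{m.group(2)}" if m else None


def build_buffer(version_file):
    """Action step: NOP sled of the version's length followed by its little-endian address."""
    return b"\x90" * version_file["nop_len"] + struct.pack("<I", version_file["offset"])


class Sploit:
    """Base class: each workflow step is a subcommand; run() dispatches to it."""

    def __init__(self, prog):
        self.parser = argparse.ArgumentParser(prog=prog)
        self.sub = self.parser.add_subparsers(dest="cmd", required=True)

    def subcommand(self, name, *, needs_version=False):
        def register(fn):
            p = self.sub.add_parser(name)
            p.add_argument("target")
            if needs_version:  # action steps must be told which version file to use
                p.add_argument("--version", required=True, choices=sorted(VERSION_FILES))
            p.set_defaults(func=fn)
            return fn
        return register

    def run(self, argv):
        args = self.parser.parse_args(argv)
        return args.func(args)


class PgSploit(Sploit):
    """Hypothetical exploit class extending Sploit with seek / destroy / seek-and-destroy."""

    def __init__(self, banners):
        super().__init__("pgsploit")
        self.banners = banners
        self.subcommand("seek")(self.seek)
        self.subcommand("destroy", needs_version=True)(self.destroy)
        self.subcommand("seek-and-destroy")(self.seek_and_destroy)

    def seek(self, args):  # information subcommand
        return fingerprint(self.banners.get(args.target))

    def destroy(self, args):  # action subcommand
        vf = VERSION_FILES[args.version]
        return {"target": args.target, "version": args.version,
                "payload": vf["payload"], "buffer": build_buffer(vf)}

    def seek_and_destroy(self, args):  # shortcut subcommand
        ver = self.seek(args)
        if ver not in VERSION_FILES:
            raise SystemExit(f"{args.target}: version {ver!r} has no version file; refusing to fire")
        args.version = ver
        return self.destroy(args)


def run_cli(argv, banners=SAMPLE_BANNERS):
    return PgSploit(banners).run(argv)


if __name__ == "__main__":
    import sys
    print(run_cli(sys.argv[1:]))
```

Typed as `pgsploit seek 10.0.0.5`, `pgsploit destroy 10.0.0.5 --version 9.3` or `pgsploit seek-and-destroy 10.0.0.5`, this is the shape a distutils-packaged console entry point would expose; the shortcut inherits the guard that an action never runs against a version it has no file for.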
13.
Veganowner
● Based on msf/modules/exploits/multi/postgres/postgres_createlang.rb
● Uses C (a compiled shared library) instead of a scripting language
● Writes a pseudo-randomly named malicious DLL to the system which contains a reverse_tcp shell.
● Credit and thanks for the original exploit module go to:
– Micheal Cottingham (author of the module)
– midnitesnake (author of the postgres_payload module it is based on)
– Nixawk (improvements to the module)
23.
Sockets & Spoofing
● The original EXBA exploit can use Scapy to manually construct TCP packets with spoofed source information
● PostgreSQL uses TCP 5432
● Conclusion: IP white-listing/black-listing is not a sufficient defense.
– TCP traffic NEEDS IPSec and/or a separate VPN/C.
– Caveat: a spoofed source address bypasses an address filter outright for connectionless protocols such as SNMP over UDP; for TCP the SYN-ACK goes to the spoofed host, so an attacker who cannot observe it can only fire blind single packets, not complete the handshake and speak to PostgreSQL.
– Check out Karyn Benson's research on Internet
Background Radiation (IBR)
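As an added illustration of the spoofing point (my own code, not the Sploit or ExtraBacon code, and using struct instead of Scapy so it runs without extra dependencies), the following builds an IPv4/TCP SYN to port 5432 with whatever source address the caller supplies, fills in both checksums so the packet is valid on the wire, and shows that a filter parsing the packet sees exactly that source, which is why an address allowlist on its own proves nothing. The addresses are documentation-range values chosen for the example; send_raw() shows how such a packet would leave the box (raw socket, root required) and is deliberately not called.

```python
import socket
import struct

IPPROTO_TCP = 6
TCP_SYN = 0x02


def checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_tcp_syn(src_ip, dst_ip, sport, dport, seq=0, ip_id=0x1234):
    """Return a 40-byte IPv4+TCP SYN; the source address is simply whatever we write."""
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    tcp_len = 20
    # IPv4 header, no options: version 4 / IHL 5, DF set, TTL 64, checksum patched in below.
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, ip_id, 0x4000,
                         64, IPPROTO_TCP, 0, src, dst)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", checksum(ip_hdr)) + ip_hdr[12:]
    # TCP header: data offset 5 words, SYN only, window 65535, checksum patched in below.
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, TCP_SYN, 65535, 0, 0)
    pseudo = struct.pack("!4s4sBBH", src, dst, 0, IPPROTO_TCP, tcp_len)  # TCP pseudo-header
    tcp_hdr = tcp_hdr[:16] + struct.pack("!H", checksum(pseudo + tcp_hdr)) + tcp_hdr[18:]
    return ip_hdr + tcp_hdr


def parse_addresses(packet):
    """What a packet filter sees: the src/dst fields of the IPv4 header, nothing more."""
    src, dst = struct.unpack("!4s4s", packet[12:20])
    return socket.inet_ntoa(src), socket.inet_ntoa(dst)


def parse_ports(packet):
    ihl = (packet[0] & 0x0F) * 4
    return struct.unpack("!HH", packet[ihl:ihl + 4])


def checksums_valid(packet):
    """A header checksums to zero when recomputed over the data including its checksum field."""
    ihl = (packet[0] & 0x0F) * 4
    src, dst = packet[12:16], packet[16:20]
    tcp = packet[ihl:]
    pseudo = struct.pack("!4s4sBBH", src, dst, 0, IPPROTO_TCP, len(tcp))
    return checksum(packet[:ihl]) == 0 and checksum(pseudo + tcp) == 0


def allowlist_permits(packet, allowed_sources):
    """A source-address allowlist is satisfied by whatever source the sender chose to write."""
    return parse_addresses(packet)[0] in allowed_sources


def send_raw(packet, dst_ip):
    """Emit the packet exactly as built (needs CAP_NET_RAW / root).  Not called here."""
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW) as s:
        s.sendto(packet, (dst_ip, 0))


if __name__ == "__main__":
    trusted, target = "192.0.2.10", "198.51.100.5"  # constructed documentation-range addresses
    pkt = build_ipv4_tcp_syn(trusted, target, 40000, 5432)
    print(parse_addresses(pkt), parse_ports(pkt), checksums_valid(pkt),
          allowlist_permits(pkt, {trusted}))
```

The limit of the trick is in the last function: the SYN-ACK for this packet is routed to 192.0.2.10, not to the sender, so without an on-path vantage point the spoofer never learns the server's sequence number and cannot complete the handshake. Spoofed sources therefore defeat address filtering outright for single-datagram services (UDP SNMP) and for anything that acts on one packet, while for TCP 5432 they turn address-based trust into a blind-injection problem rather than a free bypass; either way the filter is not the control you rely on.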