Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Vulnerability, exploit to metasploit


Published on

My Talk @ Confraria February 2012

Published in: Technology
  • These are one of the best companies for review articles. High quality with cheap rates. ⇒⇒⇒ ⇐⇐⇐ I highly recommend it :)
    Are you sure you want to  Yes  No
    Your message goes here
  • My brother found Custom Writing Service ⇒ ⇐ and ordered a couple of works. Their customer service is outstanding, never left a query unanswered.
    Are you sure you want to  Yes  No
    Your message goes here
  • Follow the link, new dating source: ♥♥♥ ♥♥♥
    Are you sure you want to  Yes  No
    Your message goes here
  • Sex in your area is here: ❶❶❶ ❶❶❶
    Are you sure you want to  Yes  No
    Your message goes here

Vulnerability, exploit to metasploit

  1. 1. Vulnerability, Exploit to
  2. 2. Before we start• Some slides might seem like they have too much text, the reason this happens is that I want you to be able to get home after this presentation and start messing around with the stuff you will learn about here. To do that there is a lot of text you need as a reference that even though it is on the slides I might not read.• Also this presentation will be compiled in a package, with all the software, notes and cheat sheets that you need to hack away as soon as you are out of here.
  3. 3. Who Am I ? Team Leader of these guise• Tiago Henriques• @balgan• 23• BSc• MSc• CEH Which• CHFI Means file:///C:/Users/balga You n/Downloads/11545_• CISSP Should 192585389754_51359• MCSA Probably 9754_3020198_33334• CISA Leave 9_n.jpg• CISM Because Currently employed• CPT I will by these guise• CCNA Talk shit Amirite?• OSCP Next project
  4. 4. What we are going to (try) to cover today
  5. 5. Terminology• Vulnerability - Security hole in a piece of software, or hardware and can provide a potential vector to attack a system. It can go from something simple like a weak password to something more complex like buffer overflow, or SQL injection.• Exploit – A program whose only reason is to take advantage of a vulnerability. Exploits often deliver payloads to a target system.• Payload – Piece of software that allows an attacker to control the exploited system.• DEP – Data Execution Prevention – First introduced in Win XP SP2 – Used to mark certain parts of the stack as non-executable.• ASLR – Address Space Layout Randomization – Windows Vista onwards – Randomizes the base addresses of executables, dll’s, stack and heap.
  6. 6. Step 1 - VulnerabilityWhere can I find one? Why should I look for one ?What am I looking for?
  7. 7. Why do I want to look for vulnerabilities?• There are plenty of reasons why you would want to look for vulnerabilities:1. Fame – Who doesn’t know people like Charlie Miller, Dino Dai Zovi, and Alex Sotirov?2. Money – You can make a living out of this! ZDI and other programs buy vulns and depending on how critical it is you can get quite a lot of money for it!3. Technical knowledge – You can learn a lot more by digging into the internals of software/hardware then just using it normally.
  8. 8. How to find one?• Multiple techniques exist to find vulnerabilities but we will mention only these three main ones: • Static analysis – Analyse the programs without running them, reading source code or using tools for static analysis. Analyse how the program flow works and how data enters the software. • Potentially vulnerable Code Locations – Look at specific parts of source code, mainly at “unsafe” locations, such as strcpy() and strcat() which are amazing for buffer overflows. • Fuzzing – Fuzzing is a completely different approach to finding vulnerabilities, it’s a dynamic analysis that consists of testing the application by throwing malformed or unexpected data as input. Though its easy to automate, the problem with this approach is that you can crash an application 70000 times and out of those you get 10 vulns and only 2 are exploitable. … and messing around with the aplication.
  9. 9. More theory• Every windows application uses memory! The process memory has 3 major components: • Code segment – Instructions that the CPU executes – EIP keeps track of next instruction (!very important!) • Data segment – used for variables, dynamic buffers • Stack segment – used to pass data /arguments to functions.• If you want to access the stack memory directly, you can use the ESP (Stack Pointer) which points at the top (lowest memory address ) of the stack.• The CPU’s general purpose registers (Intel, x86) are : • EAX : accumulator : used for performing calculations, and used to store return values from function calls. Basic operations such as add, subtract, compare use this general-purpose register • EBX : base (does not have anything to do with base pointer). It has no general purpose and can be used to store data. • ECX : counter : used for iterations. ECX counts downward. • EDX : data : this is an extension of the EAX register. It allows for more complex calculations (multiply, divide) by allowing extra data to be stored to facilitate those calculations. • ESP : stack pointer • EBP : base pointer • ESI : source index : holds location of input data • EDI : destination index : points to location of where result of data operation is stored • EIP : instruction pointer For more information on this check the notes for extra links.
  10. 10. Tools• So we are now going to crash our first application. • Application name: Free MP3 CD Ripper • Type of Vulnerability: Buffer Overflow • Tools of Trade: ImmunityDebugger,, Python, Notepad++• ImmunityDebugger – Variant of OllyDbg easily scriptable since its python compatible!• – Amazing script created by Corelan Team that integrates with ImmunityDebugger and provides lots of functionality for finding vulns and writing exploits• Python – Best scripting language ever for fast prototyping and testing shit.• Notepad++ - Pretty colors on notepad ftw! • Virtual Machines -
  11. 11.• Installing mona – Copy to the PyCommands folder.• Useful inicial commands: • !mona help • !mona update –t trunk • !mona config –set workingfolder c:logs%p Constructor code
  12. 12. DEMO 1 - CRASHAPP
  13. 13. DEMO 2 - Crash- EIPControl
  14. 14. Step 2 - ExploitDeveloping a working exploit and Integration into Metasploit framework using mona
  15. 15. Quick recap• Where are we at the moment: • We can crash the app • We sort of know how much we have to pass onto it to crash it (5k A’s) • We know we control the EIP! (41414141)• What do we need: • Know exactly how much “junk” we have to pass onto it • Get proper shellcode and pointers without bad characters
  16. 16. Getting IT!• Know exactly how much “junk” we have to pass onto it – Mona can do this for us,We need to turn our A’s into a cyclic pattern : !mona pc 5000• Get proper shellcode and pointers without bad characters – null pointers are bad! !mona suggest –cpb ‘x00x0ax0d’
  17. 17. DEMO 3 - Generate Cyclic Pattern
  18. 18. Cyclic Patterns• !mona pc 5000 - Generates cyclic pattern with 5000 characters andinsert them into our constructor script.
  19. 19. DEMO 4 - Mona- suggest
  20. 20. Exploit.rbNow let’s analyse the file created by - exploit.rbAlso and more important, does it work ?
  21. 21. DEMO 5 - Exploit - metasploit - exploitation
  22. 22. Quick Recap• So the process goes likes this: 1. Manage to crash an app using the normal constructors 2. Confirm that we control the registers 3. Create a cyclic pattern and replace it on the constructors 4. Use suggest to generate the exploit.rb 5. Check if it works out of the box by copying it to correct folder and trying it 6. Fix it if needed 7. Done. 8. (Optional) – Submit module to metasploit development and have it implemented onto the framework.
  23. 23. Step 3 - MetasploitLearning a bit about metasploit, why you want your exploits integrated and and use it.
  24. 24. Metasploit Quick Background• Exploitation framework• Is made of lots of different modules and tools that work together• First written in PERL• Then changed to Ruby (HELL YEAH!)• 4 Versions – Pro, Express , Community (Free), Development (Free)• On the last year more then 1 million downloads were made• Open sauce
  25. 25. Metasploit ArchitectureMad Paint Skillz
  26. 26. Metasploit• There is a world of functionality within metasploit, however today we will focus only on meterpreter and a bit of metasm!• If I was to talk of all the funcionality within metasploit I would need at least a 2 hour slot only to grasp the top features of this amazing framework.
  27. 27. Meterpreter• Meterpreter is what you could call Shell Ultimate Gold Over 9000 level edition!• The best way in my opinion to show you the power of meterpreter is to do a demo! Explaining this Francisco Guerreiro style
  28. 28. DEMO 6 - Payload Generation - Normal DEMO 6.1 - Session established DEMO 6.2 - Meterpreter First
  29. 29. Meterpreter• This is all really cool ! However not a real scenario, so lets up the stakes a bit!
  30. 30. DEMO 7 - METASM SHIZZLEDEMO 7.1 - Meterpreter windows 7
  31. 31. Meterpreter • There are a few other things about meterpreter I didn’t show you: • post/windows/gather/smart_hashdump – This module sumps local accounts from SAM Database, if the target is a Domain Controller it will dump the Domain Account Database. • post/windows/gather/screen_spy – Get your popcorn, this module makes an almost real time movie of the targets screen. • post/windows/gather/enum_shares – This script will enumerate all the shares that are currently configured on the target • post/windows/gather/enum_services – This script will enumerate all the services that are currently configured on the target • post/windows/gather/enum_computers – This script will enumerate all the computers that are included in the primary Domain And my favourites:post/windows/gather/bitcoin_jacker – Downloads any Bitcoin wallet.dat on the target - Allows you to attack other machines via our first compromised machine (PIVOTING).
  32. 32. Wrapping things up Typical questions
  33. 33. F.A.Q.• Want to attack: Windows ? Linux ?
  34. 34. F.A.Q.• Want to attack: Solaris? FreeBSD? Want to attack virtualization stuff? Vmauthd_version Scada? Yup! Esx_fingerprint OS X ? Yup! Vmauthd_login Netware? Yup Vmware_enum_users Irix? Yup Vmware_enum_vms Poweroff_vm /Poweron_vm
  35. 35. F.A.Q.• IPv6 Fully Compatible• And most important….
  36. 36. F.A.Q.How does Mona deal with:ASLR:Mona will, by default, only query non-ASLR and non-rebase modules.If you can find a memory leak, you can still query ASLR/rebase modules .For partial overwrite : say you need to overwrite half of the saved return pointer and makeit point to jmp eax from module1.dll, which has base 0xAABB0000, then you could searchfor these pointers using!mona find –type instr –s “jmp eax” –b 0xAABB0000 -t 0xAABBFFFFThis will get you all pointers from that memory region, so you can use the last 2 bytes in thepartial overwrite
  37. 37. F.A.Q.How does Mona deal with:DEP:Mona will attempt to automatically generate ROP chainsAlso, Usually, people only think about bad chars when creating payload… but especially incase of ROP chains, a lot of the payload may be pointersSo… when using mona, you can use for example –cpb ‘x00x0ax0dx20’ to excludepointers that have those bad chars(this option is available for any command)Mona will also create a stackpivot file, which you can use in case of SEH overwrite
  38. 38. Becoming a vuln researcher1st – – Read through the exploit development tutorial - Learn a scriptinglanguage and ASM2nd – Read “ A Bug Hunter’s diary” – Side by side: Learn how to use tools of the trade suchas: Immunity Dbg, Scapy, WinDbg, IDA.3rd – Read Metasploit book4th – Proceed to learn about fuzzing and other techniques.For extra directions go to:
  39. 39. References1. – AMAZING Team and you can learn so much on their website and IRC chan2. - Mona stuff3.