Simple demo of running multiple wav files built with constructors and app crashes on one of them
DEMO2 - Crash-EIPControl
DEMO 3 - Generate Cyclic Pattern
DEMO4 - Mona-suggest
DEMO5 - Exploit - metasploit - exploitation
DEMO5 - Exploit - metasploit - exploitation
ROP is a generalization of the classic return-to-libc attack that involves leveraging small sequences of instructions, typically function epilogues, at known addresses to execute arbitrary code incrementally. This is achieved by controlling data pointed to by ESP, the stack pointer register, such that each ret instruction results in incrementing ESP and transferring execution to the next address chosen by the attacker.
Vulnerability, exploit to metasploit
Vulnerability, Exploit to Metasploitbalgan@ptcoresec.eu
Before we start• Some slides might seem like they have too much text, the reason this happens is that I want you to be able to get home after this presentation and start messing around with the stuff you will learn about here. To do that there is a lot of text you need as a reference that even though it is on the slides I might not read.• Also this presentation will be compiled in a package, with all the software, notes and cheat sheets that you need to hack away as soon as you are out of here.
Who Am I ? Team Leader of these guise• Tiago Henriques• @balgan• 23• BSc• MSc• CEH Which• CHFI Means file:///C:/Users/balga You n/Downloads/11545_• CISSP Should 192585389754_51359• MCSA Probably 9754_3020198_33334• CISA Leave 9_n.jpg• CISM Because Currently employed• CPT I will by these guise• CCNA Talk shit Amirite?• OSCP Next project
Terminology• Vulnerability - Security hole in a piece of software, or hardware and can provide a potential vector to attack a system. It can go from something simple like a weak password to something more complex like buffer overflow, or SQL injection.• Exploit – A program whose only reason is to take advantage of a vulnerability. Exploits often deliver payloads to a target system.• Payload – Piece of software that allows an attacker to control the exploited system.• DEP – Data Execution Prevention – First introduced in Win XP SP2 – Used to mark certain parts of the stack as non-executable.• ASLR – Address Space Layout Randomization – Windows Vista onwards – Randomizes the base addresses of executables, dll’s, stack and heap.
Step 1 - VulnerabilityWhere can I find one? Why should I look for one ?What am I looking for?
Why do I want to look for vulnerabilities?• There are plenty of reasons why you would want to look for vulnerabilities:1. Fame – Who doesn’t know people like Charlie Miller, Dino Dai Zovi, and Alex Sotirov?2. Money – You can make a living out of this! ZDI and other programs buy vulns and depending on how critical it is you can get quite a lot of money for it!3. Technical knowledge – You can learn a lot more by digging into the internals of software/hardware then just using it normally.
How to find one?• Multiple techniques exist to find vulnerabilities but we will mention only these three main ones: • Static analysis – Analyse the programs without running them, reading source code or using tools for static analysis. Analyse how the program flow works and how data enters the software. • Potentially vulnerable Code Locations – Look at specific parts of source code, mainly at “unsafe” locations, such as strcpy() and strcat() which are amazing for buffer overflows. • Fuzzing – Fuzzing is a completely different approach to finding vulnerabilities, it’s a dynamic analysis that consists of testing the application by throwing malformed or unexpected data as input. Though its easy to automate, the problem with this approach is that you can crash an application 70000 times and out of those you get 10 vulns and only 2 are exploitable. … and messing around with the aplication.
More theory• Every windows application uses memory! The process memory has 3 major components: • Code segment – Instructions that the CPU executes – EIP keeps track of next instruction (!very important!) • Data segment – used for variables, dynamic buffers • Stack segment – used to pass data /arguments to functions.• If you want to access the stack memory directly, you can use the ESP (Stack Pointer) which points at the top (lowest memory address ) of the stack.• The CPU’s general purpose registers (Intel, x86) are : • EAX : accumulator : used for performing calculations, and used to store return values from function calls. Basic operations such as add, subtract, compare use this general-purpose register • EBX : base (does not have anything to do with base pointer). It has no general purpose and can be used to store data. • ECX : counter : used for iterations. ECX counts downward. • EDX : data : this is an extension of the EAX register. It allows for more complex calculations (multiply, divide) by allowing extra data to be stored to facilitate those calculations. • ESP : stack pointer • EBP : base pointer • ESI : source index : holds location of input data • EDI : destination index : points to location of where result of data operation is stored • EIP : instruction pointer For more information on this check the notes for extra links.
Tools• So we are now going to crash our first application. • Application name: Free MP3 CD Ripper • Type of Vulnerability: Buffer Overflow • Tools of Trade: ImmunityDebugger, Mona.py, Python, Notepad++• ImmunityDebugger – Variant of OllyDbg easily scriptable since its python compatible!• Mona.py – Amazing script created by Corelan Team that integrates with ImmunityDebugger and provides lots of functionality for finding vulns and writing exploits• Python – Best scripting language ever for fast prototyping and testing shit.• Notepad++ - Pretty colors on notepad ftw! • Virtual Machines -
Mona.py• Installing mona – Copy mona.py to the PyCommands folder.• Useful inicial commands: • !mona help • !mona update –t trunk • !mona config –set workingfolder c:logs%p Constructor code
Step 2 - ExploitDeveloping a working exploit and Integration into Metasploit framework using mona
Quick recap• Where are we at the moment: • We can crash the app • We sort of know how much we have to pass onto it to crash it (5k A’s) • We know we control the EIP! (41414141)• What do we need: • Know exactly how much “junk” we have to pass onto it • Get proper shellcode and pointers without bad characters
Getting IT!• Know exactly how much “junk” we have to pass onto it – Mona can do this for us,We need to turn our A’s into a cyclic pattern : !mona pc 5000• Get proper shellcode and pointers without bad characters – null pointers are bad! !mona suggest –cpb ‘x00x0ax0d’
Quick Recap• So the process goes likes this: 1. Manage to crash an app using the normal constructors 2. Confirm that we control the registers 3. Create a cyclic pattern and replace it on the constructors 4. Use mona.py suggest to generate the exploit.rb 5. Check if it works out of the box by copying it to correct folder and trying it 6. Fix it if needed 7. Done. 8. (Optional) – Submit module to metasploit development and have it implemented onto the framework.
Step 3 - MetasploitLearning a bit about metasploit, why you want your exploits integrated and and use it.
Metasploit Quick Background• Exploitation framework• Is made of lots of different modules and tools that work together• First written in PERL• Then changed to Ruby (HELL YEAH!)• 4 Versions – Pro, Express , Community (Free), Development (Free)• On the last year more then 1 million downloads were made• Open sauce
Metasploit• There is a world of functionality within metasploit, however today we will focus only on meterpreter and a bit of metasm!• If I was to talk of all the funcionality within metasploit I would need at least a 2 hour slot only to grasp the top features of this amazing framework.
Meterpreter• Meterpreter is what you could call Shell Ultimate Gold Over 9000 level edition!• The best way in my opinion to show you the power of meterpreter is to do a demo! Explaining this Francisco Guerreiro style
DEMO 6 - Payload Generation - Normal DEMO 6.1 - Session established DEMO 6.2 - Meterpreter First
Meterpreter• This is all really cool ! However not a real scenario, so lets up the stakes a bit!
Meterpreter • There are a few other things about meterpreter I didn’t show you: • post/windows/gather/smart_hashdump – This module sumps local accounts from SAM Database, if the target is a Domain Controller it will dump the Domain Account Database. • post/windows/gather/screen_spy – Get your popcorn, this module makes an almost real time movie of the targets screen. • post/windows/gather/enum_shares – This script will enumerate all the shares that are currently configured on the target • post/windows/gather/enum_services – This script will enumerate all the services that are currently configured on the target • post/windows/gather/enum_computers – This script will enumerate all the computers that are included in the primary Domain And my favourites:post/windows/gather/bitcoin_jacker – Downloads any Bitcoin wallet.dat on the target system.post/windows/manage/autoroute - Allows you to attack other machines via our first compromised machine (PIVOTING).
F.A.Q.• Want to attack: Solaris? FreeBSD? Want to attack virtualization stuff? Vmauthd_version Scada? Yup! Esx_fingerprint OS X ? Yup! Vmauthd_login Netware? Yup Vmware_enum_users Irix? Yup Vmware_enum_vms Poweroff_vm /Poweron_vm
F.A.Q.• IPv6 Fully Compatible• And most important….
F.A.Q.How does Mona deal with:ASLR:Mona will, by default, only query non-ASLR and non-rebase modules.If you can find a memory leak, you can still query ASLR/rebase modules .For partial overwrite : say you need to overwrite half of the saved return pointer and makeit point to jmp eax from module1.dll, which has base 0xAABB0000, then you could searchfor these pointers using!mona find –type instr –s “jmp eax” –b 0xAABB0000 -t 0xAABBFFFFThis will get you all pointers from that memory region, so you can use the last 2 bytes in thepartial overwrite
F.A.Q.How does Mona deal with:DEP:Mona will attempt to automatically generate ROP chainsAlso, Usually, people only think about bad chars when creating payload… but especially incase of ROP chains, a lot of the payload may be pointersSo… when using mona, you can use for example –cpb ‘x00x0ax0dx20’ to excludepointers that have those bad chars(this option is available for any command)Mona will also create a stackpivot file, which you can use in case of SEH overwrite
Becoming a vuln researcher1st – Corelan.be – Read through the exploit development tutorial - Learn a scriptinglanguage and ASM2nd – Read “ A Bug Hunter’s diary” – Side by side: Learn how to use tools of the trade suchas: Immunity Dbg, Scapy, WinDbg, IDA.3rd – Read Metasploit book4th – Proceed to learn about fuzzing and other techniques.For extra directions go to: http://myne-us.blogspot.com/2010/08/from-0x90-to-0x4c454554-journey-into.html
References1. Corelan.be – AMAZING Team and you can learn so much on their website and IRC chan2. https://www.corelan.be/index.php/2011/07/14/mona-py-the-manual/ - Mona stuff3. www.metasploit.com/modules/4. http://www.offensive-security.com/metasploit-unleashed/