SlideShare a Scribd company logo
1 of 31
Download to read offline
Expanding the control over the
operating system from the database
   Bernardo Damele Assumpção Guimarães
               Guido Landi




      Barcelona (Spain) – September 21, 2009
Who we are

   Bernardo Damele Assumpção Guimarães
       Proud father
       Penetration tester / security researcher
       at Portcullis Computer Security Ltd
       sqlmap lead developer

   Guido Landi
       Reverse engineer
       Exploit writer
       Vulnerability researcher
SOURCE Conference 2009, Barcelona (Spain)   September 21, 2009   2
Introduction

   Database management systems are powerful
   applications

       Store and interact with data

       Interact with the file system and operating system

           When they can’t by design, you can force them to
           When they can’t due to limited user’s privileges, you
           can exploit them!

SOURCE Conference 2009, Barcelona (Spain)    September 21, 2009   3
Scenario

   You have got access to a database
       Direct access – provided account, weak passwords,
       brute-forcing credentials
       SQL injection – web application, stand-alone client,
       cash machine ☺, …

   What to do now other than enumerating data?
       Own the underlying operating system
       Why not even other servers within the DMZ?


SOURCE Conference 2009, Barcelona (Spain)   September 21, 2009   4
State of art – File system access

   Microsoft SQL Server
       Read: BULK INSERT
       Write: xp_cmdshell / debug.exe

   MySQL
       Read: LOAD_FILE()
       Write: SELECT … INTO DUMPFILE

   PostgreSQL
       Read: COPY / UDF
       Write: Large object’s lo_export()
SOURCE Conference 2009, Barcelona (Spain)   September 21, 2009   5
State of art – Command execution

   Microsoft SQL Server
       OPENROWSET can be abused to escalate privileges
       Built-in xp_cmdshell to execute commands

   Oracle
       If you find a SQL injection in a function owned by
       SYS and with authid definer, you can run
       PL/SQL as SYS
       Many ways to execute commands. Example:
       DBMS_EXPORT_EXTENSION package’s
       GET_DOMAIN_INDEX_TABLES() function

SOURCE Conference 2009, Barcelona (Spain)   September 21, 2009   6
State of art – Command execution

   MySQL and PostgreSQL support user-defined
   functions: custom function that can be evaluated
   in SQL statements

   UDF can be created from shared libraries that
   are compiled binary files
       Dynamic-link library on Windows
       Shared object on Linux

   PostgreSQL supports also procedural languages
SOURCE Conference 2009, Barcelona (Spain)   September 21, 2009   7
Demonstration



Operating system command execution by exploiting
a SQL injection vulnerability in a web application

Further information on these techniques can be
found on http://tinyurl.com/sqlmap1



SOURCE Conference 2009, Barcelona (Spain)   September 21, 2009   8
More than command execution

   Owning the underlying operating system is not
   only about command execution

   Full-duplex connection between the
   attacker host and the database server

   Database used as a stepping stone to establish
   this covert channel
       Shell, Meterpreter, VNC – http://metasploit.com
       DNS tunnel – http://heyoka.sourceforge.net
SOURCE Conference 2009, Barcelona (Spain)   September 21, 2009   9
Establish the channel

   On your box
       Forge a stand-alone payload stager with
       msfpayload
       Encode it with msfencode to bypass AV
       Run msfcli with multi/handler exploit


   On the database server
       Upload it to the file system temporary folder
       Execute it via UDF, xp_cmdshell, …


SOURCE Conference 2009, Barcelona (Spain)   September 21, 2009   10
Getting stealth

   Anti-forensics technique as an option to upload the
   stand-alone payload stager executable

   On your box
       Forge a shellcode with msfpayload
       Encode it with msfencode
       Run msfcli with multi/handler exploit


   On the database
       Create a UDF that executes a payload in-memory
       Execute the UDF providing the payload as a parameter
SOURCE Conference 2009, Barcelona (Spain)   September 21, 2009   11
User-defined function sys_bineval()

   Execute an arbitrary payload from the database
   management system memory

   Features

       Works in DEP/NX-enabled systems
       Supports alphanumeric payloads
       Protects the DBMS if the payload crashes
       It does not fork a new process

SOURCE Conference 2009, Barcelona (Spain)   September 21, 2009   12
sys_bineval() vs DEP/NX
   Use VirtualAlloc() to allocate an +RWX
   memory region

   code = (char *) VirtualAlloc(NULL,
                      4096,
                      MEM_RESERVE|MEM_COMMIT,
                      PAGE_EXECUTE_READWRITE);




SOURCE Conference 2009, Barcelona (Spain)   September 21, 2009   13
sys_bineval() and alphanum payloads
   Metasploit’s msfencode has alphanumeric
   encoders to encode the payload



   Problem: It is not able to produce pure
   alphanumeric payloads due to get_pc()




SOURCE Conference 2009, Barcelona (Spain)   September 21, 2009   14
sys_bineval() and alphanum payloads
   Solution:
       Use the BufferRegister option
      ./msfencode BufferRegister=EAX –e x86/alpha_mixed …


       Put the payload address in EAX register
       __asm
       {
                 MOV EAX, [lpPayload]
                 CALL EAX
       }


SOURCE Conference 2009, Barcelona (Spain)   September 21, 2009   15
sys_bineval(): avoid DBMS crash
   Spawn a new thread
    WaitForSingleObject(CreateThread(NULL, 0,
                        ExecPayload, CodePointer,
                        0, &pID),
                        INFINITE);

   Wrap the payload in a SEH frame
    __try {
          __asm {
                MOV EAX, [lpPayload]
                CALL EAX
          }
    }
SOURCE Conference 2009, Barcelona (Spain)   September 21, 2009   16
Demonstration



Exploit a SQL injection vulnerability in a web
application to establish an out-of-band channel
in-memory via a custom UDF




SOURCE Conference 2009, Barcelona (Spain)   September 21, 2009   17
Hands on the Windows registry

   Microsoft SQL Server

       Built-in stored procedures,
       xp_reg(read|write|delete)


   MySQL and PostgreSQL

       Upload and execute a bat file that executes reg
       (query|add|delete)
       Upload and execute a file and pass it to regedit
SOURCE Conference 2009, Barcelona (Spain)   September 21, 2009   18
MS09-004: Memory corruption

   Discovered by Bernhard Mueller, it affects
   Microsoft SQL Server up to 2005 SP2
   Triggered by a call to sp_replwritetovarbin
   No authentication and no privileges needed

   "Limited Memory Overwrite Vulnerability" could
   allow remote code execution
   "Limited Memory Overwrite"… Actually a pretty
   huge heap-based buffer overflow, ~4000 bytes

SOURCE Conference 2009, Barcelona (Spain)   September 21, 2009   19
Exploiting MS09-004

   Target heap metadata
       Could be hard/unreliable even if Microsoft SQL
       Server uses a custom allocator

   Target application specific data
       Function pointers, C++ object pointers, etc.

   Luckily for us Microsoft SQL Server tries hard to
   not crash by graceful handling exceptions…


SOURCE Conference 2009, Barcelona (Spain)   September 21, 2009   20
Exploiting MS09-004

   …this gives us more than one code path to
   achieve code execution:
       An almost arbitrary 4-bytes overwrite:
          MOV DWORD PTR DS:[EAX+4], EDI

       An object pointer overwrite:
          MOV EDX,DWORD PTR DS:[ESI]
          [...]
          MOV EAX,DWORD PTR DS:[EDX+10]
          [...]
          CALL EAX
SOURCE Conference 2009, Barcelona (Spain)   September 21, 2009   21
Bypass hardware-enforced DEP

   Use ret2libc to call
   ZwSetInformationProcess()
         Make ESP point to our buffer:
           PUSH ESI
           POP ESP
           RET

         No need for a fake stack frame, just return in the
         middle of LdrpCheckNXCompatibility()


SOURCE Conference 2009, Barcelona (Spain)   September 21, 2009   22
Bypass hardware-enforced DEP
   LdrpCheckNXCompatibility()
           […]
           MOV DWORD PTR SS:[EBP-4],2
           PUSH 4
           LEA EAX,DWORD PTR SS:[EBP-4]
           PUSH EAX
           PUSH 22
           PUSH -1
           CALL ntdll.ZwSetInformationProcess
           […]

   DEP is now disabled for the current process
       …then jump to the shellcode. Game over?
SOURCE Conference 2009, Barcelona (Spain)   September 21, 2009   23
Avoid crash

   The original stack address is gone, ESP and EBP
   point to our buffer

   Even if Microsoft SQL Server tries hard to handle
   exceptions, it will eventually crash

   We need to restore ESP and EBP

   Is there a generic way?

SOURCE Conference 2009, Barcelona (Spain)   September 21, 2009   24
Thread Environment Block

   TEB stores information about the currently
   running thread:
                     0:000> !teb
                     TEB at 7ffdd000
                         ExceptionList:          0012fd04
                         StackBase:              00130000
                         StackLimit:             0012e000
                         SubSystemTib:           00000000
                         FiberData:              00001e00
                         ArbitraryUserPointer:   00000000
                         Self:                   7ffdd000
                         EnvironmentPointer:     00000000
                         ClientId:               00000d2c
                         RpcHandle:              00000000
                         Tls Storage:            00000000
                     […]
SOURCE Conference 2009, Barcelona (Spain)           September 21, 2009   25
TEB: Restore the Stack Pointer(s)

   Contains 3 pointers to the current thread’s stack

   Addressable through the FS segment register

   Just prepend the shellcode with a little stub:
    MOV ESP, DWORD PTR FS:[0]
    MOV EBP, ESP
    SUB ESP, 20
   Game Over!

SOURCE Conference 2009, Barcelona (Spain)   September 21, 2009   26
Demonstration




Own the system by exploiting MS09-004
vulnerability via a SQL injection vulnerability in a
web application with back-end Microsoft SQL Server




SOURCE Conference 2009, Barcelona (Spain)   September 21, 2009   27
But… Wasn’t it meant to deal with data?
   Once you get access to a database you can
   compromise the whole system in most cases
       With a comfortable, fast and stable channel

   Once you have access to the system you can escalate
   privileges (token kidnapping, software bugs, kernel
   flaws, weak privileges, etc.)

   When you are root/Administrator/SYSTEM you
   can crack users’ passwords or impersonate them to
   get access to other servers within the network
   perimeter

SOURCE Conference 2009, Barcelona (Spain)   September 21, 2009   28
Credits

   Our mums for buying our first pre-school
   computers

   Alessandro Tanasi and Oliver Gruskovnjak for the
   technical discussions

   skape and skywing for their paper on DEP bypass

   H D Moore and the Metasploit development team

   Stacy Thayer and the SOURCE Conference team

SOURCE Conference 2009, Barcelona (Spain)   September 21, 2009   29
Questions?




SOURCE Conference 2009, Barcelona (Spain)   September 21, 2009   30
Thanks for your attention!

   Bernardo Damele Assumpção Guimarães
   bernardo.damele@gmail.com
   bda@portcullis-security.com
   http://bernardodamele.blogspot.com
   http://sqlmap.sourceforge.net

   Guido Landi
   lists@keamera.org
   http://www.pornosecurity.org
   http://milw0rm.com/author/1413

SOURCE Conference 2009, Barcelona (Spain)   September 21, 2009   31

More Related Content

What's hot

Got database access? Own the network!
Got database access? Own the network!Got database access? Own the network!
Got database access? Own the network!Bernardo Damele A. G.
 
ORM2Pwn: Exploiting injections in Hibernate ORM
ORM2Pwn: Exploiting injections in Hibernate ORMORM2Pwn: Exploiting injections in Hibernate ORM
ORM2Pwn: Exploiting injections in Hibernate ORMMikhail Egorov
 
Data Retrieval over DNS in SQL Injection Attacks
Data Retrieval over DNS in SQL Injection AttacksData Retrieval over DNS in SQL Injection Attacks
Data Retrieval over DNS in SQL Injection AttacksMiroslav Stampar
 
Time-Based Blind SQL Injection
Time-Based Blind SQL InjectionTime-Based Blind SQL Injection
Time-Based Blind SQL Injectionmatt_presson
 
A Brief Introduction in SQL Injection
A Brief Introduction in SQL InjectionA Brief Introduction in SQL Injection
A Brief Introduction in SQL InjectionSina Manavi
 
Heuristic methods used in sqlmap
Heuristic methods used in sqlmapHeuristic methods used in sqlmap
Heuristic methods used in sqlmapMiroslav Stampar
 
sqlmap - why (not how) it works?
sqlmap - why (not how) it works?sqlmap - why (not how) it works?
sqlmap - why (not how) it works?Miroslav Stampar
 
Sql Injection attacks and prevention
Sql Injection attacks and preventionSql Injection attacks and prevention
Sql Injection attacks and preventionhelloanand
 
Ppt on sql injection
Ppt on sql injectionPpt on sql injection
Ppt on sql injectionashish20012
 
SQL Injections - A Powerpoint Presentation
SQL Injections - A Powerpoint PresentationSQL Injections - A Powerpoint Presentation
SQL Injections - A Powerpoint PresentationRapid Purple
 
Advanced Sql Injection ENG
Advanced Sql Injection ENGAdvanced Sql Injection ENG
Advanced Sql Injection ENGDmitry Evteev
 
SQL INJECTION
SQL INJECTIONSQL INJECTION
SQL INJECTIONMentorcs
 
Sql Injection and XSS
Sql Injection and XSSSql Injection and XSS
Sql Injection and XSSMike Crabb
 

What's hot (20)

Got database access? Own the network!
Got database access? Own the network!Got database access? Own the network!
Got database access? Own the network!
 
ORM2Pwn: Exploiting injections in Hibernate ORM
ORM2Pwn: Exploiting injections in Hibernate ORMORM2Pwn: Exploiting injections in Hibernate ORM
ORM2Pwn: Exploiting injections in Hibernate ORM
 
Sql Injection 0wning Enterprise
Sql Injection 0wning EnterpriseSql Injection 0wning Enterprise
Sql Injection 0wning Enterprise
 
sqlmap internals
sqlmap internalssqlmap internals
sqlmap internals
 
Data Retrieval over DNS in SQL Injection Attacks
Data Retrieval over DNS in SQL Injection AttacksData Retrieval over DNS in SQL Injection Attacks
Data Retrieval over DNS in SQL Injection Attacks
 
Sql injection
Sql injectionSql injection
Sql injection
 
Time-Based Blind SQL Injection
Time-Based Blind SQL InjectionTime-Based Blind SQL Injection
Time-Based Blind SQL Injection
 
A Brief Introduction in SQL Injection
A Brief Introduction in SQL InjectionA Brief Introduction in SQL Injection
A Brief Introduction in SQL Injection
 
Heuristic methods used in sqlmap
Heuristic methods used in sqlmapHeuristic methods used in sqlmap
Heuristic methods used in sqlmap
 
sqlmap - why (not how) it works?
sqlmap - why (not how) it works?sqlmap - why (not how) it works?
sqlmap - why (not how) it works?
 
Xss ppt
Xss pptXss ppt
Xss ppt
 
Sql Injection attacks and prevention
Sql Injection attacks and preventionSql Injection attacks and prevention
Sql Injection attacks and prevention
 
Ppt on sql injection
Ppt on sql injectionPpt on sql injection
Ppt on sql injection
 
SQL Injection
SQL Injection SQL Injection
SQL Injection
 
SQL Injections - A Powerpoint Presentation
SQL Injections - A Powerpoint PresentationSQL Injections - A Powerpoint Presentation
SQL Injections - A Powerpoint Presentation
 
Advanced Sql Injection ENG
Advanced Sql Injection ENGAdvanced Sql Injection ENG
Advanced Sql Injection ENG
 
SQL INJECTION
SQL INJECTIONSQL INJECTION
SQL INJECTION
 
Sql Injection and XSS
Sql Injection and XSSSql Injection and XSS
Sql Injection and XSS
 
SQL injection
SQL injectionSQL injection
SQL injection
 
SQL Injection
SQL InjectionSQL Injection
SQL Injection
 

Viewers also liked

Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesWindows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesPeter Hlavaty
 
Object Oriented Exploitation: New techniques in Windows mitigation bypass
Object Oriented Exploitation: New techniques in Windows mitigation bypassObject Oriented Exploitation: New techniques in Windows mitigation bypass
Object Oriented Exploitation: New techniques in Windows mitigation bypassSam Thomas
 
Invoke-Obfuscation nullcon 2017
Invoke-Obfuscation nullcon 2017Invoke-Obfuscation nullcon 2017
Invoke-Obfuscation nullcon 2017Daniel Bohannon
 
Final lfh presentation (3)
Final lfh presentation (3)Final lfh presentation (3)
Final lfh presentation (3)__x86
 
How to-catch-a-chameleon-steven seeley-ruxcon-2012
How to-catch-a-chameleon-steven seeley-ruxcon-2012How to-catch-a-chameleon-steven seeley-ruxcon-2012
How to-catch-a-chameleon-steven seeley-ruxcon-2012_mr_me
 
D2 t2 steven seeley - ghost in the windows 7 allocator
D2 t2   steven seeley - ghost in the windows 7 allocatorD2 t2   steven seeley - ghost in the windows 7 allocator
D2 t2 steven seeley - ghost in the windows 7 allocator_mr_me
 
How Safe is your Link ?
How Safe is your Link ?How Safe is your Link ?
How Safe is your Link ?Peter Hlavaty
 
Advanced SQL injection to operating system full control (short version)
Advanced SQL injection to operating system full control (short version)Advanced SQL injection to operating system full control (short version)
Advanced SQL injection to operating system full control (short version)Bernardo Damele A. G.
 
Advanced SQL injection to operating system full control (short version)
Advanced SQL injection to operating system full control (short version)Advanced SQL injection to operating system full control (short version)
Advanced SQL injection to operating system full control (short version)Bernardo Damele A. G.
 
CSW2017 Peng qiu+shefang-zhong win32k -dark_composition_finnal_finnal_rm_mark
CSW2017 Peng qiu+shefang-zhong win32k -dark_composition_finnal_finnal_rm_markCSW2017 Peng qiu+shefang-zhong win32k -dark_composition_finnal_finnal_rm_mark
CSW2017 Peng qiu+shefang-zhong win32k -dark_composition_finnal_finnal_rm_markCanSecWest
 
CSW2017 Henry li how to find the vulnerability to bypass the control flow gua...
CSW2017 Henry li how to find the vulnerability to bypass the control flow gua...CSW2017 Henry li how to find the vulnerability to bypass the control flow gua...
CSW2017 Henry li how to find the vulnerability to bypass the control flow gua...CanSecWest
 
CSW2017 Weston miller csw17_mitigating_native_remote_code_execution
CSW2017 Weston miller csw17_mitigating_native_remote_code_executionCSW2017 Weston miller csw17_mitigating_native_remote_code_execution
CSW2017 Weston miller csw17_mitigating_native_remote_code_executionCanSecWest
 
Securing your web applications a pragmatic approach
Securing your web applications a pragmatic approachSecuring your web applications a pragmatic approach
Securing your web applications a pragmatic approachAntonio Parata
 
SQL injection exploitation internals
SQL injection exploitation internalsSQL injection exploitation internals
SQL injection exploitation internalsBernardo Damele A. G.
 
HackInBo2k16 - Threat Intelligence and Malware Analysis
HackInBo2k16 - Threat Intelligence and Malware AnalysisHackInBo2k16 - Threat Intelligence and Malware Analysis
HackInBo2k16 - Threat Intelligence and Malware AnalysisAntonio Parata
 
NCC Group 44Con Workshop: How to assess and secure ios apps
NCC Group 44Con Workshop: How to assess and secure ios appsNCC Group 44Con Workshop: How to assess and secure ios apps
NCC Group 44Con Workshop: How to assess and secure ios appsNCC Group
 

Viewers also liked (20)

ORM Injection
ORM InjectionORM Injection
ORM Injection
 
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesWindows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
 
Object Oriented Exploitation: New techniques in Windows mitigation bypass
Object Oriented Exploitation: New techniques in Windows mitigation bypassObject Oriented Exploitation: New techniques in Windows mitigation bypass
Object Oriented Exploitation: New techniques in Windows mitigation bypass
 
Invoke-Obfuscation nullcon 2017
Invoke-Obfuscation nullcon 2017Invoke-Obfuscation nullcon 2017
Invoke-Obfuscation nullcon 2017
 
Final lfh presentation (3)
Final lfh presentation (3)Final lfh presentation (3)
Final lfh presentation (3)
 
How to-catch-a-chameleon-steven seeley-ruxcon-2012
How to-catch-a-chameleon-steven seeley-ruxcon-2012How to-catch-a-chameleon-steven seeley-ruxcon-2012
How to-catch-a-chameleon-steven seeley-ruxcon-2012
 
D2 t2 steven seeley - ghost in the windows 7 allocator
D2 t2   steven seeley - ghost in the windows 7 allocatorD2 t2   steven seeley - ghost in the windows 7 allocator
D2 t2 steven seeley - ghost in the windows 7 allocator
 
How Safe is your Link ?
How Safe is your Link ?How Safe is your Link ?
How Safe is your Link ?
 
Advanced SQL injection to operating system full control (short version)
Advanced SQL injection to operating system full control (short version)Advanced SQL injection to operating system full control (short version)
Advanced SQL injection to operating system full control (short version)
 
Advanced SQL injection to operating system full control (short version)
Advanced SQL injection to operating system full control (short version)Advanced SQL injection to operating system full control (short version)
Advanced SQL injection to operating system full control (short version)
 
Index chrome
Index chromeIndex chrome
Index chrome
 
Make profit with UI-Redressing attacks.
Make profit with UI-Redressing attacks.Make profit with UI-Redressing attacks.
Make profit with UI-Redressing attacks.
 
SQL injection: Not only AND 1=1
SQL injection: Not only AND 1=1SQL injection: Not only AND 1=1
SQL injection: Not only AND 1=1
 
CSW2017 Peng qiu+shefang-zhong win32k -dark_composition_finnal_finnal_rm_mark
CSW2017 Peng qiu+shefang-zhong win32k -dark_composition_finnal_finnal_rm_markCSW2017 Peng qiu+shefang-zhong win32k -dark_composition_finnal_finnal_rm_mark
CSW2017 Peng qiu+shefang-zhong win32k -dark_composition_finnal_finnal_rm_mark
 
CSW2017 Henry li how to find the vulnerability to bypass the control flow gua...
CSW2017 Henry li how to find the vulnerability to bypass the control flow gua...CSW2017 Henry li how to find the vulnerability to bypass the control flow gua...
CSW2017 Henry li how to find the vulnerability to bypass the control flow gua...
 
CSW2017 Weston miller csw17_mitigating_native_remote_code_execution
CSW2017 Weston miller csw17_mitigating_native_remote_code_executionCSW2017 Weston miller csw17_mitigating_native_remote_code_execution
CSW2017 Weston miller csw17_mitigating_native_remote_code_execution
 
Securing your web applications a pragmatic approach
Securing your web applications a pragmatic approachSecuring your web applications a pragmatic approach
Securing your web applications a pragmatic approach
 
SQL injection exploitation internals
SQL injection exploitation internalsSQL injection exploitation internals
SQL injection exploitation internals
 
HackInBo2k16 - Threat Intelligence and Malware Analysis
HackInBo2k16 - Threat Intelligence and Malware AnalysisHackInBo2k16 - Threat Intelligence and Malware Analysis
HackInBo2k16 - Threat Intelligence and Malware Analysis
 
NCC Group 44Con Workshop: How to assess and secure ios apps
NCC Group 44Con Workshop: How to assess and secure ios appsNCC Group 44Con Workshop: How to assess and secure ios apps
NCC Group 44Con Workshop: How to assess and secure ios apps
 

Similar to Expanding the control over the operating system from the database

Programming for Lego Mindstorms using Eclipse to take you back to your childh...
Programming for Lego Mindstorms using Eclipse to take you back to your childh...Programming for Lego Mindstorms using Eclipse to take you back to your childh...
Programming for Lego Mindstorms using Eclipse to take you back to your childh...Benjamin Cabé
 
Php classes in mumbai
Php classes in mumbaiPhp classes in mumbai
Php classes in mumbaiaadi Surve
 
Squeak DBX
Squeak DBXSqueak DBX
Squeak DBXESUG
 
Dessi docker kubernetes paas cloud
Dessi docker kubernetes paas cloudDessi docker kubernetes paas cloud
Dessi docker kubernetes paas cloudMassimiliano Dessì
 
Come costruire una Platform As A Service con Docker, Kubernetes Go e Java
Come costruire una Platform As A Service con Docker, Kubernetes Go e JavaCome costruire una Platform As A Service con Docker, Kubernetes Go e Java
Come costruire una Platform As A Service con Docker, Kubernetes Go e JavaCodemotion
 
Browser exploitation SEC-T 2019 stockholm
Browser exploitation SEC-T 2019 stockholmBrowser exploitation SEC-T 2019 stockholm
Browser exploitation SEC-T 2019 stockholmJameel Nabbo
 
UGIF 12 2010 - features11.70
UGIF 12 2010 - features11.70UGIF 12 2010 - features11.70
UGIF 12 2010 - features11.70UGIF
 
Informix User Group France - 30/11/2010 - Fonctionalités IDS 11.7
Informix User Group France - 30/11/2010 - Fonctionalités IDS 11.7Informix User Group France - 30/11/2010 - Fonctionalités IDS 11.7
Informix User Group France - 30/11/2010 - Fonctionalités IDS 11.7Nicolas Desachy
 
Mainframe Technology Overview
Mainframe Technology OverviewMainframe Technology Overview
Mainframe Technology OverviewHaim Ben Zagmi
 
Architecting .NET solutions in a Docker ecosystem - .NET Fest Kyiv 2019
Architecting .NET solutions in a Docker ecosystem - .NET Fest Kyiv 2019Architecting .NET solutions in a Docker ecosystem - .NET Fest Kyiv 2019
Architecting .NET solutions in a Docker ecosystem - .NET Fest Kyiv 2019Alex Thissen
 
Lec 04 intro assembly
Lec 04 intro assemblyLec 04 intro assembly
Lec 04 intro assemblyAbdul Khan
 
Building Hopsworks, a cloud-native managed feature store for machine learning
Building Hopsworks, a cloud-native managed feature store for machine learning Building Hopsworks, a cloud-native managed feature store for machine learning
Building Hopsworks, a cloud-native managed feature store for machine learning Jim Dowling
 
Getting Started with ElastiCache for Redis
Getting Started with ElastiCache for RedisGetting Started with ElastiCache for Redis
Getting Started with ElastiCache for RedisAmazon Web Services
 
LibOS as a regression test framework for Linux networking #netdev1.1
LibOS as a regression test framework for Linux networking #netdev1.1LibOS as a regression test framework for Linux networking #netdev1.1
LibOS as a regression test framework for Linux networking #netdev1.1Hajime Tazaki
 
New Features for Multitenant in Oracle Database 21c
New Features for Multitenant in Oracle Database 21cNew Features for Multitenant in Oracle Database 21c
New Features for Multitenant in Oracle Database 21cMarkus Flechtner
 

Similar to Expanding the control over the operating system from the database (20)

Programming for Lego Mindstorms using Eclipse to take you back to your childh...
Programming for Lego Mindstorms using Eclipse to take you back to your childh...Programming for Lego Mindstorms using Eclipse to take you back to your childh...
Programming for Lego Mindstorms using Eclipse to take you back to your childh...
 
Readme
ReadmeReadme
Readme
 
Php classes in mumbai
Php classes in mumbaiPhp classes in mumbai
Php classes in mumbai
 
Squeak DBX
Squeak DBXSqueak DBX
Squeak DBX
 
Dessi docker kubernetes paas cloud
Dessi docker kubernetes paas cloudDessi docker kubernetes paas cloud
Dessi docker kubernetes paas cloud
 
Come costruire una Platform As A Service con Docker, Kubernetes Go e Java
Come costruire una Platform As A Service con Docker, Kubernetes Go e JavaCome costruire una Platform As A Service con Docker, Kubernetes Go e Java
Come costruire una Platform As A Service con Docker, Kubernetes Go e Java
 
Browser exploitation SEC-T 2019 stockholm
Browser exploitation SEC-T 2019 stockholmBrowser exploitation SEC-T 2019 stockholm
Browser exploitation SEC-T 2019 stockholm
 
Handout2o
Handout2oHandout2o
Handout2o
 
UGIF 12 2010 - features11.70
UGIF 12 2010 - features11.70UGIF 12 2010 - features11.70
UGIF 12 2010 - features11.70
 
Informix User Group France - 30/11/2010 - Fonctionalités IDS 11.7
Informix User Group France - 30/11/2010 - Fonctionalités IDS 11.7Informix User Group France - 30/11/2010 - Fonctionalités IDS 11.7
Informix User Group France - 30/11/2010 - Fonctionalités IDS 11.7
 
Visual studio.net
Visual studio.netVisual studio.net
Visual studio.net
 
Mainframe Technology Overview
Mainframe Technology OverviewMainframe Technology Overview
Mainframe Technology Overview
 
Architecting .NET solutions in a Docker ecosystem - .NET Fest Kyiv 2019
Architecting .NET solutions in a Docker ecosystem - .NET Fest Kyiv 2019Architecting .NET solutions in a Docker ecosystem - .NET Fest Kyiv 2019
Architecting .NET solutions in a Docker ecosystem - .NET Fest Kyiv 2019
 
Lec 04 intro assembly
Lec 04 intro assemblyLec 04 intro assembly
Lec 04 intro assembly
 
Building Hopsworks, a cloud-native managed feature store for machine learning
Building Hopsworks, a cloud-native managed feature store for machine learning Building Hopsworks, a cloud-native managed feature store for machine learning
Building Hopsworks, a cloud-native managed feature store for machine learning
 
kubernetes for beginners
kubernetes for beginnerskubernetes for beginners
kubernetes for beginners
 
Windows PowerShell
Windows PowerShellWindows PowerShell
Windows PowerShell
 
Getting Started with ElastiCache for Redis
Getting Started with ElastiCache for RedisGetting Started with ElastiCache for Redis
Getting Started with ElastiCache for Redis
 
LibOS as a regression test framework for Linux networking #netdev1.1
LibOS as a regression test framework for Linux networking #netdev1.1LibOS as a regression test framework for Linux networking #netdev1.1
LibOS as a regression test framework for Linux networking #netdev1.1
 
New Features for Multitenant in Oracle Database 21c
New Features for Multitenant in Oracle Database 21cNew Features for Multitenant in Oracle Database 21c
New Features for Multitenant in Oracle Database 21c
 

Recently uploaded

Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfIngrid Airi González
 
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesThousandEyes
 
Kuma Meshes Part I - The basics - A tutorial
Kuma Meshes Part I - The basics - A tutorialKuma Meshes Part I - The basics - A tutorial
Kuma Meshes Part I - The basics - A tutorialJoão Esperancinha
 
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...itnewsafrica
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Strongerpanagenda
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI AgeCprime
 
Accelerating Enterprise Software Engineering with Platformless
Accelerating Enterprise Software Engineering with PlatformlessAccelerating Enterprise Software Engineering with Platformless
Accelerating Enterprise Software Engineering with PlatformlessWSO2
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...Jeffrey Haguewood
 
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Mark Simos
 
Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024TopCSSGallery
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch TuesdayIvanti
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPathCommunity
 
4. Cobus Valentine- Cybersecurity Threats and Solutions for the Public Sector
4. Cobus Valentine- Cybersecurity Threats and Solutions for the Public Sector4. Cobus Valentine- Cybersecurity Threats and Solutions for the Public Sector
4. Cobus Valentine- Cybersecurity Threats and Solutions for the Public Sectoritnewsafrica
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Kaya Weers
 
React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...Karmanjay Verma
 
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...itnewsafrica
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesThousandEyes
 
QCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesQCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesBernd Ruecker
 
All These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFAll These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFMichael Gough
 

Recently uploaded (20)

Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdf
 
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
 
Kuma Meshes Part I - The basics - A tutorial
Kuma Meshes Part I - The basics - A tutorialKuma Meshes Part I - The basics - A tutorial
Kuma Meshes Part I - The basics - A tutorial
 
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI Age
 
Accelerating Enterprise Software Engineering with Platformless
Accelerating Enterprise Software Engineering with PlatformlessAccelerating Enterprise Software Engineering with Platformless
Accelerating Enterprise Software Engineering with Platformless
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
 
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
 
Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch Tuesday
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to Hero
 
4. Cobus Valentine- Cybersecurity Threats and Solutions for the Public Sector
4. Cobus Valentine- Cybersecurity Threats and Solutions for the Public Sector4. Cobus Valentine- Cybersecurity Threats and Solutions for the Public Sector
4. Cobus Valentine- Cybersecurity Threats and Solutions for the Public Sector
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)
 
React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...
 
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 
QCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesQCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architectures
 
All These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFAll These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDF
 

Expanding the control over the operating system from the database

  • 1. Expanding the control over the operating system from the database Bernardo Damele Assumpção Guimarães Guido Landi Barcelona (Spain) – September 21, 2009
  • 2. Who we are Bernardo Damele Assumpção Guimarães Proud father Penetration tester / security researcher at Portcullis Computer Security Ltd sqlmap lead developer Guido Landi Reverse engineer Exploit writer Vulnerability researcher SOURCE Conference 2009, Barcelona (Spain) September 21, 2009 2
  • 3. Introduction Database management systems are powerful applications Store and interact with data Interact with the file system and operating system When they can’t by design, you can force them to When they can’t due to limited user’s privileges, you can exploit them! SOURCE Conference 2009, Barcelona (Spain) September 21, 2009 3
  • 4. Scenario You have got access to a database Direct access – provided account, weak passwords, brute-forcing credentials SQL injection – web application, stand-alone client, cash machine ☺, … What to do now other than enumerating data? Own the underlying operating system Why not even other servers within the DMZ? SOURCE Conference 2009, Barcelona (Spain) September 21, 2009 4
  • 5. State of art – File system access Microsoft SQL Server Read: BULK INSERT Write: xp_cmdshell / debug.exe MySQL Read: LOAD_FILE() Write: SELECT … INTO DUMPFILE PostgreSQL Read: COPY / UDF Write: Large object’s lo_export() SOURCE Conference 2009, Barcelona (Spain) September 21, 2009 5
  • 6. State of art – Command execution Microsoft SQL Server OPENROWSET can be abused to escalate privileges Built-in xp_cmdshell to execute commands Oracle If you find a SQL injection in a function owned by SYS and with authid definer, you can run PL/SQL as SYS Many ways to execute commands. Example: DBMS_EXPORT_EXTENSION package’s GET_DOMAIN_INDEX_TABLES() function SOURCE Conference 2009, Barcelona (Spain) September 21, 2009 6
  • 7. State of art – Command execution MySQL and PostgreSQL support user-defined functions: custom function that can be evaluated in SQL statements UDF can be created from shared libraries that are compiled binary files Dynamic-link library on Windows Shared object on Linux PostgreSQL supports also procedural languages SOURCE Conference 2009, Barcelona (Spain) September 21, 2009 7
  • 8. Demonstration Operating system command execution by exploiting a SQL injection vulnerability in a web application Further information on these techniques can be found on http://tinyurl.com/sqlmap1 SOURCE Conference 2009, Barcelona (Spain) September 21, 2009 8
  • 9. More than command execution Owning the underlying operating system is not only about command execution Full-duplex connection between the attacker host and the database server Database used as a stepping stone to establish this covert channel Shell, Meterpreter, VNC – http://metasploit.com DNS tunnel – http://heyoka.sourceforge.net SOURCE Conference 2009, Barcelona (Spain) September 21, 2009 9
  • 10. Establish the channel On your box Forge a stand-alone payload stager with msfpayload Encode it with msfencode to bypass AV Run msfcli with multi/handler exploit On the database server Upload it to the file system temporary folder Execute it via UDF, xp_cmdshell, … SOURCE Conference 2009, Barcelona (Spain) September 21, 2009 10
  • 11. Getting stealth Anti-forensics technique as an option to upload the stand-alone payload stager executable On your box Forge a shellcode with msfpayload Encode it with msfencode Run msfcli with multi/handler exploit On the database Create a UDF that executes a payload in-memory Execute the UDF providing the payload as a parameter SOURCE Conference 2009, Barcelona (Spain) September 21, 2009 11
  • 12. User-defined function sys_bineval() Execute an arbitrary payload from the database management system memory Features Works in DEP/NX-enabled systems Supports alphanumeric payloads Protects the DBMS if the payload crashes It does not fork a new process SOURCE Conference 2009, Barcelona (Spain) September 21, 2009 12
  • 13. sys_bineval() vs DEP/NX Use VirtualAlloc() to allocate an +RWX memory region code = (char *) VirtualAlloc(NULL, 4096, MEM_RESERVE|MEM_COMMIT, PAGE_EXECUTE_READWRITE); SOURCE Conference 2009, Barcelona (Spain) September 21, 2009 13
  • 14. sys_bineval() and alphanum payloads Metasploit’s msfencode has alphanumeric encoders to encode the payload Problem: It is not able to produce pure alphanumeric payloads due to get_pc() SOURCE Conference 2009, Barcelona (Spain) September 21, 2009 14
  • 15. sys_bineval() and alphanum payloads Solution: Use the BufferRegister option ./msfencode BufferRegister=EAX –e x86/alpha_mixed … Put the payload address in EAX register __asm { MOV EAX, [lpPayload] CALL EAX } SOURCE Conference 2009, Barcelona (Spain) September 21, 2009 15
  • 16. sys_bineval(): avoid DBMS crash Spawn a new thread WaitForSingleObject(CreateThread(NULL, 0, ExecPayload, CodePointer, 0, &pID), INFINITE); Wrap the payload in a SEH frame __try { __asm { MOV EAX, [lpPayload] CALL EAX } } SOURCE Conference 2009, Barcelona (Spain) September 21, 2009 16
  • 17. Demonstration Exploit a SQL injection vulnerability in a web application to establish an out-of-band channel in-memory via a custom UDF SOURCE Conference 2009, Barcelona (Spain) September 21, 2009 17
  • 18. Hands on the Windows registry Microsoft SQL Server Built-in stored procedures, xp_reg(read|write|delete) MySQL and PostgreSQL Upload and execute a bat file that executes reg (query|add|delete) Upload and execute a file and pass it to regedit SOURCE Conference 2009, Barcelona (Spain) September 21, 2009 18
  • 19. MS09-004: Memory corruption Discovered by Bernhard Mueller, it affects Microsoft SQL Server up to 2005 SP2 Triggered by a call to sp_replwritetovarbin No authentication and no privileges needed "Limited Memory Overwrite Vulnerability" could allow remote code execution "Limited Memory Overwrite"… Actually a pretty huge heap-based buffer overflow, ~4000 bytes SOURCE Conference 2009, Barcelona (Spain) September 21, 2009 19
  • 20. Exploiting MS09-004 Target heap metadata Could be hard/unreliable even if Microsoft SQL Server uses a custom allocator Target application specific data Function pointers, C++ object pointers, etc. Luckily for us Microsoft SQL Server tries hard to not crash by graceful handling exceptions… SOURCE Conference 2009, Barcelona (Spain) September 21, 2009 20
  • 21. Exploiting MS09-004 …this gives us more than one code path to achieve code execution: An almost arbitrary 4-bytes overwrite: MOV DWORD PTR DS:[EAX+4], EDI An object pointer overwrite: MOV EDX,DWORD PTR DS:[ESI] [...] MOV EAX,DWORD PTR DS:[EDX+10] [...] CALL EAX SOURCE Conference 2009, Barcelona (Spain) September 21, 2009 21
  • 22. Bypass hardware-enforced DEP Use ret2libc to call ZwSetInformationProcess() Make ESP point to our buffer: PUSH ESI POP ESP RET No need for a fake stack frame, just return in the middle of LdrpCheckNXCompatibility() SOURCE Conference 2009, Barcelona (Spain) September 21, 2009 22
  • 23. Bypass hardware-enforced DEP LdrpCheckNXCompatibility() […] MOV DWORD PTR SS:[EBP-4],2 PUSH 4 LEA EAX,DWORD PTR SS:[EBP-4] PUSH EAX PUSH 22 PUSH -1 CALL ntdll.ZwSetInformationProcess […] DEP is now disabled for the current process …then jump to the shellcode. Game over? SOURCE Conference 2009, Barcelona (Spain) September 21, 2009 23
  • 24. Avoid crash The original stack address is gone, ESP and EBP point to our buffer Even if Microsoft SQL Server tries hard to handle exceptions, it will eventually crash We need to restore ESP and EBP Is there a generic way? SOURCE Conference 2009, Barcelona (Spain) September 21, 2009 24
  • 25. Thread Environment Block TEB stores information about the currently running thread: 0:000> !teb TEB at 7ffdd000 ExceptionList: 0012fd04 StackBase: 00130000 StackLimit: 0012e000 SubSystemTib: 00000000 FiberData: 00001e00 ArbitraryUserPointer: 00000000 Self: 7ffdd000 EnvironmentPointer: 00000000 ClientId: 00000d2c RpcHandle: 00000000 Tls Storage: 00000000 […] SOURCE Conference 2009, Barcelona (Spain) September 21, 2009 25
  • 26. TEB: Restore the Stack Pointer(s) Contains 3 pointers to the current thread’s stack Addressable through the FS segment register Just prepend the shellcode with a little stub: MOV ESP, DWORD PTR FS:[0] MOV EBP, ESP SUB ESP, 20 Game Over! SOURCE Conference 2009, Barcelona (Spain) September 21, 2009 26
  • 27. Demonstration Own the system by exploiting MS09-004 vulnerability via a SQL injection vulnerability in a web application with back-end Microsoft SQL Server SOURCE Conference 2009, Barcelona (Spain) September 21, 2009 27
  • 28. But… Wasn’t it meant to deal with data? Once you get access to a database you can compromise the whole system in most cases With a comfortable, fast and stable channel Once you have access to the system you can escalate privileges (token kidnapping, software bugs, kernel flaws, weak privileges, etc.) When you are root/Administrator/SYSTEM you can crack users’ passwords or impersonate them to get access to other servers within the network perimeter SOURCE Conference 2009, Barcelona (Spain) September 21, 2009 28
  • 29. Credits Our mums for buying our first pre-school computers Alessandro Tanasi and Oliver Gruskovnjak for the technical discussions skape and skywing for their paper on DEP bypass H D Moore and the Metasploit development team Stacy Thayer and the SOURCE Conference team SOURCE Conference 2009, Barcelona (Spain) September 21, 2009 29
  • 30. Questions? SOURCE Conference 2009, Barcelona (Spain) September 21, 2009 30
  • 31. Thanks for your attention! Bernardo Damele Assumpção Guimarães bernardo.damele@gmail.com bda@portcullis-security.com http://bernardodamele.blogspot.com http://sqlmap.sourceforge.net Guido Landi lists@keamera.org http://www.pornosecurity.org http://milw0rm.com/author/1413 SOURCE Conference 2009, Barcelona (Spain) September 21, 2009 31