Exploit-based Bandwidth/Network Analysis Framework

1
Exploit-based Bandwidth/Network Analysis
Framework

• Matt Weaver
• UCCS Spring 2007

2
Abstract

• Basic bandwidth tools are limited by network
  security.
• An exploit could be used to infect machines on a
  network and provide metrics while overcoming the
  problems inherent in the traditional approach.

3
Background

• The Morris Worm
• Robert Morris _at_ Cornell through MIT, 1988
• Government attention
• Unix back doors, bad passwords... hacked any way
  possible
• Hindsight security wasn't a big enough factor.

4
Related Work

• Chen, G. and Gray, R. S. 2006. Simulating
  non-scanning worms on peer-to-peer networks.
• How worms spread.
• Effectiveness of different styles.
• Kienzle, D. M. and Elder, M. C. 2003. Recent
  worms a survey and trends.
• Exploits are not innovative.
• Zou, C. C., Gong, W., and Towsley, D. 2002. Code
  red worm propagation modeling and analysis.
• Code Red infected Microsoft IIS (Internet
  Information Server) via buffer overflow.

5
Buffer Overflow

• In C, strcpy is not smart.
• No bounds checking.
• Write past the end of the buffer.
• void bad_function(char string)?
• void bad_function(char string)?
• char buffer5
• strcpy(buffer, string)
• int main(int argc, char argv)?
• char a_large_string
• "This string is far too big. Far, far too big."
• bad_function(a_large_string)
• exit(0)

6
Buffer Overflow

• In memory
• Registers...
• EBP (frame base pointer
• EIP (current instruction)?
• EAX, ESI, EDI, etc (various uses)?
• Each instruction is pushed on the stack. In
  Windows the stack grows down.

7
Buffer Overflow

• Options
• We can modify the return address EBP and EIP
  will revert to the calling frame. If we muck
  with these values, we can modify the return
  address.
• Overwrite EIP to make some other call (similar to
  the above)... this is how real exploits work.
  You must somehow change the flow of execution.
• Shellcode
• Put machine instructions into the extra
  characters. They will look like regular
  instructions, we just have to jump into them.
• Instruction have addresses where the machine code
  to execute them exists, these can be found with
  dumpbin.
• In Windows/x86, we can use a NOP sledge (no
  operation -gt \x90 in Shellcode).
• Hard to get working right in Windows
• Variable instruction addresses
• A product of DLL-Hell inherited from VMS
• Changes with patches, updates, and other products
  installed.
• Security settings introduced in newer MS
  compilers.

8
Using Overflow

• In essence, create a new function with shellcode.
• Modify EIP and EBP to point to our new
  function, that is the chunk of memory where our
  shellcode is loaded.

9
Exploit Architecture

• Follow the model of Russian exploits (SASSER,
  SLAMMER)
• Surround payload with NOP (no operation)
  instructions
• Modify EIP to execute our function
• We wont know exactly where it goes, but NOP
  instructions dont do anything.

10
Exploit Architecture

• Guessing part
• Which register holds a value that points to a
  memory location in the NOP sledge?
• EAX?
• EDI?

11
Exploit Architecture

• The JMP instruction will overwrite EIP.
• Hard-coding the JMP instruction is typical of
  Russian exploits.
• Other, more complicated methods of finding
  instructions at runtime exist but they are
  difficult to code and test.
• No way to know where we will jump, but we try
  until we can get to our NOP sledge.
• kernel32.dll JMP instructions will JMP EAX,
  JMP EDI, etc. Since we dont know what our
  target is doing
• We try a few, depending on the system we target
  (sometimes it just wont work)
• 0x77EA855E
• 0x77E448E2
• Researchers have done the tricky disassembly
  debug and made lists for SP0 (ex
  https//www.securinfos.info/international-opcodes/
  ).

12
Exploit Architecture

• Our JMP instruction will be the first thing
  executed after the overflow, rewriting the old
  EIP value on the stack
• We dont want to call it twice so the payload
  has to be smart.
• Stick the JMP instruction AFTER the payload, in
  our buffer.

13
Payload

• The easy part (kind of)!
• Tools can generate stable payloads, we can use
  Metasploit to generate new payloads for
• Starting a listener (call back with netcat).
• Download and execute.
• All kinds of things.
• Not all payloads work with all exploits
• OS security features might disable certain calls.
• Large payloads are easily detected by IDS
  because legitimate transactions arent usually
  long strings of hex.

14
Download and Execute

• This code will download and execute, provided
• Correct permissions settings in XP.
• Reasonably small executable, short transfer time,
  etc.
• Shellcode cant have \x00
• C sees this as the end of a string, so that will
  be stripped, either by the calling client
  (depending on implementation) or the service.
• Many methods can be used to cleverly replace
  \x00. Metasploit uses the XOR method.
• This code would have an \x00 following the
  cmd call, for example.
• LSASS exploits can't have "\x00\x0a\x0d\x5c\x5f\x
  2f\x2e

15
One last thing on shellcode

• Makes or breaks your overflow exploit.
• Unfortunately, this isnt always up to you.
• Many variables are beyond your control.
• The payload is easy, its the getting to the
  payload that is a trying process (pun
  intended).
• If it doesnt work, find a new exploit SOL.

16
sniFF Architecture

• sniFF app starts user buildable exploits (via XML
  config file and the command line).
• Captures data messages from clients.
• With certain clients, acts as a sort of parent
  lookup service
• Clients are downloaded and executed on remote
  machines.
• Some clients will be blocked.
• Not all exploits can complete download and
  execute.
• Other options exist.

17
sniFF Architecture
18
Tools/Technology

• Visual Studio .NET 2002, 2003, 2005.
• C, C, C
• Utilities integrated into SDK
• Dumpbin find addresses
• MIDL compiler for COM
• GCC/GDB (Cygwin and Bloodshed).
• C, C
• Metasploit
• Pre-existing exploit and payload generator.
• Write new modules in C or Perl.
• Invaluable in exploit research, writing, and
  investigation.
• Point to point attack only not concerned with
  the payload part.
• SPIKE DCE-RPC browser
• Inspect COM objects on a given machine
• Ethereal packet sniffer
• OllyDbg for debugging dlls... fuzzing.
• VMWare Workstation/Server
• Various incarnations of XP.
• Xcode gcc/gdb on OS X (bash) for testing,
  education as Unix provides an easier place to
  learn.

19
Lessons Learned

• Exploits are nasty to write
• Win addressing problem
• Not all payloads will work with a given exploit.
• Windows poorly handles security
• Never re-baselined, so lots of buggy code still
  exists. MS patches usually just move addresses
  around.
• Exploits that don't work can still crash systems.
• OS level services have mostly been blocked off
  (or hacked around by MS), newer overflow exploits
  focus on SQLServer, IIS, etc.
• IT Experts shouldn't know about potential
  overflows and do nothing to fix them.
• But with new Metasploit modules and new
  discoveries on milw0rm.com, we can keep trying.

20
Basically...

• Not like most CS problems
• Little good research has been done and
  documented.
• You are mostly poking around in the dark, when it
  comes to development.
• Constraints on imagination, versus technology.
• Science versus gambling/hacking/hoping/guessing.

21
Future Work

• Convert sniFF source to Mono and tinker with
  Fedora Core, Ubuntu, Solaris, etc.
• Write working instruction prowler shellcode for
  Windows
• All available text neglects to do this.
• Examples that exist... don't actually work.
• Get SASSER working with downloads.

22

• Aleph One. Smashing the Stack For Fun and
  Profit. Phrack (Volume seven, issue forty-nine
  November 8, 1996). http//www.phrack.org/phrack/49
  /P49-01
• Anderson, Ross. Security Engineering A Guide to
  Building Dependable Distributed Systems. New
  York, NY John Wiley Sons, Inc 2001.
• Blum, Richard. C Network Programming. Alameda,
  CA Sybex, 2003.
• Chen, G. and Gray, R. S. 2006. Simulating
  non-scanning worms on peer-to-peer networks. In
  Proceedings of the 1st international Conference
  on Scalable information Systems (Hong Kong, May
  30 - June 01, 2006). InfoScale '06, vol. 152. ACM
  Press, New York, NY, 29. DOI http//doi.acm.org/1
  0.1145/1146847.1146876
• Erickson, Jon. Hacking The Art of Exploitation.
  San Francisco No Startch Press, 2003.

23
Davis, Ralph. Win32 Network Programming. New
York Addison-Wesley, 1996. Irvine, Kip R.
Assembly Language For Intel-Based Computers.
Saddle Hill, New Jersey Prentice Hall,
2006. Kienzle, D. M. and Elder, M. C. 2003.
Recent worms a survey and trends. In Proceedings
of the 2003 ACM Workshop on Rapid Malcode
(Washington, DC, USA, October 27 - 27, 2003).
WORM '03. ACM Press, New York, NY, 1-10. DOI
http//doi.acm.org/10.1145/948187.948189 Koziol,
Jack et al. The Shellcoders Handbook.
Indianapolis Wiley Publishing, 2004. Petkov,
K. 2005. Overcoming programming flaws indexing
of common software vulnerabilities. In
Proceedings of the 2nd Annual Conference on
information Security Curriculum Development
(Kennesaw, Georgia, September 23 - 24, 2005).
InfoSecCD '05. ACM Press, New York, NY, 127-134.
DOI http//doi.acm.org/10.1145/1107622.1107652 P
fleeger, Charles P and Shari Lawrence Pfleeger.
Security in Computing. Saddle Hill, New Jersey
Prentice Hall, 2003.
24
Skape. Understanding Windows Shell code.
December 6, 2003. nologin.org. 16 July 2006
Spangler, Ryan. Analysis of the Microsoft
Windows LSASS Exploit. Packet Watch.
http//www.packetwatch.net/documents/papers/window
s-lsass.pdf Sk. Advances in Windows Shell code.
Phrack (Volume seven, issue sixty-two June 22,
2004). Zou, C. C., Gong, W., and Towsley, D.
2002. Code red worm propagation modeling and
analysis. In Proceedings of the 9th ACM
Conference on Computer and Communications
Security (Washington, DC, USA, November 18 - 22,
2002). V. Atluri, Ed. CCS '02. ACM Press, New
York, NY, 138-147. DOI http//doi.acm.org/10.1145
/586110.586130
25
Coda

• Demo
• Pieces of sniFF
• Clients
• Large client (recursive infection)?
• Lightweight client.
• Configuration
• Write new exploits, plug them in!
• Lots left to do.
• In action
• Clients run conventionally.
• Clients infecting XP no SP running bad service.
• A view of the network.
• Ethereal packet data.
• Use Metasploit and LSASS (fixed it!) to infect a
  machine.
• Use bad service to infect machine.
• Nearest neighbour randomized infection (failure,
  but examine IPs generated).
• A glance at the framework.

26
Voila!

• Questions?