Title: Exploit-based Bandwidth/Network Analysis Framework
1Exploit-based Bandwidth/Network Analysis
Framework
- Matt Weaver
- UCCS Spring 2007
2Abstract
- Basic bandwidth tools are limited by network
security. - An exploit could be used to infect machines on a
network and provide metrics while overcoming the
problems inherent in the traditional approach.
3Background
- The Morris Worm
- Robert Morris _at_ Cornell through MIT, 1988
- Government attention
- Unix back doors, bad passwords... hacked any way
possible - Hindsight security wasn't a big enough factor.
4Related Work
- Chen, G. and Gray, R. S. 2006. Simulating
non-scanning worms on peer-to-peer networks. - How worms spread.
- Effectiveness of different styles.
- Kienzle, D. M. and Elder, M. C. 2003. Recent
worms a survey and trends. - Exploits are not innovative.
- Zou, C. C., Gong, W., and Towsley, D. 2002. Code
red worm propagation modeling and analysis. - Code Red infected Microsoft IIS (Internet
Information Server) via buffer overflow.
5Buffer Overflow
- In C, strcpy is not smart.
- No bounds checking.
- Write past the end of the buffer.
- void bad_function(char string)?
- void bad_function(char string)?
-
- char buffer5
- strcpy(buffer, string)
-
- int main(int argc, char argv)?
-
- char a_large_string
- "This string is far too big. Far, far too big."
- bad_function(a_large_string)
- exit(0)
6Buffer Overflow
- In memory
- Registers...
- EBP (frame base pointer
- EIP (current instruction)?
- EAX, ESI, EDI, etc (various uses)?
- Each instruction is pushed on the stack. In
Windows the stack grows down.
7Buffer Overflow
- Options
- We can modify the return address EBP and EIP
will revert to the calling frame. If we muck
with these values, we can modify the return
address. - Overwrite EIP to make some other call (similar to
the above)... this is how real exploits work.
You must somehow change the flow of execution. - Shellcode
- Put machine instructions into the extra
characters. They will look like regular
instructions, we just have to jump into them. - Instruction have addresses where the machine code
to execute them exists, these can be found with
dumpbin. - In Windows/x86, we can use a NOP sledge (no
operation -gt \x90 in Shellcode). - Hard to get working right in Windows
- Variable instruction addresses
- A product of DLL-Hell inherited from VMS
- Changes with patches, updates, and other products
installed. - Security settings introduced in newer MS
compilers.
8Using Overflow
- In essence, create a new function with shellcode.
- Modify EIP and EBP to point to our new
function, that is the chunk of memory where our
shellcode is loaded.
9Exploit Architecture
- Follow the model of Russian exploits (SASSER,
SLAMMER) - Surround payload with NOP (no operation)
instructions - Modify EIP to execute our function
- We wont know exactly where it goes, but NOP
instructions dont do anything.
10Exploit Architecture
- Guessing part
- Which register holds a value that points to a
memory location in the NOP sledge? - EAX?
- EDI?
11Exploit Architecture
- The JMP instruction will overwrite EIP.
- Hard-coding the JMP instruction is typical of
Russian exploits. - Other, more complicated methods of finding
instructions at runtime exist but they are
difficult to code and test. - No way to know where we will jump, but we try
until we can get to our NOP sledge. - kernel32.dll JMP instructions will JMP EAX,
JMP EDI, etc. Since we dont know what our
target is doing - We try a few, depending on the system we target
(sometimes it just wont work) - 0x77EA855E
- 0x77E448E2
- Researchers have done the tricky disassembly
debug and made lists for SP0 (ex
https//www.securinfos.info/international-opcodes/
).
12Exploit Architecture
- Our JMP instruction will be the first thing
executed after the overflow, rewriting the old
EIP value on the stack - We dont want to call it twice so the payload
has to be smart. - Stick the JMP instruction AFTER the payload, in
our buffer.
13Payload
- The easy part (kind of)!
- Tools can generate stable payloads, we can use
Metasploit to generate new payloads for - Starting a listener (call back with netcat).
- Download and execute.
- All kinds of things.
- Not all payloads work with all exploits
- OS security features might disable certain calls.
- Large payloads are easily detected by IDS
because legitimate transactions arent usually
long strings of hex.
14Download and Execute
- This code will download and execute, provided
- Correct permissions settings in XP.
- Reasonably small executable, short transfer time,
etc. - Shellcode cant have \x00
- C sees this as the end of a string, so that will
be stripped, either by the calling client
(depending on implementation) or the service. - Many methods can be used to cleverly replace
\x00. Metasploit uses the XOR method. - This code would have an \x00 following the
cmd call, for example. - LSASS exploits can't have "\x00\x0a\x0d\x5c\x5f\x
2f\x2e
15One last thing on shellcode
- Makes or breaks your overflow exploit.
- Unfortunately, this isnt always up to you.
- Many variables are beyond your control.
- The payload is easy, its the getting to the
payload that is a trying process (pun
intended). - If it doesnt work, find a new exploit SOL.
16sniFF Architecture
- sniFF app starts user buildable exploits (via XML
config file and the command line). - Captures data messages from clients.
- With certain clients, acts as a sort of parent
lookup service - Clients are downloaded and executed on remote
machines. - Some clients will be blocked.
- Not all exploits can complete download and
execute. - Other options exist.
17sniFF Architecture
18Tools/Technology
- Visual Studio .NET 2002, 2003, 2005.
- C, C, C
- Utilities integrated into SDK
- Dumpbin find addresses
- MIDL compiler for COM
- GCC/GDB (Cygwin and Bloodshed).
- C, C
- Metasploit
- Pre-existing exploit and payload generator.
- Write new modules in C or Perl.
- Invaluable in exploit research, writing, and
investigation. - Point to point attack only not concerned with
the payload part. - SPIKE DCE-RPC browser
- Inspect COM objects on a given machine
- Ethereal packet sniffer
- OllyDbg for debugging dlls... fuzzing.
- VMWare Workstation/Server
- Various incarnations of XP.
- Xcode gcc/gdb on OS X (bash) for testing,
education as Unix provides an easier place to
learn.
19Lessons Learned
- Exploits are nasty to write
- Win addressing problem
- Not all payloads will work with a given exploit.
- Windows poorly handles security
- Never re-baselined, so lots of buggy code still
exists. MS patches usually just move addresses
around. - Exploits that don't work can still crash systems.
- OS level services have mostly been blocked off
(or hacked around by MS), newer overflow exploits
focus on SQLServer, IIS, etc. - IT Experts shouldn't know about potential
overflows and do nothing to fix them. - But with new Metasploit modules and new
discoveries on milw0rm.com, we can keep trying.
20Basically...
- Not like most CS problems
- Little good research has been done and
documented. - You are mostly poking around in the dark, when it
comes to development. - Constraints on imagination, versus technology.
- Science versus gambling/hacking/hoping/guessing.
21Future Work
- Convert sniFF source to Mono and tinker with
Fedora Core, Ubuntu, Solaris, etc. - Write working instruction prowler shellcode for
Windows - All available text neglects to do this.
- Examples that exist... don't actually work.
- Get SASSER working with downloads.
22- Aleph One. Smashing the Stack For Fun and
Profit. Phrack (Volume seven, issue forty-nine
November 8, 1996). http//www.phrack.org/phrack/49
/P49-01 - Anderson, Ross. Security Engineering A Guide to
Building Dependable Distributed Systems. New
York, NY John Wiley Sons, Inc 2001. - Blum, Richard. C Network Programming. Alameda,
CA Sybex, 2003. - Chen, G. and Gray, R. S. 2006. Simulating
non-scanning worms on peer-to-peer networks. In
Proceedings of the 1st international Conference
on Scalable information Systems (Hong Kong, May
30 - June 01, 2006). InfoScale '06, vol. 152. ACM
Press, New York, NY, 29. DOI http//doi.acm.org/1
0.1145/1146847.1146876 - Erickson, Jon. Hacking The Art of Exploitation.
San Francisco No Startch Press, 2003.
23Davis, Ralph. Win32 Network Programming. New
York Addison-Wesley, 1996. Irvine, Kip R.
Assembly Language For Intel-Based Computers.
Saddle Hill, New Jersey Prentice Hall,
2006. Kienzle, D. M. and Elder, M. C. 2003.
Recent worms a survey and trends. In Proceedings
of the 2003 ACM Workshop on Rapid Malcode
(Washington, DC, USA, October 27 - 27, 2003).
WORM '03. ACM Press, New York, NY, 1-10. DOI
http//doi.acm.org/10.1145/948187.948189 Koziol,
Jack et al. The Shellcoders Handbook.
Indianapolis Wiley Publishing, 2004. Petkov,
K. 2005. Overcoming programming flaws indexing
of common software vulnerabilities. In
Proceedings of the 2nd Annual Conference on
information Security Curriculum Development
(Kennesaw, Georgia, September 23 - 24, 2005).
InfoSecCD '05. ACM Press, New York, NY, 127-134.
DOI http//doi.acm.org/10.1145/1107622.1107652 P
fleeger, Charles P and Shari Lawrence Pfleeger.
Security in Computing. Saddle Hill, New Jersey
Prentice Hall, 2003.
24Skape. Understanding Windows Shell code.
December 6, 2003. nologin.org. 16 July 2006
Spangler, Ryan. Analysis of the Microsoft
Windows LSASS Exploit. Packet Watch.
http//www.packetwatch.net/documents/papers/window
s-lsass.pdf Sk. Advances in Windows Shell code.
Phrack (Volume seven, issue sixty-two June 22,
2004). Zou, C. C., Gong, W., and Towsley, D.
2002. Code red worm propagation modeling and
analysis. In Proceedings of the 9th ACM
Conference on Computer and Communications
Security (Washington, DC, USA, November 18 - 22,
2002). V. Atluri, Ed. CCS '02. ACM Press, New
York, NY, 138-147. DOI http//doi.acm.org/10.1145
/586110.586130
25Coda
- Demo
- Pieces of sniFF
- Clients
- Large client (recursive infection)?
- Lightweight client.
- Configuration
- Write new exploits, plug them in!
- Lots left to do.
- In action
- Clients run conventionally.
- Clients infecting XP no SP running bad service.
- A view of the network.
- Ethereal packet data.
- Use Metasploit and LSASS (fixed it!) to infect a
machine. - Use bad service to infect machine.
- Nearest neighbour randomized infection (failure,
but examine IPs generated). - A glance at the framework.
26Voila!