Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
Saumil Shah
ceo, net-square
Hack In The Box 2006, Kuala Lumpur
# who am i
# who am i
16:08 up 4:26, 1 user, load averages: 0.28 0.40 0.33
USER TTY FROM LOGIN@ IDLE WHAT
saumil console - 11:43 0:05 bash
© Saumil Shah
From Vulnerability to Exploit
Fuzzing Debugger
Attack Vector
EIP = 0x41414141
Test Shellcode
Working exploit (INT 3)
© Saumil Shah
Stack Overflows
© Saumil Shah
Post mortem debugging
main()
{
:
push str
func1(str) CALL
: (push EIP)
: push EBP
:
}
func1(str)
{
:
:
:
}
RET
(pop EIP)
© Saumil Shah
victim’s Memory Map - before
.text
.data
.bss
Top of stack
ESP
func1::buffer[128]
saved EIP
ptr to param1
main() local vars frame 1 - main()
Top of stack
ESP
AAAAAAAAAAAAAAAAAAA
func1::buffer[128]
AAAAAAAAAAAAAAAAAAA
Stack frame
for func1()
saved
A A AEBP
A
A A AEIP
saved A
ptr to param1
main() local vars
Bottom of stack envp, argv, etc…
© Saumil Shah
The Stack Overflowed
.text
.data
.bss
POP AAAAAAAAAAAAAAAAAAA
func1::buffer[128]
AAAAAAAAAAAAAAAAAAA when func1 returns
saved
A A AEBP
A
EIP will be popped
A A AEIP
saved A EIP = 0x41414141
Top of stack
ESP ptr to param1
(“AAAA”)
main() local vars
Bottom of stack envp, argv, etc…
© Saumil Shah
Registers after the Stack Overflow
© Saumil Shah
Controlling EIP
© Saumil Shah
Introducing Metasploit
© Saumil Shah
Introducing Metasploit
• Generate shellcode.
• Shellcode encoding.
• Shellcode handlers.
• Scanning binaries for specific instructions:
• e.g. POP/POP/RET, JMP ESI, etc.
• Ability to add custom exploits, shellcode,
encoders.
• …and lots more.
© Saumil Shah
EIP = 0x41414141
• Metasploit’s Pex::Text::PatternOffset()
• Generate patterns, find substring.
© Saumil Shah
Distance to EIP
© Saumil Shah
Getting Control of Program Counter
• Stack Overflows
• Direct Program Counter overwrite
• Exception Handler overwrite
• Format String bugs
• Heap Overflows
• Integer Overflows
© Saumil Shah
Writing Shellcode
© Saumil Shah
Injecting the shellcode
© Saumil Shah
Where do you want to go…today?
EIP
func1() returns - pop EIP
0xbffff7c0
0xbffff790
execute shellcode
0xbffff7c0
© Saumil Shah
Jump through Register
buffer[] EIP
Bottom
of stack
strcpy(buffer, s)
saved EIP
overwritten
EAX ESP
EBX EBP
ECX ESI
EBX points within
EDX EDI the buffer (in this
case)
© Saumil Shah
Jump through Register
xyz.dll
call EBX
Return to a known
location within a DLL
EAX ESP
EBX EBP
ECX ESI
EDX EDI
abc.dll
jmp ESP
EIP
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA DLL addr nop nop shellcode
EAX ESP
EBX EBP
ECX ESI
EDX EDI
© Saumil Shah
msfpescan’ning Windows DLLs
© Saumil Shah
Candidate binaries
ESP
AAAAAAAAAAAAAAAAAAAAAAAAAAAA EIP
RET shellcode
© Saumil Shah
A little about shellcode
• Types of shellcode:
• Bind shell
• Exec command
• Reverse shell
• Staged shell, etc.
• Advanced techniques:
• Meterpreter
• Uploading and running DLLs “in-process”
• …etc.
© Saumil Shah
Payload Encoders
decoder UnWQ89Jas281EEIIkla2wnhaAS901las
© Saumil Shah
Payload Encoders
© Saumil Shah
Exploiting Exception Handling
exception handler
code local vars
(catch block)
saved EBP
saved EIP
params frame w/ exception
handling
addr of exception handler
more frames
Bottom of stack
© Saumil Shah
Windows SEH
© Saumil Shah
SEH Record
© Saumil Shah
SEH on the stack
^ stack
local vars
saved EIP
func_z() saved EBP
ex_handler_z() params
ptr to next SEH record
address of exception handler
main()
0xFFFFFFFF
address of exception handler
© Saumil Shah
Yet another way of getting EIP
© Saumil Shah
Overwriting SEH
buffer[12]
ex_handler()
saved EIP
saved EBP
params
ptr to next SEH record
address of exception handler
© Saumil Shah
Overwriting SEH
AAAA
AAAA
AAAA
ex_handler()
AAAA EIP = 0x41414141
AAAA causes segmentation fault.
OS invokes registered
AAAA exception handler in the chain
AAAA
BBBB
BBBB
EIP = 0x42424242 BBBB
BBBB
: : :
© Saumil Shah
Case study - sipXtapi CSeq overflow
© Saumil Shah
Putting the payload together
EBX
EBX
© Saumil Shah
Writing Metasploit exploit modules
EXPLOIT
preamble
Encoders
create payload
launch attack
get connection
Payload
handlers
© Saumil Shah
Writing a Metasploit exploit
© Saumil Shah
Structure of the exploit perl module
package Msf::Exploit::name;
use base “Msf::Exploit”;
use strict;
use Pex::Text;
my $advanced = { };
sub new {
constructor
return an instance of our exploit
}
sub Exploit {
exploit block
}
© Saumil Shah
%info
• Name • Payload
• Version • Encoder
• Authors • Refs
• Arch • DefaultTarget
• OS • Targets
• Priv • Keys
• UserOpts
© Saumil Shah
Metasploit Pex
• Perl EXtensions.
<metasploit_home>/lib/Pex.pm
<metasploit_home>/lib/Pex/
• Text processing routines.
• Socket management routines.
• Protocol specific routines.
• These and more are available for us to use
in our exploit code.
© Saumil Shah
Pex::Text
© Saumil Shah
Pex::Socket
• TCP
• UDP
• SSL TCP
• Raw UDP
© Saumil Shah
Pex - protocol specific utilities
• SMB
• DCE RPC
• SunRPC
• MSSQL
• …etc
© Saumil Shah
Pex - miscellaneous utilities
• Pex::Utils
• Array and hash manipulation
• Bit rotates
• Read and write files
• Format String generator
• Create Win32 PE files
• Create Javascript arrays
• …a whole lot of miscellany!
© Saumil Shah
metasploit_skel.pm
© Saumil Shah
Finished examples
• my_peercast.pm
• my_sipxtapi.pm
© Saumil Shah
Some command line Metasploit tools
• msfcli
• Metasploit command line interface.
• Can script up metasploit framework actions in a
non-interactive manner.
• msfpayload
• Generate payload with specific options.
• msfencode
• Encode generated payload.
© Saumil Shah
More command line Metasploit tools
• msfweb
• Web interface to the Metasploit framework.
• msfupdate
• Live update for the Metasploit framework.
© Saumil Shah
New in Version 3.0
• msfd
• Metasploit daemon, allows for client-server
operation of Metasploit.
• msfopcode
• command line interface to Metasploit’s online
opcode database.
• msfwx
• a GUI interface using wxruby.
© Saumil Shah
New in Version 3.0
© Saumil Shah
Saumil Shah
saumil@saumil.net | http://net-square.com
+91 98254 31192