Sei sulla pagina 1di 53

UsingGuidedMissilesinDrivebys

Automaticbrowser
fingerprintingand
exploitationwiththe
MetasploitFramework:
BrowserAutopwn

JamesLee

BrowserAutopwn

AuxiliarymodulefortheMetasploitFramework

Fingerprintsaclient

Determineswhatexploitsmightwork

Usedtosuck

Nowitdoesn't

Outline

Intro

Clusterbombs

Guidedmissiles

Fingerprintingandtargeting

Stealth

Demos

Commercialcomparison

#whoami

JamesLee

egypt

CoFounder,TeardropSecurity

Developer,MetasploitProject

MyInvolvementinMSF

Startedsubmittingpatchesandbugreportsin
2007
HDgavemecommitaccessinApril2008

BroketherepoApril2008

TheMetasploitFramework

CreatedbyHDMoorein2003

ncursesbasedgame

Laterbecamearealexploitframeworkinperl

Rewritteninrubyin2005

Whichiswaybetterthanpython

Extensibleframeworkforwritingexploits

I<3MSF

Modularpayloadsandencoders

Manyprotocolsalreadyimplemented

Manynonexploittools

Allkindsofexploits

Traditionalserverside

Clientsides

WhyClientsides

Karmetasploit

Anyothertoolthatgetsyouinthemiddle

Usersareweakestlink,blah,blah,blah

SeeChrisGates

ClientExploitsinMSF

ExtensiveHTTPsupport

Heapsprayintwolinesofcode

Sotirov's.NETDLL,heapfengshui

WiderangeofprotocollevelIDSevasion

Simpleexploitin~10linesofcode

SimpleExploit
content=<html><body>
<objectid='obj'classid='...'></object><script>
#{js_heap_spray}
sprayHeap(#{payload.encoded},#{target.ret},0x4000);
obj.VulnMethod(#{[target.ret].pack(V)*1000});
</script></body></html>
send_response(client,content)

10

OrArbitrarilyComplex

11

ani_loadimage_chunksizeis581linesofcode
AsofJune28,MSFhas85browserexploit
modules

Problem

Solution

ClusterBombApproach

IsitIE?SendalltheIEsploits

IsitFF?SendalltheFFsploits

Originallyexploitswereadhoc

14

Painintheasswhennewsploitscomeout

Problem

Solution

GuidedMissileApproach

BetterclientandOSfingerprinting

Onlysendexploitslikelytosucceed

17

lesslikelytocrashorhangthebrowser
BrowserisIE7?Don'tsendIE6sploits,etc.

FingerprintingtheClient

UserAgent

18

Easytospoof
Easytochangeina
proxy
Atinybitharderto
changeinJS

FingerprintingtheClient

VariousJSobjectsonlyexistinonebrowser

Someonlyexistincertainversions

window.createPopup,Array.every,window.Iterator

Renderingdifferencesandparserbugs

19

window.opera,Array.every

IE'sconditionalcomments

InternetExplorer

Parserbugs,conditionalcomments

ScriptEngine*Version()

20

Reliable,butnotprecise
Almostuniqueacrossallcombinationsofclientand
OS
BroughttomyattentionbyJeromeAthias

Opera

window.opera.version()

21

Includesminorversion,e.g.9.61

HybridApproachforFF

22

Existenceof
document.getElementsByClassName
meansFirefox3.0
IfUserAgentsaysIE6,gowithFF3.0
IfUAsaysFF3.0.8,it'sprobablynotlying,so
usethemorespecificvalue

Safari

Stillinprogress

Existenceofwindow.console

Availabilityofwindow.onmousewheel

23

IfFirebugisinstalledonFF,showsupthere,too
Defaultstonull,sohavetochecktypeof

FingerprintingtheOS

UserAgent

Couldusesomethinglikep0f

Fromtheserverside,that'saboutit

24

InternetExplorer

25

Again,ScriptEngine*Version()
Almostuniqueacrossallcombinationsofclient
andOS,includingservicepack

Opera

Eachbuildhasauniqueopera.buildNumber()

Givesplatform,butnothingelse

26

Firefox

27

navigator.platformandfriendsareaffectedby
theUserAgentstring
navigator.oscpuisn't

Linuxi686

WindowsNT6.0

Others

Reallyallwe'releftwithistheUserAgent

That'sokay,mostdon'tlie

28

Andthosethatdoarelikelytobepatchedanyway

Generic,workseverywherewhenUAisnot
spoofed

FutureFingerprinting

QuickTime

Adobe

Lesswellknownthirdpartystuff

29

ActiveX

30

newActiveXObject()worksifyouhave
theclassname
Otherwise,IEdoesn'tseemtohaveageneric
waytotellifanActiveXobjectgotcreated

document.write(<object...>)

document.createElement(object)

Solution

31

typeof(obj.method)

'undefined'iftheobjectfailedtoinitialize

'unknown'orpossiblyarealtypeifitworked

TargetAcquired

WhatisitVulnerableto?

Coarsedeterminationserverside

Serversendssploitsthatmatchthebrowserand
OS,possiblyversion

Finedeterminationclientside

33

JavaScriptbuildsfingerprint,sendsitbacktothe
server

navigator.javaEnabledexists,try
mozilla_navigatorjava

SelectaMissile

Sortbyreliability
Exploitscontain
theirownJStests

Problem

Solution

36

Obfuscation

Randomizeidentifiers

Buildstringsfromotherthings

JSON/AJAX

Obfuscationisnotcrypto

37

Encryption

PutakeyintheURL

38

Notavailableinthestandalonescript

SimpleXORisenoughtobeatAVandNIDS
Iftheyfigureitout,it'seasytomakethecrypto
stronger

Demonstrations

39

Andwe'reback...

40

Ihopethatworked
NowhowdoYOUmakeexploitsworkwithin
thisframework?

WritingExploits

Addautopwn_info()totopofexploitclass
:ua_nameisanarrayofbrowsersthisexploit
willworkagainst
:vuln_testissomejavascripttotestforthe
vulnerability(unlessit'sActiveX)

41

Usuallycomesdirectlyfromtheexploitanyway

Example:mozilla_navigatorjava
includeMsf::Exploit::Remote::BrowserAutopwn
autopwn_info({
:ua_name=>HttpClients::FF,
:javascript=>true,
:rank=>NormalRanking,#reliablememorycorruption
:vuln_test=>%Q|
if(
window.navigator.javaEnabled&&
window.navigator.javaEnabled()
){
is_vuln=true;
}
|,
})

42

Example:ms06_067_keyframe
includeMsf::Exploit::Remote::BrowserAutopwn
autopwn_info({
:ua_name=>HttpClients::IE,
:javascript=>true,
:os_name=>OperatingSystems::WINDOWS,
:vuln_test=>'KeyFrame',
:classid=>'DirectAnimation.PathControl',
:rank=>NormalRanking#reliablememorycorruption
})

43

Example:winzip_fileview
includeMsf::Exploit::Remote::BrowserAutopwn
autopwn_info({
:ua_name=>HttpClients::IE,
:javascript=>true,
:os_name=>OperatingSystems::WINDOWS,
:vuln_test=>'CreateFolderFromName',
:classid=>'{A09AE68FB14D43EDB713BA413F034904}',
:rank=>NormalRanking#reliablememorycorruption
})

44

BrowserAutopwnSummary

ReliableTargetAcquisition

SmartMissileSelection

StealthyfromanAVperspective

Easytoextend

Detectionresultsstoredinadatabase

45

CommercialComparison

Mpack

Firepack

Neosploit

Luckysploit

46

Mpack,Firepack

Hardtoacquire

Oldexploits

Detectionisonlyserverside

Hardtochangeorupdateexploits

Obfuscation+XOR

47

Neosploit

48

CompiledELFsrunasCGI
UnlessyougetthesourceordosomeRE,you
won'treallyknowwhatitdoes

Luckysploit

Realcrypto(RSA,RC4)

Evenhardertoacquire

49

BrowserAutopwn

Easytowritenewexploitsortakeoutoldones

Free(threeclauseBSDlicense)

Easytoget(http://metasploit.com)

NotwritteninPHP

50

OSandclientdetectionisclientside,more
reliableinpresenceofspoofedorborkedUA

Future

Moreflexiblepayloadselection

Stopwhenyougetashell

MaybeimpossibleinpresenceofNAT/proxies

EasiertouseJSobfuscation

UAProfformobiledevices

IntegrationwithMetaPhish

51

Downloadit

svncohttp://metasploit.com/svn/framework3/trunk

Submitpatchestomsfdev@metasploit.com

52

Thanks

hdm,valsmith,
tebo,mc,cg,Dean
deBeer,pragmatk
Everybodywho
helpedwithtesting
Whoevercreated
ActiveX