Integrating DMA attacks in
Metasploit
Rory Breuk [email protected]
Albert Spruyt [email protected]
University of Amsterdam
May 23, 2012
1/ 25
Introduction
Goal:
Metasploit Over Firewire Ownage
2/ 25
Computer architecture
Diagram: CPU, RAM, Northbridge, Southbridge, and the buses PCMCIA, FireWire, PCI, SATA and Thunderbolt
3/ 25
Computer architecture cont.
Memory divided into 4KiB pages
Virtual / physical addresses
5/ 25
DMA attack vectors
FireWire
Thunderbolt
PCMCIA/CardBus/
ExpressCard
6/ 25
Previous work
Encryption key/ password extraction
Winlockpwn/FTWAutopwn/Inception
libforensic1394
7/ 25
Goals
Use DMA attacks with Metasploit
Why?
• Huge potential, but underutilized
• Widespread awareness is lacking
• Making it easy
• Lots of possibilities
8/ 25
Use case
Diagram: local attacker connected to the target over IEEE 1394; remote attacker reaches the target over the Internet
9/ 25
Use case
169.254.x.x
10/ 25
Metasploit concepts
Exploits
Payloads
Diagram: local attacker connected to the target over IEEE 1394; remote attacker reaches the target over the Internet
11/ 25
Payloads
What to patch
Diagram: RAM holding the LightDM process; a library call is the patch site
12/ 25
Windows DEMO
Target: Windows 7 SP1 32bit
Find the signature
Inject payload
13/ 25
Problems
Need to interact with the system
Easily user detectable
Detectable by tripwire
14/ 25
Proposed solution
Stage 1:
• Inject stager
• Allocate new page
Stage 2:
• Restore originally patched code
Stage 3:
• Inject second stager
• Restore process
• Execute payload
15/ 25
Stage 1: Inject stager
Find signature
Save code
Inject special stager
Save state
Allocate page
Copy loop
Jump to page
16/ 25
Stage 2: Restore code
Find the new page
Restore patched code
17/ 25
Stage 3: Finish
Upload second
stager + payload
Directly overwrites
running code
Fork
Restore process
Execute payload
18/ 25
Interactionless exploit
Xorg
• root permissions
• runs periodically
19/ 25
Linux DEMO
Target: Ubuntu 12.04
Look ma, no hands!
Stagers, IDS evasion
Target process is kept alive
20/ 25
Mitigation: theoretical
Theoretical:
• IOMMU
No practical implementations
21/ 25
Mitigation: practical
For the consultants:
• Don’t buy them
• Destroy them / glue them
• Disable them
• Deny physical access
Does not guarantee safety
22/ 25
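A defender-side audit for the "Disable them" and IOMMU items on this slide, added here as an example and not part of the deck or the mofo project. It assumes a Linux host and uses the real driver names firewire_ohci, firewire_core and thunderbolt; SAMPLE_MODULES is a constructed /proc/modules excerpt for the offline run.

```shell
# Added example, not from the slides: audit a Linux host for the two mitigations
# on the slide, "Disable them" and IOMMU. firewire_ohci, firewire_core and
# thunderbolt are the real Linux driver names; SAMPLE_MODULES is constructed.
# dma_bus_drivers "<text of /proc/modules>": print, space-separated, the loaded
# drivers that expose an externally reachable DMA-capable bus.
dma_bus_drivers() {
    found=""
    old_ifs=$IFS
    IFS='
'
    set -f
    for line in $1; do
        name=${line%% *}
        case "$name" in
            firewire_ohci|firewire_core|thunderbolt)
                found="${found:+$found }$name" ;;
        esac
    done
    set +f
    IFS=$old_ifs
    printf '%s\n' "$found"
}
# iommu_active "<kernel cmdline>" <entries in /sys/kernel/iommu_groups>
# Returns 0 when the kernel reports IOMMU groups (the reliable sign) or the
# command line explicitly turns the IOMMU on.
iommu_active() {
    [ "${2:-0}" -gt 0 ] && return 0
    case " $1 " in
        *" intel_iommu=on "*|*" amd_iommu=on "*|*" iommu=force "*) return 0 ;;
    esac
    return 1
}
# modprobe_blacklist: modprobe.d fragment for "Disable them". The install line
# also blocks an explicit modprobe, which a bare blacklist entry does not.
modprobe_blacklist() {
    for m in firewire-ohci firewire-core thunderbolt; do
        printf 'blacklist %s\ninstall %s /bin/false\n' "$m" "$m"
    done
}
# audit_host: run the checks against the live system (reads /proc and /sys).
audit_host() {
    loaded=$(dma_bus_drivers "$(cat /proc/modules 2>/dev/null)")
    groups=$(ls /sys/kernel/iommu_groups 2>/dev/null | wc -l | tr -d ' ')
    [ -n "$loaded" ] && echo "DMA-capable bus drivers loaded: $loaded"
    iommu_active "$(cat /proc/cmdline 2>/dev/null)" "$groups" ||
        echo "No active IOMMU: a device on these buses can read all of RAM"
}
SAMPLE_MODULES='firewire_ohci 40960 0 - Live 0x0000000000000000
firewire_core 65536 1 firewire_ohci, Live 0x0000000000000000
snd_hda_intel 57344 4 - Live 0x0000000000000000'
```

Run `audit_host` on a live machine, and write `modprobe_blacklist` output to a file under /etc/modprobe.d/ to apply the slide's "Disable them" advice.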
Achievements
Ported libforensic1394 bindings to Ruby
Integrate FireWire exploit into Metasploit
Reusable technique for DMA exploitation
23/ 25
Achievements
Enhanced attack:
• Smaller attack window
• Attack continued over TCP/IP
• Interactionless payload execution
• Use Metasploit functionality
https://github.com/mrbreaker/mofo
24/ 25
Metasploit Over Firewire Ownage
Questions?
https://github.com/mrbreaker/mofo
25/ 25