HackSim: An Automation of Penetration Testing
POSTECH HPC Lab.
이 승민
2004-07-29
Contents
• Introduction
• Tutorials for Two Issues
  • Safe Pen-Test for Windows
  • Remote Exploit Codes for Windows
• Demo (?)
HackSim Project
Introduction
• Topic: research on Windows vulnerability verification techniques (2004)
• Research contents
  • Analysis of the Windows attack techniques used by malicious code such as worms
  • Study of remotely exploitable vulnerabilities such as buffer overflows
  • Analysis of publicly available remote exploit code and penetration-testing experiments
  • Proposal of a framework that allows code reuse across several exploit codes
  • Extension of the Solaris pen-test tool implemented the previous year to Windows
• Previous projects: research on Solaris vulnerability verification techniques
  • Research on a vulnerability verification framework (2002)
  • Research on extending the vulnerability verification framework (2003)
• Sponsoring organization: National Security Research Institute (국가보안기술연구소)
Contents of Safe Pen-Test
• Introduction
• Using Kernel Service
• Jump to the Shellcode
  • Brute Force & Offline Attack
  • Safe Jump
• Conclusion
• Future Works
Introduction
• Application crash
  • After an attack, the application often ends with a crash.
  • Such behavior is easily noticed, and the attack may be detected.
  • In some cases it may affect the stability of the whole system.
  • In a multithreaded application, the whole application is terminated.
• Each stage must work correctly.
  • Loading the shellcode onto the target host
  • Jumping to the start address of the shellcode
  • Using a kernel service
  • Termination
Using Kernel Service
• System calls in Windows
  • Windows supports system calls, but their use is limited.
  • Use the Windows API functions located in DLLs instead.
• To use Windows API functions
  • Load the DLL (Dynamic Link Library)
  • Base address of the DLL
  • Offset of the API function inside the DLL
• Solution
  • Find the kernel32.dll base address using the PEB.
  • Get the function offset from the PE export directory table (EDT).
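The second half of the solution, "get the offset from the PE EDT", is the lookup a loader (or an analyst checking what a DLL exports) performs on IMAGE_EXPORT_DIRECTORY. The following is an added illustration, not HackSim code: it builds a small constructed PE32 image in which RVA equals buffer offset (as in a loaded image), then walks the export directory to map names to function RVAs. The DLL name, export names, RVAs and the forwarded export are all made up for the example.

```python
"""Resolve export names to RVAs from a PE export directory table.
Added example with a constructed PE32 image; not a real DLL and not HackSim code."""
import struct

E_LFANEW_OFFSET = 0x3C          # DOS header field that holds the PE header offset
PE_SIGNATURE = b"PE\0\0"
PE32_MAGIC = 0x10B
DATA_DIRECTORY_OFFSET = 0x60    # PE32 optional header -> DataDirectory[0] (exports)
EXPORT_DIR_SIZE = 40            # sizeof(IMAGE_EXPORT_DIRECTORY)


def u16(buf, off):
    return struct.unpack_from("<H", buf, off)[0]


def u32(buf, off):
    return struct.unpack_from("<I", buf, off)[0]


def read_cstring(buf, off):
    return buf[off:buf.index(b"\0", off)].decode("ascii")


def parse_exports(image):
    """Return {name: rva}. Forwarded exports map to ("forwarder", "DLL.Func")."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe = u32(image, E_LFANEW_OFFSET)
    if image[pe:pe + 4] != PE_SIGNATURE:
        raise ValueError("missing PE signature")
    opt = pe + 4 + 20                                  # skip the COFF file header
    if u16(image, opt) != PE32_MAGIC:
        raise ValueError("only PE32 is handled in this example")
    export_rva = u32(image, opt + DATA_DIRECTORY_OFFSET)
    export_size = u32(image, opt + DATA_DIRECTORY_OFFSET + 4)
    if export_rva == 0:
        return {}                                       # image exports nothing
    if export_rva + EXPORT_DIR_SIZE > len(image):
        raise ValueError("export directory lies outside the image")
    num_funcs = u32(image, export_rva + 0x14)           # NumberOfFunctions
    num_names = u32(image, export_rva + 0x18)           # NumberOfNames
    funcs = u32(image, export_rva + 0x1C)               # AddressOfFunctions
    names = u32(image, export_rva + 0x20)               # AddressOfNames
    ords = u32(image, export_rva + 0x24)                # AddressOfNameOrdinals
    result = {}
    for i in range(num_names):
        name = read_cstring(image, u32(image, names + 4 * i))
        ordinal = u16(image, ords + 2 * i)              # index into AddressOfFunctions
        if ordinal >= num_funcs:
            raise ValueError(f"ordinal {ordinal} out of range for {name}")
        rva = u32(image, funcs + 4 * ordinal)
        # An RVA that points back inside the export directory is a forwarder
        # string ("DLL.Func"), not code; a resolver must follow it, not call it.
        if export_rva <= rva < export_rva + export_size:
            result[name] = ("forwarder", read_cstring(image, rva))
        else:
            result[name] = rva
    return result


def build_constructed_image(exports):
    """Constructed PE32 image for the example; `exports` maps a name to an int RVA
    or to a forwarder string. Layout: headers at 0x80, export directory at 0x200."""
    img = bytearray(0x600)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, E_LFANEW_OFFSET, 0x80)
    pe = 0x80
    img[pe:pe + 4] = PE_SIGNATURE
    # COFF header: i386, no sections, 0xE0-byte optional header, DLL characteristics
    struct.pack_into("<HHIIIHH", img, pe + 4, 0x14C, 0, 0, 0, 0, 0xE0, 0x2102)
    opt = pe + 24
    struct.pack_into("<H", img, opt, PE32_MAGIC)
    export_rva, export_size = 0x200, 0x300
    struct.pack_into("<II", img, opt + DATA_DIRECTORY_OFFSET, export_rva, export_size)
    funcs, names, ords, cursor = 0x300, 0x340, 0x380, 0x400

    def put_string(s):
        nonlocal cursor
        data = s.encode("ascii") + b"\0"
        off, cursor = cursor, cursor + len(data)
        img[off:off + len(data)] = data
        return off

    sorted_names = sorted(exports)                      # the name table is kept sorted
    struct.pack_into("<IIHHIIIIIII", img, export_rva, 0, 0, 0, 0,
                     put_string("EXAMPLE.dll"), 1, len(sorted_names),
                     len(sorted_names), funcs, names, ords)
    for i, name in enumerate(sorted_names):
        target = exports[name]
        rva = put_string(target) if isinstance(target, str) else target
        struct.pack_into("<I", img, funcs + 4 * i, rva)
        struct.pack_into("<I", img, names + 4 * i, put_string(name))
        struct.pack_into("<H", img, ords + 2 * i, i)
    return bytes(img)


# Constructed sample: made-up RVAs plus one forwarded export.
SAMPLE_IMAGE = build_constructed_image({
    "LoadLibraryA": 0x1000,
    "CreateProcessA": 0x1040,
    "ExitThread": 0x1080,
    "ForwardedFunc": "OTHER.RealFunc",
})

if __name__ == "__main__":
    for name, rva in parse_exports(SAMPLE_IMAGE).items():
        print(f"{name:16} -> {rva if isinstance(rva, tuple) else hex(rva)}")
```

The returned RVA is what the slides call the offset; adding the DLL base address found through the PEB gives the function's virtual address. The forwarder case matters for anyone resolving symbols from kernel32.dll, since several of its exports on real systems resolve to strings rather than code.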
Jump to the Shellcode (1/4)
[Figure: stack layout from 0x00000000 to 0xFFFFFFFF showing the buffer, the start address of the shellcode and the return address]
• What we need to know
  • Buffer size
  • Start address of the shellcode
• How to know
  • Brute force attack
  • Offline attack
Jump to the Shellcode (2/4)
Brute Force & Offline Attack
• Windows does not allow a brute force attack.
  • Process or thread creation uses the CreateProcess/CreateThread function.
  • Internally it calls BaseProcessStart/BaseThreadStart in kernel32.dll.
• Knowing the buffer size is trivial in an offline attack.
• Knowing the start address of the buffer in memory
  • Thread stacks are allocated consecutively in a multithreaded process.
  • The start address depends on the version of Windows and the service pack.

    VOID BaseProcessStart(PROCESS_START_ROUTINE pfnStartAddr)
    {
        __try {
            ExitThread((pfnStartAddr)());
        }
        __except(UnhandledExceptionFilter(GetExceptionInformation())) {
            ExitProcess(GetExceptionCode());
        }
    }
Jump to the Shellcode (3/4)
Safe Jump
• Use a 'jmp esp' instruction
  • 0xFFE4 in kernel32.dll
• Before strcpy / After strcpy
[Figure: the stacks of g() and f() before and after strcpy; after strcpy the return address is overwritten with 0x77E44BBD, the address of 'jmp esp' (0xFFE4) in kernel32.dll, with a 0x9090…9090 NOP sled above it]

    void g() { char buf[8];   strcpy(buf, shellcode); }
    void f() { char buf[200]; g(); }
Jump to the Shellcode (4/4)
Safe Jump (Cont.)
• After return
[Figure: after the return, esp points just above the overwritten return address (0x77E44BBD), so 'jmp esp' lands in the 0x9090…9090 sled]
• Large buffer case

    void g() { char buf[200]; strcpy(buf, shellcode); }
    void f() { char buf[8];   g(); }

[Figure: with the large buffer in g(), the overwritten return address (0x77E44BBD) is followed by 'SUB ESP, 0xCC' and a second 0xFFE4 ('jmp esp'), moving execution from f()'s stack down into g()'s stack]
Conclusion
• Windows doesn't allow a brute force attack.
• The image of 'jmp esp' makes it easy to guess the start address of the shellcode in a multithreaded environment.
  • Load the shellcode into the caller's stack
  • One more jump to the callee's stack
• It might also work well with the dynamic stack method.
• But the 'jmp esp' instruction is located at different addresses in different versions of Windows and service packs.
Future Works
• Safe Jump
  • Survey the image of 'jmp esp/ebx'.
  • Implement powerful OS fingerprinting tools.
• Safe Termination
  • The ExitThread function works well currently.
  • We need to verify this method.
Contents of Remote Exploit
• Get the Remote Shell
  • Issues for Getting the Remote Shell
• Get the Remote Exploit
  • Public Exploit Codes
  • Candidate
    • RPC DCOM
    • LSASS
  • Analysis Process
• Future Work
Get the Remote Shell
Issues for Getting the Remote Shell
• Loading ws2_32.dll using LoadLibrary()
  • Push the string "ws2_32" onto the stack.
  • Call the LoadLibraryA() function.
• Redirecting standard input, output and error to the socket
  • Set hStdInput, hStdOutput and hStdError in the STARTUPINFO struct to the connected socket.
  • Set the bInheritHandles argument of CreateProcess() to TRUE.
• Implementation
  • Bind shellcode
  • Reverse shellcode
Get the Remote Shell
Bind Shellcode
[Figure: the attacker triggers the stack overflow on the vulnerable host; the shellcode listens on port 4320, the attacker connects to port 4320 and obtains a command shell]
Get the Remote Shell
Reverse Shellcode
[Figure: the attacker listens on port 4320 and triggers the stack overflow on the vulnerable host; the shellcode connects back to the attacker's port 4320 and hands over a command shell]
Get the Remote Shell
Mechanism of Reverse Shellcode
Helper routines: kernel32_symbol_hashes, ws2_32_symbol_hashes, find_function, resolve_symbols_for_dll, startup
• find_kernel32: find the base address of kernel32.dll.
• resolve_kernel32_symbols: resolve the addresses of the symbols (functions) needed from kernel32.dll.
• resolve_winsock_symbols: call LoadLibraryA; resolve the addresses of the symbols (functions) needed from ws2_32.dll.
• initialize_winsock: call WSAStartup; do the preparation needed to create a socket (Windows programming).
• create_socket: call WSASocket; create the socket used to connect to the attacker.
• do_connect: call connect; connect to the attacker.
• initialize_process: initialize the process that will provide the command shell. The difference from local shellcode is that hStdInput, hStdOutput and hStdError in the STARTUPINFO struct must be set to the socket, and bInheritHandles of CreateProcess must be set to TRUE.
• execute_process: call CreateProcessA; hand the command window to the attacker.
• wait_for_exit: call WaitForSingleObject; wait for the attacker's command window to terminate.
• close_fd: call closesocket; close the client socket.
• exit_thread: call ExitThread; finish the attack code.
Get the Remote Shell
Mechanism of Bind Shellcode
Helper routines: kernel32_symbol_hashes, ws2_32_symbol_hashes, find_function, resolve_symbols_for_dll, startup
• find_kernel32: find the base address of kernel32.dll.
• resolve_kernel32_symbols: resolve the addresses of the symbols (functions) needed from kernel32.dll.
• resolve_winsock_symbols: call LoadLibraryA; resolve the addresses of the symbols (functions) needed from ws2_32.dll.
• initialize_winsock: call WSAStartup; do the preparation needed to create a socket (Windows programming).
• create_socket: call WSASocket; create the socket the attacker will connect to.
• bind: call bind; prepare to wait for the attacker's connection.
• listen: call listen; wait for the attacker's connection.
• accept: call accept; accept the attacker's connection.
• initialize_process: initialize the process that will provide the command shell.
• execute_process: call CreateProcessA; hand the command window to the attacker.
• wait_for_exit: call WaitForSingleObject; wait for the attacker's command window to terminate.
• close_fd: call closesocket; close the client socket and the server socket.
• exit_thread: call ExitThread; finish the attack code.
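Both shellcode sequences end the same way: CreateProcessA starts a shell whose standard handles are a socket, and it runs as a child of the exploited service. That gives a defender three host-side signals to correlate: a shell spawned by a network-facing service process, that shell holding a socket (outbound for reverse, inbound for bind), and, as the Safe Pen-Test introduction notes, the service crashing afterwards. The following is an added example, not HackSim code, that runs such a rule over constructed endpoint events; the event shape, the timestamps, the remote addresses and the service host names (lsass.exe for the LSASS service, svchost.exe and services.exe as assumed RPC hosts) are assumptions made for the example.

```python
"""Correlate endpoint events into alerts for a shell spawned by a service.
Added example on constructed events; not HackSim code."""

# Network-facing processes that should never spawn a command shell
# (assumed names; tune for the environment being monitored).
SERVICE_HOSTS = {"lsass.exe", "svchost.exe", "services.exe"}
SHELLS = {"cmd.exe", "command.com"}

# Constructed, simplified endpoint events (t = seconds). The first three model
# an exploited LSASS spawning a reverse shell to port 4320; the explorer.exe
# shell is a benign interactive session that must not alert.
SAMPLE_EVENTS = [
    {"t": 100, "type": "network", "pid": 680, "image": "lsass.exe",
     "direction": "inbound", "remote": "10.0.0.5", "local_port": 445},
    {"t": 101, "type": "process", "pid": 3020, "image": "cmd.exe",
     "ppid": 680, "parent_image": "lsass.exe"},
    {"t": 102, "type": "network", "pid": 3020, "image": "cmd.exe",
     "direction": "outbound", "remote": "10.0.0.5", "remote_port": 4320},
    {"t": 150, "type": "process", "pid": 3100, "image": "cmd.exe",
     "ppid": 1500, "parent_image": "explorer.exe"},
    {"t": 151, "type": "network", "pid": 3100, "image": "cmd.exe",
     "direction": "outbound", "remote": "10.0.0.9", "remote_port": 80},
    {"t": 160, "type": "crash", "pid": 680, "image": "lsass.exe"},
]


def detect_service_shell(events, window=120):
    """Return one alert per shell spawned by a service host, listing every
    corroborating indicator seen within `window` seconds."""
    net_by_pid, crashes = {}, []
    for e in events:
        if e["type"] == "network":
            net_by_pid.setdefault(e["pid"], []).append(e)
        elif e["type"] == "crash":
            crashes.append(e)

    alerts = []
    for e in events:
        if e["type"] != "process" or e["image"].lower() not in SHELLS:
            continue
        if e["parent_image"].lower() not in SERVICE_HOSTS:
            continue                       # interactive shells are normal
        reasons = [f"{e['parent_image']} (pid {e['ppid']}) spawned {e['image']}"]
        # The service accepted a connection shortly before spawning the shell.
        for n in net_by_pid.get(e["ppid"], []):
            if n["direction"] == "inbound" and 0 <= e["t"] - n["t"] <= window:
                reasons.append(f"{n['remote']} reached {e['parent_image']} on port "
                               f"{n['local_port']} {e['t'] - n['t']}s earlier")
        # The shell itself owns a socket: its std handles were redirected to it.
        for n in net_by_pid.get(e["pid"], []):
            kind = "reverse" if n["direction"] == "outbound" else "bind"
            reasons.append(f"shell pid {e['pid']} has a {kind}-style socket to {n['remote']}")
        # The exploited service died afterwards (the crash the slides warn about).
        for c in crashes:
            if c["pid"] == e["ppid"] and 0 <= c["t"] - e["t"] <= window:
                reasons.append(f"parent {c['image']} crashed {c['t'] - e['t']}s later")
        alerts.append({"pid": e["pid"], "ppid": e["ppid"], "t": e["t"],
                       "severity": "high" if len(reasons) > 1 else "medium",
                       "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in detect_service_shell(SAMPLE_EVENTS):
        print(f"[{a['severity']}] t={a['t']} pid={a['pid']}")
        for r in a["reasons"]:
            print("   -", r)
```

The parent-child relation alone is the strongest signal, so it raises at least a medium alert by itself; the socket and crash indicators only raise severity. A bind shell shows up in the same rule because the shell's accepted connection is recorded as an inbound network event on the shell's pid.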
Get the Remote Exploit
Public Exploit Codes
• RPC DCOM
• RPC Locator Service
• MSSQL 2000 UDP
• RealPlayer Server
• Workstation Service
• Telnet Service
• Samba Share Resource
• LSASS
Selected candidates
• RPC DCOM
• LSASS
Get the Remote Exploit
Candidate
• RPC DCOM vulnerability
  • The Blaster worm exploits the DCOM RPC vulnerability described in Microsoft Security Bulletins MS03-026 and MS03-039.
  • Port 135 (epmap: DCE endpoint resolution)
• LSASS vulnerability
  • The Sasser worm attempts to exploit the vulnerability described in Microsoft Security Bulletin MS04-011.
  • Port 445 (microsoft-ds: Microsoft-DS)
• Why did we select them?
  • Exploit codes for general system services
  • Used in popular worms
Get the Remote Exploit
Analysis Process
• Checkpoints
  • shellcode
  • return address
• DCOM exploit
  • It worked on English Windows XP.
  • We found the image used as the return address in English Windows.
  • We obtained the address of the same image in Korean Windows.
  • Using that address, it works on Korean Windows.
• LSASS exploit
  • The image is a "jmp esp" or "jmp ebx" in kernel32.dll, etc.
  • We used their addresses as the return address.
Future Work
• Survey more vulnerabilities.
• Analyze and modularize the selected exploit codes.
  • RPC DCOM
  • LSASS
• Propose a pen-testing framework for Windows.
• Adapt the exploit codes to Linux environments.