260 likes | 375 Views
Matt Weaver UCCS Spring 2007. Exploit-based Bandwidth/Network Analysis Framework. Abstract. Basic bandwidth tools are limited by network security. An exploit could be used to infect machines on a network and provide metrics while overcoming the problems inherent in the traditional approach.
E N D
Matt Weaver UCCS Spring 2007 Exploit-based Bandwidth/Network Analysis Framework
Matt Weaver: Exploit/Bandwidth Project Abstract Basic bandwidth tools are limited by network security. An exploit could be used to infect machines on a network and provide metrics while overcoming the problems inherent in the traditional approach.
Matt Weaver: Exploit/Bandwidth Project Background The Morris Worm Robert Morris @ Cornell through MIT, 1988 Government attention Unix back doors, bad passwords... hacked any way possible Hindsight: security wasn't a big enough factor.
Matt Weaver: Exploit/Bandwidth Project Related Work Chen, G. and Gray, R. S. 2006. Simulating non-scanning worms on peer-to-peer networks. How worms spread. Effectiveness of different styles. Kienzle, D. M. and Elder, M. C. 2003. Recent worms: a survey and trends. Exploits are not innovative. Zou, C. C., Gong, W., and Towsley, D. 2002. Code red worm propagation modeling and analysis. Code Red infected Microsoft IIS (Internet Information Server) via buffer overflow.
Matt Weaver: Exploit/Bandwidth Project Buffer Overflow In C, “strcpy” is not smart. No bounds checking. Write past the end of the buffer. void bad_function(char *string) void bad_function(char *string) { char buffer[5]; strcpy(buffer, string); } int main(int argc, char* argv[]) { char a_large_string[] = "This string is far too big. Far, far too big."; bad_function(a_large_string); exit(0); }
Buffer Overflow • In memory: • Registers... • EBP (frame base pointer • EIP (current instruction) • EAX, ESI, EDI, etc (various uses) • Each instruction is pushed on the stack. In Windows the stack grows down. Matt Weaver: Exploit/Bandwidth Project
Matt Weaver: Exploit/Bandwidth Project Buffer Overflow Options: We can modify the return address: EBP and EIP will revert to the “calling” frame. If we “muck” with these values, we can modify the return address. Overwrite EIP to make some other call (similar to the above)... this is how real exploits work. You must somehow change the flow of execution. Shellcode Put machine instructions into the “extra” characters. They will look like regular instructions, we just have to jump into them. Instruction have addresses where the machine code to execute them exists, these can be found with “dumpbin”. In Windows/x86, we can use a NOP sledge (no operation -> “\x90” in Shellcode). Hard to get working right in Windows: Variable instruction addresses: A product of DLL-Hell inherited from VMS Changes with patches, updates, and other products installed. Security settings introduced in newer MS compilers.
Matt Weaver: Exploit/Bandwidth Project Using Overflow In essence, create a new function with shellcode. Modify EIP and EBP to point to our new “function”, that is the chunk of memory where our shellcode is loaded.
Matt Weaver: Exploit/Bandwidth Project Exploit Architecture Follow the model of Russian exploits (SASSER, SLAMMER): Surround payload with NOP (no operation) instructions Modify EIP to execute our “function” We won’t know exactly where it goes, but NOP instructions don’t do anything.
Exploit Architecture • Guessing part: • Which register holds a value that points to a memory location in the NOP sledge? • EAX? • EDI? • … Matt Weaver: Exploit/Bandwidth Project
Matt Weaver: Exploit/Bandwidth Project Exploit Architecture The JMP instruction will overwrite EIP. Hard-coding the JMP instruction is typical of Russian exploits. Other, more complicated methods of finding instructions at runtime exist… but they are difficult to code and test. No way to know “where” we will jump, but we try until we can get to our NOP sledge. kernel32.dll JMP instructions will “JMP EAX”, “JMP EDI”, etc. Since we don’t know what our target is doing… We try a few, depending on the system we target (sometimes it just won’t work): “0x77EA855E” “0x77E448E2” Researchers have done the tricky disassembly debug and made lists for SP0 (ex: https://www.securinfos.info/international-opcodes/).
Matt Weaver: Exploit/Bandwidth Project Exploit Architecture Our JMP instruction will be the first thing executed after the overflow, rewriting the old EIP value on the stack: We don’t want to call it twice… so the payload has to be “smart”. Stick the JMP instruction AFTER the payload, in our “buffer”.
Matt Weaver: Exploit/Bandwidth Project Payload The easy part (kind of)! Tools can generate stable payloads, we can use Metasploit to generate new payloads for: Starting a listener (call back with netcat). Download and execute. All kinds of things. Not all payloads work with all exploits: OS security features might disable certain calls. Large payloads are easily detected by IDS… because legitimate transactions aren’t usually long strings of hex.
Download and Execute • This code will download and execute, provided: • Correct permissions settings in XP. • Reasonably small executable, short transfer time, etc. • Shellcode can’t have “\x00” • C sees this as the end of a string, so that will be stripped, either by the calling client (depending on implementation) or the service. • Many methods can be used to cleverly replace “\x00”. Metasploit uses the XOR method. • This code would have an “\x00” following the “cmd” call, for example. • LSASS exploits can't have: "\x00\x0a\x0d\x5c\x5f\x2f\x2e” Matt Weaver: Exploit/Bandwidth Project
Matt Weaver: Exploit/Bandwidth Project One last thing on shellcode Makes or breaks your overflow exploit. Unfortunately, this isn’t always up to you. Many variables are beyond your control. The payload is easy, it’s the “getting to the payload” that is a “trying” process (pun intended). If it doesn’t work, find a new exploit… SOL.
Matt Weaver: Exploit/Bandwidth Project sniFF Architecture sniFF app starts user buildable exploits (via XML config file and the command line). Captures data messages from clients. With certain clients, acts as a sort of “parent lookup service” Clients are downloaded and executed on remote machines. Some clients will be blocked. Not all exploits can complete download and execute. Other options exist.
Matt Weaver: Exploit/Bandwidth Project sniFF Architecture
Matt Weaver: Exploit/Bandwidth Project Tools/Technology Visual Studio .NET 2002, 2003, 2005. C, C++, C# Utilities integrated into SDK: Dumpbin – find addresses MIDL – compiler for COM GCC/GDB (Cygwin and Bloodshed). C, C++ Metasploit Pre-existing exploit and payload generator. Write new modules in C or Perl. Invaluable in exploit research, writing, and investigation. Point to point attack only… not concerned with the payload part. SPIKE DCE-RPC browser Inspect COM objects on a given machine Ethereal: packet sniffer OllyDbg: for debugging dlls... fuzzing. VMWare Workstation/Server Various incarnations of XP. Xcode: gcc/gdb on OS X (bash) for testing, education as Unix provides an easier place to learn.
Matt Weaver: Exploit/Bandwidth Project Lessons Learned Exploits are nasty to write: Win addressing problem Not all payloads will work with a given exploit. Windows poorly handles security Never re-baselined, so lots of buggy code still exists. MS patches usually just move addresses around. Exploits that don't work can still crash systems. OS level services have mostly been blocked off (or hacked around by MS), newer overflow exploits focus on SQLServer, IIS, etc. IT Experts shouldn't know about potential overflows and do nothing to fix them. But with new Metasploit modules and new discoveries on milw0rm.com, we can keep trying.
Matt Weaver: Exploit/Bandwidth Project Basically... Not like most CS problems: Little “good” research has been done and documented. You are mostly poking around in the dark, when it comes to development. Constraints on imagination, versus technology. Science versus gambling/hacking/hoping/guessing.
Matt Weaver: Exploit/Bandwidth Project Future Work Convert sniFF source to Mono and tinker with: Fedora Core, Ubuntu, Solaris, etc. Write working instruction prowler shellcode for Windows: All available text neglects to do this. Examples that exist... don't actually work. Get SASSER working with downloads.
Aleph One. Smashing the Stack For Fun and Profit. Phrack (Volume seven, issue forty-nine; November 8, 1996). http://www.phrack.org/phrack/49/P49-01 Anderson, Ross. Security Engineering: A Guide to Building Dependable Distributed Systems. New York, NY: John Wiley & Sons, Inc 2001. Blum, Richard. C# Network Programming. Alameda, CA: Sybex, 2003. Chen, G. and Gray, R. S. 2006. Simulating non-scanning worms on peer-to-peer networks. In Proceedings of the 1st international Conference on Scalable information Systems (Hong Kong, May 30 - June 01, 2006). InfoScale '06, vol. 152. ACM Press, New York, NY, 29. DOI= http://doi.acm.org/10.1145/1146847.1146876 Erickson, Jon. Hacking: The Art of Exploitation. San Francisco: No Startch Press, 2003.
Matt Weaver: Exploit/Bandwidth Project • Davis, Ralph. Win32 Network Programming. New York: Addison-Wesley, 1996. • Irvine, Kip R. Assembly Language For Intel-Based Computers. Saddle Hill, New Jersey: Prentice Hall, 2006. • Kienzle, D. M. and Elder, M. C. 2003. Recent worms: a survey and trends. In Proceedings of the 2003 ACM Workshop on Rapid Malcode (Washington, DC, USA, October 27 - 27, 2003). WORM '03. ACM Press, New York, NY, 1-10. DOI= http://doi.acm.org/10.1145/948187.948189 • Koziol, Jack et al. The Shellcoders Handbook. Indianapolis: Wiley Publishing, 2004. • Petkov, K. 2005. Overcoming programming flaws: indexing of common software vulnerabilities. In Proceedings of the 2nd Annual Conference on information Security Curriculum Development (Kennesaw, Georgia, September 23 - 24, 2005). InfoSecCD '05. ACM Press, New York, NY, 127-134. DOI= http://doi.acm.org/10.1145/1107622.1107652 • Pfleeger, Charles P and Shari Lawrence Pfleeger. Security in Computing. Saddle Hill, New Jersey: Prentice Hall, 2003.
Matt Weaver: Exploit/Bandwidth Project • Skape. Understanding Windows Shell code. December 6, 2003. nologin.org. 16 July 2006 • Spangler, Ryan. Analysis of the Microsoft Windows LSASS Exploit. Packet Watch. http://www.packetwatch.net/documents/papers/windows-lsass.pdf • Sk. Advances in Windows Shell code. Phrack (Volume seven, issue sixty-two; June 22, 2004). • Zou, C. C., Gong, W., and Towsley, D. 2002. Code red worm propagation modeling and analysis. In Proceedings of the 9th ACM Conference on Computer and Communications Security (Washington, DC, USA, November 18 - 22, 2002). V. Atluri, Ed. CCS '02. ACM Press, New York, NY, 138-147. DOI= http://doi.acm.org/10.1145/586110.586130
Matt Weaver: Exploit/Bandwidth Project Coda Demo: Pieces of sniFF Clients Large client (recursive infection) Lightweight client. Configuration: Write new exploits, plug them in! Lots left to do. In action: Clients run conventionally. Clients infecting XP no SP running bad service. A view of the network. Ethereal packet data. Use Metasploit and LSASS (fixed it!) to infect a machine. Use “bad service” to infect machine. Nearest neighbour randomized infection (failure, but examine IPs generated). A glance at the framework.
Matt Weaver: Exploit/Bandwidth Project Voila! Questions?