2. Before we start
• Some slides might seem like they have too much text, the reason this happens is that I
want you to be able to get home after this presentation and start messing around with
the stuff you will learn about here. To do that there is a lot of text you need as a reference
that even though it is on the slides I might not read.
• Also this presentation will be compiled in a package, with all the software, notes and
cheat sheets that you need to hack away as soon as you are out of here.
3. Who Am I ?
Team Leader of these guise
• Tiago Henriques
• @balgan
• 23
• BSc
• MSc
• CEH Which
• CHFI Means
file:///C:/Users/balga
You
n/Downloads/11545_
• CISSP Should
192585389754_51359
• MCSA Probably
9754_3020198_33334
• CISA Leave
9_n.jpg
• CISM Because
Currently employed
• CPT I will
by these guise
• CCNA Talk shit
Amirite?
• OSCP
Next project
5. Terminology
• Vulnerability - Security hole in a piece of software, or hardware and can provide a
potential vector to attack a system. It can go from something simple like a weak password
to something more complex like buffer overflow, or SQL injection.
• Exploit – A program whose only reason is to take advantage of a vulnerability. Exploits
often deliver payloads to a target system.
• Payload – Piece of software that allows an attacker to control the exploited system.
• DEP – Data Execution Prevention – First introduced in Win XP SP2 – Used to mark certain
parts of the stack as non-executable.
• ASLR – Address Space Layout Randomization – Windows Vista onwards – Randomizes the
base addresses of executables, dll’s, stack and heap.
6. Step 1 - Vulnerability
Where can I find one? Why should I look for one ?What am I looking for?
7. Why do I want to look for
vulnerabilities?
• There are plenty of reasons why you would want to look for vulnerabilities:
1. Fame – Who doesn’t know people like Charlie Miller, Dino Dai Zovi, and Alex
Sotirov?
2. Money – You can make a living out of this! ZDI and other programs buy vulns and
depending on how critical it is you can get quite a lot of money for it!
3. Technical knowledge – You can learn a lot more by digging into the internals of
software/hardware then just using it normally.
8. How to find one?
• Multiple techniques exist to find vulnerabilities but we will mention only these three main
ones:
• Static analysis – Analyse the programs without running them, reading source code or
using tools for static analysis. Analyse how the program flow works and how data
enters the software.
• Potentially vulnerable Code Locations – Look at specific parts of source code, mainly
at “unsafe” locations, such as strcpy() and strcat() which are amazing for buffer
overflows.
• Fuzzing – Fuzzing is a completely different approach to finding vulnerabilities, it’s a
dynamic analysis that consists of testing the application by throwing malformed or
unexpected data as input. Though its easy to automate, the problem with this
approach is that you can crash an application 70000 times and out of those you get
10 vulns and only 2 are exploitable.
… and messing around with the aplication.
9. More theory
• Every windows application uses memory! The process memory has 3 major components:
• Code segment – Instructions that the CPU executes – EIP keeps track of next
instruction (!very important!)
• Data segment – used for variables, dynamic buffers
• Stack segment – used to pass data /arguments to functions.
• If you want to access the stack memory directly, you can use the ESP (Stack Pointer) which
points at the top (lowest memory address ) of the stack.
• The CPU’s general purpose registers (Intel, x86) are :
• EAX : accumulator : used for performing calculations, and used to store return values from
function calls. Basic operations such as add, subtract, compare use this general-purpose
register
• EBX : base (does not have anything to do with base pointer). It has no general purpose and
can be used to store data.
• ECX : counter : used for iterations. ECX counts downward.
• EDX : data : this is an extension of the EAX register. It allows for more complex calculations
(multiply, divide) by allowing extra data to be stored to facilitate those calculations.
• ESP : stack pointer
• EBP : base pointer
• ESI : source index : holds location of input data
• EDI : destination index : points to location of where result of data operation is stored
• EIP : instruction pointer
For more information on this check the notes for extra links.
10. Tools
• So we are now going to crash our first application.
• Application name: Free MP3 CD Ripper
• Type of Vulnerability: Buffer Overflow
• Tools of Trade: ImmunityDebugger, Mona.py, Python, Notepad++
• ImmunityDebugger – Variant of OllyDbg easily scriptable since its python compatible!
• Mona.py – Amazing script created by Corelan Team that integrates with
ImmunityDebugger and provides lots of functionality for finding vulns and writing
exploits
• Python – Best scripting language ever for fast prototyping and testing shit.
• Notepad++ - Pretty colors on notepad ftw!
• Virtual Machines -
16. Step 2 - Exploit
Developing a working exploit and Integration into Metasploit framework using mona
17. Quick recap
• Where are we at the moment:
• We can crash the app
• We sort of know how much we have to pass onto it to crash it (5k A’s)
• We know we control the EIP! (41414141)
• What do we need:
• Know exactly how much “junk” we have to pass onto it
• Get proper shellcode and pointers without bad characters
18. Getting IT!
• Know exactly how much “junk” we have to pass onto it – Mona can do this for us,
We need to turn our A’s into a cyclic pattern :
!mona pc 5000
• Get proper shellcode and pointers without bad characters – null pointers are bad!
!mona suggest –cpb ‘x00x0ax0d’
24. Quick Recap
• So the process goes likes this:
1. Manage to crash an app using the normal constructors
2. Confirm that we control the registers
3. Create a cyclic pattern and replace it on the constructors
4. Use mona.py suggest to generate the exploit.rb
5. Check if it works out of the box by copying it to correct folder and trying it
6. Fix it if needed
7. Done.
8. (Optional) – Submit module to metasploit development and have it
implemented onto the framework.
25. Step 3 - Metasploit
Learning a bit about metasploit, why you want your exploits integrated and and use it.
26. Metasploit Quick Background
• Exploitation framework
• Is made of lots of different
modules and tools that work
together
• First written in PERL
• Then changed to Ruby (HELL
YEAH!)
• 4 Versions – Pro, Express ,
Community (Free), Development
(Free)
• On the last year more then 1
million downloads were made
• Open sauce
28. Metasploit
• There is a world of functionality within metasploit, however today we will focus only on
meterpreter and a bit of metasm!
• If I was to talk of all the funcionality within metasploit I would need at least a 2 hour slot
only to grasp the top features of this amazing framework.
29. Meterpreter
• Meterpreter is what you could call Shell Ultimate Gold Over 9000 level edition!
• The best way in my opinion to show you the power of meterpreter is to do a demo!
Explaining this Francisco Guerreiro style
30. DEMO 6 - Payload Generation - Normal
DEMO 6.1 - Session established
DEMO 6.2 - Meterpreter First
31. Meterpreter
• This is all really cool ! However not a real scenario, so lets up the stakes a bit!
33. Meterpreter
• There are a few other things about meterpreter I didn’t show you:
• post/windows/gather/smart_hashdump – This module sumps local accounts from SAM Database, if
the target is a Domain Controller it will dump the Domain Account Database.
• post/windows/gather/screen_spy – Get your popcorn, this module makes an almost real time movie
of the targets screen.
• post/windows/gather/enum_shares – This script will enumerate all the shares that are currently
configured on the target
• post/windows/gather/enum_services – This script will enumerate all the services that are currently
configured on the target
• post/windows/gather/enum_computers – This script will enumerate all the computers that are
included in the primary Domain
And my favourites:
post/windows/gather/bitcoin_jacker – Downloads any Bitcoin wallet.dat on the target system.
post/windows/manage/autoroute - Allows you to attack other machines via our first compromised machine (PIVOTING).
38. F.A.Q.
How does Mona deal with:
ASLR:
Mona will, by default, only query non-ASLR and non-rebase modules.
If you can find a memory leak, you can still query ASLR/rebase modules .
For partial overwrite : say you need to overwrite half of the saved return pointer and make
it point to jmp eax from module1.dll, which has base 0xAABB0000, then you could search
for these pointers using
!mona find –type instr –s “jmp eax” –b 0xAABB0000 -t 0xAABBFFFF
This will get you all pointers from that memory region, so you can use the last 2 bytes in the
partial overwrite
39. F.A.Q.
How does Mona deal with:
DEP:
Mona will attempt to automatically generate ROP chains
Also, Usually, people only think about bad chars when creating payload… but especially in
case of ROP chains, a lot of the payload may be pointers
So… when using mona, you can use for example –cpb ‘x00x0ax0dx20’ to exclude
pointers that have those bad chars
(this option is available for any command)
Mona will also create a stackpivot file, which you can use in case of SEH overwrite
40. Becoming a vuln researcher
1st – Corelan.be – Read through the exploit development tutorial - Learn a scripting
language and ASM
2nd – Read “ A Bug Hunter’s diary” – Side by side: Learn how to use tools of the trade such
as: Immunity Dbg, Scapy, WinDbg, IDA.
3rd – Read Metasploit book
4th – Proceed to learn about fuzzing and other techniques.
For extra directions go to: http://myne-us.blogspot.com/2010/08/from-0x90-to-0x4c454554-journey-into.html
41. References
1. Corelan.be – AMAZING Team and you can learn so much on their website and IRC chan
2. https://www.corelan.be/index.php/2011/07/14/mona-py-the-manual/ - Mona stuff
3. www.metasploit.com/modules/
4. http://www.offensive-security.com/metasploit-unleashed/
Simple demo of running multiple wav files built with constructors and app crashes on one of them
DEMO2 - Crash-EIPControl
DEMO 3 - Generate Cyclic Pattern
DEMO4 - Mona-suggest
DEMO5 - Exploit - metasploit - exploitation
DEMO5 - Exploit - metasploit - exploitation
ROP is a generalization of the classic return-to-libc attack that involves leveraging small sequences of instructions, typically function epilogues, at known addresses to execute arbitrary code incrementally. This is achieved by controlling data pointed to by ESP, the stack pointer register, such that each ret instruction results in incrementing ESP and transferring execution to the next address chosen by the attacker.