Greg Hoglund
Attack Theory
Formalize the Attack Method
Re-Use of Attack Code
Separate the Deployment from the Payload
Payloads can be chosen for desired effect
Details and Restraints of both Payload and Deployment code
Exploits
A BUG in Software New bugs reported every day
automated testing tools
USSR Labs
Application Crash (most common)
Recoverable Exception
Mobile Code (deadly)
File Access (read or write)
Denial of Service
Payload (deployed)
Usually not tied to the bug at all; limited only by imagination, with some restraints.
Injection Vector
Target Dependent
OS Dependent
Application Version Dependent
Protocol Dependent
Encoding Dependent
Payload
Independent of Injection Vector Still Depends on Machine, Processor, etc.
With some exceptions
Mobile Code, just like a Virus
Once established, can spread by any means
Trust; scanning for more bugs
Payload
Denial of Service
use as launching point (arp spoofing)
Worm/Virus
extremely dangerous
Injector/Payload Pairs
One injector works on n qualified hosts
Example: IIS Injector works on ~20% of Web Hosts
Payload
Remote Shell for control
Shutdown Machine
Shutdown ALL Machines on subnet
Types of Injection
Content Based
Characters inserted into a data stream that result in the remote process doing something it shouldn't. The process is still in control.
Buffer Overflow
Poor programming practice subverts the architecture of code execution. The process loses control.
Types of Injection
Trust Based
Boot virus / Floppy / CD (parasite process)
MACRO virus
Email Attachments (Melissa, etc.)
Web Browsing (exploit user's trust, etc.)
Click-thru
Russian KGB
Prior to the 1991 coup attempt, the KGB had viruses intended to shut down US computers in times of war.
Challenges
Injector/Payload size restrictions
tight coding requirements
Stack Injection
Stack is used for execution housekeeping as well as buffer storage.
Stack-based buffer must be filled in the direction of the housekeeping data.
Must overwrite the housekeeping data.
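As an added illustration (not from Hoglund's slides), a C function that fills a stack buffer toward the saved housekeeping data with no length check, next to a bounded version that rejects oversized input; the function names are my own.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16

/* Vulnerable: strcpy stops only at the NUL of the source, so an input
 * longer than NAME_LEN runs past 'name' into the frame's saved
 * housekeeping data (saved frame pointer, return address) above it. */
void greet_unbounded(const char *input) {
    char name[NAME_LEN];
    strcpy(name, input);          /* writes strlen(input)+1 bytes, unchecked */
    printf("hello %s\n", name);
}

/* Hardened: refuse anything that does not fit, and always NUL-terminate.
 * Returns the copied length, or -1 if the input would overflow 'out'. */
int greet_bounded(const char *input, char *out, size_t out_len) {
    size_t n = strlen(input);
    if (n >= out_len) {
        return -1;                /* reject rather than truncate silently */
    }
    memcpy(out, input, n + 1);    /* n + 1 copies the terminator too */
    return (int)n;
}

/* Helper (hypothetical name): applies the bounded copy to a NAME_LEN stack
 * buffer and reports whether the input fit. */
int check_fits(const char *input) {
    char name[NAME_LEN];
    return greet_bounded(input, name, sizeof name);
}
```

The bounded version also refuses the exact-length case (n == out_len) because the terminator would otherwise land one byte past the buffer, the off-by-one mentioned later in the deck.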
[Diagram: address space (code, heap, stack) and housekeeping registers A B C D SP BP IP DI SI FLAG]
Stack Overflow
[Diagram: stack words at addresses 00402000 through 0040201C; the overflowing buffer (bytes CD 20 40 00 0C 68 45 7F) reaches the housekeeping word at 00402008]
Injection is Complete
We control the instruction pointer
[Diagram: the housekeeping word at 00402008 now holds the New Address 04 21 40 00]
Confined Payload
Byte Compression
Use only preloaded functions
Payload doesn't need to build jumptables
Usable functions must be loaded
[Diagram: payload bytes 0D 45 68 77 at 77402014 among stack words 77402010 through 7740201C; registers IP DI SI FLAG, code and heap regions]
Then RET
RET = C3
Guessing where to go
If we jump to the wrong address, the software crashes and the payload doesn't execute
NOP Sled
Execution lands in the sled and slides into the payload
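Defensive counterpart, added here and not part of the deck: a small detector that reports the longest run of 0x90 NOP bytes in a buffer, the signature a content filter or IDS uses to spot a sled. The sample buffers are constructed, not captured traffic.

```c
#include <stddef.h>
#include <stdint.h>

#define NOP 0x90   /* x86 single-byte NOP */

/* Return the length of the longest consecutive run of NOP bytes in buf. */
size_t longest_nop_run(const uint8_t *buf, size_t len) {
    size_t best = 0, cur = 0;
    for (size_t i = 0; i < len; i++) {
        cur = (buf[i] == NOP) ? cur + 1 : 0;
        if (cur > best) best = cur;
    }
    return best;
}

/* 1 if the buffer carries a NOP run of at least 'threshold' bytes.
 * 0x90 also occurs in legitimate binary data, so the threshold is a
 * tunable heuristic, not proof of an attack. */
int looks_like_nop_sled(const uint8_t *buf, size_t len, size_t threshold) {
    return longest_nop_run(buf, len) >= threshold;
}

/* Constructed sample: request text with a 12-byte NOP run embedded. */
static const uint8_t sample_sled[] = {
    'G', 'E', 'T', ' ', '/',
    0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    0x41, 0x42
};

/* Constructed sample: an ordinary request with no NOP bytes at all. */
static const uint8_t sample_clean[] = {
    'G', 'E', 'T', ' ', '/', 'i', 'n', 'd', 'e', 'x', '.', 'h', 't', 'm', 'l'
};

size_t sample_sled_run(void)  { return longest_nop_run(sample_sled, sizeof sample_sled); }
size_t sample_clean_run(void) { return longest_nop_run(sample_clean, sizeof sample_clean); }
```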
Overwrite VTABLE
Must have 2 C++ Objects (on heap)
Injection is complete
Kernel level overflows all over in NT
Off by one errors causing frame pointer overwrite
Multi-stage attacks where you must first get the target into a state before attempting overflow
The effects of URL or MIME encoding
The Payload
NOP Sled
Real Code
DATA
Getting Bearings
call RELOC
RELOC: pop edi
EB 00 00 00 00
edi now has our code address; we can use this as an offset to our data
XOR Protection
Cannot have NULLs in data portion
Build a jumptable
GetProcAddress
Use Jumptable
PE Header
PE OFFSET
Check CRCs
CRC
The Bridge
WININET.DLL
Use DLL functions
InternetOpenURL()
InternetReadFile()
Does all the hard work
Makes payload smaller
Download and Execute any file, anywhere
File stored anonymously; hard to trace
WS2_32.DLL
socket, bind, listen, send, recv, accept
Interrupt Calls
Don't require addresses
Small
Easy to use
Load register with call number
Load register with argument pointer
Interrupt (2 bytes long): CD 2E (interrupt 2E), CD 80 (interrupt 80)
Covert Channel
If exploited process is root or SYSTEM
TDI or NDIS hook session over ACK packets or ICMP
IIS
Patch any point where URL requests are handled; no kernel required
WORMS
Payload searches for new hosts to attack
Trust Exploitation
Sniff passwords on wire
SMB sessions to other NT hosts
NT Registry Alteration
NFS/Drive Sharing
Lysine Deficiency
Worm will die if a certain condition is not met
Existence of File
Existence of Network Entity
Floppy in floppy drive (testing lab)
RECAP
Injection is not the same as payload
Payloads can perform
Denial of Service
WORM
Remote Shell
Rootkit
RECAP
Injection has many challenges
NULL characters
Stack size
Highland/Lowland address
Calling through CPU registers
RECAP
Filters limit what we can use in a payload
Limited OP-CODE sets can still be used to build fully functional programs
RECAP
Our payload is encoded
We can build jumptables
We can load new DLLs and Functions
We can hard-code addresses or load them dynamically
We can use Lysine Deficiency to keep Worms from spreading uncontrolled
Thank You
Your mind is your primary weapon
http://www.rootkit.com
hoglund@ieway.com