Date posted: 03-Jul-2015
Uploaded by: bonsai-information-security
Web Application Security Payloads
http://www.bonsai-sec.com/
Andrés Riancho – Lucas Apa
Ekoparty 2010
[email protected]$ whoami
Consultant @ Bonsai Information Security
Penetration Testing and Vulnerability Research
Web Application Security enthusiast
[email protected]$ whoami
Founder @ Bonsai Information Security
Director of Web Security @ Rapid7
Programmer (Python!)
Open Source Evangelist
Deep knowledge in networking, design and IPS evasion.
Project leader: open source w3af
w3af
w3af is a Web Application Attack and Audit Framework.
Open Source tool (GPLv2.0) to detect and exploit Web vulnerabilities.
Plugin based architecture, easily extensible.
Development started in late 2006 in my spare time and has kept growing till the present, when we have multiple contributors around the globe and a full time developer in our office.
Current situation
Exploitation frameworks like Metasploit mainly provide "payloads" to be used in the best case, in other words, when there is control over the execution flow ("exploit for buffer overflow").
Web applications allow us, depending on the vulnerability, to interact with the system in a particular way:
Local file read
File write
SQL command execution
OS command execution
Until now, which post-exploitation steps can we perform in an automated way in an environment where we cannot execute OS commands?
Current situation
Additionally, Web vulnerabilities are mutating ever faster, so their post-exploitation ends up with no defined starting point or final objective.
Many automated tools focus on the particular, on exploiting one vulnerability, emphasizing the how.
It is not defined which information is going to be compromised; the vulnerabilities expire or change.
Design
Small pieces of code running in w3af after exploiting one or more known vulnerabilities.
Every payload is independent of the discovered vulnerabilities: the exploit exports "system calls", which are then used by the payloads. Where an exploit does not provide a call natively, it is emulated on top of the ones it does export:

Exploit              System calls exported   System calls emulated
Local file read      read()                  -
Local file include   read()                  -
OS Commanding        execute()               read(), write(), unlink()
DAV Shell            write()                 execute(), read(), unlink()
File Upload          write()                 execute(), read(), unlink()
Design
Payloads are in general about 100 lines of code that use some of the system calls, for example "running_vm".
~53 payloads developed
Demo #1: "users"
Synergy between payloads
read(): system call to read files.
users: payload that reads /etc/passwd and identifies home directories.
users_config_files: payload which uses the knowledge gained about home directories and looks for configuration files there.
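A simplified model of the design in the two slides above, written as an added example for this page and not taken from w3af itself: each exploit class exports the syscalls the table lists, OSCommandingShell emulates read() on top of execute(), and the two payloads from the synergy slide only ever talk to the syscall layer, so they run unchanged over either exploit. The remote filesystem is a constructed in-memory dict, and the RemoteShell/FileReadShell/OSCommandingShell names and the list of configuration file names are assumptions.

```python
# Constructed stand-in for the remote filesystem so the example runs offline.
REMOTE_FS = {
    "/etc/passwd": (
        "root:x:0:0:root:/root:/bin/bash\n"
        "www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n"
        "alice:x:1000:1000:Alice:/home/alice:/bin/bash\n"
        "bob:x:1001:1001:Bob:/home/bob:/bin/zsh\n"
    ),
    "/home/alice/.ssh/config": "Host bastion\n",
    "/home/bob/.bashrc": "export PATH=$PATH:~/bin\n",
}

class RemoteShell:
    """Base for exploit shells; fs is the constructed remote filesystem."""
    def __init__(self, fs):
        self.fs = fs

class FileReadShell(RemoteShell):
    """Exploit for a local file read vulnerability: exports read() only."""
    def read(self, path):
        return self.fs.get(path, "")

class OSCommandingShell(RemoteShell):
    """Exploit for OS commanding: exports execute(); read() is emulated on top of it."""
    def execute(self, cmd):
        # Toy remote shell that only understands "cat <path>" (constructed).
        return self.fs.get(cmd[4:], "") if cmd.startswith("cat ") else ""
    def read(self, path):
        return self.execute("cat " + path)

def users(shell):
    """Payload "users": parse /etc/passwd through read() and map interactive users to homes."""
    homes = {}
    for line in shell.read("/etc/passwd").splitlines():
        fields = line.split(":")
        if len(fields) == 7 and not fields[6].endswith("nologin"):
            homes[fields[0]] = fields[5]
    return homes

def users_config_files(shell, names=(".bashrc", ".ssh/config")):
    """Payload "users_config_files": reuse users() and probe each home for config files."""
    found = {}
    for user, home in users(shell).items():
        for name in names:
            path = "%s/%s" % (home, name)
            if shell.read(path):
                found.setdefault(user, []).append(path)
    return found
```

Because both payloads depend only on read(), the same code produces the same result whether the underlying exploit is a file read or an OS commanding bug; only the syscall layer changes.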
Demo #2: Synergy between payloads: "users_config_files"
Demo #3: Integration with w3af: "get_source_code"
Conclusions and pending work
Establish this idea as a standard for automated post-exploitation of Web applications.
Develop more payloads for Windows environments.
Research syscall hooking and remote syscall delivery through Web application payloads.
Syscall hierarchy and priority: when more than one syscall exists, which one do we use to communicate with the remote system? The faster one? The more privileged one?
Contribute to the global community by discovering new attack techniques through minimalistic post-exploitation approaches, expanding the information they gather.
Doubts? Questions?
Thank you!