Syscall Proxying Pivoting Systems

Similar documents
Syscall Proxying - Simulating remote execution Maximiliano Caceres <maximiliano.caceres@corest.com> Copyright 2002 CORE SECURITY TECHNOLOGIES

64-Bit NASM Notes. Invoking 64-Bit NASM

Kernel Intrusion Detection System

The Plan Today... System Calls and API's Basics of OS design Virtual Machines

OS Virtualization Frank Hofmann

Assembly Language: Function Calls" Jennifer Rexford!

W4118 Operating Systems. Junfeng Yang

Return-oriented programming without returns

Systems Design & Programming Data Movement Instructions. Intel Assembly

Abysssec Research. 1) Advisory information. 2) Vulnerable version

Encryption Wrapper. on OSX

Application-Level Debugging and Profiling: Gaps in the Tool Ecosystem. Dr Rosemary Francis, Ellexus

CS412/CS413. Introduction to Compilers Tim Teitelbaum. Lecture 20: Stack Frames 7 March 08

Hacking Techniques & Intrusion Detection. Ali Al-Shemery arabnix [at] gmail

Software Vulnerabilities

Lecture 27 C and Assembly

CHAPTER 6 TASK MANAGEMENT

For a 64-bit system. I - Presentation Of The Shellcode

There s a kernel security researcher named Dan Rosenberg whose done a lot of linux kernel vulnerability research

Evading Infrastructure Security Mohamed Bedewi Penetration Testing Consultant

esrever gnireenigne tfosorcim seiranib

PuttyRider. With great power comes great responsibility. # Pivoting from Windows to Linux in a penetration test. Adrian Furtunã, PhD adif2k8@gmail.

Off-by-One exploitation tutorial

Hotpatching and the Rise of Third-Party Patches

Integrated Network Vulnerability Scanning & Penetration Testing SAINTcorporation.com

Example of Standard API

Windows XP SP3 Registry Handling Buffer Overflow

Lecture 7: Machine-Level Programming I: Basics Mohamed Zahran (aka Z)

CYBERTRON NETWORK SOLUTIONS

Threat Intelligence Pty Ltd Specialist Security Training Catalogue

Instruction Set Architecture

Buffer Overflows. Security 2011

Socket = an interface connection between two (dissimilar) pipes. OS provides this API to connect applications to networks. home.comcast.

Stack Overflows. Mitchell Adair

Automated Penetration Testing with the Metasploit Framework. NEO Information Security Forum March 19, 2008

Under The Hood: The System Call

Web Application Security Payloads. Andrés Riancho Director of Web Security OWASP AppSec USA Minneapolis

Hands-on Hacking Unlimited

Defense in Depth: Protecting Against Zero-Day Attacks

Last Class: OS and Computer Architecture. Last Class: OS and Computer Architecture

Introduction. Figure 1 Schema of DarunGrim2

OPERATING SYSTEM SERVICES

Testing for Security

Introduction to Operating Systems. Perspective of the Computer. System Software. Indiana University Chen Yu

Format string exploitation on windows Using Immunity Debugger / Python. By Abysssec Inc

ELEC 377. Operating Systems. Week 1 Class 3

Upon completion of this chapter, you will able to answer the following questions:

Intel 8086 architecture

Code Injection From the Hypervisor: Removing the need for in-guest agents. Matt Conover & Tzi-cker Chiueh Core Research Group, Symantec Research Labs

Fighting malware on your own

TODAY, FEW PROGRAMMERS USE ASSEMBLY LANGUAGE. Higher-level languages such

Reverse Engineering and Computer Security

Worms, Trojan Horses and Root Kits

Lecture 7: Java RMI. CS178: Programming Parallel and Distributed Systems. February 14, 2001 Steven P. Reiss

Certified Ethical Hacker (CEH) Ethical Hacking & Counter Measures Course 9962; 5 Days, Instructor-Led

HP ProLiant Essentials Vulnerability and Patch Management Pack Planning Guide

Programming from the Ground Up

CVE Adobe Flash Player Integer Overflow Vulnerability Analysis

Penetration Testing Walkthrough

IceWarp to IceWarp Server Migration

Configuring Security for FTP Traffic

Exceptions in MIPS. know the exception mechanism in MIPS be able to write a simple exception handler for a MIPS machine

CSC 2405: Computer Systems II

Make a folder named Lab3. We will be using Unix redirection commands to create several output files in that folder.

Introduction. What is an Operating System?

Understanding a Simple Operating System

Port Scanning and Vulnerability Assessment. ECE4893 Internetwork Security Georgia Institute of Technology

System Security Fundamentals

Kernel Types System Calls. Operating Systems. Autumn 2013 CS4023

Betriebssysteme KU Security

Advanced Mac OS X Rootkits. Dino Dai Zovi Chief Scientist Endgame Systems

RISC-V Software Ecosystem. Andrew Waterman UC Berkeley

CS:APP Chapter 4 Computer Architecture Instruction Set Architecture. CS:APP2e

CSE331: Introduction to Networks and Security. Lecture 15 Fall 2006

Programming from the Ground Up. Jonathan Bartlett

An Implementation Of Multiprocessor Linux

Malware Analysis Quiz 6

Symantec Cyber Readiness Challenge Player s Manual

PCI-SIG ENGINEERING CHANGE REQUEST

Where s the FEEB? The Effectiveness of Instruction Set Randomization

The BackTrack Successor

Securing shared hosting using CageFS

ITEC441- IS Security. Chapter 15 Performing a Penetration Test

COMMMUNICATING COOPERATING PROCESSES

Objectives. Chapter 2: Operating-System Structures. Operating System Services (Cont.) Operating System Services. Operating System Services (Cont.

Toasterkit - A NetBSD Rootkit. Anthony Martinez Thomas Bowen

REPORT ON AUDIT OF LOCAL AREA NETWORK OF C-STAR LAB

sys socketcall: Network systems calls on Linux

Understanding Virus Behavior in 32-bit Operating Environments

Linux Driver Devices. Why, When, Which, How?

Pen Testing Methodology Gueststealer TomCat Zero Day Directory Traversal VASTO

KVM: A Hypervisor for All Seasons. Avi Kivity avi@qumranet.com

Penetration Test Methodology on Information-Security Product Utilizing the Virtualization Technology

CS 416: Opera-ng Systems Design

Securing your Virtual Datacenter. Part 1: Preventing, Mitigating Privilege Escalation

Linux Kernel Architecture

Transcription:

Syscall Proxying Pivoting Systems Filipe Balestra filipe@balestra.com.br Rodrigo Rubira Branco rodrigo@kernelhacking.com rodrigo@risesecurity.org

Agenda: What is Syscall Proxying? - Why Syscall Proxy is better than the open-source Squid? - Why not open the Syscall Proxy source-code? Security Reasons! - Understand the proxy architecture

Agenda (the real one!): Background knowledge What is Syscall Proxying? Why I need it or When it's interesting? Difficulties Some samples The Future Acknowledges References

Background Knowledge When a process need any resource it must perform a system call to ask the operation system for the needed resource. Syscall interface are generally offered by the libc (the programmer doesn't need to care about system calls) We will discuss syscall proxying under Linux environment, so, some aspects: * Homogeneous way for calling syscalls (by number) * Arguments passed via register (or a pointer to the stack) * Little number of system calls

Background Knowledge http://www.risesecurity.org

Syscall Interface Read from a file http://www.risesecurity.org Reader Linux Kernel open read close Disk

Syscall Interface Read from a file http://www.risesecurity.org # strace cat /etc/passwd execve("/bin/cat", ["cat", "/etc/passwd"], [/* 17 vars */]) = 0... open("/etc/passwd", O_RDONLY O_LARGEFILE) = 3...... read(3, "root:x:0:0:root:/root:/bin/bash\n"..., 4096) = 1669... close(3) = 0 As we can see using the strace program, even a simple command uses many syscalls to accomplish the task

Syscall Interface Passing arguments using registers http://www.risesecurity.org EAX holds the system call number EBX, ECX, EDX, ESI and EDI are the arguments (some system calls, like socket call can use the stack to pass arguments) Call int $0x80 (software interrupt) Value is returned in EAX

What is Syscall Proxying? The idea is to split the default syscall functionality in two steps: * A client stub Receives the requests for resources from the programs Prepair the requests to be sent to the server (called marshalling) Send requests to the server Marshall back the answers * A syscall proxy server Handle request from the client Convert the request in the native form (in our case, just linux) Calls the asked system call Sends back the response http://www.risesecurity.org

I don't wanna ask again! What a Hell is Syscall Proxying? A way to use many tools without install anything in an owned machine (in an attack or in a penetration test) Just play with the memory Use your own tools (for your own native system) and don't care about what is the operation system owned (the syscall proxy server for sure need to be coded for many operation systems) Pivoting is because you can use the syscall proxy server to attack many other servers in the local network of the syscall proxy

Syscall Interface Read from a file http://www.risesecurity.org Reader Client Stub Syscall Server Linux Kernel h_open h_read h_close sys_send open sys_send read sys_send close Disk

Why I need it or When it's interesting? The syscall proxy server can be injected in a remote process and offer an interface to the underlying operation system (including remotely 'local' privilege escalation) You can use any tools you like to your own system, without change then (if you use LD_PRELOAD) The local process you are running under the stub does not know it is running remotely Easily infection of remote process and the kernel itself (using the IDT patch you can easily execute arbitrary commands in the kernel showed by me in the latest Hackers to Hackers Conference)

Difficulties RPC does the same idea that we have showed, but the problem is in the server side we have lots of complexity We need a small piece of code in the server side, because it will be injected in the vulnerable program To accomplish that, we have in the client side the 'image' of the stack state of the server side

Difficulties Process Pack Arguments Pseudo Stack Create the request with syscall data Received a response from the server Unpack results Send to the server and wait for a reply http://www.risesecurity.org Send back the stack block as reply Server Read Request Stack Pop Operation Registers int $0x80 Restore the Stack

Difficulties In the beginning of a connection, the server returns its ESP Client Request filename (pointer) flags mode Server Stack The request 0x00 ESP DATA local vars saved ESP EBP 0xbfffffff

Some Samples Remote Shell using syscall proxying Remote Process Injection (using ptrace be explained in another h2hc 3 presentation) Remote Scanning (pivoting system) Remote Kernel Infection (not using IDT patch explained in my presentation at h2hc 2)

The Future Finish the stub implementation of more system calls Have a better version of the syscall proxy server for *BSD systems Optimize the size of the syscall proxy server Optimize the speed of execution of the syscall proxy scheme (for remotely sniffing sections)

Acknowledges - RISE Security - H2HC Organization? I'm included! - Casek from UberWall for some news and ideas - Tiago Assumpção First person to talk with me about it (~2003) - Ramon de Carvalho Valle from RISE - Assembly Master - Your patience! - Without friends, we are nothing, let's drink! http://www.risesecurity.org

References Syscall Proxying Simulating Remote Execution by Maximiliano Caceres http://www.coresecurity.com/blackhat2002.htm > This presentation are embased in lot of ideas and samples showed here Syscall Proxying fun and applications by Casek http://events.ccc.de/congress/2005/fahrplan/events/553.en.html > The sample injection and scan codes are ideas shared by Casek in his presentation RISE Security http://www.risesecurity.org Personal Website http://www.kernelhacking.com/rodrigo

END! Really is? DOUBTS? Filipe Balestra filipe@balestra.com.br Rodrigo Rubira Branco rodrigo@kernelhacking.com rodrigo@risesecurity.org

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information