HackSim : An Automation of Penetration Testing
POSTECH HPC Lab.
이 승민
2004-07-29

Contents

Introduction

Tutorials for Two Issues

• Safe Pen-Test for Windows

• Remote Exploit Codes for Windows

Demo (?)

Introduction

Topic: Research on Windows vulnerability demonstration techniques (2004)

Research content
• Analysis of the Windows attack techniques used by malicious code such as worms
• Study of remotely exploitable vulnerabilities such as buffer overflows
• Analysis of public remote exploit code and penetration-testing experiments
• Propose a framework that allows code reuse among multiple exploit codes
• Extend the Pen-Test tool for Solaris implemented last year to Windows

Previous project: Research on Solaris vulnerability demonstration techniques
• Research on a vulnerability demonstration framework (2002)
• Research on extending the vulnerability demonstration framework (2003)

Sponsoring organization: 국가보안기술연구소 (National Security Research Institute)

Safe Pen-Test for Windows

Contents of Safe Pen-Test

Introduction

Using Kernel Service

Jump to the Shellcode
• Brute Force & Offline Attack
• Safe Jump

Conclusion

Future Works

Introduction

Application Crash
• After an attack, the application often ends with a crash.
• Such behaviour is easily noticed, so the attack may be detected.
• In some cases it may affect the stability of the whole system.
• In a multithreaded application, the whole application is terminated.

Each stage must work correctly.
• Loading the shellcode onto the target host
• Jumping to the start address of the shellcode
• Using kernel services
• Termination
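The crash-as-signal point above is where a defender starts. The following Python is an added example, not part of the HackSim slides or tool: it runs a small detection over constructed lines in the shape of Windows "Application Error" (Event ID 1000) records, flagging crashes of network-facing service processes, fault addresses made of one repeated byte (what an overwritten return address tends to produce), and repeated crashes of the same image within a few minutes, which is the trace a brute-force search for the start address leaves behind. The watch list, window, threshold and line format are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the shape of Windows "Application Error" records
# (Event ID 1000) exported from the Application log; not real telemetry.
SAMPLE_EVENTS = [
    "2004-07-29 09:58:02 EventID=1000 Faulting application notepad.exe, version 5.1.2600.0, faulting module ntdll.dll, version 5.1.2600.0, fault address 0x00012ab0.",
    "2004-07-29 10:02:11 EventID=1000 Faulting application svchost.exe, version 5.1.2600.0, faulting module rpcss.dll, version 5.1.2600.0, fault address 0x41414141.",
    "2004-07-29 10:02:19 EventID=1000 Faulting application svchost.exe, version 5.1.2600.0, faulting module rpcss.dll, version 5.1.2600.0, fault address 0x41414141.",
    "2004-07-29 10:02:27 EventID=1000 Faulting application svchost.exe, version 5.1.2600.0, faulting module rpcss.dll, version 5.1.2600.0, fault address 0x41414141.",
    "2004-07-29 11:40:00 EventID=1000 Faulting application lsass.exe, version 5.1.2600.0, faulting module lsasrv.dll, version 5.1.2600.0, fault address 0x0000a31c.",
    "this line is not an Application Error record and is skipped",
]

EVENT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) EventID=1000 "
    r"Faulting application (?P<app>[^,]+), version [^,]+, "
    r"faulting module (?P<module>[^,]+), version [^,]+, "
    r"fault address (?P<addr>0x[0-9a-fA-F]+)\.$"
)

# Constructed watch-list of network-facing service processes (assumption; adjust per host).
NETWORK_SERVICES = {"svchost.exe", "lsass.exe", "inetinfo.exe", "sqlservr.exe"}
REPEAT_WINDOW = timedelta(minutes=5)
REPEAT_THRESHOLD = 3


def parse_events(lines):
    """Turn matching lines into dicts; lines that do not match are ignored."""
    events = []
    for line in lines:
        m = EVENT_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "app": m["app"].lower(),
            "module": m["module"].lower(),
            "addr": int(m["addr"], 16),
        })
    return events


def repeated_byte_address(addr: int) -> bool:
    """True for fault addresses such as 0x41414141 made of one repeated non-zero byte.

    A saved return address overwritten by attacker-controlled filler tends to look
    like this, which is a far stronger signal than a crash on its own.
    """
    b = addr.to_bytes(4, "little")
    return b[0] != 0 and len(set(b)) == 1


def analyze_crashes(lines):
    """Return (reason, application, timestamp) alerts for the given log lines."""
    alerts = []
    history = defaultdict(list)   # app -> timestamps of its crashes seen so far
    for ev in sorted(parse_events(lines), key=lambda e: e["ts"]):
        app, ts = ev["app"], ev["ts"]
        if app in NETWORK_SERVICES:
            alerts.append(("network_service_crash", app, ts))
        if repeated_byte_address(ev["addr"]):
            alerts.append(("suspicious_fault_address", app, ts))
        history[app].append(ts)
        recent = [t for t in history[app] if ts - t <= REPEAT_WINDOW]
        if len(recent) == REPEAT_THRESHOLD:
            # Fires on the crash that completes a run of three inside the window.
            alerts.append(("repeated_crash", app, ts))
    return alerts


if __name__ == "__main__":
    for reason, app, ts in analyze_crashes(SAMPLE_EVENTS):
        print(f"{ts} {reason:26} {app}")
```

On the sample the notepad crash produces nothing, each svchost and lsass crash is reported as a service crash, the three 0x41414141 faults are flagged individually, and the third svchost crash inside five minutes adds the repeated-crash alert; the repeated-crash rule is the one that catches the brute-force case the next slides describe.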

Using Kernel Service

System calls in Windows
• Windows supports system calls, but their use is limited.
• Use the Windows API functions located in DLLs instead.

To use Windows API functions
• Load the DLL (Dynamic Link Library)
• Base address of the DLL
• Offset of the API functions within the DLL

Solution
• Find the kernel32.dll base address using the PEB.
• Get the offset from the PE export directory table (EDT).
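To make the "get the offset from the PE export directory table" step concrete, here is an added Python example (not code from the slides or the HackSim tool) that walks the export directory of a PE32 image laid out as it is in memory, the same structure a loader, a debugger or an analysis tool such as a PE dumper reads. It builds a constructed three-export image (not a real kernel32.dll) and resolves names to RVAs through the name, ordinal and address tables; the export names and RVAs in the sample are invented.

```python
import struct

# Offsets from the PE/COFF file format specification (PE32, 32-bit images).
DOS_E_LFANEW = 0x3C            # DWORD: offset of the "PE\0\0" signature
COFF_HEADER_SIZE = 20
OPT_MAGIC_PE32 = 0x10B
DATA_DIRECTORY_OFFSET = 96     # data directory starts 96 bytes into a PE32 optional header
EXPORT_DIRECTORY_ENTRY = 0     # entry 0 of the data directory is the export table


def parse_export_table(image: bytes) -> dict:
    """Return {exported name: RVA} for a PE32 image laid out as it is in memory.

    Once a DLL is mapped, every RVA is just an offset from the base address, which is
    why the base address plus this structure is all that is needed to find a function.
    The sample below is built the same way (RVA == offset into the buffer).
    """
    (e_lfanew,) = struct.unpack_from("<I", image, DOS_E_LFANEW)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt_header = e_lfanew + 4 + COFF_HEADER_SIZE
    (magic,) = struct.unpack_from("<H", image, opt_header)
    if magic != OPT_MAGIC_PE32:
        raise ValueError("only PE32 images are handled in this example")
    export_rva, export_size = struct.unpack_from(
        "<II", image, opt_header + DATA_DIRECTORY_OFFSET + 8 * EXPORT_DIRECTORY_ENTRY)
    if export_rva == 0:
        return {}
    # IMAGE_EXPORT_DIRECTORY: the five DWORDs from offset 20 are NumberOfFunctions,
    # NumberOfNames, AddressOfFunctions, AddressOfNames, AddressOfNameOrdinals.
    n_functions, n_names, funcs_rva, names_rva, ordinals_rva = struct.unpack_from(
        "<IIIII", image, export_rva + 20)
    exports = {}
    for i in range(n_names):
        (name_rva,) = struct.unpack_from("<I", image, names_rva + 4 * i)
        name = image[name_rva:image.index(b"\0", name_rva)].decode("ascii")
        # The ordinal table maps the i-th name to an index into AddressOfFunctions.
        (ordinal,) = struct.unpack_from("<H", image, ordinals_rva + 2 * i)
        if ordinal >= n_functions:
            raise ValueError(f"ordinal {ordinal} out of range for {name}")
        (func_rva,) = struct.unpack_from("<I", image, funcs_rva + 4 * ordinal)
        exports[name] = func_rva
    return exports


def build_sample_image() -> bytes:
    """Constructed minimal PE32 image with three exports; not a real DLL."""
    # Export names must be sorted; the ordinal table deliberately permutes them so the
    # name -> ordinal -> address indirection is exercised.
    names = ["ExitThread", "LoadLibraryA", "WinExec"]
    func_rvas = [0x1080, 0x1000, 0x1040]   # AddressOfFunctions, in ordinal order
    ordinals = [1, 2, 0]                     # ExitThread->1, LoadLibraryA->2, WinExec->0
    img = bytearray(0x400)
    img[0:2] = b"MZ"
    e_lfanew = 0x80
    struct.pack_into("<I", img, DOS_E_LFANEW, e_lfanew)
    img[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    coff = e_lfanew + 4
    # Machine=i386, 0 sections, timestamp, symtab ptr, nsyms, SizeOfOptionalHeader=0xE0, DLL flags
    struct.pack_into("<HHIIIHH", img, coff, 0x14C, 0, 0, 0, 0, 0xE0, 0x2102)
    opt = coff + COFF_HEADER_SIZE
    struct.pack_into("<H", img, opt, OPT_MAGIC_PE32)
    export_dir = 0x200
    struct.pack_into("<II", img, opt + DATA_DIRECTORY_OFFSET, export_dir, 0x100)
    funcs_rva, names_rva, ordinals_rva, strings_rva = 0x240, 0x260, 0x280, 0x2A0
    struct.pack_into("<IIIII", img, export_dir + 20,
                     len(func_rvas), len(names), funcs_rva, names_rva, ordinals_rva)
    struct.pack_into("<" + "I" * len(func_rvas), img, funcs_rva, *func_rvas)
    struct.pack_into("<" + "H" * len(ordinals), img, ordinals_rva, *ordinals)
    cursor = strings_rva
    for i, name in enumerate(names):
        struct.pack_into("<I", img, names_rva + 4 * i, cursor)
        blob = name.encode("ascii") + b"\0"
        img[cursor:cursor + len(blob)] = blob
        cursor += len(blob)
    return bytes(img)


if __name__ == "__main__":
    for name, rva in parse_export_table(build_sample_image()).items():
        print(f"{name:14} RVA 0x{rva:04x}")
```

The same walk applied to a real module mapped in a process is what API-resolution code and debugger symbol lookups both do; an analyst who finds a routine reading offset 0x3C, then the data directory, then these three tables in a sample recognises the pattern immediately.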

Jump to the Shellcode

What we need to know
• Buffer size
• Start address of the shellcode

How to find them
• Brute force attack
• Offline attack

[Figure: stack layout from 0x00000000 (bottom) to 0xFFFFFFFF (top): the buffer, the start address of the shellcode within it, and the saved return address above it.]

Brute Force & Offline Attack (Jump to the Shellcode, 2/4)

Windows does not allow brute-force attacks. Process and thread creation go through the CreateProcess/CreateThread functions, which internally call BaseProcessStart/BaseThreadStart in kernel32.dll; as the code below shows, an unhandled exception in the start routine ends the whole process, so a wrong guess cannot simply be retried.

Knowing the buffer size is trivial in an offline attack. Knowing the start address of the buffer in memory:
• Thread stacks are allocated consecutively in a multithreaded program.
• The start address depends on the version of Windows and the service pack.

    /* kernel32.dll: the start routine runs inside a frame-based handler */
    VOID BaseProcessStart(PROCESS_START_ROUTINE pfnStartAddr) {
        __try {
            ExitThread((pfnStartAddr)());
        }
        __except(UnhandledExceptionFilter(GetExceptionInformation())) {
            ExitProcess(GetExceptionCode());   /* crash terminates the process */
        }
    }

Safe Jump (Jump to the Shellcode, 3/4)

Use the 'jmp esp' instruction
• Opcode bytes 0xFF 0xE4, found in kernel32.dll (at 0x77E44BBD in the figure below)

    #include <string.h>
    extern const char shellcode[];   /* the overlong input */

    void g() {
        char buf[8];
        strcpy(buf, shellcode);      /* overflows the 8-byte buffer */
    }

    void f() {
        char buf[200];
        g();
    }

[Figure: the stacks of g() and f() before and after strcpy, from 0x00000000 (bottom) to 0xFFFFFFFF (top), with esp at the stack of g() and ebp at the stack of f(). After strcpy, the saved return address of g() holds 0x77E44BBD, the address of the 0xFFE4 ('jmp esp') bytes in kernel32.dll, and the frame of f() above it is filled with a 0x9090…9090 NOP sled. When g() returns, esp points just above the overwritten return address, so the jump lands in the sled in the caller's stack.]

Safe Jump (Cont.) (Jump to the Shellcode, 4/4)

[Figure "After Return": as on the previous slide, after g() returns esp points into the stack of f(), where the overflow left the 0x9090…9090 sled; the 0xFFE4 ('jmp esp') at 0x77E44BBD transfers control there.]

[Figure "Large Buffer Case": g() has the 200-byte buffer and f() only 8 bytes, so after the return the shellcode lies in the stack of g(), below esp. The return address is still 0x77E44BBD, but the bytes it lands on in the stack of f() are "SUB ESP, 0xCC" followed by another 0xFFE4, a second 'jmp esp' that moves esp back down into the callee's buffer.]

    void g() {
        char buf[200];
        strcpy(buf, shellcode);      /* large buffer: the copy stays in g()'s frame */
    }

    void f() {
        char buf[8];
        g();
    }

Conclusion

Windows doesn't allow brute-force attacks.

The image of 'jmp esp' makes it easy to guess the start address of the shellcode in a multithreaded environment.
• Load the shellcode in the caller's stack
• One more jump to the callee's stack

It might work well with a dynamic stack method.

But the 'jmp esp' instruction is located at different addresses in different versions of Windows and service packs.

Future Works

Safe Jump
• Survey the image of 'jmp esp/ebx'.
• Implement powerful OS fingerprinting tools.

Safe Termination
• The ExitThread function works well currently.
• We need to verify this method.

Remote Exploit Codes for Windows

Contents of Remote Exploit

Get the Remote Shell
• Issues for Getting the Remote Shell

Get the Remote Exploit
• Public Exploit Codes
• Candidates: RPC DCOM, LSASS
• Analysis Process

Future Work

Issues for Getting the Remote Shell (Get the Remote Shell)

Loading ws2_32.dll using LoadLibrary()
• Push the string "ws2_32" onto the stack.
• Call the LoadLibraryA() function.

Redirecting standard input, output and error to the socket
• Set hStdInput, hStdOutput and hStdError in the STARTUPINFO struct to the connected socket.
• Set the bInheritHandles argument of the CreateProcess() function to TRUE.

Implementation
• Bind Shellcode
• Reverse Shellcode
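The two handle settings above are exactly what a detection can key on: a service process should neither start accepting on a new port nor connect outward, and it should never be the parent of cmd.exe. The Python below is an added example, not part of HackSim, that runs such rules over constructed process-creation and network-connection records in the shape of Sysmon Event 1 and Event 3 and correlates them per PID; the service list, the expected-port baseline, the PIDs and the 192.0.2.10 address are assumptions.

```python
# Constructed watch-list: service images that terminate network requests on a Windows
# host and should never be the parent of an interactive command interpreter.
SERVICE_IMAGES = {"lsass.exe", "svchost.exe", "inetinfo.exe", "sqlservr.exe"}
SHELL_IMAGES = {"cmd.exe", "command.com"}
# Constructed baseline of ports each service is expected to accept connections on;
# 135 (epmap) and 445 (microsoft-ds) are the two the slides discuss.
EXPECTED_LOCAL_PORTS = {
    "svchost.exe": {135},
    "lsass.exe": {445},
    "inetinfo.exe": {80},
    "sqlservr.exe": {1433},
}


def detect_remote_shell(records):
    """Run three rules over process-create and network records, in arrival order.

    A network anomaly marks the service PID as suspect; a shell spawned under a suspect
    PID is reported as a probable remote shell, which is what both the bind and the
    reverse variant on the slides end up doing (CreateProcessA with inherited socket
    handles). A shell under a service PID with no prior network anomaly is still
    reported, at a lower-confidence reason.
    """
    alerts = []
    suspect_pids = set()
    for r in records:
        if r["event"] == "network":
            image = r["image"].lower()
            if image not in SERVICE_IMAGES:
                continue
            if r["initiated"]:
                # Reverse shellcode: the service process connects outward.
                alerts.append(("service_outbound_connection", image, r["pid"]))
                suspect_pids.add(r["pid"])
            elif r["local_port"] not in EXPECTED_LOCAL_PORTS.get(image, set()):
                # Bind shellcode: the service process accepts on a port it never served.
                alerts.append(("service_unexpected_listener", image, r["pid"]))
                suspect_pids.add(r["pid"])
        elif r["event"] == "process_create":
            image, parent = r["image"].lower(), r["parent"].lower()
            if image in SHELL_IMAGES and parent in SERVICE_IMAGES:
                reason = ("remote_shell_suspected" if r["parent_pid"] in suspect_pids
                          else "service_spawned_shell")
                alerts.append((reason, parent, r["pid"]))
    return alerts


# Constructed records in the shape of Sysmon Event 1 (process create) and Event 3
# (network connection); PIDs, ports and the 192.0.2.10 address are invented.
SAMPLE_RECORDS = [
    {"event": "process_create", "image": "svchost.exe", "parent": "services.exe", "pid": 1020, "parent_pid": 672},
    {"event": "network", "image": "svchost.exe", "pid": 1020, "initiated": False, "local_port": 135, "remote_ip": "192.0.2.10"},
    # Bind shellcode pattern: the RPC host starts accepting on 4320, then spawns cmd.exe.
    {"event": "network", "image": "svchost.exe", "pid": 1020, "initiated": False, "local_port": 4320, "remote_ip": "192.0.2.10"},
    {"event": "process_create", "image": "cmd.exe", "parent": "svchost.exe", "pid": 1388, "parent_pid": 1020},
    # Reverse shellcode pattern: lsass.exe connects out to 192.0.2.10:4320, then spawns cmd.exe.
    {"event": "network", "image": "lsass.exe", "pid": 688, "initiated": True, "remote_ip": "192.0.2.10", "remote_port": 4320},
    {"event": "process_create", "image": "cmd.exe", "parent": "lsass.exe", "pid": 1404, "parent_pid": 688},
    # Benign: a logged-in user opens a command prompt from the desktop shell.
    {"event": "process_create", "image": "cmd.exe", "parent": "explorer.exe", "pid": 1500, "parent_pid": 900},
]


if __name__ == "__main__":
    for reason, image, pid in detect_remote_shell(SAMPLE_RECORDS):
        print(f"{reason:28} {image:12} pid={pid}")
```

The ordering matters: the network rule has to see the bind or connect before the process rule sees CreateProcessA, which is the order the mechanism slides that follow list them in, so per-PID state is enough and no look-ahead is needed.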

Bind Shellcode (Get the Remote Shell)

[Figure: bind shellcode. The stack overflow on the vulnerable host runs shellcode that listens on port 4320; the attacker connects to port 4320 and receives a command shell.]

Reverse Shellcode (Get the Remote Shell)

[Figure: reverse shellcode. The attacker listens on port 4320; the shellcode started by the stack overflow on the vulnerable host connects back to the attacker and hands over a command shell.]

Mechanism of Reverse Shellcode (Get the Remote Shell)

Step (API called) : what it does
• find_kernel32 : finds the base address of kernel32.dll.
• startup
• kernel32_symbol_hashes, ws2_32_symbol_hashes : hash lists of the symbols wanted from each DLL
• find_function
• resolve_kernel32_symbols / resolve_symbols_for_dll : finds the addresses of the symbols (functions) related to kernel32.dll.
• resolve_winsock_symbols (calls LoadLibraryA) : finds the addresses of the symbols (functions) related to ws2_32.dll.
• initialize_winsock (calls WSAStartup) : does the preparation needed to create a socket (Windows programming).
• create_socket (calls WSASocket) : creates the socket that will connect to the attacker.
• do_connect (calls connect) : connects to the attacker.
• initialize_process : initializes the process that will create the shell command. The difference from local shellcode is that the hStdInput, hStdOutput and hStdError values of the STARTUPINFO struct must be set to the socket; in addition, bInheritHandles of CreateProcess is set to True.
• execute_process (calls CreateProcessA) : hands a command window to the attacker.
• wait_for_exit (calls WaitForSingleObject) : waits for the attacker's command window to terminate.
• close_fd (calls closesocket) : closes the client socket.
• exit_thread (calls ExitThread) : finishes the attack code.

Mechanism of Bind Shellcode (Get the Remote Shell)

Step (API called) : what it does
• find_kernel32 : finds the base address of kernel32.dll.
• startup
• kernel32_symbol_hashes, ws2_32_symbol_hashes : hash lists of the symbols wanted from each DLL
• find_function
• resolve_kernel32_symbols / resolve_symbols_for_dll : finds the addresses of the symbols (functions) related to kernel32.dll.
• resolve_winsock_symbols (calls LoadLibraryA) : finds the addresses of the symbols (functions) related to ws2_32.dll.
• initialize_winsock (calls WSAStartup) : does the preparation needed to create a socket (Windows programming).
• create_socket (calls WSASocket) : creates the socket that the attacker will connect to.
• bind (calls bind) : prepares to wait for the attacker's connection.
• listen (calls listen) : waits for the attacker's connection.
• accept (calls accept) : accepts the attacker's connection.
• initialize_process : initializes the process that will create the shell command.
• execute_process (calls CreateProcessA) : hands a command window to the attacker.
• wait_for_exit (calls WaitForSingleObject) : waits for the attacker's command window to terminate.
• close_fd (calls closesocket) : closes the client socket and the server socket.
• exit_thread (calls ExitThread) : finishes the attack code.
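Both mechanism slides resolve APIs through hash tables (kernel32_symbol_hashes, ws2_32_symbol_hashes) rather than name strings, which is why an analyst looking at such a sample sees 32-bit constants instead of names. The Python below is an added example, not from the slides: it computes the rotate-right-13 hash that the Metasploit-era find_function routine used (an assumption, since the slides do not give the function), resolves constants back to API names from a candidate list, and scans a constructed byte blob for embedded hash immediates. The candidate names are the APIs the two slides call; the blob is constructed.

```python
import struct

# Candidate export names: the APIs the two mechanism slides call, grouped per DLL.
KERNEL32_APIS = ["LoadLibraryA", "CreateProcessA", "WaitForSingleObject", "ExitThread"]
WS2_32_APIS = ["WSAStartup", "WSASocketA", "connect", "bind", "listen", "accept", "closesocket"]


def ror13_hash(name: str) -> int:
    """32-bit rotate-right-13 hash over the bytes of an export name.

    Assumption: this is the hash used by the find_function routine the step names on
    the slides come from; the slides do not spell it out. For each byte the accumulator
    is rotated right by 13 bits and the byte value is added.
    """
    h = 0
    for b in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF
        h = (h + b) & 0xFFFFFFFF
    return h


def build_hash_table(api_names):
    """Map hash -> list of names (a list, because two names could collide)."""
    table = {}
    for name in api_names:
        table.setdefault(ror13_hash(name), []).append(name)
    return table


def resolve_constants(constants, api_names):
    """Resolve 32-bit constants lifted from a sample to the candidate names hashing to them."""
    table = build_hash_table(api_names)
    return {c: table.get(c, []) for c in constants}


def scan_for_hashes(blob: bytes, api_names):
    """Slide a 4-byte little-endian window over a blob and report known hashes.

    Returns (offset, name) pairs; unaligned offsets are checked too, because hash
    constants in position-independent code are instruction immediates, not aligned data.
    """
    table = build_hash_table(api_names)
    hits = []
    for off in range(len(blob) - 3):
        (value,) = struct.unpack_from("<I", blob, off)
        for name in table.get(value, []):
            hits.append((off, name))
    return hits


# Constructed sample: filler bytes around two hash immediates (not real shellcode).
SAMPLE_BLOB = (
    b"\x90\x90"
    + struct.pack("<I", ror13_hash("LoadLibraryA"))
    + b"\xcc"
    + struct.pack("<I", ror13_hash("WSASocketA"))
    + b"\x00\x00"
)


if __name__ == "__main__":
    print(f"LoadLibraryA -> 0x{ror13_hash('LoadLibraryA'):08x}")
    for off, name in scan_for_hashes(SAMPLE_BLOB, KERNEL32_APIS + WS2_32_APIS):
        print(f"offset {off}: {name}")
```

A constant that resolves to nothing is either an API outside the candidate list or a different hashing scheme; later Metasploit payloads fold a hash of the module name into the constant, so a value lifted from such a sample will not match this function-name-only variant even for the same API.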

Public Exploit Codes (Get the Remote Exploit)
• RPC DCOM
• RPC Locator Service
• MSSQL2000 UDP
• Real Player Server
• Workstation Service
• Telnet Service
• Samba Share Resource
• LSASS

Selected as candidates: RPC DCOM, LSASS

Candidate (Get the Remote Exploit)

RPC DCOM Vulnerability
• The Blaster worm exploits the DCOM RPC vulnerability described in Microsoft Security Bulletins MS03-026 and MS03-039.
• Port 135 (epmap: DCE endpoint resolution)

LSASS Vulnerability
• The Sasser worm attempts to exploit the vulnerability described in Microsoft Security Bulletin MS04-011.
• Port 445 (microsoft-ds: Microsoft-DS)

Why did we select them?
• Exploit codes for general system services
• Used in popular worms

Analysis Process (Get the Remote Exploit)

Checkpoints
• shellcode
• return address

DCOM exploit
• It worked on English Windows XP.
• We found the image (byte pattern) at the return address in English Windows.
• We obtained the address of that image in Korean Windows.
• Using that address, it works on Korean Windows.

LSASS exploit
• The image is "jmp esp" or "jmp ebx", located in kernel32.dll, etc.
• We used their addresses as the return address.

Future Work

Survey more vulnerabilities.

Analyze and modularize the selected exploit codes.
• RPC DCOM
• LSASS

Propose a pen-testing framework for Windows.

Adapt the exploit codes to Linux environments.