Objectives
Penetration Testing
Precompiled Tools
Targeting
TFTP
Advanced Concepts
Testing a TFTP Server for Bugs
Discovering the Bug
Exploiting the TFTP Server
Precompiled Tools
Pros
Can quickly be used
Customer support
Broad user community
Often allow custom scripts or modules
Cons
Limited in scope
Only discover and test known vulnerabilities
Skilled attackers are not relying solely on them
Precompiled tools offer a sense of complacency
Do not perform code coverage or do deep fuzzing
Targeting
General Steps
1. Determine Target Application and Operating System
2. Obtain a Copy of the Application
3. Analyze RFC and Communications Protocols
4. Discover and Record a Crash Condition
5. Analyze Crash Condition for Exploitation Opportunities
There's way more to analyze, but this is a start!
Advanced Penetration Testing - 2009 SANS
Targeting (2)
Our goal is to discover and exploit a Windows program vulnerability!
The techniques we'll cover are applicable to any target or service
We're targeting a TFTP service
Must understand how the protocol works
Developers should follow RFCs
We can leverage the RFC as well
TFTP Server published by TallSoft
Vulnerability discovered in 2008 by Mati Aharoni of Offensive Security
TFTP
Trivial File Transfer Protocol (TFTP)
Simple protocol for transferring files over a network
Clear-text protocol using UDP port 69
Used for transferring files by network devices, VoIP phones and other client-server programs
TFTP Behavior
Connection request is combined with either a read or write request
Blocks of data are sent in a fixed 512 byte size
Each block must be acknowledged for error control
A block less than 512 bytes indicates the end of the stream
Example
Request Type: Read (opcode \x00\x01)
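The RFC 1350 packet layout behind the slides above (the 2-byte opcode, the NUL-terminated filename and mode, the 512-byte DATA blocks and their ACKs, and the short block that ends the stream), as an added Python example that is not part of the SANS deck and not the TallSoft server's code. The request parser is written the way a careful server should check its input: every field is bounded and terminated before it is used. MAX_FILENAME is an assumed local cap (RFC 1350 sets none, which is exactly why a server must choose one before copying into a fixed buffer); the option extension of RFC 2347 is deliberately not accepted, and the sample file and request are constructed inline.

```python
import struct

# TFTP opcodes from RFC 1350
OP_RRQ, OP_WRQ, OP_DATA, OP_ACK, OP_ERROR = 1, 2, 3, 4, 5
BLOCK_SIZE = 512
# Assumption: a local cap on filename length. RFC 1350 itself sets no limit,
# so a server must pick one before copying the name into a fixed buffer.
MAX_FILENAME = 255
MODES = (b"netascii", b"octet", b"mail")


def build_rrq(filename: str, mode: str = "octet") -> bytes:
    """Read request: 2-byte opcode, filename, NUL, mode, NUL."""
    return (struct.pack("!H", OP_RRQ)
            + filename.encode("ascii") + b"\x00"
            + mode.encode("ascii") + b"\x00")


def parse_request(packet: bytes) -> tuple:
    """Parse an RRQ/WRQ with every field bounded and terminated before use.
    Raises ValueError on anything malformed."""
    if len(packet) < 4:
        raise ValueError("too short for a request header")
    (opcode,) = struct.unpack("!H", packet[:2])
    if opcode not in (OP_RRQ, OP_WRQ):
        raise ValueError(f"unexpected opcode {opcode}")
    fields = packet[2:].split(b"\x00")
    # filename NUL mode NUL splits into [filename, mode, b""]; a missing
    # terminator or trailing bytes gives a different shape and is rejected.
    if len(fields) != 3 or fields[2] != b"" or not fields[0] or not fields[1]:
        raise ValueError("malformed request: bad field layout")
    filename, mode = fields[0], fields[1].lower()
    if len(filename) > MAX_FILENAME:
        raise ValueError(f"filename of {len(filename)} bytes exceeds local limit")
    if mode not in MODES:
        raise ValueError(f"unknown transfer mode {mode!r}")
    # decode("ascii") raises UnicodeDecodeError (a ValueError) on non-ASCII bytes
    return opcode, filename.decode("ascii"), mode.decode("ascii")


def is_rejected(packet: bytes) -> bool:
    """True if parse_request refuses the packet."""
    try:
        parse_request(packet)
    except ValueError:
        return True
    return False


def split_into_blocks(payload: bytes) -> list:
    """Server side: cut a file into DATA packets (opcode 3, block number, <=512 bytes).
    The first block shorter than 512 bytes ends the stream, so a payload that is an
    exact multiple of 512 needs a trailing empty DATA block."""
    blocks, block_no, offset = [], 1, 0
    while True:
        chunk = payload[offset:offset + BLOCK_SIZE]
        blocks.append(struct.pack("!HH", OP_DATA, block_no) + chunk)
        offset += BLOCK_SIZE
        block_no += 1
        if len(chunk) < BLOCK_SIZE:
            return blocks


def build_ack(block_no: int) -> bytes:
    """ACK packet: opcode 4 followed by the block number being acknowledged."""
    return struct.pack("!HH", OP_ACK, block_no)


def receive(blocks: list) -> tuple:
    """Client side: accept DATA blocks in order, ACK each, stop at the short block.
    Returns (reassembled bytes, list of ACK packets that would be sent)."""
    received, acks, expected = b"", [], 1
    for pkt in blocks:
        if len(pkt) < 4 or len(pkt) > 4 + BLOCK_SIZE:
            raise ValueError("DATA packet has impossible length")
        opcode, block_no = struct.unpack("!HH", pkt[:4])
        if opcode != OP_DATA or block_no != expected:
            raise ValueError(f"expected DATA block {expected}, got opcode {opcode} block {block_no}")
        data = pkt[4:]
        received += data
        acks.append(build_ack(block_no))
        expected += 1
        if len(data) < BLOCK_SIZE:
            break
    return received, acks


if __name__ == "__main__":
    # Constructed sample exchange: a 1300-byte file needs three DATA blocks.
    request = build_rrq("config.txt")
    print("RRQ   :", request)
    print("parsed:", parse_request(request))
    sample_file = b"A" * 1300
    data, acks = receive(split_into_blocks(sample_file))
    print("blocks:", len(acks), "bytes:", len(data), "intact:", data == sample_file)
    print("oversized filename rejected:", is_rejected(build_rrq("A" * 600)))
```

Running the script with no arguments walks one read transfer end to end; the length check in parse_request is the part a fuzzing run would exercise, since a server that copies the filename before measuring it has no equivalent of that line.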
Tools We Need
Programming/Scripting Language
Python, Perl, Ruby, C
Shellcode
Metasploit, Milw0rm, Custom
An open mind!
Knowledge of OS controls, Opcodes, Tricks
Python
Object-oriented, High-level Programming Language
Very Intuitive
Very Modular
No Manual Compilation
Plays well with other languages: C, C++, Jython, IronPython (.NET)
Good Debugging
Tool: OllyDbg
Software Debugger for Windows
Author: Oleh Yuschuk
Shareware!
Binary Code Analysis
Register Contents, Procedures, API Calls, Patching, memory searching and more!
The header format must be correct to trigger a valid response
Command line scripting is not always the best option
You may want to write a script
No Crash in Olly
Success!
Advanced Concepts
Depending on the OS Version, a number of controls have been added
SafeSEH: Protects SEH pointers against overwrites
ASLR: Randomizes locations of libraries and memory segments
DEP: Prevents code execution on the stack and heap
Security Cookies: Pushes unique values onto the stack and heap during allocations which are checked upon exit or free
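Whether a given Windows image has opted into two of the controls listed above (DEP and ASLR) is recorded per binary in the DllCharacteristics field of the PE optional header, so a tester can read it straight off the file before spending time on a target. The following Python checker is an added example, not code from the SANS deck or from any of the tools it names; the flag values and header offsets are the documented winnt.h ones, and the sample images it inspects are constructed in make_fake_pe (a bare header, not a loadable program). It reports NX_COMPAT (DEP), DYNAMIC_BASE (ASLR) and NO_SEH; SafeSEH lives in the Load Configuration directory's handler table and /GS cookies leave no header bit at all, so those two need a deeper look than this script gives.

```python
import struct

# DllCharacteristics bits from the PE optional header (winnt.h names)
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # image may be relocated: ASLR opt-in
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # image is DEP/NX compatible
IMAGE_DLLCHARACTERISTICS_NO_SEH = 0x0400        # image declares it uses no SEH handlers
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
DLLCHARACTERISTICS_OFFSET = 70  # same offset inside the optional header for PE32 and PE32+


def read_dll_characteristics(image: bytes) -> int:
    """Walk MZ header -> e_lfanew -> PE signature -> COFF header -> optional header
    and return DllCharacteristics. Raises ValueError on a malformed image."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    # COFF file header is 20 bytes; SizeOfOptionalHeader sits at its offset 16
    (size_of_optional,) = struct.unpack_from("<H", image, e_lfanew + 4 + 16)
    opt_hdr = e_lfanew + 4 + 20
    if size_of_optional < DLLCHARACTERISTICS_OFFSET + 2 or len(image) < opt_hdr + size_of_optional:
        raise ValueError("optional header truncated")
    (magic,) = struct.unpack_from("<H", image, opt_hdr)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unknown optional header magic {magic:#x}")
    (dll_characteristics,) = struct.unpack_from("<H", image, opt_hdr + DLLCHARACTERISTICS_OFFSET)
    return dll_characteristics


def mitigations(image: bytes) -> dict:
    """Per-image opt-in flags. The OS policy (e.g. system-wide DEP mode) still decides
    what is actually enforced at run time."""
    dc = read_dll_characteristics(image)
    return {
        "ASLR": bool(dc & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "DEP": bool(dc & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "NO_SEH": bool(dc & IMAGE_DLLCHARACTERISTICS_NO_SEH),
    }


def make_fake_pe(dll_characteristics: int) -> bytes:
    """Constructed, minimal PE32 header (not a loadable program) so the checker can be
    exercised offline without a real executable."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # COFF header: Machine=i386, 0 sections, 224-byte optional header,
    # Characteristics = EXECUTABLE_IMAGE | 32BIT_MACHINE
    coff_header = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)
    optional = bytearray(224)
    struct.pack_into("<H", optional, 0, PE32_MAGIC)
    struct.pack_into("<H", optional, DLLCHARACTERISTICS_OFFSET, dll_characteristics)
    return dos_header + b"PE\x00\x00" + coff_header + bytes(optional)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            print(sys.argv[1], mitigations(f.read()))
    else:
        hardened = make_fake_pe(IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE | IMAGE_DLLCHARACTERISTICS_NX_COMPAT)
        print("hardened sample:", mitigations(hardened))
        print("legacy sample  :", mitigations(make_fake_pe(0)))
```

Pass a path to any .exe or .dll to check a real file; without arguments it inspects the two constructed headers. A clear flag means the image did not opt in, which on a system running DEP in its default "essential Windows programs only" mode usually means the protection is off for that process.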
More Information
Defeating the Stack Based Buffer Overflow Prevention Mechanism of Microsoft Windows 2003 Server by David Litchfield, http://www.nextgenss.com/papers/defeating-w2k3-stackprotection.pdf
Preventing the Exploitation of SEH Overwrites by Skape (Matt Miller), http://www.uninformed.org/?v=5&a=2&t=pdf
SEH Overwrites Simplified v1.01 by Aelphaeis Mangarae, http://www.milw0rm.com/papers/187
Defeating Microsoft Windows XP SP2 Heap protection and DEP bypass by Alexander Anisimov, http://www.maxpatrol.com/defeating-xpsp2-heap-protection.pdf
Reliable Windows Heap Exploits by Matt Conover & Oded Horovitz, http://www.slideshare.net/amiable_indian/reliable-windows-heap-exploits
Third Generation Exploitation by Halvar Flake, www.blackhat.com/presentations/win-usa02/halvarflake-winsec02.ppt
Defeating the Stack Based Buffer Overflow Prevention Mechanism of Microsoft Windows 2003 Server by David Litchfield, http://www.ngssoftware.com/papers/defeating-w2k3-stackprotection.pdf
Heap Feng Shui in JavaScript by Alexander Sotirov, http://www.blackhat.com/presentations/bh-europe-07/Sotirov/Presentation/bh-eu-07sotirov-apr19.pdf
Understanding Windows Shellcode by Skape, http://www.hick.org/code/skape/papers/win32shellcode.pdf
End
Questions?
SANS SEC709 Developing Exploits for Penetration Testers and Security Researchers
stephen@deadlisting.com