Exploit-based Bandwidth/Network Analysis Framework

Exploit-based Bandwidth/Network Analysis Framework

Matt WeaverUCCS Spring 2007

4/26/2007 Matt Weaver: Exploit/Bandwidth Project 2

Abstract

• Basic bandwidth tools are limited by network security.• An exploit could be used to infect machines on a network and provide

metrics while overcoming the problems inherent in the traditional approach.


Background

• The Morris Worm – Robert Morris @ Cornell through MIT, 1988– Government attention– Unix back doors, bad passwords... hacked any

way possible

• Hindsight: security wasn't a big enough factor.


Related Work• Chen, G. and Gray, R. S. 2006. Simulating non-scanning worms on peer-to-peer networks.

– How worms spread.

– Effectiveness of different styles.

• Kienzle, D. M. and Elder, M. C. 2003. Recent worms: a survey and trends.

– Exploits are not innovative.

• Zou, C. C., Gong, W., and Towsley, D. 2002. Code red worm propagation modeling and analysis.

– Code Red infected Microsoft IIS (Internet Information Server) via buffer overflow.


Buffer Overflow• In C, “strcpy” is not smart.

– No bounds checking.– Write past the end of the buffer.

• void bad_function(char *string)

void bad_function(char *string)

{

char buffer[5];

strcpy(buffer, string);

}

int main(int argc, char* argv[])

{

char a_large_string[] =

"This string is far too big. Far, far too big."; bad_function(a_large_string);

exit(0);

}


Buffer Overflow• In memory:

– Registers...

• EBP (frame base pointer

• EIP (current instruction)

• EAX, ESI, EDI, etc (various uses)

– Each instruction is pushed on the stack. In Windows the stack grows down.


Buffer Overflow• Options:

– We can modify the return address: EBP and EIP will revert to the “calling” frame. If we “muck” with these values, we can modify the return address.

– Overwrite EIP to make some other call (similar to the above)... this is how real exploits work. You must somehow change the flow of execution.

• Shellcode

– Put machine instructions into the “extra” characters. They will look like regular instructions, we just have to jump into them.

• Instruction have addresses where the machine code to execute them exists, these can be found with “dumpbin”.

– In Windows/x86, we can use a NOP sledge (no operation -> “\x90” in Shellcode).

– Hard to get working right in Windows:

• Variable instruction addresses:

– A product of DLL-Hell inherited from VMS

– Changes with patches, updates, and other products installed.

• Security settings introduced in newer MS compilers.


Using Overflow

• In essence, create a new function with shellcode.

• Modify EIP and EBP to point to our new “function”, that is the chunk of memory where our shellcode is loaded.


Exploit Architecture

• Follow the model of Russian exploits (SASSER, SLAMMER):– Surround payload with NOP (no operation)

instructions– Modify EIP to execute our “function”

• We won’t know exactly where it goes, but NOP instructions don’t do anything.



• Guessing part:– Which register holds a

value that points to a memory location in the NOP sledge?

• EAX?• EDI?• …



• The JMP instruction will overwrite EIP.– Hard-coding the JMP instruction is typical of Russian exploits.– Other, more complicated methods of finding instructions at

runtime exist… but they are difficult to code and test.

• No way to know “where” we will jump, but we try until we can get to our NOP sledge.

• kernel32.dll JMP instructions will “JMP EAX”, “JMP EDI”, etc. Since we don’t know what our target is doing…

– We try a few, depending on the system we target (sometimes it just won’t work):• “0x77EA855E”

• “0x77E448E2”• Researchers have done the tricky disassembly debug and made lists for SP0

(ex: https://www.securinfos.info/international-opcodes/).



• Our JMP instruction will be the first thing executed after the overflow, rewriting the old EIP value on the stack:– We don’t want to call it twice… so the payload

has to be “smart”.– Stick the JMP instruction AFTER the payload,

in our “buffer”.


Payload

• The easy part (kind of)!– Tools can generate stable payloads, we can

use Metasploit to generate new payloads for:• Starting a listener (call back with netcat).• Download and execute.• All kinds of things.

– Not all payloads work with all exploits:• OS security features might disable certain calls.• Large payloads are easily detected by IDS…

because legitimate transactions aren’t usually long strings of hex.


Download and Execute• This code will download and

execute, provided:– Correct permissions settings in XP.– Reasonably small executable,

short transfer time, etc.• Shellcode can’t have “\x00”

– C sees this as the end of a string, so that will be stripped, either by the calling client (depending on implementation) or the service.

– Many methods can be used to cleverly replace “\x00”. Metasploit uses the XOR method.

– This code would have an “\x00” following the “cmd” call, for example.

– LSASS exploits can't have: "\x00\x0a\x0d\x5c\x5f\x2f\x2e”


One last thing on shellcode

• Makes or breaks your overflow exploit.– Unfortunately, this isn’t always up to you.– Many variables are beyond your control.

• The payload is easy, it’s the “getting to the payload” that is a “trying” process (pun intended).– If it doesn’t work, find a new exploit… SOL.


sniFF Architecture

• sniFF app starts user buildable exploits (via XML config file and the command line). – Captures data messages from clients.– With certain clients, acts as a sort of “parent

lookup service”– Clients are downloaded and executed on

remote machines.• Some clients will be blocked.• Not all exploits can complete download and execute.• Other options exist.


sniFF Architecture


Tools/Technology• Visual Studio .NET 2002, 2003, 2005.

– C, C++, C#– Utilities integrated into SDK:

• Dumpbin – find addresses• MIDL – compiler for COM

• GCC/GDB (Cygwin and Bloodshed).– C, C++

• Metasploit– Pre-existing exploit and payload generator.

• Write new modules in C or Perl.

– Invaluable in exploit research, writing, and investigation.– Point to point attack only… not concerned with the payload part.

• SPIKE DCE-RPC browser– Inspect COM objects on a given machine

• Ethereal: packet sniffer

• OllyDbg: for debugging dlls... fuzzing.

• VMWare Workstation/Server

• Various incarnations of XP.

• Xcode: gcc/gdb on OS X (bash) for testing, education as Unix provides an easier place to learn.


Lessons Learned• Exploits are nasty to write:

– Win addressing problem

– Not all payloads will work with a given exploit.

• Windows poorly handles security

– Never re-baselined, so lots of buggy code still exists. MS patches usually just move addresses around.

– Exploits that don't work can still crash systems.

– OS level services have mostly been blocked off (or hacked around by MS), newer overflow exploits focus on SQLServer, IIS, etc.

• IT Experts shouldn't know about potential overflows and do nothing to fix them.

– But with new Metasploit modules and new discoveries on milw0rm.com, we can keep trying.


Basically...

• Not like most CS problems:– Little “good” research has been done and

documented.– You are mostly poking around in the dark, when

it comes to development.– Constraints on imagination, versus technology.

• Science versus gambling/hacking/hoping/guessing.


Future Work

• Convert sniFF source to Mono and tinker with: Fedora Core, Ubuntu, Solaris, etc.

• Write working instruction prowler shellcode for Windows:– All available text neglects to do this.– Examples that exist... don't actually work.

• Get SASSER working with downloads.

Aleph One. Smashing the Stack For Fun and Profit. Phrack (Volume seven, issue forty-nine; November 8, 1996). http://www.phrack.org/phrack/49/P49-01

Anderson, Ross. Security Engineering: A Guide to Building Dependable Distributed Systems. New York, NY: John Wiley & Sons, Inc 2001.

Blum, Richard. C# Network Programming. Alameda, CA: Sybex, 2003.

Chen, G. and Gray, R. S. 2006. Simulating non-scanning worms on peer-to-peer networks. In Proceedings of the 1st international Conference on Scalable information Systems (Hong Kong, May 30 - June 01, 2006). InfoScale '06, vol. 152. ACM Press, New York, NY, 29. DOI= http://doi.acm.org/10.1145/1146847.1146876

Erickson, Jon. Hacking: The Art of Exploitation. San Francisco: No Startch Press, 2003.

http://www.phrack.org/phrack/49/P49-01


Davis, Ralph. Win32 Network Programming. New York: Addison-Wesley, 1996.

Irvine, Kip R. Assembly Language For Intel-Based Computers. Saddle Hill, New Jersey: Prentice Hall, 2006.

Kienzle, D. M. and Elder, M. C. 2003. Recent worms: a survey and trends. In Proceedings of the 2003 ACM Workshop on Rapid Malcode (Washington, DC, USA, October 27 - 27, 2003). WORM '03. ACM Press, New York, NY, 1-10. DOI= http://doi.acm.org/10.1145/948187.948189

Koziol, Jack et al. The Shellcoders Handbook. Indianapolis: Wiley Publishing, 2004.

Petkov, K. 2005. Overcoming programming flaws: indexing of common software vulnerabilities. In Proceedings of the 2nd Annual Conference on information Security Curriculum Development (Kennesaw, Georgia, September 23 - 24, 2005). InfoSecCD '05. ACM Press, New York, NY, 127-134. DOI= http://doi.acm.org/10.1145/1107622.1107652

Pfleeger, Charles P and Shari Lawrence Pfleeger. Security in Computing. Saddle Hill, New Jersey: Prentice Hall, 2003.

http://doi.acm.org/10.1145/948187.948189

http://doi.acm.org/10.1145/1107622.1107652


Skape. Understanding Windows Shell code. December 6, 2003. nologin.org. 16 July 2006

Spangler, Ryan. Analysis of the Microsoft Windows LSASS Exploit. Packet Watch. http://www.packetwatch.net/documents/papers/windows-lsass.pdf

Sk. Advances in Windows Shell code. Phrack (Volume seven, issue sixty-two; June 22, 2004).

Zou, C. C., Gong, W., and Towsley, D. 2002. Code red worm propagation modeling and analysis. In Proceedings of the 9th ACM Conference on Computer and Communications Security (Washington, DC, USA, November 18 - 22, 2002). V. Atluri, Ed. CCS '02. ACM Press, New York, NY, 138-147. DOI= http://doi.acm.org/10.1145/586110.586130

http://doi.acm.org/10.1145/586110.586130


Coda• Demo:

– Pieces of sniFF• Clients

– Large client (recursive infection)– Lightweight client.

• Configuration:– Write new exploits, plug them in!

» Lots left to do.• In action:

– Clients run conventionally.– Clients infecting XP no SP running bad service.

» A view of the network.» Ethereal packet data.» Use Metasploit and LSASS (fixed it!) to infect a machine.» Use “bad service” to infect machine.

– Nearest neighbour randomized infection (failure, but examine IPs generated).

• A glance at the framework.


Voila!

• Questions?

Documents

Exploit-based Bandwidth/Network Analysis Framework