Scribd Logo
Upload

Welcome to Scribd!

  • Syscall Proxying Pivoting

    Uploaded by

    yanus0
    187 views20 pages
    This document discusses syscall proxying, which allows processes to make system calls on remote machines. It works by splitting system calls into a client stub and server. The client stub prepares and sends requests to the server, which handles the request and makes the actual system call. This allows tools to be used on one system to access resources on another. Examples given include remote shells, process injection, and pivoting to scan other machines on a local network. Challenges include implementing many system calls and optimizing performance. Syscall proxying provides a way to access and control remote machines.

    Original Description:

    Copyright

    © Attribution Non-Commercial (BY-NC)

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    This document discusses syscall proxying, which allows processes to make system calls on remote machines. It works by splitting system calls into a client stub and server. The client stub prepares and sends requests to the server, which handles the request and makes the actual system call. This allows tools to be used on one system to access resources on another. Examples given include remote shells, process injection, and pivoting to scan other machines on a local network. Challenges include implementing many system calls and optimizing performance. Syscall proxying provides a way to access and control remote machines.

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    187 views20 pages

    Syscall Proxying Pivoting

    Uploaded by

    yanus0
    This document discusses syscall proxying, which allows processes to make system calls on remote machines. It works by splitting system calls into a client stub and server. The client stub prepares and sends requests to the server, which handles the request and makes the actual system call. This allows tools to be used on one system to access resources on another. Examples given include remote shells, process injection, and pivoting to scan other machines on a local network. Challenges include implementing many system calls and optimizing performance. Syscall proxying provides a way to access and control remote machines.

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 20

    Syscall Proxying || Pivoting Systems

    Filipe Balestra Rodrigo Rubira Branco

    filipe@balestra.com.br rodrigo@kernelhacking.com
    rodrigo@risesecurity.org

    http://www.risesecurity.org
    Agenda:

    ­ What is Syscall Proxying?


    - Why Syscall Proxy is better than the open-source Squid?
    - Why not open the Syscall Proxy source-code? Security
    Reasons!
    - Understand the proxy architecture

    http://www.risesecurity.org
    Agenda  (the real one!):

    ­ Background knowledge
    ­ What is Syscall Proxying?
    ­ Why I need it  or  When it's interesting?
    ­ Difficulties
    ­ Some samples
      ­ The Future
    ­ Acknowledges
    ­ References

    http://www.risesecurity.org
    Background Knowledge

    ­ When a process need any resource it must perform a system call to ask
    the operation system for the needed resource.

    ­ Syscall interface are generally offered by the libc (the programmer doesn't 
    need to care about system calls)

    ­ We will discuss syscall proxying under Linux environment, so, some
    aspects:
    * Homogeneous way for calling syscalls (by number)
    * Arguments passed via register (or a pointer to the stack)
    * Little number of system calls
    http://www.risesecurity.org
    Background Knowledge

    http://www.risesecurity.org
    Syscall Interface – Read from a file

    Reader Linux Kernel

    open

    read

    close Disk

    http://www.risesecurity.org
    Syscall Interface – Read from a file

    # strace cat /etc/passwd

    execve("/bin/cat", ["cat", "/etc/passwd"], [/* 17 vars */]) = 0
    ...
    open("/etc/passwd", O_RDONLY|O_LARGEFILE) = 3
    ...
    ...
    read(3, "root:x:0:0:root:/root:/bin/bash\n"..., 4096) = 1669
    ...
    close(3)                                = 0

    ­ As we can see using the strace program, even a simple command uses
    many syscalls to accomplish the task

    http://www.risesecurity.org
    Syscall Interface – Passing arguments using
    registers

    ­ EAX holds the system call number

    ­ EBX, ECX, EDX, ESI and EDI are the arguments (some system
    calls, like socket call can use the stack to pass arguments)

    ­ Call int $0x80 (software interrupt)

    ­ Value is returned in EAX

    http://www.risesecurity.org
    What is Syscall Proxying?
    ­ The idea is to split the default syscall functionality in two steps:

    * A client stub
    Receives the requests for resources from the programs
    Prepair the requests to be sent to the server (called marshalling)
    Send requests to the server
    Marshall back the answers

    * A syscall proxy server
    Handle request from the client
    Convert the request in the native form (in our case, just linux)
    Calls the asked system call
    Sends back the response
    http://www.risesecurity.org
    I don't wanna ask again! What a Hell is
    Syscall Proxying?

    ­ A way to use many tools without install anything in an owned machine
    (in an attack or in a penetration test)

    ­ Just play with the memory

    ­ Use your own tools (for your own native system) and don't care about
    what is the operation system owned (the syscall proxy server for sure need to
    be coded for many operation systems)

    ­ Pivoting is because you can use the syscall proxy server to attack many
    other servers in the local network of the syscall proxy

    http://www.risesecurity.org
    Syscall Interface – Read from a file

    Reader Client Syscall Linux 


    Stub Server Kernel

    h_open
    sys_send
    open
    h_read
    sys_send
    h_close read Disk
    sys_send
    close

    http://www.risesecurity.org
    Why I need it or When it's interesting?
    ­ The syscall proxy server can be injected in a remote process and offer
    an interface to the underlying operation system (including remotely 'local'
    privilege escalation)

    ­ You can use any tools you like to your own system, without change
    then (if you use LD_PRELOAD) 

    ­ The local process you are running under the stub does not know it is
    running remotely

    ­ Easily infection of remote process and the kernel itself (using the
    IDT patch you can easily execute arbitrary commands in the kernel – showed
    by me in the latest Hackers to Hackers Conference)
    http://www.risesecurity.org
    Difficulties

    ­ RPC does the same idea that we have showed, but the problem is
    in the server­side we have lots of complexity

    ­ We need a small piece of code in the server­side, because it will be
    injected in the vulnerable program

    ­ To accomplish that, we have in the client­side the 'image' of the stack­state
    of the server­side

    http://www.risesecurity.org
    Difficulties
    Server
    Process

    Pack Arguments Read Request

    Pseudo Stack Stack
    Send to the server and wait
    Pop Operation
    for a reply
    Create the request with  Registers
    Send back
    syscall data
    the stack block
      Received a response from the server as reply int $0x80
    Unpack results Restore the
    http://www.risesecurity.org Stack
    Difficulties
    ­ In the beginning of a connection, the server returns its ESP
    Client Request Server Stack
    filename (pointer) 0x00
    flags
    The request ESP
    mode

    DATA local vars EBP


    saved ESP
            0xbfffffff

    http://www.risesecurity.org
    Some Samples

    ­ Remote Shell using syscall proxying

    ­ Remote Process Injection (using ptrace – be explained in another
    h2hc 3 presentation)

    ­ Remote Scanning (pivoting system) 

    ­ Remote Kernel Infection (not using IDT patch – explained in my
    presentation at h2hc 2)

    http://www.risesecurity.org
    The Future

    ­ Finish the stub implementation of more system calls

    ­ Have a better version of the syscall proxy server for *BSD systems

    ­ Optimize the size of the syscall proxy server

    ­ Optimize the speed of execution of the syscall proxy scheme (for
    remotely sniffing sections)

    http://www.risesecurity.org
    Acknowledges
    - RISE Security

    - H2HC Organization? I'm included!

    - Casek from UberWall for some news and


    ideas

    - Tiago Assumpção – First person to talk


    with me about it (~2003)

    - Ramon de Carvalho Valle from RISE -


    Assembly Master

    - Your patience!

    - Without friends, we are nothing,


    let's drink!
    http://www.risesecurity.org
    References
    ­ Syscall Proxying – Simulating Remote Execution by Maximiliano Caceres
    http://www.coresecurity.com/blackhat2002.htm ­> This presentation are embased in lot of
    ideas and samples showed here

    ­ Syscall Proxying fun and applications by Casek
    http://events.ccc.de/congress/2005/fahrplan/events/553.en.html ­> The sample injection
    and scan codes are ideas shared by Casek in his presentation

    ­ RISE Security ­ http://www.risesecurity.org

    ­ Personal Website ­ http://www.kernelhacking.com/rodrigo

    http://www.risesecurity.org
    END! Really is?

    DOUBTS ?
    Filipe Balestra Rodrigo Rubira Branco
    filipe@balestra.com.br rodrigo@kernelhacking.com
    rodrigo@risesecurity.org

    http://www.risesecurity.org

    You might also like