
Using Guided Missiles in Drivebys

Automatic browser fingerprinting and exploitation with the Metasploit Framework: Browser Autopwn

James Lee

Browser Autopwn
  Auxiliary module for the Metasploit Framework
  Fingerprints a client
  Determines what exploits might work
  Used to suck
  Now it doesn't

Outline
  Intro
  Cluster bombs
  Guided missiles
  Fingerprinting and targeting
  Stealth
  Demos
  Commercial comparison

# whoami
  James Lee
  egypt
  Co-Founder, Teardrop Security
  Developer, Metasploit Project

My Involvement in MSF
  Started submitting patches and bug reports in 2007
  HD gave me commit access in April 2008
  Broke the repo April 2008

The Metasploit Framework
  Created by HD Moore in 2003
    ncurses-based game
    Later became a real exploit framework in perl
  Rewritten in ruby in 2005
    Which is way better than python
  Extensible framework for writing exploits

I <3 MSF
  Modular payloads and encoders
  Many protocols already implemented
  Many non-exploit tools
  All kinds of exploits
    Traditional server-side
    Client-sides

Why Client-sides
  Karmetasploit
  Any other tool that gets you in the middle
  Users are weakest link, blah, blah, blah
    See Chris Gates

Client Exploits in MSF
  Extensive HTTP support
  Heap spray in two lines of code
  Sotirov's .NET DLL, heap feng shui
  Wide range of protocol-level IDS evasion
  Simple exploit in ~10 lines of code

Simple Exploit
  content = %Q|<html><body>
  <object id='obj' classid='...'></object><script>
  #{js_heap_spray}
  sprayHeap(#{payload.encoded}, #{target.ret}, 0x4000);
  obj.VulnMethod(#{[target.ret].pack('V') * 1000});
  </script></body></html>|
  send_response(client, content)

Or Arbitrarily Complex
  ani_loadimage_chunksize is 581 lines of code
  As of June 28, MSF has 85 browser exploit modules

Problem

Solution

Cluster Bomb Approach
  Is it IE? Send all the IE sploits
  Is it FF? Send all the FF sploits
  Originally exploits were ad hoc
    Pain in the ass when new sploits come out

Problem

Solution

Guided Missile Approach
  Better client and OS fingerprinting
  Only send exploits likely to succeed
    Less likely to crash or hang the browser
    Browser is IE7? Don't send IE6 sploits, etc.

Fingerprinting the Client
  User Agent
    Easy to spoof
    Easy to change in a proxy
    A tiny bit harder to change in JS

Fingerprinting the Client
  Various JS objects only exist in one browser
    window.opera, Array.every
  Some only exist in certain versions
    window.createPopup, Array.every, window.Iterator
  Rendering differences and parser bugs
    IE's conditional comments

Internet Explorer
  Parser bugs, conditional comments
    Reliable, but not precise
  ScriptEngine*Version()
    Almost unique across all combinations of client and OS
    Brought to my attention by Jerome Athias

Opera
  window.opera.version()
    Includes minor version, e.g. 9.61

Hybrid Approach for FF
  Existence of document.getElementsByClassName means Firefox 3.0
  If User Agent says IE6, go with FF 3.0
  If UA says FF 3.0.8, it's probably not lying, so use the more specific value

Safari
  Still in progress
  Existence of window.console
    If Firebug is installed on FF, shows up there, too
  Availability of window.onmousewheel
    Defaults to null, so have to check typeof

Fingerprinting the OS
  User Agent
  Could use something like p0f
  From the server side, that's about it

Internet Explorer
  Again, ScriptEngine*Version()
  Almost unique across all combinations of client and OS, including service pack

Opera
  Each build has a unique opera.buildNumber()
  Gives platform, but nothing else

Firefox
  navigator.platform and friends are affected by the User Agent string
  navigator.oscpu isn't
    Linux i686
    Windows NT 6.0

Others
  Really all we're left with is the User Agent
  That's okay, most don't lie
    And those that do are likely to be patched anyway
  Generic, works everywhere when UA is not spoofed
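The client-side decision rules from the fingerprinting slides above (object existence tests, the hybrid Firefox approach, and navigator.oscpu versus the UA string), written out as an added example; this is not Browser Autopwn's own JavaScript. It takes a window-like object instead of the global window so it can run outside a browser; the version regexes and the sample inputs in the usage are assumptions constructed for illustration.

```javascript
// Added illustration, not Browser Autopwn's own code: the client-side rules
// from the slides applied to a window-like object, so it runs under Node with
// constructed inputs. In a browser you would pass the real `window`.
function fingerprintClient(win) {
  var nav = win.navigator || {};
  var ua = nav.userAgent || "";
  var doc = win.document || {};
  var fp = { browser: "unknown", version: null, os: null };

  if (win.opera && typeof win.opera.version === "function") {
    // Opera: window.opera.version() includes the minor version, e.g. "9.61".
    fp.browser = "Opera";
    fp.version = win.opera.version();
  } else if (typeof win.createPopup !== "undefined" ||
             typeof win.ScriptEngineMajorVersion === "function") {
    // IE is the only engine with window.createPopup / ScriptEngine*Version().
    fp.browser = "IE";
    var ie = /MSIE ([\d.]+)/.exec(ua);
    fp.version = ie ? ie[1] : null;
  } else if (typeof win.Iterator !== "undefined" ||
             (win.Array && typeof win.Array.every === "function")) {
    // Firefox: the Array.every generic and window.Iterator are Mozilla-only.
    fp.browser = "Firefox";
    var ff = /Firefox\/([\d.]+)/.exec(ua);
    if (typeof doc.getElementsByClassName === "function") {
      // Hybrid approach: getElementsByClassName means at least 3.0. If the UA
      // agrees (e.g. 3.0.8) keep the more specific value; if it claims IE6 or
      // anything else, it is lying, so fall back to the object-derived 3.0.
      fp.version = (ff && ff[1].indexOf("3.0") === 0) ? ff[1] : "3.0";
    } else {
      fp.version = ff ? ff[1] : null;
    }
  }

  // OS: navigator.oscpu is not affected by a UA override in Firefox, so prefer
  // it; otherwise fall back to the UA, which most clients do not spoof.
  var os = /Windows NT [\d.]+|Linux \w+/.exec(ua);
  fp.os = nav.oscpu || (os ? os[0] : null);
  return fp;
}

// Constructed sample: a Firefox 3 whose UA was changed to claim IE6.
var spoofedFirefox = fingerprintClient({
  Array: { every: function () {} },
  document: { getElementsByClassName: function () {} },
  navigator: { userAgent: "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
               oscpu: "Linux i686" }
});
```

For the spoofed sample the object tests win: the result is Firefox 3.0 on Linux i686, not IE6 on Windows.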

Future Fingerprinting
  QuickTime
  Adobe
  Less well-known third-party stuff

ActiveX
  new ActiveXObject() works if you have the classname
  Otherwise, IE doesn't seem to have a generic way to tell if an ActiveX object got created
    document.write("<object ...>")
    document.createElement("object")

Solution
  typeof(obj.method)
    'undefined' if the object failed to initialize
    'unknown' or possibly a real type if it worked

Target Acquired

What is it Vulnerable to?
  Coarse determination server-side
    Server sends sploits that match the browser and OS, possibly version
  Fine determination client-side
    JavaScript builds fingerprint, sends it back to the server
    navigator.javaEnabled exists, try mozilla_navigatorjava

Select a Missile
  Sort by reliability
  Exploits contain their own JS tests

Problem

Solution

Obfuscation
  Randomize identifiers
  Build strings from other things
  JSON/AJAX
  Obfuscation is not crypto

Encryption
  Put a key in the URL
    Not available in the standalone script
  Simple XOR is enough to beat AV and NIDS
  If they figure it out, it's easy to make the crypto stronger

Demonstrations

And we're back...
  I hope that worked
  Now how do YOU make exploits work within this framework?

Writing Exploits
  Add autopwn_info() to top of exploit class
  :ua_name is an array of browsers this exploit will work against
  :vuln_test is some javascript to test for the vulnerability (unless it's ActiveX)
    Usually comes directly from the exploit anyway

Example: mozilla_navigatorjava
  include Msf::Exploit::Remote::BrowserAutopwn
  # Browser Autopwn metadata: which client this module targets and the
  # JavaScript test that decides whether it is worth sending
  autopwn_info({
    :ua_name    => HttpClients::FF,
    :javascript => true,
    :rank       => NormalRanking, # reliable memory corruption
    :vuln_test  => %Q|
      if (
        window.navigator.javaEnabled &&
        window.navigator.javaEnabled()
      ) {
        is_vuln = true;
      }
    |,
  })

Example: ms06_067_keyframe
  include Msf::Exploit::Remote::BrowserAutopwn
  # ActiveX target: :classid names the control and :vuln_test names the
  # method whose typeof is checked instead of a JavaScript snippet
  autopwn_info({
    :ua_name    => HttpClients::IE,
    :javascript => true,
    :os_name    => OperatingSystems::WINDOWS,
    :vuln_test  => 'KeyFrame',
    :classid    => 'DirectAnimation.PathControl',
    :rank       => NormalRanking # reliable memory corruption
  })

Example: winzip_fileview
  include Msf::Exploit::Remote::BrowserAutopwn
  # Same ActiveX pattern, this time with the control identified by CLSID
  autopwn_info({
    :ua_name    => HttpClients::IE,
    :javascript => true,
    :os_name    => OperatingSystems::WINDOWS,
    :vuln_test  => 'CreateFolderFromName',
    :classid    => '{A09AE68F-B14D-43ED-B713-BA413F034904}',
    :rank       => NormalRanking # reliable memory corruption
  })

Browser Autopwn Summary
  Reliable Target Acquisition
  Smart Missile Selection
  Stealthy from an AV perspective
  Easy to extend
  Detection results stored in a database

Commercial Comparison
  Mpack
  Firepack
  Neosploit
  Luckysploit

Mpack, Firepack
  Hard to acquire
  Old exploits
  Detection is only server-side
  Hard to change or update exploits
  Obfuscation + XOR

Neosploit
  Compiled ELFs run as CGI
  Unless you get the source or do some RE, you won't really know what it does

Luckysploit
  Real crypto (RSA, RC4)
  Even harder to acquire

Browser Autopwn
  Easy to write new exploits or take out old ones
  Free (three-clause BSD license)
  Easy to get (http://metasploit.com)
  Not written in PHP
  OS and client detection is client-side, more reliable in presence of spoofed or borked UA

Future
  More flexible payload selection
  Stop when you get a shell
    Maybe impossible in presence of NAT/proxies
  Easier to use JS obfuscation
  UAProf for mobile devices
  Integration with MetaPhish

Download it
  svn co http://metasploit.com/svn/framework3/trunk
  Submit patches to msfdev@metasploit.com

Thanks
  hdm, valsmith, tebo, mc, cg, Dean de Beer, pragmatk
  Everybody who helped with testing
  Whoever created ActiveX