Professional Documents
Culture Documents
Blackhat DC 2010 Bannedit Advanced Command Injection Exploitation 1 Slides
Blackhat DC 2010 Bannedit Advanced Command Injection Exploitation 1 Slides
Metasploit
Develop Codes for stuff
www.metasploit.com
2
C
Command
d Injection
I j ti
Definition
Command injection is an attack method in which a hacker alters
d
dynamically
i ll generatedt d content
t t on a Web
W b page by b entering
t i HTML
code into an input mechanism, such as a form field that lacks
effective validation constraints. A malevolent hacker (also known
as a cracker)) can exploit
p that vulnerability
y to g
gain unauthorized
access to data or network resources. When users visit an affected
Web page, their browsers interpret the code, which may cause
malicious commands to execute in the users' computers and
across their networks
networks.
3
C
Command
d Injection
I j ti
Uhm
Uhm
Really???
4
C
Command
d Injection
I j ti
Definition
An attack technique used to take advantage of a vulnerability
which results in the execution of operating-system commands.
5
C
Command
d Injection
I j ti
Our Focus
OS Command Injection (to be specific)
L
Less useful
f l toolset
t l t tot work
k with
ith compared
d tto UNIX
UNIX, Linux,
Li etc.
t
6
C
Command
d Injection
I j ti
Examples
CVE-2009-3845 HP OpenView NNM Perl CGI
7
C
Command
d Injection
I j ti
Current Exploits
Typically a low level of sophistication
8
C
Command
d Injection
I j ti
Exploitation Considerations
Some Operating
p g Systems
y only
y offer a small set of commands
Bli d injections
Blind i j ti
9
C
Command
d Injection
I j ti
Exploitation Considerations
Commands available on all Operating System targets
Writable/Executable directories
Metacharacter Filters
10
C
Command
d Injection
I j ti
More features
Meterpreter FTW!!!
11
C
Command
d Injection
I j ti
Network Fu
FTP/TFTP
WScript
Fileshares
rcp
12
C
Command
d Injection
I j ti
Pros
Fast downloads
Easily scripted
13
C
Command
d Injection
I j ti
Cons
Firewalls
Web Filters
Reliability
14
C
Command
d Injection
I j ti
Non-network Fu
Debug.exe
g (Not
( supported
pp on Windows Vista/7))
WScript
Scripting.FileSystemObject
batch2binary
15
C
Command
d Injection
I j ti
Pros
Use existing
g connection
Bypasses firewalls
16
C
Command
d Injection
I j ti
Cons
Slower downloads ((need to use buffering
g to prevent
p errors))
Complex scripting
17
C
Command
d Injection
I j ti
Reasonably fast
18
C
Command
d Injection
I j ti
Many options
19
C
Command
d Injection
I j ti
OS Detection
We can use If exists to detect the OS
20
C
Command
d Injection
I j ti
21
C
Command
d Injection
I j ti
Plan of Attack
The most reliable option is Non
Non-Network
Network Fu
22
C
Command
d Injection
I j ti
Demo time!
23
C
Command
d Injection
I j ti
Code review
24
C
Command
d Injection
I j ti
Meterpreter FTW!
An agent which provides a lot of post exploitation capabilities
Dump Hashes
Upload/Download files
Pivoting
25
C
Command
d Injection
I j ti
Conclusion
Current command injection exploitation techniques are lacking
26
C
Command
d Injection
I j ti
Questions?
27