On the Nature of Exploit Code, Iván Arce.

Slide 1

Pacific Security 2004 | November 11-12 2004 | Tokyo, Japan
On the Quality of Exploit Code
Iván Arce, Core Security Technologies, 46 Farnsworth St, Boston, MA 02210
Ph: (617) 399-6980, www.coresecurity.com

Slide 2

OUTLINE
- Prologue: Context and definitions
- Why exploit code?
- Quality metrics
- Examples
- Epilogue: Future work

Slide 3


Slide 4

VULNERABILITIES & EXPLOITS
Let's begin by clarifying some common terminology.
- Vulnerability (noun): "A flaw in a system that, if used by an attacker, can potentially affect the security of said system." Also: security bug, security flaw, security hole.
- Exploit (verb): "To use or manipulate to one's advantage" (Webster).
- Exploit (noun): "A security hole, or an instance of taking advantage of a security hole."

Slide 5

EXPLOIT CODE
Exploit code is not only "proof of concept".
- Proof of Concept exploit, PoC (noun): A software program or tool that exploits a vulnerability with the sole purpose of demonstrating its existence.
- Exploit code (noun): A software program or tool developed to exploit a vulnerability in order to achieve a specific goal. Possible goals: denial of service, arbitrary execution of code, etc.

Slide 6

WHY TALK ABOUT EXPLOIT CODE?
A growing role in the infosec practice.

Slide 7

ANATOMY OF A REAL WORLD ATTACK
Diagram labels: Attacker, Base Camp.
- A target server is attacked and compromised.
- The acquired server is used as a vantage point to penetrate the corporate network.
- Further attacks are executed as an internal user.
- This kind of attack uses exploit code...

Slide 8

EXPLOIT CODE FUNCTIONALITY
Exploit code becomes more sophisticated.
- Add a simple "listen shell":
  echo "ingreslock stream tcp nowait root /bin/sh -i" >> /tmp/bob ; /usr/sbin/inetd -s /tmp/bob &
- Add an account to the compromised system:
  echo "sys3:x:0:103::/:/bin/sh" >> /etc/passwd ; echo "sys3:1WXmkX74Ws8fX/MFI3.j5HKahNqIQ0:12311:0:99999:7:::" >> /etc/shadow
- Execute a "bind shell".
- Execute a "reverse shell".
- Deploy and execute a multi-purpose agent: command shell, FTP, TFTP, IRC, "zombies", sniffers, rootkits...
- Deploy and execute an agent that re-uses the existing connection.
- Deploy and execute an agent that has low-level interaction with the OS: syscall proxying.
- And more shellcode advances... loader payloads, InlineEgg, ShellForge, polymorphism, reusable components, encodings, etc.
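The two persistence payloads on this slide (a network service handed straight to a shell, and an extra uid-0 account) leave exactly the kind of configuration trace that slide 28 later calls "system contamination". The following added example, not part of the original deck, shows how a defender can spot both in inetd.conf-style and passwd-style text; the sample lines are constructed for the example.

```python
"""Detect two of the persistence artifacts listed on the slide, a network service
bound directly to a shell and an extra uid-0 account, in inetd.conf- and
passwd-style text. Sample lines below are constructed for the example."""
import os

SHELLS = {"sh", "bash", "ksh", "csh", "tcsh", "zsh", "dash"}

# Constructed sample: the slide's injected entries mixed with benign ones.
SAMPLE_INETD = [
    "# <service> <socket> <proto> <wait> <user> <server> <args>",
    "ftp     stream tcp nowait root /usr/sbin/in.ftpd in.ftpd",
    "ingreslock stream tcp nowait root /bin/sh -i",
]
SAMPLE_PASSWD = [
    "root:x:0:0:root:/root:/bin/bash",
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin",
    "sys3:x:0:103::/:/bin/sh",
]

def parse_inetd_line(line):
    """Split one inetd.conf line into its fields; None for comments/blank/short lines."""
    fields = line.split()
    if not fields or fields[0].startswith("#") or len(fields) < 6:
        return None
    return {"service": fields[0], "proto": fields[2], "user": fields[4],
            "server": fields[5], "args": fields[6:]}

def suspicious_inetd_entries(lines):
    """Return (service, reason) for entries whose server program is a shell."""
    hits = []
    for line in lines:
        entry = parse_inetd_line(line)
        if entry and os.path.basename(entry["server"]) in SHELLS:
            reason = "shell as server"
            if entry["user"] == "root":
                reason += ", runs as root"
            hits.append((entry["service"], reason))
    return hits

def suspicious_passwd_entries(lines):
    """Return names of uid-0 accounts other than root (a classic backdoor account)."""
    hits = []
    for line in lines:
        fields = line.strip().split(":")
        if len(fields) == 7 and fields[2] == "0" and fields[0] != "root":
            hits.append(fields[0])
    return hits

if __name__ == "__main__":
    print(suspicious_inetd_entries(SAMPLE_INETD))
    print(suspicious_passwd_entries(SAMPLE_PASSWD))
```

Because the slide's inetd line is fed through a temporary file rather than /etc/inetd.conf, a real check would also have to look at the running inetd's command line (its -s argument), which the example does not cover.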

Slide 9

A RECENT TREND IN THE INDUSTRY
Exploit code becomes a "valuable asset".
- Detailed information about vulnerabilities has value.
- Exploit code is being bought and sold.
- Included in commercial software offerings.
- Exploit code development training.
- Several books on exploiting software and exploit code development: "Exploiting Software", Hoglund & McGraw; "The Shellcoder's Handbook", Koziol et al.; "Hacking: The Art of Exploitation", Jon Erickson.

Slide 10

WHAT CAN I DO WITH MY EXPLOITS?
Some legitimate uses for exploit code:
- Penetration testing
- Test and fine-tune firewall configurations
- Test and fine-tune IDS configurations
- Test incident response capabilities
- Vulnerability management

Slide 11

EXPLOIT CODE & PENETRATION TESTING
The penetration testing process. Diagram labels: Penetration Testing, Using Exploits.

Slide 12

EXPLOIT CODE & FIREWALLS
Using exploits to test and configure firewalls. Diagram label: Firewall configuration and testing.

Slide 13

EXPLOIT CODE & INTRUSION DETECTION SYSTEMS
Using exploits to test and configure Intrusion Detection Systems. Diagram label: IDS configuration and testing.

Slide 14

THE VULNERABILITY MANAGEMENT PROCESS
Vulnerability management: the "scan and patch" approach. Diagram labels: Vulnerability Management; Discover, Scan, Report, Resolve, Prioritize.

Slide 15

IMPROVED VULNERABILITY MANAGEMENT PROCESS
Use exploit code to minimize errors and prioritize better. Diagram labels: Vulnerability Management + Exploit Code; Discover, Scan, Report, Resolve, Attack (Using Exploits).

Slide 16

AN ADDITIONAL IMPROVEMENT
Use exploit code to verify that mitigation was done correctly. Diagram labels: Vulnerability Management + Exploit Code + Verification; Discover, Scan, Verify, Report, Resolve, Attack (Using Exploits).

Slide 17

VULNERABILITY MANAGEMENT & PENETRATION TESTING COMBO
Combine vulnerability management and penetration testing. Diagram labels: Vulnerability Management + Rapid Penetration Testing; Discover, Report, Verify, Resolve, Attack (Using Exploits).

Slide 18


Slide 19

QUALITY METRICS FOR EXPLOIT CODE
The legitimate uses of exploit code call for quality metrics.
- There are several legitimate uses for exploit code.
- We need to understand the strengths and limitations of the tools we use.
- A taxonomy will help organize our understanding of our tools.
- Metrics provide a more objective way of measuring exploit code quality.
- Caveat: taxonomies and metrics are arbitrary.

Slide 20

QUALITY METRICS FOR EXPLOIT CODE
What do we use the metrics for?
- Measure the quality of our exploits.
- Comparative analysis.
- Guidance for R&D.
- Measure their applicability to solving real problems.
- Improve the security processes that use exploit code as a component.

Slide 21

EXPLOIT CODE INTERNALS
A few more definitions are needed...
- Remote exploit: A program or tool that does not require legitimate access to the vulnerable system in order to exploit the security flaw.
- Exploit payload: The component of the exploit code that executes the desired functionality after successful exploitation of a vulnerable system. Example payloads: "add inetd service", "add account", "bind shell", "reverse shell".

Slide 22

EXPLOIT CODE INTERNALS
A few more definitions are needed...
- Exploit attack vector: The means used by the exploit code to trigger the vulnerability on the target system.
- Example: MS04-011 "Microsoft SSL PCT vulnerability" (CAN-2003-0719)
  http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0719
  http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
  http://www.securityfocus.com/archive/1/361836
  One vulnerability with seven attack vectors: MS IIS/Exchange ports https:443, smtp:25, imap:993, pop3:995, nntp:563; MS Active Directory ports ldaps:636, globalcatLDAPssl:3269.

Slide 23

EXPLOIT CODE INTERNALS
A few more definitions are needed...
- Exploit technique: The method used by the exploit code to alter the execution flow of a vulnerable system and force it to execute the exploit's payload.
- Some exploit techniques:
  Overwriting the stack memory: read/write operations, write/execute operations, write operations.
  Overwriting the heap memory: read/write operations, write/execute operations, mirrored write operations.
  Overwriting process flow control structures: pointer overwrite (GOT, PLT, class pointers, destructors, atexit()), program data overwrite (authorization keys, flags, credentials, FDs).

Slide 24

GENERIC QUALITY METRICS
These metrics can be used to assess the quality of exploit code.
- Attack vectors: one, more than one, all.
- Exploit logic: brute-forcing vs. hard-coded addresses; OS fingerprinting vs. OS selection by the user; connection use; total running time; debugging capabilities, documentation, fixes.
- Exploit technique and reliability: some techniques are inherently more reliable than others. Lab testing under ideal conditions, success rate: 80%-100%, 50%-79%, 20%-49%, less than 20%.
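The reliability classes on this slide are bins over the success rate observed in lab runs. The added example below, which is not from the original deck, implements that binning and goes one step beyond the slide: it also computes a Wilson lower confidence bound on the true success rate, so that a short test series (10 of 10 successes) is not reported as a proven "80%-100%" exploit. The 95% z value and the Wilson interval are the example's own choice.

```python
"""Exploit reliability metric from the slide (share of successful lab runs, binned
80-100 / 50-79 / 20-49 / <20 percent), extended with a Wilson lower confidence
bound so a small number of trials is not mistaken for a proven 100 percent."""
import math

# (lower edge in percent, class label) in the slide's order.
BINS = [(80, "80%-100%"), (50, "50%-79%"), (20, "20%-49%"), (0, "less than 20%")]

def _bin(rate_percent):
    """Map a rate in percent onto the slide's four reliability classes."""
    for floor, label in BINS:
        if rate_percent >= floor:
            return label
    return BINS[-1][1]

def success_rate(successes, trials):
    """Observed success rate in percent over a lab test series."""
    if trials <= 0 or not 0 <= successes <= trials:
        raise ValueError("need 0 <= successes <= trials and trials > 0")
    return 100.0 * successes / trials

def reliability_class(successes, trials):
    """Reliability class of the raw observed rate, as the slide defines it."""
    return _bin(success_rate(successes, trials))

def wilson_lower_bound(successes, trials, z=1.96):
    """Lower bound of the Wilson score interval for the true success probability
    (z=1.96 gives a 95% interval). Returns a fraction in [0, 1]."""
    success_rate(successes, trials)  # reuse the argument validation
    n = trials
    p = successes / n
    denom = 1 + z * z / n
    center = p + z * z / (2 * n)
    margin = z * math.sqrt(p * (1 - p) / n + z * z / (4 * n * n))
    return (center - margin) / denom

def conservative_class(successes, trials, z=1.96):
    """Reliability class of the Wilson lower bound rather than the raw rate:
    10/10 successes only support the 50%-79% class at 95% confidence."""
    return _bin(100.0 * wilson_lower_bound(successes, trials, z))

if __name__ == "__main__":
    for s, n in [(10, 10), (50, 50), (7, 10)]:
        print(s, n, reliability_class(s, n), conservative_class(s, n))
```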

Slide 25

GENERIC QUALITY METRICS
Metrics related to network topology characteristics.
- Network topology constraints: link layer constraints (dialup, PPP, wireless, etc.); LAN vs. WAN; attacker behind a NAT device; target behind a NAT device; target behind a firewall blocking incoming connections; target behind a firewall blocking in/out connections; target behind a proxy/application gateway firewall; IP fragmentation; network footprint; latency; limited bandwidth.

Slide 26

GENERIC QUALITY METRICS
Metrics related to the runtime environment of the vulnerable system/application.
- Runtime environment: system load; multi-threading; fork & exec; multiplexing/asynchronous service; filesystem access; memory and file descriptors; environment variables and command line arguments; compile options, debugging, optimizations, logging; service startup (manual, boot time, inetd, etc.).

Slide 27

GENERIC QUALITY METRICS
Metrics related to security-hardened systems and services.
- Security hardening measures: vulnerable service runs as an unprivileged process; privilege separation/downgrade; sandboxing (chroot, jail, systrace, capabilities); non-executable stack; non-executable heap; StackGuard, StackShield, ProPolice, Microsoft VS /GS flag; PaX, GrSecurity, W^X, DEP.
- Portability and OS dependence: does the exploit use external libraries or programs? Does the exploit run only on a specific OS? Does the exploit require local privileges?

Slide 28

GENERIC QUALITY METRICS
Metrics related to system stability.
- System stability after successful exploitation: unstable service, interrupted service, system reboot or halt.
- System stability after unsuccessful exploitation: unstable service, interrupted service, system reboot or halt.
- System contamination and clean-up: modifies configuration; modifies the file system; leaves an audit trail.

Slide 29

WINDOWS EXPLOITS: OS COVERAGE
OS coverage for exploits that target MS Windows.
- Architecture: x86 (32bit/64bit)
- Operating System: WinNT, Win2k, WinXP, Win2003
- Operating System editions: WinNT 4.0: Workstation, Server, Enterprise, Terminal Server; Win2k: Professional, Server, Advanced Server; WinXP: Home, Professional; Win2003: Standard, Enterprise, Web
- Service Packs: WinNT 4.0: SP0-SP6, SP6a; Win2k: SP0-SP4; WinXP: SP0-SP2; Win2003: SP0
- Languages: English, Spanish, French, Portuguese, German, Japanese, Chinese

Slide 30

LINUX EXPLOITS: OS COVERAGE
OS coverage for exploits that target Linux.
- Architecture: x86 - Intel IA32 (32bit), x86 - Intel IA64 (64bit), ARM, SPARC
- Linux Distribution: RedHat, Suse, Deb
