Offensive Security 2013 – FSU – Lecture15 – Web Application Hacking 104 & Exploit Development 104

alright since everyone’s here we’re going to get started homework 5 is out and going to start the lecture and I’m going to pause in the middle of the discuss because on a gift I’m people always show up late to get feedback from all of you guys just about the timing of certain deadlines for homework four or five as well as the midterm so today’s lecture is on web application packing as well as export development we’re finishing up both subjects we said the base of the culmination of the advanced topics of both subjects intersect it is good lecture so today we’re going to talk about intrusion detection systems and treating prevention systems web application firewalls and how to defeat them on so in essence network intrusion detection prevention systems primarily defend against attacks at the transport and network layer basically if they monitor for malicious activity or policy violations and in the case of an intrusion detection system will report each event basically to a management station which is usually run by the system administrator and security personnel vanity and this happens at a per packet basis so huge packet is analyzed for policy violations and potential tax signatures so this is something also firewalls do basically stateful tracking of connections so firewalls intrusion detection systems and intrusion prevention systems can implement stateful packet inspection which basically extends to the TCP and UDP headers and it scans both incoming and outgoing packets to look for protocol non non compliance essentially IP is stateless transport layer protocols like TCP and UDP are actually stateful are mostly state that TCP UDP not so much so is totally possible for a firewall or some true detective system to build a stage sheet of each connection going in and out of the network that’s TCP so basically for each syn packet a new model his new state machines basically invoked and then connect and then packets following that same connection from point A to point B or then traversed along on the state machine to make sure that they comply with the protocol now this prevents many kinds of denial service attacks because certain implementations on say like old legacy systems of the TCP stack may have verne abilities that didn’t account for things happening out of state happening in ways that they shouldn’t so essentially essentially what happens is this is formed this is a TCP a state transition diagram this is basically the state machine for TCP so the firewall or IDs are IPS forms this model and will drop any packets violating the TCP state machine it’s pretty simple and so on top of other firewall policies like block any incoming connections on these pores because we don’t allow anyone to establish connections from the outside to the inside go ahead and defeating many many attacks so this brings us to the next form of packet inspection which is called deep packet inspection it searches not only the headers of the IP header it searches the TCP UDP headers as well as the payload the packet data it searches the packet data for basically any signatures that can indicate the existence of viruses spam potential intrusions as well as particle non-compliance is commonly used by enterprise networks Internet service providers and governments a side note it’s worth mentioning that deep packet inspection technology roughly allows for eavesdropping data mining and censorship because aside from looking for viruses famine intrusions in packet data you can look for undesirable keywords say if you’re a certain country you don’t want people talking about elections you can filter out everything in your language that talks about Elaine elections or

seems like elections and just drop those packets at the ISP level so there are certain technologies that simply implement deep packet inspection on his own for such purposes like you shopping at 1r and typically they just combine the functionality of intrusion section system in a stateful firewall in essence so deep packet inspection this can be easily defeated by compression encoding and encryption and sometimes tunneling so the payload of your packet is compressed and coded or encrypted it will usually defeat any deep packet inspection mechanisms that uses signature-based detection say for keyword censorship or for virus or attack detection is based off signatures so the problem with encoding is that they on the other end it has to be decoded problem with the encryption is it on the other end it has to have the key to decrypt it the problem with compression is that on the other end is easiest to handle but as to have the algorithm and the means to decompress it so tunneling is useful for getting around certain policies maybe I know I allow my my my network users to establish this type of connection with Network a but not be so I can tunnel from A to B to use the forbidden connections perhaps so intrusion detection systems are really primarily focused on identifying possible incidents and logging all the information they can about them the goal is to report all attempts for possible policy violations and attacks and secondary uses for establishing an IDs involve identifying problems with your existing security policies perhaps you have some gaps in your business logic or security policy logic ideas can be useful for identifying them we’re also i get documenting existing threats on your network and also for deterring insider threats so in the case of insider threats if you’re going to say work at an insurance company in your bad guy and there’s a database as you know that the actions for it is completely controlled its audited and whatnot FBI does this as well every now and then you hear about FBI agent using the database to look into his ex-girlfriend or something like that and then he gets fired so aside from defeating all the audits that you have in the database you have to also worried about getting caught by the idea so it’s very useful for deterring insider threats so intrusion prevention systems are exactly the same as IDs but have some extra functionality in that they can kill traffic basically they can force they can drop the package that they violate the policies or if a signature indicates that there’s a threat with high threshold of confidence and so it kind of acts like a firewall what it also can do is sometimes it’s configured with some custom tools to trigger for instance a honeypot to come online to mangle some payloads for traffic say I detect a some signatures in this packet payload i’m just going to mangle the payload and see how the traffic proceeds it exists as some implementations it’s kind of interesting in theory it doesn’t do a whole lot to stop this investigate attacker um there’s other is where the IDS can reconfigure the firewall if sufficient amount threats are detected and then there’s other custom tools that are basically allow for you to modify basically security environment variables such as like an overall threat level so threat levels can be thought of like Department of Homeland Security’s you know green blue yellow orange red threat levels but in that for each set level you essentially have a set of security policies that you enact you can go from each threat level to the next and previous based on base various heuristics for instance the number of threats you receive today or the number of threats in this category or basically own a detected go to the maximum try level and then that basically locks down the network the most until you can prevent those threats reaching inside their network and then you can restore functionality to look less restrictive security policies so there are a number of different ways that interview detection system that prevention systems can be deployed they can be deployed on a network layer

network setting in that basically it’s an independent platform for identifying intrusions for and it does this by examining the network traffic of multiple hosts in the network the other way is to install intrusion detection system on a single computer this is called host-based intrusion detection systems also hid X is essentially looks more the code level the instruction level to monitor basically system calls that are being made from user space on the machine as well as monitoring application logs file system modifications and other activities and states that get perhaps identify intrusions there are some tools that do this that are well known such as tripwire and os set system call monitoring is actually a very interesting area that’s been researched for a long time there’s some good work done by de Denning on detection intrusion detection based systems for system call monitoring and they had in their trials very high levels of attack identification because it just so happened that the order in which malicious system calls would be accessed it’s usually very very different than the way normal application would utilize system calls it’s a very interesting thing to think about then this a very rare form of pure injection systems called stack base is basically implemented the operating system level and that basically allows for intrusion detection system monitoring at the whole tcp/ip stack so you have back to hear it allows for basically monitoring along this whole staff at the operating system level and some form or another so as far as detection rules the one everyone should be familiar with this signature-based detection essentially I have a virus I’ve analyzed it I’m a firewall company i’ve created a rule for it and then i push it out to my customers and they download the rule and that uplift updates their intrusion detection system so it will detect an unmodified version a virus coming over the wire there’s other forms that can cause problems but are also useful for capturing things that would be used by sophisticated attackers like zero days like a compressed encoded or encrypted version of that virus your signature will no longer work for that so statistical anomaly based detection can be used for this however the problem with these things with the anomaly based detection is that you will incur you encounter false positives normal traffic will be reported as malicious traffic and so the key is to minimize the false positives and maximize the the false negatives as well yes I say that right whatever moving wants so essentially anomaly based detection balls breaks down into a baseline for behavior and that behavior could be common common levels of bandwidth usage from a protocol sportster be established common connections like majority of HTTP traffic is actually going to the web server not to our database server which is located somewhere else and so alerts can be generated when anomalous traffic patterns can occur so related to that is specification based on not leak detection in other words the system minutes traitor hard codes what the normal levels and ranges for traffic should be on this requires basically expert knowledge of your system and so thus it is very rare however it can be a more useful in certain cases so aside from depending of things at the network and transport layer this appliances to defend against application layer attacks and commonly the most common applications that are attacked or web applications to be at the web server or some other port ad serving service so web application firewall is essentially an appliance server plugin or filter that applies a set of rules to http conversations it’s extremely useful for defending against sequel injection and

cross-site scripting it can be very effective at mitigating most attacks and often is mandated by regulation in many industries such as the payment card industry the PCI DSS version 1.1 mandates that you either do two things you regularly code out it all of your web application code or you establish a web application firewall then you properly maintained in usually those regulations also require burn ability assessment I penetration testing to be done at an annual rate so IDs and IPS is that the transport network layer Wow basically is at the application layer some form of these sub levels so common users for web application firewalls involve banks online shops basically any company that has a customer portal a partner and portal or an employee portal so essentially for the main things web up firewalls do is that they ensure that the proper data is going into the proper input if this inputs accepting a string it should accept it should only have as input printable ASCII characters make sense on so that is basically the the realm of data sanity checking and so also there should be very very few false positives and you should never disallow and authorized valid request so let’s talk about bypassing them so it’s bringing back to exploitation development and it’s going to be the majority of this lecture so far so if you’re hoping to never see shell code again I’m sorry to disappoint you wrestle lecture is going to be pretty heavy on it we’re going to take it we’re gonna take it easy because I know this it’s a little it’s difficult for a lot of you guys so one of the easiest ways to defend defeat intrusion detection systems and treatment prevention systems web up intro firewalls and firewalls all at the same time is by using connect back shell code usually firewalls don’t prohibit or limit any connections made from the inside of the network to the outside if you were to use port binding shell code in other words you attacker machine you cause machine to open up the poor essentially what’s going to happen is the tradition of section system may let the traffic go through and it will exploit will run it will open up a port and if it doesn’t Texas signature everything’s fine however wrong however when you try to connect back into the network the firewall will prohibit your connection for the outside to the inside usually just by default so this causes much difficulty for an attacker so this brings us to connect back shell code essentially you need to build some assembly code that establishes the connection going back to your IP address the problem here is that you’re exposing some information about some yourself or your attack capabilities in other words you have to control that IP address whether it’s some other machine that you’ve hacked and you establish a listener there or some machine that you control your leaving behind in your attack code that you’re putting on your target an IP address that you can be tied to in some form or another so that’s the one problem with this for attackers however it will defeat all these defenses when done right so essentially you teach you p connect back to the attackers IP and the thing is the attacker must have a listener way so you could do this with something simple like netcat so i wanna give you guys some history first according to the shell cutters handbook port binding shellcode wasn’t introduced to the public until 2020 a cod thought about that for a minute like that doesn’t even sound right these techniques should have been around for a long long time essentially in 2005 there’s a black hat presentation by michael lin and he presented proof of concept code on how to write a bind port landing shell on cisco iOS systems so that’s really interesting to get Cisco IOS systems

don’t implement system calls like a normal Linux system this is entirely different architecture and they also probably don’t even implement lipsy so the techniques he used to do this were very it must have been very innovative of time on and this cause cisco and ISS to censor the talks of details improvement concept were never actually publish so i did some research though and i found the earliest i could find on public information on how to write networking shellcode was in 2004 which is i’d assume that this stuff has been around since before 2000 so that was just interesting to think about and I the thing that led me on this this goose hunt was I was looking through the shell cutters handbook for any mention of networking shellcode I couldn’t find anything except for that one mention of the Bobcat talk and this book was published in 2007 so I guess it must be a somewhat a relatively new concept for attackers within the past decade I guess so this is a frank article on how to essentially right connect back shell code and port binding shellcode I think on Windows systems so I don’t know hmm so there’s two components really to connect back shell code you have to have a listener set up on the attacker machine and then you have to have shell code that basically opens a pork next back and provide shell access so here’s the anatomy really of it and why it defeats firewall is that basically you send in your exploit if you get past the ids and done doesn’t trigger a basically the victim machine will connect back and then you get gel control so you own the box and so in the case of intrusion prevention systems if it triggers a signature or policy violation it can kill the traffic and prevent the latter two of these basically I arrows from occurring so Before we jump into just straight shellcode at the Assembly level i’m going to show you guys some code examples of non assembly connect back sheltered so one of the most commonly used listeners on the attacker machine is going to be netcat and basically NC hyphen vlp basically means verbose listen and use this port so that will set up a listener on 43 1337 now on another machine if you want to just test this for yourself you can basically as long as you have a version of netcat that has the option type and eat you can do this so netcat execute slash bin sh and then pointed to basically your listeners IP and port 3 1337 so if my attackers IP is 1n who dont 16 a dot one dot 166 this code would allow me to connect back to my attacker machine it’s not that difficult at this level so there are some cheap cheats on how to write connect back shell code and all sorts of languages and I’ve listed these at the top and the code on the next two slides and this one I was taking straight from them so here’s some perl code too it’s really messy really hard to read with that’s a one-liner that in Perl will connect back to 10 02 02 one on port 1 2 3 4 obviously you just replace that with whatever is relevant and here’s the same code in Python PHP is simpler and Ruby is pretty simple as well but we need to know how to write assembly level connect back shell code basically for science so since we have roughly full class I’m going to talk about taking the intermission we jump into the technical stuff and talk about deadlines and dates so on the syllabus have the midterm scheduled for next Tuesday it’s March 5th homework for is also due tomorrow at midnight I’ve had a lot of questions on homework for probably the vast majority of you guys have emailed me a question about homework for at least several times so I’m kind of at the notion that the majority the class would perhaps benefit from an extension on homework or weasels so many people are having trouble with it who would like homework or to be

pushed back to friday at midnight that’s like everyone okay so homework for friday so I’ve released homework 5 homework 5 is on networking and it’s basically there’s two parts to it partay they both use a different pcap file and it’s just a traffic trace of different things going on the first one was set up by one of my friends and who’s not in the class a second one was set up by me it’s just a man-in-the-middle trace of SSL strip and so it’s about 40 questions which is more questions than most homeworks and at the end of the day most questions come down to 225 points each so it’s a lot of questions but they’re not too hard to answer because just finding the right information in wireshark and it exposes you guys in a good way to wireshark in and not too difficult online however I if I wanted to have everything do before the midterm since I signed it today I essentially have to have it to basically the day of the picture so I want to be able to test them that so I want to expose you guys do a homework on that because I can have the midterm roughly based off homework questions to give you guys do a midterm on things that you should expect to have already known and been tested on so which brings me to the midterm next Tuesday most professors have their midterms and all their projects due before spring right so they can grade over spring break who would like the midterms we push to after spring break okay that’s again like everyone so okay it’s so you thinkin maybe tuesday thursday after spring break and it’s not going to be pushed back again after earth so homework homework 5 i will probably allow you guys more time i’ll have it do next tuesday next thursday instead of next to sit on top the update them to website because it is it is 40 questions so i know with everything else you guys probably have going on right now I don’t want Spartan you down to modulate it’s just me it’s just a lot of tedious work in a short time so don’t call me a bad guy just yet question yes you means that are you mean friday let’s call it friday at eleven fifty-nine p.m. ok so the scheduling on all these deadlines I a promise probably already extra homework by now was planned way ahead of time so the first time we’re offering the class so you know just some needs to be some flexibility here now let’s get back to the lecture I’ll send out email with the updated dates for every time to class so you guys have to copy plan writing so before we get to connect back shell code we’re going to go over again something we’ve covered previously it’s in the court by Nichelle code we’re going to go to it go into it a lot of in a lot of detail step-by-step so I hopefully don’t lose anyone so mmm come on animation don’t kill me now great it skipped forward ahead or top okay so mm this is a sea program that will open a port and accept connections it won’t do anything other than that once the connection is accepted it really just does offer it’s no service and mm there’s some important things here essentially there’s some structures that we need to be aware of essentially this is the socket structure and then there’s also interest for handling file descriptors in Linux every file descriptor is essentially addressed as an integer and you can either read or write or both from so there’s also a socket structure it’s really just an integer for the size of socket and so here we establish the socket and we pass in some default flags that the compiler will recognize in the convergence of the appropriate integer values same here we have another flag that we’re passing it and we’re setting up this structure here and then we’re also this is also setting up some part of the structure and then

we bind to the socket using the basically the address structure for the socket and then we listen and then we accept connections on the Jews who is not taking a networking class before okay okay so I’ll try to go through it pretty slowly and cover things much depth looking so essentially as we’ve done before in shellcode we usually approach things by trying to emulate what some see programs doing and trying to understand it the system call level so every single one of these port parts for salvaging the socket for binding to the socket for listening and for accepting connections is actually done through the exact same system call that system call assistant called number 102 it’s called socket Paul here’s the main page for sake call essentially you type man 2 socket call into a terminal and you’ll get this essentially socket call is sought its own subsystem call handler in that there’s a number of different socket calls and you index these with your with its own integer here so instead of for instance in talks ad you push eax to whatever the system call for the operating system is here basically the first parameter to this is called the first argument is this phone call is indexed to its own table of socket system calls all right there’s not that many and then basically you have a pointer to ours the man page itself says they’re really only standard library implementing implementers and Colonel hackers need to even know about this and that’s where we come in so this is the table of the the calls did you can make with system call so there’s bind just connect there’s listen is accept and so on and so the arguments will depend will vary depending on each one each one will take different arguments so how do we take this and move conceptually to show code essentially we need to use 1024 the socket call and then ebx is the first parameter to that system call so that’s the int call number and then ECX is the second parameter so that’s a pointer to the arguments array that we’re going to pass that particular sake call and then we basically do intox aging and they don’t handle it now just as that is pretty simple but other parts get really really tricky so creating a structure that’s not something we’ve done is simply so far at least populating parts of the structure so the circle code and code is highlighted in red is what’s responsible for building the sock outer structure and so I have listed on the right here in this structure itself there’s a short there’s an unsigned short there’s another struct called inadar and soon matter and then there’s a eight character array it’s called just euro and the C library comments say just zero this out if you want it essentially doesn’t matter so let’s look at this code line by line as to what corresponds to in assembly so sock FD equals socket PFI net sock stream comma 0 corresponds to this so it looks like we’re moving three variables onto the stack and then making a call so these are arguments to basically the call to socket all right and so we know that one of them is 0 and arguments are pushed on in basically reverse order so 0 corresponds to that sock stream corresponds to 1 and PF inet corresponds to 2 so that’s not too that’s not too difficult now some of the next one we have another another case of we’re dealing with a flag that the compiler will recognize

and translate for us so this essentially corresponds to move somewhere to handle it somehow the value 0 x2 so essentially AF inet equals 2 and if you were to actually do programming a network programming and you’re just getting started and coming to the case where do i use AF inet or PF inet you’ll find a lot of forum posts on like stackoverflow and whatnot site it really doesn’t matter but best practice is to use this in this case and that in that case because the pilot both interprets them to two so it doesn’t really matter um so this brings us to the next part which is we’re setting up the port the import and we’re passing it hton s3 1337 so we want to use port 3 1337 but hto NS is host to the network short yeah and this it’s important to realize what that does so the code here is actually just two lines it moves the value of ox7 a 69 which when you expand that when you convert that the decimal is 3 1337 and then it calls this so the result of this is that this byte order will be reversed in a little Indian fashion to be compatible with the networking architecture or rather way the network handles shorts specifically the way they network handles byte ordering so II the result of this is that seven a 69 becomes 697 a these byte ordering so if this is losing you guys this hex payer 7a that’s a bite on this hex pair 69 is another bus any questions ok so again we’re dealing with another flag in adder any and we’re passing it as a value to some struct and at that point it can become really confusing however in AD or any means we’ll listen to connections from any address so that map’s 200 200 now this should throw a flag for you guys because when you’re dealing with shellcode that’s a lot of no lights no bites are no bling so we get here and we go through memset and that just zeros out things we don’t need to see more assembly code on how to put no bikes in the memory Spacely just move and we look at this in gdb and we print out the structure or host outer and this is exactly what we’re looking at and it is this so there are some things that you should guys should recognize remember that AI net is to remember that three 1337 when flipped around was 697 a although when you read it like this is seven a 69 however this is stored in little-endian format so this is first it’s a second and so these are basically d word pairs so this value here is actually 0002 and now it’s tricky and then in AD or any so 000 tubes so you can visualize it this this is the network reverse order for three 1337 and this is 0 20 20 20 and the rest of the stuff on the next line is essentially that other stuff that can be completely zeroed out so this first line is really all that matters to us so it’s not too much to deal with however we had to worry about those no wipes so I have the struck there hopefully your arrows had a bloomin a let’s guy on the first four is that short and then the next war is the unsigned short and then we have

two final eight that is the IP address so we roughly know how to call socket fall all right with the system call one or two and how to set that up and we know what the sockaddr instructor should look like but we need to do the following things before we can establish port binding shellcode we need to bind the port 23 1337 we need to listen to the poor and we need to accept TCP connections as to just handle the networking so this is the shell code that does that I know it’s a lot so don’t pay if we’re going to go through it step by step make sure you guys understand it so I have in comments with for each block semi clone and then the comments of what the code is actually doing and roughly see pseudocode so the first part basically sets up the socket the second part here binds the nice part listens that accepts connections TCP connections so this shell code basically mimics what’s going on here so let’s go through it step by step so this part sets up essentially sock ft equals socket PFI net sock stream comma 0 and saves the socket file descriptor to use for later so essentially a lot of things going on here are shellcode treks to avoid encountering no bites so you’ll see a lot of things you should have just moved Oh x66 into eax you push the bike value 0 x 66 on stack and then you pop it into EAS it’s double the instructions but actually result in no no vice so if you read it through it thinking that a lot of these are just no bite avoidance tricks it becomes a little easier to deal with and so there’s a good amount of comments on each line showing you exactly what each one is doing so basically what you do here is you zero out edx for use because we’re gonna use as a D word later and then we zero out EBX and this is going to be the socket call then we increment ebx because we want to use sis socket that’s the the socket call call number that we want to access then we push basically EDX EDX has been zeroed out so remember we’re doing socket to 10 right here so we push a 0 into EDX we push not in Des we push it onto the stack sorry so we’re pushing these values onto the stack then we push one on the stack when we push to on the stack so we’re pushing these in reverse order so too is push on last so it’s at the top of this act and then we basically for the arguments array so remember eax is going to be 1024 that system call so that’s 0 x 6 6 eb x is the int call number so we’re using cysts akut so ebx is going to be one ECX for the system call is going to be a pointer to the argument array for that socket call prefers his socket so what we’re doing here for ec exes were moving ESP so by pushing all these things on the stack ESP is going to point here as you can point at beginning of this arguing over right and we do in talks 80 cause the system call it sets of the socket boom and gives us the file descriptor in eax as we push the bleep basically push that in the ESI for later alright so essentially to recap we get basically to this point Nuria mr. push in reverse order all right so let’s look at next part bond so this sets up essentially the bind sock FD and as well as the sockaddr struct post adder so again we’re pushing into onto the sack system call number 102 and we’re popping in da x DX was use here so we have to reset

that we increment ebx ebx was not used in this previous point so we don’t need wasn’t used in any of these instructions that’s either a swap space or sometime very value so still intact so it’s one so we incremented to to because we want to bind and two is what the system call table for softball for bind is then basically we start building the structure so we build a structure already this essentially we’re just pushing a an argument array on the stack so we accept inadar any so we push edx and then we push basically in reverse order Oh x 6 97 a as for port 3 1337 and then we push a DX which is basically the the first half where I guess the least significant half of EDX so that’s going to be too the reason we do that instead of push ebx is because I think that causes no bites so by accessing the lower the least significant half the resulting off codes have no no vices it’s just a little trick and essentially we move east we move stack pointer and ECX because we’re again exas 102 ebx is going to be to to access a cyst blind and socket hole that’s the first primer saukville the second parameter soccer crawl is pointer to art argument ray so we’re pushing that pointer to the argument or a to e CX and essentially right we do uh let’s see and so what we need to do is then push basically 16 which is the size of the struct and then we push the other point on the stack and the socket file descriptor on the stack that we established here and then finally we push a array to all this again on to the stack and we call intoxicating so essentially what’s going on is that we’re setting up all the parameters for this so here we have the the the file descriptor right here the struct pointer right here and add 16 right here and a pointer to these arguments and then we call intoxicating it’s a little complicated at that point it doesn’t get more complicated though so essentially right after bind we’re pushing all this on the stack or passing it’s the softballs so next we go to the listens assembly code and this is much simpler this code sets up listen sock ft and in this case we’re passing at zero and again we set up basically zero x 66 for the setting up 102 and then we increment ebx twice because it used to be too we haven’t reused at any point so we recommend it to four persists listen and then we basically pass in four and then the PSI which is that file descriptor for the socket and we call in top safety as well as passing it basically the array to the pointer to this argument array which is just these two values so ii x is going to be 1 0 2 eb x is going to be 4 and ECX is going to point to an array of

basically the file descriptor comma 4 that’s called in dog Sadie so then the last part is accept connections it’s very similar to the previous block and doing roughly the same thing so here basically the parameters were passing in our the file descriptor and we can pass them 00 so that’s exactly what’s happening here so the dbx needs to be incremented 25 and that’s the integer the incall number first just accept and then we pass it these parameters and we pass it basically a pointer to the stack and ecs to point to this parameter ray and we call them toss ad so the shellcode will bind 24 31 37 it will wait for incoming exceptions it will block at the except call when the connection is accepted the new file descriptors sword EXO it doesn’t do anything else so it won’t provide shell access to an attacker connects backs connects to the victim machine also open court this is just the networking assembly code so we need to tie the file descriptors to a shell to handle talking basically from the socket to hotel and so this gives us this leads us to talking about Duke too so do Q is a system call that basically creates copies of file descriptors so I have YouTube highlighted bulb so doop to makes a super amers first one’s fault old file descriptor section 112 new file descriptor it makes new file descriptor a copy of old valid scriptor and closes the new one if necessary pretty straightforward so what do we use this for so after our accept code imagine the previous show the pages shoko that we just looked at the show go on the ride is what’s necessary for spawning a shell for anyone who connects to that socket so what this does is that there’s three standard input output file descriptors for every process their standard in the standard out under standard airing those terms should be relatively familiar to all of you who haven’t done any level c or c++ program programming because you’ve seen like C in C out so what we do is we do a lot of redundant stuff we call three system calls here we’re calling dupe three times so what we do is basically we’re copying a file descriptor 0 files krypter one file descriptor 2 we’re using those for our socket to handle basically passing connection between the socket and exact Sh so that’s what’s going on on the right so basically we move the socket Paula scripter and ebx and then we basically push system call number 36 63 which is x fo x 3 up and we pop that into eex and well we get essentially we use ECX for standard input and so then we call from toxicity so we’re basically x is system call 63 EV x is the old file descriptor in ec x is the new column scripter and it gives us a copy of gold into the new so easy x becomes the new possibility and we sue did we do this again for for standard output 40 is standard input 1 is standard output and then ECX here last time the standard air so confident standard input/output in air then basically this constructs saw / sh and then slash bin on the stack then it basically does everything necessary to do exactly I asked all straightforward you guys all these modules are so this is a lot of shellcode kind of messy too we have a lot of shellcode normally when you’re

just getting stars that means more ways for you to go wrong especially if you’re starting from scratch more places for mobilize to occur so the reason I’m going over this is because most people when they’re working with networking chocolate to start from something they’re already worse then you just make little modifications so I need to make you guys at least familiar with how things were so you can make those modifications I can expect you to write anything from scratch so what should be noted is that when this is used in exploit it will only handle one connection the detection is closed on the other server or the attacker side that’s it you don’t get you have to launch to exploit ago so this is messy and long shellcode usually means more problems so there’s ways to basically cut down on the size by using jumps and looping to cut down on some of the size here in the dupe too because as you can see we have a lot of redundant assembly instructions a lot of eight increment ECX intox AE going on so what we can do is go over branching control structures to handle this this is an important concept I believe that you guys should at least know about know how to do it’s not that difficult so there’s a good section on the book it’s about two pages this in today’s reading I believe so and I’ve posted out until this or spring break I’m going to revamp the website put the reading on the lectures page as well as uploaded all the videos to YouTube just put them down so II immunization code so that don’t require the program is the bedroom no it does not so the socket libraries the sea libraries all the libraries they’re just wrappers for the system calls you often see various different versions of exact like exec ve exec al exec le8 all these other things so probably never even like that they’re just different ways to handle passing things to the system call to basically did phosphate and I do different logic checks and security checks here mark so we’re going to cover basically how to take that dupe section and divert it into something that uses lose its really simple not going to burden you down with all the assembly possibilities you could do or we’re going to say we’re going to just take this example it’s already done and show you how it was done mmm so this is straight from the book they first start off by doing exchange EAX EBX now what this does is it actually uses ebx is a swap so with this exchange swaps two registers in order to do that you have to have some scratch space so you have a be swap them you can’t just do a equals B then you lose the value an a so you have to move a somewhere temporary first and do a equals B and then B equals your temporary value and then you swap them so uses ebx for that swap value so if you do it in this way it can essentially uh in some instances it’s useful for minimizing shellcode it’s zeroing out EBX at the same time as well as whatever register you doing so here essentially we’re swapping the file descriptor which is normally served in eax with 5 which is normally starting ebx so 5 was that aah what we are using to access into call in socket falls so that was a system except sis except was what we incremented up to five so what is it using for a scratch bed I guess I think about it using eb access won’t work so you must be using something else maybe I don’t understand as well as I should yes their vehicle wants the other than that I present given you get one I’m having a hard time seeing that but I guess I guess you’re right I don’t know that it won’t be effectively you can do it okay interesting okay so this I guess

if that’s true does some source them twice to swap down right and then pushes to onto the stack and pushes pops and ECX so what we’re doing in the rest of this is we start with two we’re going to do file descriptor 2 then we’re going to decrement it to one we’re going to do file descriptor 1 then we’re decremented 20 Duke file descriptor 0 and where your decremented again and if it’s negative 1 it will encounter this and it will go forward if it’s positive in other words the sign flag is not set it will jump back so as long as is positive it keeps jumping back so that by the end here when it gets the negative 1 it precedes it onto the exact ve assembly code so sunday what’s happening here each time is it’s moving 63 into eax using the AL register to avoid no bites that’s the least significant half of the eax and then basically calls intox 80 so what has here is eax a 63 and then he what I doing EBX is the old file descriptor and ECX is what we’re dipping it too so it starts at two so the first one is doop doop to the old file descriptor and then to a decrement sits and it does dupe to file descriptor 1 then dupe to file scriptor 0 and then it gets the negative one right here and I precedes it breaks its loop so how do we take this and go from and that that’s working shellcode once you just like the previous one it’s just cleaned up with the looping control structure so how do we take this and go from port finding to connect that it’s actually really really simple we take take out two sections and we change two lines of assembly if it’s really bad because it’s I’m serious you just change two lines of assembly and remove the listening accept section and basically it becomes connect back so it becomes not only smaller but now it defeats firewall ids IPS and laugh if you do it right so by introducing these things like a firewall to prevent people from doing port binding shellcode they never foresaw that by defeating the shellcode by defeating the firewall they just had to use easier to write shellcode they never foresaw that it made the attacks easier so what is it doing ok so now it fits all on one page because we’ve moved listen and accept and the bind here to remove listen accept and bind it becomes connect then we only change two lines of assembly in this section I’m going to show you the ones highlighted in red so what we previously had is push a AF adder any which is 0 20 20 20 so what we have to do is actually in Reverse byte order represent the IP address that we want to have our listener on being the attackers coded here in hats so some interesting things if you see shellcode a lot is that a 8 c 0 when you’re dealing with IP addresses reads as 192 168 so we have to replace everything before the cursor so 01 is dot 1 and since I was testing this on my own yeah set up at all inside my neck i was using 192 that wants to save da tawanda 161 it was just IP address in my Birkin tree and then instead of a sis bind I incremented to three and sis connect as good game this works just well when I exploit Adonis on a program it will connect back to my listener and I guess shell access it’s smaller easier

to write and you only really have to change two lines of your old existing code that was defeated by all firewalls at the time so yes if there’s no listener it will just connect it will send a packet and the TCP will stack both do a basically if you ball the state model it sends a sin and gets enough syn ACK it will retransmit three times it usually happens in microseconds lesson milliseconds usually and then it fails yeah so in order to do this you have to first have your listener set up then and you have to have you know your exploit with correct IP address encoded in it to make sure there’s no no bites in that and then you launch your exploit and connect back to your listener yes so if it’s a set new ID program it’ll run is whatever the owner for that file is normally at this mount aside you ID program i’ll run is whatever the owner for whoever executed whatever whatever the UID the EU ID of whoever executed that finer so all the other side will get us to move still while to get miss you all so the listener when it connects back can type any shell commands then though they’ll be processed off the victim machine you’ll get there the terminal response on inside so that’s all well and interesting however there’s a lot of ways that can be defeated normally this is where web application firewalls come in northern feet web up you should fire walls since they do data sanity checking they make sure that the string buffer that this is receiving has only printable ASCII characters as I say important in other words there’s a filter before the buffer is received by the web application so that extra layer of Defense that filters out potentially nasty stuff so a lot of shell a lot of assembly off codes when they’re assembled result in hex values that aren’t in printable a ski ranch so that defeats a lot of shell code in buffer overflow exploits you can have a to the end of you know the return address and you start your shellcode and or some memory address appointed shellcode somewhere in your buffer is going to hit that filter in the filter is going to be like nah this this is not legit a perfect so the way to defeat that is to use printable ASCII characters that also are valid assembly op codes to build some sort of encoding for the rest of your payload and the rest of your payload is actually all the shellcode that spawns that she’ll spawns doesn’t networking and all that’s been rendered in some ways so that basically those decoding assembly instructions basically subtract and some magical factoring in values that are fine and print flying such that the shellcode is basically because acted on the stack in a way that is no longer printable a skeeters valid shellcode and it defeats all the defense’s so I’m not going to make you guys do this just going over this sexually so why you attack something that’s behind all these defenses web average parallel intrusion detection prevention systems and a firewall so the reason really comes down to regulations mandate in many industries that companies do either regular code auditing of the software to get rid of bugs that requires paying people who are skilled developers and no software security or establishing a web application firewall intrusion detection prevention system instead and forget the fact that you have potential bugs and burn abilities from software you’re just going to essentially brush them under the rug and the way you may stay up to date is by having an annual pen test so this is common in payment card industry however those verna buildings are still there you can still be attacked so from an attacker standpoint if a company is using web application firewall is likely they’re not doing code auditing so it’s actually likely that they have vulnerabilities so let’s go over some history this is completely irrelevant but the lessons very similar there is

one svet talion governor they wanted to introduce potatoes to the daily lives of its citizens mainly because they are easily cheap they grew very eat they were cheap they’re easy to grow in the region and they’re good for business and they could have really boosted their agricultural exports by growing mass crops of potatoes but Dallas really didn’t want any part of it it wasn’t they couldn’t conceive of any way to introduce into the normal cuisine um so the governor started selling them cheap wouldn’t catch on so he started giving away for free actually caught on even less people started thinking well this must be dirt it must be worthless so the next thing he did was brilliant and really played on human logic he put armed guards around cards of potatoes in marketplaces so people would think collectively well if they’re being guarded they must be worth something so when the guards took their brakes they’re basically instructed not chase down too hard anyone stealing potatoes and so people would go and steal potatoes and they would just basically start raving about the man these things are great and it worked it was a brilliant success is really really weird but also we can get a lesson from you hear that if you put up defenses it can naturally drive people to attack it more so that one the on the other hand we have webbing far off that and when they’re established they likely don’t have any colour on so there’s likely more bugs there along with the combined factor that people sometimes want to attack challenging things or want to attack it simply because hey there’s likely something valuable there because it’s being defendants oh well gets us into a whole lot of messes and so this is also the motivation for the use of honey pots and maybe we’ll cover that later so buffer restrictions on web applications usually they’re done by web application firewall filter and they do some sort of data type checking to make sure you know there’s only asking printable input for string buffers numerical only input for integers and etc prevents many vulnerabilities from being exploited whatever the stubborn abilities therapies are not being fixed so this brings us to polymorphic printable shasti shellcode polymorphic essentially refers to any code that modifies itself it’s kind of worked with this already basically if you’ve had your if you try to attack one of the problems in the homework for and you’re dealing with that shellcode the scant Rochelle’s function you kind of have to build the bin sh string if you do if depending on how you do it so that’s that’s that’s already polymorphic so kind of we’ve got our feet wet just a little bit with it maybe so there’s some challenges here we need the basic components that make a working exploit we need not slaves that happen to be printable asking and we also need a way to zero out register so we have a way to reliably work with them and then we lastly need some encoders and decoders that can transform the rest of them payload into actual shellcode that we can use and so the ascii range of hex values and we’re working with is ox-3 320 X 70 so the total set of valid opcodes here it’s actually rather small it would be absolutely insane to just write complex shellcode just using the small instruction set so instead we find some way such that the printable opcodes that we can use in this small set modify the rest of the shellcode and essentially what your payload looks like is this you have that asking off sled then you get to the decoder and that decodes the rest of your payload and this will handle basically kick connect back as well as spawning the showing him the file descriptors yes that’s most of the instructions you talking about you haven’t okay I don’t know um maybe not that would be interesting I’m sure this means the research done in it already because that’s a very interesting questions um let’s see we have subtract and and you build nan from that in fact yeah so you may be able to have a turing-complete language with printable ASCII characters so this is all so what because space can

break a lot of things in your own coding one night um and it’s also what the book used to not been up late 33 that’s a twin I will pull up ASCII chart so X now 33 that’s wrong so P I took this great from the book maybe this is maybe before 33 there’s no valid opcodes so I I have no explanation of them I just took the straight from your textbook because I don’t have the time to write my own coders and figure them all out nor my dad insane um at the end of this I’ll show you guys tool you know those tools actually automate this 27 yeah so no listen that’s the thing I try to match it up in seven he would end yeah he doesn’t make sense successful so yeah so I don’t know I took the straight from the book may be good before oh XD 3 is no valid optics maybe there’s nothing that’s actually even useful so here’s some sample op codes that actually print that thing so push ESP actually renders as T pop eax renders sx push eax renders p and pop ESP renders is / here and then you see these subtract and add along with some hard-coded values those actually print out to the strings and so what we can do is use hands to actually zero out registers and if the algis being the values being handed are inverses in other words they shared no one’s in common it will effectively zero out register so what I printed this here is that this value and this value actually will give you zero so that Kenyatta register so the ascii percent jo any % 501 colon if you type it in as assembly instructions will actually zero out your es that’s interesting so now we know how to 0 basically register is the way to proceed basically either use these crazy op codes to build shellcode on stack from scratch or use the opcodes decode the rest of the Taylor so we have all these useful instructions like subtract this subtract a subtractive subtract out what we can do with our shell code is basically take the raw bytes incremented by these values some combination of these values such that the result is actually a printable ascii character and we put that as our that’s our encoding and we just decode them in the same way we’ve added subtract the drives in the same way on the stack then the result is basically as fully decoded shellcode this executable so everyone see that this is a little a little interesting trick there’s other ways to do encoding this is just the way I’m introducing your feet wet so then once everything is in everything’s encoded is in the printable a ski ranch it will bypass every ASCII filter on the planet Islam it will sometimes fail at signature-based filters on ids IPS so that’s going to keep note of and then basically use the subtraction opcodes to basically decode the payload and then you get shell code that looks like this and this is valid shell spawning ascii printable shellcode so networking shellcode here gets really tricky that’s

where I mascot so what you need to know about this is you need to know how polymorphic shellcode works conceptually you also need to know that there’s tools out there that automate this but you should note that they just don’t work brow the box they require some tinkering with they get to account for some hard coded registry or are coded addressing sometimes on the this is really more of an art than his sights and that’s the end of my lecture said questions all right so I ran a little over so what’d you guys get