h_e_s_04_2011_teasers1


Page 1: H_E_S_04_2011_Teasers1
Page 4: H_E_S_04_2011_Teasers1

04/2011

Team

Editor in Chief: Grzegorz [email protected]

Managing Editor: Natalia [email protected]

Editorial Advisory Board: Rebecca Wynn, Matt Jonkman, Donald Iverson, Michael Munt, Gary S. Milefsky, Julian Evans, Aby Rao

DTP: Ireneusz Pogroszewski

Art Director: Ireneusz Pogroszewski [email protected]

Proofreaders: Michael Munt, Rebecca Wynn, Elliott Bujan, Bob Folden, Steve Hodge, Jonathan Edwards, Steven Atcheson

Top Betatesters: Nick Baronian, Rebecca Wynn, Rodrigo Rubira Branco, Chris Brereton, Gerardo Iglesias Galvan, Jeffrey Smith, Aby Rao, Jason Duke, Carlos Alaya, Joseph Werns, Shane Hartman, Jose L. Herrera

Special Thanks to the Beta testers and Proofreaders who helped us with this issue. Without their assistance there would not be a Hakin9 Exploiting Software magazine.

Senior Consultant/Publisher: Paweł Marciniak

CEO: Ewa [email protected]

Production Director: Andrzej Kuca [email protected]

Publisher: Software Press Sp. z o.o. SK
02-682 Warszawa, ul. Bokserska 1
Phone: 1 917 338 3631
www.hakin9.org/en

Whilst every effort has been made to ensure the high quality of the magazine, the editors make no warranty, express or implied, concerning the results of content usage. All trade marks presented in the magazine were used only for informative purposes. All rights to trade marks presented in the magazine are reserved by the companies which own them.

To create graphs and diagrams we used program by

Mathematical formulas created by Design Science MathType™

DISCLAIMER! The techniques described in our articles may only be used in private, local networks. The editors hold no responsibility for misuse of the presented techniques or consequent data loss.

Dear Readers,

This very last of 2011 and pre-Christmas issue we have titled Shellcode. This small piece of code, being simply a portable native code, has the ability to run at any place in memory, for example, inside an exploit to connect back to the attacker or do what the attacker needs to do. It is the key behind any successful exploit.

If you are curious how to write your own shellcode, how to bypass the limitations of your shellcode with null-free shellcode and alphanumeric shellcode, I highly encourage you to read the article Shellcode: From a Simple Bug to OS Control written by Amr Thabet. You will learn how to use the Metasploit framework to try out your exploit.

The article DPA Exploitation and GOTs with Python written by Craig Wright is a follow-up and second part of a look at format strings in the C and C++ programming languages; in particular, how these may be abused. This time the author endeavoured to make the process of exploiting format string vulnerabilities as simple as possible for the inexperienced exploit developer. You will learn how to write into the address of our choosing using the exploitation of Direct Parameter Access (DPA).

A well-known issue, the rogue router attack against an IPv6 protocol enabled network, exploits the router advertisement (RA) functionality of the ICMPv6 protocol. In the article Detecting IPv6 Rogue Router Incidents Using Bro NSM Matti Mantere will depict a method for detecting three components of the CIA triad using the open source Bro NSM.

In the article Application Security 101: Our Dynamic Threat Landscape Anthony Czarnik will show us how vulnerabilities in applications that access sensitive data can lead to significant loss.

Do you want to know why managers love Python? Are you curious what the top emerging threats are? If the answer is yes, do not miss the interview with Aldo Ceccarelli.

We wish you a beautiful Christmas and happy New Year!

Natalia Boniewicz & Hakin9 Team


Page 6: H_E_S_04_2011_Teasers1

6 04/2011

CONTENTS

ATTACK PATTERN

8 DPA Exploitation and GOTs with Python
By Craig Wright

If we can write into the GOT, we can effectively redirect the execution flow of a program and allow ourselves to gain a root shell. This article is a follow-up and second part of a look at format strings in the C and C++ programming languages; in particular, how these may be abused. The article goes on to discuss crafting attacks using Python in order to attack through DPA (Direct Parameter Access) such that you can enact a 4-byte overwrite in the DTORS and GOT. This time the author endeavoured to make the process of exploiting format string vulnerabilities as simple as possible for the inexperienced exploit developer. A basic knowledge of Python has been assumed as well as an understanding of the Linux operating system and how to use gdb. This starts off with detailing the use of Direct Parameter Access and how this process works and then describes the Global Offset Table in detail. You will see that using the exploitation of Direct Parameter Access (DPA) will allow us to write into the address of our choosing.

16 Shellcode: From a Simple Bug to OS Control
By Amr Thabet

The secret behind any good exploit is a reliable shellcode. The shellcode is the most important element in your exploit. Generating shellcode with automated tools only helps so much in formulating your exploit. Knowing how to create your own shellcode will help you overcome barriers that lie ahead, and that's what this article will demonstrate. You will learn how to write a reliable shellcode on the Win32 platform, how to bypass the obstacles that you will face in writing a Win32 shellcode, and how to implement your shellcode into Metasploit.

DEFENSE PATTERN

34 Detecting IPv6 Rogue Router Incidents Using Bro NSM
By Matti Mantere

Internet Protocol version 6 (IPv6) has been a long time coming. As the protocol is making its entrance several security risks of varying criticality are known to exist. However, the amount of skilled personnel needed to assure the security of IPv6 network deployment as well as awareness of the said risks remains woefully low. As IPv6 migration slowly gains momentum, situations where administrators responsible for deployment of network equipment have very poor knowledge and non-existent operational experience of the new protocol are unavoidable. Matti depicts one method for detecting them using the open source Bro NSM. Bro Network Security Monitor (Bro NSM) is a flexible open source network analysis framework that is freely distributed under the BSD license.

38 Application Security 101: Our Dynamic Threat Landscape
By Anthony Czarnik

Over the last couple of years, industry statistics clearly indicate two major changing trends regarding the information technology threat landscape. First, applications are now targeted as the primary attack vector, to the extent that 75% of current, reported attacks target the application layer. Although we have interest in threats, as security professionals with a responsibility to the owners of our assets, our security decisions should ultimately be based on risk. You will see how vulnerabilities in applications that access sensitive data can lead to significant loss.

INTERVIEW

42 Interview with Aldo Ceccarelli

Two simple ingredients: when choosing follow your real passion in order to be able to deliver your best talents and at full capacity; be curious when learning and generous when teaching. Bonus track: patient when teamworking! – says Aldo Ceccarelli, Chief Information Officer and Business Process Expert at SEDAMYL SPA, joint-venture partner of Syral. You will see why managers love Python and what are the top emerging threats.

Page 8: H_E_S_04_2011_Teasers1

ATTACK PATTERN

DPA exploitation and GOTs with Python

It then continues the attack by exploiting the GOT and injecting shellcode. We demonstrate how these simple but still often overlooked and even generally accepted vulnerabilities can be used to read arbitrary locations from memory, write to memory, execute commands, and, finally, to gain a shell.

Introduction In the first part of this article (presented in Hakin9 in Exploiting Software 2/2011), we discussed format string attacks. In this article we are going to extend these, beginning with DPA (Direct Parameter Access) and moving to using the GOT (Global Offset Table) to spawn a root shell. To gain a complete understanding of this process, it is recommended that part one from last month’s issue is read first.

In this paper, we have endeavoured to make the process of exploiting format string vulnerabilities as simple as possible for the inexperienced exploit developer. A basic knowledge of Python has been assumed as well as an understanding of the Linux operating system and how to use gdb. This starts off with detailing the use of Direct Parameter access and how this process works and then describes the Global Offset Tables in detail.

If we can write into the GOT, we can effectively redirect the execution flow of a program and allow ourselves to gain a root shell. This process will also help when there is some form of stack protection that stops us from altering the address pointed to through EIP and redirecting it to a shellcode address.

In this process, we will inject a reference in place of the one the GOT holds for a selected function. Here we want to substitute a function that can execute system commands, rather than overwriting the subsequent instruction with the memory address of the shellcode we wish to call. The modern protections built into nearly all operating systems have started to load the GOT in a read-only memory area. Where this has occurred, the system avoids the exploitation technique discussed in this paper to a large extent. That being said, it is possible to find systems where these protections have been disabled or older unpatched systems where the complete attacks work natively. At worst, even on a read-only system, the GOT can be read.

Direct Parameter Access

DPA allows an attacker to access arguments through the use of a $ qualifier. Just like we had to learn all of that difficult math before we moved on to integrals in high school, last lesson we learned the hard way to call arguments using format strings. DPA makes format string attacks simple. It allows us to directly address the location we wish to exploit instead of having to pad attacks using %x%x%x… Basically, as we can address the argument directly, we do not have to increment the byte count until we find the memory location we wish to exploit.

We showed in the last article how the use of the following syntax will allow us to access the 8th argument from the stack (%8$x%8$n) using the $ qualifier. Again,
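The $ qualifier resolves the argument slot directly, which is why %8$n needs none of the %x%x%x… padding that a sequential format string does. The following parser is an added example (my code, not from the article or its author): it walks a printf-style format string, records which argument slot each conversion consumes, marks the direct-parameter ones and flags %n writes. The same routine serves as an input check for untrusted text that is about to reach a printf-family format argument. The regex, function names and sample strings are constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Added example: a small parser for printf-style format strings. It resolves
# the argument slot each conversion consumes, so the difference between
# sequential padding (%x%x%x...%n) and Direct Parameter Access (%8$n) is
# visible, and it flags the %n write conversion. All names are constructed.

DIRECTIVE = re.compile(
    r"%"
    r"(?:(?P<pos>\d+)\$)?"            # optional DPA position: %8$...
    r"(?P<flags>[-+ #0]*)"
    r"(?P<width>\d+)?"
    r"(?:\.(?P<prec>\d+))?"
    r"(?P<length>hh|h|ll|l|j|z|t|L)?"
    r"(?P<conv>[diouxXeEfFgGaAcspn%])"
)


@dataclass
class Directive:
    text: str
    slot: Optional[int]   # 1-based argument slot consumed; None for "%%"
    dpa: bool             # addressed with the $ qualifier
    writes: bool          # %n stores through the pointer in that slot


def parse_format(fmt: str) -> List[Directive]:
    """Walk the format string and assign an argument slot to each conversion."""
    directives = []
    next_slot = 1  # slot consumed by the next sequential (non-DPA) conversion
    for m in DIRECTIVE.finditer(fmt):
        conv = m.group("conv")
        if conv == "%":
            directives.append(Directive(m.group(0), None, False, False))
            continue
        if m.group("pos") is not None:
            slot, dpa = int(m.group("pos")), True
        else:
            slot, dpa = next_slot, False
            next_slot += 1
        directives.append(Directive(m.group(0), slot, dpa, conv == "n"))
    return directives


def write_targets(fmt: str) -> List[int]:
    """Argument slots that a %n in this format string would write through."""
    return sorted({d.slot for d in parse_format(fmt) if d.writes})


def uses_dpa(fmt: str) -> bool:
    return any(d.dpa for d in parse_format(fmt))


def is_suspicious(user_input: str) -> bool:
    """Input check: text bound for a printf-family format argument should
    contain neither %n nor a $-qualified position."""
    return any(d.writes or d.dpa for d in parse_format(user_input))


if __name__ == "__main__":
    for fmt in ("%x%x%x%x%x%x%x%n", "%8$x%8$n", "100%% done"):
        print(fmt, "->", [(d.text, d.slot) for d in parse_format(fmt)])
```

Run stand-alone, the script shows that seven sequential %x followed by %n and the single %8$n both land on slot 8; the DPA form gets there without consuming the first seven. The real fix for a format string bug is of course never to pass untrusted text as the format argument at all (printf("%s", s) rather than printf(s)); the check above is a second line of defence for inputs that must be logged through legacy code.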

This article is a follow-up and second part of a look at format strings in the C and C++ programming languages; in particular, how these may be abused. The article goes on to discuss crafting attacks using Python in order to attack through DPA (Direct Parameter Access) such that you can enact a 4-byte overwrite in the DTORS and GOT (Global Offset Table).


Figure 1. What Happened To 100?


Page 10: H_E_S_04_2011_Teasers1

ATTACK PATTERN

Shellcode: From a Simple Bug to OS Control

In this article I'm going to teach you how to write a reliable shellcode on the Win32 platform, how to bypass the obstacles that you will face in writing a Win32 shellcode, and how to implement your shellcode into Metasploit.

Part 1: The Basics

What's Shellcode?

Shellcode is simply portable native code. This code has the ability to run at any place in memory, for example, inside an exploit to connect back to the attacker or do what the attacker needs to do.

The Three Types of Shellcode

Shellcode is classified by the limitations of the environment that you are facing while crafting a program to exploit a specific vulnerability.

Null Byte-Free Shellcode

In this type of shellcode, you are forced to write a shellcode without any null byte. For example, consider a vulnerability in string manipulation code inside a function: C functions such as strcpy() or sprintf() work by searching for the null byte in the string (as strings are null terminated) without checking the maximum accepted length of this string, which makes the application susceptible to a buffer overflow vulnerability. If your shellcode contains a NULL byte, this byte will be interpreted as a string terminator, with the result that the program accepts the shellcode in front of the NULL byte and discards the rest. So you will have to avoid any null byte inside your shellcode, but you will have the ability to use just one null byte – the last byte.

Alphanumeric Shellcode

In strings, it's not common to see strange characters or Latin characters inside. In this case, some IDSs (Intrusion Detection Systems) detect these strings as malicious, especially when they include a suspicious sequence of opcodes. These systems could detect the presence of shellcode. Not only that, but also some applications filter the input string and accept only the normal characters and numbers (a-z, A-Z and 0-9).

In this case, you need to write your shellcode in these characters. You are forced to use only these characters and only accept bytes from 0x30 to 0x39, from 0x40 to 0x5A and from 0x60 to 0x7A.

Egg-hunting Shellcode

In some vulnerabilities, you may have a very small buffer to insert your shellcode into. With an off-by-one vulnerability, you are restricted to a specific size and you can't send a shellcode bigger than that.

Alternatively, you could use two buffers to put your shellcode into. One is for your real shellcode and the second is for attacking and searching the first buffer for the eggs.
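The three types above are defined by what the target's input handling will or will not accept. To make those constraints concrete, here is an added checker (my code, not the article's) that reports whether a byte sequence is null-free in the sense the text allows (at most one NUL, as the last byte), whether it stays within the byte ranges the text lists for alphanumeric shellcode (0x30-0x39, 0x40-0x5A, 0x60-0x7A), how much of it a null-terminated strcpy()-style copy would actually keep, and whether it fits a buffer of a given size. The sample inputs are constructed filler bytes, not shellcode.

```python
from typing import Dict, List, Optional, Tuple

# Added example, not code from the article. The byte ranges below are the
# ones the text gives for alphanumeric shellcode; the sample inputs at the
# bottom are constructed filler bytes used only to exercise the checks.

NUL = 0x00
ALNUM_RANGES: Tuple[Tuple[int, int], ...] = ((0x30, 0x39), (0x40, 0x5A), (0x60, 0x7A))


def strcpy_view(buf: bytes) -> bytes:
    """What a null-terminated string copy keeps: the bytes before the first NUL."""
    i = buf.find(b"\x00")
    return buf if i < 0 else buf[:i]


def null_offsets(buf: bytes) -> List[int]:
    return [i for i, b in enumerate(buf) if b == NUL]


def is_null_free(buf: bytes) -> bool:
    """True when the only NUL, if any, is the final byte (the one the text allows)."""
    offsets = null_offsets(buf)
    return offsets == [] or offsets == [len(buf) - 1]


def non_alnum_offsets(buf: bytes) -> List[int]:
    """Offsets of bytes outside the ranges an alphanumeric-only filter passes."""
    return [i for i, b in enumerate(buf)
            if not any(lo <= b <= hi for lo, hi in ALNUM_RANGES)]


def is_alphanumeric(buf: bytes) -> bool:
    return not non_alnum_offsets(buf)


def fits_buffer(buf: bytes, buffer_size: int) -> bool:
    """The size constraint behind the egg-hunting case: does it fit at all?"""
    return len(buf) <= buffer_size


def first_or_none(offsets: List[int]) -> Optional[int]:
    return offsets[0] if offsets else None


def classify(buf: bytes, buffer_size: int) -> Dict[str, object]:
    """One report per payload candidate, covering all three constraint types."""
    return {
        "length": len(buf),
        "null_free": is_null_free(buf),
        "first_nul": first_or_none(null_offsets(buf)),
        "kept_by_strcpy": len(strcpy_view(buf)),
        "alphanumeric": is_alphanumeric(buf),
        "first_non_alnum": first_or_none(non_alnum_offsets(buf)),
        "fits_buffer": fits_buffer(buf, buffer_size),
    }


if __name__ == "__main__":
    # Constructed filler bytes, not shellcode.
    for sample in (b"\x11\x22\x00\x33\x44", b"AZaz09@`", b"A[b"):
        print(sample, classify(sample, 4))
```

Note that the ranges as the text gives them admit 0x40 ('@') and 0x60 ('`') but exclude 0x5B-0x5F; an application filter that really accepts only a-z, A-Z and 0-9 is stricter than that, so the checker follows the text rather than the filter description.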

Part 2: Writing Shellcode

Shellcode Skeleton

Any shellcode consists of four parts: getting the delta, getting the kernel32 image base, getting your APIs, and the payload.

The secret behind any good exploit is a reliable shellcode. The shellcode is the most important element in your exploit. Generating shellcode with automated tools only helps so much in formulating your exploit. Knowing how to create your own shellcode will help you overcome barriers that lie ahead, and that’s what this article will demonstrate.


Figure 1. Shellcode Skeleton


Page 11: H_E_S_04_2011_Teasers1

DEFENSE PATTERN

Detecting IPv6 Rogue Router Incidents Using Bro NSM

These situations are bound to cause information security events of varying gravity. We use the term information security here as defined broadly by the CIA triad, CIA for confidentiality, integrity and availability.

A well-known issue, the rogue router attack against an IPv6 protocol enabled network, exploits the router advertisement (RA) functionality of the ICMPv6 protocol. A rogue router incident can be caused by malicious attackers or through poor deployment and configuration of IPv6 capable equipment. A rogue router attack can be used to break the confidentiality of the data, the availability of Internet access from the local area network (LAN) and data integrity, e.g. in the form of data manipulation by the rogue router, thus affecting all three components of the CIA triad.

In this article we depict one method for detecting them using open source Bro NSM. Bro Network Security Monitor (Bro NSM) is a flexible open source network analysis framework that is freely distributed under BSD license.

Introduction

Internet Protocol version 6 (IPv6) has been a long time coming. As the protocol is making its entrance several security risks of varying criticality are known to exist. However, the amount of skilled personnel needed to assure the security of IPv6 network deployment as well as awareness of the said risks remains woefully low.

Here we concentrate on the one particular issue that is caused by a particular ICMPv6 message in a particular configuration and setting. The ICMPv6 is a much more critical component of the IPv6 protocol than its predecessor ICMP was for Internet Protocol version 4 (IPv4). For example, in IPv6, the functionality that was previously handled by the Address Resolution Protocol (ARP) is now being taken up by the Internet Control Message Protocol version 6 (ICMPv6). Total filtering and blocking of all ICMP traffic did not cripple IPv4, but in contrast disabling the ICMPv6 will discernibly hamper the functionality of IPv6. ICMPv6 runs on top of IPv6, having its own

As IPv6 migration slowly gains momentum, situations where administrators responsible for deployment of network equipment have very poor knowledge and non-existent operational experience of the new protocol are unavoidable.


Listing 1. Partial icmp.bro listing of a development version

    # Partial listing: router_whitelist (a set of router addresses) and the
    # ICMPRogueRouter notice type are declared elsewhere in icmp.bro.
    event icmp_router_advertisement(c: connection, icmp: icmp_conn)
    {
        print_log(c, icmp, "");

        # An empty whitelist disables the check entirely; an advertisement
        # from a whitelisted source is expected and needs no notice.
        if ( |router_whitelist| == 0 || icmp$orig_h in router_whitelist )
            return;

        # Anything else advertising itself as a router is reported.
        NOTICE([$note=ICMPRogueRouter,
                $msg=fmt("rogue router advertisement from %s", icmp$orig_h)]);
    }
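The decision in Listing 1 is small enough to check offline before deploying it. The following Python re-implementation is an added example (mine, not code from the article or from Bro): it parses a constructed log of router advertisement events, reproduces the whitelist logic of the event handler, including the edge case where an empty whitelist produces no notices at all, and adds a helper that lists which addresses are advertising on the segment, which is what an operator needs in order to populate the whitelist in the first place. The event format, timestamps and link-local addresses are all made up.

```python
import ipaddress
from collections import Counter
from typing import Iterable, List, Tuple

# Added example, not part of the article or of Bro. It re-implements the
# decision in Listing 1 over a constructed log of router advertisement
# (RA) events so the whitelist semantics can be tested offline.

# Constructed input: one RA per line, "timestamp src dst" (dst is the
# all-nodes multicast address, as a real RA would use).
SAMPLE_RA_EVENTS = """\
1320000000.10 fe80::1 ff02::1
1320000000.50 fe80::dead:beef ff02::1
1320000001.00 fe80::1 ff02::1
1320000001.25 fe80::dead:beef ff02::1
"""

Event = Tuple[float, ipaddress.IPv6Address, ipaddress.IPv6Address]


def parse_events(text: str) -> List[Event]:
    """Parse the constructed log format into (timestamp, src, dst) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        events.append((float(ts), ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)))
    return events


def advertisers(events: Iterable[Event]) -> Counter:
    """Who is sending RAs on this segment: the list an operator reviews
    before populating router_whitelist."""
    return Counter(src for _, src, _ in events)


def rogue_router_notices(events: Iterable[Event],
                         router_whitelist: Iterable[str]) -> List[Tuple[float, str]]:
    """Same decision as the Bro event handler: an empty whitelist means no
    notices at all; otherwise every RA from a non-whitelisted source is flagged."""
    whitelist = {ipaddress.IPv6Address(a) for a in router_whitelist}
    if not whitelist:
        return []
    return [(ts, f"rogue router advertisement from {src}")
            for ts, src, _ in events if src not in whitelist]


if __name__ == "__main__":
    events = parse_events(SAMPLE_RA_EVENTS)
    print("advertisers:", dict(advertisers(events)))
    for ts, msg in rogue_router_notices(events, ["fe80::1"]):
        print(ts, msg)
```

The empty-whitelist branch deserves attention at deployment time: a sensor whose whitelist was never populated logs every advertisement but raises nothing, so the detector is silently off until the legitimate routers have been entered.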

Page 12: H_E_S_04_2011_Teasers1

DEFENSE PATTERN

Application Security 101

According to the Verizon 2010 Report, web applications accounted for 54% of data breaches and 92% of records breached. Although the indication is that as a group, Information Security professionals are currently doing a commendable job guarding the perimeter and OS layer, it is also clear we have our work cut out for us on the application front.

The second major trend on our threat landscape is regarding intent. Over the last few years, cyber criminals have generally not been rogue individuals, but predominantly organized groups, with the objective of financial or political gain. Identity and credit card theft are the most common avenues for financial gain. Political gain, including state sponsored attacks, is often achieved through intellectual property theft or cyber terrorism, including denial of service. Using a schoolyard analogy, these are no longer bad boys spray painting the walls, they're gangs stealing our tuition funds.

Threats are relevant; Risk is our ultimate focus

Although we have interest in threats, as security professionals with a responsibility to the owners of our assets, our security decisions should ultimately be based on risk. Risk is the product of the threat level, our degree of vulnerability and our potential loss. That's the formula. The reality is that a data breach, which adversely affects our IT security pillars of confidentiality and integrity, will cause you to lose your honor, and by the way, they cost $6.6M on average, which will probably cause you to lose your job.

Another common risk is compliance failure. If your IT organization is responsible for protecting PHI (healthcare data), failure is a HIPAA violation. Processing or storing credit card data? Failure is a PCI violation. The added risk with compliance is that you don't even need to get breached to suffer a loss. Non-compliance results in fines (consider that incurring HIPAA fines is also becoming trendy since HITECH was passed).

Public reaction to data breaches has also become severe. According to the Ponemon Institute, 33% of consumers who have had their information breached, terminate their relationship with the business partner determined to be responsible. How bad is that? Go ask your Marketing VP how much it cost to attain 33% of your customers. The aggregate consequences from a data breach can be brutal:

• Lost customers & lost revenue (long term effect)
• Legal & compliance problems
• Reputational damage

Beyond a data breach, we must also be concerned with Denial of Service attacks, degrading our availability security pillar, and resulting in lost revenue and lost customers.

Application vulnerabilities: the perfect storm

There is a reason that since we secured the OS and perimeter fairly well, cyber criminals are targeting the application layer. Applications consist of source code, often from numerous sources, architectural decisions, executable code, configurations, database integration, implementation into the existing network, and more. Applications are complex to secure and application security is immature; the perfect storm. The result: both Gartner and NIST reported that 95% of recently reported vulnerabilities are located in software. SANS comparisons highlighted that the number of vulnerabilities currently being discovered in applications is tremendously higher than the number being discovered in operating systems. Gartner also estimates that two-thirds of web applications

Over the last couple of years, industry statistics clearly indicate two major changing trends regarding the information technology threat landscape. First, applications are now targeted as the primary attack vector, to the extent that 75% of current, reported attacks target the application layer.

Application Security 101: Our Dynamic Threat Landscape

Page 13: H_E_S_04_2011_Teasers1


INTERVIEW

How did you realize that the solutions would best fit your business model than other methods?

Our must is learning to evaluate and introduce outsourcing at best. Last outsourcing surveys (I like to remember the State of Outsourcing 2011 survey conducted in partnership with The Outsourcing Unit at the London School of Economics in particular) show that CIOs are achieving cost savings from their arrangements with their services providers, but an important issue is that sometimes we aren't getting much else in the way of business value. Here's how IT solution buyers can change that.

According to this year's outlook perspective IT service providers aren't likely to change their approaches unless buyers demand more from them. Therefore, IT outsourcing customers who want to move beyond cost cutting must put business value at the forefront of their outsourcing arrangements. Here are four ways to accomplish that goal that I am trying to follow:

• Stop taking the low-cost bait. Cost cutting deals will deliver cost cutting.

• Contract for value. Real business value gets short shrift in most outsourcing deals.

• Have the courage to change. Be willing to abandon processes and technologies that don’t deliver real innovation goods.

• Look beyond SLAs to business outcomes. Service level agreements are important but business value is tantamount. Work with your provider to create outcome-based metrics for the relationship to supplement the deal’s operational SLAs.

What separates your methods from others?

I am trying to focus on the fact that as CIOs we would benefit from a framework for innovation, and some of us operating in SME would be willing to pay more for an outsourcer that really can help us formalize and maintain a successful innovation process. A good method for us was to institute monitoring of leading key performance indicators and adopt formal root cause analysis processes. In this manner, issues are detected before they become critical, and once detected, can be definitely eliminated.

Could you tell us more about the company that you work for?

In the early 1950's the Frandino family founded Sedamyl, a simple fruit distillery (its original name was Seda).

From the earliest stages, the company’s growth has been characterized by dedication to maintaining its core values. It has become the leading Italian producer of wheat-based products for the food and paper industries, as well as for fermentation.

Starch is used in various industries: food, textile, paper, detergent, glue and plastic.

Glucose syrups, liquid or dehydrated, are used as ingredients for soft drinks, ice creams, sweets and other food products.

Grain Alcohol due to its neutral flavor and excellent quality, has always been used in the production of high quality spirits and liquors.

Gluten is used in the food industry, primarily for baked goods.

Interview with Aldo Ceccarelli

Aldo Ceccarelli is Chief Information Officer and Business Process Expert at SEDAMYL SPA, joint-venture partner of Syral (Group Tereos, France). In the past he was a member of S-IT Management (in outsourcing for SEDAMYL SPA) at Etea (http://www.eteagroup.com/), System Administrator, Programmer and ISO 9000 Quality Manager at CITAL SRL (http://www.cital.it).