7. Basic Types of Buffer Overflows And Demo 03
So let’s real quickly talk about the different stages of exploit development. The first stage is we’re going to create a shellcode. Now, it gets this name because it’s the code we produce that creates a shell, all right? A shell or a command prompt window. And because most of the time we’re not going to get a GUI like I showed in the example, it’s simply going to be a command prompt or a shell, and it’s going to be a very basic one because we don’t typically have that much stack space, or what I refer to as elbow room. This is what it looks like in reality, all right? And what I was talking about before is you’re probably not going to see any kind of shellcode in here that ever has that 0x00, which is the null byte, because it would immediately stop the shellcode from going in.
The other thing is the injection vector, and that’s the offset where the shellcode is placed in memory and where the return address is modified to point to. Then you have something called a request builder, and this is the code that actually triggers the exploit. So this is the one that actually snaps its fingers, if you will; if it’s related to string functions, scripting languages are generally preferred for this. Then you also have what’s called a handler routine, and this typically generates the majority of the code. So this is a handler for the shellcode doing operations like linking to a bind shell or connecting to a console socket, or perhaps pointing to where VNC is located in memory, for example, because we just pushed it in.
8. Stages of Exploit Development
Now, here what we’re going to do is we’re going to talk about prevention of a buffer overflow. Now, the first thing we can do is use different language tools. For example, when I learned C, I was taught this in 1989, to grab information from some source and put it into some destination, we use the function strcpy(). Now, this particular function accounts for about 95% of the buffer overflows in the world today. If we were simply to change it to using strncpy(), which has a width qualifier, it wouldn’t be able to put in that long string and overflow the destination buffer. So I didn’t even know about this until about 1995. I wasn’t even taught this during that particular time. Now, you’re probably saying things at this point like, well, why don’t we just do it? Well, there are a lot of reasons.
Most people would say, well, all we need to do is just go through the code and edit where we’ve got strcpy and change it to strncpy. We’d have to fix the width and everything. Well, yeah, that actually is the easy part. The problem is we generally don’t have the code to do that. In most cases, when you write in C, you link in various libraries that were done by somebody else. So if you wrote a huge C program that took you several years, you may have written maybe 2 or 3% of what you actually are executing. The rest is linked in as libraries that somebody else wrote. So you’re hoping that they used strncpy instead of strcpy, but you’re not really sure.
But even with individuals that sell libraries as, quote unquote, secure libraries, meaning surely they’ve used strncpy and they’re not going to allow a buffer overflow, the only problem is those libraries have libraries, and those libraries have libraries that have libraries, and those libraries that have libraries also have libraries. You’d have to go all the way back to Kernighan and Ritchie, the original developers of C, and rewrite every single library to make it work. In other words, it’s not happening. So let’s look at some other things that we might be able to do. We can design and build security within the code. Now, what we’re talking about here is segmenting this into different areas of protection.
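The strcpy versus strncpy point above, as an added example that is not part of the original lecture: the unbounded copy beside a bounded one. The bounded version uses the destination size as the width qualifier, and it also handles the one thing the lecture does not mention, namely that strncpy does not write a terminator when the source fills the whole buffer, so the terminator is written explicitly and the caller is told when input was cut off. The buffer size and the sample strings are constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define DEST_SIZE 16   /* constructed: a small fixed-size destination buffer */

/* The pattern the lecture warns about: strcpy has no width qualifier, so a
   source longer than the destination writes past the end of the buffer.
   Never call this with a source of DEST_SIZE bytes or more. */
int copy_unbounded(char *dest, const char *src) {
    strcpy(dest, src);              /* overflow if strlen(src) >= DEST_SIZE */
    return (int)strlen(dest);
}

/* Bounded copy: strncpy with the destination size as the width qualifier.
   Caveat: strncpy leaves dest unterminated when src fills it completely,
   so the terminator is written explicitly. Returns 1 if the input was
   truncated, 0 if it fit, -1 if there is no room for even a terminator. */
int copy_bounded(char *dest, size_t dest_size, const char *src) {
    if (dest_size == 0) {
        return -1;
    }
    strncpy(dest, src, dest_size - 1);
    dest[dest_size - 1] = '\0';
    return strlen(src) >= dest_size ? 1 : 0;
}

int main(void) {
    char dest[DEST_SIZE];
    /* constructed sample inputs: one that fits, one twice the buffer size */
    const char *short_input = "hello";
    const char *long_input  = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";

    copy_bounded(dest, sizeof dest, short_input);
    printf("bounded copy of short input: \"%s\"\n", dest);

    int truncated = copy_bounded(dest, sizeof dest, long_input);
    printf("bounded copy of long input: \"%s\" (truncated=%d, len=%zu)\n",
           dest, truncated, strlen(dest));

    /* copy_unbounded(dest, long_input) would write 17 bytes past the end of
       dest: undefined behaviour, and the classic overflow. */
    return 0;
}
```

The truncation flag matters in practice: silently cutting a string short can itself be a bug (a path or a hostname that loses its tail), so code that replaces strcpy should decide what to do when the input does not fit rather than just dropping the excess.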
For example, a web server is typically set up so that it doesn’t run as root, because if we end up exploiting the web server, we’re in that particular system as root. So consequently, that’s never a good idea. So we run the front end at a lower privilege, and what connects to the back end? Maybe we use a higher privilege. But this has to be designed from the get-go. It’s very difficult to bolt this on after the fact. We could use source code scanning tools like RATS and Fortify, which will look for these various functions like strcpy that are being used, and a whole bunch of other ones, and alert you to this fact. We can use compiler enhancement tools, and we talked a little bit about this.
This is called either a stack cookie or a canary word, and it gets its name from the canary that may be guarding the coal mine. If you see the canary at the bottom of the cage, you’d better get out or you’re going to be next, because what it’s telling the coal miners is that there’s a gas leak in there and they’re breathing that particular gas. When the compiler compiles this, it adds to the code that sets up the stack frame, so it places what’s called a stack cookie or a canary word there, a sentinel value, a particular value, and checks it before the function returns. So if it’s not randomized and the user knows what that value is, we could just simply push it in as well. So that’s not always the best way of taking care of it.
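The canary idea as an added example, not code from the original lecture: a sentinel placed right after a buffer, seeded once per run, and checked before the data is trusted. A compiler does this in the function prologue and epilogue; here the same check is simulated in plain C so it can run anywhere. The record layout, the seed and the sample payloads are constructed, and the "write" copies bytes into the whole record through memcpy so the simulation itself stays memory-safe while still showing an over-long write landing on the sentinel.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>
#include <time.h>

/* constructed: a buffer with a sentinel word placed immediately after it,
   the same arrangement a compiler uses for a stack cookie */
struct frame {
    char     buf[16];
    uint64_t canary;
};

/* Seed the sentinel once per process, as a compiler-inserted canary would be.
   The source of randomness here is the C library PRNG seeded from the clock,
   which is only for illustration; a real implementation uses the OS CSPRNG. */
uint64_t make_canary(void) {
    srand((unsigned)time(NULL));
    uint64_t c = ((uint64_t)rand() << 32) ^ (uint64_t)rand();
    return c ? c : 0x5a5aULL;            /* never use zero as the sentinel */
}

void frame_init(struct frame *f, uint64_t canary) {
    memset(f->buf, 0, sizeof f->buf);
    f->canary = canary;
}

/* Simulate an unbounded copy of n bytes starting at buf. The copy is clamped
   to the size of the record so the example never writes outside it, but
   anything beyond 16 bytes overwrites the sentinel, exactly as a real
   overflow would. Returns the number of bytes written. */
size_t frame_write(struct frame *f, const unsigned char *data, size_t n) {
    if (n > sizeof *f) {
        n = sizeof *f;
    }
    memcpy((unsigned char *)f, data, n);
    return n;
}

/* The epilogue check: 1 if the sentinel is intact, 0 if it was smashed. */
int frame_intact(const struct frame *f, uint64_t canary) {
    return f->canary == canary;
}

int main(void) {
    struct frame f;
    uint64_t canary = make_canary();

    /* constructed payloads: one that fits, one that runs over the sentinel */
    unsigned char fits[8];
    unsigned char overflow[24];
    memset(fits, 'A', sizeof fits);
    memset(overflow, 'A', sizeof overflow);

    frame_init(&f, canary);
    frame_write(&f, fits, sizeof fits);
    printf("8-byte write, canary intact: %d\n", frame_intact(&f, canary));

    frame_init(&f, canary);
    frame_write(&f, overflow, sizeof overflow);
    printf("24-byte write, canary intact: %d\n", frame_intact(&f, canary));
    return 0;
}
```

The per-run seed is the point the lecture makes: if the sentinel were a fixed constant, an overflow carrying that constant at the right offset would pass the check, so the protection is only as good as the unpredictability of the value.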
You should know what’s on your operating system, and make sure you patch the operating system and applications to the latest version. Now, I love to argue this one because I always have people in my class say, well, I use Java or I use .NET and you don’t have to worry about that. It is true that Java and .NET do not have a function like strcpy, where the destination doesn’t get a width qualifier. Although if you’re doing much of anything and you’re interfacing, especially with hardware, you’re probably going to be writing that in C or you’ll be linking in a library written in C. And so what you’re going to do is you’re going to write a wrapper around that in Java or .NET, and you’re back in the same boat you were in before.
We need to make sure that we have enough room. Now, shellcode can be as small as 24 bytes in Linux and 300 bytes in Windows. In reality it can be much smaller, but the CEH test has that as a value of 300 bytes, so I put that on the particular slide. The next thing we want to talk about is something called Data Execution Prevention. And this is where we’re utilizing any processor that came out after 2003, whether that’s AMD or Intel; it’s going to have either the no-execute (NX) bit or the Execute Disable (XD) bit in it. And it keeps track of where that instruction pointer is pointing. So in reality it should only be pointing, if you recall, into the code segment and extended segment.
If that instruction pointer points down into the data or down into the stack segment, it halts the process. And so if we were to look at that on a Windows machine, I’ve got a Windows 7 machine here, I’ll just use that to demonstrate with. I’ll bring this up here and see if we can take a look at it. So I’ve got a Windows machine, and if I go into it, into the advanced system settings underneath here, underneath settings, right here we have Data Execution Prevention. Now, the default for Data Execution Prevention is to turn on DEP for essential Windows programs and services only. If you haven’t modified it, it will be that.
That means that anything that came with Windows or is a service running on Windows is going to be difficult at best to do a buffer overflow on. But the other setting, turning it on for all programs and services, is actually a better setting. People don’t put this in because they have to put in all the exceptions. Let me give you an example of that. So if I go in here and I right-click and open up Task Manager, and if I look at my processes, select columns, that’s what it is, all right? And one of them should be Data Execution Prevention, all right? So I could look at the processes that I have now that are running on my system, and if I see any of them that are disabled, that would be one that I would be able to do a buffer overflow on.
So there are still processes that are running on our systems right now that aren’t using this Data Execution Prevention. So theoretically, what you should do is you should turn it on for everything. And then if this causes a problem, then you could just add an exception for that. Now, if you look at this right here, this was an exception on Internet Explorer. And a friend of mine came up and he said, what’s going on here? I said, don’t touch anything. I want to take a picture of this, because you definitely don’t want to change the settings on this and add an exception for this particular one, especially because this is interfacing directly with the Internet.
9. Buffer Overflow Prevention
Now let’s talk about the project that was originally created by a gentleman by the name of HD Moore, and it’s called the Metasploit Project. It’s a computer security project that basically involves providing information about security vulnerabilities, and it aids in penetration testing and IDS signature development. Its best known subproject is the open source Metasploit Framework, a tool for developing and executing exploit code against a remote target machine. Other important subprojects include the Opcode Database, the shellcode archive, and related research. Now, a framework in computer programming is something that was written so you don’t have to write everything yourself.
We use frameworks all over the place, and it allows the programmer to not spend a whole lot of time worrying about how a particular machine paints a window or does the interface buttons or all that kind of thing. We’re more interested in writing the logic that solves the particular project or problem. Well, that’s exactly what the Metasploit Project, or Metasploit Framework, I should say, does for individuals that want to write an exploit. So we don’t have to worry about all of the things for the interface, on how we’re going to push the code in and the handler and all that. All we need to do is knock the wall down using an exploit. We write that inside the Metasploit tool.
We could write it in Ruby, more than likely in Ruby, but you could write it in other languages as well. So let me give you just a little bit of history, actually, of what happened with this. In 2003, HD Moore created Metasploit as a portable network tool using Perl. By 2007, the framework had been completely rewritten in Ruby. On October 21, 2009, the Metasploit Project announced that it had been acquired by Rapid7. Now here’s kind of the scuttlebutt in the industry: HD Moore, while he did write the original code for Metasploit, all of these other people in the community wrote all the various pieces for the thing coming into it. But when he went to Rapid7, and I think he sold it for $7 million, he didn’t give any of the money to anybody else. So that’s kind of the scuttlebutt that actually is known for that.
So just a little bit of gossip in the computer security world, which you’re going to find out, if you’re in this world, there’s a lot of. Now, what Rapid7 has done is it added some more open-core proprietary additions like Metasploit Express and Metasploit Pro. So it’s done some things to really enhance it. Now, Metasploit’s emerging position as the de facto exploit development framework led to the release of software vulnerability advisories, often accompanied by a third-party Metasploit exploit module that highlights the exploitability, risk and remediation of that particular bug. Remember me telling you that if there is an exploit in Metasploit, you’d better get that thing fixed quick, because this is free.
Every kid in the world is downloading this thing and banging on every single thing that he can to try and break in. So you’re going to be owned real quick if there is an exploit available in this. Now, they also have newer things: Metasploit 3.0 began to include fuzzing tools used for discovering software vulnerabilities, rather than just exploits and that kind of thing. Now, I’m going to do some of that for you in the bonus section. Now, since the test doesn’t have any questions related to this, I’m not going to go into a lot of detail on it. Now, you need to know that it runs on both Linux and Windows, and it can be kind of compared to Canvas and Core Security Technologies’ Core Impact, which I’m going to demonstrate with the video here.
So just a little bit of computer history for ten bonus points. Who do you think this guy is standing next to me? Now, this is me, of course, on the right. Let’s look at some other previous student guesses: Mubarak, the former leader of the... well, no, that’s not him. King Abdullah of Jordan? No, that’s not him either. Saddam Hussein? No, that’s not him. No, that’s not him either. Not even Jamal. This is actually HD Moore, and I don’t think he even is Middle Eastern to my knowledge, but he’s actually a really nice guy. I’ve spoken with him at some security conferences, and like I said, there is a little bit of scuttlebutt in the industry, as there always is.
10. The Metasploit Project
Now, it used to be, when I first started teaching for this company about Core Impact, they would give the instructors a full-blown version of this that they could use on any system to demonstrate with. They don’t even do that anymore. They basically say, well, if you have somebody that’s interested, just point them to us and we’ll try and sell it to them. Demonstrating the thing is very expensive; to get a full-blown license that’ll do everything on the Internet, and please don’t hold me to these numbers because I may be a little bit off on it, I believe it’s like 60 or $70,000. And that’s not just buy it once and forget it. That’s every year. Now, a lot of people don’t buy everything they can do on the Internet.
They’ll buy various numbers of IP addresses, or they’ll buy a whole network subnet that they use within their organization, or something like that. But the real claim to fame of this product is it walks through the OSSTMM model like we showed you when we walked through each one of these particular sections. So first off it starts off with information gathering, then it’ll do an attack and penetration, then it’ll do local information gathering. It’ll try and do privilege escalation, and it will do something called a pivot, which allows you to do that whole process again from the machine that you compromised, while keeping track of all the clicks and everything that you did so that it can create a report for you that you can simply give to the client.
It is really a fantastic tool, but I mean, you’re going to pay for this thing. You could do every single thing this tool does with Metasploit. It’s just not as easy. This right here, any teenager can run this thing. But I guess it’s a good thing that it’s not free out on the Internet, because this would be the one that they’re using. Anyone could really run this. Now, I had a guy come into class once, and this is when I was teaching a class in Dubai, and he came in, and as we go through and introduce everybody, he said that he was a penetration tester. And I’m thinking to myself, what are you doing in this class? Because this is basically the beginning class that tells you about, how I’d like to describe it,
the tools that are in your toolbox. They don’t really go into a lot of penetration testing in this particular class. Now, the ECSA from EC-Council, that is actually a penetration testing class. Or if you are of the GIAC fame, that would be the GPEN. Where’s the GIAC? This would be the GSEC. I plan on doing some GIAC classes as well for certification. But let’s go ahead and continue and finish up with this one. So then we are going to do a clean up, removing things as we move back, and then the report generation. It’s a fantastic tool. Well, come to find out what happened with this guy that was in Dubai is he had purchased Core Impact. And after we got through the class, because you’ve seen how we’ve broken each step down so you can do it manually, you understand what Core Impact is doing.
Now, I’m not going to sit here and tell you not to use something like this. If you have it available to you, of course use it. If you pop an application or you pop an operating system with Core Impact, it’s just as popped as if you do it manually. So if you could do it and save yourself the effort by doing it that way, well, for God’s sakes, do it. It’s just that this thing can be really expensive. It’s kind of funny, because a lot of times when I’ll demonstrate this with a video that I’ll show to some of the students, they’ll end up saying, well, the price scares them off initially. And then when they sit back and think, well, I could move some money off of this project and put it over here, they’re trying to justify how they would be able to utilize this product.
Now, I’m going to show you a video, and what I’m going to do is I may pause the video during certain pieces of it so that I’ll be able to comment on certain parts. Now, to finish out my story about the guy that was sitting in my class in Dubai, after he got all the way through the class, I explained exactly how Core Impact was working and how it’s fitting together. And he basically raised his hand and he said, I guess I’m not a penetration tester, but a Core Impact operator. I said, well, you said that, I didn’t, because you need to understand how far the tool will get you, because it’ll only get you that far, and then you need to be able to do the rest on your own. So that’s kind of the story I wanted to finish up there.