Integrating DMA attacks in Metasploit - Hack In The Box Security...

Integrating DMA attacks in Metasploit. Rory Breuk [email protected], Albert Spruyt [email protected], University of Amsterdam, May 23, 2012.


  • Integrating DMA attacks in

    Metasploit

    Rory Breuk [email protected]

    Albert Spruyt [email protected]

    University of Amsterdam

    May 23, 2012

    1/ 25

  • Introduction

    Goal:

    Metasploit Over Firewire Ownage

    2/ 25

  • Computer architecture

    [Diagram: CPU, RAM and Northbridge; Southbridge with attached buses: PCMCIA, FireWire, PCI, SATA, Thunderbolt]

    3/ 25

  • Computer architecture

    [Diagram: CPU, RAM and Northbridge; Southbridge with attached buses: PCMCIA, FireWire, PCI, SATA, Thunderbolt]

    4/ 25

  • Computer architecture cont.

    Memory divided into 4KiB pages

    Virtual / physical addresses

    5/ 25

  • DMA attack vectors

    FireWire

    Thunderbolt

    PCMCIA/CardBus/

    ExpressCard

    6/ 25

  • Previous work

    Encryption key/ password extraction

    Winlockpwn/FTWAutopwn/Inception

    libforensic1394

    7/ 25

  • Goals

    Use DMA attacks with Metasploit

    Why?

    • Huge potential, but under utilized

    • Widespread awareness is lacking

    • Making it easy

    • Lots of possibilities

    8/ 25

  • Usecase

    [Diagram: Remote attacker -- Internet -- Local attacker -- IEEE 1394 -- Target]

    9/ 25

  • Usecase

    169.254.x.x

    10/ 25

  • Metasploit concepts

    Exploits

    Payloads

    [Diagram: Remote attacker -- Internet -- Local attacker -- IEEE 1394 -- Target]

    11/ 25

  • Payloads

    What to patch

    RAM

    LightDM

    Library call

    Patch

    12/ 25

  • Windows DEMO

    Target: Windows 7 SP1 32bit

    Find the signature

    Inject payload

    13/ 25

  • Problems

    Need to interact with the system

    Easily user detectable

    Detectable by tripwire

    14/ 25

  • Proposed solution

    Stage 1:

    • Inject stager

    • Allocate new page

    Stage 2:

    • Restore originally patched code

    Stage 3:

    • Inject second stager

    • Restore process

    • Execute payload

    15/ 25

  • Stage 1: Inject stager

    Find signature

    Save code

    Inject special stager

    Save state

    Allocate page

    Copy loop

    Jump to page

    16/ 25

  • Stage 2: Restore code

    Find the new page

    Restore patched code

    17/ 25

  • Stage 3: Finish

    Upload second

    stager + payload

    Directly overwrites

    running code

    Fork

    Restore process

    Execute payload

    18/ 25

  • Interactionless exploit

    Xorg

    • root permissions

    • runs periodically

    19/ 25

  • Linux DEMO

    Target: Ubuntu 12.04

    Look ma, no hands!

    Stagers, IDS evasion

    Target process is kept alive

    20/ 25

  • Mitigation: theoretical

    Theoretical:

    • IOMMU

    No practical implementations

    21/ 25

  • Mitigation: practical

    For the consultants:

    • Don’t buy them

    • Destroy them / glue them

    • Disable them

    • Deny physical access

    Does not guarantee safety

    22/ 25
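The "disable them" item above is the one a Linux administrator can actually script. The following is an added example, not code from the slides or from the mofo project: it writes a modprobe blacklist for the FireWire module stack (the current `firewire-*` modules and the legacy `ohci1394`/`sbp2`/`ieee1394` ones), lists which of those modules are currently loaded, and checks for an active IOMMU, the theoretical mitigation from the previous slide. The `/sys/class/iommu` check assumes a kernel that registers IOMMUs in sysfs; the output directory is a parameter so the blacklist can be generated into a scratch directory before being copied to `/etc/modprobe.d`.

```shell
#!/bin/sh
# Added example (not from the slides or the mofo project): Linux-side controls
# for the "disable them" mitigation against FireWire DMA.

# Kernel modules that expose a DMA-capable FireWire (IEEE 1394) stack.
# The first three are the current stack, the last three the legacy one.
FIREWIRE_MODULES="firewire-ohci firewire-core firewire-sbp2 ohci1394 sbp2 ieee1394"

# Write a modprobe config into $1 that blacklists the modules and also makes an
# explicit "modprobe firewire-ohci" fail, which a plain blacklist line does not.
# Prints the path of the generated file.
write_firewire_blacklist() {
    dir="$1"
    out="$dir/blacklist-firewire.conf"
    : > "$out"
    for m in $FIREWIRE_MODULES; do
        printf 'blacklist %s\n' "$m" >> "$out"
        printf 'install %s /bin/false\n' "$m" >> "$out"
    done
    printf '%s\n' "$out"
}

# Print the FireWire modules that are currently loaded, one per line.
# Reads /proc/modules by default; $1 lets callers pass another modules file
# (used below with a constructed sample).
loaded_firewire_modules() {
    modfile="${1:-/proc/modules}"
    [ -r "$modfile" ] || return 0
    for m in $FIREWIRE_MODULES; do
        # /proc/modules uses underscores where module names use dashes
        name=$(printf '%s' "$m" | tr '-' '_')
        if grep -q "^$name " "$modfile"; then
            printf '%s\n' "$m"
        fi
    done
}

# Return success when the kernel reports at least one active IOMMU.
# Assumption: on a booted Linux system /sys/class/iommu holds one entry per
# IOMMU (for example dmar0 or ivhd0); an empty or missing directory means none.
iommu_active() {
    sysdir="${1:-/sys/class/iommu}"
    [ -d "$sysdir" ] || return 1
    [ -n "$(ls -A "$sysdir" 2>/dev/null)" ]
}

# Constructed sample of /proc/modules content for the demonstration below.
SAMPLE_MODULES='firewire_ohci 45056 0 - Live 0x0000000000000000
firewire_core 69632 1 firewire_ohci, Live 0x0000000000000000
ext4 700000 1 - Live 0x0000000000000000'

if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    printf '%s\n' "$SAMPLE_MODULES" > "$tmp/modules"
    echo "Loaded FireWire modules (constructed sample):"
    loaded_firewire_modules "$tmp/modules"
    echo "Blacklist written to: $(write_firewire_blacklist "$tmp")"
    cat "$tmp/blacklist-firewire.conf"
    if iommu_active; then echo "IOMMU: active"; else echo "IOMMU: not detected"; fi
    rm -rf "$tmp"
fi
```

Run it with `--demo` to see the generated config; on a real host, drop `--demo`, call `loaded_firewire_modules` without an argument, and copy the generated file into `/etc/modprobe.d/` (modules already loaded still need `rmmod` or a reboot). As the slide says, this does not guarantee safety: a blacklist only covers the software stack, and Thunderbolt or ExpressCard ports need their own treatment.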

  • Achievements

    Ported libforensic1394 bindings to Ruby

    Integrate FireWire exploit into Metasploit

    Reusable technique for DMA exploitation

    23/ 25

  • Achievements

    Enhanced attack:

    • Smaller attack window

    • Attack continued over TCP/IP

    • Interactionless payload execution

    • Use Metasploit functionality

    https://github.com/mrbreaker/mofo

    24/ 25


  • Metasploit Over Firewire Ownage

    Questions?

    https://github.com/mrbreaker/mofo

    25/ 25
