Advanced Command Injection – Black Hat
Transcript of Advanced Command Injection – Black Hat
![Page 1: Advanced Command Injection – Black Hat](https://reader034.fdocuments.in/reader034/viewer/2022051319/586e29eb1a28abba488c59dc/html5/thumbnails/1.jpg)
![Page 2: Advanced Command Injection – Black Hat](https://reader034.fdocuments.in/reader034/viewer/2022051319/586e29eb1a28abba488c59dc/html5/thumbnails/2.jpg)
david d. rude <bannedit0 [ at ] gmail.com>
Affiliated Computer Services, Penetration Tester, www.acs-inc.com
Metasploit, develops code for stuff, www.metasploit.com
Command Injection

Definition
Command injection is an attack method in which a hacker alters dynamically generated content on a Web page by entering HTML code into an input mechanism, such as a form field that lacks effective validation constraints. A malevolent hacker (also known as a cracker) can exploit that vulnerability to gain unauthorized access to data or network resources. When users visit an affected Web page, their browsers interpret the code, which may cause malicious commands to execute in the users' computers and across their networks.

Uhm… Really???

Definition
An attack technique used to take advantage of a vulnerability which results in the execution of operating-system commands.

Our Focus
OS Command Injection (to be specific)
Windows Operating Systems
Less useful toolset to work with compared to UNIX, Linux, etc.
Harder to work with post exploitation

Examples
CVE-2009-3845 – HP OpenView NNM Perl CGI
CVE-2008-5516 – gitweb, the common repository web interface used by open source projects
CVE-2007-3670 – The infamous IE FirefoxURL protocol handler bug; spawned many related issues

Current Exploits
Typically a low level of sophistication
Most are for Unix/Linux environments
Most use network-related commands for file transfer, etc.

Exploitation Considerations
Some Operating Systems only offer a small set of commands
Command length limits: XP / Win2k3 / Vista 8191 bytes; Win2k 2047 bytes; Win95 / 98 256 bytes
Blind injections

Exploitation Considerations
Commands available on all Operating System targets
Common command flags
Writable/Executable directories
Metacharacter Filters
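The two "Definition" slides and the "Metacharacter Filters" bullet above describe the bug class in one sentence each. The following Ruby is an added example, not code from the talk or from Metasploit: a hostname-to-ping handler written the vulnerable way (string interpolation into one command line), next to a reject-list metacharacter check and the hardened form (allow-list validation plus an argv array so no shell ever parses the input). The inputs are constructed; `ping -n 1` is the Windows syntax the talk's target platform uses.

```ruby
# Added example (not from the talk): a handler that builds an OS command from
# user input, shown vulnerable and then hardened.
require 'open3'

# Constructed user inputs: one legitimate, one carrying a shell metacharacter.
BENIGN_HOST   = "example.com"
INJECTED_HOST = "example.com & whoami"   # constructed, used only to exercise the checks

# VULNERABLE: the input is interpolated into a single string, so cmd.exe / sh
# parses '&', '|', ';', backticks and friends as command separators.
def vulnerable_command(host)
  "ping -n 1 #{host}"
end

# Characters cmd.exe and POSIX sh treat specially. A reject-list like this
# catches the obvious cases but is easy to get wrong, so it is a secondary
# control only; the allow-list below is the primary one.
METACHARS = /[&|;`$<>^()"'\\\n\r%!]/

def contains_metachars?(input)
  !!(input =~ METACHARS)
end

# Allow-list: describe exactly what a hostname may look like (RFC 1123 labels).
HOSTNAME = /\A[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*\z/

def valid_hostname?(input)
  input.length <= 253 && !!(input =~ HOSTNAME)
end

# HARDENED: validate against the allow-list, then pass program and arguments
# as separate array elements. With an argv array Ruby execs the program
# directly; there is no shell to interpret metacharacters.
def safe_ping_argv(host)
  raise ArgumentError, "invalid hostname: #{host.inspect}" unless valid_hostname?(host)
  ["ping", "-n", "1", host]
end

def run_ping(host)
  argv = safe_ping_argv(host)
  out, status = Open3.capture2e(*argv)  # argv form, no shell involved
  [status.success?, out]
end

if __FILE__ == $0
  puts vulnerable_command(INJECTED_HOST)   # the injected separator survives intact
  p contains_metachars?(INJECTED_HOST)     # true
  p safe_ping_argv(BENIGN_HOST)            # ["ping", "-n", "1", "example.com"]
  begin
    safe_ping_argv(INJECTED_HOST)
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

The reject-list regex is included because it is what the talk's "metacharacter filters" bullet refers to: an attacker's obstacle, but also a filter that can be bypassed by whatever the author forgot to list. The allow-list plus argv form removes the shell from the picture entirely, which is why `run_ping` never touches `vulnerable_command`.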

Going Beyond Simple Commands
Upload binary payloads
Gives us more options
More features
Meterpreter FTW!!!

Network Fu
FTP/TFTP
WScript
Fileshares
Mount Remote Drives
rcp

Pros
Fast downloads
Easily scripted
Low overhead (no encoding needed)

Cons
Firewalls
Web Filters
Reliability

Non-network Fu
Debug.exe (not supported on Windows Vista/7)
WScript Scripting.FileSystemObject
batch2binary

Pros
Use existing connection
Bypasses firewalls
Works in harsh environments

Cons
Slower downloads (need to use buffering to prevent errors)
Complex scripting
Overhead (binary to ASCII conversion)

Designing a Command Stager
Must be reliable
Capable of sending any potential payload
Reuse existing connections (bypass firewalls)
Clean up after itself (Non-persistent)
Stream buffering of data
Reasonably fast

Binary to ASCII Conversion
Could use base64
ASCII representation of hex (0x35 = 0x33 0x35)
Ruby: hex = exe.unpack("H*")[0]
Many options

OS Detection
We can use `if exist` to detect the OS
Check for debug.exe (XP or prior)
Echo a 2048 byte long line to a file (XP)
Echo a < 2048 byte long line to a file (Win2k or prior)
Boot.ini grep/find for a string (XP and prior)

Using Covert Channels
Ping.exe can be used to send messages fairly reliably
Even the harshest of environments typically allow outgoing ICMP
We can use packet size as our status indicator
Using the number of packets to send is overkill
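The slide above notes that outbound ICMP is allowed almost everywhere and that packet size, rather than packet count, carries the status signal. From the defender's side that is exactly the feature to watch. The Ruby below is an added example, not code from the talk: it parses a handful of constructed ICMP log records and flags source hosts whose echo requests use non-stock sizes and toggle between several sizes. The log layout (`time src dst proto type len`), the baseline frame lengths (74 for a Windows 32-byte payload, 98 for a Unix 56-byte payload, headers included) and the thresholds are all assumptions to be tuned to the local ping clients.

```ruby
# Added example (not from the talk): flag hosts whose outbound ICMP echo
# requests use unusual or varying frame sizes, the pattern a ping-based
# status channel produces. Log format and thresholds are assumptions.
require 'set'

# Constructed log lines in an assumed "time src dst proto type len" layout.
SAMPLE_LOG = <<~LOG
  12:00:01 10.0.0.5 198.51.100.7 icmp echo-request 74
  12:00:02 10.0.0.5 198.51.100.7 icmp echo-request 74
  12:00:03 10.0.0.5 198.51.100.7 icmp echo-request 74
  12:00:10 10.0.0.9 198.51.100.7 icmp echo-request 142
  12:00:11 10.0.0.9 198.51.100.7 icmp echo-request 1000
  12:00:12 10.0.0.9 198.51.100.7 icmp echo-request 300
  12:00:13 10.0.0.9 198.51.100.7 icmp echo-request 1000
  12:00:14 10.0.0.9 198.51.100.7 icmp echo-request 142
  12:00:20 10.0.0.12 203.0.113.4 icmp echo-request 98
LOG

# Assumed stock frame lengths: 74 = Windows ping (32-byte payload),
# 98 = Unix ping (56-byte payload), each plus IP/ICMP/Ethernet headers.
BASELINE_LENGTHS = Set[74, 98]
MIN_PACKETS      = 3   # need a few samples before judging a host
MIN_DISTINCT     = 2   # a status channel toggles between sizes

Record = Struct.new(:time, :src, :dst, :proto, :type, :len)

# One log line -> Record, or nil for lines that are not ICMP / malformed.
def parse_line(line)
  f = line.split
  return nil unless f.size == 6 && f[3] == "icmp"
  Record.new(f[0], f[1], f[2], f[3], f[4], Integer(f[5]))
end

def parse_log(text)
  text.lines.map(&:strip).reject(&:empty?).map { |l| parse_line(l) }.compact
end

# Group echo requests per source host, keeping the sequence of frame lengths
# so the toggling pattern stays visible to an analyst.
def lengths_by_source(records)
  records.select { |r| r.type == "echo-request" }
         .group_by(&:src)
         .transform_values { |rs| rs.map(&:len) }
end

# A host is suspicious when it has enough packets, at least one non-baseline
# length, and more than one distinct length (size being used as a signal).
def suspicious_sources(records)
  lengths_by_source(records).select do |_src, lens|
    lens.size >= MIN_PACKETS &&
      lens.any? { |l| !BASELINE_LENGTHS.include?(l) } &&
      lens.uniq.size >= MIN_DISTINCT
  end.keys
end

if __FILE__ == $0
  recs = parse_log(SAMPLE_LOG)
  lengths_by_source(recs).each { |src, lens| puts "#{src}: #{lens.inspect}" }
  puts "suspicious: #{suspicious_sources(recs).inspect}"
end
```

Treat a hit as a lead, not a verdict: path MTU discovery and some monitoring agents also send non-default ping sizes, so the next step is to look at what process on the flagged host is issuing the pings and whether the sizes line up with anything legitimate. The same grouping logic works on NetFlow or firewall logs once `parse_line` is adapted to their fields.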

Plan of Attack
The most reliable option is Non-Network Fu
WScript decoder stub (decode a base64 encoded file)
Drop the payload as an executable file and run it
Reverse TCP connections are probably best (Reverse TCP All Ports even better)

Demo time!

Code review

Meterpreter FTW!
An agent which provides a lot of post-exploitation capabilities
Dump Hashes
Upload/Download files
Pivoting
Local Privilege Escalation

Conclusion
Current command injection exploitation techniques are lacking
Reusing existing connections is more reliable
WScript is on all Windows operating systems
Meterpreter Rocks for post exploitation!

Questions?