Static PIE, How and Why - Metasploit's new POSIX payload: Mettle
Static PIE: How and Why
Adam Cammack and Brent Cook, Rapid7
About Us
Adam Cammack
• Metasploit
• Erlang
• Musician
Brent Cook
• Programmer: 30 years
• Father: 13 years
• OpenBSD: 3 years
• Metasploit: 2 years
• @busterbcook
The ABCs of Executable File Formats
A is for a.out
• "Assembler output" – 1968, Ken Thompson
• The file header is literally PDP-7 machine code
C is for .COM
• DEC -> CP/M -> MS-DOS
• Just code + data, no headers
E is for EXE
• MS-DOS to Windows 10, everything in between
• Many different things over time
• Mostly PE/COFF these days
M is for Mach-O
• NeXTStep, iOS, OS X (aka Mac OS :)
• Covers libraries, core dumps, and executables
• Multi-architecture
E is also for ELF
• Also used for executables, libraries and core dumps
• The standard (almost) file format for Unix systems and clones
Of file formats and dynamic linkers
$(CC) -o hello hello.c
Stages of compilation and goals of ELF
• Flexible [1]
• Orthogonal segments and sections
• Arbitrary sections and data
• Configurable element widths for standard arrays
• Each binary explicitly says how it should be loaded and run
• Universal
• Lots of version fields
• Lots of machine-dependent fields
• Big and little endian modes
[1] https://www.linuxjournal.com/node/1060/print
Flavor of ELF: static, dynamic, shared libraries
• Insert Diagrams here
Magic: -fPIC & runtime (re-)linking
• .dynamic section / DYNAMIC segment
• Everything a linker could want
• Mostly duplicates info from the section headers
• Includes helpful info like needed libraries and dynamic object type
• Offset and procedure linkage tables galore
• All symbols resolve to the linker for the first call
• Lazy lookup
Securing ELF
Address Space Layout Randomization (ASLR)
• Buffer overflows require jumping to known offsets
• ASLR randomizes executable layout, making offsets _less_ predictable
• Implemented to varying degrees on many operating systems: BSD, Linux, Windows, Solaris
• Catch – only works with dynamic executables (shared libraries)
Breaking security without even trying
#include <stdio.h>

int main() {
    printf("%p\n", printf); /* address of printf as seen by this process */
    return 0;
}
Breaking security without even trying
bcook@toaster:~$ uname -a
Linux toaster 4.4.0-36-generic #55-Ubuntu SMP Thu Aug 11 18:01:55 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
bcook@toaster:~$ gcc hello.c -o hello
bcook@toaster:~$ ./hello
0x400400
bcook@toaster:~$ ./hello
0x400400
Position Independent Executables (PIE)
• We want to solve 2 problems
• Code can be relocated for security (position-independent code)
• Code can be relocated to avoid conflicts (no MMU)
This is easy, until...
bcook@toaster:~$ gcc hello.c -o hello -fPIC
bcook@toaster:~$ ./hello
0x7f10c8aca7b0
bcook@toaster:~$ ./hello
0x7f8a8a1cd7b0
bcook@toaster:~$ gcc hello.c -o hello -fPIC -static
bcook@toaster:~$ ./hello
0x40f300
bcook@toaster:~$ ./hello
0x40f300
Binaries for offensive use
Position independent shellcode
• Often unpredictable and uncontrollable injection addresses
• Often can’t rely on specifics of target system
• Hand written out of necessity
• All jumps and memory operations relative to instruction pointer or allocated memory
Static Position-dependent Executables
• No dependencies on target libraries
• Straightforward to build
• Requires specific memory addresses to be allocable or clobbered
Static Position-independent Executables
• Would remove memory dependency
• Great for embedded/NOMMU
• Simplifies shellcode
• Simplifies payload generation
• Possible??????
Static Position-independent Executables
• Yes!!! Static PIE is implemented in:
  • OpenBSD 5.7 (on by default on x86/x64)
  • Musl libc on Linux with a custom toolchain (2012)
Prior Work in Metasploit
Reflective DLL injection & Windows Meterpreter
• From Stephen Fewer: https://github.com/stephenfewer/ReflectiveDLLInjection
• TL;DR: Inject a small loader thread that identifies library functions from kernel32, use these to further load dependent libraries and the target library image.
Linux Meterpreter custom linker & loader
• From Philip Sanderson
• Uses an embedded copy of Android Bionic plus custom linker scripts and compiler magic to embed shared libraries as zip archives
• Not fully position independent, leading to loading issues
• At runtime, the loader unpacks and links shared libraries in memory to bootstrap the PIE part of the payload
Pedal to the mettle
A new POSIX meterpreter
Utilizing out-of-tree dependencies
• With our powers combined…
  • curl
  • libdnet
  • libev
  • libeio
  • libsigar
  • mbedtls
• Reliable code we don’t have to write
• We need a toolchain that takes arbitrary libraries and spits out payloads
Generating ELF process images
• It’s simple, just do whatever it is the kernel does
• Ok, so we just mmap(2) these segments…
• And then do some stack magic
• Reference docs to the rescue [1]
[1] http://c9x.me/compile/bib/abi-x64.pdf
Minimizing setup in shellcode
• read(2) the process image
• Push the stack
• Jump
• …
• Profit?
Minimum Stack Layout
Deep magic: -shared -Bstatic -Bsymbolic
• -shared
  • Generate a useful dynamic section
  • Suppress generation of PT_INTERP segment
• -Bstatic
  • Pull in all symbols instead of linking
  • Make sure all symbols are resolved
• -Bsymbolic
  • Generate self-contained relocations
  • Self-interpreting executable (with special crt.o)
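As an added illustration (not code from the talk or from the mettle project), the following Python check reads the ELF header and program headers and sorts a binary into the flavours the slides contrast: the fixed-address executable from the hello.c experiment, the -static build, a dynamic PIE, and a static PIE of the kind -shared -Bstatic -Bsymbolic produces, which carries a dynamic section but no PT_INTERP. It assumes little-endian ELF64 input; the sample images are constructed header-only fixtures, and the e_type and p_type constants are the standard ELF values.

```python
import struct

ET_EXEC, ET_DYN = 2, 3                    # ELF e_type values
PT_LOAD, PT_DYNAMIC, PT_INTERP = 1, 2, 3  # ELF p_type values

def parse_elf64(data):
    """Return (e_type, [p_type, ...]) from a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    # p_type is the first 32-bit field of every program header entry
    return e_type, [struct.unpack_from("<I", data, e_phoff + i * e_phentsize)[0]
                    for i in range(e_phnum)]

def classify(data):
    """Name the ELF flavour the way the slides divide them."""
    e_type, ptypes = parse_elf64(data)
    has_interp = PT_INTERP in ptypes    # kernel hands control to ld.so
    has_dynamic = PT_DYNAMIC in ptypes  # relocation/symbol info is present
    if e_type == ET_EXEC:
        # fixed load address: every function sits at a known offset (no ASLR)
        return "dynamic position-dependent" if has_interp else "static position-dependent"
    if e_type == ET_DYN and has_interp:
        return "dynamic PIE"            # ld.so relocates it to a random base
    if e_type == ET_DYN and has_dynamic:
        return "static PIE"             # no interpreter: must self-relocate
    return "other (e_type=%d)" % e_type

def make_elf(e_type, ptypes):
    """Constructed header-only ELF64 fixture for the examples (not runnable)."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8  # 64-bit, LE, v1
    hdr = ident + struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0x1000,
                              64, 0, 0, 64, 56, len(ptypes), 64, 0, 0)
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, 5, 0, 0, 0, 0, 0, 0x1000)
                     for t in ptypes)
    return hdr + phdrs

if __name__ == "__main__":
    samples = {
        "gcc hello.c -o hello": make_elf(ET_EXEC, [PT_LOAD, PT_INTERP, PT_DYNAMIC]),
        "gcc ... -static": make_elf(ET_EXEC, [PT_LOAD]),
        "dynamic PIE build": make_elf(ET_DYN, [PT_LOAD, PT_INTERP, PT_DYNAMIC]),
        "-shared -Bstatic -Bsymbolic": make_elf(ET_DYN, [PT_LOAD, PT_DYNAMIC]),
    }
    for name, image in samples.items():
        print("%-30s -> %s" % (name, classify(image)))
```

A plain shared library has the same header shape as a static PIE (ET_DYN, PT_DYNAMIC, no PT_INTERP), so a triage tool meant to tell them apart would additionally inspect e_entry and the DF_1_PIE flag in the dynamic section.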
Flexible multi-architecture support
• Cross-compile ALL THE THINGS
• Lots of embedded developers interested in building cross-compilers
• Liberal use of endian.h
export QEMU_STRACE=1
• User-mode qemu doesn’t have man pages
• qemu supports strace-like format (see title)
• It can also host a gdb server for all your favorite tools (-g <port>)
• We can also compile for native Linux and OSX targets to use even more tools
It’s a *NIX system, I know this!
• Portable RAT
• Works on OS X, Linux, Android
• Memory footprint is < 500K
• Supports SOHO routers to large servers with minimal disruption
Future Work
• FreeBSD / OpenBSD / Solaris support
• Windows
• Foothold for other payloads
https://github.com/rapid7/mettle
Demo & QA