Using Guided Missiles in Drive-bys: Automatic Browser Fingerprinting and Exploitation with the Metasploit Framework's Browser Autopwn
2 likes1,238 views
This document discusses using guided missiles in drive-bys through automatic browser fingerprinting and exploitation with the Metasploit Framework's Browser Autopwn module. It describes how the module fingerprints browsers to determine effective exploits, selects targeted exploits, and aims for stealth to evade detection. Examples are provided of writing exploits for the module and its advantages over commercial tools. The document encourages downloading and contributing to its continued development.
![Simple Exploit
content = “<html><body>
<object id='obj' classid='...'></object><script>
#{js_heap_spray}
sprayHeap(#{payload.encoded}, #{target.ret}, 0x4000);
obj.VulnMethod(#{[target.ret].pack(“V”)*1000});
</script></body></html>“
send_response(client, content)
10](https://image.slidesharecdn.com/guided-missiles-090809134641-phpapp02/85/Using-Guided-Missiles-in-Drive-bys-Automatic-Browser-Fingerprinting-and-Exploitation-with-the-Metasploit-Framework-s-Browser-Autopwn-10-320.jpg)
Using Guided Missiles in Drive-bys: Automatic Browser Fingerprinting and Exploitation with the Metasploit Framework's Browser Autopwn
- 1. Using Guided Missiles in Drivebys Automatic browser fingerprinting and exploitation with the Metasploit Framework: Browser Autopwn James Lee
- 2. Browser Autopwn ● Auxiliary module for the Metasploit Framework ● Fingerprints a client ● Determines what exploits might work ● Used to suck ● Now it doesn't 2
- 3. Outline ● Intro ● Cluster bombs ● Guided missiles ● Fingerprinting and targeting ● Stealth ● Demos ● Commercial comparison 3
- 4. # whoami ● James Lee ● egypt ● CoFounder, Teardrop Security ● Developer, Metasploit Project 4
- 5. My Involvement in MSF ● Started submitting patches and bug reports in 2007 ● HD gave me commit access in April 2008 ● Broke the repo April 2008 5
- 6. The Metasploit Framework ● Created by HD Moore in 2003 ● ncurses based game ● Later became a real exploit framework in perl ● Rewritten in ruby in 2005 ● Which is way better than python ● Extensible framework for writing exploits 6
- 7. I <3 MSF ● Modular payloads and encoders ● Many protocols already implemented ● Many nonexploit tools ● All kinds of exploits ● Traditional serverside ● Clientsides 7
- 8. Why Clientsides ● Karmetasploit ● Any other tool that gets you in the middle ● Users are weakest link, blah, blah, blah ● See Chris Gates 8
- 9. Client Exploits in MSF ● Extensive HTTP support ● Heapspray in two lines of code ● Sotirov's .NET DLL, heap feng shui ● Wide range of protocollevel IDS evasion ● Simple exploit in ~10 lines of code 9
- 11. Or Arbitrarily Complex ● ani_loadimage_chunksize is 581 lines of code ● As of June 28, MSF has 85 browser exploit modules 11
- 12. Problem
- 13. Solution
- 14. Cluster Bomb Approach ● Is it IE? Send all the IE sploits ● Is it FF? Send all the FF sploits ● Originally exploits were adhoc ● Pain in the ass when new sploits come out 14
- 15. Problem
- 16. Solution
- 17. Guided Missile Approach ● Better client and OS fingerprinting ● less likely to crash or hang the browser ● Only send exploits likely to succeed ● Browser is IE7? Don't send IE6 sploits, etc. 17
- 18. Fingerprinting the Client ● User Agent ● Easy to spoof ● Easy to change in a proxy ● A tiny bit harder to change in JS 18
- 19. Fingerprinting the Client ● Various JS objects only exist in one browser ● window.opera, Array.every ● Some only exist in certain versions ● window.createPopup, Array.every, window.Iterator ● Rendering differences and parser bugs ● IE's conditional comments 19
- 20. Internet Explorer ● Parser bugs, conditional comments ● Reliable, but not precise ● ScriptEngine*Version() ● Almost unique across all combinations of client and OS ● Brought to my attention by Jerome Athias 20
- 21. Opera ● window.opera.version() ● Includes minor version, e.g. “9.61” 21
- 22. Hybrid Approach for FF ● Existence of document.getElementsByClassName means Firefox 3.0 ● If User Agent says IE6, go with FF 3.0 ● If UA says FF 3.0.8, it's probably not lying, so use the more specific value 22
- 23. Safari ● Still in progress ● Existence of window.console ● If Firebug is installed on FF, shows up there, too ● Availability of window.onmousewheel ● Defaults to null, so have to check typeof 23
- 24. Fingerprinting the OS ● User Agent ● Could use something like p0f ● From the server side, that's about it 24
- 25. Internet Explorer ● Again, ScriptEngine*Version() ● Almost unique across all combinations of client and OS, including service pack 25
- 26. Opera ● Each build has a unique opera.buildNumber() ● Gives platform, but nothing else 26
- 27. Firefox ● navigator.platform and friends are affected by the User Agent string ● navigator.oscpu isn't ● “Linux i686” ● “Windows NT 6.0” 27
- 28. Others ● Really all we're left with is the User Agent ● That's okay, most don't lie ● And those that do are likely to be patched anyway ● Generic, works everywhere when UA is not spoofed 28
- 29. Future Fingerprinting ● QuickTime ● Adobe ● Less wellknown third party stuff 29
- 30. ActiveX ● “new ActiveXObject()” works if you have the class name ● Otherwise, IE doesn't seem to have a generic way to tell if an ActiveX object got created ● document.write(“<object ...>”) ● document.createElement(“object”) 30
- 31. Solution ● typeof(obj.method) ● 'undefined' if the object failed to initialize ● 'unknown' or possibly a real type if it worked 31
- 32. Target Acquired
- 33. What is it Vulnerable to? ● Coarse determination serverside ● JavaScript builds fingerprint, sends it back to the server ● Server sends sploits that match the browser and OS, possibly version ● Fine determination clientside ● navigator.javaEnabled exists, try mozilla_navigatorjava 33
- 34. Select a Missile ● Sort by reliability ● Exploits contain their own JS tests
- 35. Problem
- 36. Solution 36
- 37. Obfuscation ● Randomize identifiers ● Build strings from other things ● JSON / AJAX ● Obfuscation is not crypto 37
- 38. Encryption ● Put a key in the URL ● Not available in the standalone script ● Simple XOR is enough to beat AV and NIDS ● If they figure it out, it's easy to make the crypto stronger 38
- 40. And we're back... ● I hope that worked ● Now how do YOU make exploits work within this framework? 40
- 41. Writing Exploits ● Add autopwn_info() to top of exploit class ● :ua_name is an array of browsers this exploit will work against ● :vuln_test is some javascript to test for the vulnerability (unless it's ActiveX) ● Usually comes directly from the exploit anyway 41
- 42. Example: mozilla_navigatorjava include Msf::Exploit::Remote::BrowserAutopwn autopwn_info({ :ua_name => HttpClients::FF, :javascript => true, :rank => NormalRanking,#reliable memory corruption :vuln_test => %Q| if ( window.navigator.javaEnabled && window.navigator.javaEnabled() ){ is_vuln = true; } |, }) 42
- 45. Browser Autopwn Summary ● Reliable Target Acquisition ● Smart Missile Selection ● Stealthy from an AV perspective ● Easy to extend ● Detection results stored in a database 45
- 46. Commercial Comparison ● Mpack ● Firepack ● Neosploit ● Luckysploit 46
- 47. Mpack, Firepack ● Hard to acquire ● Old exploits ● Detection is only serverside ● Hard to change or update exploits ● Obfuscation + XOR 47
- 48. Neosploit ● Compiled ELFs run as CGI ● Unless you get the source or do some RE, you won't really know what it does 48
- 49. Luckysploit ● Real crypto (RSA, RC4) ● Even harder to acquire 49
- 50. Browser Autopwn ● Easy to write new exploits or take out old ones ● Free (threeclause BSD license) ● Easy to get (http://metasploit.com) ● Not written in PHP ● OS and client detection is clientside, more reliable in presence of spoofed or borked UA 50
- 51. Future ● More flexible payload selection ● Stop when you get a shell ● Maybe impossible in presence of NAT/proxies ● Easiertouse JS obfuscation ● UAProf for mobile devices ● Integration with MetaPhish 51
- 52. Download it ● svn co http://metasploit.com/svn/framework3/trunk ● Submit patches to msfdev@metasploit.com 52
- 53. Thanks ● hdm, valsmith, tebo, mc, cg, Dean de Beer, pragmatk ● Everybody who helped with testing ● Whoever created ActiveX