ExtraBacon's Sploit Framework
Or: How to break the Ruby Bonds of Metasploit
By: Daniel Reilly (Oni)
https://github.com/dreilly369
https://the-it-ninja.blogspot.com/
https://www.linkedin.com/in/daniel-reilly-58b28171
Disclaimer
● This is my own work, not endorsed, supported, or generally approved of by good people.
● I don't encourage malicious attacks.
● I do encourage offensive security and asymmetric layered defense.
Where'd this come from?
● ShadowBrokers announces their supposed Equation Group tool dump and teaser files.
● Cisco Confirms EXBA is effective against several versions of ASA *
● Researchers report porting the exploit to newer ASA versions *
● Gov't (sort of) acknowledges tools by charging Harold T. Martin III *
● I decide to fork the core Sploit code and port one of my favorite configuration exploits (PostgreSQL lo_creat()) as a PoC
Let me be clear
● I love Metasploit...but
– You don't always need a tank.
– I am not a fan of Ruby.
– Custom Tools F.T.W.
– Sploits can run from much smaller devices. Possibly IoT small (currently a hypothesis).
Workflow of a MSF Exploit
● Make sure Postgres is configured/running
● Start MSFConsole or Armitage
● db_nmap the target subnet
● Run some favorite exploit/payload combos based on services discovered
● If you're fancy you export all of these commands to a resource script
Sploit's place in the world
● Sploit is for turning an exploit into a tool.
● Metasploit is for when you have a target and need to find an exploit. Sploit is the opposite.
● Normal flow might be:
– Find an exploitable flaw (or borrow one like I have)
– Write Exploit by extending the Sploit class
– Convert exploit script to command line tool using distutils
● Py2exe compile a windows executable? Sure why not.
– Distribute tool to minions.
– Minions hack the Gibsons
What is a Sploit?
● Sploit is a Python class for flexible exploit delivery. By default it was designed to deliver custom SNMP packets to firewalls. But why stop there?
● extrabacon_1.1.0.1.py can be thought of as similar to an MSF resource script...on steroids. It handles fingerprinting, version selection, exploit running, post-exploit cleanup, etc. It extends the Sploit class with exploit-specific functionality.
● Zen of Sploit Development: “Define exploit workflow as subcommands”. These in turn define the actions available for each step.
Structure of a Sploit
Sploit Functions
Core
● __init__()
● __del__()
● _init_parser()
● description()
● enable_debugging()
● launch()
● pre_exploit()
● send_exploit()
● post_exploit()
● run()
● send_touch()
Communication Management
● create_socket()
● build_payload()
● build_shellcode()
● version_check()
● generate_exploit()
● generate_touch()
● parse_error()
● perform_healthcheck()
Data Management
● get_key_dir()
● get_key_file()
● list_from_file()
● post_touch()
● report_key()
CLI Parameter Management
● add_connection_params()
● add_healthcheck_params()
● add_key_params()
● add_logging_params()
● add_subcommand()
● pre_parse()
● post_parse()
● setup_parser()
Types of Subcommands
● Information Subcommands
– Generate data about systems. In my example the “seek” and “dict” Subcommands. Also the Crypto Key Management subcommands.
● Action Subcommands
– Attempt to change the state of the target in some way. In my example the “destroy” Subcommand.
● Shortcut Subcommands
– Combine two or more Subcommand ideas into one command. In my example I combine all three exploit steps into one command, “seek-and-destroy”.
Versions
● The Extrabacon release had ~17 different version files focused between 8.0.1 and 8.4.4 (with the notable exception of 8.1.x)
● Version files hold the details about the modifications to the exploit needed for a specific version of the target app (NOP length, offsets, etc.)
● Version files could also be used to differentiate between O.S.es, architectures, payload choice, etc.
● Not all Sploits need multiple version files.
Versions Files
Veganowner
● Based on msf/modules/exploits/multi/postgres/postgres_createlang.rb
● Uses C instead of scripting
● Writes a pseudo-randomly named malicious DLL to the system which contains a reverse_tcp Shell.
● Credit and thanks for the original exploit module go to:
– 'Micheal Cottingham', # author of this module
– 'midnitesnake', # the postgres_payload module that this is based on
– 'Nixawk' # Improves the module
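A defender-side complement to the technique this slide describes, added here as an example and not part of the talk or the Sploit code: it scans constructed PostgreSQL statement logs for the primitives this exploit lineage relies on (a large object written with lo_creat/lo_export, then a C-language function registered against that file, or the scripting-language CREATE LANGUAGE route of the original postgres_createlang module) and correlates them per backend session so that a lone legitimate large-object export does not fire. The log lines and the log_line_prefix layout are assumptions.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "pid user rule statement")

# Constructed PostgreSQL statement log (log_statement = 'all'), not from the talk: a benign
# query, the on-disk payload chain of the Veganowner / postgres_payload lineage
# (lo_creat -> lo_export -> C function -> call), then traffic from an unrelated backend.
SAMPLE_LOG = """
2024-01-01 10:00:01 UTC [1201] postgres@postgres LOG:  statement: SELECT version();
2024-01-01 10:00:02 UTC [1201] postgres@postgres LOG:  statement: SELECT lo_creat(-1);
2024-01-01 10:00:02 UTC [1201] postgres@postgres LOG:  statement: SELECT lo_export(16501, 'C:/Windows/Temp/zqhwkt.dll');
2024-01-01 10:00:03 UTC [1201] postgres@postgres LOG:  statement: CREATE FUNCTION zqhwkt() RETURNS void AS 'C:/Windows/Temp/zqhwkt.dll', 'zqhwkt' LANGUAGE C STRICT;
2024-01-01 10:00:03 UTC [1201] postgres@postgres LOG:  statement: SELECT zqhwkt();
2024-01-01 10:00:09 UTC [1202] app@inventory LOG:  statement: SELECT * FROM items WHERE id = 42;
"""
# Assumes a log_line_prefix of '%m [%p] %u@%d '; adjust to the prefix your servers use.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<user>[^@\s]+)@(?P<db>\S+) "
    r"LOG:\s+statement:\s+(?P<stmt>.*)$"
)
# One rule per primitive. None is malicious alone (DBAs use large objects and
# extensions ship C functions), so findings are correlated per backend below.
RULES = [
    ("lo_create", re.compile(r"\blo_creat(e)?\s*\(", re.I)),
    ("lo_write_to_disk", re.compile(r"\blo_export\s*\(", re.I)),
    ("c_language_function", re.compile(r"\bCREATE\s+(OR\s+REPLACE\s+)?FUNCTION\b.*\bLANGUAGE\s+C\b", re.I)),
    # the scripting-language route of the original postgres_createlang module
    ("create_language", re.compile(r"\bCREATE\s+(OR\s+REPLACE\s+)?(TRUSTED\s+)?(PROCEDURAL\s+)?LANGUAGE\b", re.I)),
]

def scan(log_text):
    """One Finding per (statement, rule) match, in log order."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        for name, rx in RULES:
            if rx.search(m["stmt"]):
                findings.append(Finding(m["pid"], m["user"], name, m["stmt"]))
    return findings

def chained_sessions(findings):
    """Backend pids that both exported a large object to disk and registered a C function."""
    rules_by_pid = {}
    for f in findings:
        rules_by_pid.setdefault(f.pid, set()).add(f.rule)
    return sorted(p for p, r in rules_by_pid.items() if {"lo_write_to_disk", "c_language_function"} <= r)

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f.rule}] pid={f.pid} user={f.user}: {f.statement}")
    print("chained sessions:", chained_sessions(scan(SAMPLE_LOG)))
```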
Veganowner Subcommands
Seek
Dict(ionary)
Destroy
Seek-And-Destroy
Demo Time
Initial Infection
Reverse TCP Callback
Persistent Bot
Sockets & Spoofing
● Original EXBA Exploit can use Scapy to manually construct TCP packets with Spoofed src info
● PostgreSQL uses TCP 5432
● Conclusion: IP white-listing/black-listing is not a sufficient defense.
– TCP traffic NEEDS IPSec and/or a separate VPN/C.
– Check out Karyn Benson's research on Internet Background Radiation (IBR)
Concluding thought
Resources
● http://www.securityweek.com/leaked-cisco-asa-exploit-adapted-newer-versions
● https://blog.silentsignal.eu/2016/08/25/bake-your-own-extrabacon/
● https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160817-asa-snmp
● https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/admin/cisco/cisco_asa_extrabacon.rb
● https://www.youtube.com/watch?v=wjva6ZJyhwE
● https://gist.github.com/sampsyo/462717
● https://www.goodreads.com/author/show/3787.Daniel_Schorr
● Audio Track - “BackOUt” by BlakOpz
● https://www.youtube.com/watch?v=OJgOUITOpQ8