Integrating DMA attacks in Metasploit
Rory Breuk [email protected]
Albert Spruyt [email protected]
University of Amsterdam
May 23, 2012
1/ 25
Introduction
Goal: Metasploit Over Firewire Ownage
Computer architecture
Diagram: CPU connected to the Northbridge, which connects RAM and the Southbridge; the Southbridge carries PCMCIA, Thunderbolt, FireWire, SATA and PCI.
Computer architecture cont.
• Memory divided into 4KiB pages
• Virtual / physical addresses
DMA attack vectors
• FireWire
• Thunderbolt
• PCMCIA / CardBus / ExpressCard
Previous work
• Encryption key / password extraction
• Winlockpwn / FTWAutopwn / Inception
• libforensic1394
Goals
Use DMA attacks with Metasploit
Why?
• Huge potential, but under-utilized
• Widespread awareness is lacking
• Making it easy
• Lots of possibilities
Usecase
Diagram: the Local attacker connects to the Target over IEEE1394; the Target reaches the Remote attacker over the Internet.
Usecase (cont.): 169.254.x.x
Metasploit concepts
Diagram: as on the Usecase slide (Local attacker, IEEE1394, Target, Internet, Remote attacker), with Exploits labelled on the IEEE1394 side and Payloads on the Internet side.
Payloads
Diagram: RAM / LightDM
What to patch: Library call, Patch
Windows DEMO
Target: Windows 7 SP1 32bit
• Find the signature
• Inject payload
Problems
• Need to interact with the system
• Easily user detectable
• Detectable by tripwire
Proposed solution
Stage 1:
• Inject stager
• Allocate new page
Stage 2:
• Restore originally patched code
Stage 3:
• Inject second stager
• Restore process
• Execute payload
Stage 1: Inject stager
Flow: Save state, Find signature, Allocate page, Save code, Inject special stager, Copy loop, Jump to page
Stage 2: Restore code
• Find the new page
• Restore patched code
Stage 3: Finish
• Upload second stager + payload
• Directly overwrites running code
Flow: Fork, Restore process, Execute payload
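The three stages above leave two traces on the target that a host-side integrity check can look for: the patched bytes in the running process's text (present only between Stage 1 and Stage 2) and the freshly allocated executable page the stager is copied into. The following Python is an added example from the defender's side, not code from the slides or from the mofo project. It assumes Linux /proc; a live run needs ptrace rights on the target process (root or CAP_SYS_PTRACE). The parsing and comparison functions take text and bytes, so they run offline on the constructed sample data embedded below; the sample maps lines and byte strings are constructed, not captured from a real system.

```python
"""Added example, not code from the slides or the mofo project: two host-side
checks, from the defender's side, for the in-memory patching the deck describes.
Assumes Linux /proc; a live run needs ptrace rights on the target (root or
CAP_SYS_PTRACE).  The pure functions take text/bytes so they run offline."""
import re
import sys

# One line of /proc/<pid>/maps: start-end perms offset dev inode [path]
_MAPS_LINE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+([0-9a-f]+)\s+\S+\s+\d+\s*(.*)$")


def parse_maps(maps_text):
    """Return (start, end, perms, file_offset, path) tuples; path is '' when anonymous."""
    out = []
    for line in maps_text.splitlines():
        m = _MAPS_LINE.match(line)
        if m:
            out.append((int(m[1], 16), int(m[2], 16), m[3], int(m[4], 16), m[5].strip()))
    return out


def anonymous_exec_mappings(maps_text):
    """Executable mappings with no file behind them.  A page allocated at run
    time and filled with copied code (Stage 1 on the slides) lands here; the
    kernel's own [vdso]/[vsyscall] entries are file-less too but are skipped."""
    return [(s, e) for s, e, perms, _, path in parse_maps(maps_text)
            if "x" in perms and (path == "" or path.startswith("[anon"))]


def find_patched_ranges(expected, actual):
    """[(offset, length)] runs where the live bytes differ from the on-disk bytes."""
    if len(expected) != len(actual):
        raise ValueError("buffers must be the same length")
    runs, start = [], None
    for i, (e, a) in enumerate(zip(expected, actual)):
        if e != a:
            if start is None:
                start = i
        elif start is not None:
            runs.append((start, i - start))
            start = None
    if start is not None:
        runs.append((start, len(expected) - start))
    return runs


def read_text_segment(pid, binary):
    """Live only: bytes of the first executable mapping of `binary` as seen in
    /proc/<pid>/mem, paired with the same range read from the file on disk."""
    with open(f"/proc/{pid}/maps") as f:
        mappings = parse_maps(f.read())
    for start, end, perms, offset, path in mappings:
        if "x" in perms and path == binary:
            break
    else:
        raise LookupError(f"no executable mapping of {binary} in pid {pid}")
    with open(f"/proc/{pid}/mem", "rb") as mem:
        mem.seek(start)
        live = mem.read(end - start)
    with open(binary, "rb") as disk_file:
        disk_file.seek(offset)
        # the tail of the last page past EOF is zero-filled by the kernel
        disk = disk_file.read(end - start).ljust(end - start, b"\0")
    return disk, live


# Constructed sample data (not captured from a real system).
DISK_TEXT = b"\x55\x48\x89\xe5" + b"\x90" * 12 + b"\xc3"   # 17 bytes of "code" on disk
LIVE_TEXT = DISK_TEXT[:4] + b"\x31\xc0" + DISK_TEXT[6:]    # same, with 2 bytes patched at offset 4
SAMPLE_MAPS = "\n".join([
    "00400000-00401000 r-xp 00000000 08:01 1234 /usr/bin/demo",
    "00600000-00601000 rw-p 00000000 08:01 1234 /usr/bin/demo",
    "7f0000000000-7f0000001000 rwxp 00000000 00:00 0 ",       # file-less executable page
    "7ffd00000000-7ffd00021000 rw-p 00000000 00:00 0 [stack]",
    "7ffd00100000-7ffd00102000 r-xp 00000000 00:00 0 [vdso]",
])


def main(argv):
    if len(argv) != 3:
        print("usage: check_text.py <pid> <path-to-binary>")
        return 2
    pid, binary = int(argv[1]), argv[2]
    disk, live = read_text_segment(pid, binary)
    print("patched ranges:", find_patched_ranges(disk, live))
    with open(f"/proc/{pid}/maps") as f:
        print("anonymous executable mappings:",
              [(hex(s), hex(e)) for s, e in anonymous_exec_mappings(f.read())])
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Two caveats for using this as a tripwire-style check. First, a single snapshot only catches the text patch while it is in place, and Stage 2 exists precisely to make that window short, so the check has to run repeatedly and the file-less executable mapping is the more durable signal. Second, JIT runtimes and some interpreters legitimately create anonymous executable pages, and a few binaries carry text relocations, so the baseline should come from a known-good instance of the same process rather than an expectation of zero differences.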
Interactionless exploit
Xorg
• root permissions
• runs periodically
Linux DEMO
Target: Ubuntu 12.04
Look ma, no hands!
• Stagers, IDS evasion
• Target process is kept alive
Mitigation: theoretical
Theoretical:
• IOMMU
No practical implementations
Mitigation: practical
For the consultants:
• Don’t buy them
• Destroy them / glue them
• Disable them
• Deny physical access
Does not guarantee safety
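"Disable them" on Linux usually means keeping the bus drivers from loading, and the two ways of doing that are not equivalent: a `blacklist` line in modprobe.d only stops alias-based autoloading when a device is plugged in, while `install <module> /bin/false` also defeats an explicit modprobe. The following Python is an added example, not code from the slides or the mofo project, that checks a host for the practical mitigations on this slide and for the IOMMU the previous slide calls theoretical (current kernels expose it under /sys/kernel/iommu_groups). It assumes standard Linux paths; DMA_BUS_MODULES is an assumed subset of drivers for the buses named on the attack-vectors slide, not an exhaustive list; the parsers take text so they run offline on the constructed samples embedded below.

```python
"""Added example, not code from the slides or the mofo project: a host check for
the practical mitigations on the deck (disable the interfaces) and for an IOMMU.
Assumes Linux; the parsers take text so they run offline, main() reads the
live /proc and /sys files.  DMA_BUS_MODULES is an assumed subset, not an
exhaustive list of DMA-capable drivers."""
import glob
import os
import re

# Drivers for the buses named on the DMA attack vectors slide (assumed subset).
DMA_BUS_MODULES = {
    "firewire_ohci", "firewire_core", "firewire_sbp2",   # current FireWire stack
    "ohci1394", "sbp2",                                   # legacy ieee1394 stack
    "thunderbolt",
    "yenta_socket", "pcmcia", "pcmcia_core",              # PCMCIA / CardBus bridges
}


def _norm(name):
    # modprobe treats '-' and '_' in module names as equivalent
    return name.replace("-", "_")


def loaded_dma_modules(proc_modules_text):
    """Names from the first column of /proc/modules that are in DMA_BUS_MODULES."""
    found = []
    for line in proc_modules_text.splitlines():
        name = line.split(" ", 1)[0]
        if name and _norm(name) in DMA_BUS_MODULES:
            found.append(name)
    return found


def blacklist_coverage(modprobe_conf_text, module):
    """How modprobe.d configuration blocks `module`:
    'install'   -> `install <mod> /bin/false` (or /bin/true): also blocks an explicit modprobe
    'blacklist' -> `blacklist <mod>`: only stops alias-based autoloading on hot-plug
    None        -> not blocked"""
    want = _norm(module)
    result = None
    for raw in modprobe_conf_text.splitlines():
        words = raw.split("#", 1)[0].split()
        if len(words) >= 2 and _norm(words[1]) == want:
            if words[0] == "install" and len(words) >= 3 and words[2] in ("/bin/false", "/bin/true"):
                return "install"
            if words[0] == "blacklist":
                result = "blacklist"
    return result


def iommu_status(cmdline, iommu_group_names):
    """An active IOMMU populates /sys/kernel/iommu_groups/.  The cmdline shows
    whether it was asked for explicitly (Intel needs intel_iommu=on; AMD
    firmware usually enables it without a flag)."""
    return {
        "groups": len(iommu_group_names),
        "active": len(iommu_group_names) > 0,
        "requested_on_cmdline": bool(re.search(r"\b(intel_iommu|amd_iommu)=on\b", cmdline)),
    }


# Constructed sample inputs (not captured from a real host).
SAMPLE_MODULES = "\n".join([
    "firewire_ohci 40960 0 - Live 0xffffffffc0a00000",
    "firewire_core 69632 1 firewire_ohci, Live 0xffffffffc09e0000",
    "ext4 778240 1 - Live 0xffffffffc0800000",
])
SAMPLE_CONF = "\n".join([
    "# constructed /etc/modprobe.d/no-dma.conf",
    "blacklist firewire-core",
    "install firewire_ohci /bin/false",
])


def main():
    with open("/proc/modules") as f:
        loaded = loaded_dma_modules(f.read())
    conf = ""
    for path in glob.glob("/etc/modprobe.d/*.conf"):
        with open(path) as f:
            conf += f.read() + "\n"
    with open("/proc/cmdline") as f:
        cmdline = f.read()
    groups_dir = "/sys/kernel/iommu_groups"
    groups = os.listdir(groups_dir) if os.path.isdir(groups_dir) else []
    print("loaded DMA-capable bus modules:", loaded or "none")
    for mod in sorted(DMA_BUS_MODULES):
        print(f"  {mod:15s} blocked by: {blacklist_coverage(conf, mod)}")
    print("IOMMU:", iommu_status(cmdline, groups))


if __name__ == "__main__":
    main()
```

A populated iommu_groups directory shows the IOMMU is enabled; whether a hot-plugged device is actually placed in a restrictive domain before it can issue DMA depends on the kernel version and its configuration, which is one reason the slide's "Does not guarantee safety" still applies. Unloading a module that is currently in use, and physical removal or denial of access, are outside what this check can observe.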
Achievements
• Ported libforensic1394 bindings to Ruby
• Integrated the FireWire exploit into Metasploit
• Reusable technique for DMA exploitation
Achievements
Enhanced attack:
• Smaller attack window
• Attack continued over TCP/IP
• Interactionless payload execution
• Use Metasploit functionality
https://github.com/mrbreaker/mofo
Metasploit Over Firewire Ownage
Questions?
https://github.com/mrbreaker/mofo