Integrating DMA attacks in Metasploit
Rory Breuk, Albert Spruyt
University of Amsterdam

May 23, 2012

1/ 25

Introduction

Goal: Metasploit Over Firewire Ownage


Computer architecture

[Diagram: CPU connected to the Northbridge, which connects to RAM; the Southbridge hosts the peripheral buses: PCMCIA, Thunderbolt, FireWire, SATA, PCI]

Computer architecture (cont.)

Memory is divided into 4 KiB pages. Virtual vs. physical addresses.

DMA attack vectors

• FireWire
• Thunderbolt
• PCMCIA / CardBus / ExpressCard

Previous work

• Encryption key / password extraction
• Winlockpwn / FTWAutopwn / Inception
• libforensic1394

Goals

Use DMA attacks with Metasploit. Why?
• Huge potential, but underutilized
• Widespread awareness is lacking
• Making it easy
• Lots of possibilities

Use case

[Diagram: the local attacker is connected to the target over IEEE 1394 (FireWire); the remote attacker reaches the target over the Internet. The second build of the slide adds the link-local address 169.254.x.x]

Metasploit concepts

[Diagram: the same use case; the IEEE 1394 link is labelled "Exploits" and the Internet link to the remote attacker is labelled "Payloads"]

Payloads

[Diagram: RAM holding the LightDM process; "What to patch": a library call is patched]

Windows DEMO

Target: Windows 7 SP1 32-bit
• Find the signature
• Inject payload

Problems

• Need to interact with the system
• Easily detectable by the user
• Detectable by Tripwire

Proposed solution

Stage 1:
• Inject stager
• Allocate new page

Stage 2:
• Restore originally patched code

Stage 3:
• Inject second stager
• Restore process
• Execute payload

Stage 1: Inject stager

[Diagram: Save state; Find signature; Allocate page; Save code; Inject special stager; Copy loop; Jump to page]

Stage 2: Restore code

• Find the new page
• Restore patched code

Stage 3: Finish

• Upload second stager + payload
• Directly overwrites running code

[Diagram: Fork; Restore process; Execute payload]

Interactionless exploit

Xorg
• root permissions
• runs periodically

Linux DEMO

Target: Ubuntu 12.04
• Look ma, no hands!
• Stagers, IDS evasion
• Target process is kept alive

Mitigation: theoretical

Theoretical:
• IOMMU

No practical implementations

Mitigation: practical

For the consultants:
• Don’t buy them
• Destroy them / glue them
• Disable them
• Deny physical access

Does not guarantee safety
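The practical mitigations above come down to disabling the DMA-capable buses and, where the platform offers it, turning on the IOMMU. As an added example (not from the slides or the mofo project), the Python below audits a Linux host from captured `lsmod` output and the kernel command line: it reports which FireWire, CardBus or Thunderbolt drivers are loaded, whether an IOMMU was requested at boot, and renders the modprobe.d fragment that disables the exposed drivers. The module names are the standard Linux ones; the sample inputs are constructed.

```python
import re
# Kernel modules that expose an externally reachable DMA-capable bus:
# the FireWire stack (current and legacy IEEE 1394 names), the CardBus
# bridge and Thunderbolt. These are standard Linux module names.
DMA_BUS_MODULES = {
    "firewire_ohci": "FireWire (IEEE 1394) host controller",
    "firewire_core": "FireWire core",
    "firewire_sbp2": "FireWire storage protocol",
    "ohci1394": "legacy IEEE 1394 host controller",
    "ieee1394": "legacy IEEE 1394 core",
    "yenta_socket": "CardBus/PCMCIA bridge",
    "thunderbolt": "Thunderbolt",
}

def loaded_modules(lsmod_text):
    """Module names from `lsmod` output; the first line is the header."""
    return {line.split()[0] for line in lsmod_text.splitlines()[1:] if line.split()}

def iommu_requested(cmdline):
    """True if the kernel command line turns the IOMMU on (Intel or AMD).
    This only shows the flag was requested; it does not prove enforcement."""
    return re.search(r"\b(intel_iommu|amd_iommu)=on\b", cmdline) is not None

def audit(lsmod_text, cmdline):
    """Report loaded DMA-capable bus drivers and whether an IOMMU was requested."""
    exposed = sorted(m for m in loaded_modules(lsmod_text) if m in DMA_BUS_MODULES)
    iommu = iommu_requested(cmdline)
    return {"exposed_modules": exposed, "iommu": iommu,
            "at_risk": bool(exposed) and not iommu}

def blacklist_conf(report):
    """Render a /etc/modprobe.d fragment that disables the exposed drivers.
    `install <mod> /bin/false` also blocks on-demand loading, not just autoload."""
    lines = []
    for m in report["exposed_modules"]:
        lines += [f"# {DMA_BUS_MODULES[m]}", f"blacklist {m}", f"install {m} /bin/false"]
    return "\n".join(lines)

# Constructed sample: FireWire stack loaded, no IOMMU flag on the command line.
SAMPLE_LSMOD = """Module                  Size  Used by
firewire_ohci          40566  0
firewire_core          57152  1 firewire_ohci
crc_itu_t              12707  1 firewire_core
e1000e                178014  0
"""
SAMPLE_CMDLINE = "BOOT_IMAGE=/boot/vmlinuz-3.2.0 root=/dev/sda1 ro quiet splash"
if __name__ == "__main__":
    report = audit(SAMPLE_LSMOD, SAMPLE_CMDLINE)
    print(report)
    print(blacklist_conf(report))
```

On a live host, feed it the real output of `lsmod` and the contents of `/proc/cmdline`; the rendered fragment goes into `/etc/modprobe.d/` and takes effect after the modules are unloaded or on the next boot.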

Achievements

• Ported libforensic1394 bindings to Ruby
• Integrated FireWire exploit into Metasploit
• Reusable technique for DMA exploitation

Enhanced attack:
• Smaller attack window
• Attack continued over TCP/IP
• Interactionless payload execution
• Use Metasploit functionality

https://github.com/mrbreaker/mofo

Metasploit Over Firewire Ownage

Questions?

https://github.com/mrbreaker/mofo
