Friday, January 18, 2013

Owning Real Things

So part of the Immunity interview process derives from real-world problems you have when hacking. The test is this: We give people a web application with a simple system("USER DATA HERE") vulnerability, and then we see if they can own the target. And by own, we mean "Have interactive access as root".

It's not hard, for people with real operator experience. Literally, 5 minutes, in some cases from butt-in-seat to "#". In most cases, however, it's hours of frustration. Look - if you can't handle a few hours of frustration in your interview you're not Immunity material probably.

The difference is partially mindset. How do you deal with transferring a file from point A to point B when there are unknown firewall rules in the way, and unknown tools on the remote box (not to mention unknown latency and packetloss issues). Let's just say, for example, that wget isn't on the box, and ftp seems blocked. Now what?

See, if SWORDFISH was anywhere near accurate, that's more the problem he would have been solving while the gun was to his head.

There are a number of options for doing the Ruby on Rails exploit - one of which is to call back as a Ruby command and build what we would call a "Shell Listener" in Ruby. Essentially, to stay in the web server process and load stage after stage of Ruby code.

This has benefits (nothing touches disk, for example), but is also subject to problems when the process times out. So eventually you want to upload another trojan, and have that trojan connect back to you. But over what ports? And how? Keep in mind you don't get to see the results of any of your commands that you run.

CANVAS includes a simple exploit type called the CommandLineExecutor which is designed for exactly this kind of problem. You just derive your exploit from this base class, provide it a simple way to execute commands, and it will execute a series of commands to get MOSDEF connectivity back to you. It is, as a New Zealander would say "Sweet As".

First, of course, it determines what OS it is on, and then it determines what directories it can write into, and then what programs it can use to upload onto that machine, and then finally, what ports it can use to get outbound. SOUNDS simple, doesn't it? It's this sort of innovation that really feeds into SWARM - which is a whole different story I'll tell later. :>

No comments: