Advanced Exploiting

This site is meant to give interested readers a short overview of my "Advanced Exploiting" research project. If you look at the currently available (enterprise-level) security products you can see two big trends:

1. The security products are getting better (host as well as network based)
2. The security products are getting more complex (protocol inspection, parsers, ...)

For an attacker this poses two challenges:

1. Find (new) ways to still be able to bypass these ("better") security products
2. Find vulnerabilities within these security products to manipulate them or their configuration

I find these two topics very exciting, so I'm doing some personal research on the possibilities to bypass or attack "modern enterprise" security products. I'm doing this because I want to know the strengths as well as the limitations of these products.


Overview and Scope

This project deals with different aspects of software vulnerabilities and their exploitation. I'm currently focusing on advanced exploitation techniques regarding remote memory corruption vulnerabilities within network services that are deployed in (highly secured) enterprise environments. The following figure gives a broad overview of the whole project and its scope.

Figure 1: Exploitation Matrix


MCV - There are many different software vulnerability classes that allow an attacker to compromise systems. The vulnerabilities I'm currently focusing on are memory corruption vulnerabilities (MCV). MCV include, among others, buffer overflows, format string vulnerabilities, integer overflows and so on. MCV can affect all kinds of software: OS kernels, client apps (browsers, mail clients, P2P clients, IM clients, ...), network services (Apache, IIS, Samba, ...), embedded systems, security products etc. Furthermore it is possible to distinguish between remote and local vulnerabilities. Remote vulnerabilities allow an attacker to compromise remote systems without any prior access to the vulnerable system (e.g. through a vulnerable network service), whereas local vulnerabilities usually allow an attacker to escalate her/his privileges on a system she/he already has access to (e.g. through a vulnerable setuid binary). This project is currently focusing on remotely exploitable MCV within network services.

Already known MCV vs. 0-day MCV - Either the vulnerability is publicly known (there's an advisory and perhaps even a patch/fix for it) or the vulnerability is kept secret and only known to its discoverer (0-day).

Exploiting - When it comes to the exploitation of MCV there are two possible approaches: either the exploit that takes advantage of the MCV is meant as a mere proof of concept, or advanced techniques are used that make the exploit survive in the wild. Both variants are discussed in the following.

Proof of Concept - Proof of Concept (PoC) exploits try to demonstrate the existence of a vulnerability. They are usually very fragile and only meant to work in lab environments without any security measures in place (see milw0rm, packetstorm, etc.).

Advanced Exploiting - Two of the biggest buzzwords in IT security today are "0-day vulnerabilities" and "0-day exploits". There's a lot of effort going into finding new 0-day vulns within widespread software products, and they are indeed one of the biggest threats today. But what harm can a new fancy remote 0-day vuln do if the corresponding exploit

(1) has a bad implementation of the injection vector or simply won't survive in the wild
(2) is very fragile/unreliable
(3) uses standard remote payloads (like bindport or backconnect)
(4) spawns a standard shell for further communication
(5) doesn't consider network/local detection/prevention mechanisms, forensics, honeypots, ...

What if the victim server is protected by "modern" security technologies like stateful firewalling, reverse proxies, (deep) packet and protocol inspection as well as host based security measures? What if the victim server is monitored by a NIDS/HIDS?

Well, the new fancy 0-day vuln/exploit will in fact be of very little value in such "enterprise" environments. What I want to say is that 0-day vulns are only one half of the cake. To successfully break into protected enterprise server systems you also need a set of advanced exploit development techniques.

Or look at well-known vulnerabilities. Most people think they have no value for breaking into enterprise-level server systems just because: [a] they are public, [b] the services are already patched, [c] the security measures prevent the already available PoC exploits from working and [d] IDS have patterns/signatures to detect the attack. Well, I don't fully agree with that. There are quite a few problems with security updates or patches. Who hasn't heard sentences like: "Well, we can't apply this security patch because we don't know if the app *** will still work.", "If we apply the security patch the vendor *** will no longer provide support for the app ***.", "Before we apply this security patch it must be fully tested, so that we can be sure there will be no problems in the production environment.", "We have firewalls, so patching is not necessary.", etc. To sum this up, there are a lot of unpatched server systems out there even if the vulnerability is well-known and the patch is available. But just as with 0-day vulnerabilities, advanced exploit development techniques are required to successfully compromise even very well protected enterprise-level server systems.

The "Advanced Exploiting" project now deals with three different aspects of advanced exploit development techniques:

(1) Robust exploits for real life environments
(2) Bypass of preventive security measures
(3) Stealth

These three aspects are described further in the following.

Robust exploits for real life environments - These are techniques that allow an exploit to survive in the wild (unlike milw0rm, packetstorm, full disclosure or bugtraq PoCs). There are many different issues a robust exploit has to deal with outside a lab environment, like slow connections, packet loss, NAT, (reverse) proxies, etc.

Bypass of preventive security measures - To successfully attack enterprise-level server systems it's necessary to bypass, during the actual exploitation phase, the security measures that are protecting these systems.

Stealth - This involves all techniques that allow an attacker to remain untraceable during the actual exploitation phase as well as in the post-exploitation phase (forensics).

The following figures give an overview of some security measures that try to stop, detect or complicate the exploitation of memory corruption vulnerabilities.

Figure 2: Security measures regarding the actual exploitation phase

Figure 3: Security measures regarding the post exploitation phase


These are the security measures that need to be bypassed when attacking enterprise-level server systems.

To summarize the scope of this project: it is currently focusing on advanced exploitation techniques regarding remote memory corruption vulnerabilities within network services that are deployed in (very well protected) enterprise environments.


Material and further information

Besides this spartan website you can find some more information regarding my research in the following presentation, which I gave at the IT-Defense security conference 2005.

Presentation (in German): Advanced Exploiting


What is the intention of this site?

Or: "What the hell does this guy want with this page? There's no *real* information nor code available that proves his claims!"

Well, you are absolutely right ;) In an ideal world this site wouldn't be needed, but:

Unfortunately there are some incompetent/shady journalists and wannabe experts out there who have to comment on everything even if they have no clue about the topic. Actually this explanation should be enough, but let me describe this a bit further:

As I went public with some aspects of my research (see the IT-Defense speech) some journalists didn't get the point and wrote totally crappy articles about it. They are technically wrong and contain quotes I never said. Even better are the "experts" that commented on these articles. There are discussions about personal firewalls and anti-virus software ... but stop, did I say anything about these topics? NO. Did I mention them in my speech? NO. Has my research project or the speech anything to do with personal firewalls, browser attacks or anti-virus software? NO.

So the intent of this site is to clarify what this research project as well as the speech is all about. I know this won't stop the aforementioned journalists and self-proclaimed experts from writing totally unrelated crap, but I hope all the others (that are interested in this whole topic) now got a clue.