Web ApplicationSecurity Payloads

http://www.bonsai-sec.com/

Andrés Riancho – Lucas Apa

Ekoparty 2010

2

Web Application Security Payloads

lucas@bonsai-sec.com$ whoami Consultant @ Bonsai Information Security

Penetration Testing y Vulnerability Research

Web Application Security enthusiast

3

Web Application Security Payloads

andres@bonsai-sec.com$ whoami Founder @ Bonsai Information Security

Director of Web Security @ Rapid7

Programmer (python!)

Open Source Evangelist

Deep knowledge in networking , design and IPS evasion.

Project leader: open source w3af

4

Web Application Security Payloads

w3af w3af is a Web Application Attack and Audit Framework

Open Source tool (GPLv2.0) to detect and exploit Web vulnerabilities.

Plugin based architecture, easely extensible.

Development started late 2006 on my spare time, and growing tillpresent, moment in which we have multiple contributors round theglobe and a full time developer on our office.

5

Web Application Security Payloads

6

Web Application Security Payloads

Actual Situation Exploitation frameworks like Metasploit provides mainly “payloads”

to use specially on the best case, in other words, when there iscontrol on the execution flow. (“exploit for buffer overflow”).

Web applications allows us, depending on the vulnerability, tointeract with the system in a particular way:

Local file read

File write

SQL Commands execution

OS Commands execution

Till now, Which steps of post-exploitation can we make in anautomatized way in an environment where we can´t execute OS system commands?

7

Web Application Security Payloads

Actual Situation Additionally, Web vulnerabilities are mutating every time faster

making their post exploitation leading to have no starting or final objective defined.

Many different automatized tools are focusing in the particular, in exploiting a vulnerability emphasizing on the how.

Not defined which information is going to be compromised. Thevulnerabilities expires or changes.

8

Web Application Security Payloads

Web Application Security Payloads

9

Web Application Security Payloads

Small pieces of code running in w3af after exploiting one or moreknown vulnerabilities.

Every payload is independent of the discovered vulnerabilities. By themeans the exploit exports “System Calls”, that are then used bypayloads:

Design

Exploit System calls exported System calls emulated

Local file read read()

Local file include read()

OS Commanding execute() read() , write() , unlink()

DAV Shell write() execute() , read(), unlink()

File Upload write() execute() , read(), unlink()

10

Web Application Security Payloads

Payloads are in general 100 lines of code that uses some system calls,like for example “running_vm”:

Design

~53 Payloads developed

12

Web Application Security Payloads

Demo #1:“users”

13

Web Application Security Payloads

Sinergy between payloadsre

ad() System call to

read files use

rs Payload thatreads/etc/passwdand identifieshome directories

use

rs_c

on

fig_

file

s Payload whichuses theknowledgegained of home directories and looks forconfigurationfiles there.

14

Web Application Security Payloads

Demo #2:Sinergy between

payloads: “users_config_files”

15

Web Application Security Payloads

Demo #3:Integration with w3af:

“get_source_code”

16

Web Application Security Payloads

Conclusions and pending work Conceptualize this idea as an standar in automatized post-

explotación over Web Applications.

Develop more payloads for Windows environments.

Research about syscall hooking and remote syscall delivery by Web Applications Payloads.

Syscall Hierachy Priority : when exists more than one syscall, whichone we use to communicate with the remote system? Faster? More privileged?

Contribute with the global community discovering new attacktechniques through minimalistic post-exploitation approaches, expanding the information they gather.

17

Web Application Security Payloads

¿Doubts?¿Questions?

18

Web Application Security Payloads

Thank you!