ExtraBacon's Sploit Framework
Or: How to break the Ruby Bonds of Metasploit
By: Daniel Reilly (Oni)
https://github.com/dreilly369
https://the-it-ninja.blogspot.com/
https://www.linkedin.com/in/daniel-reilly-58b28171

Post on 22-Jan-2018

TRANSCRIPT

Page 1: Extrabacons sploit core

ExtraBacon's Sploit Framework

Or: How to break the Ruby Bonds of Metasploit

By: Daniel Reilly (Oni)
https://github.com/dreilly369
https://the-it-ninja.blogspot.com/
https://www.linkedin.com/in/daniel-reilly-58b28171

Page 2: Extrabacons sploit core

Disclaimer

● This is my own work, not endorsed, supported, or generally approved of, by good people.

● I don't encourage malicious attacks.

● I do encourage offensive security and asymmetric layered defense.

Page 3: Extrabacons sploit core

Where'd this come from?

● ShadowBrokers announces their supposed Equation Group tool dump and teaser files.

● Cisco Confirms EXBA is effective against several versions of ASA *

● Researchers report porting the exploit to newer ASA versions *

● Gov't (sort of) acknowledges tools by charging Harold T. Martin III *

● I decide to fork the core Sploit code and port one of my favorite configuration exploits (PostgreSQL lo_creat()) as a PoC

Page 4: Extrabacons sploit core

Let me be clear

● I love Metasploit...but

– You don't always need a tank.

– I am not a fan of Ruby.

– Custom Tools F.T.W.

– Sploits can run from much smaller devices.

● Possibly IoT small (currently a hypothesis)

Page 5: Extrabacons sploit core

Workflow of a MSF Exploit

● Make sure Postgres is configured/running

● Start MSFConsole or Armitage

● db_nmap the target subnet

● Run some favorite exploit/payload combos based on services discovered

● If you're fancy you export all of these commands to a resource script

Page 6: Extrabacons sploit core

Sploit's place in the world

● Sploit is for turning an exploit into a tool.

● Metasploit is for when you have a target and need to find an exploit. Sploit is the opposite.

● Normal flow might be:

– Find an exploitable flaw (or borrow one like I have)

– Write Exploit by extending the Sploit class

– Convert exploit script to command line tool using distutils

● Py2exe compile a Windows executable? Sure, why not.

– Distribute tool to minions.

– Minions hack the Gibsons

Page 7: Extrabacons sploit core

What is a Sploit?

● Sploit is a Python class for flexible exploit delivery. By default it was designed to deliver custom SNMP packets to firewalls. But why stop there?

● extrabacon_1.1.0.1.py can be thought of as similar to a MSF resource script...on steroids. It handles fingerprinting, version selection, exploit running, post exploit cleanup, etc. It extends the Sploit Class with exploit-specific functionality

● Zen of Sploit Development: “Define exploit workflow as subcommands”. These in turn define the actions available for each step.

Page 8: Extrabacons sploit core

Structure of a Sploit

Page 9: Extrabacons sploit core

Sploit Functions

Core

● __init__()

● __del__()

● _init_parser()

● description()

● enable_debugging()

● launch()

● pre_exploit()

● send_exploit()

● post_exploit()

● run()

● send_touch()

Communication Management

● create_socket()

● build_payload()

● build_shellcode()

● version_check()

● generate_exploit()

● generate_touch()

● parse_error()

● perform_healthcheck()

Data Management

● get_key_dir()

● get_key_file()

● list_from_file()

● post_touch()

● report_key()

CLI Parameter Management

● add_connection_params()

● add_healthcheck_params()

● add_key_params()

● add_logging_params()

● add_subcommand()

● pre_parse()

● post_parse()

● setup_parser()

Page 10: Extrabacons sploit core

Types of Subcommands

● Information Subcommands

– Generate data about systems. In my example the “seek” and “dict” Subcommands. Also the Crypto Key Management subcommands

● Action Subcommands

– Attempt to change the state of the target in some way. In my example the “destroy” Subcommand

● Shortcut Subcommands

– Combine two or more Subcommand ideas into one command. In my example I combine all three exploit steps into one command, “seek-and-destroy”

Page 11: Extrabacons sploit core

Versions

● The Extrabacon release had ~17 different version files focused between 8.0.1 and 8.4.4 (with the notable exception of 8.1.x)

● Version files hold the details about the modifications to the exploit needed for a specific version of the target app (NOP length, offsets, etc.)

● The version files could also be used to differentiate between operating systems, architectures, payload choice, etc.

● Not all Sploits need multiple version files.
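Slides 7, 9, 10 and 11 describe the pattern: a Sploit base class, each workflow step exposed as a subcommand (information, action, shortcut), and per-version files that supply version-specific tuning. The sketch below is an added illustration of that pattern, not the deck's or the Sploit project's own code; the class and function names, the profile fields and the sample banner are assumptions constructed for it, and the version lookup fails closed for versions without a file (the deck notes 8.1.x had none).

```python
import argparse
from dataclasses import dataclass

@dataclass(frozen=True)
class VersionProfile:
    """Stand-in for one version file: per-version tuning (NOP length, offsets)."""
    version: str
    nop_len: int
    offset: int

# Constructed sample "version files"; deliberately no 8.1.x entry, as in the deck.
VERSIONS = {p.version: p for p in (
    VersionProfile("8.0.1", nop_len=8, offset=0x100),
    VersionProfile("8.4.4", nop_len=16, offset=0x140),
)}

class Sploit:
    """Base class: each exploit workflow step is an argparse subcommand."""
    def __init__(self, prog):
        self.parser = argparse.ArgumentParser(prog=prog)
        self.subs = self.parser.add_subparsers(dest="cmd", required=True)
        self.handlers = {}
    def add_subcommand(self, name, handler, help_text):
        sub = self.subs.add_parser(name, help=help_text)
        sub.add_argument("--version", default=None)
        self.handlers[name] = handler
    def version_check(self, version):
        # Fail closed: an unknown version has no profile, so no step can use it.
        if version not in VERSIONS:
            raise ValueError(f"no version file for {version}")
        return VERSIONS[version]
    def run(self, argv):
        args = self.parser.parse_args(argv)
        return self.handlers[args.cmd](args)

class DemoSploit(Sploit):
    BANNER = "demo-app 8.4.4 ready"  # constructed fingerprint, not a real service
    def __init__(self):
        super().__init__("demosploit")
        self.add_subcommand("seek", self.seek, "information: fingerprint the version")
        self.add_subcommand("check", self.check, "action: select the version profile")
        self.add_subcommand("seek-and-check", self.seek_and_check, "shortcut: both")
    def seek(self, args):
        return self.BANNER.split()[1]  # information subcommand: version string
    def check(self, args):
        return self.version_check(args.version)  # action step depends on a profile
    def seek_and_check(self, args):
        args.version = self.seek(args)  # shortcut: chain seek into the action
        return self.check(args)
```

Running `DemoSploit().run(["seek-and-check"])` selects the 8.4.4 profile, while `run(["check", "--version", "8.1.1"])` raises because no version file covers it.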

Page 12: Extrabacons sploit core

Versions Files

Page 13: Extrabacons sploit core

Veganowner

● Based on msf/modules/exploits/multi/postgres/postgres_createlang.rb

● Uses C instead of scripting

● Writes a pseudo-randomly named malicious DLL to the system which contains a reverse_tcp shell.

● Credit and thanks for the original exploit module go to:

– 'Micheal Cottingham', # author of this module

– 'midnitesnake', # the postgres_payload module that this is based on

– 'Nixawk' # improves the module

Page 14: Extrabacons sploit core

Veganowner Subcommands

Page 15: Extrabacons sploit core

Seek

Page 16: Extrabacons sploit core

Dict(ionary)

Page 17: Extrabacons sploit core

Destroy

Page 18: Extrabacons sploit core

Seek-And-Destroy

Page 19: Extrabacons sploit core

Demo Time

Page 20: Extrabacons sploit core

Initial Infection

Page 21: Extrabacons sploit core

Reverse TCP Callback

Page 22: Extrabacons sploit core

Persistent Bot

Page 23: Extrabacons sploit core

Sockets & Spoofing

● Original EXBA exploit can use Scapy to manually construct TCP packets with spoofed src info

● PostgreSQL uses TCP 5432

● Conclusion: IP white-listing/black-listing is not a sufficient defense.

– TCP traffic NEEDS IPSec and/or a separate VPN/C.

– Check out Karyn Benson's research on Internet Background Radiation (IBR)

Page 24: Extrabacons sploit core

Concluding thought

Page 25: Extrabacons sploit core

Resources

● http://www.securityweek.com/leaked-cisco-asa-exploit-adapted-newer-versions

● https://blog.silentsignal.eu/2016/08/25/bake-your-own-extrabacon/

● https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160817-asa-snmp

● https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/admin/cisco/cisco_asa_extrabacon.rb

● https://www.youtube.com/watch?v=wjva6ZJyhwE

● https://gist.github.com/sampsyo/462717

● https://www.goodreads.com/author/show/3787.Daniel_Schorr

● Audio Track - “BackOUt” by BlakOpz

● https://www.youtube.com/watch?v=OJgOUITOpQ8