Static PIE, How and Why - Metasploit's new POSIX payload: Mettle
![Page 1: Static PIE, How and Why - Metasploit's new POSIX payload: Mettle](https://reader034.vdocument.in/reader034/viewer/2022051520/589af0c81a28ab3e288b4c53/html5/thumbnails/1.jpg)
Static PIE: How and Why
Adam Cammack and Brent Cook, Rapid7
![Page 2: Static PIE, How and Why - Metasploit's new POSIX payload: Mettle](https://reader034.vdocument.in/reader034/viewer/2022051520/589af0c81a28ab3e288b4c53/html5/thumbnails/2.jpg)
About Us
![Page 3: Static PIE, How and Why - Metasploit's new POSIX payload: Mettle](https://reader034.vdocument.in/reader034/viewer/2022051520/589af0c81a28ab3e288b4c53/html5/thumbnails/3.jpg)
Adam Cammack
Metasploit, Erlang
Musician
![Page 4: Static PIE, How and Why - Metasploit's new POSIX payload: Mettle](https://reader034.vdocument.in/reader034/viewer/2022051520/589af0c81a28ab3e288b4c53/html5/thumbnails/4.jpg)
Brent Cook
Programmer: 30 years
Father: 13 years
OpenBSD: 3 years
Metasploit: 2 years
@busterbcook
![Page 5: Static PIE, How and Why - Metasploit's new POSIX payload: Mettle](https://reader034.vdocument.in/reader034/viewer/2022051520/589af0c81a28ab3e288b4c53/html5/thumbnails/5.jpg)
The ABCs of Executable File Formats
![Page 6: Static PIE, How and Why - Metasploit's new POSIX payload: Mettle](https://reader034.vdocument.in/reader034/viewer/2022051520/589af0c81a28ab3e288b4c53/html5/thumbnails/6.jpg)
A is for a.out
"Assembler output" – 1968, Ken Thompson
The file header is literally PDP-7 machine code
![Page 7: Static PIE, How and Why - Metasploit's new POSIX payload: Mettle](https://reader034.vdocument.in/reader034/viewer/2022051520/589af0c81a28ab3e288b4c53/html5/thumbnails/7.jpg)
C is for .COM
DEC -> CP/M -> MS-DOS
Just code + data, no headers
![Page 8: Static PIE, How and Why - Metasploit's new POSIX payload: Mettle](https://reader034.vdocument.in/reader034/viewer/2022051520/589af0c81a28ab3e288b4c53/html5/thumbnails/8.jpg)
E is for EXE
MS-DOS to Windows 10, everything in between
Many different things over time
Mostly PE/COFF these days
![Page 9: Static PIE, How and Why - Metasploit's new POSIX payload: Mettle](https://reader034.vdocument.in/reader034/viewer/2022051520/589af0c81a28ab3e288b4c53/html5/thumbnails/9.jpg)
M is for Mach-O
NeXTStep, iOS, OS X (aka Mac OS :)
Covers libraries, core dumps, and executables
Multi-architecture
![Page 10: Static PIE, How and Why - Metasploit's new POSIX payload: Mettle](https://reader034.vdocument.in/reader034/viewer/2022051520/589af0c81a28ab3e288b4c53/html5/thumbnails/10.jpg)
E is also for ELF
Also used for executables, libraries and core dumps
The standard (almost) file format for Unix systems and clones
![Page 11: Static PIE, How and Why - Metasploit's new POSIX payload: Mettle](https://reader034.vdocument.in/reader034/viewer/2022051520/589af0c81a28ab3e288b4c53/html5/thumbnails/11.jpg)
$(CC) -o hello hello.c
Of file formats and dynamic linkers
![Page 12: Static PIE, How and Why - Metasploit's new POSIX payload: Mettle](https://reader034.vdocument.in/reader034/viewer/2022051520/589af0c81a28ab3e288b4c53/html5/thumbnails/12.jpg)
Stages of compilation and goals of ELF
• Flexible [1]
  • Orthogonal segments and sections
  • Arbitrary sections and data
  • Configurable element widths for standard arrays
  • Each binary explicitly says how it should be loaded and run
• Universal
  • Lots of version fields
  • Lots of machine-dependent fields
  • Big and little endian modes

[1] https://www.linuxjournal.com/node/1060/print
![Page 13: Static PIE, How and Why - Metasploit's new POSIX payload: Mettle](https://reader034.vdocument.in/reader034/viewer/2022051520/589af0c81a28ab3e288b4c53/html5/thumbnails/13.jpg)
Flavor of ELF: static, dynamic, shared libraries
• Insert Diagrams here
![Page 14: Static PIE, How and Why - Metasploit's new POSIX payload: Mettle](https://reader034.vdocument.in/reader034/viewer/2022051520/589af0c81a28ab3e288b4c53/html5/thumbnails/14.jpg)
Magic: -fPIC & runtime (re-)linking
• .dynamic section / DYNAMIC segment
  • Everything a linker could want
  • Mostly duplicates info from the section headers
  • Includes helpful info like needed libraries and dynamic object type
• Offset and procedure linking tables galore
  • All symbols resolve to the linker for the first call
  • Lazy lookup
![Page 15: Static PIE, How and Why - Metasploit's new POSIX payload: Mettle](https://reader034.vdocument.in/reader034/viewer/2022051520/589af0c81a28ab3e288b4c53/html5/thumbnails/15.jpg)
Securing ELF
![Page 16: Static PIE, How and Why - Metasploit's new POSIX payload: Mettle](https://reader034.vdocument.in/reader034/viewer/2022051520/589af0c81a28ab3e288b4c53/html5/thumbnails/16.jpg)
Address Space Layout Randomization (ASLR)
• Buffer overflows require jumping to known offsets
• ASLR randomizes executable layout, making offsets _less_ predictable
• Implemented to varying degrees on many operating systems
  • BSD, Linux, Windows, Solaris
• Catch – only works with dynamic executables (shared libraries)
![Page 17: Static PIE, How and Why - Metasploit's new POSIX payload: Mettle](https://reader034.vdocument.in/reader034/viewer/2022051520/589af0c81a28ab3e288b4c53/html5/thumbnails/17.jpg)
Breaking security without even trying

```c
#include <stdio.h>

int main(void)
{
    /* Print where printf lives; the same value on every run means this image is never relocated */
    printf("%p\n", (void *)printf);
    return 0;
}
```
![Page 18: Static PIE, How and Why - Metasploit's new POSIX payload: Mettle](https://reader034.vdocument.in/reader034/viewer/2022051520/589af0c81a28ab3e288b4c53/html5/thumbnails/18.jpg)
Breaking security without even trying

```
bcook@toaster:~$ uname -a
Linux toaster 4.4.0-36-generic #55-Ubuntu SMP Thu Aug 11 18:01:55 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
bcook@toaster:~$ gcc hello.c -o hello
bcook@toaster:~$ ./hello
0x400400
bcook@toaster:~$ ./hello
0x400400
```
![Page 19: Static PIE, How and Why - Metasploit's new POSIX payload: Mettle](https://reader034.vdocument.in/reader034/viewer/2022051520/589af0c81a28ab3e288b4c53/html5/thumbnails/19.jpg)
Position Independent Executables (PIE)
• We want to solve 2 problems
  • Code can be relocated for security (position independent code)
  • Code can be relocated to avoid conflicts (no MMU)
![Page 20: Static PIE, How and Why - Metasploit's new POSIX payload: Mettle](https://reader034.vdocument.in/reader034/viewer/2022051520/589af0c81a28ab3e288b4c53/html5/thumbnails/20.jpg)
This is easy, until...

```
bcook@toaster:~$ gcc hello.c -o hello -fPIC
bcook@toaster:~$ ./hello
0x7f10c8aca7b0
bcook@toaster:~$ ./hello
0x7f8a8a1cd7b0
bcook@toaster:~$ gcc hello.c -o hello -fPIC -static
bcook@toaster:~$ ./hello
0x40f300
bcook@toaster:~$ ./hello
0x40f300
```
![Page 21: Static PIE, How and Why - Metasploit's new POSIX payload: Mettle](https://reader034.vdocument.in/reader034/viewer/2022051520/589af0c81a28ab3e288b4c53/html5/thumbnails/21.jpg)
![Page 22: Static PIE, How and Why - Metasploit's new POSIX payload: Mettle](https://reader034.vdocument.in/reader034/viewer/2022051520/589af0c81a28ab3e288b4c53/html5/thumbnails/22.jpg)
Binaries for offensive use
![Page 23: Static PIE, How and Why - Metasploit's new POSIX payload: Mettle](https://reader034.vdocument.in/reader034/viewer/2022051520/589af0c81a28ab3e288b4c53/html5/thumbnails/23.jpg)
Position independent shellcode
• Often unpredictable and uncontrollable injection addresses
• Often can’t rely on specifics of target system
• Hand written out of necessity
• All jumps and memory operations relative to instruction pointer or allocated memory
![Page 24: Static PIE, How and Why - Metasploit's new POSIX payload: Mettle](https://reader034.vdocument.in/reader034/viewer/2022051520/589af0c81a28ab3e288b4c53/html5/thumbnails/24.jpg)
Static Position-dependent Executables
• No dependencies on target libraries
• Straightforward to build
• Requires specific memory addresses to be allocable or clobbered
![Page 25: Static PIE, How and Why - Metasploit's new POSIX payload: Mettle](https://reader034.vdocument.in/reader034/viewer/2022051520/589af0c81a28ab3e288b4c53/html5/thumbnails/25.jpg)
Static Position-independent Executables
• Would remove memory dependency
• Great for embedded/NOMMU
• Simplifies shellcode
• Simplifies payload generation
• Possible??????
![Page 26: Static PIE, How and Why - Metasploit's new POSIX payload: Mettle](https://reader034.vdocument.in/reader034/viewer/2022051520/589af0c81a28ab3e288b4c53/html5/thumbnails/26.jpg)
Static Position-independent Executables
• Yes!!! Static PIE is implemented in:
  • OpenBSD 5.7 (on by default on x86/x64)
  • musl libc on Linux with a custom toolchain (2012)
![Page 27: Static PIE, How and Why - Metasploit's new POSIX payload: Mettle](https://reader034.vdocument.in/reader034/viewer/2022051520/589af0c81a28ab3e288b4c53/html5/thumbnails/27.jpg)
Prior Work in Metasploit
![Page 28: Static PIE, How and Why - Metasploit's new POSIX payload: Mettle](https://reader034.vdocument.in/reader034/viewer/2022051520/589af0c81a28ab3e288b4c53/html5/thumbnails/28.jpg)
Reflective DLL injection & Windows Meterpreter
• From Stephen Fewer: https://github.com/stephenfewer/ReflectiveDLLInjection
• TL;DR: Inject a small loader thread that identifies library functions from kernel32, use these to further load dependent libraries and the target library image.
![Page 29: Static PIE, How and Why - Metasploit's new POSIX payload: Mettle](https://reader034.vdocument.in/reader034/viewer/2022051520/589af0c81a28ab3e288b4c53/html5/thumbnails/29.jpg)
Linux Meterpreter custom linker & loader
• From Philip Sanderson
• Uses an embedded copy of Android Bionic plus custom linker scripts and compiler magic to embed shared libraries as zip archives
• Not fully position independent, leading to loading issues
• At runtime, the loader unpacks and links shared libraries in memory to bootstrap the PIE part of the payload
![Page 30: Static PIE, How and Why - Metasploit's new POSIX payload: Mettle](https://reader034.vdocument.in/reader034/viewer/2022051520/589af0c81a28ab3e288b4c53/html5/thumbnails/30.jpg)
Pedal to the mettle
A new POSIX Meterpreter
![Page 31: Static PIE, How and Why - Metasploit's new POSIX payload: Mettle](https://reader034.vdocument.in/reader034/viewer/2022051520/589af0c81a28ab3e288b4c53/html5/thumbnails/31.jpg)
Utilizing out-of-tree dependencies
• With our powers combined…
  • curl
  • libdnet
  • libev
  • libeio
  • libsigar
  • mbedtls
• Reliable code we don’t have to write
• We need a toolchain that takes arbitrary libraries and spits out payloads
![Page 32: Static PIE, How and Why - Metasploit's new POSIX payload: Mettle](https://reader034.vdocument.in/reader034/viewer/2022051520/589af0c81a28ab3e288b4c53/html5/thumbnails/32.jpg)
Generating ELF process images
• It’s simple, just do whatever it is the kernel does
• Ok, so we just mmap(2) these segments…
• And then do some stack magic
• Reference docs to the rescue [1]

[1] http://c9x.me/compile/bib/abi-x64.pdf
![Page 33: Static PIE, How and Why - Metasploit's new POSIX payload: Mettle](https://reader034.vdocument.in/reader034/viewer/2022051520/589af0c81a28ab3e288b4c53/html5/thumbnails/33.jpg)
Minimizing setup in shellcode
• read(2) the process image
• Push the stack
• Jump
• …
• Profit?
![Page 34: Static PIE, How and Why - Metasploit's new POSIX payload: Mettle](https://reader034.vdocument.in/reader034/viewer/2022051520/589af0c81a28ab3e288b4c53/html5/thumbnails/34.jpg)
Minimum Stack Layout
![Page 35: Static PIE, How and Why - Metasploit's new POSIX payload: Mettle](https://reader034.vdocument.in/reader034/viewer/2022051520/589af0c81a28ab3e288b4c53/html5/thumbnails/35.jpg)
Deep magic: -shared -Bstatic -Bsymbolic
• -shared
  • Generate a useful dynamic section
  • Suppress generation of PT_INTERP segment
• -Bstatic
  • Pull in all symbols instead of linking
  • Make sure all symbols are resolved
• -Bsymbolic
  • Generate self-contained relocations
  • Self-interpreting executable (with special crt.o)
![Page 36: Static PIE, How and Why - Metasploit's new POSIX payload: Mettle](https://reader034.vdocument.in/reader034/viewer/2022051520/589af0c81a28ab3e288b4c53/html5/thumbnails/36.jpg)
Flexible multi-architecture support
• Cross-compile ALL THE THINGS
• Lots of embedded developers interested in building cross-compilers
• Liberal use of endian.h
![Page 37: Static PIE, How and Why - Metasploit's new POSIX payload: Mettle](https://reader034.vdocument.in/reader034/viewer/2022051520/589af0c81a28ab3e288b4c53/html5/thumbnails/37.jpg)
export QEMU_STRACE=1
• User-mode qemu doesn’t have man pages
• qemu supports strace-like format (see title)
• It can also host a gdb server for all your favorite tools (-g <port>)
• We can also compile for native Linux and OSX targets to use even more tools
![Page 38: Static PIE, How and Why - Metasploit's new POSIX payload: Mettle](https://reader034.vdocument.in/reader034/viewer/2022051520/589af0c81a28ab3e288b4c53/html5/thumbnails/38.jpg)
It’s a *NIX system, I know this!
• Portable RAT
• Works on OS X, Linux, Android
• Memory footprint is < 500K
• Supports SOHO routers to large servers with minimal disruption
![Page 39: Static PIE, How and Why - Metasploit's new POSIX payload: Mettle](https://reader034.vdocument.in/reader034/viewer/2022051520/589af0c81a28ab3e288b4c53/html5/thumbnails/39.jpg)
Future Work
FreeBSD / OpenBSD / Solaris support
Windows
Foothold for other payloads

https://github.com/rapid7/mettle
![Page 40: Static PIE, How and Why - Metasploit's new POSIX payload: Mettle](https://reader034.vdocument.in/reader034/viewer/2022051520/589af0c81a28ab3e288b4c53/html5/thumbnails/40.jpg)
Demo & QA