Thursday, April 12, 2018

Stealing the Socket for Policy and Profit

One exploit that has fascinated me for more than a couple of years is this one by Yuange of NSFOCUS. When I mentioned this on Twitter, Yuange himself pointed me at this paper, where he describes a bit of his technique and his philosophy. A few things stick out from this exploit:

The first, is he was ahead of his time in adopting the PE parsing technique for writing portable Windows shellcode. He also had a uniquely Chinese style of writing the entire exploit in C, and having the shellcode just "compiled" instead of hand written. Thirdly, he used an entirely new and innovative method of stealing the socket on IIS by using the built in ISAPI handler calls. Fourthly, he built in a micro-backdoor to his exploit shellcode.



I want to highlight the third thing - the socket stealing. But first, I want to look at the work of another well known hacker group: LSD-PL. I can't remember now if their Windows Asmcode paper was the first public example of the PE-parsing technique for Windows shellcode. I remember Oded Horowitz worked in that area before it was public (and also wrote a special purpose linker for Windows which allowed you to write your shellcode in C using Visual Studio).

LSD used a specific technique for their FindSck Asmcode which looks almost exactly like their Unix version. I'll paste it below since a significant portion of the policy community is learning hacker assembly now.

Page 22 of this presentation has the decompilation of this.

In this case they go through every FD from 0 to 0xffff and call getpeername() on it. Then they see if the source port is the one they hardcoded into the shellcode at runtime to look for.

However, compare that technique to the first GOCode in Apache Nosejob from hacker comedy group Gobbles. Apache Nosejob was the second version of Apache-scalp, which exploited an "impossible" bug released by IIS XForce researcher Mark Dowd.


As you can see it's called "GOCode" because on the remote side, the shellcode is going through its FDs and sending "G" to them and the exploit responds to that G with an O as a simple handshake. This technique is obviously noisier (every socket gets a G, like in some weird Oprah show!) but more resilient against certain kinds of networking environments (aka NAT).

But why are all these somewhat contemporary techniques so different? And why even invest this kind of time and energy in stealing sockets?

Here's what Yuange has to say:


And here is what LSD has to say about that same thing:


One key point from the LSD-pl Windows slides is that they implemented a mini-backdoor in assembly partially to solve the problem all Unix hackers had moving to Windows before Powershell was included by default - the OS feels lobotomized.

Shellcode is called "Shellcode" because a Unix shell is a full-featured programming environment. There are thousands of ways to transfer files from point A to point B given shell access to a 1990's Unix system. This is not nearly as easy on Windows 2000. But LSD and Yuange both realized that the path of least resistance on Windows was to build file transfer into your stage-1 assembly code rather than trying to script up a debug.com wrapper.

Yuange's IIS exploit doesn't "pop cmd.exe" - it has this mini-shell for the operator to use.
So now let's go back to the Yuange exploit and talk about the ISAPI-stealing code as if you are 22yo me, puzzling over it. The first thing he does is set an exception handler for all access violations, and then he walks up the stack, testing for a possible EXTENSION_CONTROL_BLOCK.


The ECB has a set size (0x90), which it stores as the first DWORD and then the connID field at ecb+8 will always point...right back at the ECB! Once he has found the ECB he now has a connID and the addresses (stored in the ECB) for function pointers to the ReadClient() and WriteClient() that IIS provides every ISAPI.

This means his exploit is going to steal the socket reliably, no matter what ISAPI he targets, and whether or not it is In_Proc or Out_Proc, using SSL or not, even if he is behind several layers of middleware and firewalls and proxies of various sorts. In that sense it is BETTER and more generic than the LSD-PL and GOCode styles for this particular problem set (IIS Exploits).

Generic shellcode platforms are often derided for not being worth the effort by penetration testers, but I hope by reading this article you have now gained the foresight to see that for real work, by skilled but small teams who cannot afford a room of Raytheon engineers to architect bespoke solutions to every exploit and operation's microclimate, this became a necessary investment. Kostya summed up a lot of Immunity experience with this in a BlackHat talk.

Generally further in time from left to right.

If you're completely non-technical, then the goal of this kind of analysis is difficult to understand, but we wanted to point out that real teams consider their exploit only done when it "Works in the wild" and socket-stealing and post-exploit data transfer is a big part of that. Likewise, there are many ways to solve these problems, and different teams chose different ways which speak in interesting patterns. Historically, the people who were developing these techniques have moved on into interesting places (Yuange is at Tencent I hear) and if you were not impressed with them in 2001, you may not truly understand the modern landscape.

There was a purpose to hacking in the 2000's beyond getting on stage somewhere. The early hacker groups were run by strong philosophies. Mendez is not the only hacker who had a political bent driven by a strong-world view. What and/or who was the AntiSec movement, for example? You can't spend all of your spare time obsessively reading secrets without being changed and those twists are evident in modern geopolitics as clearly as glacial troughs, if you have the right eyes for it.