Web Application Security Payloads

Andrs Riancho
Director of Web Security
BlackHat 2011 - Barcelona

Topics

Short w3af introduction

Whats new in w3af
Automating Web application exploitation
The problem and how other tools are not handling it
Web Application Payloads, our solution

Vulnerabilities have capabilities!

Abstracting system calls in payloads
Our own SCA
Metasploit integration
Routing TCP/IP traffic

Conclusions
2

andres@rapid7.com$ whoami
Director of Web Security @ Rapid7
Founder @ Bonsai Information Security

Developer (python!)
Open Source Evangelist
Deep knowledge in networking , design and IPS evasion.
Project leader for w3af

Short w3af introduction

The features and the behind the scenes story

Introduction to w3af
w3af is an open source Web Application
Attack and Audit Framework
First version released in March 2007
Open Source tool (GPLv2.0) to identify and exploit Web
vulnerabilities
Architecture supports plug-ins (easily extensible)
Available for free download @ www.w3af.org

w3af project is sponsored by Rapid7

Since July 2010

Full time development resources
Roadmap, prioritized backlog & structured development process
Quality assurance
Back office including marketing and communications

Code Swarm

GUI demo
This is how it looks

What weve achieved

In these four years of life, the w3af project has achieved
these goals:

A low false negative rate

Good link and code coverage
Widely known, distributed in most (all?) hacking live-cds
Packages for most linux distributions

Highlights of the latest

releases
How we improved w3af in the last 3 months

Highlights of the latest releases

Replaced Beautiful Soup by the faster libxml2 library
Introduced the usage of XPATH queries that will allow us to
improve performance and reduce false positives in grep plugins.

Added two new grep plugins:

user_defined_regex.py
form_autocomplete.py

Fixed hundreds of bugs between w3af 1.0-rc3 and rc5!

Wrote documentation for the new users

10

Highlights of the latest releases

One of our most annoying bugs was fixed by Javier
Andala! (w3afMustStopException: The xUrllib found too much consecutive errors.
The remote webserver doesn't seem to be reachable anymore; please verify manually.)

Replaced a persistent list implemented with a sqlite3

backend with a Bloom filter, increasing the frameworks
performance in ~15%.-

Added an auto-update feature to help users keep up with

the latest features and bug fixes we develop daily.
Created a new w3af installer for Windows.
11

Stable code base and Performance

We still have much to acomplish!
Achieve stable code base
Increase performance for the core framework features (sending
of HTTP requests, HTTP cache, analysis of responses, threading,
etc.)

Based on a recent poll, were changing our roadmap to

quickly achieve what users need:
Identify 100% of the vulnerabilities - Scan time doesnt matter
Low False positive rate
Plugin / Extension system documentation

12

The Web Application

Penetration Tester issue
And how other tools are not covering it

13

Experience on a recent Web Penetration Test

Vuln!

2 hours

3 hours

6 hours

14

Discovered arbitrary file read in PHP application

Still reading files but didnt find anything interesting

Found an unlinked application directory

Arbitrary file upload
Uploaded file to get unprivileged command execution (www-data)

Accessed all DB data

Got root privileges (mysql password == root password)

No web post-exploitation :-(

During this experience we noticed that:
None of the currently available tools, Open Source or
Commercial, have any post exploitation techniques we could
apply to Web application vulnerabilities in order to escalate
privileges.
Commercial exploitation platforms provide exploits and
payloads to use in best case scenarios, in other words, when
there is control on the execution flow (exploits for buffer
overflow).

15

The reasons
Exploitation frameworks are focused on memory corruption
exploits because they were the most important vulnerability
class.
Attention has now shifted to Web applications, which are
different because they only allows us, depending on the
vulnerability, to interact with the system in a particular way:

16

Read a file
Write a file
Control a section of a SQL query
Execute user controlled source code
Execute operating system commands

Web Application Security

Payloads
Helping you get root from low-privileged vulnerabilities

17

A paradigm shift in exploitation

Which capabilities does a Web application vulnerability export? Two
simple examples:
Web application vulnerability Capabilities exported

Arbitrary File Read

read()

File upload

write()
[often restricted to specific directory]

Changing our mindset from buffer overflow exploits to Web

exploitation with reduced capabilities, we started to define all the
actions that could be done only with read()s:

18

Read Apache config files,

Read .htpasswd files,
Get the remote process list,
Get the list of open TCP and UDP connections, and MANY more.

A paradigm shift in exploitation

After identifying all actions that could be performed with read() , we
moved on to different scenarios where we analyzed:
Only write()
Only exec()
write() and read() , which is usually found when there are two different
vulnerabilities present.

Where we realized that we could emulate some syscalls using

others.

19

Emulating other syscalls

Each exploit exports system calls, which are then used by the
payloads:
Exploit

Exported Syscalls

Emulated system calls

Local file read

read()

Local file include

read()

OS Commanding

execute()

read() , write() , unlink()

DAV Shell

write()

execute() , read(),
unlink()

File Upload

write()

execute() , read(),
unlink()

Each syscall acts as an abstraction layer, allowing the payload to run

without knowing/caring which exploit is in use.
20

Emulating syscalls
Syscall emulation is easy in some cases, for example read() is
emulated via the execution of "cat filename" or "type filename",
depending on the OS:

And in some other cases it is more difficult, write() to exec() can be

challenging due to file system permissions, programming language
configuration and the application itself.
21

Simple but powerful pieces of code

Payloads are usually short code snippets that use a couple
of system calls and have specific knowledge about which
files to read and how to extract information from them:

Knowledge

read()
Parse

22

The first example

The usage of the Web Application Security Payloads
within w3af is very easy
But because this is our first run, lets explain it beforehand.
These are the steps that will be shown in the demo:
1.
2.
3.

Start a w3af scan

Identify arbitrary file read vulnerability
Execute the users payload:

4.
23

Reads from "/etc/passwd

Extracts users and other information

Show the results

Demo users
Baby steps

24

25

Payload that
reads
/etc/passwd
and identifies
home
directories

interesting_files

System call to
read files

users

read()

Synergy between payloads

This payload
uses the home
directories and
a list of
interesting
filenames to
search for
passwords.

The "interesting_files" payload

interesting_extensions = []
interesting_extensions.append('')
# no extension
interesting_extensions.append('.txt')
...
file_list = []
file_list.append('passwords')
file_list.append('passwd')
...
for user in users_result:
home = users_result[user]['home']
for interesting_file in file_list:
for extension in interesting_extensions:
file_fp = home + interesting_file + extension
files_to_read.append( file_fp )
26

Demo interesting_files
Treasure hunt

27

Payloads are integrated into the framework

Payloads can take decisions based on facts that were
saved to the knowledge base during the scan:

Identified vulnerabilities
Remote Web server type (Apache, IIS, etc.)
Remote operating system
Found URLs

This is one of the biggest advantages of having everything

integrated into w3af!

28

The "get_source_code" payload

apache_root_directory = self.exec_payload('apache_root_directory')
webroot_list = apache_root_directory['apache_root_directory']

url_list = kb.kb.getData('urls', 'urlList')

for webroot in webroot_list:
for url in url_list:

path_and_file = getPath( url )

relative_path_file = path_and_file[1:]
remote_full_path = os.path.join(webroot,relative_path_file)
file_content = self.shell.read(remote_full_path)
if file_content:
self._save_file_locally(remote_full_path, file_content)
29

Demo get_source_code
w3af integration

30

w000t!

We have the applications

source code, what now?

31

Integration with Static Code Analysis tools

Web application payloads can easily integrate with other
tools. They are developed in Python, so everything is
possible :)
Our first stab at this problem was to integrate Pixy as a
payload. The worse thing was that it did not return the
information we needed.
Together with Javier Andalia from Rapid7 weve
developed a PHP Static Code Analyzer as a PoC to show
that it is possible to combine these two technologies:
Black-Box scanning
Static Code Analysis
32

Integration with Static Code Analysis tools

This is how were integrating our SCA tool into w3af:

33

w3af scan

Identify local
file read

Exploit

read()

SCA

Identify SQLi

Exploit

write()

exec()

Static Code Analysis characteristics

Based on phply, a PHP parser implemented in PLY (Python
Lex-Yacc)
Identifies the following vulnerabilities:

SQL Injection
OS Commanding
Arbitrary file read
Remote file inclusion
eval() vulnerabilities

Taint analysis

34

Static Code Analysis with Taint Analysis

Our SCA follows tainted variables from the various
sources of user controlled data:

$_GET[]
$_POST[]
$_COOKIE[]
$_REQUEST[]

To sensitive functions like system() , eval() and

mysql_query()
Taking into account validation functions such as
escapeshellarg() and intval()
35

Static Code Analysis with Taint Analysis

PHP Code:
<?
$bar = 'ls ' . $_GET['foo'];
system( $bar );

?>

SCA output:
Tainted variable $bar created as concatenation of 'ls ' and user
controlled variable $_GET['foo']
Tainted variable $bar used as parameter #1 of system() in line 2
Exploit: /filename.php?bar=;ls

36

Static Code Analysis with Taint Analysis

PHP Code:
<?
$foo = $_GET['bar'];
$foo = escape_shell_args( $foo );
system( 'ls ' . $foo );
?>

SCA output:
Tainted variable $foo declared in line 2, taint source is
$_GET['bar']
$foo is now clean for OS Commanding.

37

Demo Static Code Analyzer

A step closer to retirement

38

Static Code Analysis with Taint Analysis

This SCA was a PoC developed over two weeks, it lacks
many important functions such as:

Support for require_once() , require(), include_once(), include()

Better support for loops and if statements
Classes, methods and attributes
Detection for all vulnerabilities

Interested in extending this section of w3af? Contact me!

39

Available payloads and their main focus

Payloads with exec()

That was easy!

41

And when we can execute OS commands

Great! We found a way to execute operating system
commands using our web application payloads that run
with low privileges, now what?
When were able to execute OS commands everything is
simpler. In these cases, w3af provides the following
payloads:

42

msf_linux_x86_meterpreter_reverse
msf_windows_meterpreter_reverse_tcp
msf_windows_vncinject_reverse
w3af_agent

Metasploit integration
Completely rewritten as a Web application Payload
Metasploit integration is very simple and is achieved
through the following steps:
1.
2.
3.
4.

43

w3af runs msfpayload and creates an EXE/ELF

Upload the EXE file to the remote server using "echo" or a
"reverse wget".
Run a msfcli with a payload handler in the w3af box
Run the payload in the remote host

Demo metasploit integration

msf_linux_x86_meterpreter_reverse

44

w3af agent
The w3af agent allows us to route traffic through the
compromised host without any effort.
1.
2.
3.

45

w3af uploads an agent client to the remote host

The agent client connects back, and the TCP connections are
kept alive to route traffic.
w3af starts a SOCKS daemon in the local machine, which is the
entry point for all connections that the user wants to forward.

Demo w3af_agent
Routing traffic through the compromised host

46

Syscall hooking
Syscall hooking using ptrace() is a research in progress, for
which we only have a small PoC, but I wanted to explain it here
to get feedback and new ideas.
The initial idea we had with Lucas Apa (the main Web
application security payload developer) was to create a
framework that would hook into a process and forward it
over the network to the remote server using the Web
application exploit.
Using this method, we would be able to run any software
installed on the host running w3af in the remote box. A simple
example would be clamav.

47

Syscall hooking

open()

emulated
read()

48

Syscall hooking

Subterfugue is a framework for observing and playing

with the reality of software; it's a foundation for building
tools to do tracing, sandboxing, and many other things.
You could think of it as "strace meets expect".
Which is a great software for hooking into a process using
ptrace and modifying its state, but has two big issues:
Not supported by the orginal developer anymore
Doesnt work in 64bit arch.

49

Syscall hooking
# Called before linuxs read() syscall
def callbefore(self, pid, call, args):
m = Memory.getMemory(pid)
arg_mem_addr_path = args[0]
filename = m.get_string( arg_mem_addr_path )
# Calling the read syscall of one of w3afs exploits
local_filename = self.shell.download( filename )
area, area_size = m.areas()[0]
m.poke(area, local_filename + '\0')
# Rewrite the syscall in order to read the local file
return (None, None, None, (area, args[1], args[2]) )

50

Conclusions and pending work

Develop more MS Windows payloads
Take actions based on payload results:
Launch a new scan against a particular resource
Exploit vulnerabilities using the increased knowledge obtained by w3afs
payloads

Our goal is to make this the standard for automatized postexplotation of Web application vulnerabilities.

51

Sharing your ideas and knowledge is easy!

Got an idea? Share it in our mailing list!
http://www.w3af.org/mailing-list.php
Want to read the code? The source code for the web
application security payloads, w3af agent and metasploit
wrapper can be found in these directories:

plugins/attack/payloads/
core/controllers/vdaemon/
core/controllers/w3afAgent/
core/controllers/payloadTransfer/

http://w3af.svn.sourceforge.net/viewvc/w3af/trunk/
52

Time for your questions!

Andrs Riancho
Director of Web Security
General Manager of Rapid7s Web
Application Center of Excellence in
Buenos Aires

andres_riancho@rapid7.com
Follow me on Twitter @w3af

53

Thank you!
Web Application Center of Excellence,
Buenos Aires, Argentina