ࡱ>  uq  !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~RdO)28\L PicturesjPowerPoint Document(E_SummaryInformation(l  !"#$&n,}zD4h PNG  IHDR}, sRGB pHYs+,dIDATx^ Uy'p\^>(.jKk"kr)jJG!Zj *.4"$'`֘M$1z.򸝽a={{9Ys~f)oƌv%@%X:W:qcFtQVgضm7) we2я|y'ҷ @*CۿƟyJd&|{v9{={Vb@ п}SS〖g^db)݂M;ooݺm_OOΝkb\455 Q{'gBiϝ2e⤏l۾{{Tn@olrу ;5zn*O>K oG)I P%n9ģ|pekn߼JC  8~dCetܾo} D~{`w*ݖ-;)< 8t]]XbbT!!CZJwm[w]]^^G^o _2ٹlwgL^{ھmCWvk^ok} &IƹjFk*%:KTu:7yem,kXz<4tHK?k^^]3Ҵwqz_k ϐT>}l_vWk>wooo}sSX@5]֐1&싥/~Wx}WΉ$3 8ng>&}Cozl痜G> N[gyO:n4|A> >qSO{- {SbѤy^3a懮,Y5˯!7O_=㢑kpkG0 {bli/deU,ȉ1V?V*9qϥ ~GW u lX/Jl oՕ6wn &\+>9p4Ҏ:F-Y+O?e__[P_0᪟>r͓+|H_fuᤶL3"!M<{do'{b9'yo {GK84~ A<Ȕ&[.N͍ 5{mBm{\do7LНoVVozOϨ%O>8oȘGxXOzIU*HyRW> -~~4+Wi u,ThObRkK)Joo2%ȘAރjw&Gt{/=]z:+o3m7cʚD4R)Dhe锿z#4ҡ|Me4f' _[3O>*iK~-TjRԫ_y7NW2=z&HkKXrSx.4/}7)6#[0?Th F 11~禎W [,Z^Y]]W^&_9kr9LuʹA_M@7@yLQ,ug}Wa%/_}Qn꠽R/ )zՄ^ͻ73_:IW<|^:ȐΓ@WflniO6{; _x{oB׫l~}ʪ|h\5u1Ȇ%˟]qcG mlx?y+s؛>5fM^dwF=e_pwل=Ok_sn=8m}|_-虶it̯rnq ?m2[]G>ɃX 5#5IvYZz8p؇]@/#aWy[U}ץ/Q)ٵk jme/T>rw_B?A~;zg>8w_ݺk𓏧rT2d̈ʹMg~=['7'-o3D?So?m7싑 ?ì%Y.SY@{ in#+eٽۖzJs/:l TX}_¯+ o]K(~_w1Lc_LWt~14DÀRoI}SvaЎkN]c0!Qc--|}t_G]߼.=~ɲoߧ&v77=c{-_|9cG4'UqD֩Mvڻ*ר SN.$.V/O}+һ3tr×;~춳u[{ ϓ2s_rx7ܻuNH(~N㶻uh]Za^t|'B0,]>r]J8vZ"oo[ۮc  ;;w_{ͭ-Ztö vY?{%1Ncg-[HGǖ}  !ѣ]\Vnrŋe8 L@fhgV+w0 GJk P(]Q1.@~tH EEGJk P(]Q1.@~tH EEGJk P(]Q1.@~tH A2 Pe$vP@S,0cĮ;P, ߐP#v7tѣ)S};(]'̦*sQ)>?y~ΤtNղ=QU0G$s-fϞM\zo 9g/w5DJSX:1l#k?'`9-={gҺc[G"ϯ$ͻze_paciqɩ_$N%=MZ2[2G]JYD#a،7IU9Е˄H o@h,AFg8Hoi}qf:Q6ny ,2GO͙3r> m}dӤw7}YYjhfM2V(6XG$!a_|țkI}[a-Pjɖ01->"͊uQeN<%pFAHC+w905,$wPt|L"H.Tr@Rlii-}K"ʨˮƨS$̣[䘹$s)IAǒM6Dzzɡ_&Gבmd{9xʦQ+]r qƭ]S;"sW~IJG߿G~4n!?AV\I&q)jw;M3ܧ}IZ&%xDje@ b7y)l*]yۮ&^% yrTuǞ^?qժU s,юi*]4(~Ze" S' U.zøqcV֮ɛ[) ýRn{W;]scmۦhH.s)+<[R Ŏ^enV^k䇫+kȤ;+յ7߾g]D>mooOh݋jނH*hDKnMu8PSul4w2X:S'ΓGuZd^2v0ٽ\/ZouOñܜBJ;/m v%QƆAaMC=J/{6d$D76 )Hj[j7ڏaԠޢO /LB{Y~z`WwS?C}9]Z/Uϛ6ڤr7?yUyAbheRw.G"9lٽIʋ{o[CE$:=g(5jT2gWm#l,X-=,9BR.bh B x2ҳn9uÄ~)ӡL=5qGԩS% `5X)GC43h('ٜLz/Döuz}|&akSbj:*VR-pk]9\>Ty9=v¦ya{h_لFӯErh=+5oeﴞ:a2I՜Mtނ(T 5w,4doP{s\WM .&W*ᎇywtHomlӉZʱ2.sY)]Sϲ@KuLj'p`w˾o7ЋH"o֬Ye!sP:j nc?*]DĎA1'@oZx|^,]DBɰ⎉KrysxR>J.QՋHfL29t `]Fޠ,̂8DJP2 @FtY@J\Ȉ.#0  (Cɀ+ efA"s(p@ #P,Ct%dDJXp@iﺻʙ&L8! $&⋯3};tKl@@!3fJwuW8 \Lp.1KpAttΧ$&K@'s>Ep@ 1(]b0 <()  @# @OHLJ! 8OJ| @bPa@y9)ݨ'ps;fj$hK"d#ynhɎYشf8XrR:Q6t6#:,68$4ޠ%}K`ӷB t$ N:t\ݮk} H2d_ZVfb_q6HpִqQMIsTkDFWE l\ lP'<ĸBS 4m\~diKSȼe(h0fZ#l\w^jc6Q;]D6!^ԅ54be0b]<75C@AQQV0m,h'!&ޠ^\6heܲKuiVAQ:Q9ZKxq6хApD285Ù">nbsTbOQmViIË$[IgdV6G)k[hJN6bcE5mǞ6Eю[1A &(>7'tɰ?Z=KYc1utHA3mKt!~B0)䱩Fl 0h6+v( AIA %UjPΓ^.GӠH'j\{ b9E'rym.Zʯ F:Ҧ;`-OK<(jڙjbի'}JUE; Nx V:&%V+]:6شiԸZ@f t|FنA(+]Qac\"҉R猲D{XdWPCic@NJGٱfEU|U[K]q6юV6Te.*VSxed357pQB{Btpĸ'6x;M8YOQY3;3@P:ý]1^Amc%^-,[5g5.5*k tGsnξ*s69 ewмU;jUz]=:LYNJǓ#NG̊Q:imxeRB3&Ra3M{W#1L|PwPu[>UbM+ CuDRU6{VZҲٸ1VMXɍ>'t=^{VږQ#M8TOXH$#6p6xC+?cӋ\[Ĉ`0⽕6a?R7hԆ%1ba]+"| M~"k>nkҙSf FzKK\z2^Tp"g,z TVU 椁wjZ૱cL+(")SRZzĖ>DqB5"(4opy6Iۡl([F9ZtòE493^3 Vj9C8zb @L \H@J|Mr:6eicrvO@VrR:B&]Z2 vP':rR:)=&҉Uxřx9v'5P_69&&_z7J[BU&^32"MPK" K`PN4[ybTnR'[I(j7hYG@-AmD;"&f!KN ߓ%0e*=CPMՓE1JBŨ r V%Ӟrje8!D S"^SijDFB!İi^C]GvIJf(@wH-ydI[ڄj6R1ZfQQ0[,W,紴LV aydq]l?1⍅^@ ' }7Rc{ ˢXlY@投9, gPmg ]7CV1B\"ёvOR2xs2%;CAL ׭1GE70iEb,N`s#p7t@+ .ҹ (]:a@eP:@!K#LJrv@:tp @\|H. 2(فo ҥV@\&s9; @ Pt8 t.gCJGXp7t@+ .ҹ (]:a@eP:@!K#LJrv@:rR:#'@-FR104 d>v/hS%?oehSYxoȆM6^MI+a=ՖA}y/ [<2g384{)խ ޞuT}ml&#uHuX \WPТ.HCtԾkXJA+B"NYitZr&-U8lKXM'ZXtlЀ((_ƻnr믻"0Rql*mIVKMoP*βmhU#Q8gg; iˆ+D+]\_@@(f@U!s@ @?Lj@J9 Pt՟cD ~P1"HtI ^5Y۫ 'UvNLD+X-~![:IUD~d+1.dUftJۛݸZʾp}*Rg4=ˈ,ST L骯aIp. z䨦G P@@*,ap@ @D b.Jw' II gZɎ>c`z(Xΰ нRgL )Jôh[F9J2EW:}7 TJ >HR:)j+m$yRܑ7N}E#(ՖCixdb EUBAjهi[e-+Guodyzhw0''A2 ڳwm~ő RqA&B(GI&J'T$ feT$wނ=,rd]K q@[)ܟ0{u $҉H<@hyMwh<Վ嬇A`Tb6:bh╎ba,31ۈ'S`oڍ(#ކNh3JPv"MiUqTT=tFQ N?ɬJҷvO8EEȡwW7&xkl4n Ak <ߙb0U#p03UtyX DJWAɂ 1 T'1yu' ^;HFv4"t8#~"T"%]9M'UvHӕ~F7g֗Xˑ>{MtWlY_ɚj'UvHEN: sT@"JO$"qCc$ȴiHtp1@EUd4@$PH@" @*2mp@ (]$\h  Pt68  ..4HPLD|?ܳ?A@q9\r3畕qw&PV@*E Y)IENDB`FЍv0^dJFIFHHAExifMM*bj(1r2i ' 'Adobe Photoshop CS2 Macintosh2006:07:08 01:00:12&(. HHJFIFHH Adobe_CMAdobed            x" ?   3!1AQa"q2B#$Rb34rC%Scs5&DTdE£t6UeuF'Vfv7GWgw5!1AQaq"2B#R3$brCScs4%&5DTdEU6teuFVfv'7GWgw ?G1C&.LtLRI? q)ƈj<‹$s ɔ:F)?l WͭWD0N'oVI$+vrvF<'GE.3T;(-ϙ@+ .c恳I$ɍ@AӂyuӴL*Rn *B$wQXSݩʓI4R7iE'q%#u,:Š] #JiH^RvN9M;cptKۣ&H䨩YqE|gN)50T&}IRQSh2b>iCp8R,O> >]xK)56;몊vM, RI.)]$<F4&} Ed ܨ!H蠔c恰RIU*tI#Ԩ)$JRn|RN+{' ׺IA껴qqh[+&ҠdAJRdncE$c5vA$|6*$Photoshop 3.08BIM8BIM%F &Vڰw8BIM com.apple.print.PageFormat.PMHorizontalRes com.apple.print.ticket.creator com.apple.printingmanager com.apple.print.ticket.itemArray com.apple.print.PageFormat.PMHorizontalRes 72 com.apple.print.ticket.client com.apple.printingmanager com.apple.print.ticket.modDate 2006-07-07T19:26:45Z com.apple.print.ticket.stateFlag 0 com.apple.print.PageFormat.PMOrientation com.apple.print.ticket.creator com.apple.printingmanager com.apple.print.ticket.itemArray com.apple.print.PageFormat.PMOrientation 1 com.apple.print.ticket.client com.apple.printingmanager com.apple.print.ticket.modDate 2006-07-07T19:26:45Z com.apple.print.ticket.stateFlag 0 com.apple.print.PageFormat.PMScaling com.apple.print.ticket.creator com.apple.printingmanager com.apple.print.ticket.itemArray com.apple.print.PageFormat.PMScaling 1 com.apple.print.ticket.client com.apple.printingmanager com.apple.print.ticket.modDate 2006-07-07T19:26:45Z com.apple.print.ticket.stateFlag 0 com.apple.print.PageFormat.PMVerticalRes com.apple.print.ticket.creator com.apple.printingmanager com.apple.print.ticket.itemArray com.apple.print.PageFormat.PMVerticalRes 72 com.apple.print.ticket.client com.apple.printingmanager com.apple.print.ticket.modDate 2006-07-07T19:26:45Z com.apple.print.ticket.stateFlag 0 com.apple.print.PageFormat.PMVerticalScaling com.apple.print.ticket.creator com.apple.printingmanager com.apple.print.ticket.itemArray com.apple.print.PageFormat.PMVerticalScaling 1 com.apple.print.ticket.client com.apple.printingmanager com.apple.print.ticket.modDate 2006-07-07T19:26:45Z com.apple.print.ticket.stateFlag 0 com.apple.print.subTicket.paper_info_ticket com.apple.print.PageFormat.PMAdjustedPageRect com.apple.print.ticket.creator com.apple.printingmanager com.apple.print.ticket.itemArray com.apple.print.PageFormat.PMAdjustedPageRect 0.0 0.0 783 559 com.apple.print.ticket.client com.apple.printingmanager com.apple.print.ticket.modDate 2006-07-07T19:29:00Z com.apple.print.ticket.stateFlag 0 com.apple.print.PageFormat.PMAdjustedPaperRect com.apple.print.ticket.creator com.apple.printingmanager com.apple.print.ticket.itemArray com.apple.print.PageFormat.PMAdjustedPaperRect -18 -18 824 577 com.apple.print.ticket.client com.apple.printingmanager com.apple.print.ticket.modDate 2006-07-07T19:29:00Z com.apple.print.ticket.stateFlag 0 com.apple.print.PaperInfo.PMPaperName com.apple.print.ticket.creator com.apple.print.pm.PostScript com.apple.print.ticket.itemArray com.apple.print.PaperInfo.PMPaperName iso-a4 com.apple.print.ticket.client com.apple.print.pm.PostScript com.apple.print.ticket.modDate 2003-07-01T17:49:36Z com.apple.print.ticket.stateFlag 1 com.apple.print.PaperInfo.PMUnadjustedPageRect com.apple.print.ticket.creator com.apple.print.pm.PostScript com.apple.print.ticket.itemArray com.apple.print.PaperInfo.PMUnadjustedPageRect 0.0 0.0 783 559 com.apple.print.ticket.client com.apple.printingmanager com.apple.print.ticket.modDate 2006-07-07T19:26:45Z com.apple.print.ticket.stateFlag 0 com.apple.print.PaperInfo.PMUnadjustedPaperRect com.apple.print.ticket.creator com.apple.print.pm.PostScript com.apple.print.ticket.itemArray com.apple.print.PaperInfo.PMUnadjustedPaperRect -18 -18 824 577 com.apple.print.ticket.client com.apple.printingmanager com.apple.print.ticket.modDate 2006-07-07T19:26:45Z com.apple.print.ticket.stateFlag 0 com.apple.print.PaperInfo.ppd.PMPaperName com.apple.print.ticket.creator com.apple.print.pm.PostScript com.apple.print.ticket.itemArray com.apple.print.PaperInfo.ppd.PMPaperName A4 com.apple.print.ticket.client com.apple.print.pm.PostScript com.apple.print.ticket.modDate 2003-07-01T17:49:36Z com.apple.print.ticket.stateFlag 1 com.apple.print.ticket.APIVersion 00.20 com.apple.print.ticket.privateLock com.apple.print.ticket.type com.apple.print.PaperInfoTicket com.apple.print.ticket.APIVersion 00.20 com.apple.print.ticket.privateLock com.apple.print.ticket.type com.apple.print.PageFormatTicket 8BIMxHH/8Ag{HH(dh 8BIMHH8BIM&?8BIM x8BIM8BIM 8BIM 8BIM' 8BIMH/fflff/ff2Z5-8BIMp8BIM@@8BIM8BIMCmatrix1nullboundsObjcRct1Top longLeftlongBtomlongRghtlongslicesVlLsObjcslicesliceIDlonggroupIDlongoriginenum ESliceOrigin autoGeneratedTypeenum ESliceTypeImg boundsObjcRct1Top longLeftlongBtomlongRghtlongurlTEXTnullTEXTMsgeTEXTaltTagTEXTcellTextIsHTMLboolcellTextTEXT horzAlignenumESliceHorzAligndefault vertAlignenumESliceVertAligndefault bgColorTypeenumESliceBGColorTypeNone topOutsetlong leftOutsetlong bottomOutsetlong rightOutsetlong8BIM( ?8BIM8BIM 'x JFIFHH Adobe_CMAdobed            x" ?   3!1AQa"q2B#$Rb34rC%Scs5&DTdE£t6UeuF'Vfv7GWgw5!1AQaq"2B#R3$brCScs4%&5DTdEU6teuFVfv'7GWgw ?G1C&.LtLRI? q)ƈj<‹$s ɔ:F)?l WͭWD0N'oVI$+vrvF<'GE.3T;(-ϙ@+ .c恳I$ɍ@AӂyuӴL*Rn *B$wQXSݩʓI4R7iE'q%#u,:Š] #JiH^RvN9M;cptKۣ&H䨩YqE|gN)50T&}IRQSh2b>iCp8R,O> >]xK)56;몊vM, RI.)]$<F4&} Ed ܨ!H蠔c恰RIU*tI#Ԩ)$JRn|RN+{' ׺IA껴qqh[+&ҠdAJRdncE$c5vA$|68BIM!UAdobe PhotoshopAdobe Photoshop CS28BIM:http://ns.adobe.com/xap/1.0/ image/jpeg Adobe Photoshop CS2 Macintosh 2006-07-08T00:57:16+05:30 2006-07-08T01:00:12+05:30 2006-07-08T01:00:12+05:30 uuid:9FF62FDF0FAE11DB85B3EBF1E0DF218A uuid:421617E90FAF11DBB70ADA50CFD5729F uuid:9FF62FDE0FAE11DB85B3EBF1E0DF218A uuid:9FF62FDE0FAE11DB85B3EBF1E0DF218A 1 720000/10000 720000/10000 2 256,257,258,259,262,274,277,284,530,531,282,283,296,301,318,319,529,532,306,270,271,272,305,315,33432;6AFCF5E676D2502BDB177F64991F6B57 640 480 1 36864,40960,40961,37121,37122,40962,40963,37510,40964,36867,36868,33434,33437,34850,34852,34855,34856,37377,37378,37379,37380,37381,37382,37383,37384,37385,37386,37396,41483,41484,41486,41487,41488,41492,41493,41495,41728,41729,41730,41985,41986,41987,41988,41989,41990,41991,41992,41993,41994,41995,41996,42016,0,2,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,20,22,23,24,25,26,27,28,30;5F16774B6DAC1BD6435F8A113F749540 3 sRGB IEC61966-2.1 XICC_PROFILE HLinomntrRGB XYZ  1acspMSFTIEC sRGB-HP cprtP3desclwtptbkptrXYZgXYZ,bXYZ@dmndTpdmddvuedLview$lumimeas $tech0 rTRC< gTRC< bTRC< textCopyright (c) 1998 Hewlett-Packard CompanydescsRGB IEC61966-2.1sRGB IEC61966-2.1XYZ QXYZ XYZ o8XYZ bXYZ $descIEC http://www.iec.chIEC http://www.iec.chdesc.IEC 61966-2.1 Default RGB colour space - sRGB.IEC 61966-2.1 Default RGB colour space - sRGBdesc,Reference Viewing Condition in IEC61966-2.1,Reference Viewing Condition in IEC61966-2.1view_. \XYZ L VPWmeassig CRT curv #(-27;@EJOTY^chmrw| %+28>ELRY`gnu| &/8AKT]gqz !-8COZfr~ -;HUcq~ +:IXgw'7HYj{+=Oat 2FZn  % : O d y  ' = T j " 9 Q i  * C \ u & @ Z t .Id %A^z &Ca~1Om&Ed#Cc'Ij4Vx&IlAe@e Ek*Qw;c*R{Gp@j>i  A l !!H!u!!!"'"U"""# #8#f###$$M$|$$% %8%h%%%&'&W&&&''I'z''( (?(q(())8)k))**5*h**++6+i++,,9,n,,- -A-v--..L.../$/Z///050l0011J1112*2c223 3F3334+4e4455M555676r667$7`7788P8899B999:6:t::;-;k;;<' >`>>?!?a??@#@d@@A)AjAAB0BrBBC:C}CDDGDDEEUEEF"FgFFG5G{GHHKHHIIcIIJ7J}JK KSKKL*LrLMMJMMN%NnNOOIOOP'PqPQQPQQR1R|RSS_SSTBTTU(UuUVV\VVWDWWX/X}XYYiYZZVZZ[E[[\5\\]']x]^^l^__a_``W``aOaabIbbcCccd@dde=eef=ffg=ggh?hhiCiijHjjkOkklWlmm`mnnknooxop+ppq:qqrKrss]sttptu(uuv>vvwVwxxnxy*yyzFz{{c{|!||}A}~~b~#G k͂0WGrׇ;iΉ3dʋ0cʍ1fΏ6n֑?zM _ɖ4 uL$h՛BdҞ@iءG&vVǥ8nRĩ7u\ЭD-u`ֲK³8%yhYѹJº;.! zpg_XQKFAǿ=ȼ:ɹ8ʷ6˶5̵5͵6ζ7ϸ9к<Ѿ?DINU\dlvۀ܊ݖޢ)߯6DScs 2F[p(@Xr4Pm8Ww)KmAdobed         P  s!1AQa"q2B#R3b$r%C4Scs5D'6Tdt& EFVU(eufv7GWgw8HXhx)9IYiy*:JZjzm!1AQa"q2#BRbr3$4CS%cs5DT &6E'dtU7()󄔤euFVfvGWgw8HXhx9IYiy*:JZjz ?*U+t8H(xv*UثUdUxXZ=2YتpFv#MFә1R5R@cq;3$%"yUثWb]v*UثUثUWbUZ"e-`Wb]v*=+^&`Nl &8K Z5Ȓv*UثWbc!`iY]BҤֹYj Rت_k|݌X^d삡C1Y;v*UتdF+N@KXثUHo.7c$EXR)=)k+#>7H>kNFL[-%ثWb*U|k,s5eԀlFs N]v*uDWZm_-9F4(dv*TejB#*݉)NFYS UʉfVb]v*UثWbW lEviv*UɉRӹȓikX؏ 8i\5UتQN-MR)Ŏ!)sPȥn*UثWbWjeW+F`50ʈK1;\M\dARzɜPE)Iv*UثU܏LSmVKWbUЏubdad45db7X3}0.$1S;v*U*Urf2/-5 wE)<̭.]v*ei H6 b%irR(ܽB\ R܂]v*UثWbBNeoHZrWCxIVUثclS&)Z>ǚVGJ؊fa$4V\Ѡ")3ثWb[Z]v*UثjhrQ4R|H?2mO*KWb]v*Uتˢ, rsP"b[o&byAgb .O6gt4K`v&`;k2v*U*U_0ˆ!ֲ9 ’ ܂]v*UrcU|6ߙ_ r U2 2W ?<ˌcI4Б~$%Ij6ZBQ$R]v*UثWbWWy"pb]\ vUlbi~!Z{W[jVdn=MNUfllv*UثcBҾd eIv*UثWb]5OYR$SzdvK1;v*UثWb]UNIV+WbjiF#cɮ[%5hceW\`ڞPثWb*Uz}4_fQ>lVJjyVi읊v*UrM+lҮy^h˪bBcv*lM H2j[:Gc_|hSFbжanA.]v*UU,qPثt[B܊]v*Uu2B$DV+Wb[@F?LT@m 0[ڝ=+KWb_*Uw*x:ŻS+ -%ثWb[aUE3_5)cfeIv*UثWb]v*UثWbiUsN9H>M뒈.ڹ.V֞RZ]nU <j5SAW1Td5¸3ZU<0jCpFgiCTSS@rP'joreiv*UثWb+J5 ;e%s]3Z]lkv*UثUE2|´i [Wb]DMN]b'thRfekj@|з"]v*U*U|jMY M+s(_R_ 6.qe v*U*54ِ2DcMH܎ݲ)ni4`KWb]v*UثWb]UN1 l7HCYRV]9ؕ*3ʂܥ+qV eiv*UثUeZ2!lLPB2 r*UثUD~=qZH1P'|&7`V?'Qkr v*Uث*Ur}1AW{.Ne R0=12v*Uث{aWS |1)hkv*dZ<*&8x:I=wȒO5[.]v*UثWb.-VUP9S-JA Abkv*UثWb]v*k]6@2}YGn,^p;S7AL@fy)!C1v*UثU™(TМ =?BS)fVbVv*Uت2 EsbZ5GLY)Iv*Uت`Z(R-a%jhAEJ~w[b ]*UrSl*AUgQ?F, zf*UثUB]d ԫU 7̞((Jo,H,SRUpī$@ UثWb]v*UP.+tZR,T7˰rZSʒUثc_@: mLmk-W1E!nA.]v*Z|%H_Xx# 2jk;ZVUثWbW*dA]B;oUtUCY\(AlLl2v*UتP{,A%i9)-`Wb[qV.+QZh<4"!V[cj_2 E;4݊v**UثWb]v*U *1c~D{ey2q$ Yث`!]\x]v*UثWb]W|9{BÕ% UثWbU܁-)k$l[KWb] IHDKjnVeLz3 ҽy`uG"w(ثWb]HCe kKr v*UR]DA r v*UثU@kG  9drHI 2v*8w3L4[%*~xb,ңՕ9 O P>A湵n*Uث*UثWb]v*UثWb]d;aPQOf] A-HPTN]v*UثWb]v*UثV* a 4ȥҸHV+UXEOJFF2UH<ș#o\ R0+>xh\lv*UثWbWbqWbWa$jnA]v*UQ@#-A%kli!!EB܊]n[* s<Q9ͬUثWb]*UثWb]v*UثWb]퓊 @\= 0P0 o$ojYثWb]v*UثWb]v*UU7?P݉ l$ri[JW`*U[F-] )dNш*ȴ+ܟq c4)Hkv*UثWbUV*2R=[KWb]2q# [KWbJZ5'#eK%Wb]*UثWb]v*(CgIjIV*Uث{j!"#- ,t-AYثWb]v*Uv*_lc%  k2 v*UتZ-YA+VE[**Uث`⪋-62flLmӒ3 )4Rckr v*UثWb$%N[*k&`QmRYJ Up(CM2Lɉ^2,dU}E:eC\JO""V*6 rLTWb]v*UتUت+M&nĂPF߯ ASVKqWbUZOLʻ*ONFNJ9"U4VUثWbc䂵N<2nA.]v*UzV WVo^Zv(!fA.WNY2 ]v*r;hNHȫWb| *QNx6EOHcZڑVMb]v*U*UثWb]v*+k}x1;WL$)O*KUۮ][!ƒpFשrHZhN @ r v*UثWb]ol*\Hr%-(|S;3&WbV6 R,4A|sJ mĔ]v*|ci|QyiOɆ oH|fUثWbWS.*A ˌVƊǑAfVb\  W [[Wb]W_f^9FH7IM<.]0ǚd14B2y( YC'b]v*U*UثWb]v*rGW + :.GTZB+ɏ ̭.[uUHП.I] b0$ (f#7b]v*UثVZ'WPbB܊v*v#% GL $kV}RRils-pJ-AYثWbzI30lIUA ͗XǩPVn]v*UrԜA;fV8--4a4Uثbªvt̸Ǘs 2 uUK63 CcArVI@RvNU#nC2ͅQY\$s Ur{Ep}k2v*Uثt® kv*UتqsbbM*zAz8XZiLkfaO)KWb]*UdD UثUtf(!'!+Kr4^CX2H"GXZ I*UثWb]v*UثcUBPfT%7bA^4\s5屬Uu08+WbZ!o9ńS-Svdv*Uz2HH"fcקG$v*̭.]v*Uz2rDU49(Qـ$Zf$L[KUHSL+5Yj]]ޭ `KWb* t68m}(%\Qh2(s\A ȥثWb]*Uث{b]v*o|S٠%*u u{dv*UQT]觶:FgcQdv*UثWb]lbk+Jp6t2PbCF;c,<.W|rq(-^+Ikv*1nZVL42RvN[o*D:x؁%TG 3ff;sثWb]J0j:S|ˌ 0'uU&AS;v*UثWb]\Fkv*UMj1UFs'BXN'6i0'`lZr2斲*UثWb*Uت]a r v*UثUD 9t$Ć)3(ehnY4pI v*dc;SVanE]v*UثWb](|/0XM<|pdmO)Kc\;RaZ#! nA.Q _Hs2&F;05keASC5銎c2v*j r2yXo9`@\ؠ#J9ثWb] :C.b@i!;Reiv*UثWb]o®V+WbkA QBw۩edńw(b6vAV]v**Uتr`ҴiVWb]U'2q)NN5ȫD%-`Wbe2%슴qKXثWb]v*U[R|*ѩ㙸A+IZᒔIFE[r~!E:-]Z2$%nA]G6^d< HOBwpeT)f;'bAL qWb]v*"Bf`$ t1Z}YFc6n]C UثWb]v*UB~#O2y%'ZdĆ(2ʃaJ3M`Wb]*U1WS%‡pIkv*UU:ubW #̰nH1Mv%UتR3'S;xu[HӶb̂܊]v*UثWbWbB Í)O* K0^ƿH-,Ҽ>ԦZ2m)I5JVT-ȥت%h! `KWbqW'ws3"BtNXQ)CN1N=7ʊZ]v*U*UqVE4Om-`Wb]v* ]\U]W}8XثWb]v*Uu0p*GOu5#~<"7bmt2̆2;c\AU:e E- 2e C%HJҕ20!lHC,읊H Ct9>oi@]v*Uتnv;.2=HUҠfQO67*a~ 2ت#āWsڀd@ȥ<+~9o{M3r<ҷ"]v*UتN2Q(vgC@#tP:mҙ#Sؒ{fINUikv*UثW*Uv*ADE9\,UثUN0[z-D܊]v*H+UlZ]v*UثV[NB[JFn8˒ q9a@GS9C&V++tlW5hJR4,tyq/=] ثc%^TvKd Rv*UثWb#֙vދk"tpWp1Q]*IdB*s-q )N+eZBaBÔN|UH<3"1bHZf]R)fVbVaW]v*Uتb "ЊrQ4 wrdSY;TTA.A0v,-)v*UثU܏LSU=ikv*1S֙f1 . `>c+K$f2ݎNRU6ԗ% UثWb_*UتGqQN'"M v*UتccJىTRV@e4,;7Ā4s#oՔe RY;TmC/ATX|ǎ#X\S9v*UثWb[Jl~`6B̩+X CenF2BdulP w_ :u#O)ƹFK& 3AF(PHsdH  W ((,6\rQO-#ڹ8Zh>y\B̭.]v*UZA}dG62(ř j6& ݿ3ќPقUQ:_ lO6 7;aךdv*UتdԌ&$,9K&+WbW1a74qGXfxy"3%Wb]*UثWb]v*( k uA\l@(@ YثWb"tqXcm'/xL@8HQ@[.]v*UثV*,A*+P"9 ąJx&cnN`ϛb܊v*lM 0 *Q-q;f!@+'ZU8"D Cf+cV׮J*@azR!ULJl%ثWb]ĈƌibܱuGusO̸Ǒ`H*39c|%Bc2v*EM+>58R1VWbW0FD CD׮FDjRUث`*l) S5HR_ S.-\y얞f-`Wb]v**UثWb]v*[[ |[qHd2v*Uت`S~,Ɂm~JisݱRUثWb]o*aZ2#Dnn"Zޣ 2HCaS6WbWu]GU &o\m2T PVeiv*E|>#h%yZ}iFq2$)e v*Uت4޴98ꂬ&b8'2Fbv<+j>?4m*9ثcR^~ac,dv*v*`!QP"bWSLE#F |6Xش]=T2Y7E/m92v*UثWb*UثtƕUثWbUcVlĮ"vѓ#nHP6n]UY(: 9@LiިQ^}6@J UثWb]l \`ERgNYKAw')Ls+AO*KWbW4Fu*[# 2l|Q#B̭.]*z]P[$S YثWb]\ %R {K2lJOLBUe,ʒ ] V`Wb[֣Uz[aSDbh*'4MrdnP$Jhz,AnE]v*Uث*Up㒏5^GM Ԁ() SRUثUPvD[JDh rv*UQ~[A-|zrY1, +#KgJ\P*KWb]v*UqUܷ7x4RRUV@_̨PbBjPjT0ͱnE]\*2b8%CYW&Cr& v*{ˌbeÈZP䐷+KWb]T&=xeH&??̸`Jelp4ˌQn*N,;02&.%桘l ]^µˢ6Ai!;-%ثUʵ4DYEP j;86TeRGFBC3%ј|VHmc2kv*Uث*U^꼔=G{ IfVb]@ ؐV퓘PثWb!4-ZˌlU Hai5@T]v*UثWbTER@H|sn3/ܰ2tM^#ZcXثVZkQ*/BK>2ˢ0y7v*UثWb*UrcJ1H&>w%zsbmfVb]R[* PA]g()K1;v*UPJR|њ@R C:Sf^ڻ9(dZ#HY%ثWb]v*&B0FY"'$-b]v*UQ- 9'rr) p+UJ49gEW dg9S,kcJ܊]v*UتfSPrQ$.{2al^iR;?V "sWb]Z]Z}9l?^2 ,UثUXVFX+SHC1v*UثWb*Uz}\ZӸ@ubz9Z]v*r]% KzS9ɬUثU*il*ޜ|eq6lƌf 3 2v*UثWbW/Q5n2˳D!oTUh~Ʉ A,rcPa0(v*Uw*슴1TB[fN*Yg1ݛyp C1v*1qSrvwB܂]v*UتUJ5W3:t%0E1O)dUثWbPJZ[$j*UتrpPQ*u`" )f;'b]D˸={fN@2ىQ(+AvVHAYثWb]v*&Aod) ;iצeb԰HXlfY6k\lklb|;+[sHhmC zt6x$(|cP H#7@fتRrq@FY-zF ؁C< Y*jWʲĤSY;v*UثUث@pfP"Q,AK1;v*Z[Uv*UثWb#$ */UFlaG&Rm鍷+Lbw@ iovEV]v**Ur#i!AXDFݦdg"eiv*UتObr@^r*UثVmxrhplyPaRR]v*UثWbl1檟OlT3%A1z^ߎ'?𩓾cMb]r|FMKXUf`(+9vn\sH b̬<wfwd;dH O/>YfmŔGefUثWb]$ SY2[lb%Z'"b]v*Uث`⨘e>rHD"a2$m7~ \d5DcRd"]v**Ur6O*jY(YKYi޹\Iv*U\|12cl`45v*8s3S (~y+1MekJT [[KWb]v*U\UwNnTW+J)ю4eފ$Rs-`UI; I'qC dJa8O%&(7ȥT| I-HG|X,(*YتjeH!w|L9TxV@m UثWbWbQSlBiJe-K1;lb8XxU UتwZ lhnE]^-OH|la(riIU{ 2r@d30't#AHٶM`Wb]*Uت DJH!Z]TWG% (!Ӱ#E--]DGPoجmelv^iQ Ie0\ǵ(0 2v*UثWb[^BPFةr*HJQk#uC l>#9JG\ʄ@ nMrD)C$2IIN] PT~9 ݁wIPVN]*ֹ([\;Y%ثWb]1V\M{H(@-QT2v*ئolUn]Z8 ] no2+&5},y),^k-HRZ mPkJԌX@NF?#n@%MLǘ쐷"b]*U=2[ EO)KWbU+;e|~sXWb W=BD-4O"U UثWb]l UqR>_FXb@EIURs׮>N/ '(&&݆|(L@i@i yJ]v*UثWb]8ANQԊa\8#Z&'rͲ D̘ebB~e< RH3LQR0YAFci_͐i26q X S?WB[3^UUM=wA 2v*UثWbUs0LrA,Uxaoq ȪLl慹v*UثWb(ǒDEvԟ ǩa,k´b~`dw]?)mv*UثWS( r/ 0DTimes New Roman PIn@OPQRSV\ " ] ^ _`'a ,- .  '@efgh/Xb$}zD4h ,PR$Ѝv0^d,Pc $ f3333@8EFx ʚ;0x2ʚ; g4vdvdn` ppp@ <4!d!d0F@gʚ;<4dddd0F@gʚ;<4KdKd0F@gʚ;0 g4=d=dnLň^p@ pp` ___PPT10@ 8 (Hc(d0eHf @0NHL@P@S0I KHW@X Y@\0]g0h( 0 008P (180H`8a0b@88 82H304(506H(;8>0^___PPT9@80PcPd`ef@@`NLPS`I@KWX@Y\`]0g`hP ` ``p P1p0`pa`b0pp p23`4P5`6P;p>`0h___PPT2001D<4X@___PPTMac11@f   hnamd` Arial&Monotype Typography    hnamd` Arial&Monotype Typography    hnamd` Arial&Monotype Typography    hnamd` Arial&Monotype Typography    hnamd` Arial&Monotype Typography    hnamd` Arial&Monotype Typography    hnamd` Arial&Monotype Typography( 4   hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography  D x   x   x   x  x cD   hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography  d8   hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography  e   hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography  f0   hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography  @X   hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography  N   hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography  L   hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography  P   hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography  SX   hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography  I    hnamd` Arial&Monotype Typography  KD   hnamd` Arial&Monotype Typography    hnamd` Arial&Monotype Typography W`   hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography  X0   hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography  Y`   hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography  \8   hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography ]   hnamd` Arial&Monotype Typography  gX   hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography    hnamd` Arial&Monotype Typography    hnamd` Arial&Monotype Typography hD   hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography   (   hnamd` Arial&Monotype Typography   H   hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography  X   hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography  L   hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography  x   hnamd` Arial&Monotype Typography    hnamd` Arial&Monotype Typography    hnamd` Arial&Monotype Typography    hnamd` Arial&Monotype Typography    hnamd` Arial&Monotype Typography D   hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography  1l   hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography  0T   hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography    hnamd` Arial&Monotype Typography `\   hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography  aX   hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography  b   hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography  ,   hnamd` Arial&Monotype Typography  |   hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography   l   hnamd` Arial&Monotype Typography    hnamd` Arial&Monotype Typography    hnamd` Arial&Monotype Typography    hnamd` Arial&Monotype Typography    hnamd` Arial&Monotype Typography 2   hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography  3X   hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography  4D   hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography  5X   hnamd`       !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstvwxyz{|}~Arial&Monotype Typography     hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography  6   hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography  T   hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography  ;,   hnamd` Arial&Monotype Typography >X   hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography  ? %O =PX8More on Metasploit plugins from vulnerability to exploit49 93Saumil Shah ceo, net-square EUSecWest - London 2007B4    4< # who am i r Saumil Shah - "krafty" ceo, net-square solutions saumil@saumil.net author: "Web Hacking - Attacks and Defense"nY + A1HFrom Vulnerability to Exploit  The CPU's registers The Intel 32-bit x86 registers: The Process Memory Map  ?Win32 Process Memory Map  cGetting control of EIP CStack overflows Heap overflows Format string bugs Integer overflows:D  DdGetting control of EIP Overwrite saved return address saved EIPs in stack frames Overwrite exception handlers SEH overwrites Arbitrary memory overwrites Controlling "what" and "where"v  eBrowser overflows Client-side exploits are becoming the rage. ActiveX components. Media handlers / libraries. Toolbars / Plugins. Platform specific characteristics. Overflows delivered as HTTP responses. "Surf-n-crash".b, #&  fBrowser overflows "Javascript / Vbscript helps in targeting vulnerable components& & and building up the exploit on-the-fly. Javascript is always enabled these days.0@)(  @!Exploit example - IE VML overflow "$Buffer overflow in IE's VML implementation MS06-055 <v:fillmethod="AAAAAAAA& "> Exploiting IE 6 on XP SP2 Triggering the exploit by overwriting SEHD+  * N Windows SEH aSEH - Structured Exception Handler Windows pops up a dialog box: Default handler kicking in.bb#   bLException handling kTry / catch block Pointer to the exception handling code also saved on the stack, for each code block.Xl T lMFException handling & implementation $ P SEH Record Each SEH record is of 8 bytes These SEH records are found on the stack. In sequence with the functions being called, interspersed among function (block) frames. WinDBG command - !exchainX* X Q SEH Chain Each SEH record is of 8 bytes RSEH on the stack SYet another way of getting EIP Overwrite one of the addresses of the registered exception handlers& & and, make the process throw an exception! If no custom exception handlers are registered, overwrite the default SEH. Might have to travel way down the stack& & but in doing so, you get a long buffer!D E+K) ( TOverwriting SEH UOverwriting SEH HStage 1 proof of concept: ISetting up the exploit bServe up the exploit page over HTTP Point IE and surf to the page with a debugger attached to it:D$  cJ Crashing IE  Surf-n-crash KEIP = 0x41414141 4We control EIP. Where do you want to go& ? Direct return to stack? XP SP2 doesn't allow it. Jump through registers? EDX ESP and EBP are the only possible options& but they don't point to our buffer. Other registers are cleared, thanks to XP SP2. XP SP2 also forbids jumping into DLLs. R/&  WHow do we pull it off? In other circumstances, we'd have to go through long tedious routes& & or publish a DoS exploit and call it a day. L4m3 We are exploiting a browser. Browsers run Javascript. Javascript has arrays. Javascript arrays occupy heap memory.lrsE- % XLoading our buffer in the heap Can we load our shellcode in the heap via Javascript? How do we know where our buffer lies? Direct jump into heap? yes! that is possible.:s6&  Y Heap Spraying :Technique pioneered by Skylined. Make a VERY large NOP sled. Append shellcode at its end. Create multiple instances of this NOP sled in the heap memory. using Javascript arrays& a[0] = str; a[1] = str& The heap gets "sprayed" with our payloads. Land somewhere in the NOPs, and you win.l1T!? 1+( [ Heap Spraying  \Tips on Heap Spraying .Make really large NOP sleds approx 800,000 bytes per spray block Adjust the size of the NOP sled to leave very little holes inbetween spray blocks. Javascript Unicode encoding works great for shellcode. shellcode = unescape("%uXXXX%uXXXX& "); Null bytes are not a problem anymore.b%M%S7 '& ]Stage 2 ^Placeholder INT3 shellcode. Look for "90 90 90 90 cc cc cc cc" in the memory after IE crashes.&_B _g Jump to heap 0We can point EIP to any of the sprayed blocks. Arbitrarily choose addresses: 0x03030303 0x04040404 0x05050505& etc. Verify if they land in the NOP zones.XM&&/  & hStage 3 Overwrite SEH record with 0x05050505. INT 3 shellcode. Causes EIP to land into one of the NOP zones& & and eventually reach our dummy shellcode.:&.*  iStage 3 Overwriting SEH jStage 3 BLanding in the NOP zone& and INT 3 " Introducing Metasploit An advanced open-source exploit research and development framework. http://metasploit.com Current stable version: 2.7 Written in Perl, runs on Unix and Win32 (cygwin) Brand new 3.0 Complete rewrite in Rubybv1D1   Introducing Metasploit Generate shellcode. Shellcode encoding. Shellcode handlers. Scanning binaries for specific instructions: e.g. POP/POP/RET, JMP ESI, etc. Ability to add custom exploits, shellcode, encoders. & and lots more.Xi E- E Enter Shellcode Code assembled in the CPU's native instruction set. Injected as a part of the buffer that is overflowed. Most typical function of the injected code is to "spawn a shell" - ergo "shellcode". A buffer containing shellcode is termed as "payload".D45U4  Writing Shellcode Need to know the CPU's native instruction set: e.g. x86 (ia32), x86-64 (ia64), ppc, sparc, etc. Tight assembly language. OS specific system calls. Shellcode libraries and generators. Metasploit Framework.b/1m/1 $ 1A little about shellcode 6Types of shellcode: Bind shell Exec command Reverse shell Staged shell, etc. Advanced techniques: Meterpreter Uploading and running DLLs "in-process" & etc.9:    ( $$ ,Payload Encoders $Payload encoders create encoded shellcode, which meets certain criteria. e.g. Alpha2 generates resultant shellcode which is only alphanumeric. Allows us to bypass any protocol parsing mechanisms / byte filters. An extra "decoder" is added to the beginning of the shellcode. size may increase.DIFD?  %~1Payload Encoders }Example: Alpha2 encoding Transforms raw payload into alphanumeric only shellcode. Decoder decodes the payload "in-memory".dc 9( ~0Payload Encoders Metasploit offers many types of encoders. Work around protocol parsing e.g. avoid CR, LF, NULL toupper(), tolower(), etc. Defeat IDS Polymorphic Shellcode Shikata Ga NaiG3 %*    `&Using Metasploit to generate shellcode 'We need Javascript Unicode encoded shellcode. No encoding needed We will run "calc.exe" msfpayload - cmdline shellcode generation. msfencode - cmdline shellcode encoder. jsencode.pl - wrapper around Metasploit's Pex::Utils::JSUnescape() function.b..+ 'L aGenerate calc.exe shellcode jGenerate JSencoded shellcode: Final version contains working shellcode. A slight problem too many CALCs!N[*  kb"Exit function - "thread" vs. "seh" #jExiting via SEH causes the whole thing to repeat itself. Re-generate the shellcode using EXITFUNC="thread"&k91 k2"Writing Metasploit exploit modules #Integration within the Metasploit framework. Multiple target support. Dynamic payload selection. Dynamic payload encoding. Built-in payload handlers. Can use advanced payloads. & a highly portable, flexible and rugged exploit!X- 0 4How Metasploit runs an exploit  5Writing a Metasploit exploit Perl module (2.7), Ruby module (3.0) Pre-existing data structures %info, %advanced Constructor sub new {& } Exploit code sub Exploit {& }B  %   6$Structure of the exploit perl module % 7%info *Name Version Authors Arch OS Priv UserOptsN+   + /Payload Encoder Refs DefaultTarget Targets KeysN0  02Metasploit Pex Perl EXtensions. /lib/Pex.pm /lib/Pex/ Text processing routines. Socket management routines. Protocol specific routines. These and more are available for us to use in our exploit code.x: ?  3 Pex::Text Encoding and Decoding (e.g. Base64) Pattern Generation Random text generation (to defeat IDS) Padding & etcDk$'  k4 Pex::Socket TCP UDP SSL TCP Raw UDP:  5!Pex - protocol specific utilities ":SMB DCE RPC SunRPC MSSQL & etcD  6Pex - miscellaneous utilities TPex::Utils Array and hash manipulation Bit rotates Read and write files Format String generator Create Win32 PE files Create Javascript arrays & a whole lot of miscellany!b     8metasploit_skel.pm A skeleton exploit module. Walk-through. Can use this skeleton to code up exploit modules. Place finished exploit modules in: /exploits/F~ 2#  9Finished examples  my_ie_vml.pm ;"Some command line Metasploit tools #msfcli Metasploit command line interface. Can script up metasploit framework actions in a non-interactive manner. msfpayload Generate payload with specific options. msfencode Encode generated payload.k ( #H (  <"More command line Metasploit tools #emsfweb Web interface to the Metasploit framework. msfupdate Live update for the Metasploit framework.N+ *+ *  f=New in Version 3.0 msfd Metasploit daemon, allows for client-server operation of Metasploit. msfopcode command line interface to Metasploit's online opcode database. msfwx a GUI interface using wxruby.vE ?E ?  >New in Version 3.0 New payloads, new encoders. Ruby extension - Rex (similar to Pex) NASM shell. Back end Database support. & whole lot of goodies here and there.D&  % : Thank You!  CSaumil Shah saumil@saumil.net http://net-square.com +91 98254 31192,D  &*/;)?*R.U1V2^:`<a=b>c?d@eAfBgCPQYZ[\]^_`abcdPPsx,, e|HH(d9h  `` ` ̙33` 333MMM` ff3333f` f` f` 3` x33>?" dd@$?" dd@    @ ` n?" dd@   @@``PR    @ ` `(p>> $$C(  0 ^  C (Amatrix1"~  6 ?"p  T Click to edit Master title style! !Z 0  # "`hB  s *D1"0hB  s *D1"p`0`hB  s *D1" p hB  s *D1" hB   s *D1"00`hB   s *D1"p`p Z 0   # "<hB   s *D1"0hB   s *D1"p`0`hB  s *D1" p hB  s *D1" hB  s *D1"00`hB  s *D1"p`p Z 0  # L";ahB  s *D1"0hB  s *D1"p`0`hB  s *D1" p hB  s *D1" hB  s *D1"00`hB  s *D1"p`p Z 0  # "_ahB  s *D1"0hB  s *D1"p`0`hB  s *D1" p hB  s *D1" hB  s *D1"00`hB  s *D1"p`p $   0@: " P  RClick to edit Master text styles Second level Third level Fourth level Fifth level!     S~ ! 0D"0___PPT106___PPT9B___PPTMac11   hnamd` Arial&Monotype Typography  @(2  " 0 G" @(2  # 00J"P0___PPT106___PPT9B___PPTMac11   hnamd` Arial&Monotype Typography  U Saumil Shah(2   $ 0p[ "P0___PPT106___PPT9B___PPTMac11   hnamd` Arial&Monotype Typography  Teusecwest 2007 2  B  s *޽h ? x3ff matrixtheme; `   (  n p[  ^  C (Amatrix1"~  6W ?" `    W#Click to edit Master subtitle style$ $B  s *޽h ? x3ff z(    0|  P    R*    0Ph     T*  d  c $ ?    0  @  RClick to edit Master text styles Second level Third level Fourth level Fifth level!     S  6 `P   R*    6@ `   T*  H  0޽h ? ̙3380___PPT10.rp     ( ҈    0P P   0___PPT106___PPT9B___PPTMac11   hnamd` Arial&Monotype Typography  R*    0    0___PPT106___PPT9B___PPTMac11   hnamd` Arial&Monotype Typography  T*    6 `P  0___PPT106___PPT9B___PPTMac11   hnamd` Arial&Monotype Typography  R*    6 `  0___PPT106___PPT9B___PPTMac11   hnamd` Arial&Monotype Typography  T*  H  0޽h ? 3380___PPT10.q,F 00(    0=    l  C P? `   H  0޽h ? x3ff * @g(  x  c $0,  P  /  <P,c"m0___PPT106___PPT9B___PPTMac11   hnamd` Arial&Monotype Typography  # who am i 16:08 up 4:26, 1 user, load averages: 0.28 0.40 0.33 USER TTY FROM LOGIN@ IDLE WHAT saumil console - 11:43 0:05 bashC x  c $,p   H  0޽h ? x3ff___PPT10e+D=' ǐ= @B +( . _(W(P&(  D l  C  'p     0-f0 0___PPT106___PPT9B___PPTMac11   hnamd` Arial&Monotype Typography  QFuzzing   0-f0 0___PPT106___PPT9B___PPTMac11   hnamd` Arial&Monotype Typography  ZEIP = 0x41414141   0-fP 0___PPT106___PPT9B___PPTMac11   hnamd` Arial&Monotype Typography  RDebugger     0-fpP 0___PPT106___PPT9B___PPTMac11   hnamd` Arial&Monotype Typography  W Attack Vector   0-f P   @___PPT10 V___PPT980j___PPTMac11D<   hnamd` Arial&Monotype Typography    hnamd` Arial&Monotype Typography    hnamd` Arial&Monotype Typography  Reliable EIP return address@    0-f P  0___PPT106___PPT9B___PPTMac11   hnamd` Arial&Monotype Typography  XBad characters     0.f@ P   @___PPT10 V___PPT980j___PPTMac11D<   hnamd` Arial&Monotype Typography    hnamd` Arial&Monotype Typography    hnamd` Arial&Monotype Typography  Test Shellcode (INT 3)@ ~   0 .f P 0___PPT106___PPT9B___PPTMac11   hnamd` Arial&Monotype Typography  NINT 3? X   0``d"   <H IuP0 P `X  0  pp  HZGHI   p  HZGHI   p  HZGHI  @ p  HZG(HI(   j2  BG HXI   0. 0 0___PPT106___PPT9B___PPTMac11   hnamd` Arial&Monotype Typography  YFinal Shellcode   0. 0 0___PPT106___PPT9B___PPTMac11   hnamd` Arial&Monotype Typography  YWorking exploit   0`&.0 00___PPT106___PPT9B___PPTMac11   hnamd` Arial&Monotype Typography  \Shellcode Handling p2  HGHj]I^ `P X  0 `` X  0 ``H  0޽h ?`           x3ff80___PPT10. s$)/  f/^/`T.(  Tr T S .p   l T C p.  P  } T 0P.f0  0___PPT106___PPT9B___PPTMac11   hnamd` Arial&Monotype Typography  MESP } T 0/f00 0___PPT106___PPT9B___PPTMac11   hnamd` Arial&Monotype Typography  MEAX } T 0 /f@ 0 0___PPT106___PPT9B___PPTMac11   hnamd` Arial&Monotype Typography  MEBP } T 0/f@0 0 0___PPT106___PPT9B___PPTMac11   hnamd` Arial&Monotype Typography  MEBX } T 0/fP @ 0___PPT106___PPT9B___PPTMac11   hnamd` Arial&Monotype Typography  MESI }  T 0/fP 0 @ 0___PPT106___PPT9B___PPTMac11   hnamd` Arial&Monotype Typography  MECX }  T 0"/f` P 0___PPT106___PPT9B___PPTMac11   hnamd` Arial&Monotype Typography  MEDI }  T 0(/f` 0 P 0___PPT106___PPT9B___PPTMac11   hnamd` Arial&Monotype Typography  MEDX }  T 0+/fp``0___PPT106___PPT9B___PPTMac11   hnamd` Arial&Monotype Typography  MEIP   T < 5/ V,0___PPT106___PPT9B___PPTMac11   hnamd` Arial&Monotype Typography  O accumulator   T <;/0 ` 0___PPT106___PPT9B___PPTMac11   hnamd` Arial&Monotype Typography  Hbase  T <A/@ ZD 0___PPT106___PPT9B___PPTMac11   hnamd` Arial&Monotype Typography  Kcounter  T <@H/P `0___PPT106___PPT9B___PPTMac11   hnamd` Arial&Monotype Typography  Hdata  T <N/` 0___PPT106___PPT9B___PPTMac11   hnamd` Arial&Monotype Typography  Winstruction pointer  T <PP/P * 0___PPT106___PPT9B___PPTMac11   hnamd` Arial&Monotype Typography  Udestination index  T <`\/@ 0  0___PPT106___PPT9B___PPTMac11   hnamd` Arial&Monotype Typography  P source index   T <_/0 0  0___PPT106___PPT9B___PPTMac11   hnamd` Arial&Monotype Typography  P base pointer   T <h/ 0 0___PPT106___PPT9B___PPTMac11   hnamd` Arial&Monotype Typography  Q stack pointer H T 0޽h ? x3ff80___PPT10.~q +  **p!U*(  r  S  p     s *0 0___PPT106___PPT9B___PPTMac11   hnamd` Arial&Monotype Typography  Zenvironment vars   s *' 0___PPT106___PPT9B___PPTMac11   hnamd` Arial&Monotype Typography  \cmd line arguments z  s *+  0___PPT106___PPT9B___PPTMac11   hnamd` Arial&Monotype Typography  P**envp z  s *1   0___PPT106___PPT9B___PPTMac11   hnamd` Arial&Monotype Typography  P**argv x  s *9   0___PPT106___PPT9B___PPTMac11   hnamd` Arial&Monotype Typography  Nargc   s *?   0___PPT106___PPT9B___PPTMac11   hnamd` Arial&Monotype Typography  [main() local vars v  s * B   0___PPT106___PPT9B___PPTMac11   hnamd` Arial&Monotype Typography  L&  A  s *K f LDH___PPT10( f___PPT9H@~___PPTMac11XP   hnamd` Arial&Monotype Typography    hnamd` Arial&Monotype Typography    hnamd` Arial&Monotype Typography    hnamd` Arial&Monotype Typography  v heap ^ stackR     v  s *Y 0___PPT106___PPT9B___PPTMac11   hnamd` Arial&Monotype Typography  L&    s *Z 0___PPT106___PPT9B___PPTMac11   hnamd` Arial&Monotype Typography  _heap - malloc'ed data x  s *f 0___PPT106___PPT9B___PPTMac11   hnamd` Arial&Monotype Typography  N.bss y  s *h 0___PPT106___PPT9B___PPTMac11   hnamd` Arial&Monotype Typography  O.data y  s *r 0___PPT106___PPT9B___PPTMac11   hnamd` Arial&Monotype Typography  O.text    <po %0___PPT106___PPT9B___PPTMac11   hnamd` Arial&Monotype Typography  P 0xc0000000    ! <| 0kH0___PPT106___PPT9B___PPTMac11   hnamd` Arial&Monotype Typography  P 0x08000000   H  0޽h ? x3ffu5 _ %55@ 4(  @ x @ c $p7 p   } @ s *9 0___PPT106___PPT9B___PPTMac11   hnamd` Arial&Monotype Typography  S No access    @ s *`: 0___PPT106___PPT9B___PPTMac11   hnamd` Arial&Monotype Typography  ZShared user page w @ s *H  0___PPT106___PPT9B___PPTMac11   hnamd` Arial&Monotype Typography  MPEB } @ s *Q   0___PPT106___PPT9B___PPTMac11   hnamd` Arial&Monotype Typography  S First TEB   x @ s * U   0___PPT106___PPT9B___PPTMac11   hnamd` Arial&Monotype Typography  NDLLs x @ s *]   0___PPT106___PPT9B___PPTMac11   hnamd` Arial&Monotype Typography  NDLLs x  @ s *@_   0___PPT106___PPT9B___PPTMac11   hnamd` Arial&Monotype Typography  NDLLs x  @ s *e f0___PPT106___PPT9B___PPTMac11   hnamd` Arial&Monotype Typography  Nheap   @ s *@k 0___PPT106___PPT9B___PPTMac11   hnamd` Arial&Monotype Typography  W program image l @ s *u f0___PPT106___PPT9B___PPTMac11   hnamd` Arial&Monotype Typography  B  @ s *y 0___PPT106___PPT9B___PPTMac11   hnamd` Arial&Monotype Typography  Xerror trapping  @ <  0___PPT106___PPT9B___PPTMac11   hnamd` Arial&Monotype Typography  P 0x7FFFFFFF    @ <Ђ qN`0___PPT106___PPT9B___PPTMac11   hnamd` Arial&Monotype Typography  P 0x00000000    @ <0 lIP0___PPT106___PPT9B___PPTMac11   hnamd` Arial&Monotype Typography  P 0x00010000   y @ s * f 0___PPT106___PPT9B___PPTMac11   hnamd` Arial&Monotype Typography  Ostack  @ < 00___PPT106___PPT9B___PPTMac11   hnamd` Arial&Monotype Typography  P 0x7FFE1000    @ < @0___PPT106___PPT9B___PPTMac11   hnamd` Arial&Monotype Typography  P 0x7FFE0000    @ <P P 8___PPT10F___PPT9( V___PPTMac110(   hnamd` Arial&Monotype Typography    hnamd` Arial&Monotype Typography  ` 0x7FFDF000(  #  @ <` `  0___PPT106___PPT9B___PPTMac11   hnamd` Arial&Monotype Typography  Z 0x7FFDE000  #  @ <  9P 0___PPT106___PPT9B___PPTMac11   hnamd` Arial&Monotype Typography  R 0x40000000  # H @ 0޽h ? x3ff   ( st>yseMmegasKNSP  l  C  p   l  C 2   P  H  0޽h ? x3ff80___PPT10.s<   (   l  C /-p   l  C !&  P  H  0޽h ? x3ff80___PPT10.s䬾$  p $(   r  S v| p   r  S  {   P  H  0޽h ? x3ff80___PPT10.s>y$   $(    r  S ˓ p   r  S `   P  H  0޽h ? x3ff80___PPT10.s'  H (  H l H C ~ p   l H C P   P  H H 0޽h ? x3ff80___PPT10.s   (   r  S P p   r  S p   P  ^  6A?pB H  0޽h ? x3ff80___PPT10.sO    | ( {5 | r | S 6 p   r | S    P  u | 0` @  x ___PPT10`X  ___PPT9   ___PPTMac11     hnamd` Arial&Monotype Typography    hnamd` Arial&Monotype Typography    hnamd` Arial&Monotype Typography    hnamd` Arial&Monotype Typography    hnamd` Arial&Monotype Typography    hnamd` Arial&Monotype Typography    hnamd` Arial&Monotype Typography    hnamd` Arial&Monotype Typography    hnamd` Arial&Monotype Typography    hnamd` Arial&Monotype Typography    hnamd` Arial&Monotype Typography  try { : code that may throw : an exception. } catch { : attempt to recover from : the exception gracefully. } 2C$CC C CC(C)C C $C$(C( H | 0޽h ? x3ff80___PPT10.s$ ` $$ $(   x  c $K p   l  s *K 0___PPT106___PPT9B___PPTMac11   hnamd` Arial&Monotype Typography  B z  s *K  0___PPT106___PPT9B___PPTMac11   hnamd` Arial&Monotype Typography  Pparams }  s *K 0___PPT106___PPT9B___PPTMac11   hnamd` Arial&Monotype Typography  S saved EIP   }  s *K 0___PPT106___PPT9B___PPTMac11   hnamd` Arial&Monotype Typography  S saved EBP     <`K 0___PPT106___PPT9B___PPTMac11   hnamd` Arial&Monotype Typography  UBottom of stack XB  @ 0D @ XB  @ 0D@XB  @ 0D@  < K ij8___PPT10F___PPT9( V___PPTMac110(   hnamd` Arial&Monotype Typography    hnamd` Arial&Monotype Typography  ] more frames$  ^  60^  6   <L   @___PPT10 V___PPT980j___PPTMac11D<   hnamd` Arial&Monotype Typography    hnamd` Arial&Monotype Typography    hnamd` Arial&Monotype Typography  {frame w/ exception handling2 ~  s *L 0___PPT106___PPT9B___PPTMac11   hnamd` Arial&Monotype Typography  T local vars     s *L   0___PPT106___PPT9B___PPTMac11   hnamd` Arial&Monotype Typography  caddr of exception handler R  s *L `0LDH___PPT10( f___PPT9H@~___PPTMac11XP   hnamd` Arial&Monotype Typography    hnamd` Arial&Monotype Typography    hnamd` Arial&Monotype Typography    hnamd` Arial&Monotype Typography  $exception handler code (catch block)R%    %j"  BH*IO008 H  0޽h ?     x3ffN   N(   r  S 4L p   r  S 6L   P    s *P?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~r  S @M   P  H  0޽h ? x3ff80___PPT10.s. b 0 2( Sj  ^  6P x  c $`M p   l  s *`M 0___PPT106___PPT9B___PPTMac11   hnamd` Arial&Monotype Typography  B   s *M ` P 0___PPT106___PPT9B___PPTMac11   hnamd` Arial&Monotype Typography  faddress of exception handler   s *N p` 0___PPT106___PPT9B___PPTMac11   hnamd` Arial&Monotype Typography  `ptr to next SEH record   s * N `08___PPT10F___PPT9( V___PPTMac110(   hnamd` Arial&Monotype Typography    hnamd` Arial&Monotype Typography  h ex_handler().   j"  BH ;IO0   s *N "p0___PPT106___PPT9B___PPTMac11   hnamd` Arial&Monotype Typography  Pparams   s *N "0___PPT106___PPT9B___PPTMac11   hnamd` Arial&Monotype Typography  S saved EBP     s * N "0___PPT106___PPT9B___PPTMac11   hnamd` Arial&Monotype Typography  S saved EIP     s *%N "`0___PPT106___PPT9B___PPTMac11   hnamd` Arial&Monotype Typography  Pbuffer H  0޽h ?     x3ff1 c B1:1@ 0(     6GN P X___PPT1080___PPT9h`___PPTMac11x   hnamd` Arial&Monotype Typography    hnamd` Arial&Monotype Typography    hnamd` Arial&Monotype Typography    hnamd` Arial&Monotype Typography    hnamd` Arial&Monotype Typography    hnamd` Arial&Monotype Typography  AAAA AAAA AAAA : : :^    x  c $IN p   l  s *NN 0___PPT106___PPT9B___PPTMac11   hnamd` Arial&Monotype Typography  B   s *SN f` P 8___PPT10F___PPT9( V___PPTMac110(   hnamd` Arial&Monotype Typography    hnamd` Arial&Monotype Typography  bAAAA0 x  s *`\N p` 0___PPT106___PPT9B___PPTMac11   hnamd` Arial&Monotype Typography  NAAAA   s *dN `08___PPT10F___PPT9( V___PPTMac110(   hnamd` Arial&Monotype Typography    hnamd` Arial&Monotype Typography  h ex_handler().     s *jN "p0___PPT106___PPT9B___PPTMac11   hnamd` Arial&Monotype Typography  NAAAA   s * uN "0___PPT106___PPT9B___PPTMac11   hnamd` Arial&Monotype Typography  NAAAA J  s *yN "LDH___PPT10( f___PPT9H@~___PPTMac11XP   hnamd` Arial&Monotype Typography    hnamd` Arial&Monotype Typography    hnamd` Arial&Monotype Typography    hnamd` Arial&Monotype Typography  AAAA AAAA AAAAR     s *PN f" P0___PPT106___PPT9B___PPTMac11   hnamd` Arial&Monotype Typography  [Illegal memory access {  s *PN f" PpLDH___PPT10( f___PPT9H@~___PPTMac11XP   hnamd` Arial&Monotype Typography    hnamd` Arial&Monotype Typography    hnamd` Arial&Monotype Typography    hnamd` Arial&Monotype Typography  Ocauses segmentation fault. OS invokes registered exception handler in the chainBP   Pp  HZG~HJ=I~p8   s *@N f"@ $ 0___PPT106___PPT9B___PPTMac11   hnamd` Arial&Monotype Typography  VEIP = 0x42424242 p  HGiHNIi `@   s *N "0___PPT106___PPT9B___PPTMac11   hnamd` Arial&Monotype Typography  NAAAA H  0޽h ?/@       x3ff  ( Pl (  l l l C N p   l l C N   P   l 0N `H___PPT10( f___PPT9H@N___PPTMac11(    hnamd` Arial&Monotype Typography   LCLG;C C  H l 0޽h ? x3ff80___PPT10.ǖs*f  `p f( xu  p l p C N p   l p C @N   P  F p <N 6 H___PPT10( f___PPT9H@N___PPTMac11(    hnamd` Arial&Monotype Typography  <$ ./daemon.pl ie_vml1.html [*] Starting HTTP server on 8080L=CG"C C  =H p 0޽h ? x3ff80___PPT10.ǖs3E  XPpt (  t l t C :O p   l t C P !exchain 0013e420: 41414141 Invalid exception stack at 41414141 0:000> g (18c.584): Access violation - code c0000005 (first chance) eax=00000000 ebx=00000000 ecx=41414141 edx=7c9037d8 esi=00000000 edi=00000000 eip=41414141 esp=0013b0d0 ebp=0013b0f0 iopl=0 nv up ei pl zr na po nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246 41414141 ?? ???'CG8C C CGC G C  'H t 0޽h ? x3ff80___PPT10.ȖsK  x (  x l x C O p   l x C O   P  H x 0޽h ? x3ff80___PPT10.ɖsrd   ( D{5  l  C 7p p   l  C p8p   P  H  0޽h ? x3ff80___PPT10.Ֆs   ( `D  l  C p p   l  C p   P  H  0޽h ? x3ff80___PPT10.֖sPM   ( {5  l  C  p p   l  C p   P  H  0޽h ? x3ff80___PPT10.֖sr{0 d 00& 0(   x  c $Aq p   ^B  6D P^B  6DP|  s *pLq  `0___PPT106___PPT9B___PPTMac11   hnamd` Arial&Monotype Typography  RNOP sled   }  s *`Oq ` P0___PPT106___PPT9B___PPTMac11   hnamd` Arial&Monotype Typography  S shellcode   |  s *0Yq   0___PPT106___PPT9B___PPTMac11   hnamd` Arial&Monotype Typography  RNOP sled   }  s *Uq  p 0___PPT106___PPT9B___PPTMac11   hnamd` Arial&Monotype Typography  S shellcode   |  s *bq  0___PPT106___PPT9B___PPTMac11   hnamd` Arial&Monotype Typography  RNOP sled   }  s *jq  0___PPT106___PPT9B___PPTMac11   hnamd` Arial&Monotype Typography  S shellcode     0@q  ___PPT10     ___PPT9xp     :___PPTMac11  (namd Monaco  (namd Monaco  (namd Monaco  x  (namd Monaco  x  (namd Monaco  (namd Monaco  (namd Monaco  (namd Monaco  (namd Monaco  (namd Monaco  (namd Monaco  (namd Monaco  (namd Monaco  (namd Monaco  (namd Monaco  (namd Monaco  (namd Monaco  (namd Monaco  (namd Monaco  e : exploit trigger condition goes here : v CCC C CCCC C $C$(C(,C,0C0 4C48C8 s 02000000 l fffffff 90 90 90 90 cc cc cc cc 02150020 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................ 02360020 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................ 02570020 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................ 02780020 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................ 02990020 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................ 02ba0020 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................ 02db0020 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................ 02fc0020 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................ 031d0020 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................ 033e0020 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................ : : :<2C,GC 2H  0޽h ? x3ff80___PPT10.ؖs$  P $( {5  r  S  p   r  S    P  H  0޽h ? x3ff80___PPT10.ٖs=$  ` $(   r  S  p   r  S `   P  H  0޽h ? x3ff80___PPT10.sp    \ T p  (   r  S @ p   r  S P   P    0 PP xpP___PPT100(v___PPT9XP___PPTMac11ld   hnamd` Arial&Monotype Typography    hnamd` Arial&Monotype Typography    hnamd` Arial&Monotype Typography    hnamd` Arial&Monotype Typography    hnamd` Arial&Monotype Typography  R0:000> g (148.360): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=0013b648 ebx=001dbc94 ecx=0013b63c edx=00000505 esi=000024dc edi=00140000 eip=5deded1e esp=0013b624 ebp=0013b84c iopl=0 nv up ei pl nz na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202 vgx!$DllMain$_gdiplus+0x30e8d: 5deded1e 668917 mov [edi],dx ds:0023:00140000=6341 0:000> !exchain 0013e5a4: 05050505 Invalid exception stack at 05050505`SCG C G 8C SH  0޽h ? x3ff80___PPT10.sd      (   r  S  p   r  S PĜ   P  j  0ɜ PP`___PPT10@8___PPT9xp___PPTMac11   hnamd` Arial&Monotype Typography    hnamd` Arial&Monotype Typography    hnamd` Arial&Monotype Typography    hnamd` Arial&Monotype Typography    hnamd` Arial&Monotype Typography    hnamd` Arial&Monotype Typography    hnamd` Arial&Monotype Typography  20:000> db 0x05050505 05050505 90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90 ................ 05050515 90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90 ................ 0:000> g (148.360): Break instruction exception - code 80000003 (first chance) eax=00000000 ebx=00000000 ecx=05050505 edx=7c9037d8 esi=00000000 edi=00000000 eip=05230024 esp=0013b254 ebp=0013b274 iopl=0 nv up ei pl zr na po nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246 05230024 cc int 3 0:000> u 05230024 cc int 3 05230025 cc int 3 05230026 cc int 3C GC G ]CGmC H  0޽h ? x3ff80___PPT10.sd  1  t( ?j tl t C (s p   l t C )s   P  H t 0޽h ? x3ff80___PPT10.r9 2 0x( B xl x C 0os p   l x C ps   P  H x 0޽h ? x3ff80___PPT10.r'Z  @( d@ r  S s p   l  C s   P  H  0޽h ? x3ff80___PPT10.Iqx  P( c r  S Mt p   l  C pNt   P  H  0޽h ? x3ff80___PPT10.Iqy : (  l  C /| p   l  C |   P  H  0޽h ? x3ff80___PPT10.rU=$ < X$(  Xr X S | p   r X S P|   P  H X 0޽h ? x3ff80___PPT10.5qC  P     (   l  C @R} p   l  C S}   P  {  s *Z} @0 0___PPT106___PPT9B___PPTMac11   hnamd` Arial&Monotype Typography  Qdecoder   s *a} f@0 0___PPT106___PPT9B___PPTMac11   hnamd` Arial&Monotype Typography  j UnWQ89Jas281EEIIkla2wnhaAS901las!! !  s *d} 0 0___PPT106___PPT9B___PPTMac11   hnamd` Arial&Monotype Typography  j original shellcode (ascii 0-255)!! !^B  6D @^B  6D  @H  0޽h ? x3ff80___PPT10. sI Q  (    l  C } p   l  C `}   P  H  0޽h ? x3ff80___PPT10. s?   (   l  C ~ p   l  C ~   P  H  0޽h ? x3ff80___PPT10.ۖsl|   |(   l  C `b~   P  \  <k~ BP___PPT100(v___PPT9XP"___PPTMac11 (namd Monaco    hnamd` Arial&Monotype Typography  N$ ./msfpayload win32_exec EXITFUNC="seh" CMD="calc.exe" R | ./jsencode.pldOC8GG G C Ol  C j~ p   H  0޽h ? x3ff80___PPT10.ǖs3E   (   l  C ~ p   l  C ~   P  _  <~  g| P___PPT100(v___PPT9XP"___PPTMac11 (namd Monaco    hnamd` Arial&Monotype Typography  Q$ ./msfpayload win32_exec EXITFUNC="thread" CMD="calc.exe" R | ./jsencode.pldRC;GG G C RH  0޽h ? x3ff80___PPT10.ݖs]= = |(  |l | C  p   l | C    P  H | 0޽h ? x3ff80___PPT10.r ( > (('( dep yaol l  C p p    8  p   P p`   0y  p0___PPT106___PPT9B___PPTMac11   hnamd` Arial&Monotype Typography  Xcreate payload   0p|  p 0___PPT106___PPT9B___PPTMac11   hnamd` Arial&Monotype Typography  W launch attack   0@  p 0___PPT106___PPT9B___PPTMac11   hnamd` Arial&Monotype Typography  Xget connection   0@  p @___PPT10 V___PPT980j___PPTMac11D<   hnamd` Arial&Monotype Typography    hnamd` Arial&Monotype Typography    hnamd` Arial&Monotype Typography  ~EXPLOIT preamble@    60  p @___PPT10 V___PPT980j___PPTMac11D<   hnamd` Arial&Monotype Typography    hnamd` Arial&Monotype Typography    hnamd` Arial&Monotype Typography  List of known target values@    0p  @___PPT10 V___PPT980j___PPTMac11D<   hnamd` Arial&Monotype Typography    hnamd` Arial&Monotype Typography    hnamd` Arial&Monotype Typography  user supplied exploit info@     0 P @___PPT10 V___PPT980j___PPTMac11D<   hnamd` Arial&Monotype Typography    hnamd` Arial&Monotype Typography    hnamd` Arial&Monotype Typography  Metasploit Shellcode Library@    0 @ 0___PPT106___PPT9B___PPTMac11   hnamd` Arial&Monotype Typography  REncoders     0   @___PPT10 V___PPT980j___PPTMac11D<   hnamd` Arial&Monotype Typography    hnamd` Arial&Monotype Typography    hnamd` Arial&Monotype Typography  ~Payload handlers@ p"  HGH`TI& p  HG@HI@P``@j"  BHxIp p @ HZG`HsI`p p  HZG0HI0`  H  0޽h ?_       x3ffQ80___PPT10.rM ? ( u@ l  C  p   l  C    P  H  0޽h ? x3ff80___PPT10.r퓰! @ 2!*!   (  l  C 9 p     << \ J___PPT10     6___PPT9     ___PPTMac11   hnamd` Arial&Monotype Typography  (namd Monaco  (namd Monaco  (namd Monaco  (namd Monaco  (namd Monaco  (namd Monaco  (namd Monaco  (namd Monaco  (namd Monaco  (namd Monaco  (namd Monaco  (namd Monaco  (namd Monaco  (namd Monaco  (namd Monaco    hnamd` Arial&Monotype Typography  package Msf::Exploit::name; use base "Msf::Exploit"; use strict; use Pex::Text; my $advanced = { }; my $info = { }; sub new { } sub Exploit { }CC C C CCCC C  $C$(C(,C,0C04C48C8 @p  X ___PPT10ph     ___PPT9     ___PPTMac11 x    |namdtTimes New Roman&Monotype Typography     |namdtTimes New Roman&Monotype Typography     |namdtTimes New Roman&Monotype Typography     |namdtTimes New Roman&Monotype Typography     |namdtTimes New Roman&Monotype Typography     |namdtTimes New Roman&Monotype Typography     |namdtTimes New Roman&Monotype Typography     |namdtTimes New Roman&Monotype Typography     |namdtTimes New Roman&Monotype Typography   \nLet us understand the process of vulnerability research. There are three distinct areas of focus: Vulnerability discovery Reverse engineering, debugging and disassembly for analysis of the vulnerability Creating a stable working exploit Vulnerability discovery involves a process called "fuzzing" - sending varying amounts and types of data as inputs to applications, in an attempt to cause a failure situation. If a failure situation results in getting control of the instruction pointer, then we have a candidate for exploitation. The debugging process is an iterative process to analyse how exactly we can take control of the instruction pointer, what attack vectors work, how do we determine which character sets are allowed by the protocol / parser and which characters are denied, and eventually, where and how can we pack our custom code into the attack vector. The exploit creation process involves choice of a suitable payload and determining reliable offsets and addresses. This process also involves analysis on various platforms, operating systems, service packs, patches, etc. to create a one-size-fits-all exploit.c" " 9) Q") P$$((,,00 oH  0޽h ? ̙3380___PPT10. sn% "$ VN@ ( l6 P,0O  R  3    T  C b @   The concepts in Metasploit framework 2.6 and 3.0 are more or less the the same. The 3.0 framework is completely re-written using Ruby, in a very object oriented manner. The code is much cleaner than Perl, but the 3.0 branch is still incomplete. There are a lot of features yet to be developed. For our presentation, we shall be focussing on the 2.6 code, with some examples in 3.0. It is the concepts that we want to focus upon, and not the implementation. H  0޽h ? ̙3380___PPT10. sn%y "$ P ( l6 /N`  R  3      C p @   qSome of the features of the Metasploit framework. Metasploit is useful in vulnerability research in many ways.  rH  0޽h ? ̙3380___PPT10. sn%W"$ ( g( l6 NPQN ( R ( 3     ( C  @d  LH___PPT10( f___PPT9H@___PPTMac11`X   |namdtTimes New Roman&Monotype Typography     |namdtTimes New Roman&Monotype Typography   !There are different types of shellcode, depending on the functionality. Of particular interest is "staged shellcode", which is a two-part shellcode. The first part is a "loader" stage, which waits for a connection and the second stage to arrive. It loads the second part in the memory, and transfers control to it. Staged shellcode is useful in situations where the buffer space is small. The loader is small enough to fit in many tight situations, and the second part of the shellcode can be transmitted later. Metasploit has some advanced shellcode, such as the Meterpreter (which stands for METasploit intERPRETER). The Meterpreter allows for very advanced post-exploitation and stealth techniques.0  H ( 0޽h ? ̙3380___PPT10. sn% "$ y0 ( l6 NPQN 0 R 0 3     0 C W @d  LH___PPT10( f___PPT9H@___PPTMac11`X   |namdtTimes New Roman&Monotype Typography     |namdtTimes New Roman&Monotype Typography   mIn most cases, using the raw shellcode will not work. This is because the shellcode may contain characters that are not usable within the exploit's attack vector. Null bytes (0x00) have to be almost always avoided, because the parsing mechanisms in the victim program will terminate at the occurrence of a null byte. If we are dealing with ASCII protocols such as HTTP, characters such as CR and LF have to be avoided too, since these constitute line breaks. We have two choices - either hand-assemble the shellcode avoiding all opcodes and operands which result into such characters, or use a payload encoder, provided by Metasploit. Payload encoders are small pieces of code which decode part of the shellcode in memory. A popular shellcode encoder is "Alpha2" written by Skylined. The Alpha2 encoder generates alphanumeric only shellcode (similar to Base64 encoding).0n  nH 0 0޽h ? ̙3380___PPT10. sn%"$ rj4 ( l6 NN 4 R 4 3    p 4 C ` @   So far, we have seen how we can write our own exploit scripts with help from Metasploit, for finding the EIP distance, looking through shared libraries and binaries for JMP or CALL opcodes. We have seen how we can get control of the EIP and make it jump to our dummy shellcode. Now let us see some more features of Metasploit, and understand how we can re-write our own exploit modules so they become a part of the Metasploit framework. This gives us great flexibility in exploit design. H 4 0޽h ? ̙3380___PPT10. sn%"$  08 ( l6 `NPQN 8 R 8 3      8 C P @   This diagram shows conceptually how Metasploit works with plugins. We have to write our plugins in a specific manner, for them to be used with Metasploit. Metasploit will then provide functionality such as choice of shellcode and encoders, capturing user input and passing it on to the exploit module, and eventually using an appropriate payload hander for working with the payload sent. H 8 0޽h ? ̙3380___PPT10. sn%"$ bZ< ( P@e  < R < 3    ` < C   @   At a minimum, every Metasploit plugin must have a constructor, with the name "new" and an exploit module with the name "Exploit". Metasploit will pass all inputs to the plugin via two hash arrays, %info and %advanced. H < 0޽h ? ̙3380___PPT10. sn%)"$ @@ 9( Nl6 PNЦN @ R @ 3     @ C pu @   G!Every plugin must have this code. "H @ 0޽h ? ̙3380___PPT10. sn%"$ D #( l6 NPQN D R D 3     D C m @d  L___PPT10     &___PPT9     f___PPTMac11@8   |namdtTimes New Roman&Monotype Typography     |namdtTimes New Roman&Monotype Typography     |namdtTimes New Roman&Monotype Typography     |namdtTimes New Roman&Monotype Typography     |namdtTimes New Roman&Monotype Typography     |namdtTimes New Roman&Monotype Typography     |namdtTimes New Roman&Monotype Typography     |namdtTimes New Roman&Monotype Typography     |namdtTimes New Roman&Monotype Typography     |namdtTimes New Roman&Monotype Typography     |namdtTimes New Roman&Monotype Typography     |namdtTimes New Roman&Monotype Typography     |namdtTimes New Roman&Monotype Typography     |namdtTimes New Roman&Monotype Typography   The %info hash array is meant for providing information to the Metasploit framework, Some of the contents of %info are as mentioned in the slide. Name exploit name Version exploit version (if any) Authors exploit authors Arch CPU architecture (x86, ppc, sparc, etc) OS OS it runs on (linux, win32, etc) Priv Boolean value 0 = does not yield root, 1 = yields root UserOpts User supplied options which need to be passed to the exploit, for example Remote Host IP, Remote Port, login name, etc. Payload Information about the payload. Size available, bad characters, any code to prefix (such as stack relocation code), etc. Encoder Preferred encoder to use Refs References to vulnerability details, such as Bugtraq ID, CVE id,OSVDB id, etc. Targets Information specific to kernels, service packs, etc. For example, location of JMP ESP in USER32.DLL for SP4, XP2, etc. This will be passed to the exploit module DefaultTarget Default target to use (if any) Keys Keywords (useful for searching through exploit modules)" /'> $$"((V,,00-44>88<< H D 0޽h ? ̙3380___PPT10. sn%i"$ @H y( l6 NЦN H R H 3     H C P @   aLet us now study a skeleton plugin. We can use this template to create our own working exploits. bH H 0޽h ? ̙3380___PPT10. sn%"$ 4,PL ( l6 ` OPQN L R L 3    2 L C Є @   The Peercast and sipXtapi exploit scripts can be adapted for use with Metasploit as shown by these two examples. We shall walk through them, and then have a demonstration. H L 0޽h ? ̙3380___PPT10. sn%t1"$   (   R  3      C p9 @   lThis example shows how a raw shellcode is transformed into an encoded shellcode packed with its own decoder. mH  0޽h ? ̙3380___PPT10.- s0"$ -% (   R  3    +  C ག @   In addition to working around unusable characters, encoded shellcode can also be used to defeat IDS's with polymorphic and variable encoders, such as Shikata Ga Nai. H  0޽h ? ̙3380___PPT10.- s.2"$ G?( (  ( R ( 3    E ( C 7 @   At the core of Metasploit's libraries is PEX (Perl EXtensions). The Pex library contains many text processing routines, socket calls, calls specific to protocols and miscellaneous utilities. H ( 0޽h ? ̙3380___PPT10.E sn˂K3"$ , [(  , R , 3     , C pY @   iCThe Pex::Text library contains text and string processing routines. DH , 0޽h ? ̙3380___PPT10.E sJ'4"$ 800 ( @A 0 R 0 3    6 0 C  i @   Pex::Socket contains routines to handle network connections. In addition to TCP and UDP, Pex::Socket contains calls to manage SSL connections and send raw UDP packets as well. H 0 0޽h ? ̙3380___PPT10.E s9DH5"$  4 X( D{5 4 R 4 3     4 C  @   f@Pex also contains libraries to work with popular application layer protocols such as SMB, DCERPC, SunRPC, Microsoft SQL server, and others. This simplifies the process of preparing the attack vector, allowing developers to concentrate more on the actual exploit rather than messing with ensuring protocol compatibility. AH 4 0޽h ? ̙3380___PPT10.E sco6"$ 08 (   8 R 8 3     8 C P @   gPex::Utils is an assortment of miscellaneous utilities, which exploit developers can use in their code. hH 8 0޽h ? ̙3380___PPT10.F s;"$ $`< (  < R < 3    " < C 0 @   In addition to msfconsole, Metasploit framework has smaller command line utilities which can be used by themselves or in a script to perform specific tasks. H < 0޽h ? ̙3380___PPT10.F sEr ?"$ D (  D X D C     D S 0 @d  LH___PPT10( f___PPT9H@___PPTMac11`X   |namdtTimes New Roman&Monotype Typography     |namdtTimes New Roman&Monotype Typography   0The Operating System contains a system call called exec(), which invokes the Loader. The Loader takes an image of a running program from disk (the binary executable file), and loads it up into a new memory area according the the layout of the program image. The Loader also creates two memory structures, the Stack and the Heap. The Heap is used by the program when it nees to use dynamically allocated memory. The Stack is used for keeping a track of functions, the local variables to a function, parameters passed to function and return values from functions. The Loader turns a program on the disk into a process. A "process" is a "program in motion". The layout of a typical process contains compiled code and statically compiled data at the top of the process (low numbered memory addresses). The Stack begins at the bottom of the memory (high numbered memory addresses) and grows upwards. The Heap begins below the TEXT, DATA and BSS segments and grows downwards.06  H D 0޽h ? ̙3380___PPT10.q,F M"$  (   X  C      S k @    H  0޽h ? ̙3380___PPT10.q,F R"$  (   X  C      S x @    H  0޽h ? ̙3380___PPT10.q,F6T"$  F(   X  C      S  @   H"This example shows a step-by-step view of how SEH overwrites occur. We shall see how we can overwrite the pointer to the exception handler function by overflowing the variable buffer[]. In this example, the array buffer[] can hold only 12 bytes. This is not enough to hold our shellcode. #H  0޽h ? ̙3380___PPT10.q,F U"$ &    (   X  C       S Ш @d  LH___PPT10( f___PPT9H@___PPTMac11`X   |namdtTimes New Roman&Monotype Typography     |namdtTimes New Roman&Monotype Typography   dAssume that we fill the variable buffer[] with AAAAAAAAAAAAAAAAABBBBBB& & We will overwrite the saved value of EIP with "AAAA" (0x41414141), and also end up overwriting the pointer to ex_hander() with "BBBB" as shown in the diagram. When the function returns, EIP will be popped off from the stack and assume a value of 0x41414141. This will cause a segmentation fault or a page violation when the CPU attempts to fetch an opcode from the memory location 0x41414141, which isn't mapped. This exception will cause the operating system to invoke the handler registered in the exception handler chain. However, we overwrote this pointer with "BBBB", and therefore EIP becomes 0x42424242. This illustrates how we can get control of EIP by overwriting exception handlers.0I  H  0޽h ? ̙3380___PPT10.q,F ["$  (   X  C      S , @    H  0޽h ? ̙3380___PPT10.q,Fdxp^RЀ3ÿ lHbP  @AL G@;b `B&V^(h').4Y0?[E S[oHR]U kqIu^w`)2,ܕh~px!(#H% $ +-/2U$w70M,39 B;OQvcf1S$8L@+DKFkHJ 8s{}?_DFHJL԰A( r/ 0DTimes New Roman PIn@?@ABCDEFGHIJKMNOPRSTUVWXYZ[\]^_`abcdefghijklmnoprstuvwxyz{|}~ Oh+'0<0 DP p |  'More on Metasploit Pluginsi^3  Saumil Shah^3 ^3 9Saumil's Follies:Users:saumil:shows:xcon:matrixtheme.pot Saumil Shah797Microsoft PowerPoint@01@Gu;@s`@28\{GPICT HH HH  l            %0.$     %      ""#,!"    '   #        ""        (   !      31           "   #0F            2994J       (.),17)     3;8"        + :.  !*       #   (  $2   *.2?/            ##'*+     ,%        )-6        ,6A%   #$     0./        # (5,           *1    ,"       $))  -0  0"         38<  (0    &(#        $-9  /1  &(     "   )=.%+,'  ,*, "        .-8   !  !    +%-        (%     +)& ,''-%     "&           $ :+    %      *&)D1   "            #./?-    !     #     #+2*          "      %&                  !) !      3   %  :؁    +))2$     Ɂ      %0<   !    $&3=/         #(4@0  Ɂ    '$$05 !"                         !                      #" %      !)/  #     !.       !                          %$   &       $"                  *+2'        %    &"3/      !   # /#     #       !% %34" &       &//(    %       !    %1-.7,%!      #!    ##$&( "               #        "#           $      ! % #! I ; h$'Z:9n;l; h$'Z:9n:l L    04uK1H K &/J;8ȟ[;A_;"7;8 ȟ[:A_:"7 SG  t J!Rw M  +E,ρ;̝o+ɟ;sLG *b†0 x@l$¬1}d:}{ : D3 ʙ"ha:f(`'`b†5;̝o+ɟ;sLG *b†0x@m$¬1}d:}{ : D3 ʙ"hb:f(`'`b†5 NŌ6ǟI`Y "5{0."X-?}IܝL5.V@("I95#y1y{B"#"ǁӄI7.g X? c=%2//ʌCֲ GRH(̥eHw""uJD+£58308L   ǁ; 4hy<4i xn%%0pW̚-UA}'tB)A\Q:yL9\ "t/;;f\ o,|,ln%&\H; 4hz=4i xn%%0pX̚,TB})vB)A\R:yL9\ "t1=";f\o,|,ln%&\HLA0Ρ'a %A# ׵//0ʏv; lU ΝͲKS4RtfK.%_Ht"SaBPu(88//s[  ˁ; Iƃ:ry?$˘1n%%q"e-$ǰ(c̃Wô|A̗ʊ:ɬP93ȶ"to;#ą |(ln&&A0; IƄ:ry?$˘1n%%q$f-$ǰ)c̃Wô|A̗ʊ;ɬP93ȶ"tp<#ą |(ln%&A0L a2)S?.>//˙><-3|mRN2)dH@"V,3!321R=(%#p   A  t  Ih>    A  t  Ih>        $  R   !  fN 32"? r$r? q %r #$#)O #,  < '-5"       !   &(1&      )#(( # (       $,%.,#!)#  ( M  "    01    !**)!  %9(      ""  $% (0/ A       * ,3  )      )% 0       $-( "    %,,) D            "G      %    P      '!    *'$#   +.+) =   !"  $))    "%!     " ,#)*"    3) )          %(   !+(&%  '>5)        4',               1          2&)$$ (  Y       $%  $6  !*# "# S     &&#6(0$ !     #61 P         2=9   ')   %% '$&   &7G+D      1;   #     )7@,G        .D1        $3,$6      (3/)  4 101!   S        1) -6%    -   !  #"0  / +.7&1          .'!  .6+"   !  '  $0! !A= !    '   *   #   477*    !       #'*        #           &21X        !  %   9721;     #  "  +.?-    !?0-        &4" !  -3@0 2   !"$' ,  %1%  .!#    $#    ! '-7 "          *  !!    ++>     "%$  "# /;?) "   & $  3  .19*     " % B  %(/)    (! )" 98".  '4:% 6        "$"  "(  )--<           .4 S                 +;=A9 1       1  /+>#-    (1 '"!   6    !   ")>'&   ##         '# 6'  !   !$%0"       ')  '&'" 8OPS\ " ] ^ _`'a ,- .  '@efgh/Xb$}zD4h ,PR$Ѝv0^d,Pc $ f3333@8EF ʚ;0x2ʚ; g4vdvdn` ppp@ <4!d!d0F@gʚ;<4dddd0F@gʚ;<4KdKd0F@gʚ;Hg4=d=dnLň^p@ pp` ___PPT10@ 8 (Hc(d0eHf @0NHL@P@S0I KHW@X Y@\0]g0h( 0 008P (180H`8a0b@88 82H3H6H>0___PPT90PcPd`ef@@`NLPS`I@KWX@Y\`]0g`hP ` ``p P1p0`pa`b0pp p236>`0h___PPT2001D<4X___PPTMac11ڬ@f   hnamd` Arial&Monotype Typography    hnamd` Arial&Monotype Typography    hnamd` Arial&Monotype Typography    hnamd` Arial&Monotype Typography    hnamd` Arial&Monotype Typography    hnamd` Arial&Monotype Typography H   hnamd` Arial&Monotype Typography( 4   hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography  D x   x   x   x  x cD   hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography  d8   hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography  e   hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography  f0   hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography  @X   hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography  N   hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography  L   hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography  P   hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography  SX   hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography  I    hnamd` Arial&Monotype Typography  KD   hnamd` Arial&Monotype Typography    hnamd` Arial&Monotype Typography W`   hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography  X0   hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography  Y`   hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography  \8   hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography ]   hnamd` Arial&Monotype Typography  gX   hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography    hnamd` Arial&Monotype Typography    hnamd` Arial&Monotype Typography hD   hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography   (   hnamd` Arial&Monotype Typography   H   hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography  X   hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography  L   hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography  x   hnamd` Arial&Monotype Typography    hnamd` Arial&Monotype Typography    hnamd` Arial&Monotype Typography    hnamd` Arial&Monotype Typography    hnamd` Arial&Monotype Typography D   hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography  1l   hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography  0T   hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography    hnamd` Arial&Monotype Typography `\   hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography  aX   hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography  b   hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography  ,   hnamd` Arial&Monotype Typography  |   hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography   l   hnamd` Arial&Monotype Typography    hnamd` Arial&Monotype Typography    hnamd` Arial&Monotype Typography    hnamd` Arial&Monotype Typography    hnamd` Arial&Monotype Typography 2   hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography  3   hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography  6   hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography  >X   hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography     hnamd` Arial&Monotype Typography  ? %O =R8More on Metasploit plugins from vulnerability to exploit49 93Saumil Shah ceo, net-square EUSecWest - London 2007B4    4< # who am i r Saumil Shah - "krafty" ceo, net-square solutions saumil@saumil.net author: "Web Hacking - Attacks and Defense"nY + A1HFrom Vulnerability to Exploit  The CPU's registers The Intel 32-bit x86 registers: The Process Memory Map  ?Win32 Process Memory Map  cGetting control of EIP CStack overflows Heap overflows Format string bugs Integer overflows:D  DdGetting control of EIP Overwrite saved return address saved EIPs in stack frames Overwrite exception handlers SEH overwrites Arbitrary memory overwrites Controlling "what" and "where"v  eBrowser overflows Client-side exploits are becoming the rage. ActiveX components. Media handlers / libraries. Toolbars / Plugins. Platform specific characteristics. Overflows delivered as HTTP responses. "Surf-n-crash".b, #&  fBrowser overflows "Javascript / Vbscript helps in targeting vulnerable components& & and building up the exploit on-the-fly. Javascript is always enabled these days.0@)(  @!Exploit example - IE VML overflow "$Buffer overflow in IE's VML implementation MS06-055 <v:fillmethod="AAAAAAAA& "> Exploiting IE 6 on XP SP2 Triggering the exploit by overwriting SEHD+  * N Windows SEH aSEH - Structured Exception Handler Windows pops up a dialog box: Default handler kicking in.bb#   bLException handling kTry / catch block Pointer to the exception handling code also saved on the stack, for each code block.Xl T lMFException handling & implementation $ P SEH Record Each SEH record is of 8 bytes These SEH records are found on the stack. In sequence with the functions being called, interspersed among function (block) frames. WinDBG command - !exchainX* X Q SEH Chain Each SEH record is of 8 bytes RSEH on the stack SYet another way of getting EIP Overwrite one of the addresses of the registered exception handlers& & and, make the process throw an exception! If no custom exception handlers are registered, overwrite the default SEH. Might have to travel way down the stack& & but in doing so, you get a long buffer!D E+K) ( TOverwriting SEH UOverwriting SEH HStage 1 proof of concept: ISetting up the exploit bServe up the exploit page over HTTP Point IE and surf to the page with a debugger attached to it:D$  cJ Crashing IE  Surf-n-crash KEIP = 0x41414141 4We control EIP. Where do you want to go& ? Direct return to stack? XP SP2 doesn't allow it. Jump through registers? EDX ESP and EBP are the only possible options& but they don't point to our buffer. Other registers are cleared, thanks to XP SP2. XP SP2 also forbids jumping into DLLs. R/&  WHow do we pull it off? In other circumstances, we'd have to go through long tedious routes& & or publish a DoS exploit and call it a day. L4m3 We are exploiting a browser. Browsers run Javascript. Javascript has arrays. Javascript arrays occupy heap memory.lrsE- % XLoading our buffer in the heap Can we load our shellcode in the heap via Javascript? How do we know where our buffer lies? Direct jump into heap? yes! that is possible.:s6&  Y Heap Spraying :Technique pioneered by Skylined. Make a VERY large NOP sled. Append shellcode at its end. Create multiple instances of this NOP sled in the heap memory. using Javascript arrays& a[0] = str; a[1] = str& The heap gets "sprayed" with our payloads. Land somewhere in the NOPs, and you win.l1T!? 1+( [ Heap Spraying  \Tips on Heap Spraying .Make really large NOP sleds approx 800,000 bytes per spray block Adjust the size of the NOP sled to leave very little holes inbetween spray blocks. Javascript Unicode encoding works great for shellcode. shellcode = unescape("%uXXXX%uXXXX& "); Null bytes are not a problem anymore.b%M%S7 '& ]Stage 2 ^Placeholder INT3 shellcode. Look for "90 90 90 90 cc cc cc cc" in the memory after IE crashes.&_B _g Jump to heap 0We can point EIP to any of the sprayed blocks. Arbitrarily choose addresses: 0x03030303 0x04040404 0x05050505& etc. Verify if they land in the NOP zones.XM&&/  & hStage 3 Overwrite SEH record with 0x05050505. INT 3 shellcode. Causes EIP to land into one of the NOP zones& & and eventually reach our dummy shellcode.:&.*  iStage 3 Overwriting SEH jStage 3 BLanding in the NOP zone& and INT 3 " Introducing Metasploit An advanced open-source exploit research and development framework. http://metasploit.com Current stable version: 2.7 Written in Perl, runs on Unix and Win32 (cygwin) Brand new 3.0 Complete rewrite in Rubybv1D1   Introducing Metasploit Generate shellcode. Shellcode encoding. Shellcode handlers. Scanning binaries for specific instructions: e.g. POP/POP/RET, JMP ESI, etc. Ability to add custom exploits, shellcode, encoders. & and lots more.Xi E- E Enter Shellcode Code assembled in the CPU's native instruction set. Injected as a part of the buffer that is overflowed. Most typical function of the injected code is to "spawn a shell" - ergo "shellcode". A buffer containing shellcode is termed as "payload".D45U4  Writing Shellcode Need to know the CPU's native instruction set: e.g. x86 (ia32), x86-64 (ia64), ppc, sparc, etc. Tight assembly language. OS specific system calls. Shellcode libraries and generators. Metasploit Framework.b/1m/1 $ 1A little about shellcode 6Types of shellcode: Bind shell Exec command Reverse shell Staged shell, etc. Advanced techniques: Meterpreter Uploading and running DLLs "in-process" & etc.9:    ( $$ ,Payload Encoders $Payload encoders create encoded shellcode, which meets certain criteria. e.g. Alpha2 generates resultant shellcode which is only alphanumeric. Allows us to bypass any protocol parsing mechanisms / byte filters. An extra "decoder" is added to the beginning of the shellcode. size may increase.DIFD?  %~1Payload Encoders }Example: Alpha2 encoding Transforms raw payload into alphanumeric only shellcode. Decoder decodes the payload "in-memory".dc 9( ~0Payload Encoders Metasploit offers many types of encoders. Work around protocol parsing e.g. avoid CR, LF, NULL toupper(), tolower(), etc. Defeat IDS Polymorphic Shellcode Shikata Ga NaiG3 %*    `&Using Metasploit to generate shellcode 'We need Javascript Unicode encoded shellcode. No encoding needed We will run "calc.exe" msfpayload - cmdline shellcode generation. msfencode - cmdline shellcode encoder. jsencode.pl - wrapper around Metasploit's Pex::Utils::JSUnescape() function.b..+ 'L aGenerate calc.exe shellcode jGenerate JSencoded shellcode: Final version contains working shellcode. A slight problem too many CALCs!N[*  kb"Exit function - "thread" vs. "seh" #jExiting via SEH causes the whole thing to repeat itself. Re-generate the shellcode using EXITFUNC="thread"&k91 k2"Writing Metasploit exploit modules #Integration within the Metasploit framework. Multiple target support. Dynamic payload selection. Dynamic payload encoding. Built-in payload handlers. Can use advanced payloads. & a highly portable, flexible and rugged exploit!X- 0 4How Metasploit runs an exploit  5Writing a Metasploit exploit Perl module (2.7), Ruby module (3.0) Pre-existing data structures %info, %advanced Constructor sub new {& } Exploit code sub Exploit {& }B  %   6$Structure of the exploit perl module % 7%info *Name Version Authors Arch OS Priv UserOptsN+   + /Payload Encoder Refs DefaultTarget Targets KeysN0  02Metasploit Pex Perl EXtensions. /lib/Pex.pm /lib/Pex/ Text processing routines. Socket management routines. Protocol specific routines. These and more are available for us to use in our exploit code.x: ?  3 Pex Utilities Pex::Text Encoding and Decoding, Pattern Generation, Random text generation, Padding, etc& Pex::Socket TCP, UDP, SSL TCP, Raw UDP Protocol specific utilities SMB, DCE RPC, Sun RPC, MSSQL, etc&  Q #  & #  6Pex - miscellaneous utilities TPex::Utils Array and hash manipulation Bit rotates Read and write files Format String generator Create Win32 PE files Create Javascript arrays & a whole lot of miscellany!b     9Finished examples  my_ie_vml.pm =New in Version 3.0 msfd Metasploit daemon, allows for client-server operation of Metasploit. msfopcode command line interface to Metasploit's online opcode database. msfwx a GUI interface using wxruby.vE ?E ?  >New in Version 3.0 New payloads, new encoders. Ruby extension - Rex (similar to Pex) NASM shell. Back end Database support. & whole lot of goodies here and there.D&  % : Thank You!  CSaumil Shah saumil@saumil.net http://net-square.com +91 98254 31192,D  &*/,;)?*R.U1V2^:`<a=b>c?d@eAgCPQYZ]_`abcdPpsx,, e|HH(d9h 0     d 00& 0(   x  c $Aq p   ^B  6D P^B  6DP|  s *pLq  `0___PPT106___PPT9B___PPTMac11   hnamd` Arial&Monotype Typography  RNOP sled   }  s *`Oq ` P0___PPT106___PPT9B___PPTMac11   hnamd` Arial&Monotype Typography  S shellcode   |  s *0Yq   0___PPT106___PPT9B___PPTMac11   hnamd` Arial&Monotype Typography  RNOP sled   }  s *Uq  p 0___PPT106___PPT9B___PPTMac11   hnamd` Arial&Monotype Typography  S shellcode   |  s *bq  0___PPT106___PPT9B___PPTMac11   hnamd` Arial&Monotype Typography  RNOP sled   }  s *jq  0___PPT106___PPT9B___PPTMac11   hnamd` Arial&Monotype Typography  S shellcode     0@q  ___PPT10     ___PPT9xp     :___PPTMac11  (namd Monaco  (namd Monaco  (namd Monaco  x  (namd Monaco  x  (namd Monaco  (namd Monaco  (namd Monaco  (namd Monaco  (namd Monaco  (namd Monaco  (namd Monaco  (namd Monaco  (namd Monaco  (namd Monaco  (namd Monaco  (namd Monaco  (namd Monaco  (namd Monaco  (namd Monaco  e : exploit trigger condition goes here : v CCC C CCCC C $C$(C(,C,0C0 4C48C8