athcon.org, Athens, 3-4 May 2012
Day 1, Track 1, 17:30-17:50
"Exploitation Toolkit Codename: Icarus", First Part
Glafkos Charalambous & George Nicolaou

Finding the vulnerability
  Protocol analyzer (fuzzing or reverse engineering)
    SPIKE, Peach
    General Purpose Fuzzer (GPF), Sulley
    Fuzzing is more effective when used in combination with binary analysis
  Binary analysis
    Inspector (HBGary)
    SecurityReview (Veracode)
    BugScan (IDA plugin by Halvar Flake)
  Vulnerability testing
    RATS
    CodeSecure (??)
  Reports
    Crash reports

Exploit development
  Vulnerability classification
  Exploitability analysis
  Design the exploit skeleton
    Calculate the location in the buffer
    Calculate where to close or open injection parameters
  Skeleton implementation

Analysis
  Constraints and barriers imposed on the exploit payload, for example:
    ASLR
    Space limitations
    Restricted characters
    Character escape functions

Exploit generation
  Generate the initial trigger payload
  Build the ROP technique
  Encode the web payload to bypass the web filter
  Calculate offsets (for ASLR, for example)

Payload generation
  Bind shell, command execution, signed shellcode, egg shell
  Payload "ninjification": to evade the protection technique
    Signature-based
    Anomaly-based
    Integrity checks
    Code obfuscation
    Code metamorphism (optional technique)
    Tools: BH2009 ABCodeMutate
  Payload normalization
    Ninjification can alter the code so that it requires "normalization"

Metasploit vs. ICARUS
  Metasploit covers only a part of the proposed ICARUS methodology
  ICARUS covers all the steps ("checks all boxes") in the methodology
  Targets multiple platforms (Intel IA32, Intel 64, ARM), Windows/Linux/other OS
  Libraries
  Input language interfaces: Python, C#, etc.
  Reporting and generating outputs in various formats

Reasons not to develop on top of Metasploit (the missing parts)
  Metasploit is more a database of exploits; ICARUS wants to be more than this, and not a database of exploits
  Metasploit is slow, runs as Ruby/plugin

Implementation status
  Has classes/interfaces: encoders, ELF parser, gen hex pattern, parsers, instruction, instr finder, instr obfuscator, Windows ASLR, Windows DEP
  Code is about 5-6k lines as of now
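The "gen hex pattern" interface and the "calculate the location in the buffer" step above refer to the standard crash-triage technique of feeding a non-repeating pattern to the target and mapping a register value from the crash report back to its input offset. The following is an added illustration of that technique in Python (the notes list Python as an input language); it is not the Icarus code, and the crash report values are constructed for the example.

```python
import string
import struct
from typing import Dict, Optional, Union

# Upper/lower/digit triples: every 4-byte window is unique for the first 20280 bytes.
MAX_PATTERN = 26 * 26 * 10 * 3


def cyclic_pattern(length: int) -> bytes:
    """Return the first `length` bytes of the pattern 'Aa0Aa1Aa2...Zz9'."""
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += f"{upper}{lower}{digit}".encode()
                if len(out) >= length:
                    return bytes(out[:length])
    raise ValueError(f"length must be <= {MAX_PATTERN}")


def pattern_offset(value: Union[bytes, int, str],
                   length: int = MAX_PATTERN) -> Optional[int]:
    """Locate a crash register value inside the pattern.

    `value` may be the raw bytes as seen in memory, or a 32-bit register
    value as an int or hex string; register values are assumed to be
    little-endian (IA32), so they are unpacked before searching.
    """
    if isinstance(value, str):
        value = int(value, 16)            # accepts "41316141" or "0x41316141"
    if isinstance(value, int):
        value = struct.pack("<I", value)  # 4 bytes, little-endian
    idx = cyclic_pattern(length).find(value)
    return None if idx < 0 else idx


def triage_crash(registers: Dict[str, str]) -> Dict[str, Optional[int]]:
    """Map each register in a crash report to the input offset it was loaded from.

    Registers that did not come from the pattern (e.g. zeroed ones) map to None.
    """
    return {name: pattern_offset(val) for name, val in registers.items()}


# Constructed crash-report excerpt (hypothetical values, not from the talk).
CRASH_REPORT = {"eip": "0x41316141", "eax": "0x00000000"}

if __name__ == "__main__":
    print(triage_crash(CRASH_REPORT))  # {'eip': 3, 'eax': None}
```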