While playing around with all those Meterpreter binary payloads on Linux, either in a virtual environment or on a live system, an important question comes to mind: how do I prevent them from executing on my machine? I do not wish to get too technical here, and I am sure this is nothing new, but the best thing I could get my hands on is the grsecurity (GRSEC) patches, period.
I had never used it before on my desktop (Debian, 64-bit), so I decided to give it a try after seeing an interesting Finnish LiveCD, Digabi (http://sourceforge.net/projects/digabi/), a live Linux distro for The Matriculation Examination Board of Finland.
Installation is pretty straightforward for anyone who has compiled a custom kernel before. Download the grsecurity patches from their site at http://grsecurity.net/download.php (available for both the 2.6.x and 3.2.x stable branches of the Linux kernel) and patch the kernel:
# cd linux-3.2.x
# patch -p1 < ../grsecurity-2.9.1-3.2xxxxxx.patch
Since my Debian system was running the backport kernel vmlinuz-3.2.0-0.bpo.2-amd64, I decided to reuse its config-3.2.0-bpo.2-amd64 via make oldconfig when compiling the grsec-patched kernel. During make oldconfig I was asked about additional options that were missing from the backport kernel 3.2.0-0.bpo.2-amd64 but present in the 3.2.51 vanilla kernel + grsec patches.
One should read the documentation about the Grsecurity/PAX configuration options here
On Debian I compiled the kernel with:
# fakeroot make deb-pkg
Once compiled, install the .deb package (it can be quite big, as the debugging symbols have not been stripped out) and boot into the new kernel.
What I tested first was the following:
Metasploit-generated executable payloads:
- ShellcodeExecute with an alpha-encoded payload inside the executable, gcc compiled
- msfencode -t elf -e x86/shikata_ga_nai >> executable (reverse_tcp)
- unsigned char shellcode[]= in a C source file, gcc compiled
Metasploit win32 executable payloads for Windows, executed via wine:
- ShellcodeExecute with an alpha-encoded payload inside the executable, Visual Studio compiled
- msfencode -t exe (various types)
- unsigned char shellcode[]= in a C source file, Visual Studio compiled
None of the payloads work with the default GRSEC/PaX settings in the patched kernel. Here is some console output for reference:
user@Obelix:~/stuff/metasploit/ShellCode$ ./Executive
dmesg
[ 9311.625455] PAX: execution attempt in: /dev/zero (deleted), e8fc0000-e8fc1000 00000000
[ 9311.625462] PAX: terminating task: /home/user/stuff/metasploit/ShellCode/Executive(Executive):8527, uid/euid: 1000/1000, PC: 00000000e8fc0000, SP: 00000000f7234d5c
[ 9311.625466] PAX: bytes at PC: 89 e7 db d1 d9 77 f4 5a 4a 4a 4a 4a 4a 4a 4a 4a 4a 4a 4a 43
[ 9311.625478] PAX: bytes at SP-8: 00000579 f7234d88 08048523 e8fc0000 08049750 00000579 00001000 e8f9aff4 0804971c f7234d88 e8f9aff4 00000000 00000000 f7234da8 0804855f 08049750 e8f9aff4 08048580 f7234db8 e8e878a5 f7234dc0 f7234e38
user@Obelix:~/Malware$ wine test.exe
err:virtual:map_image failed to set 60000020 protection on section .text, noexec filesystem?
Killed
dmesg
[ 9354.532356] PAX: execution attempt in: <anonymous mapping>, 00401000-0041a000 00401000
[ 9354.532360] PAX: terminating task: /usr/local/bin/wine-preloader(test.exe):8553, uid/euid: 1000/1000, PC: 0000000000414000, SP: 000000000032fe74
[ 9354.532362] PAX: bytes at PC: e8 08 00 00 00 6a 00 ff 15 50 90 41 00 55 89 e5 81 ec 34 01
[ 9354.532369] PAX: bytes at SP-8: 00000000 00000000 e326d08c 7ffdf000 00000000 e32ab5f0 7ffdf000 0032fec8 e327062b 7ffdf000 00414000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 e340d86c f1f66d74
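The kernel messages above are exactly what a defender wants to alert on: PaX names the mapping the code was executed from and the task it killed. As an added example that is not part of the original post, the Python below turns the "execution attempt" / "terminating task" pairs from dmesg into structured events and marks the ones where the code ran from memory no file on disk backs, which covers both cases seen above (the deleted /dev/zero mapping and the anonymous mapping). The sample lines are the ones quoted in this post; the field names and the INJECTED / file-backed labels are my own.

```python
import re

# Constructed sample input: the two PaX kill events quoted in this post, as dmesg lines.
SAMPLE_DMESG = """\
[ 9311.625455] PAX: execution attempt in: /dev/zero (deleted), e8fc0000-e8fc1000 00000000
[ 9311.625462] PAX: terminating task: /home/user/stuff/metasploit/ShellCode/Executive(Executive):8527, uid/euid: 1000/1000, PC: 00000000e8fc0000, SP: 00000000f7234d5c
[ 9311.625466] PAX: bytes at PC: 89 e7 db d1 d9 77 f4 5a 4a 4a 4a 4a 4a 4a 4a 4a 4a 4a 4a 43
[ 9354.532356] PAX: execution attempt in: <anonymous mapping>, 00401000-0041a000 00401000
[ 9354.532360] PAX: terminating task: /usr/local/bin/wine-preloader(test.exe):8553, uid/euid: 1000/1000, PC: 0000000000414000, SP: 000000000032fe74
[ 9354.532362] PAX: bytes at PC: e8 08 00 00 00 6a 00 ff 15 50 90 41 00 55 89 e5 81 ec 34 01
"""

# "PAX: execution attempt in: <mapping>, <start>-<end> <file offset>"
ATTEMPT_RE = re.compile(
    r"^\[\s*(?P<ts>[\d.]+)\] PAX: execution attempt in: (?P<mapping>.+?), "
    r"(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+) (?P<offset>[0-9a-f]+)$"
)
# "PAX: terminating task: <exe path>(<comm>):<pid>, uid/euid: <uid>/<euid>, PC: <pc>, SP: <sp>"
KILL_RE = re.compile(
    r"^\[\s*(?P<ts>[\d.]+)\] PAX: terminating task: (?P<path>.+?)\((?P<comm>[^)]*)\):(?P<pid>\d+), "
    r"uid/euid: (?P<uid>\d+)/(?P<euid>\d+), PC: (?P<pc>[0-9a-f]+), SP: (?P<sp>[0-9a-f]+)$"
)


def parse_pax_events(text):
    """Pair each 'execution attempt' line with the 'terminating task' line that follows it.

    Returns one dict per killed task. The 'bytes at PC' / 'bytes at SP-8' lines are
    skipped: they help manual triage but carry no field worth alerting on.
    """
    events = []
    pending = None  # the attempt line waiting for its terminating-task line
    for line in text.splitlines():
        m = ATTEMPT_RE.match(line)
        if m:
            pending = m.groupdict()
            continue
        m = KILL_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        for key in ("pid", "uid", "euid"):
            ev[key] = int(ev[key])
        for key in ("pc", "sp"):
            ev[key] = int(ev[key], 16)
        if pending is not None:
            ev["mapping"] = pending["mapping"]
            ev["range"] = (int(pending["start"], 16), int(pending["end"], 16))
            # Sanity check: the faulting PC should lie inside the mapping PaX reported.
            ev["pc_in_mapping"] = ev["range"][0] <= ev["pc"] < ev["range"][1]
            pending = None
        events.append(ev)
    return events


def is_injected_code(ev):
    """True when the code ran from memory that no file on disk backs: an anonymous
    mapping or a mapping whose backing file is gone, the usual shellcode pattern."""
    mapping = ev.get("mapping", "")
    return mapping.startswith("<anonymous") or mapping.endswith("(deleted)")


def summarize(text):
    """One line per kill, in the shape a SIEM rule or a daily report would emit."""
    return [
        f"{'INJECTED' if is_injected_code(ev) else 'file-backed'} uid={ev['uid']} "
        f"pid={ev['pid']} exe={ev['path']} comm={ev['comm']} from={ev.get('mapping', '?')}"
        for ev in parse_pax_events(text)
    ]


if __name__ == "__main__":
    for line in summarize(SAMPLE_DMESG):
        print(line)
```

Feeding it the real thing is a matter of replacing SAMPLE_DMESG with the output of dmesg (or the kernel log your syslog daemon writes); the uid field is what separates a user's own experiment from a daemon being exploited.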
Some additional things I wanted to mention: VirtualBox will not work with the grsec-patched kernel. No problem there, I wanted to get rid of it anyway, so I migrated all my vbox images to KVM's qcow2 format; KVM works perfectly under the grsec kernel.
It is also important to stress that some desktop applications need exceptions from PaX in order to work correctly. To make these exceptions you need to install the paxctl tool, which modifies the PaX flags of individual binaries so that they run under the grsec kernel.
Firefox
root@Obelix:/home/user/firefox# paxctl -v firefox
PaX control v0.5
Copyright 2004,2005,2006,2007 PaX Team <pageexec@freemail.hu>
- PaX flags: -----m-x-e-- [firefox]
MPROTECT is disabled
RANDEXEC is disabled
EMUTRAMP is disabled
root@Obelix:/home/user/firefox# paxctl -v firefox-bin
PaX control v0.5
Copyright 2004,2005,2006,2007 PaX Team <pageexec@freemail.hu>
- PaX flags: -----m-x-e-- [firefox-bin]
MPROTECT is disabled
RANDEXEC is disabled
EMUTRAMP is disabled
To modify the PaX flags of the above binaries, run the following:
# paxctl -C binary
# paxctl -m binary
For Flash to work (and possibly other plugins) you need to do the same to the plugin-container executable as well as libflashplayer.so.
Some programs that need the above paxctl modifications are: OpenOffice, Skype, Remmina, Opera...
Grsec is a great way to harden your Linux box, especially when doing any kind of security research.
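The flag string paxctl prints is a rendering of the p_flags word in the binary's PT_PAX_FLAGS program header, which is the header paxctl -C creates and paxctl -m (and friends) edit. As an added example that is neither the post's code nor paxctl's, the Python below reads that header from an ELF32 or ELF64 file and renders it in the same 12-column layout paxctl -v uses, so you can audit which binaries on a box have had MPROTECT, RANDEXEC or EMUTRAMP switched off without trusting each binary's own paxctl run. The PT_PAX_FLAGS type value and the PF_* bit positions are those of the PaX ELF header definitions; build_minimal_elf is a constructed test fixture, not a real binary, and the column order follows the paxctl output shown above.

```python
import struct
import sys

PT_PAX_FLAGS = 0x65041580   # PT_LOOS + 0x5041580: the program header 'paxctl -C' creates

# (enable bit, enable letter, disable letter, feature). Bit n means "force on",
# bit n+1 means "force off"; neither set means "use the kernel's default".
# The tuple order is the column order of the 'paxctl -v' flag string.
PAX_FLAGS = [
    (4, "P", "p", "PAGEEXEC"),
    (6, "S", "s", "SEGMEXEC"),
    (8, "M", "m", "MPROTECT"),
    (10, "X", "x", "RANDEXEC"),
    (12, "E", "e", "EMUTRAMP"),
    (14, "R", "r", "RANDMMAP"),
]


def read_pax_flags(data):
    """Return the p_flags word of the PT_PAX_FLAGS program header, or None if the
    binary has no such header (the state before 'paxctl -C' has been run)."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = data[4] == 2                   # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if data[5] == 1 else ">"    # EI_DATA: 1 = little-endian, 2 = big-endian
    if is64:
        (e_phoff,) = struct.unpack_from(end + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
        flags_off = 4    # Elf64_Phdr: p_type, p_flags, p_offset, ...
    else:
        (e_phoff,) = struct.unpack_from(end + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)
        flags_off = 24   # Elf32_Phdr: p_type, p_offset, ..., p_memsz, p_flags, p_align
    for i in range(e_phnum):
        base = e_phoff + i * e_phentsize
        (p_type,) = struct.unpack_from(end + "I", data, base)
        if p_type == PT_PAX_FLAGS:
            (p_flags,) = struct.unpack_from(end + "I", data, base + flags_off)
            return p_flags
    return None


def format_pax_flags(p_flags):
    """Render p_flags in the 12-column layout of 'paxctl -v', e.g. '-----m-x-e--'."""
    cols = []
    for bit, on, off, _ in PAX_FLAGS:
        cols.append(on if p_flags & (1 << bit) else "-")
        cols.append(off if p_flags & (1 << (bit + 1)) else "-")
    return "".join(cols)


def describe_pax_flags(p_flags):
    """The per-feature lines paxctl prints under the flag string."""
    lines = []
    for bit, _, _, name in PAX_FLAGS:
        if p_flags & (1 << bit):
            lines.append(f"{name} is enabled")
        elif p_flags & (1 << (bit + 1)):
            lines.append(f"{name} is disabled")
    return lines


def build_minimal_elf(p_flags, bits=64, with_pax_header=True):
    """Constructed test fixture: an ELF header plus (optionally) one PT_PAX_FLAGS
    program header and nothing else. Not loadable; it only exercises the parser."""
    phnum = 1 if with_pax_header else 0
    if bits == 64:
        ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # ELF64, LSB, version 1
        ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 64, 0, 0, 64, 56, phnum, 64, 0, 0)
        phdr = struct.pack("<IIQQQQQQ", PT_PAX_FLAGS, p_flags, 0, 0, 0, 0, 0, 0)
    else:
        ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + bytes(8)   # ELF32, LSB, version 1
        ehdr = ident + struct.pack("<HHIIIIIHHHHHH", 2, 3, 1, 0, 52, 0, 0, 52, 32, phnum, 40, 0, 0)
        phdr = struct.pack("<IIIIIIII", PT_PAX_FLAGS, 0, 0, 0, 0, 0, p_flags, 0)
    return ehdr + (phdr if with_pax_header else b"")


if __name__ == "__main__":
    # Usage: python pax_flags.py /path/to/binary   (mirrors 'paxctl -v binary')
    with open(sys.argv[1], "rb") as f:
        flags = read_pax_flags(f.read())
    if flags is None:
        print("no PT_PAX_FLAGS header (run 'paxctl -C' to add one)")
    else:
        print(f"- PaX flags: {format_pax_flags(flags)} [{sys.argv[1]}]")
        for line in describe_pax_flags(flags):
            print(line)
```

Run over /usr/bin and /usr/lib this gives a quick inventory of every binary that has been exempted from MPROTECT, which is the list worth reviewing after a paxctl session like the Firefox one above: each lowercase m is a process that may again map writable-and-executable memory.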