Core Impact Underlying Technology
Agent Technology
Agents are a critical component of Core Impact's architecture because they provide the functionality to execute code in the form of modules, either locally or on other agents. The following sections describe the key underlying technology employed by Core Impact agents.
The ProxyCall Interface
Every module execution in Core Impact is associated with a source agent, the default agent that the module uses to interact with the operating system (OS). The interaction between the agent and the OS is achieved using the ProxyCall Interface, a common interface for all platforms. The ProxyCall Interface abstracts the operating system's user-mode services using syscalls for UNIX and Win32 API functions for Windows. This common interface makes Core Impact's modules available in all platforms where a ProxyCall implementation exists. A ProxyCall implementation provides the module with one function call for each available syscall in the underlying OS and a mechanism to call arbitrary syscalls if needed.
For example, the gethostname()
syscall is part of this common interface. In a UNIX ProxyCall implementation the gethostname()
call is translated in its corresponding syscall into the OS's kernel. In a Windows implementation it is translated into a call to the gethostname()
function within the wsock32.dll dynamic library.
There are two main branches in the ProxyCall hierarchy:
UnixProxyCall
andProxyCallv2
for Unix, provide services for marshalling calls to any system call supported by the underlying UNIX-like OS. These calls are sent directly into the system kernel.WindowsProxyCall
andProxyCallv2
for Windows, provide services for marshalling calls to any DLL entry-point function by first dynamically loading the library into the process space of the agent using theLoadLibrary
call, then obtaining the offset of the desired function in the loaded library using theGetProcAddress
call, and lastly jumping into it.
Python
Core Impact 's Console uses a Python Virtual Machine (see http://www.python.org/) to run modules. The only significant difference between the typical Python VM distribution and the one distributed with Core Impact is that Core Impact 's VM uses the ProxyCall
Interface to implement all of Python's system services.
This means that:
- Python's file object uses the
ProxyCall
Interface for all its functions. - Python's socket object uses the
ProxyCall
Interface for all its services. - Basic OS services implemented in the sys and os modules use the
ProxyCall
Interface.
A Python script that is typically used to open a socket will open a ProxyCall
socket when run inside Core Impact. (This is why Core Impact modules do not look significantly different from typical Python code.)
SysCall Proxying
If a ProxyCall
implementation forwards the call to a remote server instead of directly calling the underlying OS syscall, remote execution will be simulated. Whenever a module is run by a remote source agent, all the module's calls into the ProxyCall
interface are forwarded to a remote ProxyCall
server. This is known as SysCall Proxying.
The following example describes how SysCall Proxying works:
- A module is executed using a remote agent deployed in host victim.
- The module calls the
gethostname()
from the agent'sProxyCall
interface. - The function marshals its arguments into a structure that is specific to the remote system's OS and generates a remote call into the
ProxyCall
server running in the victim host. - The server in victim calls the real
gethostname()
function in victim's operating system, marshals the result, and sends it back to the client. - The client
ProxyCall
implementation returns the results to the module. - The module prints the
gethostname()
results to the console as if it was running in victim.
Inside Core Impact's architecture ProxyCall
servers are implemented as target-dependent assembly code. Optimized for size, these tiny SysCall servers are the basic component of agents.
Using a SysCall server as payload for an exploit also makes the task of customizing a shellcode unnecessary. Once the remote agent is up and running, further syscalls can be executed in the remote system.
The following example describes how this works:
- An attack module that exploits a vulnerability in a ftp daemon succeeds and installs an agent.
- You connect to the newly deployed agent and realize that you are inside a chroot jail.
- You select the new agent as source and run a setuid module and a chroot breaker module.
- The agent is freed from the chroot jail.
The successful completion of the process described above would typically require the exploit developer to change the exploit's shellcode to accommodate the change made in step 3. It would also depend on the user successfully exploiting the vulnerability again, which might not be possible.
For a comprehensive explanation of Syscall Proxying, refer to "Syscall Proxying - Simulating Remote Execution" by Maximiliano Caceres.
About Agents
Core Impact agents can multi-task (run multiple modules) and have a Secure Communication Channel. Once deployed, they can provide all system calls and arbitrary code execution on platforms with built-in stack protection. Local agents use Python Virtual Machine and local Syscall implementation embedded in the console connected to the database.
The following table lists the platforms that agents support.
Agent-supported Platforms
Platform | ||||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
The following table compares the functionality and attributes of the different deployment types of Core Impact agents. Because the communication channels available to agents are dependent on privilege level, the table includes both agents and agents running "as root". Note that some agent functionality listed below (such as sniffing and IP spoofing) is dependent on the presence of optional product plug-ins.
Agent Functionality and Attribute Comparison
Category | Multi-task? | Crypto? | Send ICMP? | Sniff? | Spoof IP? | Persistent | Real Shell |
---|---|---|---|---|---|---|---|
Agent | yes | yes | no | no | no | no | yes |
Agent as root / Administrator | yes | yes | yes | no | no | yes | yes |
Agent + PCAP as root / Administrator | yes | yes | yes | yes | yes | yes | yes |
Local Agent | yes | N/A | yes | yes | yes | N/A (yes) | no |