Sometime in 2012, when Cyber Fast Track was in full swing at DARPA, I had what I thought was a novel idea. People with “hacker mindsets” go through life finding “vulnerabilities”, “exploits”, “asymmetries”, or “idiosyncrasies” in the systems that we come across on a regular basis. This could be subway systems, iPhones, or cars.
I had an idea that I had been holding onto from the days of using Metasploit during the Perl era. Early on, Metasploit had a shellcode interface that was basic, and much more primitive than what is available today. Since I was doing lots of work with shellcode in those days (2004-2007), I had an intimate familiarity with what each shellcode did at the instruction level.
At that time, I had identified a weakness in the “stager” shellcode in Metasploit, whose only purpose was to receive (recv) a 2nd stage payload of roughly 2000-4000 bytes. The only problem was that, in certain circumstances, the call to recv() in the “stager” shellcode was not robust enough to handle error conditions or irregularities in network conditions.
For my purposes, I needed to rewrite the stager shellcode to handle the conditions of the environment my shellcode would operate in. This required rewriting the stager shellcode from scratch.
Admittedly, I did not have a relationship with H.D. Moore, or anybody working on the Metasploit toolkit. If I were working on this today, I probably would have fed that “fix” into the Metasploit toolkit. Mea Culpa.*
Anyways, for years I had thought about the “vulnerability” in Metasploit if used in different network conditions. What I had seen was, if there was any latency in the network, the 2nd stage of the shellcode would only be partially received, and the 2nd stage would fail upon execution.
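To make the failure mode concrete, here is an added illustration (not code from the post, and not Metasploit's stager) of the two reader patterns involved. A constructed `slow_link_t` stands in for a socket on a slow link: each read hands back at most `mtu` bytes, which is exactly what recv() is allowed to do on a stream socket. A single recv() therefore returns a partial second stage, while the loop that ordinary network software uses keeps reading until the full payload (or EOF) arrives.

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for a socket on a slow link: each read yields at most `mtu` bytes. */
typedef struct {
    const unsigned char *data;
    size_t len, pos, mtu;
} slow_link_t;

/* Mimics recv(): returns up to `want` bytes, never more than the link's mtu; 0 at EOF. */
static size_t slow_recv(slow_link_t *l, unsigned char *buf, size_t want) {
    size_t avail = l->len - l->pos;
    size_t n = want < l->mtu ? want : l->mtu;
    if (n > avail) n = avail;
    memcpy(buf, l->data + l->pos, n);
    l->pos += n;
    return n;
}

/* The brittle pattern the post describes: one recv() for the whole second stage. */
size_t recv_once(slow_link_t *l, unsigned char *buf, size_t want) {
    return slow_recv(l, buf, want);
}

/* The pattern normal software uses: loop until `want` bytes have arrived or the peer closes. */
size_t recv_all(slow_link_t *l, unsigned char *buf, size_t want) {
    size_t got = 0;
    while (got < want) {
        size_t n = slow_recv(l, buf + got, want - got);
        if (n == 0) break;          /* EOF before the payload was complete */
        got += n;
    }
    return got;
}

/* Deliver a constructed 3000-byte payload through a link with the given mtu using either
   reader; returns how many bytes the reader ended up with (0 if the data was corrupted). */
size_t stage_bytes_received(size_t mtu, int use_loop) {
    static unsigned char payload[3000];
    unsigned char buf[3000];
    for (size_t i = 0; i < sizeof payload; i++) payload[i] = (unsigned char)(i & 0xff);
    slow_link_t link = { payload, sizeof payload, 0, mtu };
    size_t got = use_loop ? recv_all(&link, buf, sizeof buf)
                          : recv_once(&link, buf, sizeof buf);
    if (memcmp(buf, payload, got) != 0) return 0;   /* integrity check on what arrived */
    return got;
}
```

With a 1460-byte segment size the single-call reader is left holding 1460 of 3000 bytes, which is the truncated second stage that then fails on execution; the looping reader gets all 3000.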
I thought that this was a tremendous weakness in Metasploit in general. This is what HAVOC (Halting Attacks Via Obstructing Configurations) was/is about. I surmised that attacker tools that are often reused by malware authors, hackers, and other “Advanced Persistent Actors” have inherent vulnerabilities that can be “exploited” by defenders.
I proposed HAVOC as an exploratory research program to see if this were in fact true. The more basic premise was: could we identify conditions that NORMAL software is tolerant of, but that cause malware to fail (and fail miserably)?
Over a few more blog entries, I am going to provide some of our interesting results.
*P.S. Interestingly enough, a quick code audit before we started HAVOC showed that the latest version of Metasploit shellcodes had patched the aforementioned vulnerability. More interestingly though, we found better/worse (perspective?) weaknesses in “malware”.