Upload
dan-h
View
642
Download
0
Tags:
Embed Size (px)
DESCRIPTION
Seminar security analyst, vulnerability analysis. UIN 21 Jun 2014
Citation preview
Hacking | Information Security Analysis
HackingSecurity Analysis
-- Build security with creativityDanang Heriyadi ([email protected])
Hacking | Information Security Analysis
Hello World
Hacking | Information Security Analysis
Today
Hacking Incidents
Assets
Vulnerability Analysis
Hacking | Information Security Analysis
Top 3 - Hacking in action
Cyber Spying
Fraud or Forgery
Illegal Access
Hacking | Information Security Analysis
Cyber Spying
Hacking | Information Security Analysis
Fraud or Forgery
Hacking | Information Security Analysis
Illegal Access
Hacking | Information Security Analysis
How they can do that?
• Sensitive information disclosure– Search Engine (google, bing, yahoo)– Magazine– etc
• Social engineering attacks– The knowledge and attitude members of an organization possess
regarding the protection of the information assets.
• Vulnerability on your system– Attacker exploit the vulnerability to gaining access.
Hacking | Information Security Analysis
Google Hacking
Hacking | Information Security Analysis
What are you trying to protect?
• Senstive personal data• Your network infrastructure• Your assets
Hacking | Information Security Analysis
Common Vulnerabilities
• Web– XSS– Database Injection– OS command Injection– Local File Disclosure– File Inclusion– Path Disclosure– CSRF– Dir. Traversal
• Low level Vulnerability– Stack Overflow– Heap Overflow– Integer Overflow– Memory Corruption– Etc
Hacking | Information Security Analysis
Buffer Overflow
• Low level vulnerability– Stack Overflow ( Very easy )– Integer Overflow ( easy )– Heap Overflow ( medium ) – Memory Corruption ( easy - medium )– .....
Hacking | Information Security Analysis
Impact of buffer overflow
• Application– Crash and terminated– Arbitary code execution
• Operating System– Crash, hang, or reboot– Arbitary code execution– Privilege escalation
Hacking | Information Security Analysis
Basic Knowledge
• CPU Register– EAX EDI– EBX ESI– ECX EBP– EDX ESP– EIP
Hacking | Information Security Analysis
Basic Knowledge
• Assembly Language– mov ret– push– pop– shr– jmp
Hacking | Information Security Analysis
WindowsMemory Allocation
0x00000000
0xFFFFFFFF
Stack
Heap
Program Image• PE Header• .text, .rdata, .data, ...
Can be allocated as heap or stack for other threads
DLLPEB
Shared User Page
No Access
0x00400000
0x7FFE10000x7FFE00000x7FFDF000
Hacking | Information Security Analysis
C++ from beginner
#include <stdio.h>
void vulnerable(char *Buffer){char stack_data[128];strcpy (stack_data, Buffer);printf( " Isi variabel stack_data : %s ", stack_data);
}int main(int argc, char **argv){
vulnerable(argv[1]);return 0;
}
Hacking | Information Security Analysis
Run it !!
Hacking | Information Security Analysis
Stack Allocation
#include <stdio.h>#include <string.h>
void vulnerable(char *Buffer){char stack_data[128];strcpy (stack_data, Buffer);printf( " Isi variabel stack_data : %s ", stack_data);
}int main(int argc, char **argv){
vulnerable(argv[1]);return 0;
}
CPU Register (Example)• EIP = 0x01234567 => address of main()
0x00000000
Top of Stack
Hacking | Information Security Analysis
Stack Allocation
#include <stdio.h>#include <string.h>
void vulnerable(char *Buffer){char stack_data[128];strcpy (stack_data, Buffer);printf( " Isi variabel stack_data : %s ", stack_data);
}int main(int argc, char **argv){
vulnerable(argv[1]);return 0;
}
0x00000000
Top of Stack
CPU Register (Example)• EIP = 0x01234571 => address of vulnerable()
Hacking | Information Security Analysis
Stack Allocation
#include <stdio.h>#include <string.h>
void vulnerable(char *Buffer){char stack_data[128];strcpy (stack_data, Buffer);printf( " Isi variabel stack_data : %s ", stack_data);
}int main(int argc, char **argv){
vulnerable(argv[1]);return 0;
}
0x00000000
Top of Stack
CPU Register (Example)• EIP = 0x01234585 => stack_data[128]
Hacking | Information Security Analysis
Stack Allocation
#include <stdio.h>#include <string.h>
void vulnerable(char *Buffer){char stack_data[128];strcpy (stack_data, Buffer);printf( " Isi variabel stack_data : %s ", stack_data);
}int main(int argc, char **argv){
vulnerable(argv[1]);return 0;
}
0x00000000
Top of Stack
CPU Register (Example)• EIP = 0x01234544 => address of strcpy()
<Space for stack_data>
ESP<ptr to argv[1]>
Saved EBP 0x00112233
Saved EIP 0x00112237
Hacking | Information Security Analysis
Stack Allocation
#include <stdio.h>#include <string.h>
void vulnerable(char *Buffer){char stack_data[128];strcpy (stack_data, Buffer);printf( " Isi variabel stack_data : %s ", stack_data);
}int main(int argc, char **argv){
vulnerable(argv[1]);return 0;
}
0x00000000
Top of Stack
ABCD
ESP<ptr to argv[1]>
Saved EBP 0x00112233
Saved EIP 0x00112237
CPU Register (Example)• EIP = 0x01234548 => address of printf()
Hacking | Information Security Analysis
Stack Allocation
#include <stdio.h>#include <string.h>
void vulnerable(char *Buffer){char stack_data[128];strcpy (stack_data, Buffer);printf( " Isi variabel stack_data : %s ", stack_data);
}int main(int argc, char **argv){
vulnerable(argv[1]);return 0;
}
0x00000000
Top of Stack
ESP<ptr to argv[1]>
Saved EBP 0x00112233
Saved EIP 0x00112237
CPU Register (Example)• EIP = 0x01234552 => restore saved EIP -> EIP
Hacking | Information Security Analysis
Stack Allocation
#include <stdio.h>#include <string.h>
void vulnerable(char *Buffer){char stack_data[128];strcpy (stack_data, Buffer);printf( " Isi variabel stack_data : %s ", stack_data);
}int main(int argc, char **argv){
vulnerable(argv[1]);return 0;
}
0x00000000
Top of Stack
ESP<ptr to argv[1]>
CPU Register (Example)• EIP = 0x01234599 => exit(0)
Hacking | Information Security Analysis
Stack Allocation
#include <stdio.h>#include <string.h>
void vulnerable(char *Buffer){char stack_data[128];strcpy (stack_data, Buffer);printf( " Isi variabel stack_data : %s ", stack_data);
}int main(int argc, char **argv){
vulnerable(argv[1]);return 0;
}
0x00000000
Top of Stack
Hacking | Information Security Analysis
Stack Allocation(Stack Overflow)
Hacking | Information Security Analysis
Stack Allocation(Stack Overflow)
#include <stdio.h>#include <string.h>
void vulnerable(char *Buffer){char stack_data[128];strcpy (stack_data, Buffer);printf( " Isi variabel stack_data : %s ", stack_data);
}int main(int argc, char **argv){
vulnerable(argv[1]);return 0;
}
0x00000000
Top of Stack
CPU Register (Example)• EIP = 0x012345 => address of strcpy()
<Space for stack_data>
ESP<ptr to argv[1]>
Saved EBP 0x00112233
Saved EIP 0x00112237
Hacking | Information Security Analysis
Stack Allocation(Stack Overflow)
#include <stdio.h>#include <string.h>
void vulnerable(char *Buffer){char stack_data[128];strcpy (stack_data, Buffer);printf( " Isi variabel stack_data : %s ", stack_data);
}int main(int argc, char **argv){
vulnerable(argv[1]);return 0;
}
0x00000000
Top of Stack
414141414141414141414141414141414141414141414141414141414141414141414141
Saved EBP 0x41414141
Saved EIP 0x41414141
ESP414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141
0x001122330x00112237
CPU Register (Example)• EIP = 0x01234548 => address of printf()
Hacking | Information Security Analysis
Stack Allocation
#include <stdio.h>#include <string.h>
void vulnerable(char *Buffer){char stack_data[128];strcpy (stack_data, Buffer);printf( " Isi variabel stack_data : %s ", stack_data);
}int main(int argc, char **argv){
vulnerable(argv[1]);return 0;
}
0x00000000
Top of Stack
ESP414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141
0x001122330x00112237
Saved EBP 0x41414141
Saved EIP 0x41414141
CPU Register (Example)• EIP = 0x41414141 => restore saved EIP -> EIP
Hacking | Information Security Analysis
Stack Allocation
#include <stdio.h>#include <string.h>
void vulnerable(char *Buffer){char stack_data[128];strcpy (stack_data, Buffer);printf( " Isi variabel stack_data : %s ", stack_data);
}int main(int argc, char **argv){
vulnerable(argv[1]);return 0;
}
0x00000000
Top of Stack
ESP414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141
0x001122330x00112237
CPU Register (Example)• EIP = 0x41414141 Access Volation when executing 0x41414141
Hacking | Information Security Analysis
Stack Exploitation
Hacking | Information Security Analysis
Stack Exploitation(Stack Overflow)
0x00000000
Top of Stack
414141414141414141414141414141414141414141414141414141414141414141414141
Saved EBP 0x41414141
Saved EIP 0x41414141
ESP414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141
0x001122330x00112237
0x00000000
Top of Stack
414141414141414141414141414141414141414141414141414141414141414141414141
Saved EBP 0x41414141
Saved EIP 0x80221122
ESP31c031db31c931d2eb16bfea07457e50535150ffd75950684141414189e3ebeae8f0ffffff48
656c6c6f776f726c64
0x001122330x00112237
Shellcode
Address for JMP ESP
Hacking | Information Security Analysis
Shellcode
• Small piece of code used as the payload in the exploitation of a software vulnerability
• Why is our shellcode not working?– bad character– Big size
Hacking | Information Security Analysis
• Fuzzing Technique– Detecting Buffer Overflow– Find offset to overwrite EBP and EIP register
• Find -> JMP ESPwindbg command > lm muser32windbg command > s -b 7xxxxx 7xxxxx ff e4
• Generate shellcode– msfvenom– manual :-P
• Finishing Exploit
Stack Exploitation(Stack Overflow)
Hacking | Information Security Analysis
Mitigation and Technique
• Windows XP– Hardware DEP -> ROP shellcode
• Windows Vistra– ASLR -> Static address on shared data memory– DEP -> ROP shellcode
• Windows 7– ASLR + DEP -> ROP / JIT ROP / JIT ROP Spraying
Hacking | Information Security Analysis
Mitigation and Technique
• Windows 8– ASLR + DEP (new) -> ROP / JIT ROP