team
Editor in Chief: Grzegorz Tabaka
grzegorz.tabaka@hakin9.org
Managing Editor: Natalia Boniewicz
natalia.boniewicz@hakin9.org
Editorial Advisory Board: Daniel Dieterle, Rebecca Wynn,
Michael Munt, Aby Rao
Proofreaders: Daniel Dieterle, Nick Baronian, Jeffrey Smith,
Robert Wood, Michael Munt, Elliott Bujan, Bob Folden,
Steve Hodge, Jonathan Edwards, Steven Atcheson,
Mixchal Jahim
It's been almost one year since the first issue of Exploiting
Software Hakin9 was published. Exploiting Software Bible is the
effect of over ten months' work and it consists of the best articles
of all Exploiting Software Hakin9 issues. It covers a wide range of
topics concerning stack overflow, shellcode, reverse
engineering, exploiting client software and defense patterns. I would
like to express my thanks to all without whose great assistance this
issue could not emerge. Special thanks to the authors, editorial
advisory board, proofreaders, beta testers and graphics. It's your
work and fantastic enthusiasm that made it all possible.
Enjoy the reading,
Natalia Boniewicz & Hakin9 Team
DISCLAIMER!
Whilst every effort has been made to ensure the high quality of
the magazine, the editors make no warranty, express or implied,
concerning the results of content usage.
All trade marks presented in the magazine were used only for
informative purposes. All rights to trade marks presented in the
magazine are reserved by the companies which own them.
To create graphs and diagrams we used ... program by ...
Mathematical formulas created by Design Science MathType
01/2012
CONTENTS
SHELLCODE
www.hakin9.org/en
course comes with a price. Many penetration testers
have become tool jockeys with little understanding of
just how software functions. This script kiddie approach
to code testing does have its place. It has allowed us to
drastically increase the number of people working on
testing systems for vulnerabilities and in assessing the
risks these pose. At the same time, if these individuals
do not progress further, simply relying on the ability to
leverage the efforts of others, we will hit bottlenecks in
the creation of new tests and processes. This article is
going to follow from previous articles as well as going
into some of the fundamentals that you will need in order
to understand the shellcode creation process, how to use
Python as a launch platform for your shellcode and what
the various system components are.
54 Understanding conditionals in shellcode, by Craig Wright
BUFFER OVERFLOW
68 Smashing the Stack
05/2012
for exploiting an OS that includes this vulnerable
software. You will learn how to write your own exploit
in the Python programming language, how to bypass ASLR
protection and, finally, how to run your own shellcode to
control the vulnerable OS.
REVERSE ENGINEERING
EXPLOITING CLIENT SOFTWARE
author. Can we find pertinent system settings, and even pull
information from them? Were you ever curious about what
could be done with a memory dump of an active computer?
This article is a short demonstration on how to acquire a
memory dump from a running system, and then how to use
tools to not only recover the system password hashes from
the memory dump, but also how to decode them.
Nmap (a contraction of Network Mapper) is open-source software
designed to rapidly scan both single hosts and large networks.
To perform its functions, Nmap sends particular IP packets (raw
packets) in order to probe which hosts are active on the target
network; for these hosts, it is able to discover the running
services (type and version) and the operating system in use
(type and version), and it can also obtain more advanced
information, such as the type of firewall used on the target
network. You will learn how to deceive an IDS/IPS system through
a particular feature offered by Nmap, a simple option able to
trick the rules generally used in this kind of system to detect
variations of supported IOS code and hardware platforms.
The author discusses the use of, and demonstrates, an
IOS Embedded Event Manager rootkit and worm. When
a router is infected it can be leveraged into a powerful
malware platform. Capabilities demonstrated are network
packet captures, reverse shell connections, a spam
module, and a mini malware httpd server leveraged with
IP address hijacking. In this article you will learn how
critical network devices and the network traffic traversing
them can be exploited, and how such a device can act as a
launch point for further attacks into a network. You will
also learn about a self-replicating IOS worm with stealth
features and self-defense mechanisms, all with
platform-independent code.
DEFENSE
SHELLCODE
Shellcode: From a Simple Bug to OS Control
The secret behind any good exploit is a reliable shellcode. The
shellcode is the most important element in your exploit. Generating
shellcode with automated tools only helps so much in formulating
your exploit. Knowing how to create your own shellcode will help
you overcome barriers that lie ahead, and that's what this article will
demonstrate.
10
SHELLCODE
Exploiting Format Strings with Python
In this article we will look at format strings in the C and C++
programming languages and, in particular, at how they may be abused.
Introduction
28
SHELLCODE
DPA Exploitation and GOTs with Python
This article is the follow-up and second part of a look at format strings
in the C and C++ programming languages, in particular at how they
may be abused. The article goes on to discuss crafting attacks using
Python in order to attack through DPA (Direct Parameter Access)
such that you can enact a 4-byte overwrite in the DTORS and GOT
(Global Offset Table).
Introduction
34
SHELLCODE
Starting to Write Your Own Linux Shellcode
We have seen more and more people become reliant on tools such
as Metasploit in the last decade. The ability to use these tools has
empowered many and has created a rise in the number of people
who can research software vulnerabilities.
Introduction
42
SHELLCODE
Beyond Automated Tools and Frameworks: the Shellcode Injection Process
This article is going to follow from previous articles as well as
going into some of the fundamentals that you will need in order to
understand the shellcode creation process, how to use Python as
a launch platform for your shellcode and what the various system
components are.
Introduction
Listing 1. Shellcode sample (This sample of shellcode has been taken from Zillion (2002). That page goes into detail as to the operation
of the shellcode and the reader is encouraged to step through it. The reader will find countless examples online with a simple
Google search, and many good examples are also included within the Metasploit framework.)
/* Byte string exactly as printed in the original listing (Zillion, 2002),
   declared as a C array so that the listing is a complete definition. */
char shellcode[] =
    "\xeb\x1a\x5e\x31\xc0\x88\x46\x07\x8d\x1e\x89\x5e\x08\x89\x46"
    "\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\xe8\xe1"
    "\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x23\x41\x41\x41\x41"
    "\x42\x42\x42\x42";
48
SHELLCODE
Taking Control, Functions to DLL Injection
This article is going to follow from previous articles as well as
going into some of the fundamentals that you will need in order to
understand the code exploitation process. In this article we look at
one of the primary infection steps used to compromise a Windows
host, DLL injection.
Introduction
62
What is a DLL?
BUFFER OVERFLOW
Theoretical Background
68
BUFFER OVERFLOW
Smashing the Stack 2
Modern operating systems come with sophisticated protection
mechanisms to prevent one-click exploitation. But how can
attackers bypass such techniques to compromise remote machines
all over the world? And is downloading PDF documents always a
safe practice?
80
BUFFER OVERFLOW
Exploiting Software with a Buffer Overflow Vulnerability and Bypassing ASLR
Protection
In this article you will find out what the buffer overflow vulnerability is,
and how you can scan any software for this kind of vulnerability.
For example
88
Figure 3. VUPlayer
REVERSE ENGINEERING
Goals of RE:
Figure 1. RE Process
98
Figure 2. Stack
REVERSE ENGINEERING
A Quick Hands-On Introduction to Packing
miasm
The tools
Overview
pefile
PE format
In their simplest form, PE files can be represented as a
collection of sections and a bunch of metadata. Sections
are blobs that are mapped into memory when the program
starts. These blobs can contain anything useful to the
program, such as the program code itself, constant
values, icons, etc. The metadata (mostly located in
the PE file headers) contains a lot of information; at
the very least the metadata defines where the sections
are located in the file, what their names are, where they
are supposed to be mapped in memory, and where
the starting point of the program is in memory once the
sections are mapped.
Listing 1. pefile's basis
>>> import pefile  # load the pefile module
>>> pe = pefile.PE(path_to_pe)  # path_to_pe: placeholder for the file to parse; the original line is elided in the magazine
>>> for s in pe.sections:  # walk the section table described above
...     print s.Name
.text
.data
.rsrc
102
REVERSE ENGINEERING
Hacking Applets: A Reverse Engineering Approach
In this article we'll discuss a technique that can be used to modify
an applet's Java bytecode without having to recompile the applet.
This is useful when the source code of the applet is not recoverable
because it is obfuscated using tools such as DotFuscator.
Class-file structures referred to in the article: Constant Pool (each entry: u1 tag; u1 info[];),
Fields Array, Method Array, Code Attribute.
110
Hijacking Software Updates with Evilgrade
On a daily basis, software and applications are connecting to remote
servers looking for updates. Almost every modern application
comes with a simple, built-in update mechanism. Usually it is
sensible for users to accept updates that improve the security and
operation of the program.
116
Evilgrade on BackTrack 5:
Direct Object Reference or, How a Toddler Can Hack Your Web Application
There is no point in denying that everyday software is steadily moving
from desktop applications to Web applications. When you can check your
mail, play games, create documents and file your tax report without ever
leaving your browser, then you are indeed a citizen of the Web.
122
Message_id  From  To   Title     Message
...         ...   ...  ...       ...
776         23    11   Hey!      Hey man!<br>What news?</br>
777         11    25   Foo...    U there?
778         25    42   No Title  Kthnxbye!
779         23    11   ...       ...
...         ...   ...  ...       ...
How to Recover Passwords from a Memory Dump
Were you ever curious about what could be done with a memory
dump of an active computer? This article is a short demonstration
on how to acquire a memory dump from a running system, and then
how to use tools to not only recover the system password hashes
from the memory dump, but also how to decode them.
128
malware analysis tools and pull key data from it. But
that is not all: a copy of the Windows passwords is kept
in memory, and not just for the currently logged-in user,
but a collection of the passwords for ALL of the system's
users.
The passwords are not stored in plain text in memory.
They are stored as password hashes. Hashes are a
one-way transformed form of the passwords and they are in a
format that looks like this:
aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
Creating a Fake Wi-Fi Hotspot to Capture Connected Users' Information
We can use a standard laptop to create a fake open wireless access
point that allows us to capture a large amount of information about
connected users; in certain environments, such as airports or meeting
areas, this kind of operation can represent an enormous security threat
but, on the other hand, the same approach is a powerful way to check
the wireless activity in certain areas where the security is very important.
134
Everywhere
Deceiving Network Defenses with Nmap Camouflaged Scanning
An attacker could deceive an IDS/IPS system through a particular
feature offered by Nmap, a simple option able to trick the
rules generally used in this kind of system to detect any suspect
activity inside a medium/large network; the software used is the
most famous network scanner in the world, and knowledge of its
potential is a good way to improve our security policies.
142
Overriding Function Calls in Linux
Function hooking and overriding play a vital role in the penetration testing of
thick-client applications. In this article we will discuss how shared libraries in a
Linux environment can be overridden without recompiling the code. By overriding
the function calls we can sniff the communication protocol, modify the
communication parameters and fuzz the communication protocol.
Background
Hacking WGET
150
Cracking Java Applications Using AOP Exploits (part 1)
Introduction
156
before: p { t = getSystemTime(); }
... in " + (getSystemTime() - t)); }
Cracking Java Applications Using AOP (part 2)
Introduction
160
Cisco IOS Rootkits and Malware: A Practical Guide
166
DEFENSE
Easy Network Security Monitoring with Security Onion
Intrusion Detection Systems monitor and analyze your network traffic
for malicious threats. The problem is that they can be very difficult to
configure and time-consuming to install. Some take hours, days or even
weeks to set up properly. The Security Onion IDS and Network Security
Monitoring system changes all of that. Do you have 10 minutes? That is
about how long it takes to set up and configure Security Onion.
Hackers and the malware that they create are getting much better at
evading anti-virus programs and firewalls. So how do you detect, or
even defend against, these advanced threats?
Intrusion Detection Systems (IDS) were created to help detect the
malicious activity that our networks are facing. The only problem is,
they tend to throw a lot of false positive alerts and can get very
overwhelming to monitor.
Enter Network Security Monitoring (NSM). In basic terms, NSM software
examines the alerts from IDS systems, events and full packet data,
then prioritizes these threats and presents them in a graphical
interface to be reviewed by an analyst. The analyst can then choose
whether the alert needs to be acted on or whether it can be dismissed.
There are several commercial products out there that do this, but the
free products from the open source community are very feature-rich
and capable. If you want a robust, cost-effective and easy to use
Intrusion Detection System (IDS) and Network Security Monitoring (NSM)
platform, look no further than Doug Burks' Security Onion
(http://securityonion.blogspot.com/).
Security Onion is one of my favorite security tools. Doug Burks did an
amazing job pulling together many of the top open source IDS and NSM
programs into a user-friendly Linux distribution. It's based on Ubuntu
and contains a ton of utilities including Snort, Suricata, Sguil,
Squert, Snorby, Xplico, Argus, Bro, Wireshark, and many others.
Sounds complicated, right?
Well, Doug has done all the hard work in integrating these systems
together into a very user-friendly environment (see Figure 1).
Run Security Onion on a system that has two network cards and you
have a complete NSM/IDS system. One NIC connects to your network or
the internet side of your traffic and records and monitors every
packet that comes in or goes out of your system. The second NIC
connects to your LAN and is used for management and system updates.
Figure 1. Security Onion Desktop
180
DEFENSE
Inspecting HTTPS Traffic on Gateways
In the past, security devices inspecting application content for
attack patterns, misuse or malware have been blind to encrypted
traffic, and because of this, encrypted protocols such as Hypertext
Transfer Protocol Secure (HTTPS) have been a safe method used by
attackers to bypass security inspection.
186
DEFENSE
Detecting IPv6 Rogue Router Incidents Using Bro NSM
As IPv6 migration slowly gains momentum, situations where
administrators responsible for deployment of network equipment
have very poor knowledge and non-existent operational experience
of the new protocol are unavoidable.
Introduction
NOTICE([$note=ICMPRogueRouter,
}
192
DEFENSE
The Gentoo Hardened Project: Or How to Minimize Exploit Risks
If you are reading this, then you might know what Gentoo Linux
is. If not, Gentoo Linux is a Linux distribution with plenty of years
of history and development. It was born on October 4th, 1999,
created by Daniel Robbins.
196
  [1]   default/linux/x86/10.0
  [2]   default/linux/x86/10.0/desktop
  [3]   default/linux/x86/10.0/desktop/gnome
  [4]   default/linux/x86/10.0/desktop/kde
  [5]   default/linux/x86/10.0/developer
  [6]   default/linux/x86/10.0/server
  [7]   hardened/linux/x86
  [8]   hardened/linux/x86/selinux
  [9]   selinux/2007.0/x86
  [10]  selinux/2007.0/x86/hardened
  [11]  selinux/v2refpolicy/x86
  [12]  selinux/v2refpolicy/x86/desktop
  [13]  selinux/v2refpolicy/x86/developer
  [14]  selinux/v2refpolicy/x86/hardened
  [15]  selinux/v2refpolicy/x86/server