seminar hacking & security analysis

Hacking | Information Security Analysis

HackingSecurity Analysis

-- Build security with creativityDanang Heriyadi ([email protected])


Hello World


Today

Hacking Incidents

Assets

Vulnerability Analysis


Top 3 - Hacking in action

Cyber Spying

Fraud or Forgery

Illegal Access


Cyber Spying


Fraud or Forgery


Illegal Access


How they can do that?

• Sensitive information disclosure– Search Engine (google, bing, yahoo)– Magazine– etc

• Social engineering attacks– The knowledge and attitude members of an organization possess

regarding the protection of the information assets.

• Vulnerability on your system– Attacker exploit the vulnerability to gaining access.


Google Hacking


What are you trying to protect?

• Senstive personal data• Your network infrastructure• Your assets


Common Vulnerabilities

• Web– XSS– Database Injection– OS command Injection– Local File Disclosure– File Inclusion– Path Disclosure– CSRF– Dir. Traversal

• Low level Vulnerability– Stack Overflow– Heap Overflow– Integer Overflow– Memory Corruption– Etc


Buffer Overflow

• Low level vulnerability– Stack Overflow ( Very easy )– Integer Overflow ( easy )– Heap Overflow ( medium ) – Memory Corruption ( easy - medium )– .....


Impact of buffer overflow

• Application– Crash and terminated– Arbitary code execution

• Operating System– Crash, hang, or reboot– Arbitary code execution– Privilege escalation


Basic Knowledge

• CPU Register– EAX EDI– EBX ESI– ECX EBP– EDX ESP– EIP


Basic Knowledge

• Assembly Language– mov ret– push– pop– shr– jmp


WindowsMemory Allocation

0x00000000

0xFFFFFFFF

Stack

Heap

Program Image• PE Header• .text, .rdata, .data, ...

Can be allocated as heap or stack for other threads

DLLPEB

Shared User Page

No Access

0x00400000

0x7FFE10000x7FFE00000x7FFDF000


C++ from beginner

#include <stdio.h>

void vulnerable(char *Buffer){char stack_data[128];strcpy (stack_data, Buffer);printf( " Isi variabel stack_data : %s ", stack_data);

}int main(int argc, char **argv){

vulnerable(argv[1]);return 0;

}


Run it !!


Stack Allocation

#include <stdio.h>#include <string.h>




}

CPU Register (Example)• EIP = 0x01234567 => address of main()

0x00000000

Top of Stack


Stack Allocation





}

0x00000000

Top of Stack

CPU Register (Example)• EIP = 0x01234571 => address of vulnerable()


Stack Allocation





}

0x00000000

Top of Stack

CPU Register (Example)• EIP = 0x01234585 => stack_data[128]


Stack Allocation





}

0x00000000

Top of Stack

CPU Register (Example)• EIP = 0x01234544 => address of strcpy()

<Space for stack_data>

ESP<ptr to argv[1]>

Saved EBP 0x00112233

Saved EIP 0x00112237


Stack Allocation





}

0x00000000

Top of Stack

ABCD

ESP<ptr to argv[1]>



CPU Register (Example)• EIP = 0x01234548 => address of printf()


Stack Allocation





}

0x00000000

Top of Stack

ESP<ptr to argv[1]>



CPU Register (Example)• EIP = 0x01234552 => restore saved EIP -> EIP


Stack Allocation





}

0x00000000

Top of Stack

ESP<ptr to argv[1]>

CPU Register (Example)• EIP = 0x01234599 => exit(0)


Stack Allocation





}

0x00000000

Top of Stack


Stack Allocation(Stack Overflow)







}

0x00000000

Top of Stack

CPU Register (Example)• EIP = 0x012345 => address of strcpy()

<Space for stack_data>

ESP<ptr to argv[1]>









}

0x00000000

Top of Stack

414141414141414141414141414141414141414141414141414141414141414141414141



ESP414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141

0x001122330x00112237

CPU Register (Example)• EIP = 0x01234548 => address of printf()


Stack Allocation





}

0x00000000

Top of Stack

ESP414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141

0x001122330x00112237



CPU Register (Example)• EIP = 0x41414141 => restore saved EIP -> EIP


Stack Allocation





}

0x00000000

Top of Stack

ESP414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141

0x001122330x00112237

CPU Register (Example)• EIP = 0x41414141 Access Volation when executing 0x41414141


Stack Exploitation


Stack Exploitation(Stack Overflow)

0x00000000

Top of Stack

414141414141414141414141414141414141414141414141414141414141414141414141



ESP414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141

0x001122330x00112237

0x00000000

Top of Stack

414141414141414141414141414141414141414141414141414141414141414141414141



ESP31c031db31c931d2eb16bfea07457e50535150ffd75950684141414189e3ebeae8f0ffffff48

656c6c6f776f726c64

0x001122330x00112237

Shellcode

Address for JMP ESP


Shellcode

• Small piece of code used as the payload in the exploitation of a software vulnerability

• Why is our shellcode not working?– bad character– Big size


• Fuzzing Technique– Detecting Buffer Overflow– Find offset to overwrite EBP and EIP register

• Find -> JMP ESPwindbg command > lm muser32windbg command > s -b 7xxxxx 7xxxxx ff e4

• Generate shellcode– msfvenom– manual :-P

• Finishing Exploit

Stack Exploitation(Stack Overflow)


Mitigation and Technique

• Windows XP– Hardware DEP -> ROP shellcode

• Windows Vistra– ASLR -> Static address on shared data memory– DEP -> ROP shellcode

• Windows 7– ASLR + DEP -> ROP / JIT ROP / JIT ROP Spraying


Mitigation and Technique

• Windows 8– ASLR + DEP (new) -> ROP / JIT ROP

seminar hacking & security analysis

Technology

char stack

data128 strcpy stack

stack abcd esp

stack cpu register example

information assets

build security

saved eip eip

senstive personal data