Slide 1: The Same Program (City), a Different Ending
許富皓, Department of Computer Science and Information Engineering, National Central University
Slide 2: How Fast Could Your Computer Be Compromised?
Based on the observation of an unpatched version of Windows 2000 or Windows XP located within a dial-in network of a German ISP. Normally it takes only a couple of minutes before it is successfully compromised. On average, the expected lifespan of the honeypot is less than ten minutes. After this small amount of time, the honeypot is often successfully exploited by automated malware. The shortest compromise time was only a few seconds: once we plugged the network cable in, an SDBot compromised the machine via an exploit against TCP port 135 and installed itself on the machine.
Slide 3: The First Cyber War (Reader's Digest, 2008-12-12)
Estonia is the most networked country in Europe. Last year it suffered an unprecedented cyber attack. Who was behind it, and who will be the next victim?
Super computer virus "Stuxnet" appears: is Iran's nuclear power plant the final target? (2010/09/24 20:15, compiled report by 鄭杰, Chinese Television System)
Slide 4: Stack Smashing Attacks
Slide 5: Principle of Stack Smashing Attacks
Overwrite control transfer structures, such as return addresses or function pointers, to redirect the program's execution flow to the desired code. Attack strings carry both the code and the address(es) of the code's entry point.
Slide 6: A Linux Process Layout and Stack Operations
[Figure: process layout from low to high address: code, data, BSS, heap, libraries, stack, then env/argv/argc and the kernel address space. The stack holds the frames of main, G and H as main() calls G(1) and G calls H(3); EIP marks the instruction being executed.]
main() { ... G(1); }
void G(int a) { ... H(3); }
void H(int c) { ... }
Slide 7: Explanation of BOAs (1)
[Figure: G's stack frame sits above H's stack frame. From low to high address, H's frame holds c[0] .. c[99], then i, then the saved frame pointer of G (ebp), then the return address add_g; esp points at the bottom of H's frame. Input string: abc; the byte addresses 0xaba, 0xabb and 0xabc inside c[] are marked.]
G(int a) { H(3); add_g: }
H(int b) { char c[100]; int i=0; while((c[i++]=getch())!=EOF) { } }
Slide 8: Explanation of BOAs (2)
[Figure: the same frames as on slide 7, but c[0] .. c[99], i and the saved frame pointer are now covered by the attack string, and the return address slot holds 0xabc, the address of the injected code inside c[].]
G(int a) { H(3); add_g: }
H(int b) { char c[100]; int i=0; while((c[i++]=getch())!=EOF) { } }
Attack string: xx Injected Code x y 0xabc (x: 1 byte, y: 4 bytes; length = 108 bytes before the address 0xabc)
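The slide's H() beside a bounded replacement, as an added example that is not the lecture's own code. getch() is replaced by a constructed in-memory reader so the program runs offline; the 108-byte input mirrors the length of the attack string on slide 8.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the slide's getch(): hands out bytes from an
 * in-memory string so the example runs offline, and returns EOF at the end. */
typedef struct { const char *data; size_t pos; } Input;

int next_byte(Input *in) {
    unsigned char ch = (unsigned char)in->data[in->pos];
    if (ch == '\0') return EOF;
    in->pos++;
    return ch;
}

/* The slide's H() with getch() swapped for next_byte(). Nothing bounds i, so
 * an input longer than c[] runs on into i, the saved ebp and the return
 * address (the 108-byte layout on slide 8). Kept as written to mirror the
 * lecture; it is deliberately never called on overlong input here. */
void H_vulnerable(Input *in) {
    char c[100];
    int i = 0;
    while ((c[i++] = (char)next_byte(in)) != EOF) { }
}

/* Hardened H(): stops one byte early and NUL-terminates, so no input length
 * can reach past c[]. Returns the bytes stored; *truncated flags a cut-off. */
size_t H_bounded(Input *in, char *c, size_t cap, int *truncated) {
    size_t n = 0;
    int ch;
    *truncated = 0;
    while ((ch = next_byte(in)) != EOF) {
        if (n + 1 >= cap) { *truncated = 1; break; }
        c[n++] = (char)ch;
    }
    c[n] = '\0';
    return n;
}

/* Feed a constructed 108-byte string (the length of the slide's attack
 * string) to the bounded reader; the vulnerable reader would overrun its frame. */
size_t demo_overlong(int *truncated) {
    char attack[109];
    char c[100];
    memset(attack, 'x', 108);
    attack[108] = '\0';
    Input in = { attack, 0 };
    return H_bounded(&in, c, sizeof c, truncated);
}
```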
Slide 9: Injected Code
- The attacked programs usually have root privilege; therefore, the injected code is executed with root privilege.
- The injected code is already in machine instruction form; therefore, a CPU can execute it directly. However, this also means that the injected code must match the CPU type of the attacked host.
- Usually the injected code spawns a shell; hence, after an attack, an attacker could have a root shell.
Slide 10: Memory Address Obfuscation/ASLR - Overview
[Figure: the same process shown three times; its code, data, heap and stack segments and its libraries are placed at different addresses in each instance.]
Slide 11: Heap Spray and Drive-by Download
Slide 12: Heap Spray Overview [Puttaraksa]
Slide 13: Mishandling Tag Attribute Values (2) [Julam]
<IFRAME SRC=file://BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
:
BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
NAME="CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
:
CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC">
Slide 14: [Figure: client side and WWW. A vulnerable browser can reach both a good web server and a malicious web server, attacker.com, which hosts bad.htm.]
Slide 15: [Figure: as on slide 14, with a second malicious server, attacker2.com. bad.htm carries obfuscated JavaScript:]
document.write(unescape("%3C%73%63%72%69%70%74%20%6C%61%6E%67%75%61%67%65%3D%22%6A%61%76%61%73%63%72%69%70%74%22%3E%0D%0A%69%66%28%6E%61%76%69%67%61%74%6F%72%2E%75%73%65%72%41%67%65%6E%74%2E%74%6F%4C%6F%77%65%72%43%61%73%65%28%29%2E%69%6E%64%65%78%4F%66%28%22%5C%78%36%44%5C%78%37%33%5C%78% ………
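As an added example (not from the lecture), a small C deobfuscator of the kind an analyst or content filter runs over a page like bad.htm: it strips the unescape() percent-encoding and then the \xNN escapes that the decoded script itself uses, and flags the traits shown on the slide. The sample is the encoded prefix quoted above, joined into one string.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample: the start of the percent-encoded script quoted on the
 * slide, joined into one string (the slide wraps it and cuts it off at "\x"). */
static const char ENCODED[] =
    "%3C%73%63%72%69%70%74%20%6C%61%6E%67%75%61%67%65%3D%22%6A%61%76%61%73"
    "%63%72%69%70%74%22%3E%0D%0A%69%66%28%6E%61%76%69%67%61%74%6F%72%2E%75"
    "%73%65%72%41%67%65%6E%74%2E%74%6F%4C%6F%77%65%72%43%61%73%65%28%29%2E"
    "%69%6E%64%65%78%4F%66%28%22%5C%78%36%44%5C%78%37%33%5C%78";

/* Value of the two hex digits at p, or -1 if they are not both hex digits. */
static int hexpair(const char *p) {
    if (!isxdigit((unsigned char)p[0]) || !isxdigit((unsigned char)p[1])) return -1;
    char pair[3] = { p[0], p[1], '\0' };
    return (int)strtol(pair, NULL, 16);
}

/* Decode one escape layer. prefix is "%" for JavaScript's unescape() or "\\x"
 * for the escapes inside the decoded script. Malformed or truncated escapes
 * are copied through unchanged, so a cut-off sample still decodes. */
size_t decode_layer(const char *in, const char *prefix, char *out, size_t cap) {
    size_t plen = strlen(prefix), n = 0;
    const char *p = in;
    while (*p && n + 1 < cap) {
        int v = strncmp(p, prefix, plen) == 0 ? hexpair(p + plen) : -1;
        if (v >= 0) { out[n++] = (char)v; p += plen + 2; }
        else        { out[n++] = *p++; }
    }
    out[n] = '\0';
    return n;
}

/* Strip both layers, then report the traits a content filter would flag on
 * bad.htm: a written-in <script> that branches on navigator.userAgent. */
int looks_like_driveby(const char *encoded, char *decoded, size_t cap) {
    char once[512];
    decode_layer(encoded, "%", once, sizeof once);
    decode_layer(once, "\\x", decoded, cap);
    return strstr(decoded, "<script") != NULL &&
           strstr(decoded, "navigator.userAgent") != NULL;
}
```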
Slide 16: Cross-site Scripting
Slide 17: Cookie Delivery
Slide 18: Through Hyperlinks
An attacker may be able to embed malicious code within a hyperlink to the target site. When the client web browser follows the link, the URL sent to trusted.org includes the malicious code. The site (trusted.org) sends a page back to the browser that includes the value of criteria without validating the user-supplied input, which consequently forces the execution of code from the attacker's server. For example:
"> Go to trusted.org
In the attack above, one source is inserting code into pages sent by another source. It should be noted that this attack:
- disguises the link as a link to http://trusted.org,
- can easily be included in an HTML email message,
- does not supply the malicious code inline; the code is downloaded from http://evil.org. Thus the attacker retains control of the script and can update or remove the exploit code at any time.
[Figure: web browser and trusted.org]
Slide 19: SQL Injection [SK]
Slide 20: How Do You Test If It Is Vulnerable?
hi' or 1=1--
Slide 21: Web Application Input and Its Corresponding SQL Query
Take an ASP page that links you to another page with the following URL:
http://duck/index.asp?category=food
In the URL, 'category' is the variable name, and 'food' is the value assigned to the variable. To do that, the ASP page might contain the following code:
v_cat = request("category")
sqlstr="SELECT * FROM product WHERE PCategory='" & v_cat & "'"
set rs=conn.execute(sqlstr)
As we can see, our value is placed in v_cat, and thus the SQL statement becomes:
SELECT * FROM product WHERE PCategory='food'
The query should return a result set containing one or more rows that match the WHERE condition, in this case 'food'.
Slide 22: Why ' or 1=1-- ?
Now, assume that we change the URL into something like this:
http://duck/index.asp?category=food' or 1=1--
Now our variable v_cat equals "food' or 1=1--"; if we substitute this into the SQL query, we have:
SELECT * FROM product WHERE PCategory='food' or 1=1--'
The query now selects everything from the product table regardless of whether PCategory is equal to 'food' or not. A double dash "--" tells MS SQL Server to ignore the rest of the query, which gets rid of the last hanging single quote ('). Sometimes it may be possible to replace the double dash with a single hash "#".
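The concatenation from slides 21 and 22 reproduced in C beside an allow-list check that rejects the probe from slide 20, as an added example that is not the lecture's code. The query text and column names are the slide's; the 64-byte limit and the accepted character set are assumptions for a category key.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Builds the query the same way the slide's ASP does, by splicing v_cat into
 * the SQL text, so the effect of an injected value can be seen. Returns the
 * length of the statement (snprintf semantics). */
int build_query_unsafe(const char *v_cat, char *out, size_t cap) {
    return snprintf(out, cap, "SELECT * FROM product WHERE PCategory='%s'", v_cat);
}

/* Allow-list check for a category key: non-empty, at most 64 bytes, and only
 * letters, digits, spaces and underscores. A quote, "--" or "#" can therefore
 * never reach the query, so "food' or 1=1--" and "hi' or 1=1--" are rejected.
 * This is defence in depth; the primary fix is a parameterised query in which
 * v_cat is bound as data rather than spliced into the SQL text. */
int category_is_valid(const char *v_cat) {
    size_t n = strlen(v_cat);
    if (n == 0 || n > 64) return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char ch = (unsigned char)v_cat[i];
        if (!isalnum(ch) && ch != ' ' && ch != '_') return 0;
    }
    return 1;
}

/* Request handling as the hardened page would do it: validate first and build
 * the query only for accepted input. Returns 1 if a query was produced. */
int handle_category(const char *v_cat, char *out, size_t cap) {
    if (!category_is_valid(v_cat)) { out[0] = '\0'; return 0; }
    build_query_unsafe(v_cat, out, cap);
    return 1;
}

int main(void) {
    char q[256];
    build_query_unsafe("food' or 1=1--", q, sizeof q);
    printf("unsafe build: %s\n", q);
    printf("validated build accepted: %d\n", handle_category("food' or 1=1--", q, sizeof q));
    return 0;
}
```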
Slide 23: Fast Flux [Riden][SSAC]
Slide 24: DNS Resolution Sequence (1)
Slide 25: DNS Resolution Sequence (2)
[Figure: resolution sequence including the root domain server]
Slide 26: Web Request - Normal Network
Slide 27: Web Request - Fast Flux
Slide 28: DNS Resolution - Single Flux
Slide 29: DNS Resolution - Double Flux
Slide 30: DNS Resolution - Double Flux (continued)
Slide 31: Click Fraud
Slide 32: Google AdSense Abuse
A similar abuse is also possible with Google's AdSense program. AdSense offers companies the possibility to display Google advertisements on their own website and earn money this way. The company earns money from clicks on these ads, for example per 10,000 clicks in one month. An attacker can abuse this program by leveraging his botnet to click on these advertisements in an automated fashion and thus artificially increment the click counter. This kind of usage for botnets is relatively uncommon, but not a bad idea from an attacker's perspective.
Slide 33: Loss Caused by Click Fraud [Catherine Holahan]
On average, consultants estimate that between 14% and 15% of clicks are fraudulent.
Slide 34: Google Search Page
Slide 35: Google Search Result Page
Slide 36: Source HTML File of the Google Search Result Page
Slide 37: Ampersands (&'s) in URLs [Liam Quinn]
Always use &amp; in place of & when writing URLs in HTML. E.g.: ...
Slide 38: Click Fraud (1) - Use the Browser's URL Field
Slide 39: Click Fraud (2) - Connect to the Google Server Directly
Attackers could launch the same attacks by opening an HTTP connection to a Google server and sending the URL from the previous slide to that server directly.
Slide 40: Click Fraud (3) - Use a Fake Page (1)
Slide 41: Click Fraud (3) - Use a Fake Page (2) [Mr. 東]
Slide 42: Click Fraud (3) - Use a Fake Page (3)