What are exploits? Exploits. How to stop hackers from exploiting third-party software vulnerabilities

Where do sploits come from? Have you ever wondered how an unremarkable entry
from a bugtraq feed turns into a working skeleton key? How can two dozen
lines of code get you a shell on a remote server? Today we will visit
the sploit factory and see in detail how a quality product is made.

Launch MSF eXploit Builder, go to the "Editor" menu and select "New".
A window appears with several tabs (Information, Badchars, Analysis,
Shellcode, Design). Go to the "Information" tab and look at the many interesting
fields. As you remember, this section specifies the targets (OS + SP) and the
exploit type/protocol (for example, remote/tcp). Moreover, the program gives us
the ability to test and debug the resulting exploit, so you can immediately
select the executable file and specify the parameters for launching it (port, IP address).

So, select our tftpd.exe, after which the utility offers a choice of
actions: run the application, run it under a debugger, or do not run it.
Let's just launch the application. Notice that a list of the DLLs loaded by
the application is displayed on the right side.

Now let's start looking at the exploit code; fortunately for us, it is extremely clear.

Many novice information security specialists have questions about exploits: What are exploits? Who writes exploits? How to use exploits? In this article you will find answers to these questions!

What is an exploit?

An exploit is a computer program, a piece of software code or a sequence of commands that takes advantage of vulnerabilities in software and is used to carry out an attack on a computer system. The purpose of the attack can be either to seize control of the system (privilege escalation) or to disrupt its functioning (DoS attack). ...

At its core, an exploit is a small example of how a given vulnerability can be exploited; in the hands of an experienced hacker, an exploit is a powerful weapon that allows one to compromise the target system.

Who writes exploits?

Exploits are written by thousands of enthusiasts who are passionate about studying information security; they publish them on many well-known sites like SecurityFocus. They do this not for the sake of fame and not for the joy of script kiddies; they do it to notify system administrators and other information security specialists that the vulnerability exists. After all, with an implementation of a specific vulnerability in hand, you can easily write a "patch".

How to use exploits?

Although huge exploit databases confuse many newcomers, exploits are quite easy to use!

For example, take a vulnerability found in one of the many Joomla components. You can find a description of the exploit by following the link Joomla Component com_camp SQL Injection Vulnerability.

First of all, look at the application, and the version of the application, for which the vulnerability exists. If you find what you need, start studying the description of the exploit. The description usually says where exactly the vulnerability was found. In our case, it is the com_camp component. As you can see, the vulnerability exists because the cid variable is not filtered:

http://127.0.0.1/index.php?option=com_camp&task=show&cid=

By visiting a site with this vulnerability and substituting a quote into the cid variable, you will most likely see an error on the page, which indicates an SQL injection.

What to do next? With just a little imagination you can do a lot! This is where we come to the exploit itself. On the exploit description page, a file with the exploit itself is usually posted, or a line of program code that either needs to be compiled or somehow "fed" to the vulnerable application. In our case, we see a line of SQL code that needs to be inserted into the cid variable:

1/**/UNION/**/SELECT/**/1,2,3,4,5,6,7,8,9,10,11,12,13,14--

Also in our case we see an example of how this vulnerability is exercised:

http://127.0.0.1/index.php?option=com_camp&task=show&cid=-1/**/UNION/**/SELECT/**/1,2,3,4,5,6,7,8,9,10,11,12,13,14--

With this data and knowledge of the Joomla database structure, you can easily obtain all the necessary data, including logins and password hashes of users, including the administrator.
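The defect described above, reduced to a runnable model: an added example (not the com_camp component's code) with a constructed three-column table, showing the quote probe and the UNION payload against an unfiltered query and against the same query with a bound parameter.

```python
import sqlite3

# Constructed stand-in for a component's lookup table (the real Joomla schema
# is not reproduced); three columns instead of the article's fourteen.
SCHEMA = """
CREATE TABLE camp (id INTEGER PRIMARY KEY, name TEXT, city TEXT);
INSERT INTO camp VALUES (1, 'Summer camp', 'Sochi');
INSERT INTO camp VALUES (2, 'Winter camp', 'Kazan');
"""

# The article's payload, reduced to this schema's column count.
PAYLOAD = "-1/**/UNION/**/SELECT/**/1,2,3--"


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def show_vulnerable(cid):
    """Mirrors the com_camp defect: cid is pasted into the SQL text unfiltered,
    so a UNION inside the parameter becomes part of the statement."""
    conn = open_db()
    try:
        return conn.execute(
            "SELECT id, name, city FROM camp WHERE id = " + cid
        ).fetchall()
    finally:
        conn.close()


def show_hardened(cid):
    """Same query with a bound parameter: whatever cid contains is compared as a
    value against id and never parsed as SQL."""
    conn = open_db()
    try:
        return conn.execute(
            "SELECT id, name, city FROM camp WHERE id = ?", (cid,)
        ).fetchall()
    finally:
        conn.close()


def quote_breaks_query(handler):
    """The probe from the text: True if a lone quote in cid raises an SQL error,
    the symptom that shows up as an error on the page."""
    try:
        handler("1'")
    except sqlite3.Error:
        return True
    return False


if __name__ == "__main__":
    print(show_vulnerable("1"))                  # the legitimate row
    print(quote_breaks_query(show_vulnerable))   # True
    print(show_vulnerable(PAYLOAD))              # [(1, 2, 3)]: injected constants come back
    print(quote_breaks_query(show_hardened))     # False
    print(show_hardened(PAYLOAD))                # []: the payload is just a non-matching id
```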

What other exploits are there?

Depending on the method of gaining access to vulnerable software, exploits are divided into remote and local.

Exploits are designed to perform third-party actions on a vulnerable system and can be divided as follows:

In general, Google hacking and "Advanced Search" will help you search a specific site; for example, site:securityfocus.com joomla sql injection will show you many exploits that allow SQL injection in Joomla.

Can exploits be used by every fool?

No, no and NO. To use exploits you need, at a minimum, general programming knowledge (many exploits are deliberately written with errors and do not provide much functionality, because they are just a "presentation" of a vulnerability); you also need to study the system being attacked and collect enough information to carry out the attack. Experience shows that many people who want "easy money" simply do not have the necessary knowledge.

Conclusion:
Every day more and more vulnerabilities are found, and therefore more and more exploits are written. I do not encourage you to become script kiddies, and in no case do I suggest that you use this information for illegal purposes!

Nuclear energy can bring light, or it can bring eternal darkness, everyone decides for themselves how to live...

Our magazine would not be called what it is if we did not analyze the situation in the world of exploit packs and drive-by downloads with enviable regularity (see, for example, ][ No. 162). Since the last review, many changes have affected the means of delivering malicious code. In particular, the people whose duties include protecting ordinary workers from all sorts of dangers of the world wide web have not been sleeping, and the arrest of the notorious Paunch, the author of the once most popular Black Hole exploit kit, probably influenced the redistribution of the main players in the exploit pack market.

WARNING!

All information is provided for informational purposes only. Neither the author nor the editors are responsible for any possible harm caused by the materials of this article.

Our list today features nine of the most popular exploit kits. It is worth noting that the once-obvious leader, Black Hole, is not among them, and the popularity of any given representative is not always assessed equally by different researchers and antivirus companies. However, the overall picture looks something like this:

  • Angler Exploit kit;
  • Sweet Orange Exploit kit;
  • Nuclear Exploit kit;
  • Fiesta Exploit kit;
  • Magnitude Exploit kit;
  • Neutrino Exploit kit;
  • Astrum Exploit kit;
  • RIG Exploit kit;
  • Archie Exploit kit.

Angler Exploit kit

The leader of today's review. It appeared at the end of last year, and, according to some reports, many Black Hole Exploit Kit users switched to this exploit pack after Paunch's arrest. Today it has exploits for twelve vulnerabilities in its arsenal (two of them very recent).

The first (CVE-2015-0311) allows arbitrary code execution in Flash versions up to 16.0.0.287 for Windows and OS X; the second (CVE-2015-0310) allows bypassing security restrictions in Adobe Flash Player, disabling ASLR and executing arbitrary code.


Before starting its malicious activity, Angler EK checks whether the attacked machine is running in a virtual environment (VMware, VirtualBox and Parallels Workstation are recognized by the presence of the corresponding drivers) and which anti-virus tools are installed (it detects various versions of Kaspersky, antiviruses from Trend Micro and Symantec, and the AVZ antivirus utility). In addition, the presence of the Fiddler web debugger is also checked.

By the way, checks of this kind are now implemented to one degree or another in many exploit packs, including those in today's review.

The Angler EK code, as expected, is very well obfuscated and encrypted, and the authors regularly clean the exploit pack code (as it gets into anti-virus databases).

Sweet Orange Exploit kit

Although this exploit pack is not that new (it appeared back in 2012), it can boast considerable popularity (especially after October 2013) and the exploitation of one recent vulnerability. According to some researchers, the exploit pack's penetration rate is about 15%. At the moment it includes exploits for ten vulnerabilities, and, unlike Angler EK, Sweet Orange exploits several Java vulnerabilities (CVE-2012-1723, CVE-2013-2424, CVE-2013-2460, CVE-2013-2471).

Sweet Orange uses an algorithm to generate random domain names every few minutes, making this exploit pack difficult to detect and investigate. For example, subdomain names can look like this:

  • abnzzkpp.syt*.net
  • abtkslxy.syt*.net
  • ajijaohoo.syt*.net
  • ancezvwzvn.syt*.net
  • azrrfxcab.syt*.net
  • bnfjqksp.syt*.net
  • bvakjbktwg.syt*.net

The scan4you.net service is used to check domain names and IP addresses for presence in the blacklists of different antiviruses; the user of the bundle can specify another checking service.

Bundle price: 2500 WMZ, plus the first two weeks of cleaning and domain changes are free.

Additional services:

  • Cleaning: one month - 1000 WMZ.
  • Changing domains:
    • by quantity (price per domain):
      • up to 10 - 25 WMZ;
      • from 10 to 30 - 15 WMZ;
      • from 30 - 10 WMZ.
    • by time (in days):
      • 10 - 300 WMZ;
      • 20 - 400 WMZ;
      • 30 - 600 WMZ.
  • Server change: 20 WMZ.

Nuclear Exploit kit

The first versions of this exploit pack appeared back in 2009. To date, the most heavily loaded exploit pack of all those presented in the review includes exploits for twelve vulnerabilities (it is worth noting that not all of them are the latest).

In most cases, a three-level redirect is used for infection according to the following scheme: the first level is a compromised web page with an embedded iframe, the second level is a link to the exploit pack, and the third is the bundle itself.

The exploit pack code is very heavily obfuscated; there are a large number of variables and functions declared in different places that are never used.

To deobfuscate the code at execution time, Nuclear EK uses approximately the following functions (I think what these functions do is clear without explanation):

    VV8Y6W = function(uAVnC, mhTbz) { return uAVnC(mhTbz); };         // call uAVnC with one argument
    WL3 = function(uAVnC, mhTbz, YSu) { return uAVnC(mhTbz, YSu); };  // call uAVnC with two arguments

In addition, the code for some functions, in particular the script that determines the platform and the versions of browser plugins (the PluginDetect JS library is used to detect plugins), is generated dynamically:

    J_version = PluginDetect.GetVersion("Java");
    p_version = PluginDetect.GetVersion("AdobeReader");
    f_version = PluginDetect.GetVersion("Flash");
    s_version = PluginDetect.GetVersion("Silverlight");

  • 50k - 500 WMZ;
  • 100k - 800 WMZ;
  • 200k - 1200 WMZ;
  • 300k - 1600 WMZ.

Two weeks:

  • 50k - 300 WMZ;
  • 100k - 500 WMZ;
  • 200k - 700 WMZ;
  • 300k - 900 WMZ.

One week:

  • 100k - 300 WMZ;
  • 200k - 400 WMZ;
  • 300k - 500 WMZ.

The oldest vulnerability in our review is CVE-2010-0188; the exploit for it included in Nuclear EK allows arbitrary code execution on the attacked system using a specially crafted PDF file.

Fiesta Exploit kit

This exploit pack started its journey back in 2008 with an exploit for CVE-2007-5659. Today it carries nine exploits on board, for vulnerabilities dating from 2010–2013. The most recent of these are Silverlight vulnerabilities that allow arbitrary code execution on the system due to a double pointer dereference (CVE-2013-0074) or incorrect processing of objects in memory (CVE-2013-3896).

Checking for the presence of the required versions of Silverlight and Adobe Flash is done as follows:

    // Check for Silverlight presence
    new ActiveXObject("AgControl.AgControl");
    // Check for Adobe Flash
    new swfobject.embedSWF();

If both of these calls throw an exception, an attempt is made to exploit other vulnerabilities (Java or IE).

The exploit pack code is heavily obfuscated and, in addition, encrypts most strings using random numbers and sequences.

Magnitude Exploit kit

The bundle appeared on the market in early 2013 and was initially known as PopAds Exploit Kit.

The main feature of this exploit pack is the use of the scan4you.net service to check IP addresses and domains, as well as the exploit pack's own code, for detection by different antiviruses. In addition, Magnitude EK, like Sweet Orange EK, dynamically generates and changes its subdomain names every few minutes.
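The subdomain churn that Sweet Orange and Magnitude share is visible on the defender's side as many never-repeated first labels under one parent domain. This added detector (not part of the article, nor any kit's code) runs over a constructed DNS query log that reuses the Sweet Orange labels quoted above under a placeholder parent domain.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed DNS query log: "<ISO timestamp> <client> <queried name>".
# The first labels are those the article lists for Sweet Orange;
# "syt-example.net" is a placeholder for the redacted parent domain.
DNS_LOG = """\
2015-02-10T10:00:05 10.0.0.7 abnzzkpp.syt-example.net
2015-02-10T10:00:06 10.0.0.7 www.example.org
2015-02-10T10:03:11 10.0.0.7 abtkslxy.syt-example.net
2015-02-10T10:06:40 10.0.0.7 ajijaohoo.syt-example.net
2015-02-10T10:09:02 10.0.0.7 mail.example.org
2015-02-10T10:10:15 10.0.0.7 ancezvwzvn.syt-example.net
2015-02-10T10:13:58 10.0.0.7 azrrfxcab.syt-example.net
2015-02-10T10:17:30 10.0.0.7 bnfjqksp.syt-example.net
2015-02-10T10:20:12 10.0.0.7 bvakjbktwg.syt-example.net
2015-02-10T10:25:00 10.0.0.7 cdn.example.org
"""


def parse_log(text):
    """Return (timestamp, client, name) tuples from the log text."""
    events = []
    for line in text.splitlines():
        ts, client, name = line.split()
        events.append((datetime.fromisoformat(ts), client, name.lower().rstrip(".")))
    return events


def parent_domain(name, labels=2):
    """Registrable parent as the last two labels (enough for .net/.org here;
    a public-suffix list is needed for the general case)."""
    return ".".join(name.split(".")[-labels:])


def churning_parents(events, window=timedelta(minutes=30), threshold=5):
    """Return {parent: distinct labels} for parents that show at least
    `threshold` different first labels inside one `window`.

    A legitimate site reuses a handful of host names (www, mail, cdn); a kit
    domain that mints a fresh random subdomain every few minutes does not.
    """
    seen = defaultdict(list)                     # parent -> [(time, first label)]
    for ts, _client, name in events:
        parts = name.split(".")
        if len(parts) < 3:
            continue                             # bare domain, nothing to count
        seen[parent_domain(name)].append((ts, parts[0]))

    flagged = {}
    for parent, hits in seen.items():
        hits.sort()
        for i, (start, _label) in enumerate(hits):
            labels = {label for ts, label in hits[i:] if ts - start <= window}
            if len(labels) >= threshold:
                flagged[parent] = len(labels)
                break
    return flagged


if __name__ == "__main__":
    print(churning_parents(parse_log(DNS_LOG)))   # {'syt-example.net': 7}
```

Tune `window` and `threshold` to the site's own baseline; large CDNs legitimately expose many host labels, so an allowlist of known parents belongs in front of this check.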

Despite the not-so-recent exploited vulnerabilities (there are currently seven in this set), this exploit pack provides quite acceptable penetration.

The exploit pack's code can be deobfuscated with the String.fromCharCode method, whose arguments are the elements of an XOR-encrypted sequence. The % symbol is used to separate the elements of this sequence from one another.

Unlike other exploit packs, Magnitude EK cannot be rented, for example, for a week or a month. The creators of this bundle take a certain percentage of infected computers from the customer’s total traffic as payment.

Neutrino Exploit kit

This exploit pack began its journey around March 2013 and at that time included exploits for only two vulnerabilities (CVE-2012-1723 and CVE-2013-0431, both for Java). Today the list of exploited vulnerabilities has expanded slightly: it now includes five exploits for Java and one (CVE-2013-2551) for Internet Explorer.

The exploit pack code is obfuscated in approximately the same way as in Magnitude EK. The following function is used for deobfuscation:

    // Repeating-key XOR: character i of input is XORed with character (i % pass.length) of pass
    function xor(input, pass) {
        var output = "";
        var i = 0;
        var pos = 0;
        for (i = 0; i < input.length; i++) {
            pos = Math.floor(i % pass.length);
            output += String.fromCharCode(input.charCodeAt(i) ^ pass.charCodeAt(pos));
        }
        return output;
    }

The "payload" that Neutrino EK downloads to the victim's infected computer is transmitted in XOR-encrypted form, which somewhat reduces the likelihood of detection by antivirus products.

The cost of renting the exploit pack on a shared server with general cleaning:
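An analyst's decoder for the two XOR layouts described above (Magnitude's %-separated character codes and Neutrino's per-character xor function), added here as an example that is not the article's or any kit's code. The variable names `p` and `k` and the script layout are assumptions used to build a constructed sample.

```python
import re


def xor_decode(data, key):
    """Repeating-key XOR as in the Neutrino function: character i of the data is
    XORed with key[i % len(key)]. XOR is its own inverse, so this also encodes."""
    return "".join(chr(ord(c) ^ ord(key[i % len(key)])) for i, c in enumerate(data))


def magnitude_decode(blob, key, sep="%"):
    """Magnitude-style layout: the blob is a '%'-separated list of character codes,
    each XORed with the repeating key; the kit feeds the result to
    String.fromCharCode."""
    codes = [int(tok) for tok in blob.split(sep) if tok]
    return "".join(chr(code ^ ord(key[i % len(key)])) for i, code in enumerate(codes))


def magnitude_encode(text, key, sep="%"):
    """Inverse of magnitude_decode, used here only to build the constructed sample."""
    return sep.join(str(ord(c) ^ ord(key[i % len(key)])) for i, c in enumerate(text))


# Assumed layout of the obfuscated stage (constructed, not real kit output):
# the blob and the key sit in two string variables named p and k.
BLOB_RE = re.compile(r'var\s+p\s*=\s*"([0-9%]+)"')
KEY_RE = re.compile(r'var\s+k\s*=\s*"([^"]+)"')


def deobfuscate_script(script):
    """Pull the blob and key out of the script text and return the decoded stage,
    or None when the expected pattern is absent."""
    blob, key = BLOB_RE.search(script), KEY_RE.search(script)
    if not blob or not key:
        return None
    return magnitude_decode(blob.group(1), key.group(1))


# Constructed sample: a harmless page fragment wrapped the way the article
# describes (codes separated by '%', decoded with String.fromCharCode).
PLAIN = "document.write('<div id=\"plugins\"></div>');"
KEY = "k3y"
SAMPLE_SCRIPT = (
    'var p="%s";var k="%s";'
    'eval(String.fromCharCode.apply(null, p.split("%%").map('
    "function(c, i) { return c ^ k.charCodeAt(i %% k.length); })));"
) % (magnitude_encode(PLAIN, KEY), KEY)


if __name__ == "__main__":
    print(deobfuscate_script(SAMPLE_SCRIPT))                 # the PLAIN fragment
    print(xor_decode(xor_decode(PLAIN, KEY), KEY) == PLAIN)  # True: round trip
```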

  • day - 40 dollars;
  • week - 150 dollars;
  • month - 450 dollars.

Astrum Exploit kit

The youngest set of exploits in our review today. According to some antivirus companies, the date of its first release is approximately mid-September 2014.

The exploit pack code is heavily obfuscated and contains an internal check for the presence of various hacker tools and antivirus programs on the infected machine, as well as for running in a virtual machine. In addition, the on-screen keyboard protection plugin from Kaspersky gets a separate check:

    // Probe for Kaspersky's virtual keyboard plugin by its ProgID; $ is the kit's own lookup helper
    try { var O = $("Kaspersky.IeVirtualKeyboardPlugin.JavaScriptApi.1"); O && (mr = 1); } catch (s) {}

It contains exploits for seven vulnerabilities (Silverlight, Flash, LibTiff and IE).

RIG Exploit kit

RIG EK began its malicious activities at the end of 2013 and today exploits vulnerabilities in Internet Explorer, Java, Adobe Flash and Silverlight.

Users are redirected to the page with the exploit pack by a JS script embedded in the compromised page, which generates the domain names where the exploit pack code is located from the current date (its CRC32 hash is taken).

This exploit pack also checks for the presence of anti-virus products (though only Kaspersky and Trend Micro) by determining whether the following drivers are present:

  • c:\\Windows\\System32\\drivers\\kl1.sys
  • c:\\Windows\\System32\\drivers\\tmactmon.sys
  • c:\\Windows\\System32\\drivers\\tmcomm.sys
  • c:\\Windows\\System32\\drivers\\tmevtmgr.sys
  • c:\\Windows\\System32\\drivers\\TMEBC32.sys
  • c:\\Windows\\System32\\drivers\\tmeext.sys
  • c:\\Windows\\System32\\drivers\\tmnciesc.sys
  • c:\\Windows\\System32\\drivers\\tmtdi.sys

Cost of this exploit kit:

  • day - 40 dollars;
  • week - 100 dollars;
  • month - 500 dollars.

Archie Exploit kit

This exploit pack appeared relatively recently (according to F-Secure, approximately at the end of July last year). Its creators did not bother developing the code themselves and took exploit modules from the Metasploit Framework; to obtain information about Silverlight, Flash and other plugin versions, the PluginDetect JS library is used.

The first versions of Archie did not pamper their users with obfuscation or any other tricks, but later versions introduced code obfuscation, encryption of URLs and file names, and checks for virtual machines and antivirus programs.
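The client-fingerprinting idioms this review attributes to the kits (PluginDetect version probes in Nuclear and Archie, the Silverlight and Flash checks in Fiesta, the Kaspersky keyboard plugin probe in Astrum, the driver names RIG looks for, the Fiddler check in Angler) make a usable static triage signal. The following scorer is an added example, not the article's or any kit's code; both script samples are constructed.

```python
import re

# Fingerprinting idioms quoted in the article, one regex per category.
INDICATORS = {
    "plugin_version_probe": re.compile(r"PluginDetect\.GetVersion\("),
    "silverlight_probe": re.compile(r"ActiveXObject\(\s*[\"']AgControl\.AgControl[\"']"),
    "flash_probe": re.compile(r"swfobject\.embedSWF\("),
    "kaspersky_keyboard_probe": re.compile(r"Kaspersky\.IeVirtualKeyboardPlugin"),
    "av_driver_probe": re.compile(
        r"\b(?:kl1|tmactmon|tmcomm|tmevtmgr|TMEBC32|tmeext|tmnciesc|tmtdi)\.sys\b", re.I),
    "web_debugger_probe": re.compile(r"\bFiddler\b"),
}


def fingerprint_indicators(js):
    """Count matches of each indicator in a script; categories with no hit are omitted."""
    hits = {}
    for name, pattern in INDICATORS.items():
        n = len(pattern.findall(js))
        if n:
            hits[name] = n
    return hits


def looks_like_kit_landing(js, min_categories=2):
    """A single probe is common on ordinary pages (sites embed Flash with
    swfobject too); several different probe categories in one script are the signal."""
    return len(fingerprint_indicators(js)) >= min_categories


# Constructed sample combining the probes the article quotes (not kit code).
SUSPICIOUS_JS = r'''
var jv = PluginDetect.GetVersion("Java"), fv = PluginDetect.GetVersion("Flash");
try { new ActiveXObject("AgControl.AgControl"); sl = 1; } catch (e) {}
try { var O = $("Kaspersky.IeVirtualKeyboardPlugin.JavaScriptApi.1"); O && (mr = 1); } catch (s) {}
var drv = ["c:\\Windows\\System32\\drivers\\kl1.sys", "c:\\Windows\\System32\\drivers\\tmtdi.sys"];
'''

# Constructed benign sample: an ordinary page embedding a Flash movie.
BENIGN_JS = 'swfobject.embedSWF("player.swf", "video", "640", "480", "9.0.0");'


if __name__ == "__main__":
    print(fingerprint_indicators(SUSPICIOUS_JS))
    print(looks_like_kit_landing(SUSPICIOUS_JS), looks_like_kit_landing(BENIGN_JS))  # True False
```

Because the kits obfuscate these strings in later versions, run the scorer over the decoded stage rather than the raw landing page.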

Conclusion

Captain Obvious from his prompter's box tells me that, as time goes on, vulnerabilities and exploit packs are not getting fewer. Therefore, to summarize, we can draw several conclusions:

  • the authors of most exploit packs have moved from direct sales to rental on their own servers, and they often provide a full range of services, from cleaning to constant domain name changes and antivirus detection checks;
  • almost all exploit packs have begun to actively exploit Java and Silverlight vulnerabilities;
  • many exploit packs have acquired functions for recognizing the presence of virtual machines, antiviruses and various hacking utilities;
  • the vulnerability CVE-2013-2551 is very popular and is used in all the exploit kits in our review.

WWW

Recently the RIG Exploit Kit source code was leaked into free access. You can read about this

Information for those who do not quite understand what an exploit is.
What is an exploit?
The "official" definition can be read in computer encyclopedias. I like this one: "Depending on the purpose, a program, piece of code, or script that allows you to take advantage of an existing vulnerability in software for anything that is software controlled." In a sense, a hammer against a smartphone is also a technical exploit, acting with a primitive goal: to destroy the device. Let's consider the essence, principle of application and role of an exploit in hacking a system. We also consider where to get an exploit, whether it makes sense to download or buy one, and why a confirmed exploit may not work.

  • What are exploits
  • What kind of exploits are there?
  • A little about vulnerabilities
  • The role of an exploit in an attack on a system
  • Example of a successful exploit
  • Exploit databases
  • Problems with the exploit
Where does the exploit come from? Those who like specifics can skip this part.
The simplest explanation is the "relationship" between a person and a virus. A biological one. In our body, everything is thought out to the smallest detail; however, when faced with microcode from the outside, it breaks down, temporarily or forever. A vulnerability is simply the failure of a mechanism (including software) to respond adequately to some action from outside while maintaining the characteristics and functionality inherent in it (the mechanism). And an exploit is called an exploit only if it allows you to profit from the vulnerability. Don't take this as fiction; it's important to understand right away.
A little about vulnerabilities.
Metasploit modules contain exploits and target vulnerabilities. It is customary for pentesters to formalize the methods by which these vulnerabilities are grouped. Thus an ever-expanding vocabulary was created: Common Vulnerabilities and Exposures (CVE). So remember: you will come across the abbreviation CVE more than once. The generally accepted form is written in the following format:
CVE-ISSUE_YEAR-ASSIGNED_ID
For example:
CVE-2008-4250
If you want to take a look at the full bulletin list right now, go here:

In fact, there are many more vulnerabilities that can reveal the owner's secrets than the official list in this bulletin. Yes, to get into this dictionary, a vulnerability has to "earn" its place. And of course there is no specific organization that officially deals with this. It all depends on what the future exploit will be aimed at: there is no vulnerability without an exploit. But in any case, almost all roads lead to the Exploit Database and the resource mentioned above.
A separate line is taken by security issues in Microsoft products. They form a separate list called the Microsoft Security Bulletin. Its vulnerabilities are usually grouped like this:
MSYY-XXX
where YY is the year of discovery and XXX is the assigned ID.
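The two identifier formats just described appear in several spellings in practice (spaces or en dashes instead of hyphens, Metasploit module names like ms08_067). This added normalizer, not part of the article, extracts and canonicalizes both forms and filters by year, since the text's point is that long-patched vulnerabilities matter little; the sample text is constructed from spellings that occur on this page.

```python
import re

# Spellings seen in the wild: "CVE-2015-0311", "CVE 2015-0311",
# "CVE 2012–1723" (en dash), and Metasploit-style "ms08_067".
CVE_RE = re.compile(r"\bCVE[ \-\u2013]+(\d{4})[ \-\u2013]+(\d{4,})(?!\d)", re.I)
MS_RE = re.compile(r"\bMS(\d{2})[\-_\u2013](\d{3})(?!\d)", re.I)


def extract_cves(text):
    """Canonical, de-duplicated CVE-YYYY-NNNN identifiers, sorted."""
    return sorted({f"CVE-{year}-{num}" for year, num in CVE_RE.findall(text)})


def extract_ms_bulletins(text):
    """Canonical MSyy-xxx bulletin identifiers, sorted."""
    return sorted({f"MS{yy}-{xxx}" for yy, xxx in MS_RE.findall(text)})


def cve_year(cve_id):
    """Year field of a canonical identifier."""
    return int(cve_id.split("-")[1])


def no_older_than(cve_ids, year):
    """Keep only identifiers issued in `year` or later."""
    return [c for c in cve_ids if cve_year(c) >= year]


# Constructed text using the spellings that occur in the article.
SAMPLE = ("Angler: CVE 2015-0311 and CVE 2015-0310. Neutrino: CVE 2012\u20131723 and "
          "CVE 2013\u20130431. Fiesta started with CVE-2007-5659. "
          "Metasploit module exploit/windows/smb/ms08_067_netapi covers MS08-067.")


if __name__ == "__main__":
    print(extract_cves(SAMPLE))
    print(extract_ms_bulletins(SAMPLE))           # ['MS08-067']
    print(no_older_than(extract_cves(SAMPLE), 2013))
```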

Let's get back to the hackers. What types of exploits are there?
Conventionally, they can all be sorted into three groups:
  • service exploit
  • client exploit
  • privilege exploit
A service exploit attacks some service that, for example, listens for network connections. The service's job is to collect network packets and wait for the user to initiate a connection to the network (launch a browser). A hacker can do the same, crafting his own packets for this service and causing the service to start fully, which (without the user's knowledge) will get onto the network.
A client exploit, also known as a client-side exploit, is focused on attacking a client application that receives some content from a server computer. It relies on the victim carrying out some action, and the client program must actively work with this content. Simply put, my job as a hacker is to get you to click on a link, open a document, and get to a malicious site.
A privilege exploit. Its task is to extend the rights already present in the system; for example, to get administrator rights from a guest account. And from there it's not far to SYSTEM... For example, in Windows XP there is a vulnerability where with simple movements you can . Moreover, the vulnerability lay on the surface. Don't be lazy and take a look at the article; explanations will become unnecessary.
The exploitation process and its role in an attack on a computer.

Gradually we are getting closer to the principle of how a system compromise works. Each of these stages is a very complex process that requires a multi-volume manual. But schematically it can be shown like this:

  • a potentially vulnerable system is scanned for open ports and running services
  • the points that can be struck are identified
  • an exploit for a known vulnerability is sent to this point or these points on the remote computer
  • a payload is attached to the exploit (it will allow controlling the victim's system)
  • if the exploit works (it is launched first) and the victim's system responds, the payload is launched; based on the results of the payload code's execution, the hacker gains access to the victim's computer
What does it look like in practice, or how to work with an exploit?
For example, we use Kali Linux as the host OS and Windows XP (the exploit is ancient; starting with Windows XP SP2 it already does this less willingly) as the guest OS in VirtualBox. We, of course, know what characteristics the guest machine on the (in our case virtual) network has, but let the Nmap scanner do its job. Let's obtain "official information" about the victim:
  • nmap -v -n 192.168.0.162
where 192.168.0.162 is the victim's IP address. If you are familiar with , then you understand that the flags:
  • -v produces a detailed report about the address
  • -n disables reverse DNS lookups

We see which ports are open and which services are running on them.
Let's scan the system further to get detailed information about the operating system and service versions. The command takes the form (the order of the flags in the command is arbitrary):

nmap -T4 -A -v 192.168.0.162


There is plenty of information. We choose the place to strike.
A whole bunch of ports are open, which are potential backdoors into the enemy's system.
Let it be one of the open ports, 135, with the msrpc service running (aka Microsoft Windows RPC, the system's remote procedure call service). All we have to do is select the appropriate exploit for the specific process.
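The scanning step that opens the attack scheme above, and the Nmap run just shown, have a defender's counterpart: one source touching many ports of one host in a short time. This added detector (not part of the article) runs over a constructed connection log in which 192.168.0.10 sweeps 40 ports of the article's 192.168.0.162 address while a second host only talks to port 445.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed connection log, "<ISO time> <src> -> <dst>:<dport> <flag>".
# 192.168.0.10 sweeps 40 ports of 192.168.0.162 within two seconds, the way an
# nmap run shows up on the target side; 192.168.0.20 only uses file sharing.
SCAN_LINES = [
    f"2015-02-10T12:00:{i // 20:02d} 192.168.0.10 -> 192.168.0.162:{port} SYN"
    for i, port in enumerate([21, 22, 23, 25, 53, 80, 110, 111, 135, 139, 143,
                              443, 445, 993, 995, 1025, 1433, 3306, 3389, 5900]
                             + list(range(8000, 8020)))
]
OTHER_LINES = [
    "2015-02-10T12:05:00 192.168.0.20 -> 192.168.0.162:445 SYN",
    "2015-02-10T12:05:10 192.168.0.20 -> 192.168.0.162:445 SYN",
]
CONN_LOG = "\n".join(SCAN_LINES + OTHER_LINES)


def parse_conn_log(text):
    """Return (timestamp, src, dst, dport) tuples from the log text."""
    events = []
    for line in text.splitlines():
        ts, src, _arrow, dst_port, _flag = line.split()
        dst, port = dst_port.rsplit(":", 1)
        events.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return events


def port_sweeps(events, window=timedelta(seconds=60), threshold=15):
    """Return {(src, dst): distinct ports} for pairs where one source touched at
    least `threshold` different ports of one host inside `window`."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in events:
        by_pair[(src, dst)].append((ts, port))

    flagged = {}
    for pair, hits in by_pair.items():
        hits.sort()
        for i, (start, _port) in enumerate(hits):
            ports = {p for ts, p in hits[i:] if ts - start <= window}
            if len(ports) >= threshold:
                flagged[pair] = len(ports)
                break
    return flagged


if __name__ == "__main__":
    print(port_sweeps(parse_conn_log(CONN_LOG)))   # {('192.168.0.10', '192.168.0.162'): 40}
```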
Exploit Database. A couple of seconds of theory.
If you are currently sitting in Kali, the database is at your fingertips. All you need is a network connection and a running msfconsole (aka the Metasploit toolkit). A constantly updated database of exploits, which you can see right now by launching the msfconsole console and typing the command show exploits, will display a list of exploits:


Displaying the list on screen won't tell you anything yet. The exploits are presented in alphabetical order with the date of publication, the assigned rank for applicability and reliability of operation, and a short explanation of what they are aimed at.
A kind of mirror of the database is a famous resource
It is entirely dedicated to exploits as well. Here you can (armed with a dictionary) get acquainted with the history of an exploit in more detail, download it directly (if you want to compose your own exploit, more on that later), and read the information about the exploit. In general, all the relish is located here. But there's something else.
Another decent resource where you can find something interesting is:
ru.0day.today/
A multilingual resource that offers not only well-known (read: long-covered) exploits, but also the participants' own versions. For money. Visit and check it out: the Russian language is also supported there.
Let's continue. We are looking for a suitable exploit.
Metasploit is directly connected to the exploit database, so you don't have to remember the steps you see: the good thing about Metasploit is that its steps are automated (which, however, is not always good). The article is about the exploit, and we will use only it, i.e. manually. Let's find it, download it, upload it. Why manually? More on this in the Exploit Problems paragraph.
How to find the exploit you are interested in?
If you are interested in an exploit that can be used against a specific platform or program, you don't have to scroll through the list of more than one and a half thousand exploits displayed by the command
show exploits
Instead, you can type a command like this in an open Metasploit session:
search name:smb type:exploit platform:windows
Metasploit will display only those exploits that work on Windows. Next, if you are interested in browser exploits on Windows, add a name to the command. See:
msf > search name:browser type:exploit platform:windows


In addition, in Kali Linux you can search for exploits directly from the terminal without running a Metasploit session. Type the exploit search command in the format:
searchsploit internet explorer
The terminal will return all available exploits in the database, which is updated weekly.
Let's continue...
So, we know the service, we see the OS type. So in the database we type (Search button after entering the request):
windows rpc
Before searching, we pass the robot check and look at the results:


Here's ours. We click on the link, go to the following Download link, and it lands on our computer as the file 66.c.
I REPEAT. Everything that was done above can be done faster. With Metasploit running, type the command to search for an exploit from your Kali:



However, it is not uncommon for a suitable exploit not to be found in the Metasploit database. So, once you become more familiar with how exploits work, you can afford to devote more time to finding and configuring the right exploit. In our case, we will prepare the downloaded exploit for manual injection. In the terminal we convert it to a binary file (I previously dragged 66.c from Downloads to Desktop):
gcc 66.c -o 66
Now there are two of them:


And I push the exploit binary straight at the XP victim:
./66 6 192.168.0.162


The system responded. Scientifically, this is called a successful system compromise. In fact, this computer is already in the hacker's hands. The hacker sees it as if he were sitting at the computer; he can control the system using console commands. Now let's see how the Metasploit-controlled exploit is used. We have already "rung" the victim's ports with Nmap. As you noticed, among others, port 445 is also open, with the microsoft-ds service. In the Metasploit window, select the appropriate exploit:
exploit/windows/smb/ms08_067_netapi
exploit
The computer no longer belongs to the owner.

Exploit problems, or a paragraph for those who like things "ready-made".
This part deserves a separate topic. But a paragraph is enough. What awaits a pentester on the way to using an exploit? I'll explain in simple terms (professionals, forgive me):

  • The first problem is the aging of the vulnerability, for which developers almost immediately release a patch. Yes, the vast majority of exploits, as they exist, are not worthy of your attention. They are useless: security updates cover them up. So there are few options: we use 0day (zero-day) exploits, if we can find and apply them; or we turn on our heads and work on our own. Hence problem number one: we have to learn on operating systems and programs of previous generations. The reason is simple: the developers have given up on support (Windows XP is a typical example) and do not respond to emerging vulnerabilities even with official notification (not forgetting, however, to check whether this vulnerability will appear in current versions of programs or OSes).
  • The second problem (it follows from the first): if a vulnerability is published and there is an exploit for it, dozens of specialists are already working to make sure the vulnerability becomes a thing of the past. They get paid. And the people who look for vulnerabilities want to be paid too. So don't rely on a well-trodden vulnerability: the beauty lies where the path is less traveled. If something you need appears but you don't have the intelligence or experience, you sometimes have to pay for it (with the risk of being left without results and without money). And it's not always the fault of the vulnerability pioneer and exploit writer. If only because there is a third problem...
  • The technical aspects of using an exploit: WHAT WORKED in the English locale of Windows will MOST LIKELY NOT WORK in the Russian one. An exploit written for American Windows versions justifiably will not work on the Russian system. The result of applying it may be unexpected, from a silent Metasploit error such as "Exploit seems to be failed" to a service failure on the victim's side that puts it on alert.

At the development stage, protection mechanisms against hackers are built into all programs and networks, like locks that prevent unauthorized attacks from outside. A vulnerability is like an open window that an attacker will have no trouble getting through. In the case of a computer or network, attackers can install malware by taking advantage of a vulnerability in order to gain control or infect the system for their own selfish purposes, with the corresponding consequences. Most often, all this happens without the user's knowledge.

How do exploits occur?

Exploits arise from errors in the software development process, as a result of which vulnerabilities appear in the program's protection system; cybercriminals successfully use them to gain unlimited access to the program itself and, through it, to the entire computer. Exploits are classified according to the type of vulnerability used by the hacker: zero-day, DoS, spoofing or XSS. Of course, program developers will soon release security updates to eliminate the defects found, but until then the program remains vulnerable to attackers.

How to recognize an exploit?

Since exploits use holes in software security mechanisms, the average user has virtually no chance of detecting their presence. This is why it is extremely important to keep installed programs updated, and especially to promptly install the security updates released by program developers. If a software developer releases a security update to fix a known vulnerability in their software but the user does not install it, then, unfortunately, the program will not receive the necessary latest virus definitions.

How to fix the exploit?

Since exploits are the consequence of bugs, eliminating them is the direct responsibility of the developers, so it will be the authors who have to prepare and distribute bug fixes. However, the responsibility for keeping installed programs updated and installing update packages in a timely manner, so that hackers cannot take advantage of vulnerabilities, rests entirely with the program's user. One possible way not to miss the latest updates is to use an application manager that makes sure all installed programs are updated, or, even better, a tool that automatically finds and installs updates.

How to stop hackers from exploiting vulnerabilities in third-party programs
  • Make sure you have the latest security updates and patches for all programs
  • To stay safe online and up to date, install all updates as soon as they are released
  • Install and use a premium antivirus that can automatically update installed programs
Protect yourself from exploits

Rely on common sense and follow the basic rules of safe work on the Internet. Hackers can only exploit a vulnerability if they manage to gain access to your PC. Do not open attachments in suspicious messages and do not download files from unknown sources. Keep your installed programs up to date and install security updates promptly. If you want to make this task as easy as possible, download Avast antivirus, which will not only provide reliable protection against all types of malware but will also help install the latest updates for third-party programs.