Hacker Space

Post on 08-Jun-2015

MS Windows - Kill Bill

Transcript of Hacker Space

MS Windows – KILL BILL

Prathan Phongthiproek
ACIS Professional Center
Senior Information Security Consultant
March 20th, 2010

Who am I?

Instructor / Speaker
Red Team: Penetration Tester (Team Leader)
Security Consultant / Researcher
CWH Underground: Exploits and Vulnerabilities Disclosure
Milw0rm, Exploit-db, Security Focus, Secunia, Zeroday, etc.

Overview

Remote Attacks on the MS Windows OS

The Message From Slave to God

MS Office Evil

Internet Explorer Pwn2Own

USB Autorun Attack

Local Buffer Overflow

Microsoft Windows SUCKS!!

Why does MS Windows SUCK???

NetBIOS Null Sessions -> The Holy Grail of Windows Hacking

See the movie "Pirates of Silicon Valley"

Remote Microsoft Windows Vulnerabilities !!

Buffer Overrun In RPC Interface (MS03-026)

Buffer Overrun In RPCSS Service (MS03-039)

Vulnerability in LSASS service (MS04-011)

Vulnerability in Plug and Play (MS05-039)

Vulnerability in Server Service (MS06-040)

Vulnerability in Server Service Relative Path Corruption (MS08-067)

Vulnerability in SMBv2 Command Value (MS09-050)

DoS exploits not included

MS Windows RPC Vulnerability MS08-067

"PoCs work against Windows XP SP2, Windows XP SP3 and Windows 2003 Server SP2 machines"

MS Windows SMB2 Vulnerability MS09-050

"PoCs work against Windows Vista SP1/2, Windows 2008 SP1/2 (not R2) and Windows 7 (RC) machines"

MS Windows – Defensive

Gaining Access without Exploit

Exploit MS Vista (MS09-050)

The Message From Slave to God

Get The Hell Outta Here!!

KiTrap0D – Local Ring0 Kernel Exploit

MS Windows NT #GP Trap Handler Allows Users to Switch Kernel Stack

An error exists within the #GP trap handler (nt!KiTrap0D)

An error exists within the Windows kernel, which does not correctly reset a pointer when freeing memory

Affects every release of the Windows NT kernel (Windows 2000, XP, Server 2003, Vista, Server 2008, 7)

Not affected: Windows 7 (64-bit), Windows Server 2008 (64-bit, Itanium); the 64-bit kernels have no NTVDM (16-bit) subsystem, which is the path through which the #GP handler bug is reached

Patch released as MS10-015 on Feb 09, 2010

0-day for 1 month. W00t! W00t!

Token Kidnapping – Elevate Privilege

Tokens are like web cookies (a user's credentials are left on the box when they RDP in or map a network drive)

On Windows XP / 2003 – Windows services run as the SYSTEM account: compromise of a service == full system compromise

On Windows Vista / 2008 – LocalService / NetworkService == SYSTEM (token kidnapping lets those service accounts elevate)

Affects every release of the Windows NT kernel (Windows 2000, XP, Server 2003, Vista, Server 2008, 7)

Patch released as MS09-012 on April 14, 2009

0-day for 1 year. W00t! W00t!

Black hat mind!! Combine the attacks: Layer 8 (the user) + KiTrap0D + Token Kidnapping

MS Office (Evil Macro)

MS Office is Evil!!

Internet Explorer Pwn2Own

Internet Explorer Pwn2Own - ActiveX

USB Autorun Attack

AutoPlay is NOT Autorun (AutoPlay is the prompt Windows shows when media is inserted; Autorun is Explorer honouring the autorun.inf on the drive)

Turning off AutoPlay -> still vulnerable to an evil USB

\HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

0xff
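The deck's two points here, that turning off AutoPlay does not stop an evil USB and that the fix is the 0xff value under the Policies\Explorer key, as an added example in Python (this is not code from the slides or from the speaker). It decodes the Autorun drive-type bitmask and parses a constructed autorun.inf the way Explorer reads it, so you can see which commands the shell will still run when a user opens the drive with AutoPlay off. Assumptions not stated on the slide: the 0xff is the REG_DWORD named NoDriveTypeAutoRun under that key, the bit layout follows GetDriveType(), and the sample autorun.inf and its setup.exe are constructed placeholders.

```python
"""Added example: NoDriveTypeAutoRun bitmask decoder and autorun.inf parser.

Assumptions (not on the slide): the 0xff under
HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer is the
REG_DWORD NoDriveTypeAutoRun; bit N disables Autorun for GetDriveType() value N.
"""
import re

# One bit per GetDriveType() return value; a set bit disables Autorun for that type.
DRIVE_TYPE_BITS = {
    0x01: "DRIVE_UNKNOWN",
    0x02: "DRIVE_NO_ROOT_DIR",
    0x04: "DRIVE_REMOVABLE",  # USB sticks and floppies
    0x08: "DRIVE_FIXED",
    0x10: "DRIVE_REMOTE",
    0x20: "DRIVE_CDROM",
    0x40: "DRIVE_RAMDISK",
    0x80: "RESERVED",
}
DEFAULT_VALUE = 0x91  # value Windows XP/Vista/7 ship with: removable and CD-ROM still autorun
DISABLE_ALL = 0xFF    # the 0xff on the slide: Autorun off for every drive type


def decode_no_drive_type_autorun(value: int) -> dict:
    """Return {drive_type_name: autorun_allowed} for a NoDriveTypeAutoRun value."""
    return {name: not (value & bit) for bit, name in DRIVE_TYPE_BITS.items()}


def autorun_enabled_for_removable(value: int) -> bool:
    """True if a USB stick (DRIVE_REMOVABLE) may still trigger autorun.inf."""
    return not (value & 0x04)


def parse_autorun_inf(text: str) -> dict:
    """Pull out the keys Explorer acts on from the [autorun] section:
    open / shellexecute (run on AutoRun), shell (default verb),
    shell\\<verb>\\command (context menu and double-click), icon, label."""
    section = None
    result = {"open": None, "shellexecute": None, "icon": None, "label": None,
              "default_verb": None, "verbs": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, val = line.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key in ("open", "shellexecute", "icon", "label"):
            result[key] = val
        elif key == "shell":
            result["default_verb"] = val
        else:
            m = re.fullmatch(r"shell\\([^\\]+)\\command", key)
            if m:
                result["verbs"][m.group(1)] = val
    return result


def launch_targets(inf: dict) -> list:
    """Every command this autorun.inf can start: the AutoRun open/shellexecute
    lines, plus each shell verb command. The verb commands are what Explorer runs
    when the user double-clicks the drive or picks the verb from the context
    menu, which AutoPlay being switched off does nothing to prevent."""
    targets = [v for v in (inf["open"], inf["shellexecute"]) if v]
    targets += list(inf["verbs"].values())
    return targets


# Constructed sample of what an evil USB would carry; setup.exe is a placeholder.
SAMPLE_AUTORUN_INF = r"""; constructed sample, not a real payload
[autorun]
open=setup.exe
icon=setup.exe,0
label=Holiday Photos
shell=open
shell\open\command=setup.exe
shell\explore\command=setup.exe
"""

if __name__ == "__main__":
    for value in (DEFAULT_VALUE, DISABLE_ALL):
        allowed = [n for n, ok in decode_no_drive_type_autorun(value).items() if ok]
        print(f"NoDriveTypeAutoRun=0x{value:02x}: autorun still allowed for {allowed}")
    inf = parse_autorun_inf(SAMPLE_AUTORUN_INF)
    print("label shown to the user:", inf["label"])
    print("commands Explorer may run:", launch_targets(inf))
```

With the shipped 0x91, DRIVE_REMOVABLE and DRIVE_CDROM still autorun; 0xff clears them all, which is why the slide's value is the fix rather than the AutoPlay switch in Control Panel. When triaging a suspicious stick, the `verbs` dict is the part to look at: a legitimate installer disc rarely needs to redefine the `open` and `explore` verbs of the drive itself.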

Local Buffer Overflow

See you at Citec-Con 3… Q&A

THANK YOU