Javascript Exploitation

Exploit Kits – Exploitation via JS Rashid Feroz & Krishnendu Paul

Transcript of Javascript Exploitation

Page 1: Javascript Exploitation

Exploit Kits – Exploitation via JS

Rashid Feroz & Krishnendu Paul

Page 2: Javascript Exploitation

About us!

• Information security enthusiasts.

• Love to break into things!

• A college grad and an Industry veteran.

Page 3: Javascript Exploitation

What Are Exploit Kits?

• A toolkit that automates the exploitation of client-side vulnerabilities.

• Usually targets browsers and programs that a website can invoke through the browser.

• The attacker doesn’t need to know how to create exploits to benefit from infecting systems.

• It provides a user-friendly web interface that helps the attacker track the infection campaign.

Page 4: Javascript Exploitation

Famous Exploit Kits

• Blackhole

• FlashPack

• Magnitude

• Rig

• Nuclear

• Angler

• Sweet Orange

• Neutrino

Page 5: Javascript Exploitation

Exploit Kit distribution

Page 6: Javascript Exploitation

Most commonly used vulnerable 3rd party software

• Oracle Java Runtime environment

• Adobe Acrobat Reader

• Adobe Flash Player / Plugin

• Apple Quicktime

Page 7: Javascript Exploitation
Page 8: Javascript Exploitation

From sale to infection

• The buyer would license a copy of a kit from the creator.

• The victim opens a spam email link or loads an infected web page.

• The page contains JavaScript that determines vulnerabilities of the victim’s computer and notifies the kit user of what files the victim’s computer held.

• If the kit found a usable exploit, the malicious payload would be loaded onto the victim's computer.

Page 9: Javascript Exploitation

Phases

• Compromised site

• Redirector

• Landing page

• Post-infection traffic

Page 10: Javascript Exploitation

Compromised sites

• LFI in the RevSlider plugin for WordPress

– http://[compromised.com]/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php

• XSS in the Simple Security WordPress plugin

– http://[compromised.com]/wp-admin/users.php?page=access_log&datefilter=%27%22%3E%3Cscript%3Ealert%28/HACKED/%29;%3C/script%3E

• Drupal SQL injection

• CDN reference compromise (e.g. Operation Poisoned Helmand)

• Iframe injectors
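As an added example (not part of the talk), a small detector for the two WordPress plugin attack patterns listed above, run over constructed web-server access-log lines; the client addresses, timestamps and file names in the sample are placeholders.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (not from the talk); addresses and
# timestamps are placeholders. Lines 1 and 3 carry the attack patterns,
# lines 2 and 4 are benign uses of the same plugin endpoints.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2015:13:55:36 +0000] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2015:13:56:01 +0000] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=uploads/banner.jpg HTTP/1.1" 200 9031
198.51.100.9 - - [10/Oct/2015:13:57:12 +0000] "GET /wp-admin/users.php?page=access_log&datefilter=%27%22%3E%3Cscript%3Ealert%28/HACKED/%29;%3C/script%3E HTTP/1.1" 200 2048
198.51.100.9 - - [10/Oct/2015:13:58:40 +0000] "GET /wp-admin/users.php?page=access_log&datefilter=2015-10 HTTP/1.1" 200 2048
"""

# Common log format: client, identd, user, [timestamp], "METHOD url PROTO", status
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)
# Script injection markers to look for inside a parameter value
SCRIPT_RE = re.compile(r'<\s*script|javascript:|on\w+\s*=', re.IGNORECASE)


def classify_request(url):
    """Return a finding label for one request URL, or None if it looks benign."""
    parts = urlsplit(url)
    params = parse_qs(parts.query, keep_blank_values=True)  # already URL-decoded once
    path = parts.path
    if path.endswith("/wp-admin/admin-ajax.php") and "revslider_show_image" in params.get("action", []):
        # RevSlider image handler: traversal or a PHP target means file disclosure
        for img in params.get("img", []):
            decoded = unquote(img)  # second decode catches double-encoded traversal
            if "../" in decoded or decoded.lower().endswith(".php"):
                return "revslider-lfi"
    if path.endswith("/wp-admin/users.php") and "access_log" in params.get("page", []):
        for value in params.get("datefilter", []):
            if SCRIPT_RE.search(unquote(value)):
                return "simple-security-xss"
    return None


def scan_log(text):
    """Parse each log line and collect (client, label, url) for flagged requests."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        label = classify_request(m.group("url"))
        if label:
            findings.append((m.group("ip"), label, m.group("url")))
    return findings


if __name__ == "__main__":
    for ip, label, url in scan_log(SAMPLE_LOG):
        print(f"{label:22} {ip:14} {url}")
```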

Page 11: Javascript Exploitation

Demo time

Page 12: Javascript Exploitation

Demo

• BeEF framework (JS hook)

• Payload delivery via social engineering

• Antivirus evasion (FUD)

• Get a Meterpreter shell back

Page 13: Javascript Exploitation

Virus scan results

Page 14: Javascript Exploitation

How to stay safe?

• Stay up to date with security patches on your desktop machine.

• There are several specialized tools which identify vulnerabilities in systems, install patches, and validate those patches. Use a 3rd party utility or software to constantly update your system.

• Make sure that your browser, operating system, and browser plugins are all up to date.

• Install a good host-based intrusion prevention system (HIPS) to monitor for suspicious activity on your computer.

Page 15: Javascript Exploitation

References

• https://heimdalsecurity.com/blog/nuclear-exploit-kit-flash-player/

• http://www.slideshare.net/SafeBytesSoftware/exploit-kits-and-your-computers-vulnerability

• https://heimdalsecurity.com/blog/exploit-kits-service-automation-changing-face-cyber-crime/

Page 16: Javascript Exploitation

Thanks