Export reassembled content
wireshark | 2017. 12. 16. 15:48
How to extract the content that Wireshark has reassembled and dissected from the packets:
1. In Wireshark: File -> Export Packet Dissections -> As Plain Text [option: Packet details: All expanded]
2. With tshark: tshark.exe -r [input pcap file] -V
https://webbreacher.com/2017/09/02/dark-web-report-torghost-eyewitness-goodness/
http://meetup.toast.com/posts/103
## As of 170327
* Dump the graph search result list
auto-scroll,
id path (xpath): .//*[@class='_3u1 _gli _5und']
* Dump a group's member list (public groups)
url: https://www.facebook.com/groups/[fb id]/members
The list only expands after clicking [see more]
-> path to [see more] (jquery): $("div[data-name='GroupProfileGrid']").children("div").children("div").children("a")
id path (xpath): .//*[@class='fsl fwb fcb']
## As of 170502
* Dump the graph search result list
auto-scroll,
id path (xpath): .//*[contains(@class, '_3u1') and contains(@class ,'_gli')]
http://www.itworld.co.kr/print/99250
http://wizblogger.com/get-fake-mobile-numbers-to-bypass-verification/
This policy setting lets you configure the CNG encryption algorithm that is used.
If you enable this policy setting, the algorithm you specify is used, provided it is a supported algorithm.
If you disable or do not configure this policy setting, AES is used.
Registry Hive | HKEY_CURRENT_USER |
Registry Path | software\policies\microsoft\office\15.0\access\security\crypto |
Value Name | cipheralgorithm |
Value Type | REG_SZ |
Source: http://winintro.com/?Category=Office2013&Policy=access15.Office.Microsoft.Policies.Windows::L_SetCNGCipherAlgorithm&Language=ko-kr
http://m.blog.naver.com/tdon/70130438958
NodeXL is great - http://nodexl.codeplex.com/
Preparation
OllyDbg plugin OllyDump.dll
Change the OllyDbg settings
- Debugging options - Exceptions - check "Ignore memory access violation"
Follow this guide:
https://tuts4you.com/download.php?view.2866
; Register XXXXXX.cer from the script's working directory in the local machine's Trusted Root Certification Authorities store,
; running certmgr.exe as the local administrator account (the domain argument is the local computer name; supply the real password).
RunAs("administrator", @ComputerName, "password", 0, 'certmgr.exe /add "' & @WorkingDir & '\XXXXXX.cer" -c -s -r localMachine Root')
rpm -qa|grep bash
# CVE-2014-6271 (the original Shellshock): an unpatched bash prints "vulnerable" before "this is a test"
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
# CVE-2014-7169 (bypass of the first fix): on a vulnerable bash a file named "echo" containing the date is created
env x='() { (a)=>\' bash -c "echo date"; cat echo ; rm -f echo
# CVE-2014-7186: here-document redirect stack overflow; a vulnerable bash crashes on this line
bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' || echo "CVE-2014-7186 vulnerable, redir_stack"
# CVE-2014-7187: 200 nested for-loops overflow word_lineno; a vulnerable bash fails to parse them
(for x in {1..200} ; do echo "for x$x in ; do :"; done; for x in {1..200} ; do echo done ; done) | bash || echo "CVE-2014-7187 vulnerable, word_lineno"
# Post-patch sanity check: a patched bash answers "bash: foo: command not found" instead of "not patched"
foo='() { echo not patched; }' bash -c foo
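Added example, not from the original post: the one-liners above wrapped as shell functions with a machine-readable result (return 0 when the bash under test is vulnerable to that CVE, 1 when it is patched, 2 when no bash binary is found), so the same checks can run unattended from a fleet audit script. The only assumption is that the bash to test is the one on PATH; override it with BASH_BIN=/path/to/bash.

```shell
#!/bin/sh
# Added example: Shellshock checks as functions.
#   return 0 -> VULNERABLE to that CVE
#   return 1 -> not vulnerable (patched)
#   return 2 -> could not test (bash binary not found)
# Assumption: the bash to test is the one on PATH (override with BASH_BIN).

BASH_BIN="${BASH_BIN:-bash}"

have_bash() { command -v "$BASH_BIN" >/dev/null 2>&1; }

# CVE-2014-6271: a trailing command after an exported function body runs at startup.
shellshock_6271() {
    have_bash || return 2
    out=$(env x='() { :;}; echo vulnerable' "$BASH_BIN" -c "echo this is a test" 2>/dev/null)
    case "$out" in
        *vulnerable*) return 0 ;;
        *)            return 1 ;;
    esac
}

# CVE-2014-7169: parser state leaks out of the function definition, so the
# following 'echo date' is taken as a redirection and a file named 'echo' appears.
shellshock_7169() {
    have_bash || return 2
    tmp=$(mktemp -d) || return 2
    ( cd "$tmp" && env x='() { (a)=>\' "$BASH_BIN" -c "echo date" >/dev/null 2>&1 )
    if [ -f "$tmp/echo" ]; then rc=0; else rc=1; fi
    rm -rf "$tmp"
    return $rc
}

# CVE-2014-7186: fourteen here-documents overflow redir_stack; a vulnerable bash crashes.
shellshock_7186() {
    have_bash || return 2
    "$BASH_BIN" -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' \
        >/dev/null 2>&1 && return 1
    return 0
}

# CVE-2014-7187: 200 nested for-loops overflow word_lineno; a vulnerable bash fails to parse them.
shellshock_7187() {
    have_bash || return 2
    {
        i=1; while [ "$i" -le 200 ]; do echo "for x$i in ; do :"; i=$((i + 1)); done
        i=1; while [ "$i" -le 200 ]; do echo done; i=$((i + 1)); done
    } | "$BASH_BIN" >/dev/null 2>&1 && return 1
    return 0
}

# One line per check; the return value is the number of vulnerable checks (0 = clean).
shellshock_report() {
    vulnerable=0
    for cve in 6271 7169 7186 7187; do
        "shellshock_$cve"
        case $? in
            0) echo "CVE-2014-$cve: VULNERABLE"; vulnerable=$((vulnerable + 1)) ;;
            1) echo "CVE-2014-$cve: not vulnerable" ;;
            *) echo "CVE-2014-$cve: skipped ($BASH_BIN not found)" ;;
        esac
    done
    return $vulnerable
}

shellshock_report
```

The script is written for plain /bin/sh so it can be pushed to hosts whose bash is the thing under suspicion; only the probes themselves invoke the bash being tested.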
http://svrstudy.tistory.com/
http://icerainbow.tistory.com/
#!/usr/bin/env python3
import sys
import smtplib
from email.mime.text import MIMEText

sender = 'sdfsdfsdf@gmail.com'
recipients = 'sdfsdfsdf@gmail.com'

if len(sys.argv) < 2:
    sys.exit("usage: %s <alert text>" % sys.argv[0])
text = sys.argv[1]  # the alert text is passed as the first argument
msg = MIMEText(text)
msg['Subject'] = '[Alert]'
msg['From'] = sender
msg['To'] = recipients

smtpserver = 'smtp.gmail.com'
smtpuser = 'asdfasft'  # set SMTP username here
smtppass = 'asfdasdf'  # set SMTP password here

session = smtplib.SMTP(smtpserver, 587)
session.ehlo()
session.starttls()  # upgrade to TLS before the credentials go over the wire
session.ehlo()
session.login(smtpuser, smtppass)
# sendmail() returns a dict of recipients the server refused; empty means all were accepted
smtpresult = session.sendmail(sender, [recipients], msg.as_string())
if smtpresult:
    errstr = ""
    for recip in smtpresult.keys():
        errstr = """Could not deliver mail to: %s
Server said: %s
%s
%s""" % (recip, smtpresult[recip][0], smtpresult[recip][1], errstr)
    raise smtplib.SMTPException(errstr)
session.quit()
If the pvefindaddr script throws an error in Immunity Debugger, check the letter case.
Changing Log to log, Search to search and Assemble to assemble in pvefindaddr.py fixes it.
Explains the exploitation techniques that apply when there is a BOF vulnerability but the data is written in Unicode form.
http://www.manzotti.eu/tutorial-write-an-exploit-part-4-unicode
Source:
ftp://ftp.oreilly.de/pub/examples/english_examples/9780735622142/cd_contents/MiniFuzz/LaunchExe.cpp
http://blog.naver.com/PostView.nhn?blogId=hks9999&logNo=30105498369
#include "stdafx.h"
#include "fuzz.h"
#include "log.h"

using namespace std;

// How long should the app run for us to consider the test a success (1.2secs)
const DWORD MAX_EXE_RUNTIME_MS = 1200;

// log interesting info if we get a debug event back from the debugged app
bool ReportFailure(DEBUG_EVENT *pdbg, const char *szFilename) {
    HANDLE hThread = OpenThread(THREAD_ALL_ACCESS, FALSE, pdbg->dwThreadId);
    if (!hThread) {
        Log("OpenThread failed");
        return false;
    }

    string sExc;
    switch (pdbg->u.Exception.ExceptionRecord.ExceptionCode) {
        case EXCEPTION_ACCESS_VIOLATION:      sExc = "Access Violation"; break;
        case EXCEPTION_STACK_OVERFLOW:        sExc = "Stack Overflow"; break;
        case EXCEPTION_DATATYPE_MISALIGNMENT: sExc = "Datatype misalignment"; break;
        case EXCEPTION_ARRAY_BOUNDS_EXCEEDED: sExc = "Array Bounds Exceeded"; break;
        case EXCEPTION_FLT_DIVIDE_BY_ZERO:    sExc = "Float Div/0"; break;
        case EXCEPTION_INT_DIVIDE_BY_ZERO:    sExc = "Int Div/0"; break;
        case EXCEPTION_ILLEGAL_INSTRUCTION:   sExc = "Illegal Instruction"; break;
        case EXCEPTION_IN_PAGE_ERROR:         sExc = "In-page error"; break;
        case EXCEPTION_PRIV_INSTRUCTION:      sExc = "Privileged Instruction"; break;
        default:                              sExc = "Unknown"; break;
    }

    CONTEXT ctx;
    memset(&ctx, 0, sizeof(CONTEXT));
    ctx.ContextFlags = CONTEXT_ALL;
    BOOL fGotCtx = GetThreadContext(hThread, &ctx);
    CloseHandle(hThread);   // the OpenThread handle must be closed on every path or it leaks
    if (!fGotCtx) {
        Log("GetThreadContext failed");
        return false;
    }

    ReportFuzzError(szFilename, sExc, ctx);
    return true;
}

// spawn the exe to fuzz
bool LaunchFile(const char *szDir, const char *szExe, const char *szFilename, bool *pfDeleteTempFile) {
    // every argument is required (the original mixed && and || here without parentheses)
    if (pfDeleteTempFile == NULL || szDir == NULL || szExe == NULL || szFilename == NULL) {
        Log("Invalid args to LaunchFile");
        return false;
    }

    *pfDeleteTempFile = false;
    bool fError = false;

    PROCESS_INFORMATION pi;
    STARTUPINFO si;
    memset(&pi, 0, sizeof(PROCESS_INFORMATION));
    memset(&si, 0, sizeof(STARTUPINFO));
    si.cb = sizeof(STARTUPINFO);

    // build up the cmd-line
    string sExe(szExe);
    sExe.append(" ");
    sExe.append(szFilename);

    BOOL fRet = CreateProcess(NULL,
                              const_cast<LPSTR>(sExe.c_str()),
                              NULL, NULL,
                              FALSE,
                              DEBUG_ONLY_THIS_PROCESS,
                              NULL, NULL,
                              &si, &pi);
    if (!fRet) {
        Log("Unable to launch process", szExe, GetLastError());
        return false;
    }

    DWORD dwStart = GetTickCount();

    // Now wait for debug events from the new process
    do {
        DEBUG_EVENT dbg;
        if (WaitForDebugEvent(&dbg, 200)) {
            // we get copies of all loaded DLL file handles - we don't need 'em - so close 'em
            if (dbg.dwDebugEventCode == LOAD_DLL_DEBUG_EVENT) {
                CloseHandle(dbg.u.LoadDll.hFile);
                ContinueDebugEvent(dbg.dwProcessId, dbg.dwThreadId, DBG_CONTINUE);
                continue;
            }
            // we get a copy of the loaded exe file handle - we don't need it - so close it
            if (dbg.dwDebugEventCode == CREATE_PROCESS_DEBUG_EVENT) {
                CloseHandle(dbg.u.CreateProcessInfo.hFile);
                ContinueDebugEvent(dbg.dwProcessId, dbg.dwThreadId, DBG_CONTINUE);
                continue;
            }
            // at this point we only care about real debug events
            if (dbg.dwDebugEventCode != EXCEPTION_DEBUG_EVENT) {
                ContinueDebugEvent(dbg.dwProcessId, dbg.dwThreadId, DBG_CONTINUE);
                continue;
            }

            // An exception occurred
            // CAVEAT: this code can catch *ALL* exceptions, including first-chance exceptions.
            // Catching and logging a first-chance exception does *NOT* mean there is a security bug
            // in your code. Don't go filing bugs on first-chance exceptions unless it's a real bug!
            switch (dbg.u.Exception.ExceptionRecord.ExceptionCode) {
                case EXCEPTION_ACCESS_VIOLATION:
                case EXCEPTION_STACK_OVERFLOW:
                case EXCEPTION_DATATYPE_MISALIGNMENT:
                case EXCEPTION_ARRAY_BOUNDS_EXCEEDED:
                case EXCEPTION_FLT_DIVIDE_BY_ZERO:
                case EXCEPTION_INT_DIVIDE_BY_ZERO:
                case EXCEPTION_ILLEGAL_INSTRUCTION:
                case EXCEPTION_IN_PAGE_ERROR:
                case EXCEPTION_PRIV_INSTRUCTION:
                    // DO NOT REPORT FIRST CHANCE EXCEPTIONS!
                    // Hand them back with DBG_EXCEPTION_NOT_HANDLED so the app's own handlers
                    // get to run; if nobody handles it, the same exception comes back as a
                    // second-chance exception, and that is the real crash worth logging.
                    // (Leaving the event un-continued, as the original did, parks the debuggee
                    // until the timeout and the second chance is never seen.)
                    if (dbg.u.Exception.dwFirstChance) {
                        ContinueDebugEvent(dbg.dwProcessId, dbg.dwThreadId, DBG_EXCEPTION_NOT_HANDLED);
                    } else {
                        ReportFailure(&dbg, szFilename);
                        fError = true;
                    }
                    break;
                default:
                    ContinueDebugEvent(dbg.dwProcessId, dbg.dwThreadId, DBG_CONTINUE);
                    break;
            }
        } else {
            // WaitForDebugEvent timed out (or failed): nothing more to see
            break;
        }
    } while (!fError && (GetTickCount() - dwStart) < MAX_EXE_RUNTIME_MS);

    DebugActiveProcessStop(pi.dwProcessId);

    if (!TerminateProcess(pi.hProcess, 1))
        Log("Unable to kill process", szExe, GetLastError());

    // CreateProcess hands back a thread handle and a process handle: close both or they leak
    if (pi.hThread)
        CloseHandle(pi.hThread);
    if (pi.hProcess)
        CloseHandle(pi.hProcess);

    if (!fError)
        *pfDeleteTempFile = true;

    return fError;
}
http://blog.naver.com/PostView.nhn?blogId=budlpiry&logNo=100020917029&redirect=Dlog&widgetTypeCall=true
Source: http://packetstormsecurity.com/files/119303/androidchrome-bypass.txt
CVE Number: CVE-2012-4908
Title: Chrome for Android - Bypassing SOP for Local Files By Symlinks
Affected Software: Confirmed on Chrome for Android v18.0.1025123
Credit: Takeshi Terada
Issue Status: v18.0.1025308 was released which fixes this vulnerability
Overview:
Chrome for Android's Same-Origin Policy for local files (file: URI) can be
bypassed by using symbolic links. It results in theft of Chrome's private
files by malicious Android apps.
Details:
Chrome for Android seems to forbid a local file to read another file,
except for the originating file itself.
http://code.google.com/p/chromium/issues/detail?id=37586
However, it is possible to circumvent the restriction by a trick using
symbolic link.
This issue enables malicious Android apps to steal Chrome's private
files such as Chrome's Cookie file, bookmark file, and so on.
As an example, steps to steal Chrome's Cookie file are described below:
1. An attacker's app creates a malicious HTML file, and makes Chrome load
its URL with file: URI. The malicious HTML contains JavaScript code
which, a few seconds later, tries to read the content of same URL with
the malicious HTML itself via XMLHttpRequest.
<body>
<u>Wait a few seconds.</u>
<script>
function doitjs() {
var xhr = new XMLHttpRequest;
xhr.onload = function() {
alert(xhr.responseText);
};
xhr.open('GET', document.URL);
xhr.send(null);
}
setTimeout(doitjs, 8000);
</script>
</body>
2. Before XHR fires, the attacker's app replaces the malicious
HTML file with a symlink pointing to Chrome's Cookie file.
3. When XHR fires, Chrome follows the symlink and provides the
content of the Chrome's Cookie file to the malicious HTML.
The attacker's app can also get the content of Chrome's other private
files in a similar manner.
Proof of Concept:
HTML/JavaScript is shown above. At present I do not have plans to disclose
PoC of malicious Android app.
Timeline:
2012/08/19 Reported to Google security team
2012/08/25 Re-reported to Chrome security team
2012/09/12 Vendor announced v18.0.1025308
2013/01/07 Disclosure of this advisory
Recommendation:
Upgrade to the latest version.
Reference:
http://googlechromereleases.blogspot.jp/2012/09/chrome-for-android-update.html
https://code.google.com/p/chromium/issues/detail?id=144866
Allowed SOP (same origin policy) range by browser
Assuming the page is accessed at www.abc.net:
IE
allowed: www.abc.net
allowed: abc.net
Chrome
allowed: www.abc.net
allowed: abc.net
How much will performance improve?
##############################################
======> As traffic went up, Snort would stop with a kernel error or with no log at all, so I replaced it with 2.9.4.0. No problems so far.
When installing 2.9.4, only DAQ needs to be reinstalled as 2.0; the rest of the procedure is the same. (The pf_ring-related module has to be recompiled.)
Recent versions no longer support the mysql output plugin. To store into a DB, use the snort-barnyard-mysql approach.
##############################################
Environment: CentOS 5.8 / Snort 2.9.2 /
###### Remove the existing snort ###########
make uninstall
###########################################
Download and extract the files
# tar xvzf libpcap-1.2.1.tar.gz
# tar xvzf daq-0.6.2.tar.gz
# tar xvzf libdnet-1.12.tar.gz
# tar xvzf pcre-8.30.tar.gz
# tar xvzf snort-2.9.2.2.tar.gz
# cd libpcap-1.2.1
# ./configure
# make
# make install
# cd /usr/lib64/
# rm libpcap.so
# rm libpcap.so.0
# rm libpcap.so.0.9
# ln -s /usr/local/lib/libpcap.so.1.2.1 /usr/lib64/libpcap.so.1.2.1
# ln -s /usr/lib64/libpcap.so.1.2.1 /usr/lib64/libpcap.so.1
# ln -s /usr/lib64/libpcap.so.1 /usr/lib64/libpcap.so
# cd daq-0.6.2
# ./configure
# make
# make install
# cd pcre-8.30
# ./configure
# make
# make install
# cd libdnet-1.12
# ./configure
# make
# make install
# cd snort-2.9.2.2
# ./configure --with-mysql-libraries=/usr/lib64/mysql/ --enable-dynamicplugin --enable-zlib --enable-ipv6 --enable-sourcefire
# make
# make install
Intermediate check
# snort -V
,,_ -*> Snort! <*-
o" )~ Version 2.9.2.2 IPv6 GRE (Build 121)
'''' By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
Copyright (C) 1998-2012 Sourcefire, Inc., et al.
Using libpcap version 1.2.1
Using PCRE version: 8.30 2012-02-04
Using ZLIB version: 1.2.3
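Added example, not from the original post: a check for the intermediate step above that parses the `snort -V` banner and fails unless it reports the libpcap and PCRE versions that were just built. This is how you catch a snort binary that quietly linked against the distro's libpcap 0.9 instead of the 1.2.1 the symlink replacement above is meant to install. The sample banner is constructed from the output shown on this page; on the real box the call is `snort -V 2>&1 | check_snort_banner`.

```shell
#!/bin/sh
# Added example: verify the versions 'snort -V' reports against what was built.
# Expected versions default to the ones used on this page.

EXPECTED_PCAP="${EXPECTED_PCAP:-1.2.1}"
EXPECTED_PCRE="${EXPECTED_PCRE:-8.30}"

# Pull the version number out of a "Using <lib> version[:] X.Y.Z ..." banner line (stdin).
banner_field() {   # $1 = libpcap | PCRE | ZLIB
    sed -n "s/^[[:space:]]*Using $1 version:\{0,1\} \([0-9][0-9.]*\).*/\1/p" | head -n 1
}

# Reads 'snort -V' banner text on stdin; returns 0 if both versions match, 1 otherwise.
check_snort_banner() {
    banner=$(cat)
    pcap=$(printf '%s\n' "$banner" | banner_field libpcap)
    pcre=$(printf '%s\n' "$banner" | banner_field PCRE)
    rc=0
    if [ "$pcap" != "$EXPECTED_PCAP" ]; then
        echo "libpcap mismatch: banner says '${pcap:-none}', expected $EXPECTED_PCAP (check the /usr/lib64/libpcap.so symlinks)"
        rc=1
    fi
    if [ "$pcre" != "$EXPECTED_PCRE" ]; then
        echo "PCRE mismatch: banner says '${pcre:-none}', expected $EXPECTED_PCRE"
        rc=1
    fi
    return $rc
}

# Constructed sample: the 'snort -V' output shown above, for an offline dry run.
sample_banner() {
    cat <<'EOF'
   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.2.2 IPv6 GRE (Build 121)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2012 Sourcefire, Inc., et al.
           Using libpcap version 1.2.1
           Using PCRE version: 8.30 2012-02-04
           Using ZLIB version: 1.2.3
EOF
}

# Dry run against the sample. On the real host: snort -V 2>&1 | check_snort_banner
if sample_banner | check_snort_banner; then
    echo "sample banner OK: libpcap $EXPECTED_PCAP, PCRE $EXPECTED_PCRE"
fi
```

If the banner shows the old libpcap, `ldd "$(command -v snort)" | grep pcap` tells you which library file the loader actually resolved, which is usually a symlink in /usr/lib64 that still points at the distro copy.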
# groupadd snort
# useradd -g snort snort -s /sbin/nologin
# mkdir /etc/snort
# mkdir /etc/snort/rules
# mkdir /etc/snort/so_rules
# mkdir /etc/snort/preproc_rules
# mkdir /var/log/snort
# chown snort:snort /var/log/snort
# mkdir /usr/local/lib/snort_dynamicrules
# cd etc/
# cp * /etc/snort/
#### Download/apply the rule files (from snort.org) ###########################
# tar xvzf snortrules-snapshot-2921.tar.gz
# cd rules/
# cp * /etc/snort/rules
# cp ../so_rules/precompiled/Centos-5-4/x86-64/2.9.2.1/* /etc/snort/so_rules
# cp ../preproc_rules/* /etc/snort/preproc_rules
*** Adjust /etc/snort/snort.conf to your own setup...
## Install PF_RING ##############################
Download and install the required programs (./configure && make && make install)
#tar zxvf autoconf-2.69.tar.gz
#tar zxvf automake-1.9.tar.gz
#tar zxvf libtool-2.4.tar.gz
Download / extract PF_RING
cd PF_RING/kernel
make
make install
insmod ./pf_ring.ko
*** Check that the module has been loaded into the kernel
***lsmod |grep pf_ring
cd lib
./configure
make
make install
*** Check that /usr/local/lib/libpfring.so has been created
#cd snort/pfring-daq-module
#autoreconf -ivf
#./configure
#make
#make install
## Verify Snort runs #########################################
snort --daq-dir=/usr/local/lib/daq --daq pfring -i eth9 -c /etc/snort/snort.conf -T
Reference
http://kezhong.wordpress.com/2012/04/07/install-snort-2-9-2-2-on-centos5-8x86_64/
Store alerts in the snort DB and logs in the snort2 DB
-> Set the output for alerts in snort.conf, and the output for logs in a ruletype inside the rule file.
※ If both are set in snort.conf, alert events are stored in both DBs (duplicates)
ruletype redalert {
    type log
    output database: log, mysql, user=snort password=ahslxj1234 dbname=snort2 host=localhost
}
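Added example, not from the original post: a small lint for the duplication caveat above. It lists the `output database:` lines in a snort.conf and fails when both an alert-type and a log-type database output are configured there, which is exactly the setup that writes every alert into both databases; the log-type output should live in a ruletype block in the rule file as shown above. The two sample configs are constructed, and the credentials in them are placeholders.

```shell
#!/bin/sh
# Added example: lint snort.conf for alert+log database outputs configured side by side.
# The sample configs below are constructed; credentials are placeholders.

# Print "<type> <dbname>" for each 'output database:' line on stdin.
db_outputs() {
    sed -n 's/^[[:space:]]*output[[:space:]]\{1,\}database:[[:space:]]*\([a-z]*\),.*dbname=\([^ ,]*\).*/\1 \2/p'
}

# snort.conf text on stdin. Returns 0 when at most one of alert/log database
# outputs is configured in snort.conf, 1 when both are (alerts stored twice).
check_duplicate_db_outputs() {
    outs=$(db_outputs)
    n_alert=$(printf '%s\n' "$outs" | grep -c '^alert ' || true)
    n_log=$(printf '%s\n' "$outs" | grep -c '^log ' || true)
    printf 'database outputs in snort.conf:\n%s\n' "${outs:-(none)}"
    if [ "$n_alert" -gt 0 ] && [ "$n_log" -gt 0 ]; then
        echo "PROBLEM: both alert and log database outputs are in snort.conf;"
        echo "         alert events will be written to both databases."
        echo "         Move the log output into a 'ruletype ... { type log ... }' block in the rule file."
        return 1
    fi
    return 0
}

# Constructed: the setup the note above warns about.
bad_conf() {
    cat <<'EOF'
output database: alert, mysql, user=snort password=changeme dbname=snort host=localhost
output database: log, mysql, user=snort password=changeme dbname=snort2 host=localhost
EOF
}

# Constructed: alert output in snort.conf only; the log output lives in the ruletype.
good_conf() {
    cat <<'EOF'
output database: alert, mysql, user=snort password=changeme dbname=snort host=localhost
EOF
}

bad_conf | check_duplicate_db_outputs || echo "-> fix the conf above"
good_conf | check_duplicate_db_outputs && echo "-> OK"
```

Run it against the live file with `check_duplicate_db_outputs < /etc/snort/snort.conf`; rule files are deliberately not scanned, since a log-type output inside a ruletype there is the intended layout.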