The document summarizes various remote and local attacks that can be performed against Microsoft Windows operating systems. It discusses vulnerabilities in Windows services such as RPC, SMB, and LSASS that allow remote code execution, and covers techniques such as token kidnapping that can be used to elevate privileges on Windows systems. It demonstrates exploits for the MS09-050 SMB vulnerability and the KiTrap0d local kernel exploit, and warns that applications such as Internet Explorer and Office macros can also be weaponized to attack Windows machines. Throughout, it emphasizes that Windows operating systems are prone to security issues.
1. MS Windows – KILL BILL
Prathan Phongthiproek
ACIS Professional Center
Senior Information Security Consultant
March 20th, 2010
2. Who am I?
Instructor / Speaker
Red Team: Penetration Tester (Team Leader)
Security Consultant / Researcher
CWH Underground
Exploits and Vulnerabilities Disclosure: Milw0rm, Exploit-db, Security Focus, Secunia, Zeroday, etc.
3. Overview
Remote Attack on MS Windows OS
The Message From Slave to God
MS Office
Evil Internet Explorer
Pwn2Own
USB Autorun Attack
Local Buffer Overflow
4. Microsoft Windows SUCKS!!
Why does MS Windows SUCK???
NetBIOS Null Sessions -> The Holy Grail of Windows Hacking
See the movie “Pirates of Silicon Valley”
5. Remote Microsoft Windows Vulnerabilities!!
Buffer Overrun in RPC Interface (MS03-026)
Buffer Overrun in RPCSS Service (MS03-039)
Vulnerability in LSASS Service (MS04-011)
Vulnerability in Plug and Play (MS05-039)
Vulnerability in Server Service (MS06-040)
Vulnerability in Server Service Relative Path Corruption (MS08-067)
Vulnerability in SMBv2 Command Value (MS09-050)
DoS exploits not included
6. MS Windows RPC Vulnerability MS08-067
“PoCs work against Windows XP SP2, Windows XP SP3 and Windows 2003 Server SP2 machines”
7. MS Windows SMB2 Vulnerability MS09-050
“PoCs work against Windows Vista SP1/2, Windows 2008 SP1/2 (not R2) and Windows 7 (RC) machines”
13. MS Windows NT #GP Trap Handler Allows Users to Switch Kernel Stack
An error exists within the #GP trap handler (nt!KiTrap0D)
An error exists within the Windows kernel, which does not correctly reset a pointer when freeing memory
Affects every release of the Windows NT kernel (Windows 2000, XP, Server 2003, Vista, Server 2008, 7)
Not affected: Windows 7 (64-bit), Windows Server 2008 (64-bit, Itanium)
Patch released as MS10-015 on Feb 09, 2010
0-day for 1 month. W00t! W00t!
KiTrap0d – Local Ring0 Kernel Exploit
15. Token (like a web cookie): the credentials carried when you RDP or map a network drive
On Windows XP / 2003 – Windows services run as the SYSTEM account
Compromise of a Service == Full System Compromise
On Windows Vista / 2008 – LocalService / NetworkService == SYSTEM
Affects every release of the Windows NT kernel (Windows 2000, XP, Server 2003, Vista, Server 2008, 7)
Patch released as MS09-012 on April 14, 2009
0-day for 1 year. W00t! W00t!
Black Hat Mind!! Combined Attack: Layer 8 + KiTrap0d + Token Kidnapping
Token Kidnapping – Elevate Privilege
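Slides 5, 13 and 15 rest on two conditions a defender can check directly: the bulletins listed (MS08-067, MS09-012, MS09-050, MS10-015) must actually be installed, and services running as SYSTEM, LocalService or NetworkService are the ones whose compromise the deck equates with full system compromise. The PowerShell audit below is an added example, not part of the deck or the author's tooling. It assumes an elevated PowerShell session on the Windows host being audited, and the KB identifiers are placeholders, since the slides name bulletins but not KB numbers; the administrator substitutes the KB id from each bulletin page.

```powershell
# Added example (not from the slide deck): defender-side audit of the
# preconditions described on slides 5, 13 and 15.
#   1. Are the hotfixes for the listed bulletins installed?
#   2. Which running services execute under accounts that the deck
#      treats as "== SYSTEM" once compromised?
# Assumption: run from an elevated PowerShell session on the host itself.
[CmdletBinding()]
param(
    # PLACEHOLDERS: the slides give bulletin ids only. Replace each entry with
    # the KB id published on the corresponding bulletin page.
    [string[]]$RequiredHotfixes = @(
        'KB<placeholder-for-MS08-067>',
        'KB<placeholder-for-MS09-012>',
        'KB<placeholder-for-MS09-050>',
        'KB<placeholder-for-MS10-015>'
    )
)

function Get-MissingHotfixes {
    # Compares the required KB list against what Get-HotFix reports.
    param([Parameter(Mandatory)][string[]]$Required)
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $Required | Where-Object { $installed -notcontains $_ }
}

function Get-PrivilegedServices {
    # Service accounts that, per slide 15, amount to SYSTEM when compromised.
    $privileged = @(
        'LocalSystem',
        'NT AUTHORITY\SYSTEM',
        'NT AUTHORITY\LocalService',
        'NT AUTHORITY\NetworkService'
    )
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.State -eq 'Running' -and $privileged -contains $_.StartName } |
        Select-Object Name, StartName, StartMode, PathName |
        Sort-Object StartName, Name
}

function Get-KernelExposureSummary {
    # Slide 13 scopes KiTrap0d to 32-bit kernels; report OS and architecture
    # so the reviewer can place this host against that list.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    [pscustomobject]@{
        Caption      = $os.Caption
        Version      = $os.Version
        Architecture = $os.OSArchitecture
        LastBoot     = $os.LastBootUpTime
    }
}

# --- Report -----------------------------------------------------------------
Write-Output '== Host =='
Get-KernelExposureSummary | Format-List

Write-Output '== Missing hotfixes (against the supplied KB list) =='
$missing = Get-MissingHotfixes -Required $RequiredHotfixes
if ($missing) { $missing | ForEach-Object { Write-Output "MISSING: $_" } }
else          { Write-Output 'All listed hotfixes present.' }

Write-Output '== Running services under SYSTEM-equivalent accounts =='
Get-PrivilegedServices | Format-Table -AutoSize
```

The service list is the item to review against least privilege: every entry is a process whose takeover the deck describes as full system compromise, so each one that does not need SYSTEM or one of the built-in service accounts is a candidate for a dedicated low-privilege account. The hotfix check only reports what Get-HotFix knows about; a host rebuilt from a patched image may not list individual KBs, so a missing entry is a prompt to verify, not proof of exposure.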