Title: how hack any website?
Description: Hack any website

STRICTLY CONFIDENTIAL

August 2, 2003

Hack any website
Defcon 11 – 2003 Edition - Alexis Park, Las Vegas, USA
Grégoire Gentil
CEO and CTO of Twingo Systems

This document is solely for the presentation of Twingo Systems
...
By reading this document, the Receiving Party agrees:
(i) to hold the Disclosing Party’s Proprietary Information in confidence and to take reasonable precautions to protect such Proprietary Information (including, without
limitation, all precautions the Receiving Party employs with respect to its confidential materials),
(ii) not to divulge any such Proprietary Information or any information derived there from to any third person,
(iii) not to make any use whatsoever at any time of such Proprietary Information except to evaluate internally its relationship with the Disclosing Party
(iv) not to copy or reverse engineer any such Proprietary Information and not to export or reexport (within the meaning of U
...
or other export control laws or
regulations) any such Proprietary Information or product thereof
...
0 and Windows 95 or later
  - Google Zeitgeist (http://www
...
com/press/zeitgeist
...


(c) 2003 Twingo Systems, Confidential


ADVANTAGES OF THE ATTACK

• No modification on the targeted server is required

• The attack uses a feature developed by Internet Explorer!!!
  - Microsoft provides and supports all the required tools

• The installed DLL cannot be detected by anti-virus
...

• The browser initializes the object and asks it for a certain interface
...
The typical implementation will simply store such a pointer for further use

HRESULT SetSite( IUnknown* pUnkSite )
{
    if ( pUnkSite != NULL ) {
        m_spWebBrowser2 = pUnkSite;
        if ( m_spWebBrowser2 ) {
            // Connect to the browser in order to handle events
            if ( ! ManageConnection( Advise ) )
                MessageBox( NULL, "Error", "Error", MB_ICONERROR );
        }
    }
    return S_OK;
}


GETTING THE BROWSER EVENTS

• The IConnectionPoint interface: HRESULT Connect( void )
  - To intercept the events fired by the browser, the BHO needs to connect to it via an IConnectionPoint interface and pass the IDispatch table of the functions that will handle the various events

HRESULT Connect( void )
{
    HRESULT hr;
    CComPtr<IConnectionPoint> spCP;
    // Receives the connection point for WebBrowser events
    hr = m_spCPC->FindConnectionPoint( DIID_DWebBrowserEvents2, &spCP );
    if ( FAILED( hr ) )
        return hr;
    // Pass our event handlers to the container
...
pdispVal;
        CComPtr<IDispatch> pDisp;
        HRESULT hr = m_spWebBrowser2->get_Document( &pDisp );
        if ( FAILED( hr ) ) break;
        CComQIPtr<IHTMLDocument2> spHTML;
        spHTML = pDisp;
        if ( spHTML ) {
            // Get the BODY object
            CComPtr<IHTMLElement> m_pBody;
            hr = spHTML->get_body( &m_pBody );
            // Get the HTML text
            BSTR bstrHTMLText;
            hr = m_pBody->get_outerHTML( &bstrHTMLText );
            // Get the URL
            CComBSTR url;
            m_spWebBrowser2->get_LocationURL( &url );
        }
    }
    return S_OK;
}

REGISTERING AND INSTALLING THE COMPONENT

• Register the DLL (regsvr32
...
dll for instance) and create a key in
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects with the GUID of the component
  - The next instance of Internet Explorer will automatically load the BHO


AGENDA

• Overview of the attack
• Demos
• General analysis
• Technical analysis

• How to defend?
• Conclusion
• Questions and Answers


SOME POSSIBLE DEFENSES
• Disable all or selected BHOs installed on the client
  - Simply enumerate the BHOs from the registry and analyze the DLL information (see code on the DefCon CD)
#include <windows.h>

HKEY hkey;
TCHAR szPath[] = TEXT("SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects");
if ( RegOpenKey( HKEY_LOCAL_MACHINE, szPath, &hkey ) == ERROR_SUCCESS ) {
    TCHAR szGUID[255];
    DWORD i = 0;
    // Enumerate the subkeys of the opened key (hkey), one index at a time
    LONG ret = RegEnumKey( hkey, i, szGUID, 255 );
    while ( ret == ERROR_SUCCESS ) {
        // You have the BHO GUID in szGUID
        i++;
        ret = RegEnumKey( hkey, i, szGUID, 255 );
    }
    // The loop ends on ERROR_NO_MORE_ITEMS or on any other error
    RegCloseKey( hkey );
}

• Main drawback: Pretty painful, as BHOs can sometimes be useful
  - Acrobat plug-in is a BHO, Google toolbar uses BHO, …
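
The "enumerate the BHOs and analyze the DLL information" step above, as an added PowerShell example (not the code from the DefCon CD and not Twingo Systems' tool). It assumes each BHO GUID resolves to its DLL through the standard COM registration at HKEY_CLASSES_ROOT\CLSID\{GUID}\InprocServer32; the function name and the allowlist entry are hypothetical placeholders.

```powershell
# Added example: inventory the BHOs registered under the key named on the slide.
$BhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'

function Get-BhoInventory {
    param(
        [string]   $Key      = $BhoKey,
        [string[]] $Approved = @()      # hypothetical allowlist of reviewed CLSIDs
    )
    if (-not (Test-Path -LiteralPath $Key)) { return }

    foreach ($sub in Get-ChildItem -LiteralPath $Key) {
        $clsid  = $sub.PSChildName      # each subkey name is the BHO's GUID
        $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"

        # Assumption: the default value of InprocServer32 is the DLL that gets loaded.
        $dll = $null
        if (Test-Path -LiteralPath $server) {
            $raw = (Get-Item -LiteralPath $server).GetValue('')
            if ($raw) { $dll = ([string]$raw).Trim('"') }
        }

        # Collect the DLL information a reviewer needs: vendor, signature, hash.
        $company = $null; $sigStatus = 'NoFile'; $sha256 = $null
        if ($dll -and (Test-Path -LiteralPath $dll -PathType Leaf)) {
            $company   = (Get-Item -LiteralPath $dll).VersionInfo.CompanyName
            $sigStatus = (Get-AuthenticodeSignature -LiteralPath $dll).Status
            $sha256    = (Get-FileHash -LiteralPath $dll -Algorithm SHA256).Hash
        }

        [pscustomobject]@{
            Clsid     = $clsid
            Dll       = $dll
            Company   = $company
            Signature = $sigStatus
            Sha256    = $sha256
            Approved  = $Approved -contains $clsid
        }
    }
}

# The all-zero GUID is a placeholder; replace it with the CLSIDs you have reviewed.
Get-BhoInventory -Approved @('{00000000-0000-0000-0000-000000000000}') |
    Sort-Object Approved, Signature |
    Format-Table -AutoSize
```

Entries that are unapproved, not validly signed, or that point at a missing file are the ones to review first.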


SOME POSSIBLE OTHER DEFENSES

• Microsoft could improve BHO support in coming releases of Internet Explorer
  - Create a tag to disable all BHOs for a given web page
  - Implement an authentication system to disable only non-approved BHOs (implementation of a tag )


CONCLUSION

• Attack can be selective, personalized
  - The malicious BHO can connect to an external website and download specific information

• You should not trust what you see (especially if this is not your computer)

• Use BHOWatcher to regularly check the BHOs installed on your computer


CONTACT INFORMATION

• Main contact:

Gregoire Gentil
CEO and CTO of Twingo Systems
gregoire@twingosystems
...

Provides security tool to secure the untrusted computer


QUESTIONS AND ANSWERS

• If you have any question, it is the moment to ask…
