The Cake is a Lie
Wednesday, November 27, 2013
Testing HTML tags
367440962c84982e7c2209d3b15c447d
c2b43833ef3e16f4e1280d5b484f5245
666260b6b977a9d7e421196adda5d23a
be7c370b2d5d47ffb1fbc2af5bd19ea6
3d3bac6318f5 113307b8f6f913f334c9
465c55b91b77 3bfe95d62878af923569
fe701ab75ea8 ef226e4557459c205bb1
98ba020ccc76𐃁f7ac5e3993867ec23cb1
Saturday, November 2, 2013
Hacklu 2012: safehouse (binary 150) writeup
So first of all, we have to ssh a web page, here is what we got:
beginning screen (from https://f00l.de/blog/) |
So, let's start!
file command gives us "setuid setgid ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=0x5446b9058fdd04404a8b84827d5873028204ee90, not stripped"
Ok fine, so a 64bit executable, setuid (as we already know), not stripped lucky us!
run the program, nothing happen, exit 0.
Run the program with an argument display the following string:
Mmm.. me lika string! let's open it with IDA and look for the string!
A quick look on the binary let us find the function in charge of displaying our string:
Function display the string "Zombie detected" |
Series of actions for the main |
mov bh, 0x3 -> b7 03 //highest part of 1006
mov bl, 0xee -> b3 ee //lowest part of 1006
int 0x80 -> 80 cd
Wow! we just need to split the setting of the bx register in two parts, and all our input is nicely divided in block 2 bytes-long!
Obviously we still need to fill up 1 byte without letting the process crash, what's better than a nice old 0x90!?
we just built 4 arguments then (remember LITTLE ENDIAN!):
'0x9017b0', '0x9003b7', '0x90eeb3', '0x9080cd'
Now it's just a matter of converting them to integer and we should be cool!
[9443248, 9438135, 9498291, 9470157]
Trying to call the program with these arguments give us
And a nice little shell for us!
that's it, I found this easy exploitation very didactic for building up a custom shellcode, a very nice piece of work!
There was also another version of this challenge a bit more complex, it will be for next time!
This is a link (from LeetMore writeup) for downloading the binary.
Enjoy!
Friday, November 1, 2013
IRC BOT: node.js, why not!?
So let's create an IRC bot!
First thing was to decide the programming language:
I saw a lot of examples, from Ruby, Python, C, even Haskell! but all of them were a bit too complex, with tons of lines of code (except C, which was actually my first idea) that were unuseful for me.
So, what did I want?
I wanted something fast to write (I allocated no more than 2 hours for writing the whole code) and easy to configure, with the following actions:
- respond when consulted;
- give a challenge, wait for some time and activate a callback when the timeout expire.
Wait a minute, something silent, event-driven, scalable, non-blocking (should give different challenges to different channel at the same time).. that's the definition written on the home page of node.js!
Lucky me, somebody already implemented a module for implementing IRC in a really easy way, the code is basically a huge switch for doing different activities based on the message received by the client, with a few additions (a parser, a flood-avoidance), sounds good for me!
So, what is needed in order to configure it?
This:
;
Where config.json is
;
Not bad, uh?!
Then we just have to add some listeners, according to what we want the bot to listen to!
I wanted the bot to listen to the messages said on the channel, and if it sees a keyword ("@challenge"), activate a challenge!
the interface is the following:
;
really easy, so we just have to look at the message (which is a string, so we can/should parse it in a text via split), parse it and look if it contains our beloved string.
when the bot want to say something, all it has to do is just
;
Just that!
NOTE: currently I'm having an issue when a player is leaving a channel, the bot crashes with a ValueError. Quick and dirty solver, put the for content at line 503 in a try/catch statement and it won't happen again.
I just had to implement the logic for supporting challenges, with timeout etc, and that's it!
The implemented logic is really easy, the bot listen for a message starting with "@challenge", then look at the next word, and if there is a challenge with that name. If present, it then loads a challenge, write it to the channel and set a timeout.
If the bot receives a message starting with "@sol", look if there is an active challenge with that name for that channel, check the proposed solution with the actual one, and if the outcome is positive, it delete the timer and gives the prize.
I wanted an easy way to add new challenges, where I didn't have to touch the code, therefore I created a separate file (which has to be called with require), which gives to the bot the following object:
In this way we can create a challenge in a quick and easy way, all you need is just an idea of a challenge.
The only issue is that right now the challenge is intended as a question-answer, without middle-steps, but in that case is just a matter of doing a slight modification to the bot.js, by allowing an array of function as chall and solver, so that we can track the current step.
Link to the github repo.
Have fun!
Monday, October 28, 2013
Transformer: mass deobfuscation of php files
Now, if you have to deal with deobfuscation of a single php file you have several opportunities, from web services (like this) to the great php extension created from Stefan Esser evalhook (here is a link of explanation). These strategies are all good if you have a single file, as all of them require user interaction. But what if you have >1000 PHP files per day, and you want to deobfuscate them daily in order to run some similarity tool!?
Let's begin with the basic:
In PHP we basically have two ways of deobfuscating a file and then execute it:
- simple eval function;
- preg_replace with "e" (dear PHP developers, was that really necessary!? a preg_replace with included eval!?);
The main problems when using Evalhook extension over a big number of files are of two categories:
- Evalhook for every "eval" step asks for confirmation of evaluating the code(and that's ok, we can easily automatize a yes answer);
- The file is actually executed while analyzed (and that's not ok at all!)
So what I basically wanted was a way to use Evalhook in an automatic way, in order to let it run over my 1000 files per day, but at the same time I didn't want to execute any part of the code other than the strict necessary for evalhook to do the job.
Typical example of evalhook usage |
This is especially important when we are dealing with files created by one author and then used by several others. Most of the web shells I see, in fact, contains a tiny base64 string which is evaluated at run time and which is in charge of sending an e-mail to the creator of the shell (not the one who is actually using it) letting him know that his shell has been uploaded to a certain server. If we run this kind of files with evalhook, and letting him deobfuscating everything, in fact, it will blindly execute all the code up to the point when it reaches the obfuscated part, provoking any sort of damage to the testing machine.
That's why I created Transformer. The principle of Transformer is exactly the one from above: it explores the code, look for any eval/preg_replace with "e" in the code, isolate them, run evalhook over these single pieces and put these pieces back inside the code, allowing for a safer and better deobfuscation.
Details
Transformer run a regex over the file in order to find possible matches (yes, you understood well, it's regex-based). a regex approach has obviously some limitations derived by the nature of regex, but that's the only way to isolate the obfuscated parts of the files without using a PHP parser (which is a very, very hard thing to do) or directly creating a PHP extension (and we don't want any part of the code to run into PHP, in order to be safe against any possible event).
an example of these regex is listed below:
It's important to notice that these regex are made to work over characters. During my experience I saw that an usual way attackers obfuscate their code, other than eval'ing things, is by substituting some of the characters with its hex correspondent. PHP, in fact, accept hex-encoded characters as instructions without any problem.
half hex encoded half ascii! |
That's why the whole code, before being splitted, pass through a "decode_hext" function, which is in charge of decoding any hex character into the corresponding ascii.
Once we isolate our obfuscated part of the code, if we are lucky we just give it to evalhook and obtain the decoded version, but what about things like
$a = obfuscated_string;
eval($a)
Transformer is able to match these use-cases by performing a minimal parsing of the code, in order to do some sort of tainting of the variables involved inside the obfuscated parts and attach all operations involving these variables to the obfuscated code. This is particularly useful when dealing with personalised obfuscation, which obfuscate the code via XOR and other operations (personally I also saw something similar to Caesar cypher).
Once we have a script containing both the obfuscated code and any other operations on the variables used during the obfuscation, we let evalhook do his amazing job, obtaining the deobfuscated code.
The output from evalhook is then put back inside the original code, replacing the obfuscated code.
Where It works
Transformer is not intended to be a universal perfect deobfuscator, its strong points are its ability to decode parts of the scripts in an automatic fashion, catching any small obfuscated piece of code and producing the deobfuscated code. It works great when you have massive amounts of obfuscated files and you need the deobfuscated version in order to look at any similarity between the files.
Where It fails
Transformers does not have any knowledge of PHP. Therefore if the obfuscated script goes through several multiline functions before being evaluated, the deobfuscation will fail. There is also a software which obfuscate the script in such a way that during the deobfuscation the script read itself several time, appending determined bytes one next to each other in order to create a new file that will be deobfuscated.
In these cases there are no automatic procedures that can help, as the deobfuscation must be performed by hand checking every single line of evalhook in order to understand when to stop.
Conclusions
What I presented here is a nice way for automatically deobfuscate different PHP files. Obviously we are not as much precise as in a manual analysis (and we don't want to) but if you collect massive amounts of PHP scripts per day, this can be useful.
I obviously created a github repo for the project, I still have to add some example files, the problem is that I only have malicious obfuscated files which I don't want to publish on my github, so I'm creating something ad-hoc!
Notice: even if this tools is meant for having a safer deobfuscation than just using evalhook on the whole script, I still recommend to let the software run in a virtualized machine without connection to the outer world, in order to minimize possibile dangers.
Sunday, October 27, 2013
Hacklu 2013 - Reverse 150 Write-up
we are going to analyze the reverse 150, a nice win32 executable called RoboAuth. As always, at the end of this post you will find a link to a github repo with the write-up and the original executable so that you can repeat the challenge.
Let's start!
The introduction to the challenge said that the flag should be written as flag1_flag2, therefore we expect to have some kind of double password check.
As always, we start with a "file" command in order to understand some details about the executable, and we find
RoboAuth.exe: PE32 executable for MS Windows (console) Intel 80386 32-bit
Ok,
time for some Windows VM!
Open it and launch it gives you this nice introduction, followed by a request for a password
Very nice, let's see if we find something interesting in the strings of the program.
Strings in ida give us the position where we find the initial text and the "you passed level 1" string inside the executable, nice!
Looking at the code at the location where we find the "you passed level 1" string, we see A LOT of mov instructions and finally what ever password cracker want to see:
scanf
strcmp
puts
Hey, that's easy! so now we know that the program is simply getting at most 20 chars checking against a fixed string and printing out the result, just run it in a debugger, stopping at that point and see at the compared values.
Personally, I do static analysis on ida and dynamic one on ollydbg as I think ida pro debugger sucks, so here is the screenshot of the memory dump from olly
Great!
now we have the 1st password, "R0b0RUlez!", ok let's move on!
After the first password we are requested for a second one.
As before, we look for another string and we can't find it. Ok, so where is the second check?! well we know that the second check is going to do a puts and a scanf, let's look for that function then!
We discover that there is a second scanf in the function at 40157f, so let's look at it!
As we can see, there is a scanf as in the first password scenario, then a call to 401547 and then a test followed by a puts, nice! usual acquire, check and decision based on the check!
the problem here is that when we put a bp on the call sub_401547 instruction we see that the program won't stop, but instead we are stopped on a int 3 instruction.
Fiu, that means, as we can expect from the end of the function before (ExitProcess), that the program for checking the second password is actually another process launched by the father, so in order to debug we should do very nasty tricks etc etc etc (read: I am lazy, if I have another way to acquire the same information why I should not use it!?).
So what we can do!? well actually we have the executable, so why we can't tamper it? as we can see, the parameters used by the function sub_401547 are in positon [esp+38h+var_34] and var_38, one of them is the string acquired through the scanf and the other one is used during the check.. probably our delightful password! the idea is to display it instead of the string displayed by the puts after the check, bypassing the test (obviously). A bunch of NOPS and the edit of
mov eax, ds:dword_40ada4
into
mov eax, ds:dword_40ad98
will do the trick!
nice! here is our beautiful string, "u1nnf2lg\x02" (\x02 being the little face in win32).
let's look at the check function:
even better, the check is just XORing every byte of the solution and checking it with our buffer up to the byte \x02, a one line python operation:
print "".join([chr(ord(el)^2) for el in "u1nnf2lg"])
and we obtain our second password, w3lldone
I find it to be a really nice way to tamper an executable in order to display memory content we can use, especially when using a debugger would require tracing different processes etc..
In the end.. here you will find the github repo with the original file, the tampered file which display the second password and this writeup.
Enjoy!
Saturday, October 26, 2013
Presentation
Hi, My name is Maurizio Abbà, I'm an Information Technology Engineer with a deep interest in security. My main fields are Web Security and Reverse Engineering (yes, because we love opposites!). That means that I spend most of my time (without considering sleeping, cooking and eating) by writing code, looking at an Ida Pro graph or just looking for how to script an operation that I probably won't repeat over the next five years but which I completely refuse to do it by hand.
I love challenges, therefore I'll write here most of my CTF write-ups (starting from HAckLu 2013), always trying to improve myself. Check out my posts, and if you are interest here is my latest CV (I'm always looking for a job, a collaboration or just a new challenge!) My Amazing CV
Hacklu 2013 - Web 200 writeup
What is the best way to begin a blog? with a write up of course!
So, I participated at Hacklu 2013, but I only managed to solve 4 challenges, Web 200, Reverse 150 and 400. The challenges were very funny, I'm just sorry for wasting a lot of time on web 150 without figuring out the solution (SQL injection in basic authentication!?! The Horror!).
So here is my wirte up for web 200, very easy challenge in my opinion, but still funny!
So at first we are presented with this web page:
Just an image and an input box with a button: insert a key, display "wrong answer".
First things first, let's look at HTML code:
As you can see, we have a form which, upon the click of the button, will do a POST request to /gimmetv with a key, and a nice little script below called key.js.
Let's take a look at the script then:
The script add a listener on the submit, and will send our AJAX request to the server, receiving a JSON containing a "success" field. The most interesting thing here is obviously the xhr.send function, which has a commented &debug parameter.
Doing the same request with the debug parameter will give us the same response with two new fields, "start" and "end". Looks like a timing attack!
Sending the same request with different letters/numbers and looking at the value end-start we can see how this value will almost be the same for all the letters but one, which will have a significant 0.1 difference from the others.
Things are natural then, let's write a small python script in order to accumulate this value up to the point where "success" is true, and look at the response.
This code is not the most performing one, as It does not stop upon the 0.1 threshold (I wanted to be sure to take the maximum, I didn't care too much about its speed) and it checks also for punctuation characters (same reason, I wanted to be sure to get the right result)
In a matter of seconds we have the solution, in the "response" parameter of the JSON response we see "OH_THAT_ARTWORK!"
Maybe this challenge was too easy for 200 points, I expected to have something obfuscated (as far as I remember last year every javascript code was obfuscated), but still, a nice 5 minute exercise!
I created a github repo where you will find:
the writeup
the solver in python
a server which replicate (more or less) the same behavior as the original one so that you can replicate the challenge!
Enjoy!