Check out my gitHub page! and my updated CV!

Wednesday, November 27, 2013

Testing HTML tags

This is a test for verification of empty HTML characters

367440962c84982e7c2209d3b15c447d
c2b43833ef3e​16f4e1280d5b484f5245
666260b6b977⁣a9d7e421196adda5d23a
be7c370b2d5d᠎47ffb1fbc2af5bd19ea6
3d3bac6318f5 113307b8f6f913f334c9
465c55b91b77 3bfe95d62878af923569
fe701ab75ea8 ef226e4557459c205bb1
98ba020ccc76𐃁f7ac5e3993867ec23cb1

https://iseclab.org/people/dcanali/page.html

Saturday, November 2, 2013

Hacklu 2012: safehouse (binary 150) writeup

Yes, i know we are in 2013, but I still want to do a quick writeup of the binary safehouse from hacklu 2012, as I found this to be one of the best challenges I ever did in my life, really didactic!

So first of all, we have to ssh a web page, here is what we got:

beginning screen (from https://f00l.de/blog/)
ok, a nice setuid executable and its flag. As you can see, our user is called ctf, the target one (the one we want to impersonate) is called safe house.
So, let's start!

file command gives us "setuid setgid ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=0x5446b9058fdd04404a8b84827d5873028204ee90, not stripped"
Ok fine, so a 64bit executable, setuid (as we already know), not stripped lucky us!

run the program, nothing happen, exit 0.
Run the program with an argument display the following string:


Mmm.. me lika string! let's open it with IDA and look for the string!

A quick look on the binary let us find the function in charge of displaying our string:

Function display the string "Zombie detected"

Ok, as presumed, if this function is called it will display the string and then exit.
Looking a bit more in the binary we find where this function is called and what the binary is doing:

Series of actions for the main
Ok, so basically our program is checking for the number of args (not displayed, but it's just "if argc ==0 exit"), then drop the privileges and set our function as a handler for signals (in particular SIGSEGV). Then it allocates a page, and declare it as WRX.

Then it writes on this page all strings we give as input as a double-word converted with strtoul function, appending 0xc3 as 4th byte and then call it! After calling all our "inputs", if no signal were received in the mean time it pops up a shell.

We begin to have an idea about what we have to do, we basically have to inject a shellcode so that the program will acquire the privileges of safehouse (without going in segfault), then the program itself is going to pop up a shell for us! the only limitation is given by that 0xC3 injection as the fourth byte on every double word, we need a clever way to write our shell code.

We know that setuid is a a system call,  therefore we can call it by mean of a int 0x80h instruction.
Looking here we have a nice table of all system call, with relative parameters.
Gotcha! an int 0x80h with a 0x17 in eax will call sys_setuid, what we need! uid_t should be in ebx register, and we know safehouse is uid=1006 (in hex 0x3ee).

Now we need to divide our input in several pieces, all of them smaller than 4 bytes:

mov al, 0x17 -> b0 17
mov bh, 0x3 -> b7 03 //highest part of 1006
mov bl, 0xee -> b3 ee //lowest part of 1006
int 0x80 -> 80 cd

Wow! we just need to split the setting of the bx register in two parts, and all our input is nicely divided in block 2 bytes-long!
Obviously we still need to fill up 1 byte without letting the process crash, what's better than a nice old 0x90!?

we just built 4 arguments then (remember LITTLE ENDIAN!):

'0x9017b0', '0x9003b7', '0x90eeb3', '0x9080cd'

Now it's just a matter of converting them to integer and we should be cool!

[9443248, 9438135, 9498291, 9470157]

Trying to call the program with these arguments give us


And a nice little shell for us!

that's it, I found this easy exploitation very didactic for building up a custom shellcode, a very nice piece of work!

There was also another version of this challenge a bit more complex, it will be for next time!

This is a link (from LeetMore writeup) for downloading the binary.

Enjoy!



Friday, November 1, 2013

IRC BOT: node.js, why not!?

Some time ago I created an IRC channel, and what do you obviously want to do if you are the admin of an IRC channel?! create an awesome bot!

So let's create an IRC bot!
First thing was to decide the programming language:
I saw a lot of examples, from RubyPythonC, even Haskell! but all of them were a bit too complex, with tons of lines of code (except C, which was actually my first idea) that were unuseful for me.
So, what did I want?
I wanted something fast to write (I allocated no more than 2 hours for writing the whole code) and  easy to configure, with the following actions:
 - respond when consulted;
 - give a challenge, wait for some time and activate a callback when the timeout expire.

Wait a minute, something silent, event-driven, scalable, non-blocking (should give different challenges to different channel at the same time).. that's the definition written on the home page of node.js!
 Lucky me, somebody already implemented a module for implementing IRC in a really easy way, the code is basically a huge switch for doing different activities based on the message received by the client, with a few additions (a parser, a flood-avoidance), sounds good for me!

So, what is needed in order to configure it?

This:

;

Where config.json is

;

Not bad, uh?!

Then we just have to add some listeners, according to what we want the bot to listen to!

I wanted the bot to listen to the messages said on the channel, and if it sees a keyword ("@challenge"), activate a challenge!

the interface is the following:

;

really easy, so we just have to look at the message (which is a string, so we can/should parse it in a text via split), parse it and look if it contains our beloved string.

when the bot want to say something, all it has to do is just

;

Just that!

NOTE: currently I'm having an issue when a player is leaving a channel, the bot crashes with a ValueError. Quick and dirty solver, put the for content at line 503 in a try/catch statement and it won't happen again.

I just had to implement the logic for supporting challenges, with timeout etc, and that's it!

The implemented logic is really easy, the bot listen for a message starting with "@challenge", then look at the next word, and if there is a challenge with that name. If present, it then loads a challenge, write it to the channel and set a timeout.
If the bot receives a message starting with "@sol", look if there is an active challenge with that name for that channel, check the proposed solution with the actual one, and if the outcome is positive, it delete the timer and gives the prize.

I wanted an easy way to add new challenges, where I didn't have to touch the code, therefore I created a separate file (which has to be called with require), which gives to the bot the following object:



In this way we can create a challenge in a quick and easy way, all you need is just an idea of a challenge.
The only issue is that right now the challenge is intended as a question-answer, without middle-steps, but in that case is just a matter of doing a slight modification to the bot.js, by allowing an array of function as chall and solver, so that we can track the current step.

Link to the github repo.

Have fun!

Monday, October 28, 2013

Transformer: mass deobfuscation of php files

During my job I had to deal woth tons of malicious php files per day, let's say about 1000. Most of the files are obfuscated in various ways, from the usage of php-crypt.com up to amateur obfuscation.
Now, if you have to deal with deobfuscation of a single php file you have several opportunities, from web services (like this) to the great php extension created from Stefan Esser evalhook (here is a link of explanation). These strategies are all good if you have a single file, as all of them require user interaction. But what if you have >1000 PHP files per day, and you want to deobfuscate them daily in order to run some similarity tool!?

Let's begin with the basic:
In PHP we basically have two ways of deobfuscating a file and then execute it:
- simple eval function;
- preg_replace with "e" (dear PHP developers, was that really necessary!? a preg_replace with included eval!?);

The main problems when using Evalhook extension over a big number of files are of two categories:
- Evalhook for every "eval" step asks for confirmation of evaluating the code(and that's ok, we can easily automatize a yes answer);
- The file is actually executed while analyzed (and that's not ok at all!)

So what I basically wanted was a way to use Evalhook in an automatic way, in order to let it run over my 1000 files per day, but at the same time I didn't want to execute any part of the code other than the strict necessary for evalhook to do the job.

Typical example of evalhook usage

This is especially important when we are dealing with files created by one author and then used by several others. Most of the web shells I see, in fact, contains a tiny base64 string which is evaluated at run time and which is in charge of sending an e-mail to the creator of the shell (not the one who is actually using it) letting him know that his shell has been uploaded to a certain server. If we run this kind of files with evalhook, and letting him deobfuscating everything, in fact, it will blindly execute all the code up to the point when it reaches the obfuscated part, provoking any sort of damage to the testing machine.

That's why I created Transformer. The principle of Transformer is exactly the one from above: it explores the code, look for any eval/preg_replace with "e" in the code, isolate them, run evalhook over these single pieces and put these pieces back inside the code, allowing for a safer and better deobfuscation.

Details

Transformer run a regex over the file in order to find possible matches (yes, you understood well, it's regex-based). a regex approach has obviously some limitations derived by the nature of regex, but that's the only way to isolate the obfuscated parts of the files without using a PHP parser (which is a very, very hard thing to do) or directly creating a PHP extension (and we don't want any part of the code to run into PHP, in order to be safe against any possible event).
an example of these regex is listed below:



It's important to notice that these regex are made to work over characters. During my experience I saw that an usual way attackers obfuscate their code, other than eval'ing things, is by substituting some of the characters with its hex correspondent. PHP, in fact, accept hex-encoded characters as instructions without any problem.

half hex encoded half ascii!

That's why the whole code, before being splitted, pass through a "decode_hext" function, which is in charge of decoding any hex character into the corresponding ascii.

Once we isolate our obfuscated part of the code, if we are lucky we just give it to evalhook and obtain the decoded version, but what about things like

$a = obfuscated_string;
eval($a)

Transformer is able to match these use-cases by performing a minimal parsing of the code, in order to do some sort of tainting of the variables involved inside the obfuscated parts and attach all operations involving these variables to the obfuscated code. This is particularly useful when dealing with personalised obfuscation, which obfuscate the code via XOR and other operations (personally I also saw something similar to Caesar cypher).

Once we have a script containing both the obfuscated code and any other operations on the variables used during the obfuscation, we let evalhook do his amazing job, obtaining the deobfuscated code.

The output from evalhook is then put back inside the original code, replacing the obfuscated code.

Where It works

Transformer is not intended to be a universal perfect deobfuscator, its strong points are its ability to decode parts of the scripts in an automatic fashion, catching any small obfuscated piece of code and producing the deobfuscated code. It works great when you have massive amounts of obfuscated files and you need the deobfuscated version in order to look at any similarity between the files.

Where It fails

Transformers does not have any knowledge of PHP. Therefore if the obfuscated script goes through several multiline functions before being evaluated, the deobfuscation will fail. There is also a software which obfuscate the script in such a way that during the deobfuscation the script read itself several time, appending determined bytes one next to each other in order to create a new file that will be deobfuscated.
In these cases there are no automatic procedures that can help, as the deobfuscation must be performed by hand checking every single line of evalhook in order to understand when to stop.

Conclusions

What I presented here is a nice way for automatically deobfuscate different PHP files. Obviously we are not as much precise as in a manual analysis (and we don't want to) but if you collect massive amounts of PHP scripts per day, this can be useful.
I obviously created a github repo for the project, I still have to add some example files, the problem is that I only have malicious obfuscated files which I don't want to publish on my github, so I'm creating something ad-hoc!

Notice: even if this tools is meant for having a safer deobfuscation than just using evalhook on the whole script, I still recommend to let the software run in a virtualized machine without connection to the outer world, in order to minimize possibile dangers.

Sunday, October 27, 2013

Hacklu 2013 - Reverse 150 Write-up

Here we are, second post second write-up.
we are going to analyze the reverse 150, a nice win32 executable called RoboAuth. As always, at the end of this post you will find a link to a github repo with the write-up and the original executable so that you can repeat the challenge.

Let's start!

The introduction to the challenge said that the flag should be written as flag1_flag2, therefore we expect to have some kind of double password check.

As always, we start with a "file" command in order to understand some details about the executable, and we find

RoboAuth.exe: PE32 executable for MS Windows (console) Intel 80386 32-bit

Ok,
time for some Windows VM!

Open it and launch it gives you this nice introduction, followed by a request for a password


Very nice, let's see if we find something interesting in the strings of the program.
Strings in ida give us the position where we find the initial text and the "you passed level 1" string inside the executable, nice!
Looking at the code at the location where we find the "you passed level 1" string, we see A LOT of mov instructions and finally what ever password cracker want to see:
scanf
strcmp
puts


Hey, that's easy! so now we know that the program is simply getting at most 20 chars checking against a fixed string and printing out the result, just run it in a debugger, stopping at that point and see at the compared values.
Personally, I do static analysis on ida and dynamic one on ollydbg as I think ida pro debugger sucks, so here is the screenshot of the memory dump from olly


Great!
now we have the 1st password, "R0b0RUlez!", ok let's move on!

After the first password we are requested for a second one.
As before, we look for another string and we can't find it. Ok, so where is the second check?! well we know that the second check is going to do a puts and a scanf, let's look for that function then!
We discover that there is a second scanf in the function at 40157f, so let's look at it!


As we can see, there is a scanf as in the first password scenario, then a call to 401547 and then a test followed by a puts, nice! usual acquire, check and decision based on the check!
the problem here is that when we put a bp on the call sub_401547 instruction we see that the program won't stop, but instead we are stopped on a int 3 instruction.
Fiu, that means, as we can expect from the end of the function before (ExitProcess), that the program for checking the second password is actually another process launched by the father, so in order to debug we should do very nasty tricks etc etc etc (read: I am lazy, if I have another way to acquire the same information why I should not use it!?).

So what we can do!? well actually we have the executable, so why we can't tamper it? as we can see, the parameters used by the function sub_401547 are in positon [esp+38h+var_34] and var_38, one of them is the string acquired through the scanf and the other one is used during the check.. probably our delightful password! the idea is to display it instead of the string displayed by the puts after the check, bypassing the test (obviously). A bunch of NOPS and the edit of

mov eax, ds:dword_40ada4

into

mov eax, ds:dword_40ad98

will do the trick!


nice! here is our beautiful string, "u1nnf2lg\x02" (\x02 being the little face in win32).
let's look at the check function:


even better, the check is just XORing every byte of the solution and checking it with our buffer up to the byte \x02, a one line python operation:

print "".join([chr(ord(el)^2) for el in "u1nnf2lg"])

and we obtain our second password, w3lldone

I find it to be a really nice way to tamper an executable in order to display memory content we can use, especially when using a debugger would require tracing different processes etc..

In the end.. here you will find the github repo with the original file, the tampered file which display the second password and this writeup.

Enjoy!

Saturday, October 26, 2013

Presentation

Hi, My name is Maurizio Abbà, I'm an Information Technology Engineer with a deep interest in security. My main fields are Web Security and Reverse Engineering (yes, because we love opposites!). That means that I spend most of my time (without considering sleeping, cooking and eating) by writing code, looking at an Ida Pro graph or just looking for how to script an operation that I probably won't repeat over the next five years but which I completely refuse to do it by hand.
I love challenges, therefore I'll write here most of my CTF write-ups (starting from HAckLu 2013), always trying to improve myself. Check out my posts, and if you are interest here is my latest CV (I'm always looking for a job, a collaboration or just a new challenge!) My Amazing CV

Hacklu 2013 - Web 200 writeup

Here we are, my first post.
What is the best way to begin a blog? with a write up of course!
So, I participated at Hacklu 2013, but I only managed to solve 4 challenges, Web 200, Reverse 150 and 400. The challenges were very funny, I'm just sorry for wasting a lot of time on web 150 without figuring out the solution (SQL injection in basic authentication!?! The Horror!).
So here is my wirte up for web 200, very easy challenge in my opinion, but still funny!
So at first we are presented with this web page:

Just an image and an input box with a button: insert a key, display "wrong answer".

First things first, let's look at HTML code:

As you can see, we have a form which, upon the click of the button, will do a POST request to /gimmetv with a key, and a nice little script below called key.js.
Let's take a look at the script then:


The script add a listener on the submit, and will send our AJAX request to the server, receiving a JSON containing a "success" field. The most interesting thing here is obviously the xhr.send function, which has a commented &debug parameter.

Doing the same request with the debug parameter will give us the same response with two new fields, "start" and "end". Looks like a timing attack!
Sending the same request with different letters/numbers and looking at the value end-start we can see how this value will almost be the same for all the letters but one, which will have a significant 0.1 difference from the others.

Things are natural then, let's write a small python script in order to accumulate this value up to the point where "success" is true, and look at the response.



This code is not the most performing one, as It does not stop upon the 0.1 threshold (I wanted to be sure to take the maximum, I didn't care too much about its speed) and it checks also for punctuation characters (same reason, I wanted to be sure to get the right result)

In a matter of seconds we have the solution, in the "response" parameter of the JSON response we see "OH_THAT_ARTWORK!"

Maybe this challenge was too easy for 200 points, I expected to have something obfuscated (as far as I remember last year every javascript code was obfuscated), but still, a nice 5 minute exercise!

I created a github repo where you will find:
the writeup
the solver in python
a server which replicate (more or less) the same behavior as the original one so that you can replicate the challenge!

Enjoy!