25 Jan 2012 @ 12:54 AM 

HackIM scoreboard

 

Malcon 2011 CTM write up – Malcon-CTM-Writeup

NULLCON 2012 HackIM write up – HackIM – danny

Thanks to many people for constant help and support. I won both the CTFs and hope to participate and learn from the newer ones πŸ™‚

Posted By: Dan
Last Edit: 25 Jan 2012 @ 12:56 AM

EmailPermalinkComments (0)
Tags
Categories: CTF, Reverse Engineering

 22 Jul 2011 @ 6:34 PM 

One of my friend and colleague was working on automating Microsoft Attack Surface Analyzer (not going to explain what it is or what it does) for some of the projects. There is nothing much to automate other than generating baseline/product cabs and generating reports. For generating cabs, one has to just run the command asa.exe and you have the cabs in position. But for making reports, one has to run “Attack Surface Analyzer.exe”, select the cabs and press “Generate” button. Not quite scriptable is it? Searched for documentation or any online help, but there was none. Well, it is time for a (very) little bit of reverse engineering πŸ˜€

Microsoft Attack Surface Analyzer

“Attack Surface Analyzer.exe” is a .NET exe. So let us fire up Reflector. Oops, we don’t have free version of Reflector these days (too bad Red Gate). Fortunately we have ILSpy :). Fire up ILSpy and load the exe.
ILSpy

ILSpy have already identified the entry point for us, just click there and we will end up in Main.

Well, game over!

For the sake of completeness, I am posting the command line parameters here.

“Attack Surface Analyzer.exe” /BASELINE “your_baseline.cab” /PRODUCT “your_product.cab” /REPORT “your_report_dir” /USEHTML

Not sure why it was not documented πŸ˜›

Posted By: Dan
Last Edit: 22 Jul 2011 @ 06:45 PM

EmailPermalinkComments (0)
Tags

 16 Nov 2010 @ 4:05 PM 

[This post has been screwed due to Anti viruses claiming plain text as live exploits. I omitted most of the stuffs I planned to post 😐 ]

Many people don’t consider PDF files as a possible threat and oh, well I agree to them(!). It is not the PDF files but the rendering softwares we have to be afraid of. If you think I am referring to those Adobe Reader 0-days popping up periodically, hell yeah, you are RIGHT!. We are going to talk about PDF files, few Adobe Reader vulnerabilities, exploits and malwares that comes along with it πŸ˜‰

You can read about PDF in wiki page. PDF files are binary files with proper formatting and looks like a collection of objects. You can open a PDF file in a text editor or hex editor to view it’s object structure.

pdf file

As you can see PDF files start with a magic header %PDF or %%PDF followed by the spec version number.Β  From next line onwards you can see a pattern emerging, like [obj][data][endobj]. Well, this is the collection of object thing I said earlier. Each object is identified by an ID and a version number. 41 0 obj represents object 41 version 0. You can look into PDF specs for better understanding of the file architecture. You don’t have to understand every details of the spec, but you can specifically look into streams, encodings, java script implementations, acro forms etc… Before going further, I would like to explain a little more about streams. Streams are used to store data(images, text, java scripts etc…) and to make it efficient PDF allows us to use compression and encoding techniques like Flate/LZW/RLE etc. This creates sort of problem for us, we can’t just use text/hex editor for understanding the true content of PDF!. As a programmer I can’t ignore this challenge and I made a tool(PDF Analyzer) to solve this issue. I will use PDF Analyzer throughout this post but you won’t be able to get it as it is still in private build(I will release it…eventually ;)). For now you guys have other options, both commercial and freeware tools are available. I will post some links here.

PDF Dissector by zynamics – commercial

Origami by Sogeti ESEC Labs – freeware

PDF Stream Dumper by Dave – freeware

Various python PDF parsers from Didier Stevens and inREVERSE guys – freeware (search!)

PDF Analyzer is made in C# with only 3 external libraries, zlib(I should have used GZipStream with 2 byte header hack),Β  BeaEngine(Thanks BeatriX) and JSBeautifier(I ported 95% of code from js to C#). I spent around 2 weeks of free time on it. It may not be the fastest PDF parser, but it can handle every ill formatted PDF I have in my repository ;).

pdf analyzerAdobe reader’s top vulnerabilities come from Adobe specific javascript APIs. This gives us a chance to disable javascript and protect us from any of those javascript based exploits. Disabling javascript is crucial but it doesn’t fix vulnerabilities from other parts of Adobe Reader such as embedded image files and flash files.

Now we will look into some of the malware samples which exploits these vulnerabilities. You can find malware sample from many security blogs and I must thank two of my friends who sent a big archive of malware PDFs for analysis and testing :).

pdf analyzer jsThis particular sample splits javascript into three streams and concatenates them using <</Names[(1)6 0 R (2)7 0 R (3)8 0 R]>> which will eventually refer to three objects marked in red. After beautification, it seems it is exploiting one vulnerability existed inΒ  Adobe Reader namely this.media.newPlayer(null).

media newPlayer

It is essentially spraying heap with NOP sled and shellcode and calling the vulnerable function. The shellcode present here is a dropper/downloader, you can dump it to a file and use IDA to disassemble it.

Another PDF file which exploits util.printf is given below.

util printf
Again you can dump shellcode and disassemble with IDA. Another option is to use PDF Analyzers unescape functionality to directly disassemble the shell code.

disassemblyDisassembly starts with pretty straight forward steps to find base address via delta calculation(call – pop – sub). Then it fetches kernel32 base from PEB(fs[0x30])->Ldr.InInitOrder[0].base_address. This will be used to eventually load other modules and APIs.

Malware writers use multiple techniques to protect their payload. Techniques involves obfuscation, multiple and multi-level usage of encoding/compression schemes.

multiple encodingsIf any of you guys have samples that uses multi-level encoding, please send them to me πŸ˜‰ , I would like to test those with PDF Analyzer.

I will conclude the exploit samples by posting the latest exploit for the vulnerability printSeps. This code is retrieved from the PDF posted in full disclosure list.

printSeps
Evil actions of PDF malwares varies from regular password stealer to rootkits. Once you have attained arbitrary code execution, rest will be just imagination of malware writer. As malware writers are mainly targeting Adobe Reader, try to shift to other PDF rendering software or at least update to latest version. There are free PDF readers like Sumatra or GhostScript, try those out and always be cautious when opening a PDF file.

Posted By: Dan
Last Edit: 24 Nov 2010 @ 03:23 PM

EmailPermalinkComments (10)
Tags

 06 Nov 2010 @ 6:09 PM 

Well, it seems people are getting crazy about android platform(everyone is trying to buy an android phone!). I don’t have an android cell phone but, lets see if I can get my hands dirty with this Linux+java clean room engineered platform πŸ˜‰

To begin our journey we need Android SDK, a target to test with and the necessary tools.

You can download the necessary file from these locations:

Android SDK: http://developer.android.com/sdk/index.html

Deurus android crackme 03: http://crackmes.de/users/deurus/android_crackme03/

Smali and baksmali: http://code.google.com/p/smali/

Dex2jar: http://code.google.com/p/dex2jar/

Java decompiler: http://java.decompiler.free.fr/

Download and install android SDK, SDK platform(latest is 2.2 at the time of writing), necessary java packages and rest of the tools. Create a virtual device from SDK menu and start emulation. Within few minutes you can see the emulator booting up and showing the phone screen. Well, thats it! we have our emulator up and running.

Now we need to install the software(crackme, its legal!) to the emulator. For that you may have to get acquainted with android debug bridge(adb).Β  Installing a apk file is pretty simple, all you have to do is to run two commands from android SDK directory/tools.

adb install

After the installation you can see the crackme icon from application menu.

android emulator

Now run the crackme by clicking on it. If everything went as expected you will see the crackme application on the screen.

android crackme

Now we will play with it, pressing check button with no inputs pops a message “Min 4 chars”, and with a proper name it pops up “Bad boy”. We have to remember these strings because we will be using them as our search keys when we dis assemble the apk(actually dex) files. Also note that we have two hardware ids and we need to find out what those exactly means.

As our crackme is up and running in emulator, we now move onto reversing it. If you have read apk file format, you can visualize it as a extended jar file which essentially is a zip file. Now you can change the crackme file name from Crackme03.apk to Crackme03.zip and decompress it to any folder.

apk file

Now the interesting file for us is classes.dex, which contains the compiled vm codes. We are going to disassemble the dex file with baksmali. Commands are pretty simple as you can see from screen shots.

baksmali disassembly

If everything worked fine, we will have a folder structure similar to java packages. Interesting .smali files are located at “\com\example\helloandroid”. Open all the .smali files into your favorite text editor(I use NPP). If you have never done anything related to reverse engineering/esoteric programming/assembly(IL) programming, you will probably think: WTF!. Relax. We have just opened a disassembled dex file. Now, if you are thinking how on earth someone can find the correct location of checking function, I hope you remember those pop up strings I told earlier. Yeah, “Min 4 chars” and “Bad boy”. Now we will use those strings as our search keys. Searching “Min 4 chars” in all the opened .smali files, we will find a hit in HelloAndroid$2.smali line 130.

dex disassembly(I just applied java syntax highlighter as I don’t have dalvik syntax files)

Our aim is to understand the serial checking function and write a keygen for it. For that we have to know all the dalvik opcodes that are used here. You can visit this page to understand the opcodes and after that you can convert disassembled code to much higher language constructs. I will provide a briefΒ  code snippet which actually implements the algorithm. Two hardware ids used are IMEI and sim serial number.

//Read name from text box
const v23, 0x7f050004
invoke-virtual/range {v22 .. v23}, Lcom/example/helloandroid/HelloAndroid;->findViewById(I)Landroid/view/View;
move-result-object v9

//Read serial from text box
const v23, 0x7f050006
invoke-virtual/range {v22 .. v23}, Lcom/example/helloandroid/HelloAndroid;->findViewById(I)Landroid/view/View;
move-result-object v21

//Checking whether the name is of length greate than 4
const/16 v22, 0x4
move v0, v11
move/from16 v1, v22
if-ge v0, v1, :cond_51

//Popup showing Min 4 chars
const-string v23, "Min 4 chars"
const/16 v24, 0x1
.line 86
invoke-static/range {v22 .. v24}, Landroid/widget/Toast;->makeText(Landroid/content/Context;Ljava/lang/CharSequence;I)Landroid/widget/Toast;
move-result-object v13
.line 88
.local v13, notificacionToast:Landroid/widget/Toast;
invoke-virtual {v13}, Landroid/widget/Toast;->show()V

//There is a little exception trick to make integer string from username
//It converts aaaa to 97979797 which is ascii equivalent
invoke-virtual {v10, v5}, Ljava/lang/String;->charAt(I)C
move-result v3

//Getting first 5 chars from ascii converted name
const/16 v22, 0x0
const/16 v23, 0x5
move-object v0, v12
move/from16 v1, v22
move/from16 v2, v23
invoke-virtual {v0, v1, v2}, Ljava/lang/String;->substring(II)Ljava/lang/String;

//Converting it into integer and xoring with 0x6B016   - Serial part 1
invoke-static {v12}, Ljava/lang/Integer;->parseInt(Ljava/lang/String;)I
move-result v22
const v23, 0x6b016
xor-int v22, v22, v23

//Getting IMEI from TelephonyManager
//http://developer.android.com/reference/android/telephony/TelephonyManager.html
invoke-virtual {v8}, Landroid/telephony/TelephonyManager;->getDeviceId()Ljava/lang/String;
move-result-object v6
.line 102
.local v6, imei2:Ljava/lang/String;

//Getting sim serial
invoke-virtual {v8}, Landroid/telephony/TelephonyManager;->getSimSerialNumber()Ljava/lang/String;
move-result-object v16
.line 103
.local v16, simsn:Ljava/lang/String;

//Getting first 6 chars from IMEI, and similarly from sim serial (IMEI.Substring(0,6) will be used as Serial part 3)
const/16 v22, 0x0
const/16 v23, 0x6
move-object v0, v6
move/from16 v1, v22
move/from16 v2, v23
invoke-virtual {v0, v1, v2}, Ljava/lang/String;->substring(II)Ljava/lang/String;

//Converting them to integer and xoring    - Serial part2
invoke-static/range {v19 .. v19}, Ljava/lang/Integer;->parseInt(Ljava/lang/String;)I
move-result v22
invoke-static/range {v20 .. v20}, Ljava/lang/Integer;->parseInt(Ljava/lang/String;)I
move-result v23
xor-int v22, v22, v23

//Making a new StringBuilder object and formatting the string to part1-part2-part3
new-instance v22, Ljava/lang/StringBuilder;
invoke-static {v12}, Ljava/lang/String;->valueOf(Ljava/lang/Object;)Ljava/lang/String;
move-result-object v23
invoke-direct/range {v22 .. v23}, Ljava/lang/StringBuilder;-><init>(Ljava/lang/String;)V
const-string v23, "-"
invoke-virtual/range {v22 .. v23}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;
move-result-object v22
invoke-static/range {v17 .. v18}, Ljava/lang/String;->valueOf(J)Ljava/lang/String;
move-result-object v23
invoke-virtual/range {v22 .. v23}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;
move-result-object v22
const-string v23, "-"
invoke-virtual/range {v22 .. v23}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;
move-result-object v22
move-object/from16 v0, v22
move-object/from16 v1, v19
invoke-virtual {v0, v1}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;
move-result-object v22

//Checking whether user entered serial and program made serials are equal.
invoke-virtual {v14, v15}, Ljava/lang/String;->equals(Ljava/lang/Object;)Z

As you can see, the algorithm is pretty straight forward. It is using name and two hardware ids as input and doing some operations on them to make a serial.Β  We can easily recode it in any programming language we prefer to make it as a keygen. Anyway, I am not posting any keygen sources as it will spoil the whole phun!

A demonstrative serial calculation routine is given below:

Name: aaaaa

HW ID1: 0000000000000000

HW ID2: 89014103211118510720

“aaaaa” will be converted to “9797979797”, from which we will take first 5 letters and convert it into integer 97979. This will be xored with 0x6B016(438294 in base to 10) resulting 511661 and this will be first part of serial. For second part, we will take first 6 letters from HW ID1 and HW ID2, convert them to integer and xor, resulting 000000^890141 = 890141. For third part we will use first 6 characters from HW ID1. Formatting with the specified delimiter the serial will become “511661-890141-000000”.

generated serial

Bingo! everything worked as expected. Now, for all those who thinks it is pretty hard to read all those disassembled instructions and manually converting them to higher language constructs, there are other options. As dalvik is based on design of java, it is also susceptible to decompilation. There is no decompiler available at this moment, but there is hope. For now we can use another utility which converts dex files to jar files so that we can use java decompilers to see much more abstracted code. From starting of this blog post you may have noticed the tool dex2jar. Use dex2jar to convert classes.dex to classes.dex.dex2jar.jar. Open it in a java decompiler and you can see much better output than dalvik disassembly. Please note that dex2jar is still in development phase and the output is meaningless at many places. This should be used only to get a quick understanding of all the functions called.

java decompiler

Well, thats it! We have analyzed an android program and defeated its protection. Cheerio!

Posted By: Dan
Last Edit: 14 May 2012 @ 05:54 PM

EmailPermalinkComments (20)
Tags

 10 Oct 2010 @ 4:02 PM 

Few days earlier one of my friend was bragging about OOPS concepts and how it protects private variables and sensitive data from outside world. I tried to explain that once it is being loaded to memory, we can access and change whatever you want with a suitable debugger. As per the saying “people won’t believe until they see”, I had to write a little bit of code to show that it is fairly easy to use reflection and there is no need for good old WinDbg for this simple thing :).

class MySecretClass
{
	private string mySecretinfo;
	public MySecretClass()
	{
		mySecretinfo = "dead-c0de";
	}

	public string GetMySecretInfo()
	{
		return mySecretinfo;
	}
}

private void btnNormal_Click(object sender, EventArgs e)
{
	MySecretClass mySecretClass = new MySecretClass();
	MessageBox.Show(mySecretClass.GetMySecretInfo());
}

private void btnReflection_Click(object sender, EventArgs e)
{
	MySecretClass mySecretClass = new MySecretClass();

	FieldInfo fi = typeof(MySecretClass).GetField("mySecretinfo", BindingFlags.NonPublic | BindingFlags.Instance);
	fi.SetValue(mySecretClass, "You are dead!");
	MessageBox.Show(mySecretClass.GetMySecretInfo());
}

Posted By: Dan
Last Edit: 10 Oct 2010 @ 04:14 PM

EmailPermalinkComments (1)
Tags
Categories: C#

 03 Oct 2010 @ 12:08 AM 

Executing batch files in UAC enabled Windows Vista/7 is a pain when the batch file is gonna make any changes to the restricted folders like windows or system32. UAC will just block any attempts to create or modify files from the protected folders. Hopefully there is an option to execute it with admin privileges by right clicking on bat file and selecting “Run as administrator”. This creates little trouble with current path. If bat is executed normally, it’s current path is the folder where bat resides, but if it is “Run as administrator” current path becomes \windows\system32. This will become a problem if we are trying to access a file which resides in the same folder as bat file. This problem can be resolved pretty easily by enabling command extensions and setting current path using %~dp0.

@setlocal enableextensions
@cd /d "%~dp0"

Posted By: Dan
Last Edit: 05 Oct 2010 @ 05:24 PM

EmailPermalinkComments (1)
Tags
Categories: Batch File, UAC

 27 Sep 2010 @ 11:37 AM 

We have seen dynamic IL compilation in managed environment and shellcode execution in unmanaged environment like C. What I present here is shellcode execution from C#. This particular trick uses CallWindowProc which were used by earlier VB6 programmers for inlining ASM in to the code or used LoadLibrary/GetModuleHandle and CallWindowProc for dynamic method invocation. There are couple of extra steps to work it in a managed environment, mainly due to Garbage Collector and *managed* nature.

namespace Shell
{
    class x86Shell
    {
        [DllImport("user32")]
        private static extern int CallWindowProc
            (IntPtr lpPrevWndFunc, int hWnd, int Msg, int wParam, int lParam);

        public unsafe int Add(int a, int b)
        {
            // 8B45 0C         MOV EAX,DWORD PTR SS:[EBP+C]
            // 8B5D 10         MOV EBX,DWORD PTR SS:[EBP+10]
            // 03C3            ADD EAX,EBX
            // C2 1000         RET 10

            // 4 parameter can be passed to CallWindowProc and can be adressed from 0x0C, 0x10, 0x14 and 0x18
            byte[] shellCode = { 0x8B, 0x45, 0x0C, 0x8B, 0x5D, 0x10, 0x03, 0xC3, 0xC2, 0x10, 0x00 };
            fixed (byte* bytePointer = shellCode)
            {
                IntPtr pointer = (IntPtr)bytePointer;
                return CallWindowProc(pointer, a, b, 0, 0);
            }

        }
    }
}

Compile with /unsafe enabled. Well, the question remains… What is the use of these kinda techniques? may be some malware writers will use it(if malwares are coded in a managed language πŸ˜› ) or some .NET obfuscator/protectors can use it to make reverse engineering a little harder(though they have to have both x86 and x64 version of the code)

Posted By: Dan
Last Edit: 27 Sep 2010 @ 11:46 AM

EmailPermalinkComments (7)
Tags
Categories: C#, Shellcode

 17 Sep 2010 @ 6:19 PM 

Well, This is the first post here and its kind of off-topic for me too. Anyway, we were doing some random stuffs and a requirement popped to make a internet connection from GSM module and send a GET request to a particular website which hosts the particular page that does the post processing of the information. I am listing the commands that were used to connect to GPRS and send TCP packets to web server. This can be also used for accessing FTP and other services hosted by different providers.

This is the GSM module we used for testing it.

We tested with a Airtel SIM and it works good πŸ™‚
AT+CGATT=1
AT+CGDCONT=1,"IP","airtelgprs.com"
AT+CDNSCFG="202.56.231.117"
AT+CSTT="airtelgprs.com","",""
AT+CIICR
AT+CIFSR
AT+CIPSTATUS
AT+CIPHEAD=1
AT+CDNSORIP=1
AT+CIPSTART="TCP","www.google.com","80"
AT+CIPSEND
>GET / HTTP/1.1
Host: www.google.com
Connection: Keep-Alive
Accept: */*
Accept-Language: en-us

Just use any compatible Terminal software and make sure you end the GET request with 2 CR LF.

Posted By: Dan
Last Edit: 05 Oct 2010 @ 05:26 PM

EmailPermalinkComments (0)
Tags
Categories: Hardware





 Last 50 Posts
Change Theme...
  • Users » 1
  • Posts/Pages » 19
  • Comments » 41
Change Theme...
  • VoidVoid « Default
  • LifeLife
  • EarthEarth
  • WindWind
  • WaterWater
  • FireFire
  • LightLight

About



    No Child Pages.