Mongii, part of the Saphead’s binary analysis team, took the time to create the comic alongside the other Saphead’s and he did a great job may I point out!

Hopefully we’ll be able to produce more work in this form after the Defcon finals .

You can find the comic at:
http://hackerschool.org/DefconCTF/17/B300.html

Any feedback is appreciated as always!

Please spread the word where applicable and feel free to leave a pingback if you like. Thank you!

I hope you enjoy the comic as much as I did .

“That has got to be the coolest write up, ever, in the history of ever.” – DarkTangent. Glad you like it DarkTangent .

It was also nice to see the comic featured on HackADay at http://hackaday.com/2009/07/14/binary-reversing-comic/ .

KOrUPt.

During the qualification round I took a brief look over this challenge and was able to locate the upload scripts and made a note of the SQL commands contained within the files you could download(once they were unpacked)… However I got sidetracked with Binary Analysis so I left this challenge to my team, unfortunately we didn’t solve it… Which makes this write up all the more interesting .

As usual you can find it over at Pastie:

http://pastie.org/505249.txt

I’ll have it mirrored locally in a few days.

Nice work Adc! I’m about to read over it now .

KOrUPt.

I’ve added some custom themes and a theme selection tool so you can revert back to the old one should you not like the current one, however I don’t recommend it.

I’ve also added quite a few more widgets and plugins, you can now receive email updates simply by subscribing(see the Notifications form to the right)…

For those interested I’ve integrated my Twitter account with this theme, so you can see what I’m up to on a daily basis.

Furthermore I’ve surveyed and updated the security settings and enhanced the search feature…

I took the time to remove some of the clutter from the sidebar too .

Hope you like the new look, I’m open to suggestions.

Just a quick update.

KOrUPt.

Let me start by saying me nor my team take any credit for this write up, it’s unclear as to who the author is but my guess is ADC of Loller Skaters produced it? Please correct me if I’m wrong in this assumption.

The write up can be found over at Pastie:

http://pastie.org/510841

I’ve also mirrored it locally just incase, it can be found here:

http://korupt.co.uk/defcon/T400Writeup.txt

I strongly recommend you view the above write up within a web browser(preferably Firefox).

To the author of the above guide, very nice work . My team and I didn’t manage to solve the T400 challenge during the qualification round. If you’d like me to update the above links please leave a comment and I’ll do so at the earliest opertunity.

KOrUPt ~ Sapheads.

For those interested in solving the Crypto Badness 400 challenge of the Defcon quals…
Hahah did a very good write up, which can be found at:

http://beist.org/defcon2009/defcon2009_crypto400_solution.txt

Good work Hahah, looking forward to any others you may do .

Thanks to T1g3r for bringing the article to my attention :p.

Enjoy!

KOrUPt.

Edit: Author updated.

This year we put forward a new and considerably stronger team than last year and we decided to go by the name of “Sapheads”, for those wondering, the definition of a “saphead” is an “idiot”, this name was chosen out of comedic value with [I assume] the intention of having a touch of irony to it… Similar to Lastplace, who tend to end up in first place (props @tlas and co ).

In fact, our team this year is the combined force of three of last years teams…

We finished 11th,  after 48 hours of what seemed to be near non-stop analysis, I got a passive 4 hours sleep during that period.

Our final result I think goes to show just how important it is to be well prepared, organized and to communicate correctly. Our team members excelled themselves and without the collaboration between us I doubt we’d of done as well as we did…

Binary Leetness 400 is a prime example of this, I served as my teams binary analyst. 85MB’s of JPEG’s… To a binary analyst, that doesn’t mean much… Though I was able to put together some of the puzzle. After handing the file down to our teams forensics expert, he eventually came back to us with an executable which I was able to provide an analysis of… That said, without his efforts, we wouldn’t have solved the challenge.

During the qualification rounds, good resource utilization is also helpful… Thinking about it, I did initially intend to stock 20 or so energy drinks, don’t know what happened to that plan though.

I think most of our team this year were a bit apprehensive once they’d learned that Kenshoto had stepped down and Ddtek opted to fill their shoes(props to you guys!)… I know I was! None of us were sure what to expect this year.

My initial impression wasn’t a very good one, the scoreboard was very slow to begin with and some of the services were periodically updated which threw a few of us off during mid-analysis. However, I have to admit the Ddtek crew did a very very good job to resolve the issues at hand, after a while things where once again bearable and all went well. I think I speak for everyone when I say we all had a great time!

Our team did solve all of the Binary Leetness challenges, which is something I’m proud of. We’ll be doing write up’s soon, as it stands I’ve already done a write up for the Binary Leetness 300 challenge, which can be found via a quick search.

Currently we intend to solve some of the challenges we weren’t able to solve during the qualification rounds and hopefully do write up’s of their solutions.

That said, I’m just one side of this team, you can find the rest of us over at http://www.sapheads.org, I’ll be mirroring most of the content here over there, with the intention of having a more centralized source of information for you all . I hope you all drop by sometime .

I’d like to conclude this post by extending a very big thank you to the ddtek team, and of course Kenshoto, who also put on a very good game over the years.

To my team, very good job, we will only continue to get stronger .

DDTek, best of luck handling the CTF at Defcon, I’m sure you’ll do well… P.S Mars, let me know how it goes if possible .

That just about wraps this article up for now I think… At this rate I’ll have to make a category specifically for Defcon related content .

References:

http://www.sapheads.org/ < our team.

http://ddtek.biz/ < this years ctf organizers.

http://shallweplayaga.me/ < VedaGodz.

http://brycekerley.net/blog/2009/06/trivia300.html < Bryce’s T300 solution.

Signing off.

~ KOrUPt.

Feedback appreciated!

Note: your anti-virus may detect the below archive as infected, it contains the b300 binary, which is packed. This is a false positive, I recommend you disable your AV.

http://korupt.co.uk/defcon/B300Writeup.rar

I’ll be posting a more in-depth overview of my experience at the quals shortly.

Enjoy!

KOrUPt ~ Sapheads.org.

First things first, I apoligise for the drought in new posts, I’m very busy at the moment dealing with real life problems and such…

Now on to what I actually wanted to write about.

Recently a friend of mine asked me if I’d like to write a few RE challenges and Wargame services for him… I thought this would be fun and I’ve had a few crafty idea’s . The intended platform is a currently undecided Linux distribution. This post documents some of my idea’s and thoughts on the matter :p.

I was thinking about creating some stripped bins and having some fun with RAW sockets, SSL certs, FLIRT signatures, kernel modules and a few other things, if all goes to plan this could be a fun adventure…

Drunken TCP servers and custom encryption schemes come to mind :p.

I was wondering if any of my readers have any idea’s for services I could implement and such?

I’d also like some opinions on how you’d go about throwing together some of the aforementioned things.

As I mentioned earlier, I’m very busy with real lifes issues at the moment so I don’t have much free time. So it could be a while before I actually implement these services.

I’m thinking of setting up an environment similar to the Defcon quals.

If anyone has any feedback or suggestions I’d love to hear them.

If you’d like to lend a hand in implementing a few services don’t hesitate to contact me. Support is something I need at the moment .

Hope to hear from you all. Spread the word where applicable.

KOrUPt.

For those not familiar with Defcon CTF, it’s basically a contest that consists of seven teams of highly skilled individuals. Each team must defend their server and attack the other teams server. For a more in depth description I’ll refer you to this page:

• http://nopsr.us/ctf2008/overview.html

Now before you go on reading this article… I want to point out that I was unable to get this binary to function correctly(or at all for that matter) on my FreeBsd 6.4 VM… So the write up I’m presenting here is mainly the outcome of my time spent performing static analysis and thus it may be incorrect. I’m hoping that if I am incorrect in my solution that someone may be able to correct me.

Well, of course we start by downloading the binary in question, you can find it here:

• http://nopsr.us/ctf2008/binaries/catdoord

Thanks go out to 1@stPlace for uploading the binaries , If you guys are reading this, I’d really like to hear from you.

We start by checking the file type:

[KOrUPt@Area51 /usr/home/KOrUPt/defcon]$ file catdoord
catdoord: ELF 32-bit LSB executable, Intel 80386, version 1 (FreeBSD),
dynamically linked (uses shared libs), stripped

No debug symbols, this makes disassembling with GDB rather awkward. But it isn’t a problem in this case as I’m using IDA.

I’ll be focusing on explaining the main callback procedure of this binary as the initial routines are near enough the same throughout every other available service. Just to outline the basic functionality:

1. Listen for connections on port 4341.
2. Drop “catdoor”’s user privileges.
3. Accept incoming connections and enter the client callback routine.

The callback routine in question can be found at the following address:

• 0×080493C0

Upon starting my initial analysis of the callback routine I used HexRays IDA decompiler plugin. This helped simplify a fair amount of the code.

I could see a few uninitialized variable’s being passed to memcpy:

pSzChar = &szChar;
pStruct = &struct[i++]; // 'i' is globally defined
memcpy(pStruct, &szChar, 8u);

the unknown structure is defined as follows:

.bss:0804A7C0 struct          struct_0 200h dup()

Regarding the calls to memcpy(), we see similar code throughout or analysis, this kept me wondering for quite a while but eventually I came to the conclusion that it must be a red-herring of sorts. I’ll go into more detail shortly.

Continuing our analysis we see a few calls to unknown functions, after a little time analysing them, it’s clear that the first seems to be a wrapper for the recv() function.

Its code is as follows and as you can see I’ve named this function “RecvData”:

; int __cdecl RecvData(SOCKET sock, char *buf)
.text:08049338 RecvData        proc near               ; CODE XREF: callback+70
.text:08049338
.text:08049338 fd              = dword ptr -8
.text:08049338 nbytesRecvd     = dword ptr -4
.text:08049338 sock            = dword ptr  8
.text:08049338 buf             = dword ptr  0Ch
.text:08049338
.text:08049338                 push    ebp
.text:08049339                 mov     ebp, esp
.text:0804933B                 sub     esp, 8
.text:0804933E                 mov     [ebp+nbytesRecvd], 0
.text:08049345                 mov     edx, [ebp+fd]
.text:08049348                 lea     edx, [esp+8]    ; first function parameter
.text:0804934C                 mov     eax, edx
.text:0804934E                 mov     [ebp+fd], eax
.text:08049351                 sub     esp, 4
.text:08049354                 push    8               ; size_t
.text:08049356                 push    [ebp+fd]        ; void *
.text:08049359                 mov     eax, ds:i
.text:0804935E                 shl     eax, 3          ; counter << 3
.text:08049361                 add     eax, offset struct
.text:08049366                 push    eax             ; void *
.text:08049367                 inc     ds:i
.text:0804936D                 call    _memcpy
.text:08049372                 add     esp, 10h
.text:08049375
.text:08049375 recvLoop:                               ; CODE XREF: RecvData+5C
.text:08049375                 push    0               ; flags
.text:08049377                 push    4096            ; len
.text:0804937C                 push    [ebp+buf]       ; buf
.text:0804937F                 push    [ebp+sock]      ; s
.text:08049382                 call    _recv
.text:08049387                 add     esp, 10h
.text:0804938A                 mov     [ebp+nbytesRecvd], eax
.text:0804938D                 cmp     [ebp+nbytesRecvd], 4095
.text:08049394                 jg      short recvLoop
.text:08049396                 sub     esp, 4
.text:08049399                 push    8               ; size_t
.text:0804939B                 dec     ds:i
.text:080493A1                 mov     eax, ds:i
.text:080493A6                 shl     eax, 3
.text:080493A9                 add     eax, offset struct
.text:080493AE                 push    eax             ; void *
.text:080493AF                 push    [ebp+fd]        ; void *
.text:080493B2                 call    _memcpy
.text:080493B7                 add     esp, 10h
.text:080493BA                 mov     eax, [ebp+nbytesRecvd]
.text:080493BD                 leave
.text:080493BE                 retn

Again, we see more operations taking place in regard to these mysterious structures. After going over the disassembly it’s worth noting that the data we send to this service does not appear to effect any variable’s used in the operations involving the unknown structure’s. Given we are trying to exploit the service I cannot see how the use of these structures may present a vulnerability and it is for this reason I decided to divert my attention to the other parts of the code.

Whilst writing this a quick thought has come to mind, unfortunately I’m unable to put this theory to the test at the moment, but perhaps an overflow condition is created during the receiving of data over the socket, which in turn overwrites the address of the functions local variable’s and the hardship is that of trying to keep the service up and running? This would address my later concern(which I’ll mention shortly). Any comments?

Disregarding my above sentiments, I shall continue with my explanation.

Just after the call to RecvData(), we’ve a second function being called, this one I’ve decided to call “WriteData”. Its code is as follows:

size_t __cdecl WriteData(int a1, void *buff, size_t length)
{
void *pStruct; // ST00_4@1
char *envHome; // eax@1
FILE *pFile; // eax@1
size_t bytesWritten; // eax@3
size_t pBytesWritten; // [sp+41Ch] [bp-Ch]@1
char filename; // [sp+10h] [bp-418h]@1
FILE *pFile2; // [sp+Ch] [bp-41Ch]@1
void *localStruct; // [sp+8h] [bp-420h]@1
 
pBytesWritten = 0;
memset(&filename, 0, 1024u);
pFile2 = 0;
localStruct = &localStruct;
pStruct = &struct[i++];
memcpy(pStruct, &localStruct, 8u);
envHome = getenv("HOME");
snprintf(&filename, 1024, "%s/.ssh/authorized_keys2", envHome);
pFile = fopen(&filename, "w+");
pFile2 = pFile;
if ( pFile )
{
bytesWritten = fwrite(buff, 1u, length, pFile2);
pBytesWritten = bytesWritten;
if ( (signed int)bytesWritten >= 0 )
fclose(pFile2);
}
--i;
memcpy(localStruct, &struct[i], 8u);
return pBytesWritten;
}

Again we see more operations involving our structures. But more importantly we can see that this code is overwriting the “~/.ssh/authorized_keys2″ file with the data we received over our socket earlier.

In theory, we should be able to generate a pair of DSA keys(public and private), overwrite the authorized_keys2 file with our public key and login via SSH using our chosen passphrase.

To further your understanding of this concept, I’ll quote a web page I read prior to writing this:

DSA key generation
-
While RSA keys are used by version 1 of the ssh protocol, DSA keys are used for protocol level 2, an updated version of the ssh protocol. Any modern version of OpenSSH should be able to use both RSA and DSA keys. Generating DSA keys using OpenSSH’s ssh-keygen can be done similarly to RSA in the following manner:

“% ssh-keygen -t dsa”

Again, we’ll be prompted for a passphrase. Enter a secure one. We’ll also be prompted for a location to save our DSA keys. The default, normally ~/.ssh/id_dsa and ~/.ssh/id_dsa.pub, should be fine. After our one-time DSA key generation is complete, it’s time to install our DSA public key to remote systems.

-

DSA public key install
-
Again, DSA public key installation is almost identical to RSA. For DSA, we’ll want to copy our ~/.ssh/id_dsa.pub file to remotebox, and then append it to the ~/.ssh/authorized_keys2 on remotebox. Note that this file has a different name than the RSA authorized_keys file. Once configured, we should be able to log in to remotebox by typing in our DSA private key passphrase rather than typing in our actual remotebox password.

Once we’ve SSH access there are many things that can be done. As I’m sure you’re aware of. On that note, we have effectively gained a means towards unauthorized access to the target machine(this being a game, we’re not breaking any laws :p).

Now to address my earlier concern… This is too easy! From my past experiences most Defcon services are rather complex, this service just doesn’t seem to be on the same level as the past ones I’ve faced. Thus for some reason I cant help but think I’m wrong in this explanation…

Well, given my current time constraints I’ll wrap this up here.

Please do not hesitate to leave me a comment and as always I hope you liked the read.

I’ll be having a go at some of the other Defcon binaries soon so stay tuned for more writeups .

KOrUPt.

• http://korupt.co.uk/?p=115

If a custom exception handler is in place the default Windows Error Reporting dialog will not be triggered and we wont have the chance to attach to our process using the JIT debugger… This is not what we want.

So, how do we go about restoring the default exception handler?

The default exception handler is always the last handler within the exception chain. A custom exception handler is set up like follows:

push NewHandler  ; address of our new exception handler
mov  eax, FS:[0] ;
push eax         ; address of previous exception handler
mov  FS:[0], ESP ; write the new handler

Assuming this is the first custom exception handler within our chain, the previous handler is in fact the default Kernel32 exception handler. We’ll need the address of this handler should we want to restore it. Note that the address of this handler is version specific.

if we check [EAX + 4] in OllyDbg’s dump window we’ll see the following:

0012FFE0 A8 9A 83 7C

Intel’s x86 architecture uses little endian, so we end up with an address of:

• 0×7C839AA8

This is the address of our default exception handler. So how do we go about overwriting the custom exception handler?

This task is rather trivial, the following code can do this for us:

mov  eax, fs:[0]
mov  [eax + 4], 0x7C839AA8
int 3 ; throw that exception!

No longer do we have to worry about custom exception handlers wreaking havoc.

It’s worth pointing out that there are various other methods we can use to stall a process, polymorphic breakpoints and the typical JMP -2 tactics are often useful should for some reason a typical INT 3 instruction turn out to be sub-standard.

We’ll, as always I look forward to reading your comments and such. I hope you enjoyed the read.

KOrUPt.