Tuesday, March 31, 2009

Sean eternos los laureles... (May the laurels be eternal...)

It seems there is an unusual number of computers infected with the Conficker worm, the Paris Hilton of worms (quoting some blog whose URL I lost), in Argentina, as this CAIDA research shows: http://www.caida.org/research/security/ms08-067/conficker.xml



Argentina stands out as having a disproportionately large number of infected IP addresses.

Two theories:
o Either the Conficker worm was created here (yes, I'm talking about you),
o or their version of the MS08-067 exploit works pretty well on Spanish Windows.

If tomorrow morning, when you are reading the news, you start seeing a lot of Maradona pictures, you will know the correct answer.

Monday, March 30, 2009

Small tools, Big hearts: A guide to Caring for your little tool

Dear Diary,
Bas always says that exploiting is nothing more than intelligent debugging. I agree, especially because I probably have a couple of weeks scheduled ahead for more debugging...

So if that's your case too, let me give you a hand:

Let's say you are planning your heap primitive. These days, you have to aim for something like the Lookaside single-list pointer, the Bitmask trick (a.k.a. a free chunk smaller than 1024 bytes that is the only entry of its freelist, or just a free chunk) or any other of the Brett Moore tricks.

The point is that you need a specific heap layout so that, when the actual overwrite happens, you modify exactly the chunk you planned to. That takes a lot of time, brain cells and a basket of trial and error.
To help you cut that time down, we wrote this simple hook script, which has been in ID (Immunity Debugger) for years:


!chunkanalizehook -a ADDRESS (exp)
ADDRESS of the place where you want to set a hook
(exp) expression to calculate the chunk address

The basic idea is that you set the hook on the code address right before the actual overwrite happens, and it will automatically dump the chunk given by the "expression" argument plus the next couple of chunks.
For example, let's say you have this piece of code:

402020: MOV EDI,DWORD PTR DS:[EAX]
402022: SHR ECX,2
402025: REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]


When EIP reaches 402022 (right after the MOV), EDI points to the data of the chunk that is about to be written, i.e. the destination of the REP MOVS, which is the chunk that overflows into its neighbour. So what you have to do is point chunkanalizehook at the beginning of that chunk, which is 8 bytes (one heap header) before the data:

!chunkanalizehook -a 0x402022 EDI - 0x8

Now you can run your exploit; each time that opcode gets executed, you will see the heap dump in the Immunity Debugger Log window (Alt+L):


034CBC58 > Hit Hook 0x00402022, checking chunk: 0x034cbc58
===============================================
0x034cbc58> size: 0x00000520 (00a4) prevsize: 0x00000050 (000a)
heap: *0x00000000* flags: 0x00000001 (B)
0x034cc178> size: 0x00000410 (0082) prevsize: 0x00000520 (00a4)
heap: *0x00000000* flags: 0x00000000 (F)
next: 0x035fd930 prev: 0x034c0178
0x034cc588> size: 0x000002a8 (0055) prevsize: 0x00000410 (0082)
heap: *0x00000000* flags: 0x00000001 (B)


The first chunk is the overwriting chunk; the second one is the chunk that is about to get modified (note that its prevsize, 0x520, matches the size of the first one, which is how you confirm they are really adjacent).
Seems I'm not lucky yet; hopefully you are.
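As an added illustration (this is not the original PyCommand, which lives in Immunity Debugger's PyCommands folder), here is a stand-alone Python model of what the hook does on each hit: evaluate the expression against the register snapshot, decode the 8-byte Windows XP heap headers starting at that address, and dump a few chunks forward. It adds one check a practitioner wants after the REP MOVS has run: a chunk whose PreviousSize disagrees with the size of the chunk before it is flagged as corrupted, which is exactly what a clobbered header looks like. The memory image, register values and overflow payload are constructed to reproduce the dump above; wiring it to live memory (for instance via `imm.readMemory` inside a real PyCommand) is assumed, not shown.

```python
import re
import struct

# Windows XP/2003 _HEAP_ENTRY header: 8 bytes, Size and PreviousSize stored in
# 8-byte units, which is why the dump above shows pairs like "0x520 (00a4)".
GRANULARITY = 8
HEADER_SIZE = 8
HEAP_ENTRY_BUSY = 0x01        # chunk is allocated ("B" in the dump); clear means free ("F")
HEAP_ENTRY_LAST_ENTRY = 0x10  # last chunk of its segment: stop walking

_EXPR_RE = re.compile(r'^[\sA-Za-z0-9_+\-*()]*$')


def eval_chunk_expr(expr, regs):
    """Evaluate a hook expression such as 'EDI - 0x8' against a register snapshot (dict)."""
    if not _EXPR_RE.match(expr):
        raise ValueError("unsupported characters in expression: %r" % expr)
    # Replace register names by their values; other identifiers (e.g. the 'x8' of 0x8)
    # are left alone. eval() gets no builtins and only a whitelisted character set.
    text = re.sub(r'[A-Za-z_]\w*',
                  lambda m: hex(regs[m.group(0).upper()]) if m.group(0).upper() in regs
                  else m.group(0), expr)
    return eval(text, {"__builtins__": {}}, {}) & 0xffffffff


def parse_entry(mem, base, addr):
    """Decode the header at addr; free chunks also carry Flink/Blink right after it."""
    off = addr - base
    size_u, prev_u, _seg, flags, _unused, _tag = struct.unpack_from('<HHBBBB', mem, off)
    entry = {'addr': addr, 'size': size_u * GRANULARITY,
             'prevsize': prev_u * GRANULARITY, 'flags': flags,
             'busy': bool(flags & HEAP_ENTRY_BUSY), 'corrupted': False}
    if not entry['busy'] and off + HEADER_SIZE + 8 <= len(mem):
        entry['flink'], entry['blink'] = struct.unpack_from('<II', mem, off + HEADER_SIZE)
    return entry


def walk_chunks(mem, base, start, count=3):
    """Walk `count` chunks forward from `start`; a header whose PreviousSize does not
    match the previous chunk's Size is marked corrupted (a header overwrite)."""
    chunks, addr = [], start
    while len(chunks) < count and addr >= base and addr - base + HEADER_SIZE <= len(mem):
        entry = parse_entry(mem, base, addr)
        if chunks and chunks[-1]['size'] != entry['prevsize']:
            entry['corrupted'] = True
        chunks.append(entry)
        if entry['flags'] & HEAP_ENTRY_LAST_ENTRY or entry['size'] == 0:
            break
        addr += entry['size']
    return chunks


def format_dump(chunks):
    """Render the walk in the same shape as the Log window output."""
    lines = []
    for c in chunks:
        lines.append('0x%08x> size: 0x%08x (%04x) prevsize: 0x%08x (%04x) flags: 0x%08x (%s)%s'
                     % (c['addr'], c['size'], c['size'] // GRANULARITY, c['prevsize'],
                        c['prevsize'] // GRANULARITY, c['flags'], 'B' if c['busy'] else 'F',
                        ' CORRUPTED' if c['corrupted'] else ''))
        if 'flink' in c:
            lines.append('    next: 0x%08x prev: 0x%08x' % (c['flink'], c['blink']))
    return '\n'.join(lines)


def chunkanalize(regs, expr, mem, base, count=3):
    """What the hook does on each hit: evaluate the expression, then dump the chunks."""
    return walk_chunks(mem, base, eval_chunk_expr(expr, regs), count)


def build_sample_heap():
    """Constructed memory image reproducing the three chunks of the dump above."""
    base = 0x034cbc58

    def hdr(size, prevsize, flags):
        return struct.pack('<HHBBBB', size // GRANULARITY, prevsize // GRANULARITY, 0, flags, 0, 0)

    mem = bytearray()
    mem += hdr(0x520, 0x50, HEAP_ENTRY_BUSY) + b'A' * (0x520 - HEADER_SIZE)
    mem += hdr(0x410, 0x520, 0) + struct.pack('<II', 0x035fd930, 0x034c0178)
    mem += b'\x00' * (0x410 - HEADER_SIZE - 8)
    mem += hdr(0x2a8, 0x410, HEAP_ENTRY_BUSY) + b'B' * (0x2a8 - HEADER_SIZE)
    return base, bytes(mem)


def overflow(mem, base, dst, payload):
    """Simulate the REP MOVS at 402025 writing `payload` at `dst` (past its chunk)."""
    mem = bytearray(mem)
    mem[dst - base:dst - base + len(payload)] = payload
    return bytes(mem)


if __name__ == '__main__':
    base, mem = build_sample_heap()
    regs = {'EDI': 0x034cbc60}   # EDI = data of the first chunk when EIP == 0x402022 (assumed)
    print(format_dump(chunkanalize(regs, 'EDI - 0x8', mem, base)))
    # 0x518 bytes fill the first chunk's data; the next 8 land on the neighbour's header
    evil = b'A' * 0x518 + struct.pack('<HHBBBB', 0x400 // GRANULARITY, 0x520 // GRANULARITY, 0, 0, 0, 0)
    print(format_dump(chunkanalize(regs, 'EDI - 0x8', overflow(mem, base, regs['EDI'], evil), base)))
```

The second dump shows the neighbour's size field rewritten to 0x400 and the walk landing on zeros afterwards, flagged CORRUPTED because its PreviousSize no longer matches: if that is not the chunk you meant to hit, the layout, not the write, is what needs fixing.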

Peace,
Nico
PS: Take a look at the Python script (in the PyCommands folder); it can be improved quite easily!

Thursday, March 26, 2009

Technical trainings: The good, the bad, the weird.

Dear Diary,
I'm back in Buenos Aires again, enjoying the end of the summer. The training madness is over until next May, when I'm back with the heap overflow class.
Don't get me wrong, teaching is my favourite task at Immunity and outside of it (next week I'm going to start as a teaching assistant for the subject "Ethics" at a local university; Greek tragedy is what I will be explaining). But the truth is that training takes a lot out of you, and at the same time it gives you so much.
My favourite part is day two, when everything starts making sense and you can see people really enjoying each exercise as they put all the pieces together.


The Japanese training was amazing; I couldn't have enjoyed it more. The class was fun and entertaining: one of the guys at the beginning of the class introduced himself as Shoichi Nakagawa, Japan's minister of finance who gave a press conference drunk.



The only big problem I had was obviously the language. I had two girls translating, but it wasn't simultaneous, so I had to pause after each phrase so it could be translated.
The trick I pulled to make it more dynamic was to have a random student who had finished the exercise explain what he did and why on the projector computer. It was a win-win situation: the students got a second explanation in Japanese, while explaining it helped the selected student understand the subject even more deeply by teaching it.
People there were quite nice; we had pizza and some drinks on the first day, and at some point everyone got in a circle and started giving a small speech about who they were and what they expected from the class. I wish I could do that in every class!
I guess the main problem I had with the language was not being able to listen to what students said to each other; that's usually a key factor in a class, because it allows me to identify levels and hand out different exercises accordingly.

Japan itself was amazing, and I want to thank, on the website, the people from cyberdefense (Jack-san, Lauri-san, Yusuke-san and Matsumoto-san) for the big hand they gave me with the training.

They also took us to a traditional salaryman restaurant near Akihabara, where we tried different local dishes and the freshest sushi I have ever had (yes, all the fish in the picture were alive).


Going back to the training: I went from Japan to Buenos Aires, only to stay two days and then head to Miami to give two more trainings with my dearest friend Kostya Kortchinsky. Those trainings were pretty good and we got quite a number of really skilled students; it was a real surprise to see everyone at the same level!
Back at the airport, waiting for my flight to Buenos Aires, I put together a list of rules (or tips) that I have been collecting over the years:


o Never ever ever never start compiling and fixing stuff in the middle of the class (10 minutes max is allowed).
o Don't look insecure.
o Be comfortable with your material: remember to read it and know exactly what is coming next. It's really common to get excited and start explaining stuff that appears later.
o Always tell war stories.
o Most difficult task: be prepared for the most advanced student and for the most inexperienced one.
o Don't spend your entire class on the slow students: try to push them, help them as much as possible, but don't lose track of the class. You ask for basic requirements at the beginning of the class, and it is the student's responsibility to meet them before class.
o Always bring extra exercises.
o Real-life examples are always a win. People enjoy owning a real server vs. your exercise server.
o Improvisation is good and people will appreciate it, but only when your material is solid.
o Not knowing the answer to every question is OK. You are not God, nor Kostya.
o Exercise, exercise and more exercise. Always support your material with hands-on exercises.
o Students love owning stuff; if they can achieve shellcode execution they will be happy++. The satisfaction of writing a working exploit is priceless, even if it's on your "hoolio" server.
o Be progressive with your exercises. Each exercise has to teach at least one new thing or introduce a new challenge.
o One, two, even three challenges per exercise are OK, but try not to overwhelm the students.


Peace,
Nico

Friday, March 20, 2009

no more free bugs?

Is it me, or is this "no more free bugs" movement as old as Methuselah?
I think the real challenge would be "no more pennies for bugs".


Nico
PS: Does fame count as money? Because I have seen a lot of bugs paid for in that currency.