Friday, August 26, 2005

echod bleeds... -by atlas

(One of these days I'm going to make atlas get his own blog, but probably not until I start posting more)

Program received signal SIGSEGV, Segmentation fault.
0xbfaedf4d in ?? ()


Finally, after weeks of teeth-gnashing I have been able to get echod to consistently bleed, yet some of the blood is my own.
(for those of you not fortunate enough to understand it, this indicates that I have changed the instruction pointer to someplace in the stack where it doesn't belong... one or two steps from shell-access)

It's bleeding, not dead yet. I have to inject shellcode (in reverse for this vuln) before I can stick a fork in this baby.
I wish I could say "I finally got around to looking at it..." but I've been working on it ever since Def Con (many times only 1/2 hour at a time, which is awful). I have learned quite a bit, however, and have been intentionally taking my time, capitalizing on the opportunity to improve my skills (I've played and explored a bit. Big fun the "pay-for" guys might not get to enjoy as much). Still, I gotta get faster, even with the tough ones.

echod presents challenges, although much of my pain was self-inflicted. echod is multi-threaded, presenting oddities with both debugging and fuzzing. gdb would be piping along and suddenly it would inform me that it just thread-hopped and I was starting from a different location, working different logic. It became particularly difficult because I had my pseudo-fuzzer (it doesn't deserve to be called a real one) set in a loop most of the time... which I think somehow caused several threads to be pumping information into the binary, while I'm also attempting to debug and make sense out of the assembly. argggh! Aside from turning "0x0a" to "0x00" and splitting strings on "0x20", the string was pretty much straightforward, although the "reversing" functionality employed some logic I couldn't quite follow without stepping through it (and even then, it's up in the air).

That isn't to say that I didn't learn a great deal along the way... You could say that I learned many things about reverse engineering, particularly threaded apps. Here are a few:

  • Printing the dis/assembly is invaluable!

  • Rather than avoiding "jump" calls to focus on the "meat", recognize that they are the structure. Capitalize on the opportunity to determine program flow. Draw the jumps with an arrow for each early in the reversing process.

  • Determine the "conditional statements" from the "jump" statements. Is it a "while (???) { }" or an "if (???) { }", and what are the constraints? This helps determine where the "edges" of the program are.

  • "Ignore %reg, look around for meaning!" i.e. pay more attention to what memory location each register *represents*, instead of focusing on %eax specifically. Map this out on paper, being interested more in 0xffffffbe(%ebp) or 0x8(%ebp) instead.

  • Each sub has a finite number of variables (locals, parms, and heap)... know them. Label them if you can tell their purpose.

  • For (%reg), look for %reg assignment BEFORE this line

  • For %reg, look for %reg storage AFTER this line
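The two paper exercises in the list above, drawing an arrow for every jump and mapping what each %ebp-relative slot represents, done by script. This is an added example, not code from the original post; the listing it parses is a hand-constructed objdump-style fragment (AT&T syntax) of a small loop that walks a buffer and stops early at a NUL, not echod's code.

```python
"""Draw the jumps in a disassembly listing and inventory the frame slots
it touches.  Added example, not from the original post; SAMPLE is a
hand-constructed objdump-style listing, not echod."""
import re
from collections import defaultdict

SAMPLE = """\
08048400 <walk>:
 8048400:  55                    push   %ebp
 8048401:  89 e5                 mov    %esp,%ebp
 8048403:  83 ec 10              sub    $0x10,%esp
 8048406:  c7 45 fc 00 00 00 00  movl   $0x0,-0x4(%ebp)
 804840d:  eb 14                 jmp    8048423 <walk+0x23>
 804840f:  8b 45 08              mov    0x8(%ebp),%eax
 8048412:  03 45 fc              add    -0x4(%ebp),%eax
 8048415:  0f b6 00              movzbl (%eax),%eax
 8048418:  84 c0                 test   %al,%al
 804841a:  74 0f                 je     804842b <walk+0x2b>
 804841c:  88 45 fb              mov    %al,-0x5(%ebp)
 804841f:  83 45 fc 01           addl   $0x1,-0x4(%ebp)
 8048423:  8b 45 fc              mov    -0x4(%ebp),%eax
 8048426:  3b 45 0c              cmp    0xc(%ebp),%eax
 8048429:  7c e4                 jl     804840f <walk+0xf>
 804842b:  c9                    leave
 804842c:  c3                    ret
"""

# address:  hex bytes  mnemonic  operands
INSN_RE = re.compile(r"^\s*([0-9a-f]+):\s+((?:[0-9a-f]{2}\s+)+)([a-z]\S*)\s*(.*)$")
# any %ebp-relative memory operand, e.g. -0x4(%ebp) or 0x8(%ebp)
EBP_RE = re.compile(r"(-?0x[0-9a-f]+)?\(%ebp\)")


def parse_listing(text):
    """Return [(address, mnemonic, operands)] for each instruction line."""
    out = []
    for line in text.splitlines():
        m = INSN_RE.match(line)
        if m:
            out.append((int(m.group(1), 16), m.group(3), m.group(4).strip()))
    return out


def jump_edges(insns):
    """(source, target, mnemonic) for every jmp/jcc with a static target."""
    edges = []
    for addr, mnem, ops in insns:
        if mnem.startswith("j") and ops:
            try:
                edges.append((addr, int(ops.split()[0], 16), mnem))
            except ValueError:
                pass  # indirect jump such as jmp *%eax: no static target
    return edges


def edge_kind(src, dst):
    """Backward edges close loops; forward ones skip over an if-body."""
    return "loop (while-style)" if dst < src else "skip (if-style)"


def frame_slots(insns):
    """Map each %ebp offset to the addresses that touch it: look at what the
    register *represents*, not at the register."""
    slots = defaultdict(list)
    for addr, _, ops in insns:
        for off in EBP_RE.findall(ops):
            slots[int(off, 16) if off else 0].append(addr)
    return dict(slots)


def slot_name(off):
    """Conventional cdecl frame layout: args above %ebp, locals below."""
    if off >= 8:
        return "arg%d" % ((off - 8) // 4)
    if off == 4:
        return "return address"
    if off == 0:
        return "saved %ebp"
    return "local at -0x%x" % (-off)


def render(insns, edges):
    """The listing with one arrow column per jump: '+' source, '>' target."""
    row_of = {addr: i for i, (addr, _, _) in enumerate(insns)}
    edges = [e for e in edges if e[1] in row_of]  # drop jumps leaving the function
    gutter = [[" "] * len(edges) for _ in insns]
    for col, (src, dst, _) in enumerate(edges):
        lo, hi = sorted((row_of[src], row_of[dst]))
        for row in range(lo, hi + 1):
            gutter[row][col] = "|"
        gutter[row_of[src]][col] = "+"
        gutter[row_of[dst]][col] = ">"
    return "\n".join("%s %08x: %-7s %s" % ("".join(g), a, m, o)
                     for g, (a, m, o) in zip(gutter, insns))


if __name__ == "__main__":
    insns = parse_listing(SAMPLE)
    edges = jump_edges(insns)
    print(render(insns, edges))
    for src, dst, mnem in edges:
        print("%s at %x -> %x: %s" % (mnem, src, dst, edge_kind(src, dst)))
    for off, users in sorted(frame_slots(insns).items()):
        print("%-16s used at %s" % (slot_name(off), ", ".join("%x" % u for u in users)))
```

Run it and the backward jl shows up as the loop edge with the forward je as the early exit, and the slot table names -0x4(%ebp) (the counter, touched four times), -0x5(%ebp), and the two arguments at 0x8 and 0xc, which is the same picture the paper exercise produces.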




So I sit down at a coffeeshop I don't frequently visit, because Skeletones (Coffee for the coming apocalypse!) is having a concert I'm too focused to enjoy. I end up sitting in 5 different spots throughout the night, making them hate the "bottomless mug" deal I chose, and being slightly distracted as the two employees mash right at the counter. I was expecting some wetware to come out but thankfully was wrong. After doing some Bible study (which is the real reason for my night out), I figure out that I left my reverse-dump hardcopy at work and they had all my scribblings and notes! SUCK BUTT! So, I tinkered and played. Probably the best thing, since I happened upon the "chink in the armor" by doing so. I continued having bad results until I changed approaches in fuzzing and reveng. more on that in a minute.

If this all seems a bit confusing, it's because I'm still somewhat unsure of what went wrong... I know that I was unable to produce consistent results when piping "perl -e" commands to netcat. I know I was able to produce some consistency with a total rewrite in perl. I also know that I've been rather cavalier with my fuzzing, which probably caused issues with consistency (not paying close attention to having multiple threads going at once, so long as I kept data pumping into my gdb/echod session for analysis). Again, no f*cking idea!

This perl/bash combo was similar to what I used with poor results:

CX=1100; while true ; do CX=`expr $CX - 1`;echo $CX; perl -e "print(\"REV \" . \"\\x1\"x$CX);" | nc -v localhost 2000 ;done

I first started getting consistent results when I scrapped the command-line approach and used Perl's networking Socket interface to handle the network connectivity. Not as "slim" as using NetCat, but it works. And I was able to build the loop for fuzzing right into my perl-based sploit engine rather than the ugly bash code listed above. But consistency is key.
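The socket-based sweep the paragraph above describes, as an added example in Python rather than the author's perl engine (this is not code from the original post). The stub service is an assumption: it only reverses whatever follows "REV " so the script runs offline against itself; to use the harness on the real target you would point sweep() at localhost:2000, the address the one-liner above uses. The point it demonstrates is the consistency fix: one connection at a time, each read to completion, with a timeout so a hung thread is reported rather than silently piled onto.

```python
"""Sequential socket harness for the length sweep, plus a constructed
in-process stand-in for the service so the script runs offline.
Added example, not the post's perl engine.  StubRev is an assumption:
it reverses the bytes after "REV " and is not echod."""
import socket
import socketserver
import threading


def build_payload(length, filler=b"\x01"):
    """Same shape as the post's one-liner: "REV " then `length` filler bytes."""
    return b"REV " + filler * length


def probe(host, port, payload, timeout=2.0):
    """One connection, one request, one full reply.  Returns (status, reply).
    Reading the reply to EOF is what keeps results repeatable: the next
    probe does not start until this one has finished."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(payload + b"\n")
            s.shutdown(socket.SHUT_WR)        # tell the peer we are done sending
            reply = b""
            while True:
                chunk = s.recv(4096)
                if not chunk:
                    break
                reply += chunk
            return "ok", reply
    except ConnectionRefusedError:
        return "refused", b""   # nothing listening: the service is gone
    except ConnectionResetError:
        return "reset", b""     # the peer died mid-conversation
    except socket.timeout:
        return "timeout", b""   # hung: a thread spinning or a deadlock
    except OSError:
        return "error", b""


def sweep(host, port, lengths, timeout=2.0):
    """Probe each length in turn, one connection at a time, and stop at the
    first one that does not come back "ok": that is the length to replay
    under gdb."""
    results = []
    for n in lengths:
        status, reply = probe(host, port, build_payload(n), timeout)
        results.append((n, status, len(reply)))
        if status != "ok":
            break
    return results


class StubRev(socketserver.StreamRequestHandler):
    """Constructed stand-in for the service: answers "REV x" with x reversed."""
    def handle(self):
        line = self.rfile.readline().rstrip(b"\n")
        if line.startswith(b"REV "):
            self.wfile.write(line[4:][::-1] + b"\n")
        else:
            self.wfile.write(b"?\n")


def start_stub():
    """Listen on an ephemeral loopback port; returns (server, port)."""
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), StubRev)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def run_demo(lengths=(1, 10, 100, 1000)):
    """Sweep against the stub, then stop it and probe once more to show how
    a dead service is reported.  Returns (sweep results, status after shutdown)."""
    srv, port = start_stub()
    try:
        results = sweep("127.0.0.1", port, lengths)
    finally:
        srv.shutdown()
        srv.server_close()
    status, _ = probe("127.0.0.1", port, build_payload(1), timeout=1.0)
    return results, status


if __name__ == "__main__":
    results, after = run_demo()
    for n, status, reply_len in results:
        print("len=%4d  %-8s reply=%d bytes" % (n, status, reply_len))
    print("after shutdown: %s" % after)
```

Against the stub every length comes back "ok" with a reply one byte longer than the filler (the newline); against a service that falls over, the sweep stops at the first length whose status is "reset", "refused" or "timeout", and because no second connection was ever in flight that length is the one worth reproducing in the debugger.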

I have to take back all the evil wicked things I cursed about the author of echod. He may still be an evil bastard, but not nearly so much as I was giving him credit for. (sorry Visi)
Thanks to the nologin folks (thanks slow!) for helping me figure out the stack alignment oddities. Many thanks to Visigoth, Snit and the other kenshoto guys for the hours of wholesome fun ;D

I still have a few questions bouncing around:

* How do I get gdb to hold on to Display and Breakpoint settings between sessions (or perhaps simply preload them from a file at startup)?
* How do I get a service like echod to dump core? (a core dump is the contents of program memory at the time of a program fault. It allows a debugger to recreate the environment to better troubleshoot and correct issues)

Any comments can be sent to atlas@r4780y.com (thanks for the account, r4780y!)

Monday, August 22, 2005

If going fast scares you...

I just read this in the latest edition of www.michiganbikers.com:


"Talking of speed, there are riders who think 60mph is a bit scary. If so, try going 70. Once you've accelerated to 70 for a moment, 60 will seem tame. I've noticed that after going 80mph for a while 70 begins to seem like slow motion. Next time you find yourself bothered by high speeds, try it."


Otherwise paraphrased as "Dude, you think *that* was fast..."


Sadly I have been neglecting the bike lately. As sunrise gets later, morning temps get cooler, and summer wanes, it looks like a continued trend for me. The 50 miles I drive to work is a real bummer on the bike if the temp isn't at least 50 or 55. Besides feeling wussy lately I have to admit that I can't type very well on a bike ;) Driving with one knee can prove rather awkward!


Weather is the spice of life, however, and as fall draws closer, I know I'll enjoy that when it's here, and still look forward to summer again...

Friday, August 05, 2005

Black Hat and Def Con

Black Hat and Def Con! (by atlas)


Well, my friends. At last the week has come and gone. My family has done without me for 9 days, I've done without sleep for most of that, and my lips are swollen from desperately locking onto the firehose!


Web Application InSecurity


Starting out the week with NGS Software and Special Ops Security in the popular Web Application Software class. Two days was a little short for the original class, but it didn't lack. I was bored at first since they actually cover things as foreign to most developers as network topology and the security implications thereof. This has been my specialty for the past 4+ years.


I regained consciousness once we got started into the security aspects of web apps and server configs, though. Since these guys are pen-testers, not just security instructors, their approach was refreshing, and took on much of the feel of an actual penetration test. I was rudely awakened by seemingly mundane things such as web server logging, when realizing how little useful information is logged by default when malicious code bangs it senseless. I guess I assumed that, but what I found intriguing was the settings to turn on valuable stuff!


Command Injection, SQL Injection, etc... It's all in there, and they didn't skimp on covering any of the good stuff. Each of the presenters was obviously accomplished in their field, and Chris Paget, the main instructor, even gave us a demo of his non-public time-based SQL injection tool, something that returns real data from the database server even when error messages are blocked by using time-based encoding. Very slick stuff indeed.


More on Chris later.


Drinking at BH/DC


I was fortunate enough to eat and drink with some of the greatest names in the security field, and that includes Mr. Paget. While checking into the hotel, a large man lumbers up behind me lugging some hefty computer equipment. I think my comment was "There can only be one reason you're here, what class are you taking?" He informed me that he was teaching Web App (In)Security. I laughed and introduced myself as being in his class the next day. When time came for him to meet friends and have a beer, I asked to accompany him. Little did I know who I would be drinking with. Great people (and names you'll recognize) such as David Litchfield (Jr. and Sr.), Mark Litchfield, Timothy Mullen, Eli O (whose card titles him "Grand Vizier" of BH/DC), Erik Pace Birkholz and the rest of the SpecialOps (who co-taught the class), the rest of NGS, including Markus and Gunter, who is leaving NGS to take over technical leadership of another large company who has floundered in recent years (good luck to you Gunter!).


Overall they were great fun to hang out with and the conversations were very interesting, even covering politics and faith. Ahhh, the wonders of alcohol and tobacco. Throughout the week I was also fortunate enough to drink with Mudge (who is very interesting and likeable), Simple Nomad, my dear friend Jay Beale (who has a nasty little Sushi habit!), Dan Kaminsky, and many others who I leave off only for brevity, not unimportance. Indeed I've left out many who are very dear to my heart. Oh, what the hack! If you've reached your limit, skip this...


Greetz to Plato, Steven, Structure, Robb, individual, Toby and Amber!, Doc Brown and the Plan B crew, Jason, Darwin's Bastards (yo, guys!), TheArrogantSnit, Invisigoth, HackerJoe, Bob, Satori, Verbal, John, any other Kenshoto guys I may have missed, Nicole and Richard from NTO.


I must admit, however, that while being bold enough to converse with well-known people like they were normal people (a duh!) is great, I don't think some people are used to it. One person halfway through the week asked me who the f*ck I was (I didn't take it badly, but it was curious). He said that when asked, everyone basically said that they thought I was *their* friend. When I asked if he thought me a social engineer, he said "Yes, exactly! not that that is necessarily a bad thing..." heh. Amusing times.



One of the highlights of the week was deep conversations with Chris Paget, particularly about weaknesses of current computer intelligence theory. Very unfortunately Chris had to leave early for personal reasons. He was definitely missed.



Another highlight had to be Microsoft's twin-parties. One at the Pure (Caesars Palace) and a followup at the Tangerine (Treasure Island). Not only did I get to meet and chat with awesome people, including HDMoore and Kevin Mitnick, but the night was topped off by watching Jay Beale and his unique and energetic dance moves! Heck, he even got *me* out on the dance floor.



Briefings


Wow, what a rush! First off, I've never seen so much alcohol on stage.


But beyond that, let's discuss the firehose I've been drinking!


Starting the morning off with David Litchfield discussing advanced SQL injection techniques, including time-based, as well as Oracle patching woes. Aside from some frustration over sound difficulties David was brilliant.


Mudge gave a talk on (what I think of as) basic-hacker-think... but the focus was on "functional fixation" and "learned immobility"... ie. who ever thought a plane could be a weapon!? Well, somebody did. The rest of us likely suffered from functional fixation. Short of a few meanderings not directly related to the topic Mudge proved he can handle lack of sleep and alcohol *very* well!


Spoonm and Skape from the Metasploit Framework project were exceptional! They may have hit the basics of shellcoding a little too much for certain members of the crowd, but I can't say enough good things about the work they were detailing. I couldn't help but stick around afterward and catch the slides they felt compelled to skip to save time. Suffice it to say that Distributed Ninja and Meterpreter are payloads I will be learning in the near future. I did learn the unfortunate news that they will be forcing me to learn Ruby if I want to contribute (or read) Msf 3.0. I hear Ruby's great, but that's not a new theme for me (see Python/KenShoto later on). dN and Meterpreter are the next evolution of Syscall proxies, basically a snippet of code which accepts code from your system and executes it on the remote machine. Nothing is written to disk and Meterpreter even allows you to "migrate" which process they run in. dN runs on Linux, Meterpreter runs on Windows. They also clarified just what "stagers" are.



One of the stars of the show was definitely Johnny Long (johnny.ihackstuff.com). While I have a long history of appreciating Johnny, his speech was no letdown. Particularly his wit when finding "googledorks". I really liked the comments about government findings ;) Buy Johnny's book. It's bound to be amusing and informative!



Not all Black Hat Briefings were as interesting to me. I attended one speaker who must have been a college professor (look and droning speech) who spoke on restricted computing environments, or sandboxes. While the potential impact was decent and the material could have been interesting (and he had *really cool* transitions in his preso), his presentation method lacked gusto and I was underwhelmed. Many folks didn't wait it out and left. I stuck around but to no avail.



DefCon


Yes, I know... I've already worn you out before getting to the good part. The truth is, I was so heads-down involved in the Capture the Flag (CTF) hacking competition that I don't have much to say.


The Kenshoto hacker group took over the CTF this year after the longstanding "Ghetto Hackers" hosts decided to retire. This being my first DefCon I can't speak to the transition. All I can say is that Kenshoto did an absolutely incredible job. There were some flubs along the way and yes, it cost me time, but overall I was so amazed at the complete package they put together, their thoroughness, that I can't even complain. They even included a feedback session afterwards so we could discuss how things turned out. I found it amusing that they did this prior to anyone learning who had won ;) Better that way, I think. What was so amazing?


From the moment I walked into the access-controlled room I felt like I was walking into a high-intensity playground/dance-club. Dim lights, technothrash music, the Black/Green color scheme, and the Blue siren-light all contributed to a feeling of greatness. The Kenshoto guys had their stuff together, even down to the green on black Kenshoto t-shirts which had different phrases each day...



Each night Caezar hosted parties which combined technogeeks with alcohol and saw amusing results. I was only able to catch two of the three parties, but the two I attended were pretty cool. Saturday I sat next to Dan Kaminsky and a Microsoft employee and bashed and postured and laughed until it hurt. That and discussions of Python being better than Perl (I'm not convinced yet), and of course watching Eli O dance while magically keeping two or three acrylic spheres afloat and tracing around his body-parts... they all contributed to a great time. Sunday's party was around pool 2 at the Alexis Park hotel, and enhanced by tossing a glow-stick inside the 1-gallon juice jug filled with liquor-surprise... Tossing that around was probably more fun than the beach-balls. I got a chance to slow down and have a cool talk with Snit from Kenshoto, and ponder the impact of moving from my current address to the Virginia area. hmmmmm...... Tempting.



Falling asleep while _____ (version 2)


Well, I'm home now. After two hours sleep on Sunday, the plane rides were filled with the stuff. I intended to continue reversing CTF binaries, but alas that never happened. I just got around to that last night.


During the CTF Qualification round I found myself sleep-typing. At 5am it's amazing what the fingers have to say when you stop ordering them around and let their creative side show. "SegFailt os if it weren' groumedeor"


Well, since being home, I think I've topped it. I have actually fallen asleep while reading to my kids! "blah blah bla", he said............. <"daddy? Who said? Daddy???"> DOH!


Hopefully after some recovery I'll be able to better fit this new-found habit into my life without such extreme consequences.



By now, everyone is normally asking the question "How did you do at the CTF?" https://www.kenshoto.com/scores.html


Short and skinny? I didn't do nearly as well as I wished I had. And I won the individual (Ronin) contest, beating most of the teams.


Many thanks to those around me who I made alliances with, particularly the Darwin's Bastards, and of course my dear friend Plato, who very well could have beaten me. Greetz to the Shellphish and Sk3wl of R00t teams for a job very well done.


I won? and I'm not happy with that? Frankly, no. And it's not because I didn't beat the two top teams. It's about "my game" and no one else. I could have done more and done better and faster. I have much improvement to do this next year, and it can only come from more practice and better skillz. Why am I not happy? Because I resorted to lamer tactics of "low-hanging fruit" and social engineering rather than more challenging things. "Bottom line" is that I did what it took to win, but it's like playing defensive pool rather than simply shooting well. Next year I hope to run the table off the break.



Special nod to the friends I will keep out of this, especially Plato, Robb, Chris Paget, J-sLam, Snit and Invisigoth, drb and Toby.