-atlas wandering-
Bloggorama for breaking things

Tue, 12 Aug 2008

3@stplace?!?

Dude, lastplace got sk3wl3d this weekend at defcon. For those newcomers who are lost, I'm referring to the defcon capture the flag contest held each year in vegas. ctf has a history of drawing the best of the best from all corners of the world, and this year was even more so. wowhackers and taekwon-v from Korea came on strong, overcoming the language barrier and doing very well indeed. Up until the last five minutes of the game, taekwon-v had lastplace relegated to fourth place! Thankfully, the lastplace superpowers blasted one last break-through just in the nick of time to finish a solid third-place (indeed, kenshoto even changed our name on the score-board to 3@stplace ;)

Sexy Pandas were sexier than ever this year, taking command of the game very early on. Unfortunately, as they did last year, the Pandas seemed to lose their Gambas around the middle of Saturday. I don't know what's up with them, but I'm guessing they need to learn to cope with more sleep-deprivation :) They were amazing while they lasted though (remember, they drew first-blood last year).

Shellphish was back again after "taking a year sabbatical", having not qualified last year. While it was good to see Giovanni Vigna and his team again, I was surprised that they didn't do as well as expected. As I can say the same about our team this year, I totally understand.

IGuardMiLan (sorry, I don't remember their real name), an Italian team from Milan, seemed to be doing very poorly (and unfortunately I didn't get a chance to get to know them much)... but on Saturday night kenshoto gave out a challenge and ominously indicated it was worth "a couple hundred points" and both Shellphish and these guys nailed it! I'm not sure what it is about these Italians ;) but the challenge turned out to be worth 300 points, which they both got! Rock on! Unfortunately for the Pandas, this placed both of these teams above them. The challenge was this: kenshoto provided a text file with all of Shakespeare's works. Our job was to find the longest run of bytes which convert to x86 opcodes which don't touch memory. Very cool challenge, I spent a little time on it, and actually found the answer with the tool I wrote. However, without my emulation code in place I also turned up many false-answers, based on conditional-jumps, so I dropped it. Bummer too. I wish I had submitted it.

The Routards were back from last year, and came out of nowhere on Saturday to overtake us as second place, where they remained for the rest of the game. A French/Suisse team, they were really smokin!

And then (sound the Imperial March) came the Sk3wl 0f r00t. Led by Jon Boss ("BossMan") and driven by Chris Eagle ("sk3wlmast3r"), these guys *completely* rocked our world. For the last two years lastplace has been stealing victory right out of this team's clutches using creativity, game-play, and a slight touch of evi1. This year, Sk3wl returned all we had given them and more. Probably most evi1 was when we used some technical prowess to keep Sk3wl from getting credit for many points last year, for several periods of several hours. This year, Sk3wl multiplied both the evi1 as well as the technical awe of our attack from last year, instead, denying any of our teams the ability to score. How they did this, I can't say specifically, but let's just say they pwned the services themselves and made their own version of a "service-r00tkit", modifying information to either prevent us from gaining shell on the box or changing the contents of keys so we received bogus keys and our overwrites were dorked as well.

I gotta admit, if we couldn't win, I'm ok with Sk3wl winning. Not only did they *totally* deserve it this year, but they're a great bunch of guys. I have a lot of respect for sk3wlmast3r and Bossman and the team they fielded this year was truly outstanding. Their game-play was flawless, their technical leetness was untouched, and they have real character. At the end of the game, they set up their own projector on the wall over their team and played Guitar Hero... lol... but before they did, Bossman came over and said to me "I know this is going to seem arrogant, but this was not our idea... and I just wanted to let you know." That was pretty cool of them. They had every right to rub it in, but chose not to. rock on guys.

Ah, my dear lastplace.... On a personal note, I think it was really good for us to lose this year (sorry team, it's what I think). We came in as two-time, back-to-back winners, and a third time would have already been difficult to remain humble about. We also had let ourselves get complacent. I'm sorry guys, this one falls completely on me. As the buck-stopper, and as your captain, I failed in many ways, the chunks of which I will not spew here. Having succeeded from the very beginning, I knew I/we were doing the right things for success... but I didn't really remember what the right things were this year... so it was a growing experience. Having not been defeated, I personally felt the stress of continuing the winning streak, even as much as I struggled against it. And after three consecutive wins, I was heavily considering "retiring" at least for a year or two. Now? I'm not quite sure what's going to happen. I know some of the guys are happy to field a team again next year. I'm going to hit 'em up in a few months. ctf bears some strong similarities to child-birth. Gradually one forgets how much pain and agony and misery goes into ctf, and for some crazy reason the desire to play again returns :) On the positive side, we played a very good game, aside from a few failings of mine. Most impressive to me is how much our attack-team has improved as a whole. We still have a couple rock-stars, but each of our attack team was "in the game". psifertex, jrod, jesse, drb, and myself, we were all in the same playing-field. That doesn't mean I think we don't need to do some training soon. I've got some very specific things in mind and there are many others I'm sure. But I got to see some of the other, lesser-contributors last year really stepping up, and that encourages me that the team is doing what it's meant to do. I'm also looking forward to our feeling challenged to excel... instead of just being "good enough".



To show up to the game is to be a winner. Each of the eight teams has to qualify in order to play the game (the returning champions don't actually have to play the quals round, but by being champions they already "qualify"). This year, well over 400 teams showed up for quals, and actually answered at least one question. I think at least 150 teams answered two or three. This is pretty significant, considering. Each of the teams I got to chill with this weekend had significant skillz, and it was an honor to be among them.



Ok, here's the (teasing) rant part of this blog post. Each of the teams playing in ctf qualified for the game... except one. One additional Korean team qualified this year, but they dropped out and we ended up with the first runner-up... That wasn't so bad (in fact, I was happy at the time because I have friends on the team which got to come). However, little did I know that this "first-runner-up" team would go on to completely dominate the game, shutting down our ability to score, and run away with the competition. That's right, folks. Sk3wl 0f r00t *failed to qualify*! lol. Oh well. </rant> I'm still glad they came. However, this highlights the reason lastplace has taken part in quals each year even though we didn't have to: ctf and quals are two very significantly different games, each one being amazingly awesome and worth the time and effort. kenshoto continues to deliver top-notch entertainment for the subversively-minded binary-hacker.



Many thanks to kenshoto, and especially to my good friends visi and squires... who did bring a fully-automated nerf-gun into my talk at defcon and launched a massive assault on the stage... that was awesome. In an otherwise draining and sad day, that gave me a great boost. I warned the crowd they might have to wake me up in the middle of the talk. I had bounced all over throughout the country, flying, driving, not sleeping, etc... and was already exhausted when I showed up for the sleep-depriving all-weekend siege of ctf.

BTW - If visi doesn't see fit to keep vtrace/vdb available from http://www.kenshoto.com/vtrace I may be led to post them here.


sk3wlmast3r rocks. Let me just say that. He's an awesome guy, and one of the most brilliant reversers I've ever met. The last two years when lastplace beat his team, he was exceedingly gracious, meeting me with a (albeit disciplined) smile and congratulations. There's no doubt about the fact that he currently dwarfs me in skillz... but I've always been impressed with the man behind the evi1 :) I got to go see his talk at defcon (after ctf) and it was pretty slick. Keep on, man.


disass-v4.0 didn't make it for ctf. Sadly I had to use a mixture of disass-v3.0 and IDA to work on the vulns. This will continue to consume me for some time, until I have a workable GUI or I give up the whole mess (and mebbe write a CLI). I'm currently considering opening up development to interested outsiders, as it's quickly growing beyond something I can/want-to maintain alone. I'm not a GUI programmer, and would prefer telling someone how I want the GUI to behave and then go write the cool methods the GUI calls to actually do the work. Just a heads-up.


I got to spend time with a smattering of great friends this weekend, too many to list, and way too short a time to spend with each. But I wanted to send a shout-out to my awesome team, drb, wrffr, psifertex, mezzy, plato, shiruken, jrod, apu, and a couple guys who hung with us a bit and helped out some with a couple bins, and all the ctf teams (you all rock). Greetz to sk0d0 and jmfb, Figueroas, Subverted Dave, j0hnny, Thor (even though you skipped out on me :) Travis Goodspeed, GMark, vangelis, kenshoto (inc goons and pj, nice dice), Moose and VirusX (now *with* the Moose! thx for the Braundo dude, it kept me up on Saturday!), and the dudes who came to my Q&A session.


R.I.P. E P I C. I missed you. If we'd won ctf I was going to say it from stage.


@


Wed, 11 Jun 2008

Quals 2008 Comes To A Close... (a week late)

Well my friends, CTF Quals 2008 has officially passed, and what a wild ride it was. I'm barely awake this morning, not fully recovered from the weekend... but I'm sure some of that has to do with the incredible Paintball-Bachelor party I was called upon to make happen on Saturday. Yes, my team had to do without me for about 12 hours of the competition. I'm the best man, what could I do? Thankfully I have a brilliant team and a very strong co-captain. Even without me, they had to pull back a bit to avoid directing the game. You see, as last year's CTF winners, we don't have to qualify (place in the top 7 teams), and feel a little awkward about choosing categories which could make or break other teams.

Intro to Quals
For those of you who are unfamiliar with the phenomenon that is Quals, each year Kenshoto, a terribly cool bunch o' hackers, puts on the Defcon Capture-the-Flag hacking contest, but to get into the contest your team has to qualify. Quals (ctf Qualifier round) typically takes place a week or two after Memorial Day, and is a Jeopardy-like game with five categories with five challenges each providing from 100-500 points (no, there's no Double-Quals entry where you get to choose how many points to gain/lose). Unlike Jeopardy, in recent years Quals doesn't reduce points for wrong answers, and while each team somewhat chooses their own pace, you can only select challenges that are "available". The team who answers the newest challenge first gets to choose the next challenge, making it available to the rest of the teams. Quals has always been an excellent training-ground, and a worthy game in and of itself. In fact, Quals in 2005 was my entry and training-grounds for hard-core binary hacking.

If you remember last year, all the leading teams made it through all but one of the challenges, and it was the Binary Leetness 500 point challenge. It was insane and incredible, and worthy of spending our time. This year was a bit more of everything (except web-hacking, but more on that in a minute). The only down-side I ran into this year was BinLeet300, a challenge which I feel could have been better scoped or something. The question was "What libc function is this?" and we were given 57 bytes of binary which converted into basically a spinlock and a strlen. The question led me to believe that I got to see the whole function, although I have heard the answer was inet_aton. what?

However, that's a minor complaint, whereas the whole rest of the game was amazing. First off, let me just pay homage to kenshoto's ability to keep the game stable!

Forensics 500 was quite the challenge, being an image of Kenshoto's logo, requiring conversion to another format and then analysis of the colors to identify an undisclosed form of stego.

BinLeet400 was a BSD kernel module which replaced much of the kernel call-table (yes, rootkit-style) with pass-through wrapper versions.

My favorite of the whole game was RealWorld300, a telnet-based D&D style game. Enter your name, hack your way through (literally, but the game was an RPG about hacking), and if you win, you find yourself the proud recipient of a format string exception. Through that FSE, you have to figure out what address to overwrite and what to overwrite it with. Thankfully, the FSE is great for stack-based recon. Read the write-up on http://nopsr.us to find our nifty stack-address-math-magic. Very fun, and I think the best part was getting to hack alongside drb most of the time. He's a brilliant friend, but we always seem to be working on separate tasks.

One interesting thing was the loss of the WebHacking category. I feel it is a loss indeed, as this is where most vulns are found these days... however, with the inclusion of RealWorld, I think the game was better this way.

Sk3wl0fr00t did not qual this year... perhaps sk3wlmast3r had a Bachelor party to attend as I did. I don't know what happened for them this year, however this is a great example of how different quals are from ctf (not that I'm complaining, they're both amazing). I'm sure that someone will drop out and that this ctf-titan will once again be making the competition difficult for all of us.

Shellphish was among the teams to qualify for ctf. Proven to be powerful in the past, this former-ctf-champion failed to qualify last year for whatever reason. Led by Giovanni Vigna, Shellphish will make the competition interesting to say the least.

For those with a pair, check out the Quals write-ups over at http://nopsr.us

Yes I'm Hacking Fun Now.
@


Thu, 24 Apr 2008

New Releases

After much anticipation ;)

disass-3.0-080424.tgz
libdisassemble-2.5-080424.tgz

Sorry, but no GUI yet. Still working on a great deal of changes for disass, including disass-emu, an emulation framework for x86. As you can imagine, these take an immense amount of work. Kenshoto has asked 1@stplace to create a challenge for the impending CTF Qualifiers, and it's been eating up a great deal of my time lately.

Hack Fun!
@


Thu, 21 Feb 2008

Post Shmoocon 2008

Well the great and mighty shmoo has left the building. What a weekend. I'm beat.

I couldn't get in until Saturday night, but I hear Friday and Saturday were amazing. Everything from H1kari's FPGAs attacking cellular to hacking Second Life's helper apps (dude, they really hacked quicktime through the game!? sweet!). Jay Freakin Beale had an a cappella rap-cameo by his fellow Intelguardian JimmyD! G Mark is always interesting to hear and cool to chat with. Simple Nomad apparently had a picture of him on CNN (Crappy Network News) where they named him Mike and made him look like Winn Schwartau! Unbelievable. All I have to say is WWDKD? ok, just listing Dan Kaminsky in a place where Jesus has been is making me step away from the keyboard....


<long pause>

ok. I'm back. No lightning yet... although I've checked my life insurance.

I had a beer scheduled with Moose, but nothing ever came of it (sadly). Hopefully we'll be able to sit down and chat some other time. Same deal with Joe from learnsecurityonline, but at least we hooked up by phone. He's putting together a cool set of binary reversing challenges for his readers and has graciously asked for my input and possibly help. We'll see what comes of it.
And Darren from hak5 was also supposed to catch up with me after my talk (9am was too early for them :) but he got held up as well. I'm thinking the parties were just too good, because by Sunday everybody was asleep. I actually drank red bull just before my presentation to try to regain some kick I had lost. Yes, I went to the shmoo party and got to see Pablos and his gang break it down. What was amazing was the number of folks in blue lock-shirts that cut a rug. Even Ed Skoudis was doin a dance! Jay MFBeale, well, you see there are dancers and there is Jay.... the difference? Dancers get tired and take a break. Jay is a freakin animal! Lara, dude, Lara. But the man with presence, Mike Poor, was dancing the whole freakin night! Whatever they're drinkin at Intelguardians has got to be better than redbull! gimme some-o-dat! I spent most of the night over in the corner writing code. No, I'm not completely inept on the dance-floor, but I wanted to get a few things tweaked and tuned before my talk. Just because I gave a talk on the same topic at POC doesn't mean I don't work a lot on it in between. Programmatic Debugging for Vulnerabilities is a relatively new topic (at least for public consumption). Expect the topic to hit BH and defcon this year as well (if they'll have me), and full of untapped potential.

To be specific, and not just another "blogger positing his empty opinion", I was truing up the code which determines heap chunk length. Finding buffer overflows is not a simple task, and at the very core of that search (at least in this approach) is being able to consistently determine interesting values for buffer length. Stack buffers and heap buffers both present their own challenges. At POC I had the concept of measuring stack buffer length by finding a valid return pointer higher on the stack and measuring the difference. For that I developed findRET(), which, once I worked out a few bugs, is quite accurate. For HEAP chunk length, however, I was focused on DL Malloc and relying on HEAP chunks keeping their buffer length at ptr-4 (the 32-bit number immediately preceding the memory pointer location). Unfortunately, many of the calls to memcpy() are copying portions of a HEAP chunk (since HEAP chunks are often cut to the size of a structure), so the values immediately preceding many destination HEAP buffers are anything but the length of the buffer. That length may have been implied by the struct used to access the HEAP chunk, but that information is long gone, and must be reversed (another great topic).
So this time around I improved the HEAP length issue by running the allocated HEAP structures (again, DL Malloc, but RTL won't be hard to add). Once I find the HEAP chunk past the HEAP address we're measuring, we take the difference as the length. The odd thing I found was that the HEAP in some binaries (eg. top on linux) doesn't start at the beginning of the HEAP memory map. So, tracing the HEAP means finding it first. So you'll find code in getConnectedChain() that first searches for a connected chain of HEAP chunks before traversing it and returning the start of each HEAP chunk.

I need to mention that these methods are still somewhat arcane and unrefined. They will indicate the most fruitful overflows, such as overwriting RET or the HEAP control structures.... They will not indicate overwrites which occur within the same HEAP chunk or between stack buffers.
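To make the two length heuristics above concrete, here is an added example that is not atlas's disass/atlasutils code: a toy model of walking a dlmalloc-style chunk chain (locating the chain start first, since the heap need not begin at the start of its mapping, then taking the distance from a buffer address to the next chunk header as its length) and a findRET-style stack scan (distance from a buffer to the first word that points into a code range). It assumes 32-bit little-endian layout, an 8-byte chunk header of prev_size and size so that the size field sits at ptr-4 with flag bits in its low three bits, and it runs over constructed heap and stack snapshots; every function name, address and byte value in it is made up for the illustration.

```python
# Added example, not code from atlas's disass/atlasutils: a toy model of the two
# buffer-length heuristics described in the post, run on constructed snapshots.
# Assumptions: 32-bit little-endian, dlmalloc-style chunks (8-byte header of
# prev_size + size, so the size field is at user_ptr-4, low 3 bits are flags),
# and a findRET-style scan that treats the first word in a code range as RET.
# All function names, addresses and byte contents here are made up.
import struct

WORD = 4
HDR = 8          # prev_size + size; user data starts at chunk + HDR
MIN_CHUNK = 16   # smallest dlmalloc chunk on 32-bit


def read_word(mem, off):
    return struct.unpack_from("<I", mem, off)[0]


def chunk_size(mem, off):
    """Size of the chunk whose header starts at off, flag bits masked off."""
    return read_word(mem, off + WORD) & ~0x7


def walk_chain(mem, start):
    """Follow size fields from start; report whether they tile mem to its end."""
    chain, off = [], start
    while off + HDR <= len(mem):
        size = chunk_size(mem, off)
        if size < MIN_CHUNK or size % 8 or off + size > len(mem):
            return chain, False          # header does not look like a chunk
        chain.append(off)
        off += size
    return chain, off == len(mem)


def get_connected_chain(mem, min_chunks=3):
    """The heap need not start at the mapping's start: find the first offset
    from which a chain of at least min_chunks chunks runs cleanly to the end."""
    for start in range(0, len(mem) - HDR, WORD):
        chain, ok = walk_chain(mem, start)
        if ok and len(chain) >= min_chunks:
            return start, chain
    return None, []


def heap_buffer_length(mem, base, addr):
    """Bytes from addr to the start of the next chunk header, i.e. how far a
    copy into addr can run before it reaches the next chunk's control data."""
    start, chain = get_connected_chain(mem)
    off = addr - base
    for c in chain:
        end = c + chunk_size(mem, c)
        if c + HDR <= off < end:
            return end - off
    return None                          # addr is not inside a chunk's user data


def find_ret_distance(stack, base, buf_addr, code_ranges):
    """findRET-style: scan up from the buffer for the first word that points
    into a code range and return its distance from the buffer."""
    off = buf_addr - base
    while off + WORD <= len(stack):
        w = read_word(stack, off)
        if any(lo <= w < hi for lo, hi in code_ranges):
            return off - (buf_addr - base)
        off += WORD
    return None


def _chunk(prev_size, size, data):
    return struct.pack("<II", prev_size, size | 1) + data   # PREV_INUSE set


# Constructed heap snapshot: 16 bytes of non-heap padding, three in-use chunks
# and a top chunk. Header offsets end up at 16, 48, 96 and 160.
HEAP_BASE = 0x08050000
HEAP = (b"\x00" * 16
        + _chunk(0x00, 0x20, b"A" * 24)
        + _chunk(0x20, 0x30, b"B" * 40)
        + _chunk(0x30, 0x40, b"C" * 56)
        + _chunk(0x40, 0x20, b"\x00" * 24))

# Constructed stack frame: 32-byte buffer at +8, saved EBP at +40, RET at +44.
STACK_BASE = 0xBFFFF300
CODE_RANGES = [(0x08048000, 0x08049000)]
STACK = (b"\x00" * 8 + b"x" * 32
         + struct.pack("<II", 0xBFFFF3D8, 0x08048ABC)
         + b"\x00" * 16)

if __name__ == "__main__":
    print("heap chain starts at offset", get_connected_chain(HEAP)[0])
    print("bytes left in chunk from +66:",
          heap_buffer_length(HEAP, HEAP_BASE, HEAP_BASE + 66))
    print("buffer-to-RET distance:",
          find_ret_distance(STACK, STACK_BASE, STACK_BASE + 8, CODE_RANGES))
```

The chain search is what makes the heap measurement usable when the heap does not begin at the start of its mapping: a single bogus size field breaks the chain, so only a start offset whose sizes tile the whole region counts. As the post notes, this measures distance to the next chunk's control data, not the size of the struct field a memcpy() actually targets, so an overwrite that stays inside one chunk is invisible to it.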

Slides are here: odp pdf
New releases of atlasutils (formerly the @ Utility Belt) are coming shortly.


Found a few interesting links about the con, one was an interview I did with Joe from LearnSecurityOnline.com.
http://www.ethicalhacker.net/component/option,com_smf/Itemid,54/topic,2112.msg8708/topicseen,1/
http://www.learnsecurityonline.com/index.php?option=com_content&task=view&id=237&Itemid=1


Greetz to visi and squires, alien and hackerprincess, sk0d0 (nice pic!), sk3wlmast3r & son, Toby and joshwright, G. Mark, chris paget, vangelis, beetle, hollywood and jsyn, keith myers!, Intelguardians (choops for supporting the con!) and ASI guys. It was excellent to see you all again!
And thanks to those who came to my talk (for not stepping in front of the whizzing redbull and causing legal headaches!) Dude, Chuck, smile! Seriously, I hope you all enjoyed the talk and got something out of it.

@
